IPv6 Addressing

IPv6 DEPLOYMENT
SESSION RST-2305
RST-2305
9629_05_2004_c1
© 2004 Cisco Systems, Inc. All rights reserved.
1
Agenda
• Why IPv6
• Introduction Review
• How to Get Started
• Enterprise Deployment
  Campus
  WAN
  Remote Access
• Advanced Deployment
  Multicast
  QoS
  Security
  Mobility
Related Breakout Sessions
• RST-1305—IPv6 Concepts
  Should have attended before this deployment session ☺
  What RST-1305 covered that I will not:
    Detailed IPv6 addressing
    ICMPv6 operation (neighbor discovery, router solicitation, etc.)
    IPv6 routing details or configuration
• SEC-2003—IPv6 Security Threats
• RST-1701, 2701 and 4701—Multicast Sessions
• RST-2304—Introduction to Mobile IP
WHY IPv6?
Drivers for IPv6
(Figure: drivers grouped around “Restoring an Environment for Innovation”, “The Ubiquitous Internet” and “Services on the Edge of the Network”.)
• O.S. and Applications
• Mobile Networking
• Agriculture/Wildlife
• Consumer and Services
• Manufacturing
• Transportation
• Medical
• e-Nations
• Government (Federal/Public Sector)
• Higher Ed./Research
Expanding Where the Network “IS”
(Figure: “The Network Today with IPv4” versus “The Network Without Boundaries—IPv6”, showing Data Center, Campus, Enterprise Intranet, Branch, Teleworker, Mobile Workforce, Airport, University and the Internet.)
IPv6 Vertical Activity
Consumer: Set-top boxes, Gaming, Appliances, Voice/video, Security monitoring
Higher Ed./Research: Media services, Collaboration, Mobility
Government (Federal/Public Sector): DoD, WIN-T, FCS, JTRS, GIG-BE
Transportation: Telematics, Traffic control, Hotspots, Transit services
Manufacturing: Embedded devices, Industrial Ethernet, IP-enabled components
Agriculture/Wildlife: Animal tags, Imagery, Botanical, Weather
Medical: Home care, Imaging, Mobility
IPv6 for the Military
Who and what is connected:
• Soldiers
• Weapons
• Sensors
• Command/control
• Logistics
What IPv6 brings:
• Massive address space (billions)
• Mobile IP
• Security/encryption
• Simplified management
• Inter-service interoperability
FCS (Future Combat Systems)
WIN-T (Warfighter Information Network—Tactical)
INTRODUCTION REVIEW
SEE: RST-1305 IPv6 CONCEPTS
IPv6 Technology Comparison
Service | IPv4 Solution | IPv6 Solution
Addressing Range | 32-bit, Network Address Translation | 128-bit, Multiple Scopes
Autoconfiguration | DHCP | Stateless, Reconfiguration, DHCP
Security | IPSec | IPSec Mandated, Works End-to-End
Mobility | Mobile IP | Mobile IP with Direct Routing
Quality-of-Service | Differentiated Service, Integrated Service | Differentiated Service, Integrated Service
Multicast | IGMP/PIM/MBGP | MLD/PIM/MBGP, Scope Identifier
IPv6 Addressing
• IPv6 addressing rules are covered by multiple RFCs
  Architecture defined by RFC 3513
• Address types are:
  Unicast: one to one
    Global
    Link local (FE80)
    Site local (FEC0)—DEPRECATED
    Unique Local—new (draft-ietf-ipv6-unique-local-addr-xx.txt)
  Anycast: one to nearest (allocated from unicast)
  Multicast (FF): one to many
  Reserved
• A single interface may be assigned multiple IPv6 addresses of any type (unicast, anycast, multicast)
  No broadcast address. Now uses multicast
Interface Address Set
• Loopback (Required)
  (Only assigned to a single interface per node)
• Link local (Required)
  (Required on all interfaces)
• Unique local (Optional)
  (Addressing valid only within a site)
• Auto-configured 6to4 (Optional)
  (If a public IPv4 address is available)
• Solicited node Multicast (Required)
  (Required for neighbor discovery - DAD)
• All node multicast (Required)
• Global (Optional)
  (Globally routed prefix – Does not mean globally available)
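As an added example (not from the deck), the address set a single interface ends up with when its addresses are derived from the MAC with EUI-64, as the deck's `eui-64` tunnel configurations do. The MAC is a constructed sample; the /64 is the data VLAN prefix used later on the distribution-layer slide.

```python
import ipaddress

# Constructed sample inputs, not from the slides.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_GLOBAL_PREFIX = "2001:DB8:C003:1102::/64"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC: flip the
    universal/local bit of the first octet and insert FF:FE in the middle."""
    octets = [int(b, 16) for b in mac.replace("-", ":").split(":")]
    if len(octets) != 6 or not all(0 <= o <= 0xFF for o in octets):
        raise ValueError("expected a 48-bit MAC such as 00:11:22:33:44:55")
    octets[0] ^= 0x02
    return int.from_bytes(bytes(octets[:3] + [0xFF, 0xFE] + octets[3:]), "big")


def address_in_prefix(prefix: str, interface_id: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def solicited_node(addr) -> ipaddress.IPv6Address:
    """Solicited-node group FF02::1:FFXX:XXXX (RFC 3513): the low 24 bits of
    the unicast address appended to FF02::1:FF00:0. Neighbor discovery and
    DAD are addressed to this group, which is why it is required."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def interface_address_set(mac: str, global_prefix=None) -> dict:
    """The addresses one interface listens on, following the slide: required
    link-local, all-nodes and solicited-node, plus the optional global
    address. Loopback ::1 belongs to the node, so it is reported separately."""
    iid = eui64_interface_id(mac)
    link_local = address_in_prefix("fe80::/64", iid)
    unicast = [link_local]
    if global_prefix is not None:
        unicast.append(address_in_prefix(global_prefix, iid))
    # One solicited-node group per distinct low 24 bits: with EUI-64 the
    # link-local and global addresses share an IID and so share the group.
    groups = {str(solicited_node(a)) for a in unicast}
    return {
        "node_loopback": "::1",
        "link_local": str(link_local),
        "global": str(unicast[1]) if len(unicast) > 1 else None,
        "all_nodes": "ff02::1",
        "solicited_node": sorted(groups),
    }


if __name__ == "__main__":
    for key, value in interface_address_set(SAMPLE_MAC, SAMPLE_GLOBAL_PREFIX).items():
        print(f"{key:16} {value}")
```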
IPv6 Addressing
Prefix boundaries: Registry /23 (2001) | ISP Prefix /32 (0DB8) | Site Prefix /48 | Subnet Prefix /64 | Interface ID
Represented as:
x:x:x:x:x:x:x:x where x is a 16-bit hexadecimal field
• 2001:0DB8:C003:0001:0000:0000:0000:BEEF
• 2001:DB8:C003:1:0:0:0:BEEF
• 2001:DB8:C003:1::BEEF
• 0:0:0:0:0:0:0:1 --> ::1 - Loopback address
IPv6 Routing Protocols
• RIPng (RFC 2080)
• OSPFv3 (RFC 2740)
• ISIS for IPv6 (draft-ietf-isis-ipv6-05.txt)
  Multi-Topology IS-IS
• MP-BGP4 (RFC 2858/2545)
• Cisco EIGRP for IPv6 is coming…
• The same routing protocols you already know, only better
A Quick View of Routing Configs
MP-BGP4
router bgp 100
 bgp router-id 1.1.1.11
 no bgp default ipv4-unicast
 neighbor 2001:DB8:C003:111A::2 remote-as 100
 !
 address-family ipv6
  neighbor 2001:DB8:C003:111A::2 activate
  no synchronization
 exit-address-family

OSPFv3
interface Ethernet0/0
 ipv6 address 2001:DB8:C003:1::1/64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 1.1.1.1

RIPng
interface GigabitEthernet2/2
 ipv6 address 2001:DB8:C003:1106::1/64
 ipv6 rip v6 enable
 ipv6 rip v6 default-information only
!
ipv6 router rip v6
 redistribute bgp 100

IS-IS
interface GigabitEthernet2/2
 ipv6 address 2001:DB8:C003:1106::1/64
 ipv6 router isis
 isis circuit-type level-2-only
!
router isis
 net 49.0001.0000.0000.000c.00
HOW TO GET STARTED
First Steps
• Talk with your service provider(s) about getting your IPv6 prefix(s) and what kind of services they plan to support
• Start a pilot or lab network to gain familiarity with IPv6 and YOUR applications
• Include IPv6 in your investment strategy for new operating systems, networking gear, deployment and management
• Understand the reasons why you are going this route
Hierarchical Addressing and Aggregation
(Figure: the ISP only announces the /32 prefix 2001:DB8::/32 to the IPv6 Internet (registry block 2001::/16). Site 1 holds 2001:DB8:0001::/48 with subnets 2001:DB8:0001:0001::/64 and 2001:DB8:0001:0002::/64; Site 2 holds 2001:DB8:0002::/48 with subnets 2001:DB8:0002:0001::/64 and 2001:DB8:0002:0002::/64.)
Prefix boundaries: Registry /23 (2001) | ISP Prefix /32 (0DB8) | Site Prefix /48 | Subnet Prefix /64 | Interface ID
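The prefix boundaries from the addressing slide and the aggregation picture above, as an added example that is not part of the deck: it locates the registry, ISP, site and subnet prefix of an address, carves /64s out of a site /48, and lists any internal route that falls outside the single aggregate the ISP announces (the routes that an edge filter must suppress). The route list is a constructed sample built from the figure's prefixes.

```python
import ipaddress

# The boundaries named on the slide, from the registry block to the subnet.
HIERARCHY = (("registry", 23), ("isp", 32), ("site", 48), ("subnet", 64))


def prefix_hierarchy(address: str) -> dict:
    """Return the prefix that encloses `address` at each boundary, e.g. the
    /32 an ISP would announce for a given host address."""
    addr = int(ipaddress.IPv6Address(address))
    return {name: str(ipaddress.IPv6Network((addr, plen), strict=False))
            for name, plen in HIERARCHY}


def subnet_prefix(site: str, subnet_number: int) -> str:
    """Carve /64 number `subnet_number` (0..65535) out of a site /48."""
    site_net = ipaddress.IPv6Network(site, strict=False)
    if site_net.prefixlen != 48:
        raise ValueError("site prefix must be a /48")
    if not 0 <= subnet_number < 2 ** 16:
        raise ValueError("a /48 holds exactly 65536 /64 subnets")
    base = int(site_net.network_address) | (subnet_number << 64)
    return str(ipaddress.IPv6Network((base, 64)))


def leaked_prefixes(announced: str, internal_routes) -> list:
    """Internal routes NOT covered by the one aggregate the ISP announces.
    Anything returned here must be filtered at the edge, or is a sign that a
    site is numbered from space outside the aggregate."""
    aggregate = ipaddress.IPv6Network(announced, strict=False)
    routes = (ipaddress.IPv6Network(r, strict=False) for r in internal_routes)
    return sorted(str(r) for r in routes if not r.subnet_of(aggregate))


# Constructed sample: the figure's subnets plus one route from another /32.
SAMPLE_ROUTES = [
    subnet_prefix("2001:DB8:1::/48", 1), subnet_prefix("2001:DB8:1::/48", 2),
    subnet_prefix("2001:DB8:2::/48", 1), subnet_prefix("2001:DB8:2::/48", 2),
    "2001:DB9:2:1::/64",
]


if __name__ == "__main__":
    print(prefix_hierarchy("2001:DB8:C003:1::BEEF"))
    print("would leak past the /32:", leaked_prefixes("2001:DB8::/32", SAMPLE_ROUTES))
```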
ENTERPRISE DEPLOYMENT
IPv6 Coexistence in the Enterprise
(Figure: three coexistence patterns in one enterprise.)
Dual Stack: IPv4 and IPv6 Addresses on the same host (IPv4: 192.168.99.1, IPv6: 2001:db8:1::1/64)
Tunneling: an IPv6 host reaches an IPv6 network across an IPv4-only network through a Configured/6to4 tunnel or an ISATAP router
NAT-PT: an IPv6 host reaches an IPv4-only network through a NAT-PT box
Cisco Recommended IPv6 Deployment Options for the Enterprise
Environment | Scenario | Option | Cisco IOS Support
WAN | IPv6 Services Available from ISP and WAN Routers IPv6 Ready | Dual Stack | Yes
WAN | Dedicated Data Link Layers, e.g. LL, ATM and FR PVC, sWDM Lambda | Dual Stack | Yes
WAN | No IPv6 Services from ISP or WAN Core Not IPv6 Capable | Configured Tunnels | Yes
WAN | No IPv6 Services from ISP—Many Sites, Any to Any Communication | 6to4 | Yes
Campus | L3 Infrastructure—IPv6 Capable | Dual Stack | Yes
Campus | L3 Infrastructure—Not IPv6 Capable, or Sparse IPv6 Hosts Population | ISATAP | Yes
Cisco IOS: IPv6 Feature Overview
www.cisco.com/go/fn
Cisco IOS Software Release 12.0S, 12.2S, 12.3M and 12.3T
Core
• IPv6 (RFC 2460)
• ICMPv6 (RFC 2463)
• Neighbor discovery (RFC 2461)
• Stateless auto-configuration
• Anycast
• CEFv6/dCEFv6
• uRPF
• CEFv6 switched tunnels
Security
• IPv6 standard ACL
• IPv6 extended ACL
• IPv6 IPSec authentication for OSPFv3
• IPv6 firewall (Stateful)
Integration
• Configured and automatic tunnels (RFC 2893)
• 6to4 (RFC 3056 and 3068)
• IPv6 over GRE/IPv4
• IPv6 over MPLS (6PE)
• ISATAP
• NAT-PT phase I and II (RFC 2765 and 2766)
• IP over IPv6 tunnels
Broadband Access
• Cisco VSA AAA
• RADIUS AAA (RFC 3162)
• PPPoA, PPPoE, RBE and ATM 1483 encapsulations
• DHCPv6 prefix delegation (RFC3633)
• Stateless DHCP (RFC 3646)
• Generic prefix
Multicast
• MLDv1 and v2
• MLD access group
• PIMv2 SM, SSM, Bi-Dir
• PIM embedded RP
• IPv6 MC over IPv4 tunnels
• Scope boundaries
• Static mRoutes
QoS
• IPv6 QoS (MQC)
Routing
• RIPng
• OSPFv3
• IS-IS for IPv6
• MT IS-IS
• MP-BGP IPv6 Unicast
• MP-BGP IPv6 Multicast
• Policy-based routing
Applications and Mgmt
• Telnet, TFTP, DNS resolver, HTTP, Ping, Traceroute, SSH
• Cisco IP and IP-Forwarding MIBs
• Netflow for IPv6
ENTERPRISE DEPLOYMENT:
CAMPUS
Basic Campus Coexistence Example
(Figure: Access Layer (L2), Distribution Layer, Core Layer and Aggregation Layer in front of an IPv6 Server; the v6-enabled layers run Dual Stack, and ISATAP carries IPv6 across the layer that is not v6-enabled.)
• Example shows Dual Stack and ISATAP in use
• Use ISATAP to “tunnel” IPv6 over layer 3 switches that do not yet support IPv6
ISATAP: Intra-Site Automatic Tunnel Addressing Protocol
IPv6 on a Campus: Dual-Stack IPv4-IPv6
(Figure: Data Center, campus layers, and WAN and Internet Access.)
• Requires switching/routing platforms to support hardware based forwarding for IPv4 and IPv6
  IPv6 is transparent on L2 switches except for multicast—MLD snooping
• Requires robust control plane for both IPv4 and IPv6
  Stateless Autoconfiguration
  Routing protocols
• IPv6 multicast and other advanced services such as QoS
• Security through IPv6 access control capabilities
  Including option headers
• IPv4 and IPv6 control planes and data planes must not impact each other
Distribution Layer: Dual Stack
ipv6 unicast-routing
ipv6 cef
!
interface Vlan10
 description Data VLAN for Access
 ipv6 address 2001:DB8:C003:1102::1/64
 ipv6 nd prefix 2001:DB8:C003:1102::/64 86400 86400
 ipv6 ospf 1 area 1
 ipv6 cef
!
interface GigabitEthernet1/1
 description To 6k-core-right
 ipv6 address 2001:DB8:C003:1105::2/64
 ipv6 ospf 1 area 0
 ipv6 cef
!
interface GigabitEthernet1/2
 description To 6k-core-left
 ipv6 address 2001:DB8:C003:1106::2/64
 ipv6 ospf 1 area 0
 ipv6 cef
Note on the ipv6 nd prefix line: lower Valid/Preferred Lifetimes from defaults (2592000/604800)—in seconds.
IPv6 Campus ISATAP Configuration
(Figure: an ISATAP host at 10.1.2.100 reaches the dual-stack router across the non-v6 switches. No configuration change on non-v6 switches. Currently ISATAP does not support multicast!!)
Create DNS “A” Record for “ISATAP” = 10.1.1.1
Use static config if DNS use is not desired:
C:\>netsh interface ipv6 isatap set router 10.1.1.1
ipv6 unicast-routing
ipv6 cef
!
interface Loopback0
 description ISATAP address for Access Layer
 ip address 10.1.1.1 255.255.255.255
!
interface GigabitEthernet2/10
 ipv6 address 2001:DB8:C003:111C::2/64
 ipv6 cef
!
interface Tunnel0
 ipv6 address 2001:DB8:C003:111F::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 cef
 tunnel source Loopback0
 tunnel mode ipv6ip isatap
ISATAP Address Format: 64-bit Unicast Prefix | 32-bit 0000:5EFE | 32-bit IPv4 Addr. (the last two fields form the Interface ID)
Host address: 2001:DB8:C003:111F:0:5EFE:10.1.2.100
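The ISATAP address format above (used again on the branch and VPN-client slides), as an added example that is not part of the deck: it builds the host's tunnel and link-local addresses from the /64 and the IPv4 address, and does the reverse, recovering the IPv4 tunnel endpoint from any ISATAP address so that addresses seen in a neighbor table or log can be checked against the hosts expected to send protocol-41 traffic. The neighbor list is a constructed sample.

```python
import ipaddress

# Upper 32 bits of an ISATAP interface ID as shown on the slide (0000:5EFE).
# RFC 5214 also defines 0200:5EFE (u/l bit set) for a globally unique IPv4
# address; both forms are recognised when parsing.
ISATAP_TAG = 0x00005EFE
ISATAP_TAGS = (0x00005EFE, 0x02005EFE)

# Constructed sample, not from the deck: addresses as a neighbor table might
# list them, in compressed hex and in the slide's dotted form.
SAMPLE_ADDRESSES = [
    "2001:db8:c003:111f:0:5efe:a01:264",
    "fe80::5efe:10.1.2.100",
    "2001:db8:c003:111c::2",
    "not-an-address",
]


def isatap_address(prefix, ipv4) -> ipaddress.IPv6Address:
    """prefix/64 + 0000:5EFE + IPv4: the address the host at `ipv4` forms
    from the router advertisement on the tunnel interface."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a 64-bit unicast prefix")
    iid = (ISATAP_TAG << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def isatap_link_local(ipv4) -> ipaddress.IPv6Address:
    """fe80::5efe:IPv4, used between the host and the ISATAP router."""
    return isatap_address("fe80::/64", ipv4)


def embedded_ipv4(addr):
    """IPv4 endpoint carried in an ISATAP address, or None when the interface
    ID is not of the ISATAP form (an EUI-64 ID carries FFFE there instead)."""
    a = int(ipaddress.IPv6Address(addr))
    if (a >> 32) & 0xFFFFFFFF not in ISATAP_TAGS:
        return None
    return ipaddress.IPv4Address(a & 0xFFFFFFFF)


def slide_notation(addr) -> str:
    """Render as the deck does: PREFIX:0:5EFE:a.b.c.d in uppercase hex."""
    a = ipaddress.IPv6Address(addr)
    v4 = embedded_ipv4(a)
    if v4 is None:
        raise ValueError(f"{a} is not an ISATAP address")
    groups = [f"{(int(a) >> shift) & 0xFFFF:X}" for shift in (112, 96, 80, 64)]
    return ":".join(groups) + f":0:5EFE:{v4}"


def isatap_endpoints(addresses) -> dict:
    """Map each ISATAP address seen to its IPv4 tunnel endpoint, skipping
    everything else; compare the result with the hosts that are supposed
    to reach the tunnel source."""
    found = {}
    for s in addresses:
        try:
            v4 = embedded_ipv4(s)
        except ValueError:
            continue  # not an IPv6 address at all
        if v4 is not None:
            found[str(ipaddress.IPv6Address(s))] = str(v4)
    return found


if __name__ == "__main__":
    host = isatap_address("2001:DB8:C003:111F::/64", "10.1.2.100")
    print(host, "=", slide_notation(host))
    print(isatap_endpoints(SAMPLE_ADDRESSES))
```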
ENTERPRISE DEPLOYMENT:
WAN
WAN: Branch Transition Example
(Figure: Corporate Network (Dual Stack) — IP WAN — branches running Dual Stack or ISATAP.)
• Cisco WAN routers support IPv6
• Dual-stack is recommended due to ease of deployment, security advantage and performance
• Will show example of branch requirement to run a tunnel mechanism
IPv6 in the Branch
When Would a Tunnel Be Used in the Branch LAN?
(Figure: a Dual-Stack branch — IPv6 Mechanism Used: Dual-Stack; a branch router behind a non-IPv6 Layer 3 Switch — IPv6 Mechanism Used: ISATAP.)
IPv6 in the Branch: Configuration
No Configuration Change on Switches
Dual-Stack
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/0
 ipv6 address 2001:DB8:C003:111E::1/64
 ipv6 cef
!
interface Serial0/0.1
 ipv6 address 2001:DB8:C003:111A::2/64
 ipv6 cef

ISATAP (host at 20.1.2.100)
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/0
 ip address 20.1.1.1 255.255.255.252
 ipv6 cef
!
interface Serial0/0
 ipv6 address 2001:DB8:C003:111C::2/64
 ipv6 cef
!
interface Tunnel0
 ipv6 address 2001:DB8:C003:111D::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 cef
 tunnel source FastEthernet0/0
 tunnel mode ipv6ip isatap
ISATAP Address Format: 64-bit Unicast Prefix | 32-bit 0000:5EFE | 32-bit IPv4 Addr. (Interface ID)
Host address: 2001:DB8:C003:111D:0:5EFE:20.1.2.100
OTHER TRANSITION TYPES
IPv6 over IPv4 Tunnels
Configured Tunnel
(Figure: IPv6 Host — IPv6 Network — Dual-Stack Router — IPv4 — Dual-Stack Router — IPv6 Network — IPv6 Host.)
Left dual-stack router
ipv6 unicast-routing
ipv6 cef
!
interface Tunnel0
 no ip address
 ipv6 address 2001:DB8:C003:1104::1/64
 ipv6 cef
 tunnel source Serial0/0
 tunnel destination 192.168.0.1
 tunnel mode ipv6ip
!
interface FastEthernet0/0
 ipv6 address 2001:DB8:C003:111E::1/64
 ipv6 cef
!
interface Serial0/0
 ip address 10.1.1.1 255.255.255.252

Right dual-stack router
ipv6 unicast-routing
ipv6 cef
!
interface Tunnel0
 no ip address
 ipv6 address 2001:DB8:C003:1104::2/64
 ipv6 cef
 tunnel source Serial0/0
 tunnel destination 10.1.1.1
 tunnel mode ipv6ip
!
interface FastEthernet0/0
 ipv6 address 2001:DB8:C003:111F::1/64
 ipv6 cef
!
interface Serial0/0
 ip address 192.168.0.1 255.255.255.252
VPN with Configured Tunnels
• Cannot natively establish IPSec tunnels using IPv6 addresses…yet
• Currently deploy IPv6 VPNs using configured and 6to4 tunnels
(Figure: Branch 1 and Branch 2 each run an IPv6 Configured Tunnel across the IPv4 Internet to VPN head-ends HE1 and HE2 in front of the Corporate Network; one is the Primary IPv6 Tunnel, the other the Secondary IPv6 Tunnel.)
IPv6 Configured Tunnel: Site-to-Site VPN
VPN Head-end configuration
ipv6 unicast-routing
ipv6 cef
!
interface Tunnel2
 description to Branch VPN – IPv6
 no ip address
 ipv6 address 2001:DB8:C003:1121::1/64
 ipv6 rip v6 enable
 ipv6 cef
 tunnel source Serial0/0
 tunnel destination 131.108.102.1
 tunnel mode ipv6ip
 crypto map static-map
!
interface FastEthernet0/0
 description to CAMPUS LAN
 ipv6 address 2001:DB8:C003:111E::2/64
 ipv6 rip v6 enable
 ipv6 cef
!
interface Serial0/0
 ip address 131.108.1.5 255.255.255.252
 crypto map static-map
!
ip access-list extended TO-VPN-BRANCH2
 permit 41 host 131.108.1.5 host 131.108.102.1

VPN Branch configuration
ipv6 unicast-routing
ipv6 cef
!
interface Tunnel2
 description to HE#1 VPN – IPv6
 no ip address
 ipv6 address 2001:DB8:C003:1121::2/64
 ipv6 rip v6 enable
 ipv6 cef
 tunnel source Serial0/0
 tunnel destination 131.108.1.5
 tunnel mode ipv6ip
 crypto map static-map
!
interface FastEthernet0/0.1
 description to BRANCH LAN
 ipv6 address 2001:DB8:C003:1115::1/64
 ipv6 rip v6 enable
 ipv6 cef
!
interface Serial0/0
 ip address 131.108.102.1 255.255.255.252
 crypto map static-map
!
ip access-list extended TO-VPN-RIGHT
 permit 41 host 131.108.102.1 host 131.108.1.5
http://www.cisco.com/go/vpn—Site-to-Site VPNs
6to4 Tunnel (RFC 3056)
6to4 address format: 2002 (/16) | Public IPv4 Address (/48) | SLA (/64) | Interface ID
(Figure: 6to4 Router1 (E0 192.168.99.1, Network Prefix 2002:C0A8:6301::/48) and 6to4 Router2 (E0 192.168.30.1, Network Prefix 2002:C0A8:1E01::/48) connected over IPv4, each with an IPv6 Network behind it.)
• 6to4 tunnel:
  Is an automatic tunnel method
  Gives a prefix to the attached IPv6 network
  2002::/16 assigned to 6to4
  Requires global IPv4 addressing on each Ingress/Egress site (no RFC 1918)
Router2 configuration
interface Loopback0
 ip address 192.168.30.1 255.255.255.0
 ipv6 address 2002:C0A8:1E01:1::/64 eui-64
!
interface Tunnel0
 no ip address
 ipv6 unnumbered Ethernet0
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel0
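The 6to4 prefix derivation and the relay default route, as an added example that is not from the deck: it derives the 2002::/48 from an IPv4 address and back, works out the IPv4 destination of the encapsulating packet (embedded for 2002::/16 destinations, the relay's 6to4 address otherwise), and checks the "no RFC 1918" requirement. Note that the slide's own 192.168.x.x routers fail that check, which is the point of running it.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")        # RFC 3056 6to4 block
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")  # RFC 3068 relay anycast


def sixtofour_prefix(ipv4) -> ipaddress.IPv6Network:
    """2002:VVVV:VVVV::/48 with the 32-bit IPv4 address in bits 16..47."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Network((int(SIXTOFOUR.network_address) | (int(v4) << 80), 48))


def embedded_ipv4(ipv6) -> ipaddress.IPv4Address:
    """Recover the IPv4 endpoint from any address inside 2002::/16."""
    a = ipaddress.IPv6Address(ipv6)
    if a not in SIXTOFOUR:
        raise ValueError(f"{a} is not a 6to4 address")
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def ipv4_next_hop(ipv6_dst, default_next_hop) -> ipaddress.IPv4Address:
    """IPv4 destination of the outer packet: a 2002::/16 destination carries
    its own endpoint; anything else follows the ::/0 route to the relay's
    6to4 address, as on the relay slide's `ipv6 route ::/0 2002:...::1`."""
    d = ipaddress.IPv6Address(ipv6_dst)
    target = d if d in SIXTOFOUR else ipaddress.IPv6Address(default_next_hop)
    return embedded_ipv4(target)


def endpoint_problems(ipv4) -> list:
    """Why an IPv4 address is unsuitable as a 6to4 tunnel source; the slide
    requires global IPv4 addressing and rules out RFC 1918 space."""
    v4 = ipaddress.IPv4Address(ipv4)
    problems = []
    if v4.is_private:
        problems.append("private address: other 6to4 routers and relays cannot "
                        "reach it, and every site using the same range derives "
                        "the same 2002::/48")
    if v4.is_loopback or v4.is_link_local or v4.is_multicast or v4.is_unspecified:
        problems.append("not a routable unicast address")
    return problems


if __name__ == "__main__":
    for router_v4 in ("192.168.99.1", "192.168.30.1"):
        print(router_v4, "->", sixtofour_prefix(router_v4), endpoint_problems(router_v4))
    print("relay anycast prefix:", sixtofour_prefix(RELAY_ANYCAST))
```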
6to4 Relay
(Figure: 6to4 Router1 (192.168.99.1, Network Prefix 2002:C0A8:6301::/48) with an IPv6 Network behind it — IPv4 — 6to4 Relay (IPv6 Address 2002:C0A8:1E01::1) — IPv6 Internet.)
Router1 configuration
interface Loopback0
 ip address 192.168.99.1 255.255.255.0
 ipv6 address 2002:C0A8:6301:1::/64 eui-64
!
interface Tunnel0
 no ip address
 ipv6 unnumbered Ethernet0
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
!
ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:C0A8:1E01::1
• 6to4 relay:
  Is a gateway to the rest of the IPv6 Internet
  Default router
  Anycast address (RFC 3068) for multiple 6to4 relay (192.88.99.1)
Configured Tunnels vs. Automatic Tunnels
Property | Configured | ISATAP | 6to4
Manual Configuration per Client (Router-Side) | YES | NO | NO
Manual Configuration per Client (Client-Side) | YES | NO | NO
IPv6 Multicast Support | YES | NO | NO
Broad Client OS Support | YES | NO | YES
Optimal for Remote Access Clients | NO | YES | YES
Legacy Services (IPv4 Only)
(Figure: an IPv6-only Host on the IPv6-Enabled Network reaches a Legacy IPv4 Server on an IPv4-Only Segment through NAT-PT; an IPv6 Server sits on an IPv6-Only Segment.)
• Many of the non-routing/switching products do not yet support IPv6 (i.e. content switching modules)
• NAT-PT (Network Address Translation—Protocol Translation) as an option to front-end IPv4-only server
• Place NAT-PT box as close to IPv4-only server as possible
• Be VERY aware of performance and manageability issues
NAT-PT Packet Flow
(Figure: IPv6 Host 2001:DB8:C003:1::10 — IPv6 Interface — NAT-PT — IPv4 Interface — IPv4 Host 192.168.1.10.)
1. IPv6 side: Src: 2001:DB8:C003:1::10, Dst: PREFIX::1
2. IPv4 side: Src: 192.168.2.10, Dst: 192.168.1.10
3. IPv4 side: Src: 192.168.1.10, Dst: 192.168.2.10
4. IPv6 side: Src: PREFIX::1, Dst: 2001:DB8:C003:1::10
Configuring Cisco IOS NAT-PT
• NAT-PT enables communication between IPv6-only and IPv4-only nodes
(Figure: F0/0 faces 2001:DB8:C003:1::/64 with host 2001:DB8:C003:1::10; F0/1 faces 192.168.1.0/24 with a DNS server at .100 and a host at .10; NAT Prefix 2010::/96.)
interface FastEthernet0/0
 ipv6 address 2001:DB8:C003:1::1/64
 ipv6 nat prefix 2010::/96
 ipv6 nat
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ipv6 nat
!
ipv6 nat v4v6 source 192.168.1.100 2010::100
!
ipv6 nat v6v4 source route-map MAP1 pool V4POOL
ipv6 nat v6v4 pool V4POOL 192.168.2.1 192.168.2.10 prefix-length 24
!
route-map MAP1 permit 10
 match interface FastEthernet0/0
IPv6 OVER MPLS
SEE RST-2602, 4607 AND 2702
IPv6 over MPLS
Deployment Scenarios
• Many ways to deliver IPv6 services to end users
  Most important is end-to-end IPv6 traffic forwarding
• Many service providers have already deployed MPLS in their IPv4 backbone for various reasons
  MPLS/VPN, MPLS/QoS, MPLS/TE, ATM + IP switching, L2 services (AToM, EoMPLS)
• MPLS can be used to facilitate IPv6 integration
• Multiple approaches for IPv6 over MPLS:
  IPv6 CE-to-CE IPv6 over IPv4 Tunnels
  IPv6 Provider Edge Router (6PE) over MPLS
  IPv6 VPN Provider Edge (6VPE) over MPLS—in progress
IPv6 Provider Edge Router (6PE) over MPLS
(Figure: an IPv4 MPLS core of P routers with 6PE routers at the edge (Dual Stack IPv4-IPv6 Routers) exchanging iBGP (MBGP) sessions; v6 CE sites 2001:0620::, 2001:0421::, 2001:0420:: and 2001:0621:: and v4 CE sites 145.95.0.0, 192.76.10.0 and 192.254.10.0 attach to the 6PEs.)
• IPv4 or MPLS core infrastructure is IPv6-unaware
• PEs are updated to support dual stack/6PE
• IPv6 reachability exchanged among 6PEs via iBGP (MBGP)
• IPv6 packets transported from 6PE to 6PE inside MPLS
http://www.cisco.com/warp/public/cc/pd/iosw/prodlit/iosip_an.htm
6PE
• See <draft-ietf-ngtrans-bgp-tunnel-04.txt>: “BGP Tunneling”—co-authored by Cisco
  Generic solution for transport of IPv6 over any tunneling technique (including MPLS) using MP-BGP
  6PE is Cisco IOS implementation of “BGP Tunneling” over MPLS
(Figure: v6 and v4 CEs attached to 6PE routers around a core of P routers.)
Why Cisco IOS IPv6 VPN Provider Edge (6VPE)?
• For VPN customers, IPv6 VPN service is exactly the same as IPv4 VPN service
• Current 6PE is “like VPN” but this is NOT VPN, i.e. global reachability
• For ISP offering MPLS/VPN for IPv4 that wish to add IPv6 services as well
  No modification on the MPLS core
  Support both IPv4 and IPv6 VPNs concurrently on the same interfaces
  Configuration and operations of IPv6 VPNs exactly like IPv4 VPNs
6VPE Deployment
(Figure: iBGP (MBGP) Sessions between PEs around a core of P routers; VPN A sites carry v4 and v6 VPN traffic, VPN B sites are v6 Only.)
• IPv6 VPN can coexist with IPv4 VPN—same coverage
• 6VPE is added only when and where the service is required
• <draft-ietf-ppvpn-bgp-ipv6-vpn-xx.txt>
• 6VPE—An implementation of <draft-ietf-bgp-ipv6-vpn> over MPLS/IPv4
ENTERPRISE DEPLOYMENT:
REMOTE ACCESS
IPv6 for Remote Devices
• Remote nodes can use a VPN client or router to establish connectivity back to enterprise
• Possible over IPv4 today, not possible over IPv6 today (key management is still in progress)
• How could we allow access to IPv6 services at central site or Internet in a secure fashion?
  (Figure: remote host — Internet — Corporate Network.)
  Enabling IPv6 traffic inside the Cisco VPN Client tunnel
  Allow remote host to establish a v6-in-v4 tunnel either automatically or manually
    ISATAP—Intra Site Automatic Tunnel Addressing Protocol
    Configured—Static configuration for each side of tunnel
  Same (severe) split-tunneling issues exist
IPv6-in-IPv4 Tunnel Example
(Figure: Remote User — Internet (IPv4 Link, IPSec VPN) — VPN 3000 Concentrator — Firewall — Catalyst 6500 Supervisor 720 Dual-stack — Corporate Network (IPv6 Link) — IPv6 Server. The IPv6-in-IPv4 Tunnel(s) run inside the IPSec VPN; IPv6 Traffic and IPv4 Traffic are shown separately.)
Note: The VPN Concentrator Could Be Replaced with a VPN-Enabled Cisco IOS Router or PIX
Considerations
• Cisco IOS version supporting IPv6 configured/ISATAP tunnels
  Configured—12.3(1)M/12.3(2)T/12.2(14)S and above
  ISATAP—12.3(1)M, 12.3(2)T, 12.2(14)S and above
  Catalyst 6500 with Sup720—12.2(17a)SX1—HW forwarding
• Be aware of the security issues if split-tunneling is used
  Attacker can come in IPv6 interface and jump on the IPv4 interface (encrypted to enterprise)
• Remember that the IPv6 tunneled traffic is still encapsulated as a tunnel WHEN it leaves the VPN device
• Allow IPv6 tunneled traffic across any access lists (Protocol 41)
Required Stuff: Client Side
• Client operating system with IPv6
Microsoft Windows XP SP1 (Supports Configured/ISATAP)
Linux (7.3 or higher)—USAGI port required for ISATAP
Mac OS X (10.2 or higher)—Currently need a VPN device on client network
SunOS (8 or higher)—Currently need a VPN device on client network
See reference slide for links/OS listing
• Cisco VPN Client 4.0.1 and higher for configured/ISATAP
• Cisco VPN Client 3.x for configured ONLY
• Cisco HW VPN Client 3002—recommended for Mac/Sun
clients until virtual adapter support is available
IPv6 Using Cisco VPN Client
Example: Router Configuration: ISATAP
(Figure: VPN 3000 Concentrator — F3/1 — Catalyst 6500 Supervisor 720 Dual-stack — G2/1 — Corporate Network.)
Dual-stack router configuration
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet3/1
 description TO VPN 3000
 ip address 20.1.1.1 255.255.255.0
!
interface GigabitEthernet2/1
 ipv6 address 2001:DB8:C003:111C::2/64
 ipv6 cef
!
interface Tunnel0
 description ISATAP Tunnel for VPN Clients
 no ip address
 ipv6 address 2001:DB8:C003:1101::/64 eui-64
 no ipv6 nd suppress-ra
 ipv6 cef
 tunnel source FastEthernet3/1
 tunnel mode ipv6ip isatap
ISATAP Address Format: 64-bit Unicast Prefix | 32-bit 0000:5EFE | 32-bit IPv4 Addr. (Interface ID)
Router ISATAP address: 2001:DB8:C003:1101:0:5EFE:20.1.1.1
IPv6 Using Cisco VPN Client
Example: Client Configuration (Windows XP): ISATAP
• Microsoft Windows XP (SP1 or higher)
• IPv6 must be installed
C:\>ipv6 install
• XP will automatically attempt to resolve the name “ISATAP”
Local host name
Hosts file—SystemRoot\system32\drivers\etc
DNS name query
NetBIOS and Lmhosts
• Manual ISATAP router entry can be made
netsh interface ipv6 isatap set router 20.1.1.1
• Key fact here is that NO additional configuration on the client
is needed again!!!
Note: ISATAP Is Supported on Some Versions of Linux/BSD (Manual Router Entry Is Required)
Does It Work?
(Figure: Windows XP Client — VPN 3000 — Catalyst 6500/Sup 720 Dual-Stack. Client: 10.1.99.102—VPN Address; 2001:DB8:c003:1101:0:5efe:10.1.99.102—IPv6 address.)
Interface 2: Automatic Tunneling Pseudo-Interface
Addr Type  DAD State  Valid Life   Pref. Life  Address
---------  ---------  -----------  ----------  --------------------------------------
Public     Preferred  29d23h56m5s  6d23h56m5s  2001:db8:c003:1101:0:5efe:10.1.99.102
Link       Preferred  infinite     infinite    fe80::5efe:10.1.99.102

netsh interface ipv6>show route
Querying active state...

Publish  Type      Met  Prefix                   Idx  Gateway/Interface Name
-------  --------  ---  -----------------------  ---  ------------------------------------
no       Autoconf  9    2001:db8:c003:1101::/64  2    Automatic Tunneling Pseudo-Interface
no       Manual    1    ::/0                     2    fe80::5efe:20.1.1.1
ADVANCED DEPLOYMENT
IPv6 MULTICAST
SEE RST-1701, 2701 AND 4701
IPv4 and IPv6 Multicast Comparison
Service | IPv4 Solution | IPv6 Solution
Addressing Range | 32-bit, Class D | 128-bit (112-bit Group)
Routing | Protocol Independent, All IGPs and MBGP | Protocol Independent, All IGPs and MBGP with v6 mcast SAFI
Forwarding | PIM-DM, PIM-SM, PIM-SSM, PIM-bidir | PIM-SM, PIM-SSM, PIM-bidir
Group Management | IGMPv1, v2, v3 | MLDv1, v2
Domain Control | Boundary, Border | Scope Identifier
Interdomain Solutions | MSDP across Independent PIM Domains | Single RP within Globally Shared Domains
IPv6 Multicast Addresses (RFC 3513)
128 bits: 1111 1111 (FF, 8 bits) | Flags + Scope (8 bits: 4 + 4) | Group ID (112 bits)
FLAGS = 0 0 P T
  T or Lifetime: 0 if Permanent, 1 if Temporary
  P: Proposed for Unicast-Based Assignments
  Others Are Undefined and Must Be Zero
SCOPE =
  1 = Interface-local
  2 = Link
  4 = Admin-local
  5 = Site
  8 = Organization
  E = Global
IPv6 Unicast Based Multicast Addresses (RFC3306)
• Solves the old IPv4 address assignment problem: How can I get global IPv4 multicast addresses?
• In IPv6, if you own an IPv6 unicast address prefix you implicitly own an RFC3306 IPv6 multicast address prefix:
  bits:  8  |   4   |   4   |  8   |  8   |       64       |    32
         FF | Flags | Scope | Rsvd | Plen | Network Prefix | Group ID
  Example: FF3E:0040:2001:0DB8:C003:1109:0000:1111
    3 hex: Flags = 00PT, P = 1, T = 1 => Unicast-Based Address (Uni-pfx)
    E hex: Global scope
    40 hex: Prefix = 64
    2001:0DB8:C003:1109: Network Prefix
    0000:1111: Group ID
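The RFC 3513 flags/scope layout and the RFC 3306 unicast-prefix-based format above, as an added example that is not part of the deck: it builds a group address from a unicast prefix, scope and group ID, and decodes any multicast address back into its fields, recognising the FF3x::/32 SSM ranges (prefix length 0, prefix 0) that the later `show ipv6 pim range-list` slide prints.

```python
import ipaddress

# Scope values from the RFC 3513 slide.
SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}
FLAG_T = 0b0001  # transient (non-permanent) address
FLAG_P = 0b0010  # unicast-prefix-based address (RFC 3306)


def unicast_based_group(unicast_prefix, scope, group_id) -> ipaddress.IPv6Address:
    """FF | flags=0011 | scope | rsvd=0 | plen | 64-bit prefix | 32-bit group."""
    net = ipaddress.IPv6Network(unicast_prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError("RFC 3306 carries at most a 64-bit network prefix")
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope:X}")
    if not 0 <= group_id < 2 ** 32:
        raise ValueError("group ID is 32 bits")
    value = ((0xFF << 120)
             | ((FLAG_P | FLAG_T) << 116)
             | (scope << 112)
             | (net.prefixlen << 96)                     # rsvd byte stays 0
             | ((int(net.network_address) >> 64) << 32)  # network prefix
             | group_id)
    return ipaddress.IPv6Address(value)


def decode_multicast(addr) -> dict:
    """Split a multicast address into flags, scope and, for prefix-based
    addresses, plen / network prefix / group ID, flagging SSM ranges."""
    a = int(ipaddress.IPv6Address(addr))
    if a >> 120 != 0xFF:
        raise ValueError(f"{addr} is not a multicast address")
    flags, scope = (a >> 116) & 0xF, (a >> 112) & 0xF
    info = {
        "flags": flags,
        "transient": bool(flags & FLAG_T),
        "prefix_based": bool(flags & FLAG_P),
        "scope": SCOPES.get(scope, f"unassigned({scope:X})"),
    }
    if info["prefix_based"]:
        plen = (a >> 96) & 0xFF
        prefix = (a >> 32) & ((1 << 64) - 1)
        info["plen"] = plen
        info["network_prefix"] = (
            str(ipaddress.IPv6Network((prefix << 64, plen), strict=False)) if plen else None)
        info["group_id"] = a & 0xFFFFFFFF
        # SSM is the prefix-based format with plen 0 and an all-zero prefix:
        # FF3x::/32, which IOS auto-defines for every scope.
        info["ssm"] = plen == 0 and prefix == 0
    return info


if __name__ == "__main__":
    g = unicast_based_group("2001:DB8:C003:1109::/64", 0xE, 0x1111)
    print(g, decode_multicast(g))
    print("ff3e::/32 is SSM:", decode_multicast("ff3e::")["ssm"])
```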
Multicast Listener Discovery: MLD
Multicast Host Membership Control
(Figure: Host — Multicast Control via MLD — router.)
• MLD is equivalent to IGMP in IPv4
• MLD messages are transported over ICMPv6
• MLD uses link local source addresses
• MLD packets use “Router Alert” option in IPv6 header (RFC2711)
• Version number confusion:
  MLDv1 (RFC2710) like IGMPv2 (RFC2236)
  MLDv2 (draft-vida-mld-v2-xx) like IGMPv3 (RFC3376)
Multicast Interdomain Options
With and Without Rendezvous Points (RP)
(Figure, three cases, each with a source S, a receiver R and a designated router DR:
 SSM, No RPs;
 ASM Across Multiple Separate PIM Domains, Each with RP, MSDP Peering;
 ASM Across Single Shared PIM Domain, One RP.)
Source Specific Multicast (SSM)
• NO configuration required other than enabling ipv6 multicast-routing
• SSM group ranges are automatically defined
• Very few applications support MLDv2…yet
router#show ipv6 pim range-list
config SSM Exp: never Learnt from : ::
FF33::/32 Up: 1d00h
FF34::/32 Up: 1d00h
FF35::/32 Up: 1d00h
FF36::/32 Up: 1d00h
FF37::/32 Up: 1d00h
FF38::/32 Up: 1d00h
FF39::/32 Up: 1d00h
FF3A::/32 Up: 1d00h
FF3B::/32 Up: 1d00h
FF3C::/32 Up: 1d00h
FF3D::/32 Up: 1d00h
FF3E::/32 Up: 1d00h
FF3F::/32 Up: 1d00h
Rendezvous Point (RP) Deployment Types
• Static RP
  For PIM-SM and Bidir-PIM
  Provides group-to-RP mapping, no RP redundancy
• Boot Strap Router (BSR)
  Provides group-to-RP mapping AND RP redundancy
• Embedded-RP
  Easy to deploy
  Group-to-RP mapping only, no RP redundancy
  PIM-SM only (today), no Bidir-PIM
• RP redundancy options for static/embedded-RP
  MSDP mesh-group, PIM/Anycast ?, Prefixlength/Anycast
  Could also be combined with BSR for faster convergence
IPv6 Multicast Static RP
• Easier than before as PIM is auto-enabled on every interface
ipv6 multicast-routing
!
interface Loopback0
description IPV6 IPmc RP
no ip address
ipv6 address 2001:DB8:C003:110A::1/64
!
ipv6 pim rp-address 2001:DB8:C003:110A::1/64
Diagram: Corporate Network with Source and RP (L0), connected over the IP WAN to the other router, configured with:
ipv6 multicast-routing
!
ipv6 pim rp-address 2001:DB8:C003:110A::1/64
Bidirectional PIM (Bidir)
• The same many-to-many model as before
• Configure the Bidir RP and group range via the usual ip pim rp-address syntax with the optional bidir keyword
!
ipv6 pim rp-address 2001:DB8:C003:110A::1 bidir
!
#show ipv6 pim range | include BD
Static BD RP: 2001:DB8:C003:110A::1 Exp: never Learnt from : ::
IPv6 Multicast PIM BSR: Configuration
Diagram: Corporate Network (Source) and IP WAN with two candidate BSR/RP routers, wan-top (RP 2001:DB8:C003:1116::2) and wan-bottom (RP 2001:DB8:C003:110A::1)
wan-top#sh run | incl ipv6 pim bsr
ipv6 pim bsr candidate-bsr 2001:DB8:C003:1116::2
ipv6 pim bsr candidate-rp 2001:DB8:C003:1116::2
wan-bottom#sh run | incl ipv6 pim bsr
ipv6 pim bsr candidate-bsr 2001:DB8:C003:110A::1
ipv6 pim bsr candidate-rp 2001:DB8:C003:110A::1
Embedded-RP Addressing Overview
• draft-savola-mboned-mcast-rpaddr-00.txt
• Relies on a subset of RFC3306 - IPv6 unicast-prefix-based multicast group addresses with special encoding rules:
  Group address carries the RP address for the group!
  For each Unicast prefix you own, you now also own: 16 RPs for each of the 16 Multicast Scopes (256 total) with 2^32 multicast groups assigned to each RP (2^40 total)
New address format defined:
Field widths (bits): 8 | 4 | 4 | 4 | 4 | 8 | 64 | 32
FF | Flags| Scope |Rsvd | RPaddr| Plen | Network Prefix | Group ID
Flags = 0RPT, R = 1, P = 1, T = 1 => RP address embedded
Example Group: FF76:0130:1234:5678:9ab0::0102:0304 (Group ID = 0x01020304)
Embedded RP: 1234:5678:9ab0::1
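The field carving on this slide and on the RFC3306 slide above can be checked mechanically. The Python below is an added example, not code from the presentation: it decodes an FFxx:: group into its Flags/Scope/Rsvd/RPaddr/Plen/prefix/Group-ID fields, builds such a group from a unicast prefix you own, and derives the embedded RP; decode_group, build_group and rp_in_own_prefix are names assumed here, the last one being the check that an embedded RP really falls inside your own prefix.

```python
"""Decode and build IPv6 unicast-prefix-based (RFC 3306) and embedded-RP
multicast group addresses:

    FF | Flags | Scope | Rsvd | RPaddr | Plen | Network Prefix | Group ID
     8     4       4      4       4       8          64            32

Flags are 0RPT: R = RP address embedded, P = prefix-based, T = transient.
Added example, not code from the Cisco presentation.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class McastGroup:
    flags: int                     # 4-bit flags nibble, 0RPT
    scope: int                     # 4-bit scope (2 = link, 5 = site, E = global)
    rp_nibble: int                 # RPaddr (embedded-RP only, otherwise 0)
    plen: int                      # number of valid bits in the prefix field
    prefix: ipaddress.IPv6Network  # the owner's unicast prefix
    group_id: int                  # low-order 32 bits

    @property
    def prefix_based(self) -> bool:
        return bool(self.flags & 0x2)            # P bit

    @property
    def embedded_rp(self) -> bool:
        return bool(self.flags & 0x4)            # R bit

    @property
    def rp_address(self):
        """RP = network prefix, zero-filled, with RPaddr as the last nibble."""
        if not self.embedded_rp:
            return None
        return ipaddress.IPv6Address(int(self.prefix.network_address) | self.rp_nibble)


def decode_group(addr: str) -> McastGroup:
    """Split an FFxx:: group address into its RFC 3306 / embedded-RP fields."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 120 != 0xFF:
        raise ValueError("not an IPv6 multicast address")
    flags = (n >> 116) & 0xF
    scope = (n >> 112) & 0xF
    rsvd = (n >> 108) & 0xF
    rp_nibble = (n >> 104) & 0xF
    plen = (n >> 96) & 0xFF
    prefix_bits = (n >> 32) & ((1 << 64) - 1)
    group_id = n & 0xFFFFFFFF
    if not flags & 0x2:
        raise ValueError("P flag clear: not a unicast-prefix-based group")
    if rsvd != 0 or plen > 64:
        raise ValueError("reserved bits set or prefix length > 64")
    if rp_nibble and not flags & 0x4:
        raise ValueError("RPaddr field set without the R flag")
    # Only the first plen bits of the 64-bit field belong to the prefix.
    prefix = ipaddress.IPv6Network((prefix_bits << 64, plen), strict=False)
    return McastGroup(flags, scope, rp_nibble, plen, prefix, group_id)


def build_group(prefix: str, scope: int, group_id: int, rp_nibble: int = 0) -> str:
    """Build the RFC 3306 group (or, with rp_nibble > 0, the embedded-RP group)
    that an owner of `prefix` may assign; scope is the 4-bit scope value."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64 or not 0 <= group_id <= 0xFFFFFFFF:
        raise ValueError("prefix must be /64 or shorter, group ID 32 bits")
    if not 0 <= rp_nibble <= 0xF or not 0 <= scope <= 0xF:
        raise ValueError("RPaddr and scope are 4-bit fields")
    flags = 0x3 | (0x4 if rp_nibble else 0)       # P = 1, T = 1, R if embedded
    n = (0xFF << 120) | (flags << 116) | (scope << 112)
    n |= (rp_nibble << 104) | (net.prefixlen << 96)
    n |= ((int(net.network_address) >> 64) << 32) | group_id
    return str(ipaddress.IPv6Address(n))


def rp_in_own_prefix(group: str, owned_prefix: str) -> bool:
    """Check, before deploying an embedded-RP group, that the RP it names lies
    inside a prefix you control (hypothetical helper; a WRONG RP nibble would
    silently make some other router the RP for the whole group)."""
    g = decode_group(group)
    return g.embedded_rp and g.rp_address in ipaddress.IPv6Network(owned_prefix)
```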
Embedded-RP Addressing Benefit
• PIM-SM protocol operations with embedded-RP:
  No change in actual PIM-SM protocol operations
  Embedded-RP can be considered an automatic replacement for static RP configuration
  Can also replace BSR for RP learning
  Works this simply because of the large address space of IPv6; no equivalent is possible in IPv4
  Intradomain transition to embedded-RP is easy: non-supporting routers simply need to be configured statically or via BSR for the embedded RPs!
Embedded-RP Limitations
• Embedded-RP is just a method to learn ONE RP address for a multicast group:
  It cannot replace RP redundancy as possible with BSR or MSDP/anycast-RP
  Any RP redundancy solution that ought to work for an embedded RP must be some kind of anycast-RP solution because the embedded RP address is fixed through the mechanism—e.g.: if MSDP was available for IPv6, MSDP/anycast-RP could be used together with embedded RP
  See later slides!
• Embedded-RP does not (yet) support Bidir-PIM
  Simply extending the mapping function to define Bidir-PIM RPs is not sufficient:
  In Bidir-PIM routers carry per-RP state (DF per interface) prior to any data packet arriving; this would need to be changed in Bidir-PIM if Embedded-RP was to be supported
Embedded-RP Configuration Example
• RP to be used as an Embedded-RP needs to be configured with address/group range
• All other non-RP routers require no special configuration
Diagram: Corporate Network with Source and RP (L0), IP WAN
ipv6 pim rp-address 2001:DB8:C003:111D::1 ERP
!
ipv6 access-list ERP
permit ipv6 any FF7E:140:2001:DB8:C003:111D::/96
Embedded RP: Does It Work?
branch#show ipv6 pim group
FF7E:140:2001:DB8:C003:111D::/96*
RP      : 2001:DB8:C003:111D::1
Protocol: SM
Client  : Embedded
Groups  : 1
Info    : RPF: Se0/0.1,FE80::210:7FF:FEDD:40
branch#show ipv6 mroute active
Active IPv6 Multicast Sources - sending >= 4 kbps
Group: FF75:140:2001:DB8:C003:111D:0:1112
Source: 2001:DB8:C003:1109::2
Rate: 21 pps/122 kbps(1sec), 124 kbps(last 100 sec)
branch#show ipv6 pim range | include Embedded
Embedded SM RP: 2001:DB8:C003:111D::1 Exp: never Learnt from : ::
FF7E:140:2001:DB8:C003:111D::/96 Up: 00:00:24
Diagram: Receiver sends Report; branch router joins toward the RP across the IP WAN
RP Redundancy: Potential Anycast RP Alternatives
• MSDPv6
  Perfectly well suited to support Anycast-RP (one mesh-group)
  Complex protocol—only a small subset of MSDP needed for Anycast-RP
• draft-ietf-farinacci-pim-anycast-rp-xx.txt
  Most simple protocol doing exactly what MSDP needs to do in one mesh-group: PIM-SM register messages are unicast forwarded between the redundant RPs
  (Almost) no operational differences to MSDP for Anycast-RP
• Prefixlength/Anycast-RP
  Solution without any new protocol (in that way similar to embedded-RP)—a.k.a.: most simple solution?
  Could support PIM-SM and Bidir-PIM, IPv4 and IPv6
Diagram: Primary RP and Backup RP? (Now What Do I Do??)
Pick Your Poison
• One size does NOT fit all
• PIM-SSM is the way to go for one/few-to-many applications, but requires MLDv2 and the app to support SSM operation
• Embedded-RP is simple to deploy, but is new and does not currently provide for RP redundancy
• PIM-BSR provides for easier RP deployment than static RP and provides for RP redundancy (albeit slow), but is a bit more complicated
• Cisco is working on scalable and highly-available RP deployment methods (see appendix)
IPv6 QoS
SEE NMS-2T30 AND RST-2510
IPv6 QoS: Header Fields
• IPv6 traffic class
  Exactly the same as TOS field in IPv4
• IPv6 flow label
  A new 20-bit field in the IPv6 basic header which:
    Labels packets belonging to particular flows
    Can be used for special sender requests
  No RFC regarding flow label usage yet
  draft-ietf-ipv6-flow-label-xx.txt
Diagram: IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address)
IPv6 QoS Syntax Changes
• IPv4 syntax has used “ip” following match/set statements
  Example: match ip dscp, set ip dscp
• Modification in QoS syntax to support IPv6 and IPv4
  New match criteria
    match dscp—Match DSCP in v4/v6
    match precedence—Match Precedence in v4/v6
    match protocol ipv6—Match on IPv6 Protocol
  New set criteria
    set dscp—Set DSCP in v4/v6
    set precedence—Set Precedence in v4/v6
• Additional support for IPv6 does not always require new Command Line Interface (CLI)
  Example—WRED
Simple QoS Example: IPv4 and IPv6
class-map match-any BRANCH-BULK-DATA
match access-group name BULK-DATA-IPV6
match access-group name BULK-DATA
class-map match-all BULK-DATA
match dscp af11
!
policy-map RBR-WAN-EDGE
class BULK-DATA
bandwidth percent 4
random-detect
!
policy-map RBR-LAN-EDGE-IN
class BRANCH-BULK-DATA
set dscp af11
!
ip access-list extended BULK-DATA
permit tcp any any eq ftp
permit tcp any any eq ftp-data
!
ipv6 access-list BULK-DATA-IPV6
permit tcp any any eq ftp
permit tcp any any eq ftp-data
Callouts: ACL Match To Set DSCP (If Packets Are Not Already Marked); ACLs to Match for Both IPv4 and IPv6 Packets
service-policy input RBR-LAN-EDGE-IN
service-policy output RBR-WAN-EDGE
IPv6 QoS: Support
• Cisco’s current IPv6 QoS implementation supports:
  Packet classification
  Queuing—(does support LLQ)—excluding PQ/CQ
  Traffic shaping
  WRED
  Class-based packet marking
  Policy-based packet marking
• Cisco’s current IPv6 QoS implementation does not support:
  Compressed Real-Time Protocol (CRTP)
  Network-Based Application Recognition (NBAR)
  Committed Access Rate (CAR)
  Priority Queuing (PQ)
  Custom Queuing (CQ)
IPv6 SECURITY
ATTEND SEC-2003
www.cisco.com/security_services/ciag/documents/v6-v4-threats.pdf
IPv6 Hacking Tools
Let the Games Begin…
• Sniffers/packet capture: Snort, TCPdump, Sun Solaris snoop, COLD, Ethereal, Analyzer, Windump, WinPcap, NetPeek, Sniffer Pro
• Scanners: IPv6 Security Scanner, Halfscan6, Nmap, Strobe, Netcat
• DoS Tools: 6tunneldos, 4to6ddos, Imps6-tools
• Packet forgers: SendIP, Packit, Spak6
• Worms: Slapper
IPv6 Security
• RFC “mandates” privacy and encryption
• Same IPSec you already know
• Two security extension headers defined; all implementations required to support (IPSec)
  Authentication Header (AH)
  Encapsulating Security Payload (ESP)
  Key distribution protocols are under development
  Support for manual key configuration required
• New concept of privacy addressing
  On by default in Microsoft XP SP1+
  Randomly generated address used as the source address for applications
• Nearly impossible to perform successful network scans
IPv6 Protocol Challenges
• Inherits many challenges found in IPv4
  Same applications
  Same TCP, UDP layers
• Many new features
  Autoconfiguration (router advertisements)
  ND—neighbor discovery (altering ICMPv6 packets)
  DAD—multiple (bad) addresses
  Mobile IPv6—binding update, etc.
IPv6 Security Considerations
• If all hosts are performing encryption, what happens to…
  Intrusion detection
  Intrusion prevention (inline filtering)
  Virus protection
  Deep packet inspection
  Proxies
• The real world will likely implement…
  Decoupling of end-to-end encryption (terminate connections on a bulk encryption device)
  Use of authentication headers providing packet integrity, but not encryption
  Extensive use of personal (host-based) firewalls and host-based IDS (Cisco Security Agent) to augment network-based security tools
IPv6 Transition Mechanism Challenges
• Dual stack
  Consider security for both protocols
  Cross v4/v6 abuse
  Resiliency (shared resources)
• Tunnels
  Bypass firewalls (protocol 41)
  Relayed DoS attacks from v6 to v4 and vice versa
• Translation mechanisms
  Prevent end-to-end network and transport layer security
Basic IPv6 Packet Filtering (Access Control List)
• When used for traffic filtering, IPv6 Access Control Lists (ACL) offer the same level of support as in IPv4
  Every IPv6 ACL has an implicit permit icmp any any nd-na and permit icmp any any nd-ns
  Implicit deny all at the end of the access list
interface FastEthernet0/0
ipv6 address 2001:DB8:C003:1101::1/64
ipv6 traffic-filter V6FILTER in
!
ipv6 access-list V6FILTER
permit tcp any host 2001:DB8:C003:1102::10 eq web
!
Diagram: IPv6 Internet, F0/0, Web Server 2001:DB8:C003:1102::10/64; HTTP from ANY is permitted
Cisco IOS IPv6 Firewall Feature Set
Example: Nothing New from IPv4
• Cisco IOS Firewall released 12.3(7)T
ipv6 unicast-routing
!
ipv6 inspect audit-trail
ipv6 inspect max-incomplete low 150
ipv6 inspect max-incomplete high 250
ipv6 inspect one-minute low 100
ipv6 inspect one-minute high 200
ipv6 inspect name V6FW tcp timeout 300
ipv6 inspect name V6FW udp
ipv6 inspect name V6FW icmp
!
interface FastEthernet0/0
ipv6 address 2001:DB8:C003:1112::2/64
ipv6 traffic-filter EXAMPLE in
ipv6 inspect V6FW in
!
ipv6 access-list EXAMPLE
permit tcp any host 2001:DB8:C003:1113::2 eq www
permit tcp any host 2001:DB8:C003:1113::2 eq ftp
deny ipv6 any any log
http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/ps5761/index.html
Diagram: IPv6 Internet, F0/0, Web/FTP Server 2001:DB8:C003:1113::2; HTTP and FTP from ANY are permitted
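The implicit entries on the previous slide and the explicit deny ipv6 any any log in the EXAMPLE list interact: IOS appends the implicit ND permits after the last configured entry, so an explicit deny-all placed before them also drops neighbor solicitations and advertisements unless nd-ns/nd-na are permitted explicitly. The Python below is an added example, not Cisco code, that models the first-match evaluation over the two lists from these slides; Packet, Ace, parse_ace, evaluate and nd_survives are names assumed here.

```python
"""Model of how Cisco IOS evaluates an IPv6 traffic-filter ACL: entries are
tried top-down, first match wins, and every list ends with the implicit
entries the slide lists (permit nd-na, permit nd-ns, deny ipv6 any any).
Added example, not Cisco code; it understands only the keywords used in
the V6FILTER and EXAMPLE lists (any, host, eq, nd-ns, nd-na, log).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ND_NS, ND_NA = 135, 136              # ICMPv6 Neighbor Solicitation / Advertisement
PORT_NAMES = {"web": 80, "www": 80, "ftp": 21, "ftp-data": 20}
IMPLICIT_TAIL = [                    # appended by IOS after the last configured ACE
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
]


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp", "icmp" or "ipv6" (any protocol)
    src: str                         # "any" or an IPv6 prefix
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    log: bool = False

    @staticmethod
    def _addr_ok(spec: str, addr: str) -> bool:
        return spec == "any" or ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(spec)

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ipv6", p.proto)
                and self._addr_ok(self.src, p.src) and self._addr_ok(self.dst, p.dst)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type))


def parse_ace(line: str) -> Ace:
    """Parse one IOS-style entry, e.g. 'permit tcp any host 2001:DB8::10 eq web'."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    addrs: List[str] = []
    while len(addrs) < 2:            # source, then destination
        if rest[0] == "host":
            addrs.append(rest[1] + "/128")
            rest = rest[2:]
        else:                        # "any" or an explicit prefix
            addrs.append(rest[0])
            rest = rest[1:]
    ace = Ace(action, proto, addrs[0], addrs[1])
    while rest:
        kw, rest = rest[0], rest[1:]
        if kw == "eq":
            ace.dport = PORT_NAMES.get(rest[0]) or int(rest[0])
            rest = rest[1:]
        elif kw == "log":
            ace.log = True
        elif kw in ("nd-ns", "nd-na"):
            ace.icmp_type = ND_NS if kw == "nd-ns" else ND_NA
        else:
            raise ValueError(f"unsupported keyword: {kw}")
    return ace


def evaluate(acl_lines: List[str], p: Packet) -> str:
    """Return "permit" or "deny" for p; the implicit tail guarantees a match."""
    for line in list(acl_lines) + IMPLICIT_TAIL:
        ace = parse_ace(line)
        if ace.matches(p):
            return ace.action
    raise AssertionError("unreachable: implicit deny matches everything")


# The two lists from the slides.
V6FILTER = ["permit tcp any host 2001:DB8:C003:1102::10 eq web"]
EXAMPLE = [
    "permit tcp any host 2001:DB8:C003:1113::2 eq www",
    "permit tcp any host 2001:DB8:C003:1113::2 eq ftp",
    "deny ipv6 any any log",
]
# Constructed sample packets: a Neighbor Solicitation from a link-local
# neighbor, and an HTTP SYN from an Internet host toward the web server.
NS = Packet("FE80::1", "FF02::1:FF00:10", "icmp", icmp_type=ND_NS)
HTTP = Packet("2001:DB8:FFFF::5", "2001:DB8:C003:1102::10", "tcp", dport=80)


def nd_survives(acl_lines: List[str]) -> bool:
    """Does neighbor discovery still get through this ACL? An explicit
    'deny ipv6 any any' shadows the implicit ND permits, so EXAMPLE fails
    unless nd-ns/nd-na permits are added before the deny."""
    return evaluate(acl_lines, NS) == "permit"
```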
MOBILE IPv6 (MIPv6)
SEE RST-2304
Mobile IPv6 Benefits
• IPv6 address space enables mobile IP deployment in any kind of large environment
• No foreign agent needed in MIPv6
  Infrastructure does not need an upgrade to accept Mobile IPv6 Nodes
• IPv6 auto-configuration simplifies Mobile Node (MN) CoA (Care of Address) assignment
• MIPv6 takes advantage of the IPv6 protocol itself
  e.g. option headers, neighbor discovery
• Optimized routing—avoids triangular routing
  Scales more easily, but brings network management challenges
• MNs work transparently even with other nodes that do not support mobility
  Albeit without route optimization
Mobile IPv6: Key Components
CN, Correspondent Node: Destination IP Host in Session with a Mobile Node
HA, Home Agent: Maintains an Association Between the MN’s “Home” IP Address and Its Care of Address (Loaned Address) on the Foreign Network
MN, Mobile Node: An IP Host that Maintains Network Connectivity Using Its “Home” IP Address, Regardless of which Link (or Network) It Is Connected to
Diagram: CN, HA and MN connected through the Internet
MIPv6 Operations: MN on its Home Network
Diagram: Home Link with the MN; CN across the Internet
While a Mobile Node Is at Home, Packets Addressed to Its Home Address Are Routed to the Mobile Node's Home Link, Using Conventional Internet Routing Mechanisms
• A Mobile Node (MN) is always expected to be addressable at its home address, whether it is currently attached to its home link or is away from home
• The “home address” is an IP address assigned to the MN within its home subnet prefix on its home link
MIPv6 Operations: MN Moving to a New Link
Diagram: Home Link with Home Agent, CN, Internet, MN on the visited link; Binding Update and Binding Acknowledgement exchanged between MN and Home Agent
(1) CARE OF ADDRESS
MN Obtains an IPv6 Address in the Visited Network Through Stateless or Stateful Auto-Configuration
(2) BINDING UPDATE
While away from Home, a MN Registers Its Primary Care-of Address with a Router on Its Home Link, Requesting this Router to Function as the "Home Agent" for the MN
Packet Forwarding: Bidirectional Tunneling Mode
Diagram: Home Link with Home Agent; CN and MN across the Internet
Packets from the CN Are Routed to the HA and then Tunneled to the MN
Packets to the CN Are Tunneled from the MN to the HA (“Reverse Tunneled”) and then Routed Normally from the Home Network to the CN
• Not required to support Mobile IPv6 on the CN
• No binding registration between MN and CN
Packet Forwarding: Route Optimization Mode
Diagram: Home Link with Home Agent; CN and MN across the Internet
CN Must Support MIPv6; Requires MN to Register Its Binding Association to CN
MN Can Also Be a CN to Communicate with other MN
Packets from CN Are Routed Directly to the COA of MN by Checking the Binding Cache Table
Traffic Is Going through HA until the Return Routability Procedure Is Performed
Signaling via HA, and Home Registrations Still Keep HA Informed
When Routing Packets Directly to CN, MN Sets the Source Address in the Packet’s IPv6 Header to Its Current CoA
Cisco IOS Mobile IPv6 Home Agent: Technology Preview
• MIPv6 home agent technology preview release built on IETF MIPv6 draft 24
  IPSec support planned for a later stage; waiting for IETF MIPv6 WG completion
  Binding update can be filtered by source address using ACL
• Only available for testing and experiment
  Tested with BSD, Linux and Windows MIPv6 client
Diagram: MP3 Client, access points AP1 and AP2, home agent interfaces F0/0 and F0/1
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/0
ipv6 address 2001:DB8:C003:1101::45A/64
ipv6 mobile home-agent run
!
interface FastEthernet0/1
ipv6 address 2001:DB8:C003:1102::45C/64
ipv6 mobile home-agent run
Conclusion
• IPv6 is REAL!
• Start now rather than later
  Purchase for the future
  Start moving legacy applications towards IPv6 support
• Deploy a pilot or lab if you do not need a full-scale solution
• Know what is still under development:
  EIGRP for IPv6
  IPv6 HSRP
  Enterprise products/features—(Voice, CDN, Advanced Security)
  Full-scale management of IPv6
  Key management for IPSec (prevents scalable IPv6 IPSec deployment with clients)
  ISP multihoming solutions
Links/Reference
• www.cisco.com/go/ipv6
  CCO IPv6 main page
  IPv6 Overviews (ABCs of IPv6)
  Technical configuration guides
  IPv6 presentations
  Industry activity (IETF, IPv6 Forum)
• www.cisco.com/go/fn
  Select “Feature” and search for “IPv6”, then Select “IPv6 for Cisco IOS Software”
• www.microsoft.com/ipv6
• www.ietf.org
• www.hs247.com/
  Mass quantities of information about applications, operating systems and IPv6 connectivity options
• www.nav6tf.org
• www.ipv6forum.com
• www.ipv6.org
IPv6 Support Outside of Cisco: Operating Systems
Vendor | IPv6 Support | Versions | More Info
Microsoft | YES | XP (SP1) and 2003; CE .NET (Pocket PC 4.1) | http://www.microsoft.com/ipv6
Sun | YES | Solaris 8 and 9 | http://wwws.sun.com/software/solaris/ipv6/
IBM | YES | z/OS Rel. 1.4; AIX 4.3 and later; OS/390 V2R6 eNCS | http://www-3.ibm.com/software/os/zseries/ipv6/
BSD | YES | FreeBSD 4.0 and later; OpenBSD 2.7 and later; NetBSD 1.5 and later; BSD/OS 4.2 and later | http://www.kame.net/
Linux | YES | RH 6.2 and later; Mandrake 8.0 and later; SuSE 7.1 and later; Debian 2.2 and later | http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-distributions.html
HP/Compaq | YES | HP-UX 11i; Tru64 UNIX V5.1; OpenVMS V5.1 | http://h18000.www1.hp.com/ipv6/next_gen.html
Novell | YES | Netware 6.1 | http://www.novell.com/documentation/lg/nw65/index.html?page=/documentation/lg/nw65/readme/data/ajzlp6r.html
Apple | YES | MAC OS X 10.2 and later | http://developer.apple.com/macosx/
Bedtime Reading
• “Cisco Self-Study: Implementing Cisco IPv6 Networks (IPV6)” by Regis Desmeules—Cisco Press (ISBN: 1587050862)
• “Understanding IPv6” by Joseph Davies—Microsoft Press (ISBN: 0735612455)
• “IPv6 Essentials” by Silvia Hagen—O’Reilly & Associates (ISBN: 0596001258)
Complete Your Online Session Evaluation!
WHAT: Complete an online session evaluation and your name will be entered into a daily drawing
WHY: Win fabulous prizes! Give us your feedback!
WHERE: Go to the Internet stations located throughout the Convention Center
HOW:
Winners will be posted on the onsite Networkers Website; four winners per day
Q AND A
APPENDIX SLIDES FOR REFERENCE ONLY
IPv6 MULTICAST: ADDITIONAL SLIDES
Solicited-Node Multicast Address
Format: Unicast Prefix (64 bits) | Interface ID (64 bits); the solicited-node address is FF02:0:0:0:0:1:FF followed by the low-order 24 bits
• FF02::1:FF00:0000/104—IPv6 prefix (compressed)
• Consists of the prefix and the low-order 24 bits of the unicast or anycast address
• Link-local address: FE80::20B:45FF:FE94:1C00
• Solicited-node address: FF02::1:FF94:1C00
Multicast Neighbor Solicitation for Duplicate Address Detection
Ethernet Header
• Dest MAC is 33-33-FF-52-F9-D8
IPv6 Header
• Source Address is ::
• Destination Address is FF02::1:FF52:F9D8
• Hop limit is 255
Neighbor Solicitation Header
• Target Address is FE80::2:260:8FF:FE52:F9D8
Diagram: Host A (Tentative IP: FE80::2:260:8FF:FE52:F9D8) sends a multicast Neighbor Solicitation; Host B (MAC: 00-60-08-52-F9-D8, IP: FE80::2:260:8FF:FE52:F9D8) already holds the address
Multicast Neighbor Advertisement (Response)
Ethernet Header
• Destination MAC is 33-33-00-00-00-01
IPv6 Header
• Source Address is FE80::2:260:8FF:FE52:F9D8
• Destination Address is FF02::1
• Hop limit is 255
Neighbor Advertisement Header
• Target Address is FE80::2:260:8FF:FE52:F9D8
Neighbor Discovery Option
• Target Link-Layer Address is 00-60-08-52-F9-D8
Diagram: Host B (MAC: 00-60-08-52-F9-D8, IP: FE80::2:260:8FF:FE52:F9D8) sends a multicast Neighbor Advertisement; Host A (Tentative IP: FE80::2:260:8FF:FE52:F9D8) learns the address is a duplicate
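Every value on the three slides above (solicited-node group, 33-33 multicast MAC, the fields of the DAD solicitation and the advertisement that answers it) derives from the unicast address and MAC alone. The Python below is an added example, not code from the deck, that performs those derivations; the function names are assumptions, and the EUI-64 helper is included so the slide 105 link-local address can be reproduced from its MAC.

```python
"""Derive the solicited-node multicast group, its Ethernet multicast MAC,
the modified-EUI-64 link-local address, and the DAD Neighbor Solicitation /
Neighbor Advertisement fields. Added example, not from the presentation.
"""
import ipaddress

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("FF02::1:FF00:0"))   # FF02::1:FF00:0/104
ICMPV6_NS, ICMPV6_NA = 135, 136


def solicited_node(addr: str) -> str:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low-order 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24))


def multicast_mac(group: str) -> str:
    """33-33 followed by the low-order 32 bits of the IPv6 multicast address."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33-33-" + "-".join(f"{(low32 >> s) & 0xFF:02X}" for s in (24, 16, 8, 0))


def eui64_link_local(mac: str) -> str:
    """Link-local address from a 48-bit MAC: flip the U/L bit, insert FF-FE."""
    b = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(b) != 6:
        raise ValueError("MAC must be 48 bits")
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))


def dad_neighbor_solicitation(tentative: str) -> dict:
    """Fields of the NS a host multicasts before it may use a tentative address."""
    group = solicited_node(tentative)
    return {
        "eth_dst": multicast_mac(group),
        "ip_src": "::",               # unspecified: the address is not usable yet
        "ip_dst": group,
        "hop_limit": 255,             # receivers discard ND with hop limit != 255
        "icmpv6_type": ICMPV6_NS,
        "target": str(ipaddress.IPv6Address(tentative)),
    }


def dad_neighbor_advertisement(owner_addr: str, owner_mac: str) -> dict:
    """Fields of the NA sent by a host that already owns the target address.
    The solicitation came from ::, so the reply goes to all-nodes (FF02::1)."""
    all_nodes = "ff02::1"
    return {
        "eth_dst": multicast_mac(all_nodes),
        "ip_src": str(ipaddress.IPv6Address(owner_addr)),
        "ip_dst": all_nodes,
        "hop_limit": 255,
        "icmpv6_type": ICMPV6_NA,
        "target": str(ipaddress.IPv6Address(owner_addr)),
        "target_lladdr": owner_mac,
    }


def dad_conflict(tentative: str, msg: dict) -> bool:
    """True when a received NA names the tentative address: it is a duplicate."""
    return (msg["icmpv6_type"] == ICMPV6_NA and msg["hop_limit"] == 255
            and msg["target"] == str(ipaddress.IPv6Address(tentative)))
```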
MLDv1: Joining a Group (REPORT)
Diagram: hosts H1 (FE80::209:5BFF:FE08:A674) and H2 (FE80::250:8BFF:FE55:78DE) on a link with rtr-a (FE80::207:85FF:FE80:692); Source; Group: FF3E:40:2001:DB8:C003:1109:1111:1111
1 H1 Sends a REPORT for the Group
  Destination: FF3E:40:2001:DB8:C003:1109:1111:1111
  ICMPv6 Type: 131
2 H2 Sends a REPORT for the Group
  Destination: FF3E:40:2001:DB8:C003:1109:1111:1111
  ICMPv6 Type: 131
MLDv1: Host Management (Group-Specific Query)
Diagram: hosts H1 (FE80::209:5BFF:FE08:A674) and H2 (FE80::250:8BFF:FE55:78DE) on a link with rtr-a (FE80::207:85FF:FE80:692); Source; Group: FF3E:40:2001:DB8:C003:1109:1111:1111
1 H1 Sends DONE to FF02::2
  Destination: FF02::2
  ICMPv6 Type: 132
2 RTR-A Sends Group-Specific Query
  Destination: FF3E:40:2001:DB8:C003:1109:1111:1111
  ICMPv6 Type: 130
3 H2 Sends REPORT for the Group
  REPORT to group
  ICMPv6 Type: 131
Other MLD Details
• Leave/DONE
  Last host leaves—Sends DONE (type 132)
  Router will respond with group-specific query (type 130)
  Router will use the last member query response interval (Default=1 sec) for each query
  Query is sent twice and if no reports occur then entry is removed (2 seconds)
• General query (type 130)
  Sent to learn of listeners on the attached link
  Sets the multicast address field to zero
  Sent every 125 seconds (configurable)
• MLDv2 type 143 problems in IETF
  Cisco IOS will provide configuration (CSCed45941)
IPv6 Multicast PIM BSR: Election
Diagram: Corporate Network (Source) and IP WAN with RPs 2001:DB8:C003:1116::2 and 2001:DB8:C003:110A::1
wan-agg-left#show ipv6 pim bsr election
PIMv2 BSR information
BSR Election Information
Scope Range List: ff00::/8
BSR Address: 2001:DB8:C003:1116::2
Uptime: 2d21h, BSR Priority: 0, Hash mask length: 126
RPF: FE80::201:42FF:FE2D:9580,Serial2/1/0.2
BS Timer: 00:01:44
This system is candidate BSR
Candidate BSR address: 2001:DB8:C003:110A::1, priority: 0, hash mask length:126
IPv6 Multicast PIM BSR: Non-RPs
Diagram: Corporate Network (Source) and IP WAN with RPs 2001:DB8:C003:1116::2 and 2001:DB8:C003:110A::1; BSR messages are sent to FF02::D (all PIM routers)
IPv6 BSR: Received BSR message from FE80::230:F2FF:FE15:9C00 for 2001:DB8:C003:1116::2, priority 0 hash mask length 126
IPv6 BSR: Skipping interface FastEthernet0/0, no PIM neighbors found
IPv6 BSR: Skipping interface Serial0/2, incoming interface
IPv6 BSR: Received Group range FF00::/8, RP count 2 Fragment RP count2
IPv6 BSR: RP 2001:DB8:C003:110A::1, Holdtime 150, Priority 192
IPv6 BSR: RP 2001:DB8:C003:1116::2, Holdtime 150, Priority 192
BSR Election Information
Scope Range List: ff00::/8
BSR Address: 2001:DB8:C003:1116::2
Uptime: 01:51:17, BSR Priority: 0, Hash mask length: 126
RPF: FE80::230:F2FF:FE15:9C00,Serial0/2
BS Timer: 00:01:13
Embedded-RP Address Example
Multicast Address with Embedded RP Address
Field widths (bits): FF=8 | Flags=4 | Scope=4 | Rsvd=4 | RPadr=4 | Plen=8 | Network-Prefix=64 | Group-ID=32
FF76:0130:1234:5678:9abc::4321
Resulting RP Address: 1234:5678:9abc::1
• RP address = Network-Prefix followed by RPadr as the low-order nibble
• 16 RP addresses per network prefix
Embedded RP: More Details
• Embedded-RP allows for the control of the multicast groups AND RPs to be handled by the applications group
• Embedded RP router MUST configure “ipv6 pim rp-address”
• Consider the issue when the WRONG RP is defined within the group address and a lonely 800 series router on a 128k line becomes the RP for hundreds of high-rate video streams (worse yet, you are using ipv6 pim spt-threshold infinity)
• Use the no ipv6 pim rp embedded command to disable Embedded-RP learning
• Embedded RP can be used interdomain without additional work:
  Just requires all routers between sources and receivers in an application (potentially worldwide) to support the embedded-RP mechanism
Embedded RP: Interdomain Concerns and Answers
In Current IPv4 Multicast, a Multicast Group Is Served by Typically One (Set of) RPs per Domain and These RPs Are Interconnected by MSDP; with IPv6 Embedded-RP, There Would Just Be One (Set of Anycast-) RPs Globally for a Group:
• Scalability…flat virtual topology
  Similar to SSM with just one added RP—simple! = scalable?
  No MSDP scalability/reliability/administration concerns!
  Almost arbitrary number of RPs that can be used: each RP may need to serve only very few groups
• 3rd party RP dependency?
  Yes: For totally anarchic applications that must not have a single identifiable point of origin
  No: The majority of IP multicast applications will (like for example web applications) have an identifiable owner; this owner must take care of using an appropriate RP under his control
RP Redundancy: Overview
• ASM always requires an RP, whether it is PIM-SM or Bidir-PIM (PIM-DM would be the exception to this rule for ASM)
• RP is a single point of failure and redundancy is a basic operational requirement
  BSR is today the only available RP redundancy solution for IPv6:
    Static-RP configuration can by itself not provide for redundancy
    MSDP (for anycast RP redundancy) is not defined for IPv6 (Cisco would consider it given demand by customers)
  BSR/AutoRP are in IPv4 considered to be inferior solutions to anycast:
    Worse convergence times
    Active protocol operations required in all routers
    BSR has a set of limitations but further protocol work does not seem to happen in the IETF
• An anycast-RP solution for IPv6 could solve the issues at hand if combined together with embedded-RP
RP Redundancy: Prefixlength/Anycast-RP
Diagram: Primary RP (Loopback 1: 1234:5678:9ab0::1/48) and Secondary RP (Loopback 1: 1234:5678:9ab0::1/47) serving DR 1 and DR 2
• NEW: Designate a primary and a secondary (tertiary, etc. are possible too) RP for the anycast group
• NEW: Configure the Primary RP with the longest subnet mask on the loopback, the secondary with the next-longest mask, etc.
• OLD: Distribute loopback interface routes into the IGP
A Few Notes on PIM Tunnels…
• PIM uses tunnels when RPs/sources are known
• Source registering (on first-hop router)
  Uses a virtual tunnel interface (appears in the OIL for (S,G))
  Created automatically on the first-hop router when the RP is known
  Cisco IOS keeps the tunnel as long as the RP is known
  Unidirectional (transmit only) tunnels
  PIM register-stop messages are sent directly from the RP to the registering router (not through the tunnel!)
PIM Tunnels (DR-to-RP)
branch#show ipv6 pim tunnel
Tunnel1*
Type  : PIM Encap
RP    : 2001:DB8:C003:1116::2
Source: 2001:DB8:C003:111E::2
branch#show interface tunnel 1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 2001:DB8:C003:111E::2 (Serial0/2), destination 2001:DB8:C003:1116::2
Tunnel protocol/transport PIM/IPv6, key disabled, sequencing disabled
Checksumming of packets disabled
Tunnel is transmit only
Last input never, output never, output hang never
Last clearing of "show interface" counters never
… output truncated…
Diagram: Corporate Network (Source), RP on L0, DR at the branch
PIM Tunnels (RP)
• Source registering (on the RP): 2 virtual tunnels are created
1 transmit only, for registering sources locally connected to the RP
1 receive only, for decapsulating incoming registers from remote designated routers
No one-to-one relationship between virtual tunnels on designated routers and the RP!
PIM Tunnels (RP-for-Source)
RP-router#show ipv6 pim tunnel
Tunnel0*
  Type  : PIM Encap
  RP    : 2001:DB8:C003:1116::2
  Source: 2001:DB8:C003:1116::2
Tunnel1*
  Type  : PIM Decap
  RP    : 2001:DB8:C003:1116::2
  Source: -
[Diagram: Source in the Corporate Network; RP with loopback L0 and decap tunnel Tu]
RP-router#show interface tunnel 1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 2001:DB8:C003:1116::2
(FastEthernet0/0), destination 2001:DB8:C003:1116::2
Tunnel protocol/transport PIM/IPv6, key disabled,
sequencing disabled
Checksumming of packets disabled
Tunnel is receive only
… output truncated…
IPv6 OVER CLIENT VPN: REFERENCE SLIDES FOR NON-WINDOWS PLATFORMS
Router Configuration: Configured Tunnels
[Diagram: VPN Client -> VPN 3000 Concentrator -> (F3/1) Catalyst 6500 Supervisor 720, dual-stack -> (G2/1) Corporate Network]
Dual-stack router configuration:
ipv6 unicast-routing
!
interface FastEthernet3/1
 description TO VPN 3000
 ip address 20.1.1.1 255.255.255.0
!
interface GigabitEthernet2/1
 description TO Campus Network
 ipv6 address 2001:DB8:C003:111C::2/64
!
interface Tunnel1
 description Configured Tunnel for Client1
 no ip address
 ipv6 address 2001:DB8:C003:1123::1/64
 tunnel source FastEthernet3/1
 tunnel destination 10.1.99.103
 tunnel mode ipv6ip
Client Configuration (Windows XP):
Configured Tunnels
[Diagram: Windows XP VPN Client (VPN IP) -> VPN 3000 Concentrator -> (F3/1) Catalyst 6500 Supervisor 720, dual-stack (Router IP) -> (G2/1) Corporate Network]
• Create v6v4tunnel
• Add IPv6 address to tunnel interface
• Create a default route (::/0) for the tunnel
netsh interface ipv6>add v6v4tunnel "CISCO" 10.1.99.103 20.1.1.1
Ok.
netsh interface ipv6>add address "CISCO" 2001:DB8:c003:1123::2
Ok.
netsh interface ipv6>add route ::/0 "CISCO"
Ok.
Does It Work?
[Diagram: Windows XP Client (10.1.99.103 - VPN address, 2001:DB8:c003:1123::2 - IPv6 address) -> VPN 3000 -> Catalyst 6500 Supervisor 720, dual-stack (20.1.1.1 - IPv4 address, 2001:DB8:c003:1123::1 - IPv6 address)]
Interface 21: CISCO
Addr Type  DAD State  Valid Life  Pref. Life  Address
---------  ---------  ----------  ----------  ----------------------
Manual     Preferred  infinite    infinite    2001:DB8:c003:1123::2
Link       Preferred  infinite    infinite    fe80::a01:6368
netsh interface ipv6>show neighbors 21
Interface 2: Automatic Tunneling Pseudo-Interface
Internet Address       Physical Address  Type
---------------------  ----------------  ---------
2001:DB8:c003:1123::1  20.1.1.1          Permanent
fe80::1401:0101        20.1.1.1          Permanent
Client Configuration (Linux):
ISATAP Tunnels
[Diagram: Linux VPN Client (VPN IP) -> (F3/1) Catalyst 6500 Supervisor 720, dual-stack (Router IP) -> (G2/1) Corporate Network]
• IPv6-enabled
• Requires kernel support for ISATAP—USAGI
• Modified iproute package—USAGI
• Must configure ISATAP router—NOT automatic
# ip tunnel add is0 mode isatap 10.1.99.104 v4any 20.1.1.1 ttl 64
# ip link set is0 up
*See Notes for Full Instructions for Enabling IPv6 on Linux
Client Configuration (Sun Solaris):
Configured Tunnels with 3002 Client
[Diagram: Sun Solaris (Local LAN IP) behind a 3002 VPN Client -> (F3/1) Catalyst 6500 Supervisor 720, dual-stack (Router IP) -> (G2/1) Corporate Network]
• IPv6-enabled
• Example of Solaris behind a 3002 VPN Client
• Basic configured tunnel—manual commands given
• Can maintain configuration permanently using /etc/hostname6.ip.tunN (where N is 0, 1, 2 and so on)
# ifconfig ip.tun0 inet6 plumb
# ifconfig ip.tun0 inet6 tsrc 192.168.0.1 tdst 20.1.1.1 up
# ifconfig ip.tun0 inet6 addif 2001:DB8:c003:1123::2/64 2001:DB8:c003:1123::1 up
Created new logical interface ip.tun0:2
*See Notes for Full Instructions for Enabling IPv6 on Solaris
Client Configuration (Mac): Configured
Tunnels with 3002 HW Client
[Diagram: MAC OS X Client (Local LAN IP) behind a 3002 VPN Client -> (F3/1) Catalyst 6500 Supervisor 720, dual-stack (Router IP) -> (G2/1) Corporate Network]
• IPv6-enabled
• Have permissions (root user)
• Example of Mac behind a 3002 VPN Client
# ifconfig gif0 tunnel create
# ifconfig gif0 tunnel 192.168.0.1 20.1.1.1
# ifconfig gif0 inet6 alias 2001:DB8:c003:1123::2
# route add -inet6 default -interface gif0
MIPv6 REFERENCE SLIDES
Dynamic Home Agent Address Discovery
[Diagram: the MN, away from home, sends a home agent address discovery request across the Internet to the home-agents anycast address of its own home subnet prefix; a home agent on the home link answers with a home agent address discovery reply]
• MIPv6 also provides support for multiple HAs, and limited support for the reconfiguration of the home network; in these cases the MN may not know the IP address of its own HA, and even the home subnet prefixes may change over time
• A mechanism, known as “dynamic home agent address discovery
(DHAAD)” allows a MN to dynamically discover the IP address of a HA
on its home link, even when the MN is away from home
• MN can also learn new information about home subnet prefixes
through the “mobile prefix discovery” mechanism
Mobile IPv6 Security Overview
• MIPv6 ID-24 provides a number of security features
• Protection of binding updates both to home agents and
correspondent nodes
Use of IPSec extension headers, or by the use of the binding authorization
data option; this option employs a binding management key, Kbm, which
can be established through the return routability procedure
• Protection of mobile prefix discovery
Through the use of IPSec extension headers
• Protection of the mechanisms that MIPv6 uses for
transporting data packets
Mechanisms related to transporting payload packets—such as the home
address destination option and type 2 routing header—have been
specified in a manner which restricts their use in attacks
Security Threats and Solutions
[Diagram: MN on a foreign link, Home Agent on the Home Link, Correspondent Node (CN) across the Internet. HoTI/HoT pass between MN and CN through the Home Agent's reverse tunnel, CoTI/CoT pass directly between MN and CN, then the Binding Update and Binding Acknowledgement follow.]
Return Routability Test (MN to CN: arbitrary, no preexisting security association)
• Verifies the collocation of the CoA and the home address
• Assumes better security association between HA and MN
• Scalable and stateless
Reverse Tunnel (MN to HA)
• Secured by IPSec
• Requires a preexisting security association
IPv6 Protocol Extension: Mobility Header
[Diagram: the previous header carries Next Header = TBD pointing at the Mobility Header; Mobility Header fields: Next Header, Hdr Ext Length, MH Type, Reserved, Checksum, Message Data]
• New extension header to be used by MN, HA and CN in all
messaging related to the creation and management of binding
• IPv6 option header may allow piggybacking of these
messages
Another advantage over IPv4
Mobility Header
• Mobility header type
Binding Refresh Request Message
Home Test Init Message (HoTI)—Home Test Message (HoT)
Care-of Test Init Message (CoTI)—Care-of Test Message (CoT)
Binding Update Message (BU)—Binding Acknowledgement Message (BA)
Binding Error Message (BE)
• Message data field contains mobility options
Binding refresh advice
Alternate Care-of Address
Nonce Indices
Binding authorization data
• Triangular routing does not require all these messages, only BU, BA and BE
New Option in Destination Option Header
[Diagram: IPv6 Basic Header with Next Header = 60 pointing at the Destination Header; Destination Header fields: Next Header, Hdr Ext Length, Option Type, Option Length, Home Address]
• The home address option is carried by the destination option
extension header
• It is used in a packet sent by a MN while away from home, to inform the recipient of the MN's home address
The HAO is not a security risk: if the mobile node is unknown, hosts send a parameter problem; otherwise the contents are verified
• Have to use the CoA as source due to RPF
Type 2 Routing Header
[Diagram: IPv6 Basic Header with Next Header = 43 pointing at the Routing Header; Routing Header fields: Next Header, Hdr Ext Length, Routing Type = 2, Segments Left = 1, Reserved, Home Address]
• MIPv6 defines a new routing header variant to allow the packet to be routed
directly from a CN to a MN CoA
• MN CoA is inserted into the IPv6 destination address field; once the packet
arrives at the care-of address, the MN retrieves its home address from the
routing header, and this is used as the final destination address for the packet
• The new routing header uses a different type than defined for "regular" IPv6
source routing, enabling firewalls to apply different rules to source routed
packets than to mobile IPv6
MIPv6: 4 New ICMPv6 Messages
• Use of ICMPv6 and neighbor discovery makes
MIPv6 independent from the data link layer
technology
• Two for use in the dynamic home agent address
discovery (DHAAD) mechanism
Home agent address discovery request—use of home
agents anycast address of its own home subnet prefix
Home agent address discovery reply
• Two for renumbering and mobile configuration
mechanisms
Mobile prefix solicitation
Mobile prefix advertisement
Modifications to Neighbor Discovery
• Modified router advertisement message format
Single flag bit indicating HA service
• Modified prefix information option format
To allow a router to advertise its global address
• New advertisement interval option format
• New home agent information option format
• Changes to sending router advertisements
To provide timely movement detection for mobile nodes
Mobile IPv6 Operations Overview
• Mobile Node (MN) is assigned an IPv6 Home
Address (HoA)
• MN obtains a new IPv6 address (Care of Address
[CoA]) on networks it connects to
• MN informs a Home Agent (HA) on its original home
network about its new address
• The HA masquerades as the MN; capturing traffic to
the MN and transferring traffic from the MN
• MN can also inform other nodes it communicates with—Correspondent Nodes (CN)—about its CoA; the CN can then send traffic directly to the MN
Binding Updates Protection
• BU/BA to home agents MUST be secured through IPSec
ESP encapsulation of binding updates and acknowledgements
between the mobile node and home agent MUST be supported
and MUST be used
ESP encapsulation of the home test init and home test messages
tunneled between the mobile node and home agent MUST be
supported and SHOULD be used
ESP encapsulation of the ICMPv6 messages related to prefix
discovery MUST be supported and SHOULD be used
ESP encapsulation of the payload packets tunneled between the
mobile node and home agent MAY be supported and used
If multicast group membership control protocols or stateful
address autoconfiguration protocols are supported, payload data
protection MUST be supported for those protocols
Mobile Prefix Discovery
• Mobile node and the home agent SHOULD use an
IPSec security association to protect the integrity
and authenticity of the mobile prefix solicitations
and advertisements
Both the MNs and the HAs MUST support and SHOULD use
the Encapsulating Security Payload (ESP) header in
transport mode with a non-null payload authentication
algorithm to provide data origin authentication,
connectionless integrity and optional anti-replay protection
Payload Packets
• Payload packets exchanged with a MN can follow the same protection policy as for other IPv6 hosts
• Specific security measures are defined to protect the specificity
of MIPv6
Home address destination option
Routing header
Tunneling headers
• Home address destination option can only be used when a CN
already has a binding cache entry for the given home address
• Tunnel protection between a MN and its HA
MN verifies that the outer IP address corresponds to its HA
HA verifies that the outer IP address corresponds to the current location of the MN
(Binding Updates sent to the home agents are secure)
HA identifies the MN through the source address of the inner packet (home address
of the MN)
• For traffic tunneled via the HA, additional IPSec ESP encapsulation
MAY be supported
Mobile IPv6 Terms
• Binding management key (Kbm)
A binding management key (Kbm) is a key used for authorizing a binding
cache management message (e.g., BU or BA); return routability provides a
way to create a binding management key
• Cookie
A cookie is a random number used by a mobile node to prevent spoofing
by a bogus correspondent node in the return routability procedure
• Keygen Token
A keygen token is a number supplied by a correspondent node in the
return routability procedure to enable the mobile node to compute the
necessary binding management key for authorizing a binding update
• Nonce
Nonces are random numbers used internally by the correspondent node
in the creation of keygen tokens related to the return routability
procedure; the nonces are not specific to a mobile node, and are kept
secret within the correspondent node
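The derivation behind these terms, as an added example that is not from the Cisco slides: Kcn, the nonces and the CN/MN addresses are constructed values, and the formulas follow RFC 3775 (the published form of draft-24): keygen token = First(64, HMAC-SHA1(Kcn, address | nonce | 0 or 1)), Kbm = SHA1(home token | care-of token), BU authenticator = First(96, HMAC-SHA1(Kbm, CoA | CN | MH data)). The mh_data argument is a placeholder for the mobility header contents.

```python
import hashlib
import hmac
import ipaddress
import os


def keygen_token(kcn, address, nonce, kind):
    """First 64 bits of HMAC-SHA1(Kcn, address | nonce | kind).

    kind is 0 for the home keygen token (carried in HoT, via the HA) and 1
    for the care-of keygen token (carried in CoT, sent straight to the CoA).
    Kcn and the nonce never leave the CN; only the token and nonce index do.
    """
    data = ipaddress.IPv6Address(address).packed + nonce + bytes([kind])
    return hmac.new(kcn, data, hashlib.sha1).digest()[:8]


def binding_management_key(home_token, careof_token):
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + careof_token).digest()


def bu_authenticator(kbm, careof, cn, mh_data):
    """Binding authorization data: First(96, HMAC-SHA1(Kbm, CoA | CN | MH data))."""
    data = (ipaddress.IPv6Address(careof).packed
            + ipaddress.IPv6Address(cn).packed + mh_data)
    return hmac.new(kbm, data, hashlib.sha1).digest()[:12]


class CorrespondentNode:
    """Keeps only Kcn and a nonce table; no per-MN state until a BU verifies."""

    def __init__(self, address, kcn=None):
        self.address = address
        self.kcn = kcn or os.urandom(20)
        self.nonces = {1: os.urandom(8)}   # nonce index -> nonce, rotated over time
        self.binding_cache = {}

    def home_test(self, home_address):
        """Answer a HoTI with (home nonce index, home keygen token)."""
        idx = max(self.nonces)
        return idx, keygen_token(self.kcn, home_address, self.nonces[idx], 0)

    def careof_test(self, careof_address):
        """Answer a CoTI with (care-of nonce index, care-of keygen token)."""
        idx = max(self.nonces)
        return idx, keygen_token(self.kcn, careof_address, self.nonces[idx], 1)

    def accept_binding_update(self, hoa, coa, home_idx, careof_idx, mh_data, auth):
        """Recompute Kbm statelessly from the nonce indices, then check the authenticator."""
        if home_idx not in self.nonces or careof_idx not in self.nonces:
            return False                    # unknown or expired nonce: reject
        kbm = binding_management_key(
            keygen_token(self.kcn, hoa, self.nonces[home_idx], 0),
            keygen_token(self.kcn, coa, self.nonces[careof_idx], 1))
        expected = bu_authenticator(kbm, coa, self.address, mh_data)
        if not hmac.compare_digest(expected, auth):
            return False
        self.binding_cache[hoa] = coa
        return True


def build_binding_update(cn, hoa, coa, home_reply, careof_reply, mh_data=b"BU"):
    """MN side: derive Kbm from the two tokens it received and sign the BU."""
    home_idx, home_token = home_reply
    careof_idx, careof_token = careof_reply
    kbm = binding_management_key(home_token, careof_token)
    auth = bu_authenticator(kbm, coa, cn.address, mh_data)
    return hoa, coa, home_idx, careof_idx, mh_data, auth


def demo():
    """Returns (BU from a node holding both tokens accepted?, BU lacking the home token accepted?)."""
    cn = CorrespondentNode("2001:db8:c003:1116::10")             # constructed CN address
    hoa, coa = "2001:db8:c003:1123::2", "2001:db8:c003:1124::2"   # constructed MN addresses
    # A node reachable at the home address (through the HA) and at the CoA gets both tokens.
    bu = build_binding_update(cn, hoa, coa, cn.home_test(hoa), cn.careof_test(coa))
    legit = cn.accept_binding_update(*bu)
    # A node at some other CoA that never received the HoT for hoa cannot derive Kbm.
    other_coa = "2001:db8:c003:1125::7"
    missing_home = (max(cn.nonces), bytes(8))
    bu = build_binding_update(cn, hoa, other_coa, missing_home, cn.careof_test(other_coa))
    return legit, cn.accept_binding_update(*bu)
```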
Mobile IPv6 @ Cisco
• Home agent
In field trial since CY ’01
Draft 24 compliant
http://www.ietf.org/internet-drafts/draft-ietf-mobileip-ipv6-24.txt
Some issues from TAHI—dynamic HA address discovery, mobile
prefix discovery—being worked on
Target CCO CY ’05
• Founding member of Mobile IPv6 LAB at Lancaster Univ.
Microsoft, Lancaster University, Orange UK
http://www.mobileipv6.net/
• Mobile IPv6 is part of the planned IPv6 rollouts
http://www.cisco.com/warp/public/732/Tech/ipv6/ipv6_learnabout.shtml
http://www.cisco.com/warp/public/732/Tech/ipv6/
OPERATING SYSTEM
CONFIGURATION REFERENCE
MICROSOFT
Client Configuration (Windows XP):
Dual-Stack
• Required
Microsoft Windows XP (SP1 or higher)
Microsoft Windows Server 2003
[Diagram: Windows XP Client (dual-stack) connected to a dual-stack Router]
• IPv6 must be installed
C:\>ipv6 install
• Have network (routers/switches)
configured for IPv6
Stateless autoconfiguration and/or DHCPv6
C:\>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 1:

        Connection-specific DNS Suffix . :
        IP Address. . . . . . . . . . . . : 10.1.1.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        IP Address. . . . . . . . . . . . : 2001:DB8:C003:1122:203:ffff:fe81:d6da
        IP Address. . . . . . . . . . . . : fe80::203:ffff:fe81:d6da%4
        Default Gateway . . . . . . . . . : 10.1.1.1
                                            fe80::201:42ff:fe2d:9580
LINUX
What Is Required
• Red Hat 6.2 and higher
RH 8, 9, WS and ES preferred
Fedora project builds
• Mandrake 8.0 and higher
• SuSE 7.1 and higher
• Debian 2.2 and higher
• ISATAP support requires
Kernel support for ISATAP—USAGI
Modified iproute package—USAGI
http://www.linux-ipv6.org/
Client Configuration (Linux):
Dual-Stack
• ENABLE IPv6 support on Linux
Edit—/etc/sysconfig/network
Add entry—NETWORKING_IPV6=yes
Restart networking or reboot
# ifconfig eth0
eth0
Link encap:Ethernet HWaddr 00:40:F4:6C:C8:AF
inet addr:10.1.1.100 Bcast:10.1.1.255 Mask:255.255.255.0
inet6 addr: 2001:DB8:C003:1122:240:f4ff:fe6c:c8af/64 Scope:Global
inet6 addr: fe80::240:f4ff:fe6c:c8af/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:289223 errors:0 dropped:0 overruns:0 frame:0
TX packets:13452 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:53425777 (50.9 Mb) TX bytes:3381080 (3.2 Mb)
Interrupt:5 Base address:0xf000
Client Configuration (Linux):
ISATAP Tunnels
[Diagram: Linux Client (Host IP 10.1.1.100) -> L3 Switch, IPv6 not supported -> IPv6 L3 Switch/Router (Router IP 30.1.1.1)]
10.1.1.100—Client IPv4 address
2001:DB8:C003:111f:0:5efe:10.1.1.100—IPv6 address
• IPv6-enabled
• Requires kernel support for ISATAP—USAGI
• Modified iproute package—USAGI
• Must configure ISATAP router—NOT automatic
# ip tunnel add is0 mode isatap 10.1.1.100 v4any 30.1.1.1 ttl 64
# ip link set is0 up
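How the ISATAP address above is formed from the site prefix and the client's IPv4 address, plus the ingress check an ISATAP router can make before decapsulating, as an added example that is not from the slides: the 0:5efe / 200:5efe interface identifier layout follows RFC 5214, and the packets in demo() are constructed.

```python
import ipaddress

ISATAP_MAGIC = 0x5EFE   # the "5efe" in 2001:DB8:C003:111f:0:5efe:10.1.1.100
U_BIT = 0x0200          # set in the IID when the embedded IPv4 is globally unique (RFC 5214)


def isatap_address(prefix, ipv4, globally_unique=False):
    """Build <prefix>:0:5efe:w.x.y.z (or :200:5efe:... for a public IPv4) on a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    top = U_BIT if globally_unique else 0
    iid = (top << 48) | (ISATAP_MAGIC << 32) | int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(address):
    """Return the IPv4 address embedded in an ISATAP address, or None if the IID is not ISATAP."""
    iid = int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)
    if (iid >> 48) not in (0, U_BIT) or ((iid >> 32) & 0xFFFF) != ISATAP_MAGIC:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)


def isatap_ingress_ok(outer_src_v4, inner_src_v6, site_prefix):
    """Router-side check on an encapsulated packet before it is decapsulated.

    The inner IPv6 source must be an ISATAP address inside the site's ISATAP
    prefix, and the IPv4 it embeds must equal the outer IPv4 source; anything
    else is a packet claiming an IPv6 address its sender cannot own.
    """
    inner = ipaddress.IPv6Address(inner_src_v6)
    if inner not in ipaddress.IPv6Network(site_prefix, strict=False):
        return False
    embedded = embedded_ipv4(inner)
    return embedded is not None and embedded == ipaddress.IPv4Address(outer_src_v4)


def demo():
    """Constructed (outer IPv4 source, inner IPv6 source) pairs as seen by the ISATAP router."""
    prefix = "2001:db8:c003:111f::/64"
    client = str(isatap_address(prefix, "10.1.1.100"))      # the slide's client address
    other_site = str(isatap_address("2001:db8:c003:1123::/64", "10.1.1.100"))
    packets = [
        ("10.1.1.100", client),                       # genuine: IID matches the outer source
        ("10.1.1.200", client),                       # outer source does not match the IID
        ("10.1.1.100", "2001:db8:c003:111f::1234"),   # not an ISATAP interface identifier
        ("10.1.1.100", other_site),                   # ISATAP IID but wrong prefix
    ]
    return [isatap_ingress_ok(outer, inner, prefix) for outer, inner in packets]
```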
Client Configuration (Linux):
Configured Tunnels
[Diagram: Linux Client (Host IP 10.1.1.100) -> L3 Switch, IPv6 not supported -> IPv6 L3 Switch/Router (Router IP 30.1.1.1)]
10.1.1.100—Client IPv4 address
2001:DB8:C003:1123::2—IPv6 address
• Create tunnel
• Enable the tunnel interface
• Add IPv6 address to tunnel interface
• Create a default route (::/0) for the tunnel
# ip tunnel add sit1 mode sit remote 30.1.1.1 local 10.1.1.100
# ip link set sit1 up
# ip address add dev sit1 2001:DB8:C003:1123::2/64
# ip route add ::/0 dev sit1
Does It Work?
#ip tunnel show sit1
sit1: ipv6/ip remote 30.1.1.1 local 10.1.1.100 ttl inherit
#route -A inet6 | grep sit1
Kernel IPv6 routing table
Destination               Next Hop  Flags  Metric  Ref  Use  Iface
2001:DB8:C003:1123::/64   ::        UA     256     10   0    sit1
fe80::/10                 ::        UA     256     6    0    sit1
ff02::9/128               ff02::9   UAC    0       1    0    sit1
ff00::/8                  ::        UA     256     0    0    sit1
::/0                      ::        U      1024    0    0    sit1
# ip -6 addr show sit1
6: sit1@NONE: <POINTOPOINT,NOARP,UP> mtu 1480 qdisc noqueue
    inet6 fe80::a5e:a64d/128 scope link
    inet6 2001:DB8:C003:1123::2/64 scope global
#ping6 -I sit1 2001:DB8:C003:1123::1
PING 2001:DB8:C003:1123::1 from 2001:DB8:C003:1123::2 sit1:
64 bytes from 2001:DB8:C003:1123::1: icmp_seq=1 ttl=64 time=0.454 ms
64 bytes from 2001:DB8:C003:1123::1: icmp_seq=2 ttl=64 time=0.371 ms
64 bytes from 2001:DB8:C003:1123::1: icmp_seq=3 ttl=64 time=0.392 ms
64 bytes from 2001:DB8:C003:1123::1: icmp_seq=4 ttl=64 time=0.377 ms
MAC OS X
Client Configuration (Mac OS X 10.2 +):
Dual-Stack via GUI
Client Configuration (Mac):
Configured Tunnels
[Diagram: Mac Client (Local LAN IP 30.1.3.201) -> L3 Switch, IPv6 not supported -> IPv6 L3 Switch/Router (Router IP 30.1.1.1)]
30.1.3.201—Client IPv4 address
2001:DB8:C003:1124::2—IPv6 address
• Create tunnel interface
• Set tunnel end-points
• Add IPv6 address to tunnel
• Set default route
# ifconfig gif0 tunnel create
# ifconfig gif0 tunnel 30.1.3.201 30.1.1.1
# ifconfig gif0 inet6 alias 2001:DB8:C003:1124::2
# route add -inet6 default -interface gif0
# ifconfig gif0
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
tunnel inet 30.1.3.201 --> 30.1.1.1
inet6 fe80::203:93ff:feee:9f1f prefixlen 64 scopeid 0x2
inet6 2001:DB8:C003:1124::2 prefixlen 64
SUN SOLARIS
Things to Know
• Sun Solaris 8 and 9 will prompt for IPv6 activation during the
installation process
Say yes and you will be ready for dual-stack with autoconfiguration
• You can also create the /etc/hostname6.<interface> file
manually
For example if your physical Ethernet adapter is eri0 then you will find a
/etc/hostname.eri0 file
You can create a /etc/hostname6.eri0 file manually or if you opted to have
IPv6 support during installation then the file will already exist
#touch /etc/hostname6.eri0
Reboot
Run ifconfig -a and you will see a link-local address on the interfaces
Client Configuration (Sun Solaris):
Configured Tunnels
[Diagram: Solaris Client (Local LAN IP 10.1.1.100) -> L3 Switch, IPv6 not supported -> IPv6 L3 Switch/Router (Router IP 30.1.1.1)]
10.1.1.100—Client IPv4 address
2001:DB8:C003:1123::2—IPv6 address
• Create tunnel interface
• Create tunnel end-points
• Add IPv6 address to interface
• Can maintain configuration permanently using /etc/hostname6.ip.tunN (where N is 0, 1, 2 and so on)
# ifconfig ip.tun0 inet6 plumb
# ifconfig ip.tun0 inet6 tsrc 10.1.1.100 tdst 30.1.1.1 up
# ifconfig ip.tun0 inet6 addif 2001:DB8:C003:1123::2/64 2001:DB8:C003:1123::1 up
Created new logical interface ip.tun0:2
ip.tun0: flags=2200851<UP,POINTOPOINT,RUNNING,MULTICAST,NONUD,IPv6> mtu 1480 index 3
inet tunnel src 10.1.1.100 tunnel dst 30.1.1.1
tunnel hop limit 60
inet6 fe80::4065:406a/10 --> fe80::a5e:a644
ip.tun0:1: flags=2200851<UP,POINTOPOINT,RUNNING,MULTICAST,NONUD,IPv6> mtu 1480 index 3
inet6 2001:DB8:C003:1123::2/64 --> 2001:DB8:C003:1123::1
Links/Reference
• Microsoft
http://www.microsoft.com/ipv6: Main page
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/window
sserver2003/proddocs/standard/sag_IP_v6topnode.asp: IPv6 documentation
• Linux
http://www.deepspace6.net/sections/docs.html: Linux IPv6 documentation
http://www.linux-ipv6.org/: Site for the USAGI port
http://v6web.litech.org/isatap: ISATAP for Linux site
• Mac
http://lists.apple.com/mailman/listinfo/ipv6: Mailing list for IPv6 on Mac
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-ipv6.html: IPv6
documentation that applies to Mac (Darwin) and general FreeBSD ports
• Sun
http://docs.sun.com/db/doc/817-0573: Sun Solaris IPv6 documentation
• Multi-OS tunnel configuration
http://www.join.uni-muenster.de/Dokumente/Howtos/index_howtos.php?lang=en:
Great site for general IPv6 tunneling for most operating systems
OTHER REFERENCE SLIDES
DHCPv6 Prefix-Delegation
[Diagram: DHCPv6 Client (requesting router on ADSL or FTTH, delegated a /48, numbering its LANs as /64) -> DHCPv6 Relay -> DHCPv6 Server(s)]
• Leases for prefixes
• Flexible deployments
Client/Relay/Server model
• Requesting router includes request for prefixes in DHCP configuration request
• Delegating router assigns prefixes in response along with other DHCP configuration information
• draft-ietf-ipv6-prefixdelegation-requirement-xx.txt
http://www.cisco.com/warp/public/732/Tech/ipv6/docs/dhcpv6.pdf
DHCPv6 Prefix Delegation
[Diagram: IPv6 ISP - Router1 - Fa4/0 - Router2 - Fa1/0]
Router2#
!
interface Loopback0
 ipv6 address CLIENT1 ::2:0:0:0:1/64
 ipv6 enable
!
interface FastEthernet1/0
 ipv6 address CLIENT1 ::1:0:0:0:1/64
 ipv6 enable
 ipv6 mtu 1480
!
interface FastEthernet4/0
 ipv6 address CLIENT1 ::4:0:0:0:1/64
 ipv6 enable
 ipv6 dhcp client pd CLIENT1

Router1#
!
ipv6 dhcp pool CLIENT1
 prefix-delegation pool CLIENTPD
!
interface FastEthernet2/0
 ipv6 address 2001:db8:2:4::2/64
 ipv6 enable
 ipv6 dhcp server CLIENT1
!
ipv6 local pool CLIENTPD 2001:db8:2::/48 61
• Router1 (the delegating router) contains a pool of /61 prefixes that it can allocate to requesting routers
• Router2 (the requesting router) will ask for a prefix via Fa4/0 from Router1
• Router2 will then further subnet the /61 it receives into /64 prefixes and assign them to multiple interfaces (3 bits = 8 possible)
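The composition of Router2's CLIENT1 addresses from the delegated prefix, as an added example that is not from the slides or from IOS: it assumes Router1 handed out 2001:db8:2:8::/61 (the second /61 of CLIENTPD) and that the general-prefix form of ipv6 address takes the leading prefix-length bits from the delegated prefix and the remaining bits from the sub-bits argument.

```python
import ipaddress


def delegation_pool(pool_prefix, delegated_len):
    """All prefixes the delegating router can hand out from a local pool
    such as 'ipv6 local pool CLIENTPD 2001:db8:2::/48 61'."""
    return list(ipaddress.IPv6Network(pool_prefix).subnets(new_prefix=delegated_len))


def lan_prefixes(delegated):
    """The /64s a requesting router can carve out of one delegated prefix (8 for a /61)."""
    return list(ipaddress.IPv6Network(delegated).subnets(new_prefix=64))


def general_prefix_address(delegated, sub_bits):
    """Assumed semantics of 'ipv6 address CLIENT1 <sub_bits>/<len>': the leading
    <delegated prefix length> bits come from the delegated prefix, the rest from
    sub_bits. sub_bits must not set a bit inside the delegated part, or the
    interface would be numbered outside the prefix the ISP delegated."""
    net = ipaddress.IPv6Network(delegated)
    host = ipaddress.IPv6Interface(sub_bits)
    host_bits = 128 - net.prefixlen
    if int(host.ip) >> host_bits:
        raise ValueError(f"{sub_bits} reaches outside the delegated {net}")
    if host.network.prefixlen < net.prefixlen:
        raise ValueError("interface prefix length is shorter than the delegation")
    addr = ipaddress.IPv6Address(int(net.network_address) | int(host.ip))
    return ipaddress.IPv6Interface(f"{addr}/{host.network.prefixlen}")


ROUTER2_INTERFACES = {   # sub-bits from the Router2 configuration on the slide
    "Loopback0": "::2:0:0:0:1/64",
    "FastEthernet1/0": "::1:0:0:0:1/64",
    "FastEthernet4/0": "::4:0:0:0:1/64",
}


def router2_addresses(delegated, pool_prefix="2001:db8:2::/48"):
    """Addresses Router2 ends up with once CLIENT1 is learned.
    Refuses a delegated prefix that is not from the configured pool."""
    if not ipaddress.IPv6Network(delegated).subnet_of(ipaddress.IPv6Network(pool_prefix)):
        raise ValueError("delegated prefix is not from the configured pool")
    return {name: general_prefix_address(delegated, sub)
            for name, sub in ROUTER2_INTERFACES.items()}
```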