Fred explains IPv6


Published on

My first book preview.
The published eBook willl have plenty of Hyperlinks to Flash movies to explain advanced topics. You can donate or order the books if you want.

  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Fred explains IPv6

  1. 1. First EditionFredExplainsIPv6In-depthFred Bovy. IPv6 For Life! 2012 ©
  2. 2. Preface 

1 This is why I wrote this very first book and a great tribute to my CISCO Colleagues from who I learned so many things! Then it also gives a pointer to the Web server that must be used with this book and the IPv6 Certifications. Please read important information at the End of this Chapter!
  3. 3. Preface to support ALL applications for EVERYONE! ! 12 years ago I decided to join the community of people who are building the new Internet for everyone and for the new applications that IPv6 enables!1 I joined the CISCO IPv6 IOS® Engineering Team to help the development of 6PE and 6VPE for about 3 years then Netflow for IPv6 and finally SeND and related IPv6 Security for about 3 years.My name is Fred Bovy, CCIE #3013, and I have been in the Networking industry for I would like to thank Eric Levy-Abegnoly, who was my IPv6 Team Leader and mentor (with Luc Revar-more than 20 years, with a focus primarily on IPv6 and Service Provider issues for del), who designed and developed 6PE, 6VPE, SeND and more, Ole Troan, another Great IPv6 Teamabout 10 years. Leader, who designed most of the IPv6 IOS Code, Benoit Lourdelet, who is the IPv6 Product man- ager, Patrick Grossetete before him and many other great CISCO people I have been working with. IIn 1999 I joined CISCO as a Network Consultant. My initial long term project involved learned so much with them. I was a CCIE and a CCSI when I joined CISCO, but I learned more abouthelping a Service Provider and an enterprise deploy brand new MPLS-VPN the Networks during the 10 years working for CISCO than all I had learned before. Special thanks tobackbones. Since then, I have been hooked, and have developed an expertise in Jim Guichard (my first mentor who went with me to the customers in my first 6 months within CISCO),this subject. I later joined the CISCO IPv6 IOS Engineering Team as a dev-tester. Peter Psenak (who was the NSA Engineer for EQUANT before me and also helped me a lot during the transition. He is now one of the best OSPF Engineers WorldWide. Networks are transparent for For more than 3 years, I focused on 6PE and 6VPE testing. During that time, I devel- him.), Arjen Boers (The multicast man who hired me with Valerio), JP Vasseur (CISCO Fellow Guruoped many TCL scripts to test 6PE and 6VPE functionalities, routing and switching who worked with me on the MPLS-TE Fast Re-Route project for EQUANT and such a nice guy !),performance, scalability, High Availability, all the supported network design like Inter- Francois Le Faucheur (Another Brain, the Architects of QoS in MPLS Network who invented DiffServ- TE, QoS Models in MPLS Networks), Robert Hanzl (The Customer support Engineer who helped menet Access models, Carrier’s Carrier or Hub and Spoke and more. I also got deeply on my first crisis with a customer and then became an MPLS Team Leader), Robert Rasczuk (Theinvolved in testing Netflow for IPv6 and SeND. MPLS Deployment Engineer who helped me on my first big crisis with a customer facing a major Back- bone instability), Luc Revardel (who taught me the basics of IPv6 Testing Automation), Greg Boland,In 2009 I resumed teaching, keeping the focus on IPv6 with special attention on the Steve Glaus, Mandy Mac Diarmid, Mado Bourgoin and all my managers who helped me to focus ontransition to IPv6. I believe that we have finally hit the tipping point for IPv6, given my work starting with Valerio Muzzolini, Serge Dupouy, Nick Gale.... And all the good guys and girlsthat all of the IPv4 addresses ran out in February. It’s time for everyone to realize, who I am forgetting, who are the CISCO Assets.before companies and individuals lose their competitive edge, that IPv6 is fast be- These 10 years were the best school, university, experience and also basis for human values, not onlycoming a requirement that will enable the Next Generation Internet. technical...About This was not only a matter of knowledge and people, it was also a way to manage the people that I had never found in any French companies or International companies not managed by Americans.I have written this book to help anyone who needs to design, configure and trouble- During my interviews when I got hired, someone asked me what I was expecting from my manage- ment. I answered support to keep me focused on my technical job, and I was correct! This was typi-shoot IPv6 Networks because this is the experience I have gathered in my life as an cally what I found with all my managers with an exception of the French SE (Pre Sales) Manager I gotIPv6 Tester, Consultant and Trainer and also from my 20+ (almost 25) years of IP when I joined the Account Team to help the customer validation process for free as this was normallyand CISCO Routers. a service charged to the customer. But except this one, I only got great managers who always sup- ported me when I was a Network Consulting and a Software Engineer. I was always supported to fo-In this first book I will cover the Fundamentals. Following books will be about Routing cus on my job and didnt have to worry about the political cases that the French really enjoy in mostProtocols, Transition To IPv6, Multicast, Security and more... big companies. I had the benefit of working for a big company, but at the same time I was so free to organize my work and received awards every time I was doing something good that I had the feeling IThe book must be used with the IPv6 TUTORIAL that can be found from was working for my own company. This was the first time that I was also working for a company where the technical skills were considered and you did not have to become a (often bad) manager when you were good in your Technical role as a reward! At last I found people like me, people working like me! Working for CISCO was my best experience in my carreer. After CISCO I resumed my trainer and consultant life and started to teach what I had learned with my CISCO masters and more! I am a self-employed IPv6 Expert working as a Fast Lane IPv6 Course Subject Matter Expert with other CISCO partners and for myself as well.1.1 Tribute  to  C ISCO  and  to  the  U SA!IPv6 is more than a Job to me; it is a hobby and a philosophy; it is a Community. It is open, and every-body is welcome to bring something!IPv6 was designed about 20 years ago by people who thought that the Internet should be for every-body and not only for the lucky ones who can get a Class A or whatever IPv4 block... It was designed 2
  4. 4. About the book You need to have a host connected to the Internet to do the proposed exer- cises and to validate that you were able to provide the correct answers.2 This is Free and very interesting certification.2.1 IPv6  Fundamentals 2.2.3 CISCO  C CIE  Rou5ng  &  SwitchingIPv6 cannot be understood if the Fundamentals are not. Thats why the first Module of this book is Cisco has one main 5 days training course and a derivated training from thisessential. one I have designed for CISCO which is aimed at the SP MarketYou can find some help in the "IPv6 For Life!" Tutorial from the home page: Tutorial has several chapters for the Fundamental Module:Fundamentals #1. Introduction and IPv6 Addressing 2.3 Important  informa5onFundamentals #2. More about IPv6 Addressing. ICMPv6 and an Intro about Neighbor DiscoveryFundamentals #3. DHCPv6, DNS, MOBILE IPV6 and derived applications THIS BOOK CAN BE READ COVER TO COVER OR YOU CAN PICK UP ANY PAGE FROM ANY CHAPTER WHEN NEEDED.Our first chapter will introduce the IPv6 basics.Then we will study the IPv6 Addressing which is the main reason why IPv6 was developed, to provide THIS E-BOOK IS ALIVE. MANY VIDEO LINKS ARE FLASH PRESENTATIONSan addressing which will match the requirements of the Internet for the next century. AND YOU WILL NEED A LARGE SCREEN AND FLASH® (ADOBE) SOFTWAREThere was a day one missed requirement which was the Multihoming requirement. This should have ENABLED BROWSER. PLEASE CHECK managed by the IPv6 Stack as a service like Mobile IPv6, but the Engineers just missed to ad- I AM ADDING NEW PRESENTATIONS ON A REGULAR BASIS AND I WILL UP-dress this issue which is still not completely resolved with a long term solution commonly accepted. DATE THE LINKS IN THIS BOOK. WHEN YOU GET A NEW VERSION OF THISThe next chapter will be about the IPv6 header, the long addresses, the Extension Headers and other E-BOOK YOU WILL GET PLENTY OF NEW PRESENTATIONS.interesting improvements for more efficiency.Then ICMPv6 basics, quite close to IPv4 and more interesting, the Neighbor Discovery Protocol which FOR ALL THE LINKS YOU WILL NEED To ACCESS IPv6 FOR LIFE® WEBis described in two separate RFCs. Many solutions are provided by ND like Autoconfiguration or SERVER: http://www.ipv6forlife.comRouter Discovery and more. Despite I am based in France I have been speaking and writing more in EnglishFinally we will describe all the most important Services which are not implemented for all platforms. than French for the last 25 years but I still may do some mistakes that I needLinux is the best platform to test and support all the IPv6 Services. you to forgive me if it happens in this book!2.2 IPv6  Cer5fica5ons The IPv6 Internet belongs to everybody. Thanks for reading me!2.2.1 IPv6  Forum  Cer5fica5onThere are many certifications at the IPv6 Forum with 2 levels, Silver and Gold for 
Engineer and Trainer. The Trainer is more advanced than the Engineers. Kindest Regards,For the moment, all you need is to apply on the IPv6 Forum Web Server and providea few proof of achievements to get certified. Fred Bovy2.2.2 Hurricane  ElectricHurricane Electric propose a very challenging certification with multiple levels up toSage Level.Each step requires both theory and practical exercise. 3
  5. 5. Introduction to IPv62 This chapter how we arrived to IPv6 in 2012 and the long path we walked by since the 80s! Address depletion is not a new issue and IPv4 was never intended to scale a Global Public Internet!
  6. 6. Chapter 2Introduction to IPv61 Introduction to IPv61.1 HistoryIPv4 was developed in the 80s for a military network with a few thousands hosts maximum by theDoD of the USA.There was no need for security as it was a private network in the DoD Buildings. There was no needfor Autoconfiguration or Mobility and many things.IPv4 Addresses were widely distributed until they were no more enough for everyone. In the early 90s,IPv4 Address depletion started to be a problem. Digital Equipment thought that OSI would replace IPv4 and that DecNET Phase V was actually OSII posted something about it in my blog about this history: Protocols. OSI  Protocols 1.1.2 ATM  and  Frame-­‐relay  The first serious candidate to replace TCP/IP was the OSI Protocols. The Open Systems Interconnec- But at the same time the convergence of Data and Voice Networks had started since the middle of thetion (OSI) protocols are a family of information exchange standards developed jointly by the ISO and 80s, and we were looking for a network which could manage both Real Time (Voice, Video) and Non-the ITU-T starting in 1977. Real Time data with multiple levels of Precedence as IPv4 was already doing. Some people were working very hard for a converged network and they came up with a new protocol called ATM (Asyn-OSI defined a Layered Model with 7 Layers while TCP/IP just had 5 since OSI Layers 5, 6 and 7 were chronous Transfer Mode).actually managed by the TCP/IP Application Layer. ATM could manage any kind of Traffic: Voice, Video, Business Data, Bulk Data. ATM was really a Net-OSI Protocols was providing a Datagram Service like IP called Connectionless Network Service work Scientist Protocol Architecture, its routing protocol PNNI was able to react in Real-Time to any(CLNS) with an address of up to 20 bytes (160 bits) long. change in the Network to find paths which could match any Class of Service Traffic.Its routing protocol, ISIS, very close to OSPF immediately interested many service providers since it ATM was based on 53 bytes cells at the Physical Level for Real-Time and Non Real-Time traffic to bewas an Integrated routing protocol which could support IPv4 as well (RFC1195). Actually it was more interleaved.SP Oriented and could support many more routers in the same area. It is also a much easier protocolto troubleshoot. A simple look at its Database will convince any Network Engineer in 5 minutes. ATM was designed for 155 Mbps Sonet SDH Fiber links minimum, and this was not really widely avail- able at this time. Also, the ASICS to manage the 53 Bytes Cells were not yet available or very expen- sive as it was not made at a sufficient large scale to get a reasonable price. So, an interim technology 5
  7. 7. was also created to transport Data and Voice while ATM was growing. This was Frame-Relay, astripped down version of X.25 with PVC only. SVCs came later, but they were never as popular asPVC.In the mid 90s ATM was the only serious candidate to support these converged Networks, and VoIPwas not an option in the networking business world.At the end of the 90s, most people realized that ATM would not scale with MultiGigabit Links, whichwere arriving slowly. Also, some ATM Protocols like LAN Emulations collapsed under traffic as theNode dedicated to replicate the Broadcast and Multicast was too much solicited. ATM, which wasgreat on paper, proved to be not scalable, and a complex and expensive solution, so VoIP came backas a viable solution.But all this work made for ATM was not thrashed, and many protocols built for ATM are still in use inmany solutions. A lot of of the QoS, a protocol like NHRP, which was developed for ATM Classical IP,is now used for CISCO DMVPN.1.1.3 MPLS  And also, there was the idea to replace a long address by a label that was already used by the oldX.25, then ATM networks gave the idea of replacing the IPv4 header with a short label! Epsilons IPSwitching, Ciscos tag switching and many other Vendors provided such a solution with an initial moti-vation to make faster routers.Then CISCO also saw that with Tag Switching it was possible to add some services which were notpossible with IP like Tag-VPN. Tag-VPN permitted providing each connected customer with a VirtualPrivate Network having its own IPv4 Addresses.Tag-VPN was based on a Multi-Protocol BGP Extension with a new BGP vpnv4 address family as itwas adding a 32 bit prefix to the the IPv4 address, called a Route Distinguisher (RD) for the BGP pre- !fix to be unique in the Service Provider Backbone BGP Table.In addition to the RD, an Extended Community BGP Attribute was added to the BGP Prefix before it 1.1.4  was advertised to a remote BGP Router. This Extended Attribute was then used to recognize a prefix IPv6  and import it into the Customer Virtual Routing Table. Later, in the early Y2Ks when IPv6 became the next version approved by the IETF and more andThe Benefits of Tag-VPN on the previous Layer 3 VPN based on IP were that: more requested by the Customers, CISCOs reply was to provide an IPv6 Service over IPv4/MPLSThe Backbone routers (P) did not have to know any of the the Customers Route. Only the BGP Next- without any need to upgrade the backbone.Hop, the exit point host route for each Provider Edge (PE) Router which was connecting to the Cus- They invented 6PE designed and developed in the South of France from an Architecture (RFC) oftomer Edge (CE) Router was enough. Francois Le Faucheur and other companies and then designed and coded by Eric Levy-Abegnoly.Before Tag-VPN, in the SP Point of Presence, each Customers needed to have a dedicated router In the early Y2K, the first large scale IPv6 offers from SPs were mostly brought by 6PE in Asia and inwhich was importing all the BGP Routes with a given Community Attribute. With Tag-VPN. the same the USA.PE could be shared by all the customers with each customer having its own Virtual Route. Later came 6VPE which was actually 6PE in the VRF, allowing the customers to have a dual-stackCustomers could have overlapping addresses without any problem. VPN supporting both IPv4 and IPv6.The provisoning and the management of the VPN were very much simplified. We will cover 6PE and 6VPE later with all details...Traffic Engineering was another great service of Tag-VPN, allowing the SP to use more than the bestroute links in their backbone to use all the available bandwidth of the core.Tag-Switching was then standardised by the IETF to MPLS,So in the late 90s and in the early y2k, most service providers were upgrading their backbone to 1.2  I Pv4  Address  Deple5onMPLS! As we have seen earlier, the IPv4 address Depletion started to be a problem in the 90s, and while some people were working on new protocols to replace IPv4, some others were working on a work- around to keep on working longer with IPv4. 6
  8. 8. They came up with NAT and Private Addresses (RFC1918). BeforeRFC1918, some people were already doing some private addressing,but it was at their own risk if they were choosing an address alreadyin use, and they could need one day to join like for instance One of these was used in my company in the early 90swith Proxies to reach the Internet for http or ftp protocols.Now with RFC1918, some block were reserved for private address-ing, and with NATPT aka PAT, it was possible to use one public ad-dress for a whole building or all the PCs of a residential user.Lets take a shortcut and call NAT: NAT, NATPT or PAT.NAT immediately solved the problem for many years, but at the sametime, it killed some concepts which created the popularity of the Inter-net like the End-to-End Addressing or peer to peer capabilities.In the 90s, this was the time for Downsizing and Client-Server Applica-tions. Many companies moved to TCP/IP for this reason.Downsizing was the migration of Applications from Mainframes toServers running on RISC Workstations, Mini Computers (AS/400) oreven PCs and PS/2s.Client-Server Applications was the migration from hierarchical Applica-tions runnning on a Mainframe and accessed by dumb terminals toApplications on Servers accessed by smart Clients, mostly micro com-puters or Unix Plaforms, PCs or RISC based.To keep on working with NAT, now we have to provision a public ad-dress for each server and configure a Static NAT Translation for eachServer. This can become tedious when you have a lot of servers tomanage. And we cannot save anymore addresses. Still each serverrequires a Public Address. !NAT introduced many states in the IP Network, which was a datagrambest-effort model, and this has many Architectural Implications. Just And even if the Service Provider was running NAT a second time in the SP Backbone to share anmake a search in the IETF Server for all the RFCs about NAT or PAT IPv4 Address among multiple Customers (NAT444), this could not give enough addresses to matchor NAPT, and you will find more than 80 documents explaining the the need of all the emerging countries, the need for more than one IPv4 address per user. We mustlimitations, how to workaround NAT to support most of the Network now support plenty of new connected devices which did not exist in the 90s: Smartphones, iPADs,Applications. and so on...NAT seems an easy and cheap solution, but when you look into it, So today the question is no more if we need to move to IPv6 but when!you find that it actually cost a fortune in hidden costs and thousandsof lines of code to support it!To support Voice application, Skype workaround is to use a Server in the middle of your connection,and your Smartphone must send keepalive on a regular basis to keep the NAT States up drainingyour batteries. 1.3 The  Current  Market  NeedsSkype makes it with the cost of a server and keepalives, but many voice applications are still impossi- We have seen that IPv4 even with double NAT could not provide enough addresses for all the Emerg-ble because of NAT! ing Countries, new devices and new applications which require more and more addresses and even more and more ports (Ajax)!A 10.0.0/8 block looks like a big block for the needs of most companies, but it is still too small forsome very large companies or some Service Providers. Thats why the Cable SPs requested that The Cable Networks Operators have requested that the last DOCSIS Cable standard MUST supportDOCSIS 3.0 supports IPv6! IPv6.Today, even with the use of NAT, we are now running out of IPv4 Addresses in most regions of the Voice Applications suffer more and more from the NAT limitations and Mobile IPv6 or Proxy MobileWorld! IPv6 can bring solutions impossible to solve for IPv4. 7
  9. 9. All IPv6 Addresses of a building Xlate to one IPv4 Addresses: 2001:DB8:678:1000::/48 -> IP 2001:DB8:678:1000::/48 -> IP 2001:DB8:678:1000::/48 -> IP NAT44 (CGN/LSN) NAT44 -> -> 1 IPv4 Only Host IPv4 2001:db8:678::1/64 (SLAAC) STATEFUL 2 Internet DHCPv6 Client DHCPv6-PD Client Use LL for the p2p Link Address to SP NAT64 ISP Control IPv6 RFC 1918 Internet ISP NAT44 First Subnet IPv4 Private 2001:db8:678::/64 2001:db8:678:3::/56 8 bits for Subnets Network IPv6 Private 2001:db8:678:1::/56 8 bits for Subnets Network NAT44 2001:db8:658::/48 2001:db8:678:30::/64 2001:db8:678:31::/64 2001:db8:678:2::/56 ... 8 bits for Subnets 2001:db8:678:10::/64 2001:db8:678:11::/64 2001:db8:678:20::/64 ... 2001:db8:678:21::/64 ...autono- devices which not only do autoconfiguration, but also can form Networks dynamically after theyautomatically discover neighbors. This is Wireless Sensors Networks (6LowPAN) applications. The current solutions to address this problem are the Stateful Carrier Grade NAT (CGN) aka1.4 Transi5on  Richness Large Scale NAT (LSN) and the Stateless dIVI-pd or A+P Solutions.Since the IPv6 introduction, tools for a soft transition were provided. They have evolved with the timeand the demand. • SPs with IPv4 Backbones need to provide IPv6 Access to the IPv6 Internet or among IPv6 customers. This is based on 6PE or 6VPE for MPLS/IPv4 or 6RD for IPv4 Backbone. 
In 1996, IPv6 was shipped with a dual-stack and static tunnels.While the Internet is still growing very fast with more connected devices every day, the available IPv4 • SPs with IPv6 Backbone need to provide IPv4 Access to the IPv4 Internet or among IPv4 Cus-addresses have declined and IANA has been completely depleted since February 2011. As IPv6 has tomers.been now implemented for more than 15 years and available on most Operating Systems and Net-work vendors, most Service Providers and even more companies have not yet switched to the next This is based on DS-Lite or 4RD based Solutions.generation Internet protocol. As a consequence we still need to buy some time to allow a smooth tran- • To Provide access to IPv4 Resources for IPv6 ONLY Customers.sition to IPv6. It is planned that we will need to support mixed IPv4 and IPv6 networks. This is based on Address Family Translators with NAT64 and DNS64 as currently the best solu-Clearly, maximum performances, security and other benefits we can think about with running IPv6 will tions. These translators permit to translate IPv6 to IPv4 packets originating from the IPv6 achieved when the transition is complete. With Stateless it is a One-to-One translation using a reserved IPv6 prefix.
During the transition we will need to compromise features, performances and security for the With Stateful NAT64, multiple IPv6 addresses can be translated to one IPv4 addressesbenefit of supporting old IPv4 nodes and applications. .We have to address the four following problems: There is a Stateless implementation on Linux called TAYGA. They say on theire Web site that to get a • To Support a maximum of new IPv4 customers with the few remaining IPv4 Public Addresses. stateful NAT64 one just needs to combine their TAYGA with a Statefull NAT44 also available on Linux. This implies more sharing of the remaining addresses. 8
  10. 10. This will be more developed in the next book with a module or a full book about Translation to IPv6. 1.5.3 More  Efficient  Packets  SwitchingThere are so many possibilies and so many technologies being tested if we really want to cover all theexperience currently or lately performed. No more Header Checksum in IPv6. This field has been completely removed.SP are not very happy with the CGN or LSN based solutions since they have to run a stateful protocol Header aligned on 64 bits for more efficient their backbone. The Capacity Planning is almost impossible in most cases so they may have toover provision the NAT64 or NAT444 with big CPU and a lot of RAM just in case you have to manage Routers are no more responsible for fragmentation. If fragmentation must be done, it must betwice more translation for an occasion like a global sport event like the Olympic Games. If TV is not done by the source. The fragmentation information are no more carried in each packet but inworking for the Olympic Games or a Mundial soccer event it would be a reason for many users to an Extension Header if needed.move to a competitor! Protocol like 4RD, dIVI-PD.With CGN/LSN the SP must keep the logs which represent some Tera Bytes of Data each month.Transition protocols are expensive and as all SPs are transitioning to IPv6, I have serious doubts nowthat dual-stack will be supported for a long time. The "Good" Internet User who complies with IPv6 willnot want to pay the bill of the one who is doing nothing for 15 years?1.5 What  are  the  I Pv6  improvements?1.5.1 128  bits  Addresses1.5.1.1 IPv6  addresses  -­‐  how  many  is  that  in  numbers?IPv6 is our Word of the Day today. The big difference between it and IPv4 is the increase in addressspace. IPv4 addresses are 32 bits; IPv6 addresses are 128 bits. That’s a lot more, for sure, but whatdoes it look like in numbers? What could we compare it to in real-world terms?DevDevin did the math:How many IP addresses does IPv6 support? Well, without knowing the exact implementation details,we can get a rough estimate based on the fact that it uses 128 bits. So 2 to the power of 128 ends upbeing 340,282,366,920,938,000,000,000,000,000,000,000,000 unique IP addresses.How do you say that, though? 340 trillion, 282 billion, 366 million, 920 thousand, 938 — followed by24 zeroes. There’s no short way to say it in numbers without resorting to math.Here’s how Wikipedia expresses it:The very large IPv6 address space supports a total of 2128 (about 3.4×1038) addresses - or approxi-mately 5×1028 (roughly 295) addresses for each of the roughly 6.5 billion (6.5×109) people alive to-day. In a different perspective, this is 252 addresses for every observable star in the known universe. Steve Leibson takes a shot at putting it in real world terms. It’s big — grains of sand don’t even enterinto it. No, he’s got to take it to the atomic level. Here’s his conclusion:So we could assign an IPv6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and stillhave enough addresses left to do another 100+ earths. It isn’t remotely likely that we’ll run out of IPV6addresses at any time in the future.1.5.2 Extension  HeadersIn IPv4 we had a limited amount of Option which could not provide for any new Extension. In IPv6 wehave Extension Headers instead. These Extension Headers can be daisy chained so it is now possi-ble to put as many Options as we want in an IPv6 packet to support any new IPv6 Level Applications.The first great example of what we can do with Extension Headers is Mobile IPv6 and all derived appli-cations: Mobile router (NEMO), MANET, Wireless Sensors Networks (6LowPAN), PMIPv6. As we cantweak Addresses at the Network Layer it becomes transparent for the Transport or Application Level. 9
  11. 11. IPv6 AddressesAddresses3 This chapter introduces the key feature of IPv6 which is an address that scales the Internet requirements of 2012 until we all die!
  12. 12. Chapter 2IPv6 Addresses 1 IPv6 Addresses 1.1 Introduc5on IPv6 not only makes longer addresses, but also makes a better use of addresses and how to manage them. For instance if you have a small LAN without any routers, the workstations will be able to pick up an address automatically, which will only be valid on this LAN (Link-local) and will permit the Node to be automatically configured with a local address. Then if a router comes up, new prefixes will be advertised by the router, and the Workstation will automatically configure addresses derived from these prefixes. The most important things are: There is no more Broadcast, only Multicast! • Link-Local addresses only valid on the link where it is configured. This leads to the concept ofTopics Zone. This Link-local address belongs to a zone with its own routing table. • Anycast Addresses which is an address to the nearest Service. This was already existing in IPv4 but now it is fully managed. • Routers are discovered Automatically1. Introduction • ARP has been dramatically improved in the Neighbor Discovery protocol. There is no more just a TImeout for the MAC to IP Address cache, but the Neighbors are Managed in the cache by a Finite State Machine. Useless entries of dead neighbors are cleared. When a Timer ex-2. What does 128 bit represent? pires, a few probes are sent to the neighbor (About 35 seconds with default). • The concept of zone is also important in IPv6. For the moment it mostly applies to Multicast and Link-local Addresses, but it could be used to creat VPN. Still each zone has its own Rout-3. All types of IPv6 Addresses: ing Table (Please see RFC4007 "Scoped Zone Architecture" for more details). See RFC4291 for IPv6 Address Architecture 1. Unicast 1.2 What  does  128  bit  represent? 1. Unique Local Unicast We could assign an IPv6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still 2. Global Unicast Addresses have enough addresses left to do another 100+ earths. It isn’t remotely likely that we’ll run out of IPV6 addresses at any time in the future! 3. Special Addresses So we must change the way we design networks and stop trying to save IP Addresses! We must give large blocks when needed as wasting IPv6 Addresses is not to use the huge amount of available address to make scalable Networks rather than saving each single bit of Address! Wasting 2. Multicast Addresses does not mean the same thing in IPv6 as in IPv4! 3. Anycast 1.3 How  to  write  an  I Pv6  Address? The 128 bits Address is written as 8 16 bits digits written in Hexa and separated by a colon :. Leading zeros can be ignored. You can write: 11
  13. 13. 2001:db8:1:459d:f123:98ab:d0:e1 IPv6 addresses are made of 128 bits, but we still find the same 3 parts that we have in an IPv4 Address:instead of: 9 bits 36 bits 16 Bits Host. 64 bits2001:0db8:0001:459d:f123:98ab:00d0:00e1. 3Once in the address you can replace a long list of zeroes with double colons :: 001 ARIN RIR or ISP Subnet ID Interface IDYou can write: 16bits2001:db8::1 IPv6 Unicast Addressesinstead of:2001:db8:0:0:0:0:0:1 Global  Rou>ng  Prefix An ISP Customer Prefix used to route the packet to the customer. This Prefix itself is built of a com-1.3.1 The  I Pv6  Addresses  are: mon prefix for all the Global Unicast Addresses 0010 or 2000::/3. Then you have a prefix matching a Regional Internet Registry, a RIR and then the part of the Address which addresses the customer. The • Unicast: One to One most common prefixes are typically a /48 Prefix for each site. This may seem overkill, but we do not waste addresses if we use them. We waste them if we dont! • Global Unicast Addresses (Public) 2001:db8::/16 is reserved for documentation and labs! • Unique Local Addresses (Private) • Link-Local Address The  Subnets  bits These bits can be used by the customer to address many subnets for each site. We may find that us- • Special addresses: loopback, unspecified, IPv4 Mapped ing a /48 prefix for each site may be a waste of Addresses with our IPv4 reflexes, but this is actually • Anycast: One to Any the other way around as we have so many addresses available that it would be wasting addresses if we were trying to save addresses instead of using them generously to maximize the scalability of the • Multicast: One to Many addressing and allow easy growing of the sites. The  Interface  I D1.4 IPv6  Unicast  Addresses The Interface ID is similar to the IPv4 Host Address. It is used to identify the Host itself.­‐64  or  Modified  E UI-­‐641.4.1 Global  Unicast  Addresses  (Public) This address is generally derived from the Interface MAC Address which is 48 bit. 0xFFFFE is added in the middle of the MAC address to make a 64 bits address:The Global Unicast Addresses are similar to the Public IPv4 addresses and are routable in the IPv6Internet. Provider . 48 bits Site . 16 bits Host. 64 bits 00 90 59 02 E0 F9 Global Routing Prefix SLA Interface IDGlobal Unicast Address 00 90 59 FF FE 02 E0 F9In the Internet 2000::/3 (binary 0010) is reserved by IANA for the global unicast address. You will findmore details on the Internet here and RFC4291 for IPv6 Address Architecture:ThAs the Global Routing Prefix contains the IANA prefix for Global Unicast Adddress, a prefixwhich identifies the Regional Internet Registries (RIPE in Europe for instance) and eventuallyanother prefix which identifies the ISP: 000000X0 EUI-64 Address In this example, the MAC Address is 00-90-59-02-E0-F9. The EUI-64 Address will be: 90:59ff:ff02:e0f9 And the Modified EUI-64 Address will be: 290:59ff:fe02:e0f9 12
  14. 14. For the Modified EUI-64 address X=1 which means that the address is a Locally Administratively Man-aged Address. Global ID 40 bits Subnet ID Interface ID1.  Random  Prefix  (RFC4941)As NAT is no more used and the Interface ID of a Laptop may not change, a user may be tracked byits address. To avoid this possible problem it is possible to use a Random Temporary Interface ID and 1111 1100 1111 1101change it everyday!This is configurable on all the available platforms (Windows, MAC OS, Linux). FC00::/7 FD00::/  Configured Unique local AddressOn Routers or some servers, it may be better to assign static addresses instead of a EUI or RandomInterface ID. The big benefits of ULA other RFC1918 in IPv4 is that you have 40 bits to make your Prefix Unique. So in case one day you need to merge two Private Networks using ULA Addresses you may not haveFor instance, in a Datacenter your router HSRPv6 Group could be 2001:db8:a01::1 and you may con- to renumber your Network.figure a static default route on all your Servers. Actually there are two kinds of ULA, the Locally Managed and the Centrally Managed. If you make aYou make sure that your system will not waste anytime or receive any Rogue information! Reservation and use the Centrally Managed Addresses, there is absolutely no risk of finding a dupli- cate subnet. With Locally Managed, the risk exist.IPv6 Global unicast address Format (RFC 3587) You can make a reservation at this URL: IPv6 Global Unicast Address Format (RFC 3587) At the beginning of IPv6, they was no ULA but a prefix for site-local addresses: fec0::/10. But with this approach we had the same problem as with RFC1928 IPv4 Addresses so this prefix is no more re- served for Site-Local Addresses, which are deprecated and replaced by ULA. Initial Format Provider . n bits 64 .n bits To access the Internet from a ULA Address you may need Proxies. For instance, if your internal Serv- Host. 64 bits ers only need http or ftp access to the Internet for SW Updates at night, ULA + Proxy may be the right approach. Global Routing Prefix Subnet ID Interface ID IETF assigned 001 for Global Unicast, 2620::/12 assigned to American 1.4.3 Link-­‐local  Addresses Registry for Internet Numbers 36 bits 16 Bits Host. 64 bits Link-local Addresses are the Only Mandatories Addresses for each interface. When an IPv6 interface 3 9 bits is coming up, the first step is to validate that its Link-local address is unique (Valid). If not, the IPv6 00 Interface is disabled. The interface could be used for other protocols but not IPv6! ARIN RIR or ISP Subnet ID Interface ID 1 IPv6 Link-local addresses are only valid on the interface where they are configured. If you have many interfaces on a host or a router, it is no problem to use the same address for all the interfaces. RFC 2374: Aggregatable Global Unicast Address Structure They all start with the prefix fe80::/10. Public Topology Site Topology Interface Identifier 128bits 3 13 8 24 16 64 bits 11111 Tout à 0 Interface ID FP TLA ID RES NLA ID SLA ID Interface ID 1010 © Frédéric Bovy - October 2011 - 37 64 bits FE80::/101.4.2 Unique  Local  Addresses  (Private.  R FC4193) Link-local Address When you are using a Link-local address in a command, you must specify the Outgoing interface byThe ULA are Private Unicast Addresses not routable on the Internet. its name or its index with the % sign in between like: fe80::34f:a011:2:d78%FastEthernet1 on Cisco Router or 13
  15. 15. fe80::34f:a011:2:d78%15 on Microsoft Windows, 15 is the interface index. These addresses do not have any reserved prefix so you cannot recognize an Anycast Address from a Unicast.In IPv4 it is similar to the address (RFC 3927).All the Next Hop but recursive static or BGP routes use a Link-local address.1.4.4 Special  Addresses 1.6  I Pv6  Mul5cast  Addresses1.4.4.1 Unspecified  Address  is  ::/0 This is a one to many addressing.The Unspecified is only used as a source address when a node is booting, and it is verifying its Link-local Address. There is no Broadcast in IPv6 only Multicast. But you have an address for all IPv6 nodes (ff02::1) as in IPv4 an address for all IPv4 nodes ( The prefix ff02:: is reserved just like 224.0.0.x for IPv4.A router MUST NOT route a packet with an unspecified source address. Multicast Addresses are used like in IPv4, when a source needs to send a packet to a Group of Re- Loopback  Address  is  ::1 ceivers.The loopback address is a Link-local address to the node itself. It must not be assigned to any physi-cal interface. It is similar to the IPv4 address. IPv4  Mapped  AddressThis is used when you need to code an IPv4 address in the IPv6 format. For instance with 6PE or6VPE, the destination IPv6 Address will have the Egress PE IPv4 Loopback interface. This is illegalfor BGP to advertise a destination with a next hop of another Address Family. So the Next Hop iscoded as an IPv4 Mapped Address. The Flags are used for the Embedded RP Address. This is new in IPv6 and allows the RP Address to be embedded in the Group Address. We will studyYou got 80 bit set to 0, then 16 bits set to ffff and then the 32 bits of your IPv4 address: the Flags when we cover the Multicast in detail.If the next hop was, it would be coded: The Scope is also new in IPv6 and allowed to set the Scope of the Mul-0:0:0:0:0:ffff:<32 bits IPv4 Address> ticast Group:::ffff: or::ffff:c009:1 1 is Node Local 2 is Link-local scope. Example:ff02::1 4 is Admin-local1.4.4.4 Encapsula>on  of  I Pv6  in  Ethernet 5 is Site-local 8 is Organization-localIPv6 Protocol is 0x86dd E is a Global Group Example: Dest Ethernet Source Ethernet Adress Adress 0x86DD IPv6 Header and charge ff02::1:2 All DHCP Servers and Relay. Link-local Scope ff05::1:3 All DHCP Servers. Site-local Scope (used by Relays)IPv6 in Ethernet ff02::2 All IPv6 Routers. Link-local Scope ff02::5 All IPv6 OSPFv3 Routers. Link-local Scope1.5  I Pv6  Anycast  Addresses ff02::6 All IPv6 OSPFv3 DR Routers. Link-local ScopeThis is a one to any addressing. ff02::9 All IPv6 RIPng Routers. Link-local ScopeAnycast Addresses are like duplicated Unicast Addresses. The goal is to find the nearest server imple- ff02::A All IPv6 EIGRP Routers. Link-local Scopementing a function.It was already existing in IPv4 for the DNS Root Servers. We have only 13 addresses, which repre- Only the Link-local Scope is automatically filtered and not forwarded by Routers. All the other Scopessent more than 200 physical servers. must be implemented with ACLs.In IPv4 it was also used by Anycast RP to find the nearest RP in a redundant RP mode using MSDPto make the RPs communicate with each other. 14
  16. 16. For each unicast or anycast address configured, the IPv6 node automatically configures a SolicitedNode Multicast Address derived address. This address is setup with a common Multicast Prefix andthe last 24 bits of the Unicast Address.Example:Unicast Address2001:DB8:DC28::FC57:D4C8:1FFFSolicited Node Multicast PrefixFF02:0:0:0:0:1:FFSolicited-node multicast addressFF02:0:0:0:0:1:FFC8:1FFFThe solicited node multicast address derived from the unicast Préfixe Interface Identifier FF02 O 0001 FF 24 bits 128 bits IPv6 Address Plan Example1.7 IPv6  Address  Plan  Example 2001:db8:abcd::/48 has been assigned for the USA offices of this company. Each Regional largest office aggregates the traffic for the area as a /52 route. In the address2001:db8:abcd::/48 has been assigned for the USA offices of this company. 2001:db8:abcd:9000::/52, 9 identifies the West Coast.Each Regional largest office aggregates the traffic for the area as a /52 route. In the address Each office has a /56 prefix. In the address 2001:db8:abcd:9100::/56, 91 identifies the San Francisco2001:db8:abcd:9000::/52, 9 identifies the West Coast. Office.Each office has a /56 prefix. In the address 2001:db8:abcd:9100::/56, 91 identifies San Francisco Of- Then 2001:db8:abcd:9101::/64 may be the first LAN in SF.fice.Then 2001:db8:abcd:9101::/64 may be the first LAN in SF. 15
  17. 17. Internet Admin hierarchy1.8 The  Mul5homing  Issue IPv6  Addressing  Hierarchy Regional Internet Registries EU/ISP (ARIN, APNIC, RIPE, NCC) Cust1 ISP/ RIR 21ae:db8:1::/48 ISP1 LIR EU 21ae:db8::/32 RIR1 IANA 21ae::/8 ISP/ RIR NIR EU Cust2 ISP2 LIR 21ae:db9:1::/48 National 21ae:db9::/32 IANA Internet Local Internet End Users 2000::/3 Registries Registries Cust3 2001:db8:1::/48 RIR2 1.8.2 Mul5homing  Issue  and  solu5ons ISP3 2001::/8 Cust4 2001:db8::/32 This works very well as long as a customer does not want to use more than one SP for Redundancy 2001:db8:2::/48 or other reasons like best price in different regions of the world for instance. In this case, the customer will have to deal with multiple Prefixes. This is not a problem again as anyIPv6 Addressing Aggregation IPv6 interface can be configured with multiple Prefixes.Having an address 4 times bigger, the IPv6 designers didnt want to need 4 times more memory! So The problem is for resiliency and load-balancing.they designed a model to maximize Aggregation. There is a Flash animation in my Free On-Line Tutorial Fundamentals #2.IANA has allocated the block 2000::/3 for Global Unicast Addresses. Then in your address you willhave a Prefix which identifies each Regional Internet Registry: RIPE-NCC, ARIN, APNIC, AfricNIC,LACNIC. And a Prefix for each SP ISP2 ISP1 2001:db9::/32The end user does not own a Prefix, and if he changes the SP, he will have to renumber its Network 2001::db8::/32 2001:db9:100::/48with a new Prefix. 2001:db8:1::/48The goal is to maximize route Aggregation, allowing each SP to summarize all its client with one or afew Prefixes. This is what we call Provider Assigned (PA) Prefixes. 2001:db8:1::/48 2001:db9:100::/48 2001:db8:1::/48 2001:db9:100::/48 Provider Assigned Address 16
  18. 18. 1.8.3 Provider  Independant  Addresses   Dest thru ISP2 is no longer reachable   The session fails ISP1 ISP2 ISP1 ISP2 2001:db8:100::/48 2001:db8:1::/48 2001:db8:66::/48 2001:db8:66::/48 2001:db8:1::/48 2001:db8:1::/48 2001:db8:100::/48 2001:db9:100::/48 2001:db9:100:99:42:345F:1:1/64 2001:db8:66::/48 2001:db8:1:99:42:345F:1:1/64 2001:db8:1::/48 2001:db8:100::/48 2001:db8:66::/48 In this case your RIR will allocate a Prefix to the end-user who is authorized to advertise its own prefix to multiple SPs. Below is an example. 2001:678:e01::/48 has been assigned to this company and the same prefix is advertised to SP ACME andThe best solution, which may be expensive in some regions, is the P ABC! So each of these SPs will have to advertise this Prefix in the IPv6 Internet if it does not fall underProvider Indendant (PI) Prefixes. the summaries of each SP.They have been available since 2009, and we can see that the number of IPv6 prefixes has started to It is seen as a short term solution as a long term solution should permit maximum aggregation andincrease tremendously since this date. First, because there was no solution to this problem before and must be managed by Hosts or Routers.then because we cannot Aggregate the PI PRefix since it punched a hole in the summary address foreach SP where it does not fall into one of its summary and must be advertised independantly.   A new session must be started   Better route from ISP2   A session is started ISP2 ISP1 ISP1 ISP2 2001:db8:1::/48 2001:db9:100::/48 2001:db8:1::/48 2001:db9:100::/ 48 2001:db9:100:99:42:345F:1:1/64 2001:db8:1:99:42:345F:1:1/64 2001:db9:100:99:42:345F:1:1/64 2001:db8:1:99:42:345F:1:1/64 17
  19. 19. Internet 2001:678:e01:3000::/52 2001:678:e01::/48 2001:db8:1001:f000::/52 Campus 3 BB Router Campus 1 Backbone Router ISP ABC ISP ACME Bldg 3-2 2001:678:e01::/48 2001:678:e01:3200::/52 2001:db8:1001:f1000::/52 2001:678:1001:f000::/52 Campus 2 BB Router Bldg 3-2 2001:678:1001:f100::/56 2001:678:1001:f1000::/52 2001:678:e01:3100::/52 255 user /64 LANs per Building 2001:678:1001:f101::/64 Bldg 2-2 Bldg 2-1 2001:678:1001:f1200::/52 2001:678:1001:f1100::/52 Bldg B 1-1 2001:678:1001:f102::/641.8.4 Other  Solu5onsThere are some host based and routers based solutions to solve this problem without losing the maxi-mum Aggregation of the PA Prefixes. Some solutions are host based like shim6 or HIP, which alsomanaged Mobility, and some others are managed by the routers like LISP."The basic idea behind the Loc/ID split is that the current Internet routing and addressing architecturecombines two functions: Routing Locators (RLOCs), which describe how a device is attached to thenetwork, and Endpoint Identifiers (EIDs), which define who the device is, in a single numbering space, the IP address. Proponents of the Loc/ID split argue thatthis "overloading" of functions makes it virtually impossible to build an efficient routing system withoutforcing unacceptable constraints on end-system use of addresses. Splitting these functions apart byusing different numbering spaces for EIDs and RLOCs yields several advantages, including improvedscalability of the routing system through greater aggregation of RLOCs. To achieve this aggregation,we must allocate RLOCs in a way that is congruent with the topology of the network ("Rekhters Law").Todays provider-allocated IP address space is an example of such an allocation scheme. EIDs, onthe other hand, are typically allocated along organizational boundaries. Because the network topologyand organizational hierarchies are rarely congruent, it is difficult (if not impossible) to make a singlenumbering space efficiently serve both purposes without imposing unacceptable constraints (such asrequiring renumbering upon provider changes) on the use of that space.LISP, as a specific instance of the Loc/ID split, aims to decouple location and identity. This decouplingwill facilitate improved aggregation of the RLOC space, implement persistent identity in the EID space,and, in some cases, increase the security and efficiency of network mobility." 18
  20. 20. IPv6 Header4 To summarize the IPv6 Header we could say: longer addresses and a simple efficient versatile, flexible, powerful Network Layer! The daisy chained IPv6 Extension header is a major important step for any application in the future! Mobile IPv6 is the first example of this power!
  21. 21. Section 1IPv6 HeaderTopics1. IPv6 versus IPv4 headers2. Path MTU discovery3. Extension Headers4. Encapsulations of Packets in Layer 2 20
  22. 22. .1 IPv6  vs  I Pv4  Headers • No more Fragmentation fields (Fragment ID, Frag Offset, Flags). Fragmentation is no longer performed by Routers but only the source of the Traffic and an Extension Header will be used for the Fragmentation information • No more Header Checksum as it was redundant with the Link Layer and Transport Check- sum • Other fields have been renamed with more explicit names like Hop Limit instead of TTL • The Traffic Class used instead of ToS/Precedence but still transports a DSCP for QoS • IPv6 Addresses are 4 times larger. • The Protocol field is replaced with a Next Header as now the Headers can be daisy chained to add several options to a packet! • A new field pretty much unused so far: the Flow Label. It should be used to identify a flow with the Source and Destination Addresses. It is not used for two reasons:There is no common agreement to use it in a standard way.People are scared that a non default Flow Label (0) would give information to hackers about the sensi-tive traffic! The data are aligned on 64 bits for better memory access.2 Path  M TU  DiscoveryFragmentation is expensive as it consumes resources on the Router or the Host which fragments thepacket, and it also consumes resources on the destination host which reassembles the packets. The biggest improvement which really gives IPv6 more Flexibility and Versatility is the use of daisySome Firewall or NAT devices do the reassembly as they need the information contained in the first chained Extension Headers. Now, it becomes possible to push many headers in an IPv6 packet andfragment like the Port numbers. as these Headers are TLV (Type, Length, Value) you can add a new Header Extension to support aFragmentation is also a very easy to initiate DoS Attack, as a station sending traffic requiring a lot of new Network Layer Application.Fragmentation or Reassembly can kill this station overwhelming its CPU! The first great example of what we can do will be introduced in a later Module. This is for Mobile IPv6So Fragmentation is avoided in IPv4 already systematically for all TCP Traffic with a protocol called and the derived applications.Path MTU Discovery!An IPv6 router is not allowed to fragment a packet, only a source of a connection can, including a The Extension Headers are the following and SHOULD follow this order:router is it is the head-end of a tunnel and it encapsulates IPv6 in IPv6 but this is a special case. • Hop-by-hop. This Option MUST be checked by each router in the path. In IPv4 we had theThe principle is that the station starts sending at the maximum MTU, and every time a Router cannot Router Alert to do the same, and this Router Alert is transported in this Option when needed.route the packet because of MTU it drops the packet rather than fragmenting and sends an ICMP Re- It is used by Multicast (IGMP or PIM), RSVP and other applications.port providing the next Link MTU. The source sends the next packet at this MTU, and the operationmay eventually be repeated. Router Alert OptionMINIMUM MTU FOR IPv6 IS 1280 BYTES The Router Alert Option (RFC2711) tells the router that it must take a look at the packet. It is car- ried in an hop-by-hop option. Example : Frame 3836 (90 bytes on wire, 90 bytes captured).3 Extension  Headers Ethernet II, Src: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01) Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01) Source: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c) Type: IPv6 (0x86dd) 21
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.