IPv6 tutorial
IPv6 tutorial Document Transcript

  • 1. IPV6 INFORMER - 1st - APRIL 2012 - Fred Bovy EIRL - IPv6 For Life! (c) 2012
  • 2. CONTENTS
    TOO MUCH INFORMATION: THE IPV4 NETWORK WAS DESIGNED 30 YEARS AGO FOR A MILITARY NETWORK OF A FEW THOUSAND HOSTS! The Internet needs of the 70s are drastically different from those of the Internet of today. 32 bits were considered far more than we would ever need for the Internet. Mobility and security were not even considered! Many protocols were considered to replace IPv4 in the 90s, like OSI or ATM, but finally IPv6 won the battle and became the solution for the future of the Internet. In the meantime NAT permitted the creation of private networks and extended the life of IPv4 for 20 more years. But NAT also broke the peer-to-peer facility which was a key driver for TCP/IP adoption in the 90s, with the client-server architecture and downsizing. Today, even double NAT cannot scale enough!
    Publisher and editor: Fred Bovy - fred@fredbovy.com
    RELEASES: 2 Fundamentals; 3 Routing Protocols; 3 Transition to IPv6; 4 Security; 5 Multicast; 6 Wireless & Sensors; 7 Design & Case Studies; 8 Troubleshooting. There will be some more releases coming after this one. This is the beginning of a series which will also be specifically designed for Service Providers, Enterprises, home users and everybody.
    FUNDAMENTALS DETAILS: Introduction; IPv6 Addressing; Cisco Network Services; DHCPv6; IPv6 Header; Autoconfiguration; Campus Case Study; Intro to Mobility.
    NO MORE NAT! NAT had been very helpful when it was started and bought some time for IPv6 to get ready, but became very harmful later when people started to get addicted to it. No more NAT in IPv6. No more NAT which broke the peer-to-peer mode of TCP/IP.
    UNLIMITED ADDRESSES: 128 bits, 4 times larger than IPv4! 2^128 = 3.403 x 10^38 addresses.
    Only Unicast, Multicast and Anycast remain in IPv6! Broadcast disappeared: the all-nodes multicast address takes its role. Anycast cannot be differentiated from a Unicast address.
    SIMPLER HEADER: Aligned on 64 bits. No more checksum. Fragmentation is only performed by the source. Options can be daisy-chained as Extension Headers, which SHOULD follow a specific order. Services can now be added at the Network Layer!
    FLEXIBILITY - MOBILITY: The new header accepts Extension Headers which permit the creation of applications at the Network Layer. This was not possible in IPv4. Mobile IPv6 is an excellent example of what can be done with the Extension Header.
  • 3. IPV6 ADDRESSES
    NO BROADCAST, MULTICAST! Multicast is used to replace all the broadcasts in IPv6.
    IPV6 ADDRESSES NOTATION: 2100:DB8:90:95:45:50:35:61/64 is a valid address for a LAN workstation! An address is written as 8 groups of 16 bits in hexadecimal separated by ':'. A long series of zeroes can be replaced once by '::'.
    2^128 ADDRESSES IS VIRTUALLY INFINITE: 2^95 addresses for each of the roughly 6.5 billion (6.5×10^9) people alive today; 2^52 addresses for every observable
    UNICAST, MULTICAST, ANYCAST. NO BROADCAST! A Unicast can be a Global Unicast Address, a Link-Local, a Unique Local Address or an IPv4-mapped address. Anycast cannot be differentiated from a Unicast!
    LINK-LOCAL ADDRESSES: Unicast addresses can be link-local addresses. This is a new concept in IPv6. A link-local address only has local significance on the link where it is configured. A link-local address is mandatory on each IPv6 interface; this is not optional. Prefix: FE80::/10. Link-local addresses are used as next hop in most cases. They are only valid on the link where they are configured and must be completed, in a ping or a configuration command, with an index which represents the outgoing interface or the interface name itself. P2P interfaces can use only a link-local. Global Unicast addresses are not mandatory, link-local addresses are!
    ZONE SCOPED ADDRESS ARCHITECTURE: The concept of Scoped Zones is very important in IPv6. Each zone has its own routing table. There is a zone for each interface Link-Local address. This concept is strongly used for Multicast but not much for Unicast, except for Link-Local. The concept is similar to a VRF.
    UNIQUE LOCAL ADDRESSES: IPv4 Private Addresses were overlapping when two private networks were
    SLAAC, DHCPV6 & AUTOCONFIG: IPv6 has been designed since day 1 with autoconfiguration. This means that nodes don't need manual setup to get all their configuration, including IPv6 addresses, default gateway and more. This can be done with or without the help of a DHCPv6 server, or even with a combination of the IPv6 processes (SLAAC) and DHCPv6!
    IPV6 IS NOT IPV4 BUT ADDRESSING IS SIMILAR TO VLSM: 48 bits GLOBAL ROUTING PREFIX | 16 bits SUBNET | 64 bits INTERFACE ID. The Interface Identifier is either EUI-64, derived from the MAC address, or a random or temporary Interface Identifier.
    SUBNETS: The subnet bits can be used like IPv4 VLSM. Typically, an Enterprise will have 16 bits of subnetting. These 16 bits can be used to match the organisation's needs. For instance 4 bits may be used to identify the site, 4 bits to identify the sub-sites and 8 bits for the subnets.
    3 LOGICAL PARTS OF A GLOBAL UNIQUE ADDRESS: The 128-bit Global Unique Address is split into a Global Prefix (/48, /56 or /60, which is the customer prefix), the subnet bits and the Interface ID.
    GLOBAL ROUTING PREFIX: The Global Routing Prefix is provided by the Service Provider. This is your unique prefix on the IPv6 Internet. It is itself split into many parts: IANA: 0010 as 2000::/3 is reserved by IANA for the Global Unicast Addresses. RIR prefix: each region has some prefixes. LIR prefix for each SP: minimum /32.
    Fred Bovy EIRL - IPv6 For Life! (c) 2012
  • 4. IPV6 ADDRESSES (UTILIZATION)
    UNSPECIFIED: '::', the all-zeros address, is the Unspecified address. It is used during the autoconfiguration process.
    LOOPBACK: IPv4 has 127.0.0.1, IPv6 has ::1. It is used for the same thing as in IPv4.
    LINK-LOCAL ADDRESSES, FE80::/10: 10 bits FE80::/10 | 54 bits of zeroes | 64 bits Interface Identifier. Link-Local addresses are mandatory: there MUST be a Link-Local address on each interface. Example: fe80::345d:542a:fd01:1
    UNIQUE LOCAL ADDRESSES, FC00::/7: Private addresses can be locally or centrally managed and are not routed on the IPv6 Internet. You can request a Unique Local Address from http://www.sixxs.net/tools/grh/ula/
    GLOBAL UNIQUE ADDRESSES, 2000::/3: The block reserved by IANA for public Unicast addresses for the Internet.
    IPV6 MULTICAST ADDRESSES, FF00::/8: 8 bits (all ones) | 4 bits Flags | 4 bits Scope | 112 bits Group Identifier.
    Flags (bit | flag | meaning when 0 | meaning when 1):
      8  | reserved | reserved | reserved
      9  | R | Rendezvous Point not embedded | Rendezvous Point embedded
      10 | P | Without prefix information | Address based on network prefix
      11 | T | Well-known | Transient, dynamically assigned
    Scope (value | name | description):
      0x0 | Reserved
      0x1 | Interface-local | Spans only a single interface on a node, and is useful only for loopback transmission of multicast.
      0x2 | Link-local | Link-local and site-local multicast scopes span the same topological regions as the corresponding unicast scopes.
      0x4 | Admin-local | The smallest scope that must be administratively configured, i.e. not automatically derived from physical connectivity or other, non-multicast-related configuration.
      0x5 | Site-local | Link-local and site-local multicast scopes span the same topological regions as the corresponding unicast scopes.
      0x8 | Organization-local | Intended to span multiple sites belonging to a single organization.
      0xE | Global
      0xF | Reserved
    SOLICITED-NODE, FF02::1:FFxx:xxxx: The solicited-node multicast address is used during MAC address resolution by the Neighbor Discovery Protocol over ICMPv6. The last 24 bits of the Unicast address are appended to the multicast prefix. These addresses are automatically configured.
    Fred Bovy EIRL - IPv6 For Life! (c) 2012
  • 5. IPV6 ADDRESSING CASE STUDY
    /48 IS NOT A RULE: Some companies may receive a larger prefix or multiple /48s. A /48 may not be enough for big companies; some companies may need a /40 for instance.
    MOST COMPANIES HAVE 16 BITS FOR SUBNETTING: 48 bits GLOBAL ROUTING | 16 bits SUBNET | 64 bits INTERFACE ID.
    Each Campus has a Backbone router which advertises a /52. All the Campus routers are interconnected with a meshed or Hub & Spoke network. Each Building has a Distribution router which advertises a /56. Each distribution router located in a building can be connected to a Campus Gateway and eventually to another one as a backup. In each building there can be up to 255 /64 LANs, as P2P connections do not require a Global Unique Address.
    16 Campuses with a /52 each; each Campus can have 16 Buildings; each Building can have 255 Subnets (16 Campuses, 16 Buildings of 255 subnets).
    Example: Internet; Campus 1 2001:db8:e01:1000::/52; Campus 2 2001:db8:e01:2000::/52; Bld 1-1 2001:db8:e01:1100::/56; Bld 1-2 2001:db8:e01:1100::/56; Bld 2-1 2001:db8:e01:2100::/56; Bld 2-2 2001:db8:e01:2200::/56; LAN 1-2-1 2001:db8:e01:1101::/64; LAN 1-2-2 2001:db8:e01:1102::/64.
    [Figure: binary layout of the 16 subnet bits for the first site, sub-site and subnet combinations; the bit columns are not recoverable from the extraction.]
    Fred Bovy EIRL - IPv6 For Life! (c) 2012
  • 6. IPV6 TRANSITION
    MOBILE IPV6: Some operators like T-Mobile have started IPv6-only networks. Facebook, Yahoo, Google and Akamai are on IPv6!
    WIRELESS SENSORS NETWORKS: Many new applications were developed from Mobile IPv6 and permitted the Wireless Sensors Networks.
    IT IS THE FIRST TIME WE HAVE SO MANY TOOLS AND WE TAKE SO MUCH TIME TO UPGRADE A NETWORK PROTOCOL! IPv6 was released with Dual-Stack and Static Tunnels, RFC 1933. It was the first time that a protocol was shipped with transition tools, which permitted the building of the 6BONE as a testbed to help IPv6 development on the 1st IPv6 Internet! The first IPv6 applications were tested thanks to the 6BONE. Its address block was 3FFE::/16. At its peak in mid-2003, over 150 6bone top level
    BEST CHOICE? 6RD is OK for tunneling IPv6 over IPv4. If A+P becomes available, all the SPs will leave DS-Lite.
    TUNNELING IPV6 OVER IPV4: Very soon after came the multipoint automatic tunnels, 6to4. In the meantime Cisco released the 6PE/6VPE protocol to transport IPv6 over MPLS. Later, from 6to4 came 6RD, for IPv6 over IPv4 for a SP (FREE) without MPLS. These are still the best solutions for this need.
    FROM NAT-PT TO NAT64/DNS64: In Y2K NAT-PT was designed, a protocol translator which was doing too much and was too heavy to meet any success. But NAT64/DNS64 was derived from it for IPv6-only customers to access IPv4 resources. It can be stateless for a 1:1 translation, or stateful for a one-to-many translation saving IPv4 addresses.
    CGN AKA LSN SOLUTIONS: The idea was to run NAT on the SP side rather than (DS-Lite) or in addition to (NAT444) the CPE. Many solutions were derived from this idea to share a public IPv4 address among many customers. But it came at the cost of many new problems and limitations! LSN means maintaining a lot of translations and logs.
    STATELESS PROTOCOLS & A+P: There are stateless protocols providing the same benefit as LSN without having to maintain all these states, like dIVI-pd, or a more advanced solution currently based on dIVI-pd and 4RD and some
    SUBSCRIBE - Stay tuned: A+P is still Work in Progress!
    WHAT ABOUT THE ENTERPRISES? Basically, the best way for a large Enterprise to interconnect multiple sites was to rely on a SP 6PE or 6VPE backbone! This has been the best solution for many years. Other solutions were to use 6to4, VERY DANGEROUS and totally unsafe, or to use secured tunnels. An alternative to 6to4 for home users was the TEREDO tunnel, but again, TEREDO is absolutely not secured and is just good enough for home users who must deal with NAT and had no other choice but TEREDO, which passes some NAT devices! Today 6to4 and TEREDO together represent less than 0.01% of the total traffic of the IPv6 Internet, which is negligible. The other choice for a customer is to interconnect many sites, like 5, 10, 20 or 30, but beyond that you risk a lot if you have many site-to-site communications. This secured IPv6-site-over-IPv4 communication is DMVPN, a Cisco solution which uses IPsec for data protection and NHRP to establish site-to-site shortcuts from the hub-and-spoke configuration, with the Next Hop Server (NHS) on the hub. It manages IPsec and establishes a direct tunnel between two nodes any time it is needed. DMVPN is a very helpful solution as you only need to configure just one tunnel, so you only need to configure one NHRP Server address, which is also the NHRP Server regardless of how many sites must be interconnected, with only one IPsec configuration. And that's pretty much it for the enterprises and the end users!
    So for the Enterprise my recommendation would be to use a SP IPv6 Service, as it is more and more widely available in most countries. If the SP has a native backbone it is better, but 6PE, 6VPE or 6RD are OK too in second place, as you will have some restrictions for Multicast: 6PE/6VPE is not supported with multicast.
    Fred Bovy EIRL - IPv6 For Life! (c) 2012
  • 7. BIG PICTURE - INTERNET USE
    [Figure: WORLD INTERNET USAGE AT A GLANCE. IANA (2000::/3) above the RIRs (RIPE-NCC, ARIN, APNIC, other RIRs); ISPs and IXPs below them; RIPE-NCC shown with many prefixes, 2A00::/12...]
    INITIAL ASSIGNMENTS (IANA): RIPE NCC 2001:0000::/29 through 2001:01F8::/29; APNIC 2001:0200::/29 through 2001:03F8::/29.
    MULTIHOMING: Customers who need connections to multiple IXPs need PROVIDER INDEPENDENT ADDRESSES. ISPs need many IPv6 prefixes.
    The RIPE manages Europe and the Middle East.
    IANA & 5 RIRs: The Internet is built from IANA (2000::/3) and 5 Regional Internet Registries. IANA IS THE CENTRAL MANAGEMENT OF THE INTERNET ADDRESSES, AUTONOMOUS SYSTEMS AND MORE. GLOBAL UNICAST ADDRESSES COME FROM 2000::/3.
    RIPE - IPV6 INTERNET GROWTH: IPv6 is an important part of ensuring continued growth and accessibility of your services to the rest of the Internet and emerging markets in particular. As the Internet progressively becomes a dual IPv4/IPv6 network, ensuring that you are IPv6 enabled will be critical for retaining universal Internet connectivity for your clients, users, subscribers, business partners and suppliers. Indeed, as the difficulty and cost of obtaining IPv4 address space increases, it is inevitable that some sites will only support IPv6. Connectivity with such sites (and customers) will require IPv6.
    [Pie chart: share per RIR. AfriNIC 2%, LACNIC 4%; the remaining shares of 21%, 27% and 46% belong to APNIC, ARIN and RIPE NCC, but the labels are not recoverable from the extraction.]
    Fred Bovy EIRL - IPv6 For Life! (c) 2012
  • 8. IANA - http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xml
    WORLD WIDE INTERNET: GLOBALIZATION REQUIRES GLOBAL CONNECTIVITY
    IANA allocated the block 2000::/3 for Global Unicast Addresses, then each RIR has a few prefixes to manage from this block. Other prefixes are also reserved like
    EACH RIR MAINTAINS MULTIPLE PREFIXES:
      ARIN, North America: 2001:1800::/23, more...
      LACNIC, Latin America: 2800:0000::/12, more...
      AfriNIC, Africa: 2001:4200::/23, more...
      RIPE-NCC, Europe & Middle East: 2001:0600::/23, more...
      APNIC, Asia-Pacific: 2001:0200::/23
    NORTH AMERICA: Needs to communicate with India, China, Brazil and other countries where IPv4 addresses are totally depleted.
    LATIN AMERICA: Needs to communicate with India, China, Brazil and other countries where IPv4 addresses are totally depleted.
    AFRICA: Needs to communicate with the rest of the world. There are still IPv4 addresses available in Africa.
    EUROPE & MIDDLE-EAST: RIPE is the most advanced region for IPv6 deployment.
    ASIA-PACIFIC: The need for IPv6 is also important since IPv6 is widely implemented in Asia.
    Fred Bovy EIRL - IPv6 For Life! (c) 2012
  • 9. GO WITH THE FLOW
    KEY DRIVERS TO SWITCH TO IPV6: There are plenty of good reasons to switch to IPv6. The most evident one is to stay connected with the world: as more and more emerging countries and new kinds of devices require a connection to the Internet, only IPv6 will match. AFTER 20 YEARS SLEEPING THE INTERNET IS BACK ON! 340 TRILLIONS ADDRESSES.
    1 AUTO START - AUTOCONFIGURATION: IPv6 devices are designed to be plug and play. All configuration must be automatic.
    2 NEW COUNTRIES AND DEVICES. CONNECTING EMERGING COUNTRIES: We need IPv6 to connect all the emerging countries to the Internet. CONNECTING NEW DEVICES: iPad, tablets, smartphones, game consoles, sensors and many new devices require connectivity.
    3 MOBILITY - ALWAYS CONNECTED: No more need to reconnect every time a node moves to another location. The new applications will be always connected to the Internet. Extension Headers permit the support of many applications at the Network Layer. New applications welcome! Mobile IPv6 is the first application made possible thanks to extension headers. Wireless Sensors Networks are another great application.
    4 OPERATIONS: NO NAT. SECURITY. MULTICAST: voice, conferencing, P2P.
    10 GOOD REASONS: 01 More Addresses; 02 Mobility; 03 Security; 04 Autoconfiguration; 05 Wireless Sensors; 06 Cable Networks; 07 4G/LTE; 08 Peer to Peer; 09 No NAT Required; 10 No NAT = More Sources.
    NO NAT MEANS MORE SOURCES - BETTER MULTICAST: More addresses, and more possible multicast source addresses, is a plus for Multicast applications. Multicast must be able to run the Reverse Path Forwarding algorithm against the Source.
    [Figure: address types by reach: Link-Local and ULA are private, GUA is public, plus Multicast.]
    IPV6 IS MORE SECURITY: The only real security is end-to-end security like IPsec with keys. PRIVACY: The privacy extension allows changing the address every day for a new random one. NO NAT DOES NOT MEAN NO PRIVACY.
    Fred Bovy EIRL - IPv6 For Life! (c) 2012
  • 10. Coming Up! IPv6 Header, Extension Headers, ICMPv6, Neighbor Discovery in depth, Autoconfiguration, ... Stay tuned: http://www.ipv6forlife.com
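Slide 3 describes the Interface Identifier as either EUI-64 (derived from the MAC address) or a random/temporary identifier, and slide 9 notes that the privacy extension exists so the address does not expose the MAC. The following is an added example, not code from the newsletter, that derives both kinds of identifier, builds the link-local and global addresses from them, and checks whether a given address still embeds a MAC. Function names and the MAC 00:1b:63:84:45:e6 are constructed for the example; the U/L-bit handling follows RFC 4291 (EUI-64) and RFC 4941 (temporary addresses).

```python
import ipaddress
import secrets


def eui64_iid(mac):
    """Modified EUI-64: flip the U/L bit of the first octet, insert FF:FE in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02                     # universal/local bit is inverted
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def random_iid():
    """Temporary (privacy) identifier: 64 random bits with the U/L bit cleared."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD                               # clear bit 0x02 so it is not mistaken for EUI-64
    return bytes(iid)


def with_prefix(prefix64, iid):
    """Combine a /64 prefix (as learned from a Router Advertisement) with an 8-byte IID."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def link_local_from_mac(mac):
    """FE80::/64 plus the EUI-64 identifier: the mandatory address on every interface."""
    return with_prefix("fe80::/64", eui64_iid(mac))


def global_from_mac(prefix64, mac):
    """Global unicast address built the SLAAC way from the advertised /64 and the MAC."""
    return with_prefix(prefix64, eui64_iid(mac))


def is_eui64(addr):
    """Defender's check: does this address embed FF:FE, i.e. leak the hardware address?"""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[3:5] == b"\xff\xfe"
```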
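Slide 4 lists the special address blocks, the flags and scope nibbles of a multicast address, and the solicited-node address formed from the last 24 bits of a unicast address. The following is an added example, not part of the newsletter, that classifies an address into the categories the slide names, decodes the flags and scope of a multicast address, and computes the solicited-node address that Neighbor Discovery will listen on. Only the Python standard library is used; the scope names are the ones from the slide's table.

```python
import ipaddress

# Multicast scope values and names as listed on slide 4.
SCOPE_NAMES = {
    0x0: "reserved", 0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
    0x5: "site-local", 0x8: "organization-local", 0xE: "global", 0xF: "reserved",
}


def classify(text):
    """Return the address category from the blocks the slide lists (a '/len' suffix is ignored)."""
    a = ipaddress.IPv6Address(text.split("/")[0])
    if a == ipaddress.IPv6Address("::"):
        return "unspecified"
    if a == ipaddress.IPv6Address("::1"):
        return "loopback"
    if a.ipv4_mapped is not None:                 # ::ffff:a.b.c.d
        return "ipv4-mapped"
    if a in ipaddress.IPv6Network("ff00::/8"):
        return "multicast"
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique-local"
    if a in ipaddress.IPv6Network("2000::/3"):
        return "global-unicast"
    return "reserved"


def decode_multicast(text):
    """Split FF | flags | scope | group-id; flags are the R, P and T bits of the second byte."""
    a = ipaddress.IPv6Address(text)
    if a not in ipaddress.IPv6Network("ff00::/8"):
        raise ValueError("not a multicast address")
    flags, scope = a.packed[1] >> 4, a.packed[1] & 0xF
    return {
        "R_embedded_rp": bool(flags & 0x4),
        "P_prefix_based": bool(flags & 0x2),
        "T_transient": bool(flags & 0x1),
        "scope": scope,
        "scope_name": SCOPE_NAMES.get(scope, "unassigned"),
        "group_id": int.from_bytes(a.packed[2:], "big"),   # the remaining 112 bits
    }


def solicited_node(text):
    """FF02::1:FFxx:xxxx where xx:xxxx are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(text)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))
```

The solicited-node group is what a node joins so that Neighbor Solicitations for its address reach it without a broadcast, which is why a multicast listener table is the place to look when address resolution fails.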
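The campus case study on slide 5 carves a /48 into /52 campuses, /56 buildings and /64 LANs (4 + 4 + 8 subnet bits). The following is an added example, not the newsletter's own material, that computes those prefixes and reverses a /64 back to its campus, building and LAN index, which is handy when reviewing ACLs or route summaries against the plan. The 2001:db8:e01::/48 prefix and the 4/4/8 split are taken from the slide; leaving LAN index 0 unused so that a building has 255 LANs is an assumption of this example.

```python
import ipaddress

# Customer prefix and hierarchy from the case study: /48 -> /52 campus -> /56 building -> /64 LAN.
SITE_PREFIX = ipaddress.IPv6Network("2001:db8:e01::/48")
CAMPUS_BITS, BUILDING_BITS, LAN_BITS = 4, 4, 8


def _carve(campus=0, building=0, lan=0, prefixlen=64):
    """Place the three indexes into the 16 subnet bits that sit above the 64-bit IID."""
    if not (0 <= campus < 2 ** CAMPUS_BITS and 0 <= building < 2 ** BUILDING_BITS
            and 0 <= lan < 2 ** LAN_BITS):
        raise ValueError("index out of range for the 4/4/8 subnet split")
    subnet_id = (campus << (BUILDING_BITS + LAN_BITS)) | (building << LAN_BITS) | lan
    addr = int(SITE_PREFIX.network_address) | (subnet_id << 64)
    return ipaddress.IPv6Network((addr, prefixlen))


def campus_prefix(c):
    """The /52 advertised by the campus backbone router."""
    return _carve(campus=c, prefixlen=48 + CAMPUS_BITS)


def building_prefix(c, b):
    """The /56 advertised by a building's distribution router."""
    return _carve(campus=c, building=b, prefixlen=48 + CAMPUS_BITS + BUILDING_BITS)


def lan_prefix(c, b, l):
    """One /64 LAN inside a building."""
    return _carve(campus=c, building=b, lan=l, prefixlen=64)


def building_lans(c, b):
    """All 255 LAN /64s of a building (index 0 is left unused in this example)."""
    return [lan_prefix(c, b, l) for l in range(1, 2 ** LAN_BITS)]


def locate(net_text):
    """Reverse lookup: (campus, building, lan) of a /64, e.g. when checking an ACL entry."""
    net = ipaddress.IPv6Network(net_text)
    if net.prefixlen != 64 or not net.subnet_of(SITE_PREFIX):
        raise ValueError("not a /64 inside the site prefix")
    subnet_id = (int(net.network_address) >> 64) & 0xFFFF
    return (subnet_id >> (BUILDING_BITS + LAN_BITS),
            (subnet_id >> LAN_BITS) & (2 ** BUILDING_BITS - 1),
            subnet_id & (2 ** LAN_BITS - 1))
```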