
Exploring IPv6


The End of the Internet as we know it today? presented at T-Dose 2011, Eindhoven, NL (6 Nov. 2011)


Transcript of "Exploring IPv6"

  1. Exploring IPv6
     The end of the Internet as we know today?
     Gratien Dhaese, IT3 Consultants, gratien.dhaese@it3.be
  2. Conclusion
     ● The end of the Internet as we know today?
       ● IPv4 address space is getting scarce
       ● IPv4 will still be available for a long time
       ● IPv6 is slowly being deployed
       ● IPv6 will get a boost from this year on
         – Not because we like it, but because we have no choice
         – No need to be afraid of IPv6 (after this talk :)
         – Dual stack with IPv4, or 6to4 tunnels
     2011-11-06 | Gratien Dhaese Exploring IPv6 2
  3. Abbreviations
     ● IPv4/6: Internet Protocol 4/6
     ● ISC: Internet Systems Consortium
     ● IANA: Internet Assigned Numbers Authority
     ● RIR: Regional Internet Number Registries
     ● CIDR: Classless Inter-domain Routing
     ● NAT: Network Address Translation
     ● AS: Autonomous System
  4. IPv6 history
     ● Designed in 1994 [RFC 1752 and many more]
     ● In the nineties, the run-out of IPv4 addresses was expected between 2000 and 2008
     ● The usage of CIDR and NAT slowed down the depletion of IPv4 addresses, but also
       ● The dot com crisis, and
       ● Financial crisis in 2008-2009
     ● The Internet still grows rapidly (mobile devices,...)
  5. The IPv4 host count till today
     [Figure: IPv4 host count (data coming from ISC)]
  6. IPv4 Address Space
     ● 32-bit number => 2^32 (4.294.967.296)
     ● Dotted decimal notation with 4 numbers, e.g. 18.2.45.78
     ● Divided into classes
       ● A Class: 8-bit network (128 * 16,8 million)
       ● B Class: 16-bit network (16.384 * 65.536)
       ● C Class: 24-bit network (2 million * 256)
     ● 70% of A and B Classes are allocated to big companies and incredibly under-used (approx. 3 billion addresses wasted)
  7. IPv4 Depletion rate
     [Figure: IPv4 depletion rate, www.potaroo.net/tools/ipv4/]
  8. IPv6 history
     ● Backbone routers (vendors): took time to become IPv6 ready
       ● Today these limitations are behind us
       ● But, are all ISPs capable of serving IPv6 traffic?
     ● The main Operating Systems (Linux, Mac OS/X and Windows) now support IPv6
     ● IPv6 has been implemented more widely in Europe and Asia than in the USA.
  9. IPv6 enabled ASs in global routing
     [Figure: IPv6 enabled ASs in global routing, http://v6asns.ripe.net/]
  10. Is your ISP IPv6 ready?
      ● Have a look at
        ● http://ripeness.ripe.net/4star/BE.html
        ● http://www.vyncke.org/ipv6status/detailed.php?country=be&type=ISP
      ● Most ISPs will not deliver IPv6 to home consumers before 2012 (or 2013?) ...
      ● Around 48% of ISPs can provide IPv6 addresses
        – See http://ripeness.ripe.net/pies.html
        – Mostly through IPv6-to-IPv4 tunneling
        – One year ago it was only 31%
  11. IPv6 Addressing
      ● 2^128 = 3.4 x 10^38 addresses (128 bits!!) = 340.282.366.920.938.463.463.374.607.431.768.211.456
      ● IPv6 address is divided into
          Network ID (64 bits) | Interface ID (64 bits)
          001 (3 bits) | Global Routing Prefix (45 bits) | Subnet ID (16 bits) | Interface ID (64 bits)
          public topology | site topology | interface identifier
  12. IPv6 Addressing (cont.)
      ● Notation
        ● IPv6 address written as eight groups of four hexadecimal digits
          – 2001:0db9:85a6:07c4:1243:8a81:0301:7351
        ● Leading zeros may be dropped
          – 2001:9a03:0000:12c2:0000:0000:0fa1:0001
          – 2001:9a03:0:12c2:0:0:fa1:1
        ● Up to one double colon substitution is permitted
          – 2001:9a03:0:12c2::fa1:1
          – :: means one or more groups of 16 bits of zeroes
  13. IPv6 Addressing Types
      ● Unicast
        ● Identify one system on the Internet
        ● Globally routable
        ● Highest order bits are 001 (of Network Id)
      ● Multicast
        ● Deliver to an entire group of systems
      ● Anycast
        ● Deliver to any one of a group of systems
        ● Ideal for mobile devices
  14. Addressing Types
      ● Multicast
        ● Assigned: FF00::/8
        ● Solicited node: FF02::1:FF00:0000/104
      ● Anycast
        ● Link Local: FF80::/10
        ● Aggregatable Global: 2001::/16
        ● Unique Local: FC00::/7
      ● Unicast
        ● Unspecified: ::/128
        ● Link Local: FF80::/10
        ● Aggregatable Global: 2001::/16
        ● Unique Local: FC00::/7
        ● IPv4 Compatible: 0:0:0:0:0:0::/96
        ● Loopback: ::1/128
  15. IPv6 Address Types (cont.)
      Address Type         Binary Prefix          Prefix
      unspecified          000...0 (128 bits)     ::/128
      loopback             000...01 (128 bits)    ::1/128
      link-local unicast   1111 1110 10           FE80::/10
      multicast            1111 1111              FF00::/8
      global unicast       All other addresses
  16. Unicast Addresses
      ● Global Unicast addresses are in 2000::/3 block
        ● 2001:5c0:1400:b::9773/128
  17. Anycast Addresses
      ● The same anycast address is assigned to a group of interfaces (nodes)
      ● However, a packet sent to an anycast address is delivered to the nearest one having this address
      ● Assigned from unicast address range
      ● Used in the area of DNS discovery and Universal Plug and Play, but also for multiple name, web and mail servers
  18. Multicast Addresses
      ● In IPv6 multicast replaces IPv4 “broadcast”
          11111111 (8 bits) | flag (4 bits) | scope (4 bits) | Reserved, all zeros (80 bits) | Group ID (32 bits)
      ● Identify a participating group of hosts
      ● Start with 0xFF (8 1-bits)
      ● One flag indicates transient (=1) or permanent (=0 or well-known address assigned)
      ● Must define a scope (global, site, link, node)
      ● Group ID: 1 = all nodes; 2 = all routers; etc
  19. Multicast Scope
      ● A 4-bit field
      ● Likely values are
        ● 1 : Node-local scope (interface)
        ● 2 : Link-local scope (e.g. LAN)
        ● 5 : Site-local (deprecated)
        ● 8 : Organization-local scope
        ● E : Global scope
      ● No broadcast address in IPv6, multicast to “all nodes on the local link” (scope 2; group-ID 1) FF02::1
  20. Well-known multicast group-numbers
      Multicast Address        Meaning
      FF02::1                  All nodes on this link
      FF02::2                  All routers on this link
      FF02::5                  All OSPF routers on this link
      FF02::9                  All RIP routers on this link
      FF02::1:2                All DHCP agents on this link
      FF05::1:3                All DHCP servers on this link
      FF05::101                All NTP servers on this link
      FF02:0:0:0:1:FF::/104    Solicited-node multicast group (combined with the 24 low order bits from the IPv6 address; used to map MAC addresses)
  21. Solicited node multicast addresses (for NDP)
      ● Multicast address built from unicast address
      ● Concatenation of FF02::1:FF00:0/104 and
        ● 24 low order bits of unicast address (interface id)
      ● Nodes build their own IPv6 solicited node multicast address
      ● Nodes can use this technique to find the MAC address of a destination host, e.g.
        ● 2001:001A:003F:1021:0100:0028:003F:0020
        ● FF02:0000:0000:0000:0000:0001:FF00:0000/104
        ● FF02:0000:0000:0000:0000:0001:FF3F:0020
        ● 33-33-FF-3F-00-20 (multicast MAC address)
  22. Neighbor Discovery Protocol
      ● Used to discover other hosts and routers on local network (stateless autoconfiguration)
      ● Makes use of the IPv6 multicast addresses (no ARP anymore)
      ● Uses ICMPv6 messages
        ● Neighbor solicitation
        ● Neighbor advertisement
        ● Router solicitation
        ● Router advertisement
        ● Redirect
  23. Address Autoconfiguration Process
      ● Create a Link Local Address (FE80::/10)
        ● No router or server required
      ● IPv6 address node configuration
        ● Network ID
          – Manual
          – Auto (stateful or stateless)
          – Pre-defined well known prefix (link-local unicast FF80::/10)
        ● Interface ID
          – Manual
          – Auto (stateful or stateless)
  24. Link-Local Address
      ● Each interface has a Link-Local Address based on its MAC Address (IEEE EUI-64 - Extended Unique Identifier)
  25. Stateless Address Autoconfiguration
      ● Routers advertise prefixes that identify the subnet(s) associated with a link
      ● Hosts generate an "interface token" that uniquely identifies an interface on a subnet
        ● Based on EUI-64 MAC address (security?)
        ● Privacy Extensions: echo 1 > /proc/sys/net/ipv6/conf/all/use_tempaddr
      ● An address is formed by combining the two
  26. Router Solicitation (RS)
      ● Host sends a multicast Router solicitation when an interface is enabled
        ● To discover IPv6 routers present on the link
        ● To request an immediate Router advertisement
      ● Sent to All-Router Multicast Address
      ● Source link layer address of sender may be sent as an option
      ● IPv6 address
        ● Source: unspecified (all zeros, ::/128)
        ● Destination: solicited-node multicast
  27. Router Advertisement (RA)
      ● Router multicasts periodically (or on demand) its availability
      ● Router advertisements carry
        ● Lifetime as a default router
        ● Managed flag to inform hosts how to perform Address Autoconfiguration
        ● List of prefixes used for a link
        ● Link-layer address
      ● Advertise an MTU for hosts to use on the link
  28. Radvd daemon
      ● Stateless autoconfiguration with “router advertisement daemon (radvd)”

          # cat /etc/radvd.conf
          interface eth0 {
              AdvSendAdvert on;
              MinRtrAdvInterval 30;
              MaxRtrAdvInterval 100;
              prefix 2001:470:1f09:11b8::/64   # IPv6 address received for tunnel
              {
                  AdvOnLink on;
                  AdvAutonomous on;
                  AdvRouterAddr off;
              };
          };
          # echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
  29. Stateful Address Autoconfiguration
      ● Clients obtain address and other optional parameters from DHCPv6 server
      ● DHCP server maintains the database and controls the address assignment
      ● Clients send DHCP solicit (DHCPv6 multicast address)
      ● Server responds with a DHCPv6 advertisement
  30. Domain Name Server
      ● Using ISC BIND
      ● A system can now have an IPv4 and IPv6 address
        ● sloeber IN A 192.168.0.13
          sloeber IN AAAA 2001:470:1f09:11b8::1
      ● Reverse delegation
        ● 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.1.1.9.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa. IN PTR
        ● $ORIGIN 8.b.1.1.9.0.f.1.0.7.4.0.1.0.0.2.ip6.arpa.
          1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR
  31. DNS/Service Discovery @home
      ● How do I find my local file server?
      ● Multicast DNS (mDNS) = serverless DNS
        ● DNS queries over IP Multicast in a small network where no DNS server is installed
        ● Network prefix can change after modem reboots (no need to update /etc/hosts file!)
        ● mDNS doesn't cross router boundary
      ● Service Discovery
        ● DNS Service Discovery (mDNS/DNS-SD)
        ● Universal Plug and Play (UPnP)
  32. Multicast DNS (mDNS) @home
      (1) mDNS Query to FF02::FB, port 5353, asking for AAAA record for fileserverHome
      (2) mDNS responder on fileserverHome responds to Multicast Group with AAAA record
      ● Implementations
        ● Apple: Bonjour
        ● Linux: Avahi
  33. Transition Mechanisms
      ● Transition mechanisms are needed for IPv6-only hosts to reach IPv4 services.
      ● In the future, IPv4 hosts will also need to be able to reach IPv6 services.
      ● Dual Stack
      ● Tunneling
      ● Translation
  34. Dual Stack
      ● Dual stack host can speak both IPv4 and IPv6
        ● Communicate with IPv4 host by IPv4
        ● Communicate with IPv6 host by IPv6
  35. Tunneling
      ● Through an IPv4 tunnel we can connect two IPv6 networks
      ● Ideal to start experimenting with IPv6 topology
          H1 (IPv6 network) -- R1 == TUNNEL (IPv4 network) == R2 -- H2 (IPv6 network)
      ● Packet-structure with tunneling
          IPv4 header (R1 → R2) | IPv6 header (H1 → H2) | TCP header | Application Data
  36. Tunnel brokers
      ● There are free tunnel brokers available
        ● Require user registration
        ● Request an IPv6 address (128 and 48 prefix)
        ● Perfect to experiment with real IPv6 networking
      ● Hurricane Electronic
        ● http://www.tunnelbroker.net/
      ● SixXS
        ● http://www.sixxs.net/main/
      ● GogoNET Freenet6
        ● http://gogonet.gogo6.com/
  37. Translation
      ● An extension to NAT techniques to translate header formats as well as addresses
      ● Translate IPv6 only host to IPv4 host (vice versa is not trivial)
        ● Protocol translation
        ● Mapping address
      ● Unreliable; try to avoid it
  38. Security: protect yourself
      ● Once you start with IPv6 you must turn on ip6tables
      ● The radvd daemon will automatically configure interfaces on Windows (Vista/Windows 7), Mac OS/X and Linux
      ● Your IPv6 tunnel will open the gate to the IPv6 world
      ● Attacker can send a Router Advertisement and gain access to your internal network (even if you're safe on the IPv4 side)
  39. Security Considerations
      ● MAC addresses are globally unique (?)
      ● SLAAC: Interface ID is derived from MAC address
      ● Users are mobile (home, office, hotel rooms,...)
      ● Network prefixes are changing
      ● Interface ID remains constant over time
      ● User can be identified and tracked
      ● Use Privacy Extensions (if required)
  40. How to become IPv6 ready?
      ● Buy only new equipment that is IPv6 compliant
      ● New software must be IPv6 capable
      ● Make an inventory of all current hard- and software
      ● Educate yourself via books, courses, and set up a lab environment
      ● Replace hard- and software where required
      ● Set up IPv6 DNS servers for public servers
      ● Get connected natively or via tunneling
      ● Use IPv6 for internal/external traffic (dual stack with IPv4)
  41. Do and Don'ts
      Do:
      ● Phased approach
      ● Change requirements for new hardware
      ● Work outside-in; then inside-out
      ● Dual stack; tunnels
      ● Think about possible future renumbering
      Don't:
      ● Don't separate IPv6 features from IPv4
      ● Don't do everything in one go
      ● Don't appoint an IPv6 specialist
      ● Don't buy from vendors unless they support IPv6
  42. Make software IPv6 aware
      ● If you maintain an Open Source project invest time to make it IPv6 aware (if it uses IPv4 today)!
      ● Do what you preach:
        ● Relax and recover (rear) has been IPv6 ready since 1.11.0
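
The address derivations from slides 21, 24-25 and 39, as an added example that is not part of the original slides: it reproduces the solicited-node example from slide 21 and shows why an EUI-64 interface ID lets one interface be recognised across changing prefixes. The MAC address, the 2001:db8 prefix and all function names are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def solicited_node(addr):
    """FF02::1:FF00:0/104 combined with the low 24 bits of a unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def multicast_mac(group):
    """Ethernet multicast MAC: 33-33 followed by the low 32 bits of the group."""
    low32 = (int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF).to_bytes(4, "big")
    return "-".join(f"{b:02X}" for b in b"\x33\x33" + low32)

def eui64_address(prefix, mac):
    """Build a /64 address whose interface ID is derived from the MAC (EUI-64)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    net = ipaddress.IPv6Network(prefix)
    if len(raw) != 6 or net.prefixlen != 64:
        raise ValueError("need a 48-bit MAC and a /64 prefix")
    # Insert FF:FE between the two MAC halves and flip the universal/local bit.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return net[int.from_bytes(iid, "big")]

def embedded_mac(addr):
    """Return the MAC recoverable from an EUI-64 interface ID, else None."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None          # privacy, manual or DHCPv6 interface ID
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in raw)

def group_by_mac(addresses):
    """Group observed addresses by embedded MAC: one key = one trackable interface."""
    seen = defaultdict(list)
    for a in addresses:
        mac = embedded_mac(a)
        if mac:
            seen[mac].append(str(ipaddress.IPv6Address(a)))
    return dict(seen)

# Constructed sample: one laptop (MAC 00:16:3e:12:34:56) seen on three links,
# plus the manually numbered server address from the BIND slide.
MAC = "00:16:3e:12:34:56"
OBSERVED = [str(eui64_address(p, MAC)) for p in
            ("fe80::/64", "2001:470:1f09:11b8::/64", "2001:db8:beef:1::/64")]
OBSERVED.append("2001:470:1f09:11b8::1")

if __name__ == "__main__":
    sn = solicited_node("2001:001A:003F:1021:0100:0028:003F:0020")
    print(sn, multicast_mac(sn))
    print(group_by_mac(OBSERVED))
```

Addresses generated with Privacy Extensions enabled (use_tempaddr) carry no FF:FE marker, so `embedded_mac` returns None for them and they do not group together.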
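
A monitoring-side check for the Router Advertisement risk on slide 38, as an added example that is not part of the original slides: it parses the RA fields listed on slide 27 and flags advertisements whose source router or prefix is not expected on the link. The router address fe80::1, the MAC addresses, the 2001:db8 prefix and the sample packets are constructed; the expected prefix is the one from the radvd.conf slide.

```python
import ipaddress
import struct

def parse_ra(icmp):
    """Parse an ICMPv6 Router Advertisement (type 134) and its options."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime = struct.unpack_from("!BBH", icmp, 4)
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "router_lifetime": lifetime, "lladdr": None, "mtu": None, "prefixes": []}
    pos = 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8  # length in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed or truncated option")
        body = icmp[pos + 2:pos + opt_len]
        if opt_type == 1:                        # source link-layer address
            ra["lladdr"] = body[:6].hex(":")
        elif opt_type == 5:                      # MTU
            ra["mtu"] = struct.unpack_from("!I", body, 2)[0]
        elif opt_type == 3 and opt_len == 32:    # prefix information
            net = ipaddress.IPv6Network((body[14:30], body[0]), strict=False)
            ra["prefixes"].append({"prefix": net, "autonomous": bool(body[1] & 0x40)})
        pos += opt_len
    return ra

def ra_findings(src, ra, routers, prefixes):
    """Compare an observed RA with the routers and prefixes this link should have."""
    findings = []
    if ipaddress.IPv6Address(src) not in routers:
        findings.append(f"RA from unexpected router {src} ({ra['lladdr']})")
    for p in ra["prefixes"]:
        if p["prefix"] not in prefixes:
            findings.append(f"unexpected prefix {p['prefix']}")
    return findings

def sample_ra(prefix, mac):
    """Constructed RA bytes (checksum left at zero) used only as parser input."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    lla = bytes([1, 1]) + bytes.fromhex(mac.replace(":", ""))
    mtu = struct.pack("!BBHI", 5, 1, 0, 1480)
    pio = struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 86400, 14400, 0)
    return hdr + lla + mtu + pio + net.network_address.packed

# Assumed policy for this link: one known router, one known prefix.
ROUTERS = {ipaddress.IPv6Address("fe80::1")}
PREFIXES = {ipaddress.IPv6Network("2001:470:1f09:11b8::/64")}
EXPECTED_RA = sample_ra("2001:470:1f09:11b8::/64", "00:16:3e:aa:bb:cc")
UNEXPECTED_RA = sample_ra("2001:db8:666::/64", "00:16:3e:00:00:99")

if __name__ == "__main__":
    print(ra_findings("fe80::1", parse_ra(EXPECTED_RA), ROUTERS, PREFIXES))
    print(ra_findings("fe80::bad", parse_ra(UNEXPECTED_RA), ROUTERS, PREFIXES))
```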