Introduction to ipv6 v1.3
Presentation Transcript

  • Introduction To IPv6, Draft Version 1.3. Prepared by Karunakant Rai. © Tata Consultancy Services Ltd.
  • Agenda: IPv6 Introduction; BGP4+; Limitation of IPv4; IPv6 Filtering (Access Control Lists); Features of IPv6; IPv6 Firewall; Handling IPv4/IPv6 Co-existence and Transition; Difference between IPv4 and IPv6; IPv6 Support in Operating Systems; Benefits of Deploying IPv6; IPv6 Deployment Analysis; IPv6 Address Syntax and Packet Format; Deployment Issues; Types of IPv6 Addresses; ICMPv6; Path MTU Discovery; Neighbor Discovery Protocol; Tunnelling; DHCPv6; RIPng; OSPFv3.
  • IPv6: an Internet Layer protocol for packet-switched internetworks, designated as the successor of IPv4.
  • Limitations of IPv4
    • Recent exponential growth of the Internet and the impending exhaustion of the IPv4 address space.
    • Need for simpler configuration: most current IPv4 implementations are either manually configured or use a stateful address configuration protocol such as Dynamic Host Configuration Protocol (DHCP).
    • No security at the Internet layer.
    • Need for better support for prioritized and real-time delivery of data.
  • Features of IPv6
    • Simplification of header format: the IPv6 header is much simpler than the IPv4 header and has a fixed length of 40 bytes, which allows faster processing. It accommodates two 16-byte fields for the source and destination addresses and only 8 bytes of general header information.
    • Large address space: IPv6 has 128-bit (16-byte) source and destination addresses.
    • Improved support for options and extensions: IPv4 integrates options in the base header, whereas IPv6 carries options in so-called extension headers, which are inserted only if they are needed. Again, this allows faster processing of packets. The base specification describes a set of six extension headers, including headers for routing, Mobile IPv6, quality of service and security.
    • Efficient and hierarchical addressing and routing infrastructure.
    • Stateless and stateful address configuration.
  • Features of IPv6 (contd.)
    • Better support for prioritized delivery: the Traffic Class field and Flow Label field in the header help support prioritized delivery.
    • New protocol for neighboring node interaction: the Neighbor Discovery protocol replaces and extends the Address Resolution Protocol, ICMPv4 Router Discovery, and ICMPv4 Redirect messages with efficient multicast and unicast Neighbor Discovery messages.
  • Difference between IPv6 and IPv4
    • IPv4: Source and destination addresses are 32 bits (4 bytes) in length. IPv6: Source and destination addresses are 128 bits (16 bytes) in length.
    • IPv4: IPsec header support is optional. IPv6: IPsec header support is required.
    • IPv4: No identification of packet flow for prioritized delivery handling by routers is present within the IPv4 header. IPv6: Packet flow identification for prioritized delivery handling by routers is present within the IPv6 header, using the Flow Label field.
    • IPv4: Fragmentation is performed by the sending host and at routers, slowing router performance. IPv6: Fragmentation is performed only by the sending host.
  • Difference between IPv6 and IPv4 (contd.)
    • IPv4: Has no link-layer packet-size requirements, and must be able to reassemble a 576-byte packet. IPv6: The link layer must support a 1280-byte packet and be able to reassemble a 1500-byte packet.
    • IPv4: Header includes a checksum. IPv6: Header does not include a checksum.
    • IPv4: Header includes options. IPv6: All optional data is moved to IPv6 extension headers.
    • IPv4: ARP uses broadcast ARP Request frames to resolve an IPv4 address to a link-layer address. IPv6: ARP Request frames are replaced with multicast Neighbor Solicitation messages.
  • Difference between IPv6 and IPv4 (contd.)
    • IPv4: Broadcast addresses are used to send traffic to all nodes on a subnet. IPv6: There are no IPv6 broadcast addresses. Instead, a link-local scope all-nodes multicast address is used.
    • IPv4: Must be configured either manually or through DHCP for IPv4. IPv6: Does not require manual configuration or DHCP for IPv6.
  • Benefits of deploying IPv6
    • Solves the address depletion problem.
    • Solves the disjoint address space problem.
    • Solves the international address allocation problem.
    • Restores end-to-end communication.
    • Uses scoped addresses and address selection.
    • Has more efficient forwarding.
    • Has support for security and mobility.
  • IPv6 Address Syntax An IPv6 address has 128 bits, or 16 bytes. The address is divided into eight 16-bithexadecimal blocks separated by colons. For example:2001:DB8:0000:0000:0202:B3FF:FE1E:8329To make life easier, some abbreviations are possible. For instance, leading zeros in a 16- bit block can be skipped. The example address now looks like this:2001:DB8:0:0:202:B3FF:FE1E:8329A double colon can replace consecutive zeros or leading or trailing zeros within the address. If we apply this rule, our address looks as follows:2001:DB8::202:B3FF:FE1E:8329.More than one double-colon abbreviation in an address is invalidSo the IPv6 address 2001:DB8:0000:0056:0000:ABCD:EF12:1234 can be represented in the following ways (note the two possible positions for the double colon):2001:DB8:0000:0056:0000:ABCD:EF12:12342001:DB8:0:56:0:ABCD:EF12:12342001:DB8::56:0:ABCD:EF12:12342001:DB8:0:56::ABCD:EF12:1234 11
  • IPv6 Address Syntax (contd.)
    • IPv6 address in binary form: 00100000000000010000110110111000000000000000000000101111001110110000001010101010000000001111111111111110001010001001110001011010
    • Divided along 16-bit boundaries: 0010000000000001 0000110110111000 0000000000000000 0010111100111011 0000001010101010 0000000011111111 1111111000101000 1001110001011010
    • Each 16-bit block is converted to hexadecimal and delimited by colons: 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
    • Suppress leading zeros within each block: 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
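As an added example (not from the original deck), the abbreviation rules of the two slides above implemented in Python: any written form is expanded back to eight 16-bit blocks, a second "::" is rejected, and the binary, full and compressed forms are produced. Compression follows RFC 5952 (lowercase, only a run of two or more zero blocks becomes "::", the longest run wins), which is also what Python's ipaddress module emits, so the result is cross-checked against it.

```python
import ipaddress
import re

HEX_BLOCK = re.compile(r"[0-9A-Fa-f]{1,4}")


def expand_ipv6(text: str) -> list[int]:
    """Expand an IPv6 address string into its eight 16-bit blocks.

    Rules applied: leading zeros in a block may be omitted, one '::' may
    stand for one or more all-zero blocks, and a second '::' is invalid.
    Raises ValueError for anything that is not a well-formed address.
    """
    if text.count("::") > 1:
        raise ValueError("more than one '::' abbreviation is invalid")
    if "::" in text:
        head, tail = text.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        parts = head_blocks + ["0"] * missing + tail_blocks
    else:
        parts = text.split(":")
    if len(parts) != 8:
        raise ValueError(f"expected 8 blocks, got {len(parts)}")
    blocks = []
    for part in parts:
        # Strict hex check: int(part, 16) alone would accept '0x..', signs and spaces.
        if not HEX_BLOCK.fullmatch(part):
            raise ValueError(f"bad 16-bit block {part!r}")
        blocks.append(int(part, 16))
    return blocks


def full_form(blocks: list[int]) -> str:
    """Eight 4-digit hexadecimal blocks, no abbreviation (e.g. 2001:0DB8:...)."""
    return ":".join(f"{b:04X}" for b in blocks)


def binary_form(blocks: list[int]) -> str:
    """The 128-bit pattern, divided along 16-bit boundaries by spaces."""
    return " ".join(f"{b:016b}" for b in blocks)


def compress_ipv6(blocks: list[int]) -> str:
    """RFC 5952 text form: strip leading zeros, replace the longest run of
    at least two zero blocks with '::' (the first such run wins ties)."""
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{b:x}" for b in blocks]
    if best_len < 2:  # a single zero block is written as '0', never as '::'
        return ":".join(hexs)
    head = ":".join(hexs[:best_start])
    tail = ":".join(hexs[best_start + best_len:])
    return f"{head}::{tail}"


def canonical(text: str) -> str:
    """Parse any written form and return the RFC 5952 canonical form."""
    return compress_ipv6(expand_ipv6(text))


def is_valid_ipv6(text: str) -> bool:
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def agrees_with_stdlib(text: str) -> bool:
    """Cross-check: our canonical form equals what ipaddress produces."""
    return canonical(text) == str(ipaddress.IPv6Address(text))


if __name__ == "__main__":
    for form in ("2001:DB8:0000:0000:0202:B3FF:FE1E:8329",
                 "2001:DB8:0:0:202:B3FF:FE1E:8329",
                 "2001:DB8::202:B3FF:FE1E:8329"):
        print(f"{form:40} -> {canonical(form)}  stdlib agrees: {agrees_with_stdlib(form)}")
    print(binary_form(expand_ipv6("2001:DB8:0:2F3B:2AA:FF:FE28:9C5A")))
```

Note that all four spellings of 2001:DB8:0000:0056:0000:ABCD:EF12:1234 on the slide parse to the same address, but the canonical output keeps both single zero blocks written out, since RFC 5952 does not allow "::" for a lone zero block.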
  • Prefix Representation. A prefix is represented just as in CIDR: the prefix length is attached to the address. Like the IPv4 address 198.10.0.0/16, an IPv6 prefix is written the same way: 2001:db8:12::/40.
  • IPv6 Packet Format (figure)
  • IPv4 & IPv6 header comparison (figure)
  • Packet Description
    • Version: version 6 (4-bit IP version).
    • Traffic class: packet priority (8 bits). Priority values subdivide into ranges: traffic where the source provides congestion control, and non-congestion-control traffic.
    • Flow label: QoS management (20 bits), for real-time applications.
    • Payload length: payload length in bytes (16 bits).
    • Next header: specifies the next encapsulated protocol.
    • Hop limit: replaces the time-to-live field of IPv4 (8 bits).
    • Source and destination addresses: 128 bits each.
  • Comparison between IPv4 and IPv6 packet header (figure)
  • Types of IPv6 addresses
    • Unicast: a unicast address uniquely identifies an interface of an IPv6 node. A packet sent to a unicast address is delivered to the interface identified by that address.
    • Multicast: a multicast address identifies a group of IPv6 interfaces. A packet sent to a multicast address is processed by all members of the multicast group.
    • Anycast: an anycast address is assigned to multiple interfaces (usually on multiple nodes). A packet sent to an anycast address is delivered to only one of these interfaces, usually the nearest one.
    • No more broadcast addresses.
  • Unicast IPv6 Addresses
    • Global unicast addresses
    • Link-local addresses
    • Site-local addresses
    • Unique local addresses
    • Special addresses
  • Global Unicast Addresses: equivalent to public IPv4 addresses; globally routable and reachable; scope is the entire IPv6 Internet.
  • Link-local Unicast Addresses. Link-local addresses are used for:
    • Mandatory address for communication between two IPv6 devices (like ARP, but at Layer 3).
    • Automatically assigned by the router as soon as IPv6 is enabled.
    • Also used for next-hop calculation in routing protocols.
    • Only link-specific scope.
    • The remaining 54 bits could be zero or any manually configured value.
  • Site-local Unicast Addresses
    • Do not have a global scope and can be reused. Scope is the site.
    • Used between nodes communicating with other nodes in the same organization.
    • Not automatically configured; must be assigned either through stateless or stateful address autoconfiguration.
    • Specially used for two purposes: the replacement of ARP, and DAD.
  • Unique Local Addresses
    • Provide a private addressing alternative to global addresses for intranet traffic.
    • Address is unique across all the sites of the organization.
    • Used for local communications and inter-site VPNs.
    • Not routable on the Internet.
  • Special IPv6 Addresses
    • Unspecified address: the unspecified address (0:0:0:0:0:0:0:0 or ::) is used only to indicate the absence of an address. Used as a source address when a unique address has not yet been determined. Never assigned to an interface or used as a destination address. Equivalent to the IPv4 unspecified address 0.0.0.0.
    • Loopback address: the loopback address (0:0:0:0:0:0:0:1 or ::1) is assigned to a loopback interface, enabling a node to send packets to itself. Equivalent to the IPv4 loopback address 127.0.0.1. Packets addressed to the loopback address must never be sent on a link or forwarded by an IPv6 router.
  • Multicast IPv6 Addresses: cannot be used as source addresses or as intermediate destinations in a Routing extension header.
  • Multicast IPv6 Addresses (contd.)
    • Flags: the first low-order bit is the Transient (T) flag: 0 -> permanent address, 1 -> temporary address. The second low-order bit is the Prefix (P) flag, which indicates whether the multicast address is based on a unicast address prefix. The third low-order bit is the Rendezvous Point Address (R) flag, which indicates whether the multicast address contains an embedded rendezvous point address.
    • Scope: indicates the scope of the IPv6 network for which the multicast traffic is intended to be delivered. Examples: 2 -> link-local scope, 5 -> site-local scope, E -> global scope.
  • Solicited-Node Address
    • Facilitates the efficient querying of network nodes during link-layer address resolution.
    • IPv6 uses the Neighbor Solicitation message to perform link-layer address resolution, which uses the solicited-node multicast address.
    • The solicited-node multicast address is constructed from the prefix FF02::1:FF00:0/104 and the last 24 bits (6 hexadecimal digits) of a unicast IPv6 address.
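An added Python example (not part of the deck) that applies the address taxonomy of the preceding slides: it classifies an address by the prefixes named above (::, ::1, FF00::/8, FE80::/10, FEC0::/10, FC00::/7, everything else global unicast), decodes the T/P/R flag bits and the scope nibble of a multicast address, and derives the solicited-node address FF02::1:FFxx:xxxx from a unicast address. The scope values other than 2, 5 and E are taken from RFC 4291 and are an addition to what the slide lists.

```python
import ipaddress

# Scope nibble values (RFC 4291). The deck names 2, 5 and E; the others are added here.
MULTICAST_SCOPES = {
    0x1: "interface-local",
    0x2: "link-local",
    0x4: "admin-local",
    0x5: "site-local",
    0x8: "organization-local",
    0xE: "global",
}

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))  # FF02::1:FF00:0/104


def classify(text: str) -> str:
    """Name the address type using the prefixes from the slides above."""
    n = int(ipaddress.IPv6Address(text))
    if n == 0:
        return "unspecified"
    if n == 1:
        return "loopback"
    if n >> 120 == 0xFF:                  # FF00::/8
        return "multicast"
    if n >> 118 == 0b1111111010:          # FE80::/10
        return "link-local"
    if n >> 118 == 0b1111111011:          # FEC0::/10 (site-local; deprecated by RFC 3879)
        return "site-local"
    if n >> 121 == 0b1111110:             # FC00::/7
        return "unique-local"
    return "global-unicast"


def decode_multicast(text: str) -> dict:
    """Split a multicast address into its flag bits and scope.

    The second byte of the address holds a 4-bit flags field (0 R P T, with T
    as the low-order bit) followed by the 4-bit scope field.
    """
    n = int(ipaddress.IPv6Address(text))
    if n >> 120 != 0xFF:
        raise ValueError(f"{text} is not a multicast address")
    flags = (n >> 116) & 0xF
    scope = (n >> 112) & 0xF
    return {
        "transient": bool(flags & 0x1),      # T: 0 permanent, 1 temporary
        "prefix_based": bool(flags & 0x2),   # P: derived from a unicast prefix
        "embedded_rp": bool(flags & 0x4),    # R: embedded rendezvous point address
        "scope": MULTICAST_SCOPES.get(scope, f"unassigned(0x{scope:X})"),
    }


def solicited_node(unicast: str) -> str:
    """FF02::1:FF00:0/104 with the low 24 bits of the unicast address appended."""
    if classify(unicast) == "multicast":
        raise ValueError("solicited-node addresses are derived from unicast addresses")
    n = int(ipaddress.IPv6Address(unicast))
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | (n & 0xFFFFFF)))


def may_be_source(text: str) -> bool:
    """Multicast addresses are never valid packet source addresses (slide above)."""
    return classify(text) != "multicast"


if __name__ == "__main__":
    for a in ("::", "::1", "fe80::1", "fec0::1", "fd12:3456::1", "2001:db8::1", "ff02::1"):
        print(f"{a:16} {classify(a)}")
    print(solicited_node("2001:db8::2aa:ff:fe28:9c5a"))   # ff02::1:ff28:9c5a
    print(decode_multicast("ff05::1:3"))                  # All_DHCP_Servers: site-local, permanent
```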
  • Anycast Address Assignment
    • Routers along the path to the destination just process the packets based on the network prefix.
    • Routers configured to respond to anycast packets will do so when they receive a packet sent to the anycast address.
    • Anycast allows a source node to transmit IP datagrams to a single destination node out of a group of destination nodes with the same subnet ID, based on the routing metrics.
  • Type prefixes for IPv6 addresses (figure)
  • IPv6 Address hierarchy (figure)
  • Hierarchical Addressing and Aggregation (figure)
  • ICMPv6
    • ICMPv6, while similar in strategy to ICMPv4, has changes that make it more suitable for IPv6. ICMPv6 has absorbed some protocols that were independent in version 4.
    • One of the fundamental differences between IPv6 ND and its IPv4 counterpart suite of protocols (ARP, IPCP, and so on) is the positioning in the IP protocol stack. Although IPv4 same-link-related protocols are split between ARP/RARP, right above the link layer, and ICMP, running above IP, IPv6 ND is implemented entirely within ICMPv6.
  • Comparison of network layers in version 4 and version 6 (figure)
  • Path MTU Discovery (PMTUD) for IPv6. Fragmentation in IPv6 is not performed by intermediary routers. The source node may fragment packets by itself only when the path MTU is smaller than the packets to deliver.
  • Example of PMTUD for IPv6 used by a source node (figure).
  • Example of PMTUD for IPv6 used by a source node (contd.). First, the source node that sends the first IPv6 packet to a destination node uses 1500 bytes as the MTU value (1). Then, the intermediary Router A replies to the source node using an ICMPv6 message Type 2, Packet Too Big, and specifies 1400 bytes as the lower MTU value in the ICMPv6 packet (2). The source node then sends the packet again but uses 1400 bytes as the MTU value; the packet passes through Router A (3). However, further along the path, intermediary Router B replies to the source node using an ICMPv6 message Type 2 and specifies 1300 bytes as the MTU value (4). Finally, the source node resends the packet using 1300 bytes as the MTU value. The packet passes through both intermediary routers and is delivered to the destination node (5). The session is now established between the source and destination nodes, and all packets sent between them use 1300 bytes as the MTU value (6).
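The exchange above as an added simulation in Python (not from the deck): routers are modelled by the MTU of their outgoing link, the source sends at its current estimate, and every Packet Too Big lowers the estimate until a packet gets through. The `claimed_mtu` field and the 1280-byte floor are additions: they model a hop whose Packet Too Big quotes a value below the IPv6 minimum link MTU, which a receiver should clamp rather than honour (RFC 8201).

```python
from dataclasses import dataclass

IPV6_MIN_LINK_MTU = 1280  # every IPv6 link must carry a 1280-byte packet (slide above; RFC 8200)


@dataclass
class Router:
    """One hop on the path. link_mtu is what the outgoing link really carries;
    claimed_mtu (0 = same as link_mtu) is the value written into Packet Too Big,
    so a buggy hop that advertises a bogus value can be modelled."""
    name: str
    link_mtu: int
    claimed_mtu: int = 0

    def forward(self, packet_size: int):
        """None if the packet fits the link, else an ICMPv6 Packet Too Big (type 2)."""
        if packet_size <= self.link_mtu:
            return None
        return {"icmpv6_type": 2, "code": 0, "mtu": self.claimed_mtu or self.link_mtu, "from": self.name}


def discover_path_mtu(path, initial_mtu=1500, max_rounds=16):
    """Source-node side of PMTUD. Sends at the current estimate, lowers it to the
    MTU carried in each Packet Too Big, and stops once a packet is delivered.
    Returns (path_mtu, trace) where trace lists every send and reply."""
    mtu = initial_mtu
    trace = []
    for _ in range(max_rounds):
        trace.append(("send", mtu))
        ptb = None
        for router in path:
            ptb = router.forward(mtu)
            if ptb:
                break
        if ptb is None:
            trace.append(("delivered", mtu))
            return mtu, trace
        advertised = ptb["mtu"]
        if advertised < IPV6_MIN_LINK_MTU:
            # Defender's check: a Packet Too Big quoting less than 1280 is malformed.
            # RFC 8201 says never lower the estimate below 1280 (send 1280-byte packets
            # with a Fragment header instead), so the bogus value is clamped.
            trace.append(("ptb_below_minimum", ptb["from"], advertised))
            advertised = IPV6_MIN_LINK_MTU
        else:
            trace.append(("ptb", ptb["from"], advertised))
        if advertised >= mtu:
            # The reply does not lower the estimate, so resending would loop forever.
            raise RuntimeError(f"no progress after Packet Too Big from {ptb['from']}")
        mtu = advertised
    raise RuntimeError("PMTUD did not converge")


def converges(path) -> bool:
    try:
        discover_path_mtu(path)
        return True
    except RuntimeError:
        return False


if __name__ == "__main__":
    # The deck's scenario: Router A's link carries 1400 bytes, Router B's 1300.
    final, steps = discover_path_mtu([Router("A", 1400), Router("B", 1300)])
    for step in steps:
        print(step)
    print("path MTU:", final)
```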
  • Neighbor Discovery (ND). Protocol built on top of ICMPv6 (RFC 2463). The Neighbor Discovery Protocol (ND) is a protocol in the Internet Protocol Suite used with Internet Protocol Version 6 (IPv6). It operates at the Network Layer of the Internet model and is responsible for address autoconfiguration of nodes, discovery of other nodes on the link, determining the link-layer addresses of other nodes, duplicate address detection, finding available routers and Domain Name System (DNS) servers, address prefix discovery, and maintaining reachability information about the paths to other active neighbor nodes. It is a combination of IPv4 protocols (ARP, ICMP, IGMP, ...).
  • IPv6 nodes use Neighbor Discovery for the following purposes:
    • Router discovery: hosts can locate routers residing on attached links.
    • Prefix discovery: hosts can discover address prefixes that are on-link for attached links.
    • Parameter discovery: hosts can find link parameters (e.g., MTU).
    • Address autoconfiguration: stateless configuration of addresses of network interfaces.
    • Address resolution: mapping between IP addresses and link-layer addresses.
    • Next-hop determination: hosts can find next-hop routers for a destination.
    • Neighbor unreachability detection (NUD): determine that a neighbor is no longer reachable on the link.
    • Duplicate address detection (DAD): nodes can check whether an address is already in use.
    • Redirect: a router can inform a node about better first-hop routers.
  • ICMPv6 Messages Defined for NDP: Router Solicitation, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement, Redirect.
  • Router Solicitation (RS)
    • When an interface becomes enabled, hosts may send out Router Solicitations that request routers to generate Router Advertisements immediately rather than at their next scheduled time.
    • RS is ICMPv6 Type 133 and Code 0.
    • The source address of the IPv6 packet encapsulating the RS can be one of two: 1. the IPv6 address of the originating interface; 2. the unspecified address ::/0 (all zeros) if the host interface has not yet been assigned an IPv6 address.
    • The destination address is the All-Routers multicast address, FF02::2.
    • The Options field can carry the link-layer address of the RS originating interface. If the source IPv6 address is sent as unspecified, then the link-layer address is not included in the Options field.
  • Router Advertisement (RA)
    • Routers advertise their presence together with various link and Internet parameters, either periodically or in response to a Router Solicitation message.
    • RA is ICMPv6 Type 134 and Code 0.
    • The source address of the IPv6 packet encapsulating the RA is always the IPv6 link-local address of the interface.
    • The destination address can be either the link-local address of the host which sent an RS requesting an RA, or the All-Nodes multicast address FF02::1 for RAs generated periodically by the router.
    • Unsolicited RAs are generated periodically by the router to make its presence known on the link. The period between transmissions of RAs can be set between 4 and 1800 seconds, and the default is 600 seconds. The minimum period between advertisements of RAs is 200 seconds by default.
  • Neighbor Solicitation (NS)
    • Sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address. Neighbor Solicitations are also used for Duplicate Address Detection.
    • NS is ICMPv6 Type 135 and Code 0.
    • The source address of the IPv6 packet encapsulating the NS can be one of two: 1. the IPv6 address of the originating interface; 2. the unspecified address ::/0 (all zeros) if the NS is sent for Duplicate Address Detection.
    • The destination address of the NS can be one of two: 1. the Solicited-Node multicast address corresponding to the target address; 2. the target address itself. Note: the target address is the IPv6 address of the target of the solicitation and is never a multicast address.
    • The Options field of the NS can contain the link-layer address of the interface originating the NS.
  • Neighbor Advertisement (NA)
    • A response to a Neighbor Solicitation message. A node may also send unsolicited Neighbor Advertisements to announce a link-layer address change.
    • NA is ICMPv6 Type 136 and Code 0.
    • The source address of the IPv6 packet encapsulating the NA is always the IPv6 address of the originating interface.
    • The destination address can be one of two: 1. the source address of the packet containing the NS for which the NA is being sent in response; 2. the All-Nodes multicast address FF02::1.
    • Flags: R, the Router flag, is set when the originator of the NA is a router. S, the Solicited flag, is set when the NA is being sent in response to an NS. O, the Override flag, is set to indicate that the information in this NA should override any existing neighbor cache entry and update the link-layer address; when the O bit is cleared the NA will not override the existing neighbor cache entry.
  • Neighbor Advertisement (NA) (contd.)
    • Target Address: the address to which the NA is directed, so it is the source address of the NS to which the NA is being sent as a response. If the NA is being sent as an unsolicited NA (that is, not in response to any NS), then the target address is the originator's address. An unsolicited NA is sent only to advertise a change: if the node has changed its link-layer address, an unsolicited NA is sent to advertise it, and therefore lists its own address as the target address.
    • The Options field of the NA can contain the target link-layer address, the link-layer address of the NA's originating interface.
  • Redirect
    • Used by routers to inform hosts of a better first hop for a destination.
    • Redirect is ICMPv6 Type 137 and Code 0.
    • The source address of the IPv6 packet encapsulating the Redirect message is always the link-local IPv6 address of the interface which originated the Redirect.
    • The destination address is always the source address of the packet which triggered the Redirect.
    • The Target Address of the Redirect is usually the link-local address of another router on the same link.
    • The Destination Address field in the Redirect message contains the IPv6 address of the destination that will be redirected to the target address.
    • The Options field contains the link-layer address of the target. Options are Type/Length/Value (TLV) triplets: an 8-bit Type which specifies the kind of information carried, an 8-bit Length which specifies the length in units of 8 octets of the value field, and a variable-length Value field.
    • The Redirect message can contain a maximum of 1280 bytes.
  • Router Advertisement Flow (figure)
  • Address Resolution. The Neighbor Solicitation and Neighbor Advertisement packets are used to perform several critical node operations: link-layer address resolution, duplicate address detection (DAD), and neighbor unreachability detection (NUD).
  • Address-Resolution Flow (figure)
  • Differences between IPv6 ND and its IPv4 counterpart suite of protocols. One of the fundamental differences between IPv6 ND and its IPv4 counterpart suite of protocols (ARP, IPCP, and so on) is the positioning in the IP protocol stack. Although IPv4 same-link-related protocols are split between ARP/RARP, right above the link layer, and ICMP, running above IP, IPv6 ND is implemented entirely within ICMPv6.
  • IPv6 and DNS
    • Hostname to IP address. IPv4: A record, e.g. www.abc.test. A 192.168.30.1. IPv6: AAAA record, e.g. www.abc.test AAAA 3FFE:B00:C18:1::2.
    • IP address to hostname. IPv4: PTR record, e.g. 1.30.168.192.in-addr.arpa. PTR www.abc.test. IPv6: PTR record, e.g. 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.0.0.b.0.e.f.f.3.ip6.arpa PTR www.abc.test.
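An added Python example (not from the deck) that builds the reverse-DNS owner names shown on the slide: the in-addr.arpa name for an IPv4 address, and the ip6.arpa name from the 32 nibbles of the unabbreviated IPv6 address in reverse order. It goes slightly beyond the slide by also parsing an ip6.arpa name back into an address (rejecting malformed ones) and naming the reverse zone for a delegated prefix such as 2001:db8::/32.

```python
import ipaddress

HEX_DIGITS = set("0123456789abcdef")


def in_addr_arpa_name(ipv4: str) -> str:
    """IPv4 reverse owner name: the four octets reversed, under in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ipv4)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ip6_arpa_name(ipv6: str) -> str:
    """IPv6 reverse owner name: all 32 nibbles of the full (unabbreviated)
    address, one per label, in reverse order, under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(ipv6).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ip6_arpa_zone_for_prefix(prefix: str) -> str:
    """Reverse zone name for a delegated prefix, e.g. 2001:db8::/32.
    Only prefix lengths that are a multiple of 4 fall on a nibble boundary."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 to map onto whole labels")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ip6_arpa_to_address(name: str) -> str:
    """Inverse of ip6_arpa_name: validate the 32-label form and rebuild the address."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not a name under ip6.arpa")
    nibbles = labels[:-2]
    if len(nibbles) != 32 or any(len(x) != 1 or x not in HEX_DIGITS for x in nibbles):
        raise ValueError("expected exactly 32 single hex-digit labels")
    return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))


if __name__ == "__main__":
    print(in_addr_arpa_name("192.168.30.1"))
    name = ip6_arpa_name("3FFE:B00:C18:1::2")
    print(name)
    print(ip6_arpa_to_address(name))
    print(ip6_arpa_zone_for_prefix("2001:db8::/32"))
```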
  • DHCPv6. Dynamic Host Configuration Protocol (DHCP) has been updated to support IPv6. DHCPv6 can provide stateful autoconfiguration to IPv6 hosts. DHCPv6 handles the addressing architecture and new features of the IPv6 protocol as follows:
    • It enables more control over nodes than stateless autoconfiguration.
    • It can be used concurrently on networks where stateless autoconfiguration is available.
    • It can provide IPv6 addresses to hosts in the absence of routers on a network.
    • It can be used to delegate /48 or /64 prefixes to Customer Premises Equipment (CPE) routers such as a home gateway.
    • DHCPv6 addressing: All_DHCP_Agents ff02::1:2; All_DHCP_Servers ff05::1:3.
  • IPv6 auto-configuration. IP configuration in IPv6 is carried out by IPv6 auto-configuration.
    • Stateless: nodes configure addresses themselves with information from routers (if available); no managed addresses.
    • Stateful: nodes use DHCPv6 to obtain addresses.
    • Duplicate address detection (DAD) is used to avoid duplicated addresses.
  • DHCPv6 Basic Message Format. Fields, laid out over a 32-bit ruler: Msg-type | Transaction-id | Options (variable). Message types: SOLICIT, ADVERTISE, REQUEST, CONFIRM, RENEW, REBIND, REPLY, RELEASE, DECLINE, RECONFIGURE, INFORMATION-REQUEST, RELAY-FORW, RELAY-REPL.
  • DHCPv6 Message Types
    • SOLICIT (1): a client sends a Solicit message to locate servers.
    • ADVERTISE (2): a server sends an Advertise message to indicate that it is available for DHCP service, in response to a Solicit message received from a client.
    • REQUEST (3): a client sends a Request message to request configuration parameters, including IP addresses, from a specific server.
    • REPLY (4): a server sends a Reply message containing assigned addresses and configuration parameters in response to a Solicit, Request, Renew or Rebind message received from a client.
    • RENEW (5): a client sends a Renew message to the server that originally provided the client's addresses and configuration parameters, to extend the lifetimes on the addresses assigned to the client.
    • REBIND (6): a client sends a Rebind message to any available server to extend the lifetimes on the addresses assigned to the client.
  • DHCPv6 to DHCPv4 Message Comparison (figure)
  • DHCP Messages. Messages are exchanged using UDP: client port udp/546, server port udp/547. The client uses its link-local address, or addresses determined using other methods, to transmit and receive DHCP messages. The server receives messages from clients using a reserved, link-scoped multicast address.
  • DHCP Multicast Addresses
    • All_DHCP_Relay_Agents_and_Servers: link-scoped multicast address used by a client to communicate with on-link relay agents and servers: FF02::1:2.
    • All_DHCP_Servers: site-scoped multicast address used by a relay agent to communicate with servers: FF05::1:3.
  • DHCPv6 option format and base options. Fields, laid out over a 32-bit ruler: Option-code | Option-length | Option data (option-len octets). Base options: Client Identifier,  Server Identifier, Identity Association for Non-temporary Addresses, Identity Association for Temporary Addresses, IA Address, Option Request, Preference, Elapsed Time, Relay Message, Authentication, Server Unicast, Status Code, Rapid Commit, User Class, Vendor Class, Vendor-specific Information, Interface-Id, Reconfigure Message, Reconfigure Accept.
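An added Python example (not from the deck) of the message and option formats described above: a 1-byte msg-type, a 3-byte transaction-id, then a list of options each with a 2-byte option-code and 2-byte option-len. The message-type and option-code numbers are the RFC 3315 values (in the RFC, CONFIRM is 4 and REPLY is 7); the sample SOLICIT, its MAC address and transaction-id are constructed. The parser checks every option-len against the bytes actually present, which is the check a receiver needs so that a truncated or oversized length cannot make it read past the datagram.

```python
import struct

# Message types (RFC 3315 section 5.3).
MSG_TYPES = {
    1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW",
    6: "REBIND", 7: "REPLY", 8: "RELEASE", 9: "DECLINE", 10: "RECONFIGURE",
    11: "INFORMATION-REQUEST", 12: "RELAY-FORW", 13: "RELAY-REPL",
}
# Option codes for some of the base options named on the slide (RFC 3315 section 24.3).
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_ORO, OPT_ELAPSED_TIME, OPT_RAPID_COMMIT = 1, 2, 3, 6, 8, 14
OPT_DNS_SERVERS = 23  # RFC 3646; used here only as something for the client to ask for

HEADER = struct.Struct("!B3s")        # msg-type (8 bits) + transaction-id (24 bits)
OPTION_HEADER = struct.Struct("!HH")  # option-code, option-len (16 bits each)


def build_message(msg_type: int, transaction_id: int, options: list) -> bytes:
    """Serialize a DHCPv6 message from (option-code, data) pairs."""
    if msg_type not in MSG_TYPES:
        raise ValueError(f"unknown message type {msg_type}")
    if not 0 <= transaction_id < (1 << 24):
        raise ValueError("transaction-id is a 24-bit field")
    out = bytearray(HEADER.pack(msg_type, transaction_id.to_bytes(3, "big")))
    for code, data in options:
        if len(data) > 0xFFFF:
            raise ValueError(f"option {code} too long")
        out += OPTION_HEADER.pack(code, len(data)) + data
    return bytes(out)


def parse_message(buf: bytes):
    """Parse the fixed header and the TLV option list.

    Returns (msg_type, transaction_id, [(option_code, data), ...]).
    Every option-len is checked against the remaining bytes, so a truncated
    or oversized length is rejected instead of being read past the end.
    """
    if len(buf) < HEADER.size:
        raise ValueError("truncated DHCPv6 header")
    msg_type, xid_bytes = HEADER.unpack_from(buf, 0)
    if msg_type not in MSG_TYPES:
        raise ValueError(f"unknown message type {msg_type}")
    options = []
    offset = HEADER.size
    while offset < len(buf):
        if len(buf) - offset < OPTION_HEADER.size:
            raise ValueError(f"truncated option header at offset {offset}")
        code, length = OPTION_HEADER.unpack_from(buf, offset)
        offset += OPTION_HEADER.size
        if offset + length > len(buf):
            raise ValueError(f"option {code} claims {length} bytes but only {len(buf) - offset} remain")
        options.append((code, buf[offset:offset + length]))
        offset += length
    return msg_type, int.from_bytes(xid_bytes, "big"), options


def duid_ll(mac: bytes) -> bytes:
    """DUID-LL (DUID type 3) over an Ethernet (hardware type 1) address."""
    return struct.pack("!HH", 3, 1) + mac


def is_well_formed(buf: bytes) -> bool:
    try:
        parse_message(buf)
        return True
    except ValueError:
        return False


# Constructed sample: a SOLICIT as a client would send it to FF02::1:2, udp/547.
SAMPLE_SOLICIT = build_message(1, 0xABCDEF, [
    (OPT_CLIENTID, duid_ll(bytes.fromhex("021122334455"))),  # constructed MAC address
    (OPT_ORO, struct.pack("!H", OPT_DNS_SERVERS)),
    (OPT_ELAPSED_TIME, struct.pack("!H", 0)),
    (OPT_RAPID_COMMIT, b""),
])

if __name__ == "__main__":
    msg_type, xid, opts = parse_message(SAMPLE_SOLICIT)
    print(MSG_TYPES[msg_type], hex(xid), [(code, data.hex()) for code, data in opts])
    print("truncated copy well formed:", is_well_formed(SAMPLE_SOLICIT[:-3]))
```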
  • DHCP Unique Identifier (DUID). Each DHCP client and server has a DUID. DHCP servers use DUIDs to identify clients for the selection of configuration parameters and in client Identity Associations.
    • Unique across all clients and servers.
    • Should not change over time (if possible).
    • Must be < 128 octets long.
  • Identity Association. An identity association (IA) is a construct through which a server and client can identify, group, and manage a set of related IP addresses.
    • The client must associate at least one distinct IA with each network interface requesting assignment of IP addresses from a DHCP server (identified by an IAID).
    • Must be associated with exactly one interface.
    • Must be consistent across restarts by the client.
  • DHCPv6 working (figure: message flow between a DHCP client and DHCP servers A and B). The client sends SOLICIT; servers A and B each reply with ADVERTISE; the client selects one advertisement and sends REQUEST to server B; server B sends REPLY; the client now uses the address and parameters for their lifetime; the client renews the lifetime with RENEW to server B, answered by REPLY; the client releases the address with RELEASE when shutting down.
  • DHCPv6 Client-Server Message Exchange (figure)
  • DHCPv6 operation
    • The client sends messages to a link-local multicast address; the server unicasts its response to the client.
    • Information-Request / Reply: provide client configuration information but no addresses.
    • Confirm / Reply: assist in determining whether the client moved.
    • Reconfigure: allows servers to initiate a client reconfiguration.
    • Basic client/server authentication capabilities in the base standard.
    • DHCP Unique Identifier (DUID) used to identify clients and servers.
    • Identity Association ID (IAID) used to identify a collection of addresses.
    • Relay agents are used when the server is not on-link; relay agents may be chained.
  • DHCPv6 Installation (Linux). DHCPv6 server:
    • Update with dhcpv6-0.10-11_FC3.i386.rpm using: # rpm -U dhcpv6-0.10-11_FC3.i386.rpm
    • Create a database directory: # mkdir /var/db/dhcpv6
    • Copy the sample server configuration file: # cp dhcp6s.conf /etc/dhcp6s.conf
    • Start the server daemon using: # dhcp6s -dDf eth0
  • DHCPv6 Installation (Linux) (contd.). DHCPv6 client:
    • Update with dhcpv6_client-0.10-11_FC3.i386.rpm using: # rpm -U dhcpv6_client-0.10-11_FC3.i386.rpm
    • Copy the sample client configuration file: # cp dhcp6c.conf /etc/dhcp6c.conf
    • Start the client daemon using: # dhcp6c -dDf eth0
  • DHCPv6 Configuration. In Fedora Core 3 the following files are configured. Server configuration: /etc/sysconfig/dhcp6s and /etc/dhcp6s.conf. File /etc/sysconfig/dhcp6s specifies the interface for dhcp6s:
      DHCP6SIF=eth0
  • DHCPv6 Server configuration. File /etc/dhcp6s.conf:
      interface eth0 {
          server-preference 255;
          renew-time 60;
          rebind-time 90;
          prefer-life-time 130;
          valid-life-time 200;
          allow rapid-commit;
          link BBB {
              pool {
                  range 2001:0E30:1402:2::4 to 2001:0E30:1402:2::ffff/64;
                  prefix 2001:0E30:1402::/48;
              };
          };
      };
  • DHCPv6 Client configuration. In Fedora Core 3 the following files are configured. Client configuration: /etc/sysconfig/network-scripts/ifcfg-eth0 and /etc/dhcp6c.conf. File /etc/sysconfig/network-scripts/ifcfg-eth0:
      IPV6INIT=yes
      DHCP6C=yes
    File /etc/dhcp6c.conf:
      interface eth0 {
          #information-only;
          send rapid-commit;
          #request prefix-delegation;
          #request temp-address;
          address { 2001:0E30:1402:1:9656:3:4:56/64; };
      };
  • Testing DHCPv6
    • Start the server daemon in debug mode in the foreground: # dhcp6s -dDf eth0
    • Restart the network service of the client: # service network restart
    • See the address assignment: # ifconfig
  • RIPngRouting Information Protocol next generation (RIPng) is the counterpart of RIPv2, but for IPv6. As defined in RFC 2080, RIPng for IPv6, RIPng has most of the same capabilities of RIPv2  Distance vector—RIPng is a distance vector protocol based on the Bellman- Ford algorithm.  Radius of operation—Like RIP, RIPng is limited to a radius of 15 hops.  UDP-based protocol—RIPng uses UDP datagrams to send and receive routing information.  Broadcast information—Periodic broadcasts can be sent using multicast addresses to reduce traffic on nodes that are not listening to RIP messages. 70
  • Updates Added in RIPng Destination prefix—Destination prefixes are based on 128-bit instead of 32-bit (as in IPv4). Next-hop address—Next-hop addresses are based on 128-bit instead of 32-bit (as in IPv4). Transport—RIPng messages are sent over IPv6 packets. UDP port number—The standard UDP port number for IPv6 is 521 instead of 520, as in IPv4.This UDP port sends and receives routing information between RIPng routers. Link-local address—RIPng updates are sent to adjacent RIPng routers using the link-local address FE80::/10 as the source address. Multicast address—The standard multicast address used with RIPng is FF02::9, instead of 224.0.0.9 in IPv4. The FF02::9 represents the all-RIP-routers multicast address on the link-local scope. 71
  • OSPFv3The OSPFv3 specification is mainly based on OSPFv2, but with some enhancements. Adding IPv6 support in the OSPFv2 protocol required important rewrites of the code to remove the IPv4 dependencies, such as the multicast IPv4 addresses 224.0.0.5 and 224.0.0.6, which are not useful in IPv6. After having been updated to support IPv6, OSPFv3 can distribute IPv6 prefixes and run natively over IPv6. Both OSPFv2 and OSPFv3 can be used concurrently, because each address family has a separate SPF. 72
  • OSPFv3 has some similarities to OSPFv2 OSPFv3 uses the same basic packet types as OSPFv2 such as hello, DBD (also called DDP database description packets), LSR (link-state request), LSU (link-state update), and LSA (linkstate advertisement). Mechanisms for neighbor discovery and adjacency formation are identical. Operations of OSPFv3 over the RFC-compliant nonbroadcast multiaccess (NBMA) and point-to-multipoint topology modes are supported. LSA flooding and aging are the same for both OSPFv2 and OSPFv3. 73
  • Differences between OSPFv3 and OSPFv2 OSPFv3 runs over a link—The network statement in the router subcommand mode of OSPFv2 is replaced by an OSPFv3 command to apply to the interface configuration. It is possible to have multiple instances per link. Router ID—This 32-bit number indicates that the router is not IPv6-specific. The router ID number is still based on 32-bit. This router ID identifies the OSPFv3 router. As for BGP4+, when no IPv4 address is configured, a router ID must be set. Link ID—This 32-bit number indicates that the links are not IPv6-specific. The link ID number is still based on 32-bit. Link-local address—OSPFv3 uses IPv6s link-local addresses to identify the OSPFv3 adjacency neighbors. New LSA types—The Link-LSA and Intra-Area-Prefix-LSA types are added in OSPFv3: Link-LSA (LSA type 0x0008)—There is one Link-LSA per link. This new type provides the routers link-local address and lists all IPv6 prefixes attached to the link. 74
  • Differences between OSPFv3 and OSPFv2 (contd) Intra-Area-Prefix-LSA (LSA type 0x2009)—There are multiple LSAs with different link-state IDs. The area flooding scope can be an associated prefix with the transit network referencing a Network-LSA, or it can be an associated prefix with a router or a stub referencing a Router-LSA. Transport—OSPFv3 messages are sent over IPv6 datagrams, allowing the configuration across IPv6-over-IPv4 tunnels. Multicast address—Two standard multicast addresses are used with OSPFv3:  FF02::5—Represents all SPF routers on the link-local scope. This multicast address is equivalent to 224.0.0.5 in OSPFv2.  FF02::6—Represents all Designated Router (DR) routers on the link-local scope. This multicast address is equivalent to 224.0.0.6 in OSPFv2. Security—OSPFv3 uses Authentication Headers (IPSec AH) and Encapsulating Security Payload (IPSec ESP) extension headers as an authentication mechanism instead of the variety of authentication schemes and procedures defined in OSPFv2. 75
  • OSPF for IPv6 Packet Header 76
  • Fields of the OSPF header Version (1 byte)  OSPF for IPv6 uses version number 3. Type (1 byte)  Defines the type of OSPF messages. Packet length (2 bytes)  This is the length of the OSPF protocol packet in bytes, including the OSPF header. Router ID (4 bytes)  The Router ID of the router originating this packet. Each router must have a unique Router ID, a 32-bit number normally represented in dotted decimal notation.The Router ID must be unique within the entire AS. 77
• Fields of the OSPF header (contd)
   Area ID (4 bytes): identifies the area to which this OSPF packet belongs.
   Checksum (2 bytes): OSPF for IPv6 uses the standard checksum for IPv6 upper-layer protocols: the 16-bit one's complement of the one's complement sum over the IPv6 pseudo-header and the entire OSPF packet, with the checksum field itself set to 0 while the sum is computed.
   Instance ID (1 byte): identifies the OSPF instance to which this packet belongs. The Instance ID is an 8-bit number assigned per interface; the default is 0. It allows multiple OSPF instances to run on a single link. If the receiving router has no instance with that ID on the interface, it discards the packet. For example, routers A, B, C and D share link n; A and B belong to one AS, C and D to another. To keep their OSPF exchanges apart, A and B use a different Instance ID from C and D, so neither pair accepts the other's packets. In OSPF for IPv4 this separation was commonly achieved with the Authentication field, which no longer exists in OSPF for IPv6. Note that the Instance ID is only a demultiplexing key, not a security control: any node on the link can send packets with any Instance ID.
  78
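The header described on these two slides, as an added worked example (editor-supplied Python, not code from the deck or from any router vendor): it assembles a constructed OSPFv3 Hello, parses the header fields, recomputes the pseudo-header checksum and applies the receive-side checks a router performs, including Instance ID demultiplexing and the rule that packets on a normal (non-virtual) link must come from a link-local source. The addresses, Router ID and Hello body are constructed sample values. Nothing here authenticates the packet; that is what OSPFv3 delegates to IPsec.

```python
import struct
from ipaddress import IPv4Address, IPv6Address

OSPF_NEXT_HEADER = 89            # IPv6 Next Header value for OSPF
OSPFV3_VERSION = 3
HDR_LEN = 16
# version, type, packet length, router id, area id, checksum, instance id, reserved
HDR_FMT = "!BBHIIHBB"
PACKET_TYPES = {1: "Hello", 2: "Database Description", 3: "Link State Request",
                4: "Link State Update", 5: "Link State Acknowledgment"}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, upper_len: int) -> bytes:
    """IPv6 upper-layer pseudo-header: source, destination, upper-layer length, zeros, next header."""
    return (IPv6Address(src).packed + IPv6Address(dst).packed
            + struct.pack("!I", upper_len) + b"\x00\x00\x00" + bytes([OSPF_NEXT_HEADER]))


def ospfv3_checksum(src: str, dst: str, packet: bytes) -> int:
    """Checksum over pseudo-header + OSPF packet, with the checksum field zeroed for the computation."""
    zeroed = packet[:12] + b"\x00\x00" + packet[14:]
    return (~ones_complement_sum(pseudo_header(src, dst, len(packet)) + zeroed)) & 0xFFFF


def build_packet(ptype: int, router_id: int, area_id: int, instance_id: int,
                 body: bytes, src: str, dst: str) -> bytes:
    """Assemble an OSPFv3 packet (header + body) with a valid checksum."""
    hdr = struct.pack(HDR_FMT, OSPFV3_VERSION, ptype, HDR_LEN + len(body),
                      router_id, area_id, 0, instance_id, 0)
    packet = hdr + body
    return packet[:12] + struct.pack("!H", ospfv3_checksum(src, dst, packet)) + packet[14:]


def parse_header(packet: bytes) -> dict:
    if len(packet) < HDR_LEN:
        raise ValueError("packet shorter than the OSPFv3 header")
    version, ptype, length, rid, aid, csum, inst, _reserved = struct.unpack(HDR_FMT, packet[:HDR_LEN])
    return {"version": version, "type": ptype, "type_name": PACKET_TYPES.get(ptype, "unknown"),
            "length": length, "router_id": str(IPv4Address(rid)), "area_id": str(IPv4Address(aid)),
            "checksum": csum, "instance_id": inst}


def validate(packet: bytes, src: str, dst: str, expected_instance: int, virtual_link: bool = False):
    """Receive-side header checks. Returns (accepted, reason)."""
    try:
        hdr = parse_header(packet)
    except ValueError as exc:
        return False, str(exc)
    if hdr["version"] != OSPFV3_VERSION:
        return False, f"bad version {hdr['version']}"
    if hdr["type"] not in PACKET_TYPES:
        return False, f"unknown packet type {hdr['type']}"
    if hdr["length"] < HDR_LEN or hdr["length"] > len(packet):
        return False, "length field inconsistent with packet"
    if not virtual_link and not IPv6Address(src).is_link_local:
        return False, "source is not link-local"
    if ospfv3_checksum(src, dst, packet[:hdr["length"]]) != hdr["checksum"]:
        return False, "checksum mismatch"
    if hdr["instance_id"] != expected_instance:
        return False, f"instance id {hdr['instance_id']} is not configured on this interface"
    return True, "ok"


# Constructed sample: a Hello from router 10.0.0.1 in area 0, instance 0, sent to AllSPFRouters.
# Hello body: interface id, priority, 3 option bytes (R, E, V6 bits), hello/dead intervals, DR, BDR.
SAMPLE_SRC, SAMPLE_DST = "fe80::1", "ff02::5"
SAMPLE_HELLO_BODY = struct.pack("!IB3sHHII", 1, 1, b"\x00\x00\x13", 10, 40, 0, 0)
SAMPLE_PACKET = build_packet(1, 0x0A000001, 0, 0, SAMPLE_HELLO_BODY, SAMPLE_SRC, SAMPLE_DST)

if __name__ == "__main__":
    print(parse_header(SAMPLE_PACKET))
    print(validate(SAMPLE_PACKET, SAMPLE_SRC, SAMPLE_DST, expected_instance=0))
    print(validate(SAMPLE_PACKET, SAMPLE_SRC, SAMPLE_DST, expected_instance=1))
```

Running it prints the parsed header, an accepted result for instance 0 and a rejection for instance 1. The checksum identity (the one's complement sum over pseudo-header plus the transmitted packet equals 0xFFFF) is what a capture-analysis tool would use to spot corrupted or hand-crafted OSPFv3 packets.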
• Two renamed LSAs
  1. Interarea prefix LSAs for area border routers (ABRs) (type 3)
      Type 3 LSAs advertise internal networks to routers in other areas (interarea routes).
      A type 3 LSA may represent a single network or a set of networks summarized into one advertisement.
      Only ABRs generate summary LSAs.
      In OSPF for IPv6, addresses in these LSAs are expressed as prefix and prefix length instead of address and mask.
      The default route is expressed as a prefix with length 0.
  2. Interarea router LSAs for ASBRs (type 4)
      Type 4 LSAs advertise the location of an ASBR.
      Routers trying to reach an external network use these advertisements to determine the best path to the next hop.
      ASBRs generate type 4 LSAs.
  79
• Two new LSAs
  1. Link LSAs (type 8)
      Carry information that is only significant to directly connected neighbors.
      Type 8 LSAs have link-local flooding scope and are never flooded beyond the link they are associated with.
      Link LSAs provide the link-local address of the router to all other routers attached to the link.
      Link LSAs also tell the other routers on the link which IPv6 prefixes to associate with the link, and let the router assert a set of option bits to associate with the Network LSA that will be originated for the link.
  2. Intra-area prefix LSAs (type 9)
      Carry prefixes for a referenced Link State ID.
      In OSPFv2, prefixes are carried inside Router and Network LSAs, so any prefix change forces an SPF recalculation. In OSPFv3 prefixes live in this separate LSA, which does not affect the SPF tree, so a prefix change does not trigger an SPF recalculation.
      This makes OSPFv3 more scalable for large networks with many frequently changing prefixes.
  80
• OSPF areas and their routing updates 81
• BGP Multiprotocol Extension for IPv6 (BGP4+)
  BGP-4 carries only three pieces of information that are truly IPv4-specific:
   The NLRI (feasible and withdrawn) in the UPDATE message contains an IPv4 prefix.
   The NEXT_HOP path attribute in the UPDATE message contains an IPv4 address.
   The BGP Identifier, in the OPEN message and in the AGGREGATOR attribute.
  To make BGP-4 usable for other network layer protocols, multiprotocol NLRI and its next-hop information must be added. RFC 2858 extends BGP to support multiple network layer protocols; IPv6 is one of them, and its use is spelled out in a separate document (RFC 2545).
  82
  • Changes in BGP for IPv6 support To accommodate the new requirement for multiprotocol support, BGP-4 adds two new attributes to advertise and withdraw multiprotocol NLRI. The BGP Identifier stays unchanged. BGP-4 routers with IPv6 extensions therefore still need a local IPv4 address. To establish a BGP connection exchanging IPv6 prefixes, the peering routers need to advertise the optional parameter BGP capability to indicate IPv6 support. BGP connections and route selection remain unchanged. Each implementer needs to extend the RIB to accommodate IPv6 routes. Policies need to take IPv6 NLRI and next hop information into consideration for route selection. An UPDATE message advertising only IPv6 NLRI sets the unfeasible route length field to 0 and carries no IPv4 NLRI. All advertised or withdrawn IPv6 routes are carried within the MP_REACH_NLRI and MP_UNREACH_NLRI. The UPDATE must carry the path attributes ORIGIN and AS_PATH; in IBGP connections it must also carry LOCAL_PREF. The NEXT_HOP attribute should not be carried. If the UPDATE message contains the NEXT_HOP attribute, the receiving peer must ignore it. All other attributes can be carried and are recognized. 83
• Changes in BGP for IPv6 support (contd)
   An UPDATE message can advertise both IPv6 NLRI and IPv4 NLRI that share the same path attributes. In this case all fields can be used, but for the IPv6 NLRI the NEXT_HOP attribute is ignored. IPv4 and IPv6 NLRI are kept separate in the corresponding RIBs.
   MP_REACH_NLRI path attribute: this optional non-transitive attribute carries feasible IPv6 NLRI to a peer together with the IPv6 next-hop address. The NLRI and the next hop are delivered in one attribute.
   MP_UNREACH_NLRI path attribute: this optional non-transitive attribute lets the sending peer withdraw multiple IPv6 routes that are no longer valid.
  84
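To make the two attributes concrete, here is an added Python encoder/decoder for MP_REACH_NLRI (type 14) and MP_UNREACH_NLRI (type 15) carrying IPv6 unicast (AFI 2, SAFI 1) as described on the last two slides. It is editor-supplied example code, not part of the deck or of any BGP implementation; the prefixes and next hops are constructed documentation-range values. The parser enforces the optional non-transitive flags and rejects truncated or over-long NLRI, the kind of malformed UPDATE a peer could use to crash a careless decoder.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

AFI_IPV6, SAFI_UNICAST = 2, 1
MP_REACH_NLRI, MP_UNREACH_NLRI = 14, 15
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_EXT_LEN = 0x80, 0x40, 0x10


def encode_prefix(net: IPv6Network) -> bytes:
    """NLRI encoding: one length byte (in bits) followed by just enough bytes to hold the prefix."""
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def decode_prefixes(data: bytes) -> list:
    """Decode a run of NLRI entries, rejecting truncated or malformed ones."""
    prefixes, i = [], 0
    while i < len(data):
        plen = data[i]
        if plen > 128:
            raise ValueError(f"prefix length {plen} exceeds 128")
        nbytes = (plen + 7) // 8
        raw = data[i + 1:i + 1 + nbytes]
        if len(raw) != nbytes:
            raise ValueError("truncated NLRI")
        addr = IPv6Address(raw.ljust(16, b"\x00"))
        prefixes.append(IPv6Network((addr, plen)))   # strict: host bits set raises ValueError
        i += 1 + nbytes
    return prefixes


def wrap_attribute(type_code: int, body: bytes) -> bytes:
    """Path attribute framing: flags (optional, non-transitive), type code, 1- or 2-byte length, value."""
    if len(body) > 255:
        return bytes([FLAG_OPTIONAL | FLAG_EXT_LEN, type_code]) + struct.pack("!H", len(body)) + body
    return bytes([FLAG_OPTIONAL, type_code, len(body)]) + body


def mp_reach_nlri(next_hop: str, prefixes, link_local_next_hop=None) -> bytes:
    """MP_REACH_NLRI for AFI 2/SAFI 1: next hop (16 bytes, or 32 with a link-local), reserved byte, NLRI."""
    nh = IPv6Address(next_hop).packed
    if link_local_next_hop is not None:
        nh += IPv6Address(link_local_next_hop).packed
    nlri = b"".join(encode_prefix(IPv6Network(p)) for p in prefixes)
    body = struct.pack("!HBB", AFI_IPV6, SAFI_UNICAST, len(nh)) + nh + b"\x00" + nlri
    return wrap_attribute(MP_REACH_NLRI, body)


def mp_unreach_nlri(prefixes) -> bytes:
    """MP_UNREACH_NLRI: AFI, SAFI, then the withdrawn prefixes."""
    nlri = b"".join(encode_prefix(IPv6Network(p)) for p in prefixes)
    return wrap_attribute(MP_UNREACH_NLRI, struct.pack("!HB", AFI_IPV6, SAFI_UNICAST) + nlri)


def parse_attribute(data: bytes):
    """Parse one MP_REACH_NLRI / MP_UNREACH_NLRI attribute; returns (dict, bytes consumed)."""
    if len(data) < 3:
        raise ValueError("attribute too short")
    flags, code = data[0], data[1]
    if flags & FLAG_EXT_LEN:
        if len(data) < 4:
            raise ValueError("attribute too short for extended length")
        length, start = struct.unpack("!H", data[2:4])[0], 4
    else:
        length, start = data[2], 3
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("attribute length exceeds available bytes")
    if not (flags & FLAG_OPTIONAL) or (flags & FLAG_TRANSITIVE):
        raise ValueError("MP_REACH/MP_UNREACH must be optional non-transitive")
    if code == MP_REACH_NLRI:
        if len(body) < 5:
            raise ValueError("MP_REACH_NLRI body too short")
        afi, safi, nh_len = struct.unpack("!HBB", body[:4])
        if (afi, safi) != (AFI_IPV6, SAFI_UNICAST) or nh_len not in (16, 32) or len(body) < 5 + nh_len:
            raise ValueError("unsupported AFI/SAFI or bad next hop length")
        nh = body[4:4 + nh_len]
        result = {"type": "MP_REACH_NLRI",
                  "next_hop": str(IPv6Address(nh[:16])),
                  "link_local_next_hop": str(IPv6Address(nh[16:])) if nh_len == 32 else None,
                  "nlri": decode_prefixes(body[5 + nh_len:])}      # skip the reserved byte
    elif code == MP_UNREACH_NLRI:
        if len(body) < 3 or struct.unpack("!HB", body[:3]) != (AFI_IPV6, SAFI_UNICAST):
            raise ValueError("unsupported AFI/SAFI")
        result = {"type": "MP_UNREACH_NLRI", "withdrawn": decode_prefixes(body[3:])}
    else:
        raise ValueError(f"not a multiprotocol attribute: type {code}")
    return result, start + length


def is_well_formed(data: bytes) -> bool:
    try:
        parse_attribute(data)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    attr = mp_reach_nlri("2001:db8::1", ["2001:db8:1::/48", "2001:db8:2::/64"], "fe80::1")
    print(attr.hex(), parse_attribute(attr))
    print(parse_attribute(mp_unreach_nlri(["2001:db8:1::/48"])))
```

The 32-byte next hop form (global plus link-local) is what a peer on a shared link sends; with a non-adjacent peer only the 16-byte global next hop is present, and the decoder accepts both.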
  • Establishing a BGP connection 85
• IPv6 Filtering (Access Control Lists)
  IPv6 Standard Access Control Lists
   IPv6 access lists (ACLs) are used to filter traffic and restrict access to the router.
   IPv6 prefix lists are used to filter routing protocol updates.
   An IPv6 standard ACL (permit/deny) matches on:
     IPv6 source/destination addresses
     IPv6 prefix lists
     Inbound and outbound interfaces
  86
• IPv6 Extended ACL
   Adds support for filtering on IPv6 extension headers and upper-layer (transport) information.
   Only named access lists are supported for IPv6.
   IPv6 and IPv4 ACL functionality in common:
     Implicit deny any any as the final rule in each ACL.
     A reference to an empty ACL permits any any.
     ACLs are never applied to traffic the router itself originates.
  87
• IPv6 ACL Implicit Rules
  Implicit permit rules enable neighbor discovery. The following implicit rules exist at the end of each IPv6 ACL so that ICMPv6 neighbor discovery keeps working:
     permit icmp any any nd-na
     permit icmp any any nd-ns
     deny ipv6 any any
  An explicit deny ipv6 any any entry written into the ACL sits before these rules, shadows them and breaks neighbor discovery on the interface. Router solicitation and advertisement (needed for SLAAC) are not covered by the implicit rules and must be permitted explicitly where required.
  88
  • IPv6 firewall Handling 89
• IPv6 architecture and firewall requirements
   No need for NAT: the same level of security and privacy is possible with IPv6 as with IPv4.
   Even better: end-to-end security with IPsec.
   IPv6 does not require end-to-end connectivity, but it provides end-to-end addressability; the firewall still decides what is reachable.
   Support for IPv4/IPv6 transition and coexistence mechanisms.
   Support for IPv6 header chaining (extension headers).
   IPv6-capable firewalls now exist: Cisco ACL/PIX, iptables (ip6tables for IPv6), ipfw, Juniper NetScreen.
  90
• IPv6 firewall setup
   The firewall must pass neighbor discovery (NS/NA, ICMPv6 types 135 and 136).
   The firewall should support filtering of dynamic routing protocol traffic (for example OSPFv3 to FF02::5 and FF02::6).
   The firewall must pass RS/RA (ICMPv6 types 133 and 134) if Stateless Address Autoconfiguration (SLAAC) is used.
   The firewall must pass MLD messages (ICMPv6 types 130 to 132 for MLDv1, 143 for MLDv2 reports) if multicast is required.
  91
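An added example (editor-supplied Python, not code from the deck or from IOS) that models the evaluation order described on the ACL slides above and the firewall requirements on this slide: explicit entries first, then the implicit nd-na and nd-ns permits, then the implicit deny; an empty ACL permits everything and self-originated traffic is never filtered. The packets and ACLs are constructed; the helper required_icmpv6_entries and its link-local source restriction are design choices of this example, not IOS behaviour.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple

ICMPV6, TCP, UDP = 58, 6, 17
# ICMPv6 message types the slides say a firewall must let through
ND_TYPES = {135: "nd-ns", 136: "nd-na"}
SLAAC_TYPES = {133: "router-solicitation", 134: "router-advertisement"}
MLD_TYPES = {130: "mld-query", 131: "mld-report", 132: "mld-done", 143: "mldv2-report"}


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    icmp_type: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Entry:
    """One ACL entry. None means 'any' for that field."""
    action: str                      # "permit" or "deny"
    src: str = "::/0"
    dst: str = "::/0"
    proto: Optional[int] = None
    icmp_type: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (IPv6Address(p.src) in IPv6Network(self.src)
                and IPv6Address(p.dst) in IPv6Network(self.dst)
                and (self.proto is None or self.proto == p.proto)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type)
                and (self.dport is None or self.dport == p.dport))


# The implicit tail of every IOS IPv6 ACL as listed on the slide: nd-na, nd-ns, then deny ipv6 any any.
IMPLICIT_TAIL = [Entry("permit", proto=ICMPV6, icmp_type=136),
                 Entry("permit", proto=ICMPV6, icmp_type=135),
                 Entry("deny")]


def evaluate(acl: List[Entry], p: Packet, self_originated: bool = False) -> Tuple[str, str]:
    """First-match evaluation with the implicit rules appended. Returns (action, which rule matched)."""
    if self_originated:
        return "permit", "self-originated traffic is never filtered"
    if not acl:
        return "permit", "empty ACL permits any any"
    for i, e in enumerate(acl + IMPLICIT_TAIL):
        if e.matches(p):
            return e.action, (f"entry {i}" if i < len(acl) else "implicit rule")
    return "deny", "unreachable"      # the implicit deny always matches


def required_icmpv6_entries(slaac: bool, multicast: bool) -> List[Entry]:
    """Explicit permits the implicit rules do not cover. Sources are restricted to link-local
    because RS/RA and MLD are link-scoped messages (a design choice of this example)."""
    types = list(SLAAC_TYPES) if slaac else []
    if multicast:
        types += list(MLD_TYPES)
    return [Entry("permit", src="fe80::/10", proto=ICMPV6, icmp_type=t) for t in types]


# Constructed sample traffic
NS = Packet("fe80::1", "ff02::1:ff00:80", ICMPV6, icmp_type=135)
RA = Packet("fe80::1", "ff02::1", ICMPV6, icmp_type=134)
HTTPS = Packet("2001:db8::10", "2001:db8::80", TCP, dport=443)
SSH = Packet("2001:db8::10", "2001:db8::80", TCP, dport=22)

ACL_GOOD = [Entry("permit", dst="2001:db8::80/128", proto=TCP, dport=443)]
ACL_BAD = ACL_GOOD + [Entry("deny")]          # the explicit deny shadows the implicit ND permits

if __name__ == "__main__":
    variants = (("good", ACL_GOOD), ("bad", ACL_BAD),
                ("good+slaac", ACL_GOOD + required_icmpv6_entries(slaac=True, multicast=False)))
    for name, acl in variants:
        for p in (HTTPS, SSH, NS, RA):
            print(name, p.proto, p.icmp_type if p.icmp_type is not None else p.dport, evaluate(acl, p))
```

The "bad" ACL is the common mistake: the author adds a final deny for readability and neighbor discovery stops working on that interface; the "good+slaac" variant shows that router advertisements still need their own permit, and that an RA from a non-link-local source is dropped.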
• IPv6 Firewall Filter Rules
  When you run a dual-stack network, you have two security concepts: one for the IPv4 world and another for the IPv6 world. The two do not have to match; each has to be designed according to the requirements of its protocol. Your firewalls may support both protocols with two separate filter sets (one per protocol), or you may run two boxes, one firewalling the IPv4 network and the other the IPv6 network.
  92
• Security provisions and firewall filters that should be considered
   Ingress filtering at the perimeter firewall for internally used addresses (a packet arriving from outside with an internal source address is spoofed).
   Filter unneeded services at the perimeter firewall.
   Deploy host-based firewalls for defense in depth.
   Critical systems should have static, non-obvious (randomly generated) IPv6 addresses.
   Consider static neighbor entries for critical systems instead of letting them participate in ND.
   Hosts for Mobile IPv6 operations should be separate systems, so that they can be protected by separate rules.
   Ensure that end nodes do not forward packets carrying Routing extension headers.
   Layer 3 firewalls should never forward link-local scope multicast packets (ff02::/16).
   Firewalls should support filtering based on source and destination address, IPv6 extension headers and upper-layer protocol information.
   Check your network for external packets that did not enter through the main perimeter firewall; they indicate "backdoor" connections or surreptitious tunneling.
  93
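Three of the provisions above (do not forward Routing headers, filter on extension headers, filter on upper-layer information) depend on walking the IPv6 header chain correctly, so here is an added Python example that does that and turns the result into a filter decision. It is editor-supplied code, not from the deck or any firewall product; the sample packets are constructed, with a zeroed 20-byte stub standing in for a TCP header. It handles the cases that trip up naive filters: a Routing Header type 0, a non-first fragment (whose upper-layer header is simply not present in the packet) and truncated headers.

```python
import struct
from ipaddress import IPv6Address

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP, UDP, ICMPV6 = 6, 17, 58
WALKABLE = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}   # ESP hides what follows, so it ends the walk
MAX_EXT_HEADERS = 8


def walk_header_chain(packet: bytes) -> dict:
    """Follow the Next Header chain from the fixed IPv6 header to the upper-layer protocol.
    Records the chain, the routing header types seen and anomalies a filter should care about."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    end = 40 + struct.unpack("!H", packet[4:6])[0]
    if end > len(packet):
        raise ValueError("payload length exceeds captured bytes")
    nh, off = packet[6], 40
    info = {"chain": [], "upper": None, "routing_types": [], "anomalies": []}
    while nh in WALKABLE:
        if len(info["chain"]) >= MAX_EXT_HEADERS:
            info["anomalies"].append("too many extension headers")
            return info
        if off + 8 > end:
            raise ValueError("truncated extension header")
        if nh == HOP_BY_HOP and info["chain"]:
            info["anomalies"].append("hop-by-hop header not first")
        if nh in info["chain"] and nh != DEST_OPTS:
            info["anomalies"].append(f"duplicate extension header {nh}")
        if nh == FRAGMENT:                       # fixed 8 bytes; offset field is in 8-byte units
            hdr_len = 8
            frag_offset = struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3
        elif nh == AH:                           # length in 4-byte units, minus 2
            hdr_len = (packet[off + 1] + 2) * 4
        else:                                    # length in 8-byte units, not counting the first 8
            hdr_len = (packet[off + 1] + 1) * 8
        if off + hdr_len > end:
            raise ValueError("truncated extension header")
        if nh == ROUTING:
            rtype = packet[off + 2]
            info["routing_types"].append(rtype)
            if rtype == 0:
                info["anomalies"].append("routing header type 0")
        info["chain"].append(nh)
        if nh == FRAGMENT and frag_offset != 0:
            info["anomalies"].append("non-first fragment: upper-layer header not in this packet")
            return info
        nh, off = packet[off], off + hdr_len
    info["upper"] = nh
    return info


def firewall_verdict(packet: bytes, allowed_upper=frozenset({TCP, UDP, ICMPV6}),
                     allow_unresolved_fragments: bool = False):
    """Apply the slide's rules: drop malformed chains, drop RH0, filter on the upper-layer protocol
    even when it sits behind extension headers, and take an explicit decision on opaque fragments."""
    try:
        info = walk_header_chain(packet)
    except ValueError as exc:
        return "drop", f"malformed: {exc}"
    if 0 in info["routing_types"]:
        return "drop", "routing header type 0"
    if info["upper"] is None:
        if allow_unresolved_fragments:
            return "permit", "fragment without upper-layer header (allowed by policy)"
        return "drop", "upper-layer protocol cannot be determined"
    if info["upper"] not in allowed_upper:
        return "drop", f"upper-layer protocol {info['upper']} not allowed"
    return "permit", f"upper-layer protocol {info['upper']} reached via chain {info['chain']}"


# Constructed sample packets (documentation-range addresses; a zero stub stands in for a TCP header)
def ipv6_packet(next_header: int, payload: bytes, src="2001:db8::1", dst="2001:db8::2") -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       IPv6Address(src).packed, IPv6Address(dst).packed) + payload


def routing_header_type0(next_header: int, hops) -> bytes:
    addrs = b"".join(IPv6Address(h).packed for h in hops)
    return struct.pack("!BBBBI", next_header, 2 * len(hops), 0, len(hops), 0) + addrs


def fragment_header(next_header: int, offset: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


TCP_STUB = bytes(20)
PLAIN = ipv6_packet(TCP, TCP_STUB)
RH0 = ipv6_packet(ROUTING, routing_header_type0(TCP, ["2001:db8::3"]) + TCP_STUB)
FIRST_FRAG = ipv6_packet(FRAGMENT, fragment_header(TCP, 0, True) + TCP_STUB)
LATER_FRAG = ipv6_packet(FRAGMENT, fragment_header(TCP, 185, False) + bytes(8))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("rh0", RH0), ("first-frag", FIRST_FRAG), ("later-frag", LATER_FRAG)):
        print(name, firewall_verdict(pkt))
```

The fragment policy is the deliberate choice here: a stateless filter cannot know the transport header of a non-first fragment, so it must either drop such fragments (and accept the breakage) or pass them and rely on the end host, and the decision should be written down rather than left to whatever the default happens to be.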
• IPv4-IPv6 Co-existence/Transition
  A wide range of techniques have been identified and implemented, falling into three categories:
   Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
   Tunneling techniques, to avoid order dependencies when upgrading hosts, routers or regions
   Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
  94
• IPv6 tunneling
  Tunneling provides a way to use the existing IPv4 routing infrastructure to carry IPv6 traffic. The key to a successful IPv6 transition is compatibility with the installed base of IPv4 hosts and routers. Maintaining compatibility with IPv4 while deploying IPv6 streamlines the transition of the Internet to IPv6: while the IPv6 infrastructure is being deployed, the existing IPv4 routing infrastructure remains functional and can carry IPv6 traffic.
  95
• Ways of Tunneling
   Router-to-Router: IPv6/IPv4 (dual-stack) routers interconnected by an IPv4 infrastructure tunnel IPv6 packets between themselves. The tunnel spans one segment of the end-to-end path the IPv6 packet takes.
   Host-to-Router: an IPv6/IPv4 host tunnels IPv6 packets to an intermediary IPv6/IPv4 router reachable through an IPv4 infrastructure. The tunnel spans the first segment of the packet's end-to-end path.
   Host-to-Host: IPv6/IPv4 hosts interconnected by an IPv4 infrastructure tunnel IPv6 packets between themselves. The tunnel spans the entire end-to-end path.
   Router-to-Host: an IPv6/IPv4 router tunnels IPv6 packets to their final destination, an IPv6/IPv4 host. The tunnel spans only the last segment of the end-to-end path.
  96
• There are two types of tunnels in IPv6
  1. Automatic tunnels: configured from IPv4 address information embedded in an IPv6 address. The IPv6 destination address itself tells the encapsulator which IPv4 address the packet should be tunneled to.
  2. Configured tunnels: configured manually. They are used with IPv6 addresses that carry no embedded IPv4 information, so the IPv6 and IPv4 addresses of both tunnel endpoints must be specified explicitly.
  97
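An added Python example (editor-supplied, not from the deck) for the two tunnel types: it recognises the IPv6 addresses that embed an IPv4 tunnel endpoint (IPv4-compatible addresses used by RFC 2893 automatic tunnels, 6to4, ISATAP and Teredo; the last three are the interfaces listed on the Windows slide later in the deck), extracts that endpoint, and encapsulates/decapsulates IPv6 in IPv4 protocol 41 the way a configured or 6to4 tunnel does. The addresses and packets are constructed sample values (the Teredo address is the familiar documentation example), and the consistency check tunnel_endpoints_consistent is a design choice of this example.

```python
import struct
from ipaddress import IPv4Address, IPv6Address, IPv6Network

IPPROTO_IPV6 = 41                    # "IPv6 in IPv4" protocol number used by 6in4, 6to4 and ISATAP
SIXTOFOUR = IPv6Network("2002::/16")
TEREDO = IPv6Network("2001::/32")
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def embedded_ipv4(addr: str):
    """Recognise addresses that carry an IPv4 tunnel endpoint and extract it.
    Returns a dict describing the mechanism, or None for ordinary addresses."""
    a = IPv6Address(addr)
    b = a.packed
    if a in SIXTOFOUR:                                  # 2002:WWXX:YYZZ::/48 -> WW.XX.YY.ZZ
        return {"mechanism": "6to4", "ipv4": str(IPv4Address(b[2:6]))}
    if a in TEREDO:                                     # 2001:0:server:flags:~port:~client
        flags = struct.unpack("!H", b[8:10])[0]
        port = struct.unpack("!H", b[10:12])[0] ^ 0xFFFF
        client = IPv4Address(bytes(x ^ 0xFF for x in b[12:16]))
        return {"mechanism": "Teredo", "server": str(IPv4Address(b[4:8])), "flags": flags,
                "client_port": port, "ipv4": str(client)}
    if b[8:12] in ISATAP_IIDS:                          # ...:0:5efe:a.b.c.d or ...:200:5efe:a.b.c.d
        return {"mechanism": "ISATAP", "ipv4": str(IPv4Address(b[12:16])), "link_local": a.is_link_local}
    if b[:12] == bytes(12) and a not in (IPv6Address("::"), IPv6Address("::1")):
        return {"mechanism": "IPv4-compatible (RFC 2893 automatic tunnel)", "ipv4": str(IPv4Address(b[12:16]))}
    return None


def build_6in4(outer_src: str, outer_dst: str, inner_ipv6: bytes) -> bytes:
    """Encapsulate an IPv6 packet in an IPv4 header with protocol 41 (IPv4 checksum left at 0 for brevity)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner_ipv6), 0, 0, 64, IPPROTO_IPV6, 0,
                      IPv4Address(outer_src).packed, IPv4Address(outer_dst).packed)
    return hdr + inner_ipv6


def decapsulate_6in4(ipv4_packet: bytes):
    """Return the inner IPv6 packet if this IPv4 packet carries protocol 41, else None."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4 or ipv4_packet[9] != IPPROTO_IPV6:
        return None
    inner = ipv4_packet[(ipv4_packet[0] & 0x0F) * 4:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    return inner


def tunnel_endpoints_consistent(ipv4_packet: bytes) -> bool:
    """For an automatic tunnel the IPv4 address embedded in the inner source must equal the outer source.
    A mismatch is the kind of spoofed or backdoor tunnel traffic the firewall slides ask you to look for."""
    inner = decapsulate_6in4(ipv4_packet)
    if inner is None:
        return False
    info = embedded_ipv4(str(IPv6Address(inner[8:24])))
    outer_src = str(IPv4Address(ipv4_packet[12:16]))
    return info is not None and info.get("ipv4") == outer_src


def ipv6_header(src: str, dst: str, next_header: int = 59, payload: bytes = b"") -> bytes:
    """Minimal constructed IPv6 packet (next header 59 = no next header) for the samples."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       IPv6Address(src).packed, IPv6Address(dst).packed) + payload


if __name__ == "__main__":
    for sample in ("2002:c000:204::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                   "fe80::5efe:c000:201", "::c000:202", "2001:db8::1"):
        print(sample, embedded_ipv4(sample))
    pkt = build_6in4("192.0.2.4", "198.51.100.1", ipv6_header("2002:c000:204::1", "2001:db8::2"))
    print("consistent:", tunnel_endpoints_consistent(pkt))
```

A configured tunnel carries no such hint in the addresses, which is why both endpoints must be written into the configuration; for the automatic mechanisms the decoder above is also the first step in spotting tunnel traffic on a network that is not supposed to carry any.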
  • Tunneling 98
• Dual stack
  A dual-stack node has both the IPv4 and the IPv6 stack enabled; applications can talk over either.
  99
• IPv6 translation
  Address and protocol translation mechanisms such as NAT-PT (Network Address Translation - Protocol Translation) and SIIT (Stateless IP/ICMP Translation) can be used to let an IPv6 host talk to an IPv4 host by converting v6 packets into v4 and vice versa.
  100
  • IPv6 Support – Operating Systems 101
  • IPv6 Deployment Analysis 102
  • The Impact of IPv6 on Various Network Entities How IPv6 affects layer 2  The layer 2 switches process packets based on MAC addresses which are independent of IPv6.  Implementing IPv6 over layer 2 networks should not need significant changes to the layer 2 switches. However, IPv6 support for protocol VLANs may need hardware support. Functionality such as ACL (Access Control Lists) and MLD snooping (equivalent to IPv4 IGMP snooping) will need to take into account changes for IPv6. How IPv6 affects layer 3  For layer 3 support, in addition to the basic IPv6 modules, the routing and forwarding mechanism needs to be aware of IPv6. Hence, protocols such as RIPng and OSPFv3 will need to be deployed and the hardware will need to be IPv6 capable in order to do line rate processing of IPv6 packets.  A significant change to hardware and software functionality will be needed in routers to support IPv6. 103
• The Impact of IPv6 on Various Network Entities (Contd)
  What IPv6 means to the desktop/hosts
   The desktop operating system needs to support IPv6 before IPv6 can be deployed on hosts.
   Enterprise and consumer applications need to be ported to IPv6 so that there is an application base for it. New IPv6 applications that support end-to-end and peer-to-peer communication models on the Internet will need to be developed.
   For hosts to communicate using IPv6, the necessary infrastructure needs to be in place. A transition plan needs to be formulated for the network, and the strategy will determine whether the transition needs specific software support from the host or whether it will be seamless. Depending on the network topology plan, DHCP or DNS support may also be needed.
  104
• Deployment Issues
  IPv6 technology promises a number of benefits to network communications. But given the complexity of the entire IPv6 protocol family and the need for a robust infrastructure supporting the protocols, an enterprise is well advised to give thoughtful consideration to the issues concerning IPv6 deployment.
  Protecting existing investment
   Vendors need to protect existing investments in switches, routers and hosts, so they need a strategy that maximizes the return on current investments.
  Return on investment (ROI)
   IPv6 will need software and hardware upgrades on hosts, switches and routers, and may need deployment of new applications. The IPv6 transition also needs to be planned carefully, and a pilot network is typically built to evaluate the strategy. All of this takes time and adds expense, so a clear business case is needed to trigger migration of enterprise networks to IPv6.
  105
• Deployment Issues (contd)
  Network planning
   IPv6 can be deployed in two ways: as completely independent IPv6 and IPv4 networks, or as IPv4 and IPv6 overlaid on the same network. The choice affects the IPv6 features required on hosts, switches and routers.
  Instability in some IPv6 features
   Certain standards, such as Mobile IPv6 and the flow label, are not yet stable; stable standards are necessary for successful deployment, particularly to avoid interoperability issues.
  Service provider support
   Enterprises that require IPv6 communication over the Internet need to look into which IPv6 services and applications their service providers offer.
  106
• IPv6 on Windows
   Full support
     Windows XP SP1 and later (Advanced Networking Pack or SP2 recommended)
     Windows Server 2003 (no full application support)
   SP2 additions
     Teredo client
     host-specific relay support
     IPv6 firewall
   Autoconfiguration is working
   netsh interface ipv6 (interface indexes as seen on such a system):
     interface 1: loopback
     interface 2: ISATAP
     interface 3: 6to4 interface
     interface 4...: real network interfaces
     interface 5: Teredo interface
  107
  • Thanks… 108