Getting started with IPv6

You may have hoped to retire before IPv6 became a reality, but unfortunately the IPv4 address exhaustion came too fast. For the rest of us, we’re going to bite off a small piece of the 15-year old IPv6 pie and talk about how to get started!

• Address format refresher
• IPv4 and IPv6 protocol comparison
• IPv6 neighbor discovery and auto-configuration
• Current migration and coexistence strategies
• ICMPv6, DHCPv6, and DNSv6
• How to get started at home

  • Watch IPv4 addresses run out: http://www.potaroo.net/tools/ipv4/index.html
    IPv4 Internet: www.google.com, www.microsoft.com, www.*.com
    IPv6 Internet: v6.cisco.com, ipv6.google.com
  • APNIC only has the remaining /8 from the trigger IANA release. They will be
  • Also in the Cisco world, CLI output of IPv6 features is ugly (lack of readability) compared to their IPv4 counterparts. For example: show ip interface brief vs show ipv6 interface brief; show ip eigrp neighbors vs show ipv6 eigrp neighbors
  • DHCPv6: http://technet.microsoft.com/en-us/magazine/2007.03.cableguy.aspx
    Options include DNS server IP, domain name, NTP server, etc.
    DNS (RFC3484): A client may show preference for DNS AAAA (IPv6) records over IPv4 and thus attempt to connect to the destination server via IPv6.
    IPv6 makes heavy use of ICMP multicast/unicast messages, which must be allowed via ACLs.
  • Routable addresses can be either local (think RFC1918 private IPs) or global (public IP address).
    RFC4941: Privacy Extensions for Stateless Address Autoconfiguration in IPv6. Keep IP for 1-7 days.
    Q: How do L2 switches handle IPv6 addresses?
    A: L2 switches are only looking at the SMAC/DMAC, so IPv6 addressing is transparent to them. Exceptions to this would be a QoS or VACL/PACL applied to the interface examining L3/L4 portions of the header.
  • 1 base-2 binary position = 2 bits (e.g., 0 or 1)
    1 base-16 hex position = 4 bits (e.g., 0-9, A-F). In other words, it takes 4 binary positions (2^4) to represent 16 unique values (0-9 and A-F) per position.
    http://en.wikipedia.org/wiki/IPv6_subnetting_reference
  • See http://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xml for details on multicast address space.
    IPv4 has a documentation prefix as well (see RFC5737): 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), and 203.0.113.0/24 (TEST-NET-3).
  • /64 prefix: 128 bits = 64 for network and 64 for host.
    Why prefix lengths in increments of 8? Because then your IPv6 address fits nicely within the : boundaries.
    /48 = 2001:1       Format: [Global:ISP:Org:Subnet:Host:Host:Host:Host]
    /56 = 2001:1:1     Format: [Global:ISP:ISP:(Org & Subnet):Host:Host:Host:Host]
    /64 = 2001:1:1:1   Format: [Global:ISP:ISP:Subnet:Host:Host:Host:Host]
    Some equipment may have issues assigning a mask other than /64. /64 is required for automatic IP address configuration.
    Prefix examples: /48, /64, /120
  • IPv6 NDP allows host & router/gateway discovery.
    Cisco and Windows-based commands shown.
    Stateless Address AutoConfiguration (SLAAC) uses Modified EUI-64 or Privacy Extensions (RFC4941/Microsoft).
  • IPv6 Only
    Dual Stack: recommended approach
    Tunnel IPv4 or MPLS: see Basic Transition Mechanisms for IPv6 Hosts and Routers (RFC4213)
    6to4 Tunnels (RFC 3056): 2002:IPv4::/48 IPv6 range; route 2002::/16 to the tunnel interface
  • NAT-PT is the only transition NAT protocol supported in most Cisco devices today, but it is generally regarded as obsolete.
    http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-nat_trnsln_ps6350_TSD_Products_Configuration_Guide_Chapter.html
    That leaves no good options to NAT IPv4 addresses to IPv6 addresses.
  • The popular solution today is end-to-end dual stack configuration where an end node runs both IPv4 and IPv6.
    With Cisco, only the ASR 1000 series router supports NAT64 today.
    Juniper supports stateful NAT64 today.
    NAT64 gateway for Linux: http://ecdysis.viagenie.ca/
  • IPv6 Native Dual Stack over DOCSIS
    Comcast: IPv6 Native Dual Stack for users (January 31, 2011)
    Content natively over both IPv6 and IPv4
    Allocating 18,446,744,073,709,551,616 (18 quintillion) addresses per user (/64)
  • Notable Notes
    If you have IPv6 and IPv4 enabled on your machine, IPv6 (and DNSv6) will be preferred.
    Websites already set up for IPv6:
    c:\ruby>ping www.comcast6.net
    Pinging www.comcast6.g.comcast.net [2001:558:1004:9:69:242:76:78] with 32 bytes of data:
    c:\ruby>ping ipv6.google.com
    Pinging ipv6.l.google.com [2001:4860:b006::68] with 32 bytes of data:
  • Not all clients support DHCPv6, opting to support SLAAC only.
    DHCP-PD: allows you to delegate a prefix which may contain multiple subnets to a router that can assign subnets on LAN segments.
  • http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
    https://wikispaces.psu.edu/download/attachments/15162205/Cisco+IPv6+security+slide.pdf?version=1&modificationDate=1251830658000
  • List of IPv6 Tunnel Brokers: http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
  • See RFC 2473 and RFC 3056 for IPv6 tunnel encapsulation information
  • IGP just uses the link local address. No need for a global IP address on the interface.
    IPv6 management done by an IPv6 loopback.
    To verify IPv6 configuration, use:
    show ipv6 interface brief
    show ipv6 router discovery
  • EUI = Extended Unique Identifier. For more details, see http://packetlife.net/blog/2008/aug/4/eui-64-ipv6/
    Solicited-node address
    The solicited-node address facilitates efficient querying of network nodes during address resolution. In IPv4, the ARP Request frame is sent to the MAC-level broadcast, disturbing all nodes on the network segment, including those that are not running IPv4. IPv6 uses the Neighbor Solicitation message to perform address resolution. However, instead of using the link-local scope all-nodes address as the Neighbor Solicitation message destination, which would disturb all IPv6 nodes on the local link, the solicited-node multicast address is used. The solicited-node multicast address consists of the prefix FF02::1:FF00:0/104 and the last 24 bits of the IPv6 address that is being resolved.
    For example, for the node with the link-local IPv6 address of FE80::2AA:FF:FE28:9C5A, the corresponding solicited-node address is FF02::1:FF28:9C5A. To resolve the FE80::2AA:FF:FE28:9C5A address to its link-layer address, a node sends a Neighbor Solicitation message to the solicited-node address of FF02::1:FF28:9C5A. The node that is using the address of FE80::2AA:FF:FE28:9C5A is listening for multicast traffic at the solicited-node address and, for interfaces that correspond to a physical network adapter, has registered the corresponding multicast address with the network adapter.
    The result of using the solicited-node multicast address is that address resolution, which commonly occurs on a link, is not required to use a mechanism that disturbs all network nodes. In fact, very few nodes are disturbed during address resolution. In practice, because of the relationship between the Ethernet MAC address, the IPv6 interface ID, and the solicited-node address, the solicited-node address acts as a pseudo-unicast address for very efficient address resolution.
    http://technet.microsoft.com/en-us/library/cc781068%28WS.10%29.aspx
    Routers join the “All Routers” multicast group FF02::2
  • Firewall shown is the stateful IOS Firewall/CBAC. Zone-based firewall configuration should work as well. For a configuration example, see: https://supportforums.cisco.com/message/3194077
    Items in red (on the slide) are implicit rules for every ACL.
    nd-na = neighbor discovery, neighbor advertisement (L2 resolution reply/unsolicited address announcement)
    nd-ns = neighbor discovery, neighbor solicitation (L2 resolution request)
  • IP: Consider using the last 1-2 octets of the IPv4 address in the IPv6 address to help with device recognition.
    DNS: When creating a DNSv6 reverse lookup zone, enter the address including prefix, e.g., fc00:a::/64
    DHCP: In Windows Server 2008 R2 the DHCPv6 scope prefixes are fixed at /64.
  • Windows 7 supports DHCPv6 in addition to SLAAC and manual modes.
    The Link Local address is dynamically generated for you.
    To use IPv4 instead of IPv6 in prefix policies (e.g. DNS queries): http://support.microsoft.com/kb/929852
    Disable Automatic Tunneling:
    netsh interface 6to4 set state state=disabled undoonstop=disabled
    netsh interface isatap set state state=disabled
    netsh interface teredo set state type=disabled
  • No DHCPv6 support. Either SLAAC or manual.
    Link local (fe80) address is assigned automatically.
    IPv6 ULA address is learned from the ICMP router advertisement.
  • SEND = Secure Neighbor Discovery
    Windows 7 can enable/disable privacy extensions by using:
    netsh interface ipv6 set global randomizeidentifiers=disabled
    netsh interface ipv6 set global randomizeidentifiers=enabled
    Recommendation is to use RFC4941 privacy extensions for external use, and EUI-64/DHCPv6 for internal.
    Disable Rogue Tunnels:
    netsh interface 6to4 set state state=disabled undoonstop=disabled
    netsh interface isatap set state state=disabled
    netsh interface teredo set state type=disabled
    Enable Mac OS X privacy extensions: Edit "/etc/sysctl.conf" and add net.inet6.ip6.use_tempaddr=1. Then reboot.
    Enable Linux privacy extensions: Edit "/etc/sysctl.conf" and add net.ipv6.conf.all.use_tempaddr=2 (the BSD-style net.inet6.ip6.use_tempaddr key is not a Linux sysctl). Then reboot.
    Assignment of DNS via SLAAC RDNSS options
  • Defined in RFC4291
  • Transcript

    • 1. A toe-dip into the volatile world of IPv6 transitions
      Getting Started with IPv6
      Tanner
      04.29.2011
    • 2. Goals and Status
      GOAL
      Get IPv6 dual-stack running on a lab/home network and connect to the IPv6 internet.
      STATUS
      IPv4 Exhaustion Timeline
      IPv6 Today
      Google, Microsoft, Apple, Netflix, Cisco, Facebook, Gov’t Agencies
      Service Provider Plan
      Enterprise Plan
    • 3. IPv4 Exhaustion Schedule
      3
    • 4. Advantages
      Lots of Addresses
      Automatic IP Address Configuration
      Duplicate Address Detection (DAD)
      Only available option post-IPv4
      Still disagreements on implementation / transition methods
      Immature device / OS / application support
      Remembering long addresses
      IPv6 Mechanics
      Disadvantages
    • 5. Interface Addressing
      Manual
      SLAAC
      DHCPv6
      Link Local
      DNS
      Increased reliance due to lengthy addresses
      AAAA (“Quad A”) Records
      IPv6 Building Blocks
      Routable
      2002:d82a:3bcc:deff:baca:3f97:872d:d00d/64
      ICMPv6
      Neighbor Discovery
      Routing
      EIGRPv6, OSPFv3
    • 6. IPv6 Addressing
      2002:adb8:85a3:af90:b8b8:8a2e:1773:ff31/64
      8 x 16 bits separated by a : (colon)
      Prefix length in CIDR format
      NOT 255.255.255.255.255.255.255.255.0.0.0.0.0.0.0.0
      Each interface has a:
      Link local address
      Routable address
      [Modified] EUI-64
      Auto w/privacy extensions
      Manual
      Neighbor Discovery
      Heavy use of ICMP and Multicast
    • 7. IPv6 Subnetting
      [Diagram: 2001:0DB8:0800:3333:AAAA:BBBB:CCCC:DDDD annotated with the CIDR prefix lengths /16, /48, /64, /120 and /128, separating the network/subnet portion from the host portion; "# of bits" labels 16, 4 and 8]
    • 8. Key Prefixes
    • 9. Prefix Sizes
      (1) Assumes using the “standard” allocation of /64 for all links and segments
    • 10. Comparison Table
    • 11. Dual stack
      NAT
      NAT64 & DNS64 / NAT46 / NAT44 / NAT66 / NAT-PT / CGNAT / NAT444 / NAT464 / DS-Lite
      Tunnels
      6to4 (RFC 3056)
      6in4
      ISATAP (RFC 5214)
      GRE/IPv6 over DMVPN
      6rd
      LISP
      Reverse Proxy/Load Balancers
      Transition Technologies
    • 12. Current
      Final State
    • 13. Transitional
      Transitional
    • 14. Make sure there are no DNS AAAA records
      Alternate: Disable IPv6 on all devices
      Enable IPv6 in core, then firewall, then internet router
      Enable select DMZ servers / inside clients
      Dual Stack Transition Plan
    • 15. DNSv6 and DNS64
      Name Resolution
      IPv4
      set type=a
      www.comcast6.net
      Address:  68.87.29.36
      IPv6
      set type=aaaa
      www.comcast6.net
      Address: 2001:558:1002:4:68:87:29:36
      DNS64
      IPv6 client makes DNS AAAA query, DNS64 gateway translates IPv4 response to AAAA format
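The DNS64 step on this slide, worked through as an added example that is not part of the deck: an AAAA query gets the native answer when one exists; only for an IPv4-only name is the A record rewritten into a NAT64 prefix, and the NAT64 gateway later pulls the IPv4 address back out of the low 32 bits. Assumptions: the RFC 6052 well-known prefix 64:ff9b::/96 stands in for whatever prefix a real gateway is configured with, and the record table is constructed (the www.comcast6.net values are the ones on the slide, the IPv4-only name uses the RFC 5737 TEST-NET-1 range). The last helper reproduces the deck's own readability convention from the speaker notes (reusing the IPv4 octets as the last groups of the IPv6 address), which is what the comcast6 AAAA answer shows and which is not DNS64.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# RFC 6052 well-known NAT64 prefix. Assumption for this example: the NAT64/DNS64
# gateway uses it; a deployment may use a network-specific /96 instead.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """DNS64 step: embed the IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """NAT64 gateway step: recover the IPv4 destination, or None if the address is native."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


# Constructed DNS answers keyed by (name, record type).
RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("www.comcast6.net", "A"): ["68.87.29.36"],                    # from the slide
    ("www.comcast6.net", "AAAA"): ["2001:558:1002:4:68:87:29:36"],  # from the slide
    ("ipv4only.example", "A"): ["192.0.2.10"],                      # constructed, TEST-NET-1
}


def dns64_answer(name: str, records=RECORDS, prefix=NAT64_PREFIX) -> Tuple[List[str], bool]:
    """Answer an AAAA query the way a DNS64 resolver does.

    Returns (addresses, synthesized). Native AAAA records always win; only when
    none exist are the A records rewritten into the NAT64 prefix.
    """
    native = records.get((name, "AAAA"), [])
    if native:
        return list(native), False
    synthesized = [synthesize_aaaa(a, prefix) for a in records.get((name, "A"), [])]
    return synthesized, bool(synthesized)


def decimal_octet_address(prefix64: str, ipv4: str) -> str:
    """The deck's device-recognition convention: put the IPv4 octets, read as
    hex groups, into the last four groups of a /64 (68.87.29.36 -> ...:68:87:29:36)."""
    ipaddress.IPv4Address(ipv4)  # validate the dotted quad first
    net = ipaddress.IPv6Network(prefix64, strict=False)
    if net.prefixlen != 64:
        raise ValueError("expects a /64 prefix")
    groups = net.network_address.exploded.split(":")[:4]
    return str(ipaddress.IPv6Address(":".join(groups + ipv4.split("."))))


if __name__ == "__main__":
    for name in ("www.comcast6.net", "ipv4only.example"):
        answers, synthesized = dns64_answer(name)
        print(f"{name}: {answers} synthesized={synthesized}")
        for a in answers:
            print("  gateway sees IPv4 destination:", extract_ipv4(a))
    print(decimal_octet_address("2001:558:1002:4::/64", "68.87.29.36"))
```

Note that `extract_ipv4` returns None for the native comcast6 address even though its last groups look like IPv4 octets; the distinction between a synthesized address and a readable native one is the prefix, not the digits.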
    • 16. Client detects presence of routers on the link using Router Solicitation
      Uses link-local address as the source IP
      No gateway needed. Learned from RA’s.
      DHCPv6
    • 17. IPv6 Attacks
      IPv6 NDP Exhaustion
      Configuring /64’s per subnet is akin to configuring an IPv4 /8 on a LAN
      Allocate /64, Configure a /120
      Breaks SLAAC
      Ping/Ping or Ping/Pong attack
      ND vulnerabilities
      ICMP must be open to inside hosts
      Dual Stack Hosts – IPv6 may not be locked down
    • 18. Additional Resources
      Books
      Deploying IPv6 in WAN/Branch Networks
      Cisco Deploying IPv6 Networks
      Cisco Global IPv6 Strategies
      ARIN IPv6 Wiki
      Measuring IPv6 Adoption
      www.cisco.com/go/ipv6
      Cisco IOS IPv6 Configuration Guide
      http://ipv6.he.net/certification/index.php
      http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
      http://www.potaroo.net/ispcol/2011-02/transtools-part1.html
      http://www.potaroo.net/ispcol/2011-03/transtools-part2.html
      http://www.openwall.com/presentations/IPv6/index.html
      http://blogs.cisco.com/security/ipv6-whats-new/
      http://www.openwall.com/presentations/IPv6/index.html
      http://owend.corp.he.net/ipv6/
      http://www.infoblox.com/ipv6wp
      http://test-ipv6.com
      http://www.deepspace6.net/projects/ipv6calc.html
      ipv6forum.com
    • 19. APPENDIX A
      Device Configuration Examples
    • 20. Dual Stack ISP
      Request dual stack support from ISP
      or
      IPv6 Tunnel Broker
      Sign up for free IPv6 tunnel broker service (tunnelbroker.net from Hurricane Electric)
      IPv6 Internet Access
      Step
      1
    • 21. Cisco Router Security (IPv4)
      Step
      2
      Access List
      ip access-list extended ACL-OUTSIDE-IN
      remark --- Allow IPv6 Tunnel Broker
      permit icmp host 66.220.2.74 any echo
      permit 41 host 216.218.226.238 any
      permit …
      deny ip any any log
      interface F4
      description Internet Interface
      ip access-group ACL-OUTSIDE-IN in
      • Encapsulated traffic must be permitted in/out physical interface.
    • 22. IP Protocol 41 is reserved for IPv6 encapsulation
      IP will change depending on IPv6 broker endpoint used
    • 23. Cisco Router Configuration (IP)
      Step
      3
      ipv6 unicast-routing
      ipv6 cef
      interface Tu0
      description IPv6 Internet
      ipv6 enable
      ipv6 address 2001:DB8:F::2/64
      tunnel source F4
      tunnel destination 216.218.226.238
      tunnel mode ipv6ip
      interface G0
      description LAN Segment
      ipv6 address 2001:DB8:1::1/64
      ipv6 address 2001:DB8:1::/64 EUI-64
      ipv6 enable
      ipv6 route ::/0 Tu0
      Assigned from HE
      Internet Interface
      IPv6 Broker Endpoint
      IPv6 Encapsulated in IPv4
      IP from /48 allocation
      IPv6 default route
    • 24. Cisco Router IP Autoconfig
      IPV6-Router# sh ipv6 int
      GigabitEthernet0 is up, line protocol is up
      [Hardware is PQII_PRO_UEC, address is 68EF.BD61.4D13]
      IPv6 is enabled, link-local address is FE80::6AEF:BDFF:FE61:4D13
      No Virtual link-local address(es):
      Stateless address autoconfig enabled
      Global unicast address(es):
      2001:DB8:1:0:6AEF:BDFF:FE61:4D13, subnet is 2001:DB8:1::/64[EUI/CAL/PRE]
      valid lifetime 2591835 preferred lifetime 604635
      Joined group address(es):
      FF02::1
      FF02::1:FF61:4D13
      MTU is 1500 bytes

      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds (using 30000)
      Default router is FE80::215:C6FF:FE53:9EC8 on GigabitEthernet0
      Interface MAC
      EUI-64 Insertion
      U/L bit flip
      Learned via ND from upstream router
      All IPv6 nodes, link local
      Solicited node addr for replies
      Link local addr used for next hop
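To make the annotations on this output concrete (EUI-64 insertion, U/L bit flip, solicited-node address), here is an added Python example that is not part of the deck. It derives the link-local, global and solicited-node addresses from the interface MAC 68EF.BD61.4D13 shown above, reverses the derivation so an inventory tool can recognise the NIC behind an address, checks the Windows 7 addresses from the later slide, and covers the solicited-node worked example in the speaker notes. The temporary identifier helper is a hypothetical simplification of RFC 4941 (random bits with the U/L bit cleared), not the RFC's generator.

```python
import ipaddress
import re
import secrets


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build the 8-byte Modified EUI-64 interface identifier from a 48-bit MAC.

    Accepts Cisco (68EF.BD61.4D13), colon or dash notation. Steps as on the slide:
    split the MAC in half, insert FF:FE, flip the Universal/Local bit (0x02 of byte 0).
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    raw = bytes.fromhex(hexdigits)
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])
    iid[0] ^= 0x02  # U/L bit flip: 0x68 becomes 0x6A, 0x00 becomes 0x02
    return bytes(iid)


def eui64_to_mac(iid: bytes) -> str:
    """Reverse the derivation: map an EUI-64 interface identifier back to its MAC."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not Modified EUI-64 derived")
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in raw)


def temporary_interface_id() -> bytes:
    """Hypothetical simplified RFC 4941 identifier: 64 random bits, U/L bit cleared
    (cleared marks the identifier as locally generated, not derived from hardware)."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def address_from_iid(prefix: str, iid: bytes) -> str:
    """Combine a /64 prefix with an interface identifier, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix; a /120 breaks autoconfiguration")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def eui64_address(prefix: str, mac: str) -> str:
    return address_from_iid(prefix, mac_to_modified_eui64(mac))


def link_local_address(mac: str) -> str:
    return eui64_address("fe80::/64", mac)


def is_eui64_derived(addr: str) -> bool:
    """True when the interface identifier carries the FF:FE marker, i.e. embeds a MAC."""
    return ipaddress.IPv6Address(addr).packed[11:13] == b"\xff\xfe"


def solicited_node_multicast(addr: str) -> str:
    """FF02::1:FF00:0/104 plus the low 24 bits of the address being resolved."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


if __name__ == "__main__":
    mac = "68EF.BD61.4D13"  # interface MAC from the show ipv6 interface output above
    print("link-local      ", link_local_address(mac))
    print("global (EUI-64) ", eui64_address("2001:db8:1::/64", mac))
    print("solicited-node  ", solicited_node_multicast(link_local_address(mac)))
    print("temporary       ", address_from_iid("2001:db8:1::/64", temporary_interface_id()))
```

Python prints a lone zero group as `:0:` rather than `::`, so the global address comes out as 2001:db8:1:0:6aef:bdff:fe61:4d13, the same value the router shows.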
    • 25. Cisco Router Security (IPv6)
      Step
      4
      Access List
      IOS Firewall (CBAC)
      ipv6 access-list ACL-IPV6-IN
      remark --- Block AfriNIC/APNIC
      deny ipv6 2001:4200::/23 any
      deny ipv6 2C00:0000::/12 any
      deny ipv6 2001:0200::/23 any
      deny ipv6 2001:0C00::/23 any
      deny ipv6 2001:0E00::/23 any
      deny ipv6 2001:4400::/23 any
      deny ipv6 2001:8000::/19 any
      deny ipv6 2001:A000::/20 any
      deny ipv6 2001:B000::/20 any
      deny ipv6 2400:0000::/12 any
      remark --- Allow Neighbor Discovery
      permit icmp any any nd-na
      permit icmp any any nd-ns
      remark --- Block everything else
      deny ipv6 any any log
      interface Tunnel0
      ipv6 traffic-filter ACL-IPV6-IN in
      ipv6 inspect alert-off
      ipv6 inspect routing-header
      ipv6 inspect max-incomplete low 100
      ipv6 inspect max-incomplete high 200
      ipv6 inspect one-minute low 100
      ipv6 inspect one-minute high 200
      ipv6 inspect udp idle-time 15
      ipv6 inspect tcp idle-time 1800
      ipv6 inspect tcp finwait-time 1
      ipv6 inspect tcp synwait-time 15
      ipv6 inspect tcp max-incomplete host 500 block-time 0
      ipv6 inspect name FW1 ftp
      ipv6 inspect name FW1 tcp
      ipv6 inspect name FW1 udp
      ipv6 inspect name FW1 icmp
      interface G0
      ipv6 inspect FW1 in
      ipv6 inspect FW1 out
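An added example, not from the deck, that evaluates the ACL above first-match with the three implicit entries from the speaker notes appended, so the ordering caveat can be checked offline: an explicit `deny ipv6 any any log` shadows the implicit ND permits, which is why the two `permit icmp any any nd-*` lines have to come before it. The ACL text is the slide's; the packet tuples and source addresses are constructed, and CBAC inspection entries are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY6 = ipaddress.IPv6Network("::/0")


@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ipv6" matches every protocol; otherwise "icmp", "tcp", "udp"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    icmp_type: Optional[str] = None  # e.g. "nd-ns", "nd-na"; None matches any ICMPv6 type


def _net(token: str) -> ipaddress.IPv6Network:
    return ANY6 if token == "any" else ipaddress.IPv6Network(token, strict=False)


def parse_acl(text: str) -> List[Ace]:
    """Parse permit/deny lines in the slide's IOS syntax; remarks and 'log' are ignored."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto, src, dst = tokens[:4]
        extra = [t for t in tokens[4:] if t != "log"]
        icmp_type = extra[0] if proto == "icmp" and extra else None
        aces.append(Ace(action, proto, _net(src), _net(dst), icmp_type))
    return aces


# IOS appends these entries to every IPv6 ACL (the implicit rules in the speaker notes).
IMPLICIT_TAIL = parse_acl("""
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
""")

# The inbound tunnel ACL as shown on the slide.
PAGE_ACL = parse_acl("""
remark --- Block AfriNIC/APNIC
deny ipv6 2001:4200::/23 any
deny ipv6 2C00:0000::/12 any
deny ipv6 2001:0200::/23 any
deny ipv6 2001:0C00::/23 any
deny ipv6 2001:0E00::/23 any
deny ipv6 2001:4400::/23 any
deny ipv6 2001:8000::/19 any
deny ipv6 2001:A000::/20 any
deny ipv6 2001:B000::/20 any
deny ipv6 2400:0000::/12 any
remark --- Allow Neighbor Discovery
permit icmp any any nd-na
permit icmp any any nd-ns
remark --- Block everything else
deny ipv6 any any log
""")


def _matches(ace: Ace, proto: str, src, dst, icmp_type: Optional[str]) -> bool:
    if ace.proto != "ipv6" and ace.proto != proto:
        return False
    if src not in ace.src or dst not in ace.dst:
        return False
    if ace.proto == "icmp" and ace.icmp_type is not None and ace.icmp_type != icmp_type:
        return False
    return True


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             icmp_type: Optional[str] = None) -> Tuple[str, str]:
    """First-match evaluation; returns (action, which entry matched)."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for i, ace in enumerate(acl + IMPLICIT_TAIL):
        if _matches(ace, proto, s, d, icmp_type):
            return ace.action, (f"ace {i + 1}" if i < len(acl) else "implicit")
    raise RuntimeError("unreachable: the implicit deny matches everything")


if __name__ == "__main__":
    nd_ns = ("icmp", "fe80::1", "ff02::1:ff00:1", "nd-ns")
    without_nd = [a for a in PAGE_ACL if a.icmp_type is None]  # same ACL minus the ND permits
    print("ND solicitation, slide ACL:      ", evaluate(PAGE_ACL, *nd_ns))
    print("ND solicitation, ND permits gone:", evaluate(without_nd, *nd_ns))
    print("TCP from APNIC space:            ", evaluate(PAGE_ACL, "tcp", "2400::1", "2001:db8:1::1"))
    print("TCP from an unlisted source:     ", evaluate(PAGE_ACL, "tcp", "2001:558:1002:4:68:87:29:36", "2001:db8:1::1"))
```

Unsolicited inbound TCP from an address outside the blocked ranges still ends at the explicit deny (ace 13); on the slide's router it is the `ipv6 inspect` configuration that is expected to admit return traffic for sessions the LAN side opened, which this evaluator deliberately leaves out.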
    • 26. Windows Server Configuration
      Step
      5a
      Manually Configure Server IP Address
      DHCPv6 scope created with local fc00 addressing (ULA)
      (Optional)
      View of DNS A and AAAA Record
    • 27. Windows 7 Configuration
      Step
      5b
      Enable IPv6
      Disable IPv6 tunnels (6to4, isatap, teredo)
      Prefer IPv4 over IPv6 during transition (KB929852)
      LAN Network Connection:
         Physical Address. . . . . . . . . : 00-22-68-1A-E1-4C
         DHCP Enabled. . . . . . . . . . . : Yes
         Autoconfiguration Enabled . . . . : Yes
      IPv6 Address. . . . . . . . . . . : 2001:db8:1::222:68ff:fe1a:e14c(Preferred)
      Temporary IPv6 Address. . . . . . : 2001:db8:1::a1fd:f339:f800:f7ff(Preferred)
         Link-local IPv6 Address . . . . . : fe80::688f:1818:28fc:f11e%12(Preferred)
         IPv4 Address. . . . . . . . . . . : 172.16.0.122(Preferred)
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         Default Gateway . . . . . . . . . : 172.16.0.1
         DHCP Server . . . . . . . . . . . : 172.16.0.10
         DHCPv6 IAID . . . . . . . . . . . : 218112349
         DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-C0-65-37-00-23-54-66-DF-67
        DNS Servers . . . . . . . . . . . : 2001:db8:1::10
      172.16.0.10
    • 28. Mac OS X
      Step
      5c
    • 29. OS Support Comparison
      (1) Feature supported in IOS 12.4(24)T and later.
      (2) EUI-64 capability disabled by default. Privacy extensions must be disabled to use.
      (3) Privacy extensions disabled by default.
    • 30. Test Connectivity
      Step
      6
      Ping Test
      c:> ping ipv6.google.com
      Pinging ipv6.l.google.com [2001:4860:800d::63] with 32 bytes of data:
       
      Reply from 2001:4860:800d::63: time=45ms
      Reply from 2001:4860:800d::63: time=42ms
      Web Test
    • 31. APPENDIX B
      Restrictions, Caveats, Considerations, and Tools
    • 32. Does your L3 switch support hardware-based forwarding for IPv6?
      Platform Limitations
    • 33. Do log parsing applications recognize IPv6?
      Syslog, etc.
      IP address calculation formulas in spreadsheets
      IP-enabled A/V equipment
      Network Video Recording software
      Application Compatibility
    • 34. 3560/3750
      sdm prefer dual-ipv4-and-ipv6 default
      Others: ipv6 mld snooping
      IPv6 CEF disabled by default
      IPv6 will use resources from the IPv4 pool
      Cisco Notes
    • 35. Tools
      stealthyb@nms2:~$ sudo aptitude install sipcalc
      stealthyb@nms2:~$ sipcalc 2001:db8:1::/48
      -[ipv6 : 2001:db8:1::/48] - 0
      [IPV6 INFO]
      Expanded Address - 2001:0db8:0001:0000:0000:0000:0000:0000
      Compressed address - 2001:db8:1::
      Subnet prefix (masked) - 2001:db8:1:0:0:0:0:0/48
      Address ID (masked) - 0:0:0:0:0:0:0:0/48
      Prefix address - ffff:ffff:ffff:0:0:0:0:0
      Prefix length - 48
      Address type - Aggregatable Global Unicast Addresses
      Network range - 2001:0db8:0001:0000:0000:0000:0000:0000 -
      2001:0db8:0001:ffff:ffff:ffff:ffff:ffff
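The sipcalc fields above, together with the prefix-length arithmetic from the subnetting slides and speaker notes (how many /64s fit in a /48, the host count of a /64 versus a /120, nibble alignment, why SLAAC needs exactly a /64), computed with Python's standard library as an added example that is not part of the deck. The scope classifier uses the key prefixes the deck refers to from RFC 4291 (global unicast 2000::/3, link-local fe80::/10, ULA fc00::/7, multicast ff00::/8); all input values are the deck's own or constructed.

```python
import ipaddress
from typing import Dict


def short_groups(addr: str) -> str:
    """sipcalc-style rendering: eight groups, leading zeros dropped, no :: compression."""
    exploded = ipaddress.IPv6Address(addr).exploded
    return ":".join(f"{int(g, 16):x}" for g in exploded.split(":"))


def address_scope(addr: str) -> str:
    """Classify by the key prefixes; ranges are written out so the logic is visible."""
    a = ipaddress.IPv6Address(addr)
    checks = [
        ("multicast", "ff00::/8"),
        ("link-local", "fe80::/10"),
        ("unique local (ULA)", "fc00::/7"),
        ("global unicast", "2000::/3"),
    ]
    for name, cidr in checks:
        if a in ipaddress.IPv6Network(cidr):
            return name
    return "other"


def prefix_info(cidr: str) -> Dict[str, object]:
    """The fields sipcalc prints for a prefix."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    first, last = net.network_address, net.broadcast_address  # 'broadcast' is simply the top address
    return {
        "expanded": first.exploded,
        "compressed": first.compressed,
        "netmask": short_groups(str(net.netmask)),
        "prefix_length": net.prefixlen,
        "host_bits": 128 - net.prefixlen,
        "addresses": net.num_addresses,
        "range": (first.exploded, last.exploded),
        "scope": address_scope(str(first)),
    }


def subnet_count(cidr: str, new_prefix: int) -> int:
    """How many /new_prefix subnets fit in cidr, e.g. /64s inside a /48."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    if new_prefix < net.prefixlen or new_prefix > 128:
        raise ValueError("new prefix must lie between the original length and /128")
    return 2 ** (new_prefix - net.prefixlen)


def nibble_aligned(prefixlen: int) -> bool:
    """Prefix lengths on a 4-bit boundary map to whole hex digits, which keeps written
    prefixes and reverse-DNS zone cuts tidy (the deck's /48, /56 and /64 all qualify)."""
    return prefixlen % 4 == 0


def slaac_possible(prefixlen: int) -> bool:
    """SLAAC with EUI-64 or privacy identifiers needs exactly 64 host bits."""
    return prefixlen == 64


if __name__ == "__main__":
    for key, value in prefix_info("2001:db8:1::/48").items():
        print(f"{key:14} {value}")
    print("/64s in the /48:", subnet_count("2001:db8:1::/48", 64))
    for plen in (64, 120):
        info = prefix_info(f"2001:db8:1::/{plen}")
        print(f"/{plen}: {info['addresses']} addresses on the segment, SLAAC possible: {slaac_possible(plen)}")
```

The /64 versus /120 comparison is the point of the "Allocate /64, Configure a /120" slide: the segment keeps its allocation, but the number of addresses a neighbor cache can be asked to resolve drops from 2^64 to 256, at the cost of SLAAC.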
    • 36. Q: How do I specify a port in an IPv6 URL?
      A: http://[2001:db8::dade:55]:8080/
      Q: What are the group of addresses called in between each : (colon)?
      A: Depending on your source, they can be called “fields”, “groups”, “quads”, “hextets”, or “hexadecatet”.
      Q&A
