Getting started with IPv6


You may have hoped to retire before IPv6 became a reality, but unfortunately the IPv4 address exhaustion came too fast. For the rest of us, we’re going to bite off a small piece of the 15-year old IPv6 pie and talk about how to get started!

• Address format refresher
• IPv4 and IPv6 protocol comparison
• IPv6 neighbor discovery and auto-configuration
• Current migration and coexistence strategies
• ICMPv6, DHCPv6, and DNSv6
• How to get started at home

Notes

  • Watch IPv4 addresses run out: http://www.potaroo.net/tools/ipv4/index.html
    IPv4 Internet: www.google.com, www.microsoft.com, www.*.com
    IPv6 Internet: v6.cisco.com, ipv6.google.com
  • APNIC only has the remaining /8 from the trigger IANA release. They will be
  • Also in the Cisco world, CLI output of IPv6 features is ugly (lack of readability) compared to the IPv4 counterparts. For example: show ip interface brief vs show ipv6 interface brief; show ip eigrp neighbors vs show ipv6 eigrp neighbors
  • DHCPv6: http://technet.microsoft.com/en-us/magazine/2007.03.cableguy.aspx. Options include DNS server IP, domain name, NTP server, etc.
    DNS (RFC3484): A client may show preference for DNS AAAA (IPv6) records over IPv4 and thus attempt to connect to the destination server via IPv6.
    IPv6 makes heavy use of ICMP multicast/unicast messages, which must be allowed via ACLs.
  • Routable addresses can be either local (think RFC1918 private IPs) or global (public IP address).
    RFC4941: Privacy Extensions for Stateless Address Autoconfiguration in IPv6. Keep IP for 1-7 days.
    Q: How do L2 switches handle IPv6 addresses?
    A: L2 switches are only looking at the SMAC/DMAC, so IPv6 addressing is transparent to them. Exceptions to this would be a QoS or VACL/PACL applied to the interface examining L3/L4 portions of the header.
  • 1 base-2 (binary) position = 2 possible values (0 or 1); 1 base-16 (hex) position = 4 bits (16 possible values, 0-9 and A-F). In other words, it takes 4 binary positions (2^4) to represent the 16 unique values (0-9 and A-F) of one hex position. http://en.wikipedia.org/wiki/IPv6_subnetting_reference
  • See http://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xml for details on the multicast address space.
    IPv4 has a documentation prefix as well (see RFC5737): 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), and 203.0.113.0/24 (TEST-NET-3)
  • /64 prefix: 128 bits = 64 for network and 64 for host.
    Why prefix lengths in increments of 8? Because then your IPv6 address fits nicely within the colon (:) boundaries:
    /48 = 2001:1        Format: [Global:ISP:Org:Subnet:Host:Host:Host:Host]
    /56 = 2001:1:1      Format: [Global:ISP:ISP:(Org & Subnet):Host:Host:Host:Host]
    /64 = 2001:1:1:1    Format: [Global:ISP:ISP:Subnet:Host:Host:Host:Host]
    Some equipment may have issues assigning a mask other than /64. /64 is required for automatic IP address configuration.
    Prefix examples: /48, /64, /120
  • IPv6 NDP allows host & router/gateway discovery. Cisco and Windows-based commands shown.
    Stateless Address AutoConfiguration (SLAAC) uses Modified EUI-64 or Privacy Extensions (RFC4941/Microsoft).
  • IPv6 only / Dual stack (recommended approach) / Tunnel IPv4 or MPLS
    See Basic Transition Mechanisms for IPv6 Hosts and Routers (RFC4213).
    6to4 tunnels (RFC 3056): 2002:<IPv4>::/48 IPv6 range; route 2002::/16 to the tunnel interface.
  • NAT-PT is the only transition NAT protocol supported in most Cisco devices today, but it is generally regarded as obsolete. http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-nat_trnsln_ps6350_TSD_Products_Configuration_Guide_Chapter.html
    That leaves no good options to NAT IPv4 addresses to IPv6 addresses.
  • The popular solution today is end-to-end dual stack configuration where an end node runs both IPv4 and IPv6.
    With Cisco, only the ASR 1000 series router supports NAT64 today. Juniper supports stateful NAT64 today.
    NAT64 gateway for Linux: http://ecdysis.viagenie.ca/
  • IPv6 Native Dual Stack over DOCSIS. Comcast: IPv6 Native Dual Stack for users (January 31, 2011). Content natively over both IPv6 and IPv4. Allocating 18,446,744,073,709,551,616 (18 quintillion) addresses per user (/64).
  • Notable notes: If you have IPv6 and IPv4 enabled on your machine, IPv6 (and DNSv6) will be preferred.
    Websites already set up for IPv6:
    c:\ruby>ping www.comcast6.net
    Pinging www.comcast6.g.comcast.net [2001:558:1004:9:69:242:76:78] with 32 bytes of data:
    c:\ruby>ping ipv6.google.com
    Pinging ipv6.l.google.com [2001:4860:b006::68] with 32 bytes of data:
  • Not all clients support DHCPv6, opting to support SLAAC only.
    DHCP-PD: allows you to delegate a prefix which may contain multiple subnets to a router that can assign subnets on LAN segments.
  • http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf
    https://wikispaces.psu.edu/download/attachments/15162205/Cisco+IPv6+security+slide.pdf?version=1&modificationDate=1251830658000
  • List of IPv6 Tunnel Brokers: http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
  • See RFC 2473 and RFC 3056 for IPv6 tunnel encapsulation information
  • IGP just uses the link-local address. No need for a global IP address on the interface. IPv6 management done by an IPv6 loopback.
    To verify IPv6 configuration, use: show ipv6 interface brief; show ipv6 router discovery
  • EUI = Extended Unique Identifier. For more details, see http://packetlife.net/blog/2008/aug/4/eui-64-ipv6/
    Solicited-node address: The solicited-node address facilitates efficient querying of network nodes during address resolution. In IPv4, the ARP Request frame is sent to the MAC-level broadcast, disturbing all nodes on the network segment, including those that are not running IPv4. IPv6 uses the Neighbor Solicitation message to perform address resolution. However, instead of using the link-local scope all-nodes address as the Neighbor Solicitation message destination, which would disturb all IPv6 nodes on the local link, the solicited-node multicast address is used. The solicited-node multicast address consists of the prefix FF02::1:FF00:0/104 and the last 24 bits of the IPv6 address that is being resolved.
    For example, for the node with the link-local IPv6 address of FE80::2AA:FF:FE28:9C5A, the corresponding solicited-node address is FF02::1:FF28:9C5A. To resolve the FE80::2AA:FF:FE28:9C5A address to its link-layer address, a node sends a Neighbor Solicitation message to the solicited-node address of FF02::1:FF28:9C5A. The node that is using the address of FE80::2AA:FF:FE28:9C5A is listening for multicast traffic at the solicited-node address and, for interfaces that correspond to a physical network adapter, has registered the corresponding multicast address with the network adapter.
    The result of using the solicited-node multicast address is that address resolution, which commonly occurs on a link, is not required to use a mechanism that disturbs all network nodes. In fact, very few nodes are disturbed during address resolution. In practice, because of the relationship between the Ethernet MAC address, the IPv6 interface ID, and the solicited-node address, the solicited-node address acts as a pseudo-unicast address for very efficient address resolution. http://technet.microsoft.com/en-us/library/cc781068%28WS.10%29.aspx
    Routers join the "All Routers" multicast group FF02::2.
  • Firewall shown is the stateful IOS Firewall/CBAC. Zone-based firewall configuration should work as well. For a configuration example, see: https://supportforums.cisco.com/message/3194077
    Items in red are implicit rules for every ACL.
    nd-na = neighbor discovery, neighbor advertisement (L2 resolution reply / unsolicited address announcement)
    nd-ns = neighbor discovery, neighbor solicitation (L2 resolution request)
  • IP: Consider using the last 1-2 octets of the IPv4 address in the IPv6 address to help with device recognition.
    DNS: When creating a DNSv6 reverse lookup zone, enter the address including prefix, e.g., fc00:a::/64
    DHCP: In Windows Server 2008 R2 the DHCPv6 scope prefixes are fixed at /64.
  • Windows 7 supports DHCPv6 in addition to SLAAC and manual modes. The link-local address is dynamically generated for you.
    To use IPv4 instead of IPv6 in prefix policies (e.g. DNS queries): http://support.microsoft.com/kb/929852
    Disable automatic tunneling:
    netsh interface 6to4 set state state=disabled undoonstop=disabled
    netsh interface isatap set state state=disabled
    netsh interface teredo set state type=disabled
  • No DHCPv6 support. Either SLAAC or manual. The link-local (fe80) address is assigned automatically. The IPv6 ULA address is learned from the ICMP router advertisement.
  • SEND = Secure Neighbor Discovery
    Windows 7 can enable/disable privacy extensions by using:
    netsh interface ipv6 set global randomizeidentifiers=disabled
    netsh interface ipv6 set global randomizeidentifiers=enabled
    Recommendation is to use RFC4941 privacy extensions for external use, and EUI-64/DHCPv6 for internal.
    Disable rogue tunnels:
    netsh interface 6to4 set state state=disabled undoonstop=disabled
    netsh interface isatap set state state=disabled
    netsh interface teredo set state type=disabled
    Enable Mac OS X privacy extensions: Edit "/etc/sysctl.conf" and add net.inet6.ip6.use_tempaddr=1. Then reboot.
    Enable Linux privacy extensions: Edit "/etc/sysctl.conf" and add net.inet6.ip6.use_tempaddr=2. Then reboot.
    Assignment of DNS via SLAAC RDNSS options
  • Defined in RFC4291
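The modified EUI-64 and solicited-node derivations described in the notes above (and illustrated on the "Cisco Router IP Autoconfig" slide) as an added Python example; this is not code from the deck. The sample inputs are the values the slides show (router MAC 68EF.BD61.4D13 on 2001:DB8:1::/64, Windows client MAC 00-22-68-1A-E1-4C, the TechNet address FE80::2AA:FF:FE28:9C5A); `share_solicited_node` is an added helper showing why two addresses with the same low 24 bits end up in one multicast group.

```python
import ipaddress
import re


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build the 64-bit modified EUI-64 interface identifier from a 48-bit MAC.

    Accepts Cisco (68EF.BD61.4D13), Windows (00-22-68-1A-E1-4C) or colon
    notation. Steps: split the MAC in half, insert FF:FE in the middle, then
    flip the universal/local (U/L) bit, which is bit 0x02 of the first octet.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(hexdigits)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # U/L bit flip
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the modified EUI-64 IID, as SLAAC or the
    IOS 'ipv6 address <prefix>/64 eui-64' command does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac))


def solicited_node(addr) -> ipaddress.IPv6Address:
    """Solicited-node multicast address: FF02::1:FF00:0/104 followed by the
    low 24 bits of the unicast address being resolved."""
    packed = ipaddress.IPv6Address(str(addr)).packed
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + packed[13:])


def share_solicited_node(a, b) -> bool:
    """True when two addresses fall into the same solicited-node group, i.e.
    their last 24 bits match (e.g. ::1 on two different /64s)."""
    return solicited_node(a) == solicited_node(b)


if __name__ == "__main__":
    # Sample values taken from the slide deck (router MAC and Windows client MAC).
    samples = (("fe80::/64", "68EF.BD61.4D13"),
               ("2001:db8:1::/64", "68EF.BD61.4D13"),
               ("2001:db8:1::/64", "00-22-68-1A-E1-4C"))
    for prefix, mac in samples:
        addr = eui64_address(prefix, mac)
        print(f"{mac} + {prefix} -> {addr}  solicited-node {solicited_node(addr)}")
    print("TechNet example ->", solicited_node("FE80::2AA:FF:FE28:9C5A"))
```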

Transcript

  • 1. A toe-dip into the volatile world of IPv6 transitions
    Getting Started with IPv6
    Tanner
    04.29.2011
  • 2. Goals and Status
    GOAL
    Get IPv6 dual-stack running on a lab/home network and connect to the IPv6 internet.
    STATUS
    IPv4 Exhaustion Timeline
    IPv6 Today
    Google, Microsoft, Apple, Netflix, Cisco, Facebook, Gov’t Agencies
    Service Provider Plan
    Enterprise Plan
  • 3. IPv4 Exhaustion Schedule
  • 4. Advantages
    Lots of Addresses
    Automatic IP Address Configuration
    Duplicate Address Detection (DAD)
    Only available option post-IPv4
    Still disagreements on implementation / transition methods
    Immature device / OS / application support
    Remembering long addresses
    IPv6 Mechanics
    Disadvantages
  • 5. Interface Addressing
    Manual
    SLAAC
    DHCPv6
    Link Local
    DNS
    Increased reliance due to lengthy addresses
    AAAA (“Quad A”) Records
    IPv6 Building Blocks
    Routable
    2002:d82a:3bcc:deff:baca:3f97:872d:d00d/64
    ICMPv6
    Neighbor Discovery
    Routing
    EIGRPv6, OSPFv3
  • 6. IPv6 Addressing
    2002:adb8:85a3:af90:b8b8:8a2e:1773:ff31/64
    8 x 16-bits separated by a :(colon)
    Prefix length in CIDR format
    NOT 255.255.255.255.255.255.255.255.0.0.0.0.0.0.0.0
    Each interface has a:
    Link local address
    Routable address
    [Modified] EUI-64
    Auto w/privacy extensions
    Manual
    Neighbor Discovery
    Heavy use of ICMP and Multicast
  • 7. IPv6 Subnetting
    # of bits
    Host portion
    16
    4
    8
    2001:0DB8:0800:3333:AAAA:BBBB:CCCC:DDDD
    /16
    Network/Subnet portion
    /48
    /64
    /120
    /128
    CIDR
  • 8. Key Prefixes
  • 9. Prefix Sizes
    (1) Assumes using the “standard” allocation of /64 for all links and segments
  • 10. Comparison Table
  • 11. Dual stack
    NAT
    NAT64 & DNS64 / NAT46 / NAT44 / NAT66 / NAT-PT / CGNAT / NAT444 / NAT464 / DS-Lite
    Tunnels
    6to4 (RFC 3056)
    6in4
    ISATAP (RFC 5214)
    GRE/IPv6 over DMVPN
    6rd
    LISP
    Reverse Proxy/Load Balancers
    Transition Technologies
  • 12. Current
    FinalState
  • 13. Transitional
    Transitional
  • 14. Make sure there are no DNS AAAA records
    Alternate: Disable IPv6 on all devices
    Enable IPv6 in core, then firewall, then internet router
    Enable select DMZ servers / inside clients
    Dual Stack Transition Plan
  • 15. DNSv6 and DNS64
    Name Resolution
    IPv4
    set type=a
    www.comcast6.net
    Address:  68.87.29.36
    IPv6
    set type=aaaa
    www.comcast6.net
    Address: 2001:558:1002:4:68:87:29:36
    DNS64
    IPv6 client makes DNS AAAA query, DNS64 gateway translates IPv4 response to AAAA format
  • 16. Client detects presence of routers on the link using Router Solicitation
    Uses link-local address as the source IP
    No gateway needed. Learned from RA’s.
    DHCPv6
  • 17. IPv6 Attacks
    IPv6 NDP Exhaustion
    Configuring /64’s per subnet is akin to configuring an IPv4 /8 on a LAN
    Allocate /64, Configure a /120
    Breaks SLAAC
    Ping/Ping or Ping/Pong attack
    ND vulnerabilities
    ICMP must be open to inside hosts
    Dual Stack Hosts – IPv6 may not be locked down
  • 18. Additional Resources
    Books
    Deploying IPv6 in WAN/Branch Networks
    Cisco Deploying IPv6 Networks
    Cisco Global IPv6 Strategies
    ARIN IPv6 Wiki
    Measuring IPv6 Adoption
    www.cisco.com/go/ipv6
    Cisco IOS IPv6 Configuration Guide
    http://ipv6.he.net/certification/index.php
    http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
    http://www.potaroo.net/ispcol/2011-02/transtools-part1.html
    http://www.potaroo.net/ispcol/2011-03/transtools-part2.html
    http://www.openwall.com/presentations/IPv6/index.html
    http://blogs.cisco.com/security/ipv6-whats-new/
    http://owend.corp.he.net/ipv6/
    http://www.infoblox.com/ipv6wp
    http://test-ipv6.com
    http://www.deepspace6.net/projects/ipv6calc.html
    ipv6forum.com
  • 19. APPENDIX A
    Device Configuration Examples
  • 20. Dual Stack ISP
    Request dual stack support from ISP
    or
    IPv6 Tunnel Broker
    Sign up for free IPv6 tunnel broker service (tunnelbroker.net from Hurricane Electric)
    IPv6 Internet Access
    Step
    1
  • 21. Cisco Router Security (IPv4)
    Step
    2
    Access List
    ip access-list extended ACL-OUTSIDE-IN
    remark --- Allow IPv6 Tunnel Broker
    permit icmp host 66.220.2.74 any echo
    permit 41 host 216.218.226.238 any
    permit …
    deny ip any any log
    interface F4
    description Internet Interface
    ip access-group ACL-OUTSIDE-IN in
    Encapsulated traffic must be permitted in/out of the physical interface.
  • 22. IP Protocol 41 is reserved for IPv6 encapsulation
    IP will change depending on IPv6 broker endpoint used
  • 23. Cisco Router Configuration (IP)
    Step
    3
    ipv6 unicast-routing
    ipv6 cef
    interface Tu0
    description IPv6 Internet
    ipv6 enable
    ipv6 address 2001:DB8:F::2/64
    tunnel source F4
    tunnel destination 216.218.226.238
    tunnel mode ipv6ip
    interface G0
    description LAN Segment
    ipv6 address 2001:DB8:1::1/64
    ipv6 address 2001:DB8:1::/64 EUI-64
    ipv6 enable
    ipv6 route ::/0 Tu0
    Assigned from HE
    Internet Interface
    IPv6 Broker Endpoint
    IPv6 Encapsulated in IPv4
    IP from /48 allocation
    IPv6 default route
  • 24. Cisco Router IP Autoconfig
    IPV6-Router# sh ipv6 int
    GigabitEthernet0 is up, line protocol is up
    [Hardware is PQII_PRO_UEC, address is 68EF.BD61.4D13]
    IPv6 is enabled, link-local address is FE80::6AEF:BDFF:FE61:4D13
    No Virtual link-local address(es):
    Stateless address autoconfig enabled
    Global unicast address(es):
    2001:DB8:1:0:6AEF:BDFF:FE61:4D13, subnet is 2001:DB8:1::/64[EUI/CAL/PRE]
    valid lifetime 2591835 preferred lifetime 604635
    Joined group address(es):
    FF02::1
    FF02::1:FF61:4D13
    MTU is 1500 bytes

    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds (using 30000)
    Default router is FE80::215:C6FF:FE53:9EC8 on GigabitEthernet0
    Interface MAC
    EUI-64 Insertion
    U/L bit flip
    Learned via ND from upstream router
    All IPv6 nodes, link local
    Solicited node addr for replies
    Link local addr used for next hop
  • 25. Cisco Router Security (IPv6)
    Step
    4
    Access List
    IOS Firewall (CBAC)
    ipv6 access-list ACL-IPV6-IN
    remark --- Block AfriNIC/APNIC
    deny ipv6 2001:4200::/23 any
    deny ipv6 2C00:0000::/12 any
    deny ipv6 2001:0200::/23 any
    deny ipv6 2001:0C00::/23 any
    deny ipv6 2001:0E00::/23 any
    deny ipv6 2001:4400::/23 any
    deny ipv6 2001:8000::/19 any
    deny ipv6 2001:A000::/20 any
    deny ipv6 2001:B000::/20 any
    deny ipv6 2400:0000::/12 any
    remark --- Allow Neighbor Discovery
    permit icmp any any nd-na
    permit icmp any any nd-ns
    remark --- Block everything else
    deny ipv6 any any log
    interface Tunnel0
    ipv6 traffic-filter ACL-IPV6-IN in
    ipv6 inspect alert-off
    ipv6 inspect routing-header
    ipv6 inspect max-incomplete low 100
    ipv6 inspect max-incomplete high 200
    ipv6 inspect one-minute low 100
    ipv6 inspect one-minute high 200
    ipv6 inspect udp idle-time 15
    ipv6 inspect tcp idle-time 1800
    ipv6 inspect tcp finwait-time 1
    ipv6 inspect tcp synwait-time 15
    ipv6 inspect tcp max-incomplete host 500 block-time 0
    ipv6 inspect name FW1 ftp
    ipv6 inspect name FW1 tcp
    ipv6 inspect name FW1 udp
    ipv6 inspect name FW1 icmp
    interface G0
    ipv6 inspect FW1 in
    ipv6 inspect FW1 out
  • 26. Windows Server Configuration
    Step
    5a
    Manually Configure Server IP Address
    DHCPv6 scope created with local fc00 addressing (ULA)
    (Optional)
    View of DNS A and AAAA Record
  • 27. Windows 7 Configuration
    Step
    5b
    Enable IPv6
    Disable IPv6 tunnels (6to4, isatap, teredo)
    Prefer IPv4 over IPv6 during transition (KB929852)
    LAN Network Connection:
       Physical Address. . . . . . . . . : 00-22-68-1A-E1-4C
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv6 Address. . . . . . . . . . . : 2001:db8:1::222:68ff:fe1a:e14c(Preferred)
       Temporary IPv6 Address. . . . . . : 2001:db8:1::a1fd:f339:f800:f7ff(Preferred)
       Link-local IPv6 Address . . . . . : fe80::688f:1818:28fc:f11e%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 172.16.0.122(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 172.16.0.1
       DHCP Server . . . . . . . . . . . : 172.16.0.10
       DHCPv6 IAID . . . . . . . . . . . : 218112349
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-C0-65-37-00-23-54-66-DF-67
       DNS Servers . . . . . . . . . . . : 2001:db8:1::10
                                           172.16.0.10
  • 28. Mac OS X
    Step
    5c
  • 29. OS Support Comparison
    (1) Feature supported in IOS 12.4(24)T and later.
    (2) EUI-64 capability disabled by default. Privacy extensions must be disabled to use.
    (3) Privacy extensions disabled by default.
  • 30. Test Connectivity
    Step
    6
    Ping Test
    c:\> ping ipv6.google.com
    Pinging ipv6.l.google.com [2001:4860:800d::63] with 32 bytes of data:
    Reply from 2001:4860:800d::63: time=45ms
    Reply from 2001:4860:800d::63: time=42ms
    Web Test
  • 31. APPENDIX B
    Restrictions, Caveats, Considerations, and Tools
  • 32. Does your L3 switch support hardware-based forwarding for IPv6?
    Platform Limitations
  • 33. Do log parsing applications recognize IPv6?
    Syslog, etc.
    IP address calculation formulas in spreadsheets
    IP-enabled A/V equipment
    Network Video Recording software
    Application Compatibility
  • 34. 3560/3750
    sdm prefer dual-ipv4-and-ipv6 default
    Others: ipv6 mld snooping
    IPv6 CEF disabled by default
    IPv6 will use resources from the IPv4 pool
    Cisco Notes
  • 35. Tools
    stealthyb@nms2:~$ sudo aptitude install sipcalc
    stealthyb@nms2:~$ sipcalc 2001:db8:1::/48
    -[ipv6 : 2001:db8:1::/48] - 0
    [IPV6 INFO]
    Expanded Address - 2001:0db8:0001:0000:0000:0000:0000:0000
    Compressed address - 2001:db8:1::
    Subnet prefix (masked) - 2001:db8:1:0:0:0:0:0/48
    Address ID (masked) - 0:0:0:0:0:0:0:0/48
    Prefix address - ffff:ffff:ffff:0:0:0:0:0
    Prefix length - 48
    Address type - Aggregatable Global Unicast Addresses
    Network range - 2001:0db8:0001:0000:0000:0000:0000:0000 -
    2001:0db8:0001:ffff:ffff:ffff:ffff:ffff
  • 36. Q: How do I specify a port in an IPv6 URL?
    A: http://[2001:db8::dade:55]:8080/
    Q: What are the group of addresses called in between each : (colon)?
    A: Depending on your source, they can be called “fields”, “groups”, “quads”, “hextets”, or “hexadecatet”.
    Q&A