Your SlideShare is downloading. ×
Next Generation
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Next Generation

1,779

Published on

Examining the IPv6 readiness of networks and applications.

Examining the IPv6 readiness of networks and applications.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
1,779
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
131
Comments
0
Likes
2
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. SYSADMIN IPv6 krockenmitte, photocase.com Examining IPv6 on today’s Internet NEXT GENERATION Is the world ready for the next generation Internet Protocol? We take a look at Linux with IPv6. BY JÖRG FRITSCH AND PATRICK NEST T he TCP/IP protocol, which began also provided other potential benefits ing [1]. The proliferation of as an obscure experiment for a with an assortment of new rout- Internet-ready mobile phones and handful of academics and U.S. ing, security, and quality of other embedded devices raises new Department of Defense officials, sud- service features. (See concerns about the viability of IPv4 ad- denly became popular in the late 1980s “IPv6 Benefits”.) dress space. At the same time, the prom- and 1990s with the meteoric rise of the The indus- try was ise of sophisticated IPv6 quality of ser- Internet. By the early 1990s, the IP ad- poised for a transition vice capabilities offers potential benefits dress space – which had seemed quite to the new IP, but for for future voice and video applications vast in the early days – was beginning various reasons, this great if developers will shift their focus to to look all too finite, and the experts migration never really hap- writing for the IPv6 environment. began to wonder what would pened. New techniques, such as In August 2007, the IETF published a happen if the Internet ever Network Address Translation (NAT) and draft version of a transition plan for mi- ran out of addresses. Classless Internet Domain Routing grating the Internet from “… a predomi- Work began on a (CIDR), staved off the end of the old nantly IPv4-based connectivity model to new version of the Inter- IPv4 address space, and although hard- a predominantly IPv6-based connectivity net Protocol (IP) ware and software vendors implemented model” [2]. According to that would put an end various forms of IPv6 support, Internet the plan – which theoreti- to worries of overcrowd- service providers were slower to adopt. cally expires in February ing. A plan for the new protocol, Because the specifications ensure the 2008 and may be updated which came to be known as “IP Next compatibility of IPv6 with IPv4 environ- Generation” (IPng), was adopted by the ments, the next generation protocol has Internet Engineering Task Force (IETF) functioned more as a rarely used exten- in 1994, and the details for the IPv6 pro- sion of IPv4 than as a separate environ- tocol were released through a flotilla of ment with a full range of documents surrounding the RFC 2460 new features. IPv6 specification. Recently, however, the The huge spaces within the 128-bit situation has been chang- IPv6 address promised a nearly limitless supply of unique addresses, and IPv6 66 ISSUE 88
  • 2. SYSADMIN IPv6 In a production environment, it is ob- 2007- 2009 2010 - 2011 viously not enough to set up a working Preparation period Transition period IPv6 topology. Businesses need at least a working name server or directory server, along with a web server, a mail server, 2012 - 2013 and possibly a proxy cache and a Samba IPv6 mandatory server to support heterogeneous envi- ronments. 2008 2009 2010 2011 2012 2013 To access the Internet with IPv6, you 2007 2013 need the following: • IPv6 connectivity via your ISP or, for Figure 1: The IPv6 migration plan envisages final IPv6 migration between 2010 and 2011. developers and testers, via an IPv6 by the time you read this article – the ficult to type and remember, despite the tunnel broker transition will occur between 2010 and possible shortcuts (see the box titled • IPv6 Routing 2011 (Figure 1). At the end of this period, “IPv6 Shortcuts”). To make IPv6 easier • IPv6 DNS/Directory Services – Internet providers will have to offer their to work with, you should use name and forward, reverse lookup customers IPv6, which will reduce the directory services whenever you can. Tunnel Brokers incentive for software vendors to focus For your first steps in a trial environ- ment, an /etc/hosts file is probably the development around the more limited The IPv6 specifications provide a means functionality of IPv4. right choice, but you will quickly dis- for encapsulating an IPv6 packet within Governments and political organiza- cover the virtues of an IPv6 name server an IPv4 packet. Several tunnel brokers tions are already starting to pay more at- that at least supports normal forward support delivery of IPv6 packets over the tention to IPv6, and the first IPv6-only name resolution (name to IPv6 address). IPv4 Internet through tunneling. Typi- production networks are projected to cally, a tunnel broker (RFC 3053) is the IPv6 for Small Businesses come online by July 2008. Given the re- only practical solution for operating IPv6 cent resurgence of interest, we decided Just because the administrator can ping networks on the Internet. Examples of the time was right for a look at the cur- one host from another after setting up tunnel brokers include Hurricane [3] and rent state of IPv6 in Linux environments. IPv6 does not mean that the network is SixXS [4]. ready for production use. A tunnel broker sets up an IP-IP tun- Practical IPv6 Many Internet HOWTOs recommend nel, which is also known as Generic Most Linux distributions included IPv6 the use of ping after completing the IPv6 Routing Encapsulation (GRE). The tun- support. For some applications, you install to prove that all is well – but with nel connects the two endpoints via a have to enable IPv6 in a configuration reverse lookup disabled for the IPv6 ad- normal IPv4 network. This configuration dress of the response package (ping6 -n). file. For example, the Bind name server creates virtual tunnel interfaces at both typically needs an additional option, lis- IPv6 Benefits ten-on-v6 { any; }, in its named.conf. For Sendmail, you need to modify the The creators of IPv6 weren’t just worried tually added to IPv4 through technolo- sendmail.cf file to tell both the client and about the address space. IPv6 offers gies such as IPsec. the daemon to listen on a defined IPv6 a number of additional benefits. Some • Payload – The payload of an IPv6 address (enter the inet6 address family of the new features are intended to packet can be as large as 4GB – an as- in ClientPortOptions and DaemonPort- address problems with IPv4, and others tronomical increase over the 64KB are simply an attempt to capitalize on Options). payload capacity of an IPv4 packet. new developments in the evolution of Linux hosts, as well as Mac OS X These “jumbograms” could result in networking. hosts, Windows Vista systems, and most increased efficiency and throughput Other changes include: over networks designed to accommo- open source applications, support IPv6 date them. • Autoconfiguration – IPv6 can be con- after the first boot. In production envi- figured automatically through a sys- ronments, many admins just ignore IPv6 • Quality of Service – IPv6 provides a tem of ICMP-based router discovery means for specifying the priority of a and leave it running without any man- messages. According to some reports, packet, which could lead to reduced agement or control. The result is an un- this feature could eventually replace latency for streaming video and other managed TCP/IP protocol stack, which DHCP. time-sensitive transmissions. is a disaster from a security point of • Multicasting – Multicasting, which was Of course, the IPv6 protocol primarily view. Even if you don’t plan to roll out added as an afterthought to IPv4, is provides a networking environment; it is an IPv6-ready network implementation, part of the IPv6 base specification. up to the applications on either end of it makes sense to come to terms with Multicasting lets you address a packet the connection to use these new features IPv6 so you can manage the services to a group of recipient addresses. effectively. Many of the best IPv6 fea- that might already be running on your • Security – IPv6 includes native support tures will not benefit the user until pro- network. for network-layer encryption and au- grammers start writing applications that IPv6 means a lot of typing. The sheer thentication, a feature that was even- leverage IPv6 enhancements. length of IPv6 addresses makes them dif- MARCH 2008 67 ISSUE 88
  • 3. SYSADMIN IPv6 endpoints; the interfaces are then con- discovery does not figured as if they were two physical work on all the Application interfaces connected directly by wire. nodes. The configu- The administrator can configure these ration also relies on interfaces with IPv6 addresses and use the tunnel working TCP UDP them as the default IPv6 route. The correctly and being endpoint, which can be a single host available. For opera- or a router, appears as if it were wired tional networks, the directly to the rest of the native IPv6 tunnel broker op- IPv4 IPv6 world. This sounds complex, but de- tion is probably not pending on your choice of operating a good idea. system, the configuration requires just DataLink / Ethernet The First six commands (see Listings 1 and 2). IPv6 Request Some tunnel brokers simplify IPv6 name resolution and reverse resolution After you set up the Figure 2: A dual-stack environment supports both IPv4 and IPv6. in their Internet portals or offer the connection, it’s time option of configuring Border Gateway for an initial test. Protocol (BGP) as the routing protocol. You can start by accessing an IPv6-capa- ing IPv4 content, so the benefits of Although a tunnel broker is easy to ble website in your browser. The results browsing with IPv6 on today’s Internet configure, the solution comes with the of an ordinary browser session are typi- are limited. same costs all IP tunnels have, such as cally quite sobering: When DNS name Big websites such CNN or Google are overhead because of the smaller MTU resolution returns an IPv4 A Record and not reachable via IPv6, although some and related data transfer issues if path an IPv6 AAAA record, all browsers use sites are preparing for the transition. the IPv4 variant and request the IPv4 Google has reserved an IPv6 /20 subnet, Automatic version of the HTML page. This is true of and there is some speculation as to all applications that run in mixed IPv4/ whether Google might be planning to Theoretically, an administrator can sim- IPv6 environments. offer ISP services in the future. Ebay ply configure the router on a network Another problem you could face when was assigned a /41 subnet a couple of with IPv6 interface identifiers (i.e., with browsing with IPv6 is that is that many months ago. EUI 64 addresses). Any clients that es- of the IPv6-enabled sites have long dis- tablish a connection to the network are DNS Obstacles appeared. IPv6 link lists are often fairly automatically configured with an IPv6 address and router address (via Neigh- ancient, and at least half of the links If you want to offer or access network bor Discovery, ND, and Router Adver- might not even exist. services, name resolution is imperative. tisements, RA). You don’t need a DHCP The most reliable website we could For your first experiments, you can start server. This method is referred to as by using an /etc/hosts file and relying find with respect to IPv6 support is the stateless autoconfiguration. Of course, on nsswitch.conf with the files option, KAME project [5] (Figure 3). Some other an autoconfigured network without sites offer IPv6 support, but IPv6 content which tells the system to search the name service isn’t much use because is typically the same as the accompany- hosts file first for name resolution. This it doesn’t support any kind of name res- olution. The IPv6 address for the name IPv6 Shortcuts server does not autoconfigure. IPv6 admins use two approaches for The second method is to define a con- Various draft proposals have attempted shortening the extremely long IPv6 stant prefix for your own network. In the to improve this, for example, by Router addresses. previous example, the prefix could be 20 Advertisements or Anycast addresses 01:0000:0000:0090::/60. If your ISP gives The first approach is to collate multi- (RFC 4339) to configure the DNS server. you a subnet of /60, the prefix on your ple leading zeros and just leave them Thus far, none of these proposals has own network will never change, so you out. Each IPv6 address comprises been implemented. can define it in your applications and eight hexadecimal integers separated Even though the name server cannot be leave it out after doing so. The IPv6 by colons. Assuming you have the located if you rely on stateless autocon- name server administrator would just number :0090:, you can abbreviate figuration, it does not actually cause any define this once, and you can then just it to :90:, and if you just have zeros work with the remaining four hexadeci- problems in today’s dual-stack environ- between two colons, :0000:, you can mal integers. The prefix need not be ments (Figure 2) because each host has leave them out completely. This mentioned in internal network plans, in an IPv4 name server that can respond means that documentation, or in correspondence. with IPv6 address records, if necessary. 2001:0000:0000:0090:00AD:0000:1234: abcd becomes 2001::90:AD:0000:1234: Right now, all native IPv6 addresses start However, if this problem is not solved, it with 2001:. Previous IPv4 addresses con- abcd. will eventually detract from the elegance verted to IPv6 start with 2002:. of the IPv6 network. Generally, you can To ensure uniqueness, the last group of zeros can’t be abbreviated; otherwise it (The specifications define a way of calcu- expect all servers to have static IP ad- would be unclear how many zeros went lating unique IPv6 addresses from IPv4 dresses and all clients to self-configure in each :: abbreviation space. addresses.) using stateless autoconfiguration. MARCH 2008 68 ISSUE 88
  • 4. SYSADMIN IPv6 so on, remain Managing this many IPv6 addresses unchanged. with a spreadsheet would be difficult. Expect some Instead, you should opt for an IP address complications management tool. Currently, we are only with configuring aware of commercial tools – for example, name resolution BT INS IPControl [6], BlueCat Networks because, again, [7], and Infoblox [8]. applications will Network Equipment look for IPv4 first. Vendors The “IPv6 Com- mands” box The equipment supplied by most major shows an over- network equipment vendors (e.g., Juni- view of the tool per and Cisco) has had IPv6 support for options. Vendors a couple of years, and you do not need are inconsistent to worry about switches or routers. How- with regard to the ever, there are some differences between syntax of the IPv6 major network equipment suppliers with DNS information respect to firewalls. in the nsswitch. Cisco’s ASA firewall only supports conf file. Red Hat IPv6 at the command line, but the Juni- lets the adminis- per ISG Firewall can handle IPv6 ad- trator keep the dresses at the command line and in its dns keyword browser-based GUI. Cisco supports the Figure 3: The KAME project offers reliable IPv6 support. for IPv6, whereas dual IPv4/IPv6 protocol stack in wireless SUSE insists on dns6, and Solaris configuration works for IPv6, too. As networks. Other more specialized prod- requires ipnodes. with IPv4, you can add IPv6 host ad- ucts, like load balancers (such as F5 and dresses and names to /etc/resolv.conf. Nortel Alteon), also support IPv6, and IPAM This solution will not scale, but it does often they have useful features for mi- save some typing and trouble. Currently, IPv6-capable ISPs in Europe grating from IPv4 to IPv6. We did not At a minimum, you’ll need to make typically assign /52 subnets to their cus- investigate the extent of IPv6 support three major changes to the name server tomers. We would advise larger compa- for low-priced, consumer-grade hubs. configuration: nies to apply for more addresses. In the Native IPv6 • named.conf (must bind to the IPv6 United States, IPv6-capable ISPs are not address of the network interface) as mean and have been known to assign Right now, the typical approach to using • zone file AAAA (must exist in the /48 subnets to bigger customers. Con- IPv6 natively is a dual-stack implementa- zone files for IPv6 hosts) verting these subnet numbers to abso- tion. You rent an IPv4 DSL connection • reverse lookup file lute decimal numbers does not help or a leased line, and the ISP gives you AAAA records are the IPv6 counterpart much; the number of IPv6 addresses in a a static /48 IPv6 subnet (equivalent to 65536 /64 subnets) via the same connec- to the A records used by IPv4. All other /64 subnet – for an ADSL router or home tion with dual stacking. Typically, the as- attributes, such as MX RR, CNAME, and user – is greater than you can imagine. signed IPv6 addresses are static, even if your IPv4 addresses are assigned by Listing 1: IP Tunnel with linux-route2 means of DHCP. IPv6 was advertised as 01 modprobe ipv6 a “service feature” with DSL four or five years ago, but some ISPs have stopped 02 ip tunnel add he-ipv6 mode sit remote 209.51.161.14 local actively promoting IPv6. 83.84.117.191 ttl 255 In the past three years, it has become 03 ip link set he-ipv6 up increasingly difficult to use IPv6 on your 04 ip addr add 2001:470:1f06:12f::2/64 dev he-ipv6 own network. 05 ip route add ::/0 dev he-ipv6 Native IPv6 without IPv4 connectivity does exist; however, it is very rarely of- 06 ip -f inet6 addr fered, typically only in the U.S. and Asia. After connecting your operational net- Listing 2: IP Tunnel with *BSD and OS X work to the IPv6-only Internet, you can’t even exchange email with the rest of the 01 ifconfig gif0 tunnel 83.84.117.191 209.51.161.14 world. Again, if you try to establish a monoculture (either IPv4 or IPv6), you 02 ifconfig gif0 inet6 alias 2001:470:1f06:12f::2 2001:470:1f06:12f::1 will need to invest a fair amount of time prefixlen 128 permanently disabling the other proto- 03 route -n add -inet6 default 2001:470:1f06:12f::1 col stack throughout your network. MARCH 2008 69 ISSUE 88
  • 5. SYSADMIN IPv6 IPv4 tunnel IPv4 protocol 41 IPv4 tunnel IPv4 tunnel IPv4 IPv6 IPv6 Legacy Internet Internet IPv6 IPv6 IPv6 IPv6 Appears as a direct link between router A and router B. Figure 4: Tunnel brokers provide tunneled access to an IPv6 network via IPv4. Professional administrators should stack for the next couple of years makes All told, these trivial issues won’t keep check to see whether new hardware they far more sense. IPv4 is unlikely to disap- IPv6 down for long. You can find a de- intend to purchase (e.g., proxy caches, pear soon. tailed list of IPv6-capable applications mail servers, and so on) supports IPv6. Basically, you can say that all IPv4 se- on the Internet [9]. Although IPv6 should not be a required curity settings are meaningless in IPv6 Conclusions criterion for new acquisitions, it makes and vice versa. Administrators have to sense to know what difficulties you’ll manage firewall rules for both worlds Although most network equipment and face when migrating your own infra- separately – as if the neighboring world open source applications implement structure to IPv6. does not even exist. This parallel con- IPv6, the “next-generation Internet” is figuration is easier to handle than you nothing more than a neat experiment Security: Fear of the might think. Because IPv6 is not very right now because of unresolved issues Unknown widespread, a firewall with just a couple and ISP inertia. As of this writing, it is Native IPv6 environments are hard to of rules and an IPv6 clean-up rule as a still impossible to build mission-critical implement. Because of the affinity of catch-all will do the trick, and the same services on IPv6. all operating systems and applications thing applies to access lists on routers. Still, IPv6 is a neat toy if you want to to IPv4, it is difficult to imagine perma- But you have to be bold enough to trust demonstrate your skills and carve a nently disabling IPv4. Living with a dual the IPv6 implementation on your fire- swath at the cutting edge of the network wall device just as much as you trust the universe. I IPv6 Commands IPv4 implementation. INFO For troubleshooting purposes, you’ll Gaps in the Puzzle need a tool that reveals routes, open [1] Government Computer News: Currently, the future of IPv6 is full of connections, and ports. netstat does not http://www.gcn.com/IPv6 gaps. The biggest problem is the lack of understand IPv6 unless you insist on it [2] IPv6 migration plan: commitment on the part of Internet ser- with the -A inet6 option. For example, http://www.ietf.org/internet-drafts/ vice providers, which makes the use of netstat -A inet6 -rn displays your routes. draft-jcurran-v6transitionplan-01.txt IP tunnels (tunnel brokers) inevitable The -n switch suppresses reverse [3] Hurricane Electric Tunnel Broker: lookup so that you will not wait forever (Figure 4). http://tunnelbroker.net for a response if IPv6 reverse lookup is Draft proposals for DNS support in [4] SixXS Tunnel Broker: broken anywhere on the path. auto configuration have been around for http://www.sixxs.net The IPv6 equivalent to ping is called years, but they remain drafts. And IPv6 [5] KAME.net: http://www.kame.net ping6; again, it is a good idea to disable support from major network device sup- [6] BT Diamond IP: reverse lookup by specifying -n. pliers is still uneven. In our lab, devices http://bt.ins.com/software from two major vendors had trouble The arp command does not exist for [7] BlueCat Networks: IPv6. The Neighbor Discovery Protocol with the ICMPv6 Neighbor Discovery http://www.bluecatnetworks.com replaces ARP. Some distributions and Protocol (counterpart to ARP). [8] Infoblox: http://www.infoblox.com *nixes use the ndp command instead, Although these issues have been fixed, whereas others give you ip command [9] IPv6-capable open source applica- customers looking for support often hear options to display the same information, tions: http://www.deepspace6.net/ things like, “You’re the first one to ever docs/ipv6_status_page_apps.html such as ip -6 neigh. ask me that.” MARCH 2008 70 ISSUE 88

×