IPv6 was created to address the limited address space of IPv4 as global IPv4 address allocation was running out. Some of the key differences between IPv4 and IPv6 include IPv6's significantly larger 128-bit address space compared to IPv4's 32-bit addresses, as well as changes to areas like packet headers, fragmentation, and neighbor discovery. Transition technologies like dual stack, NAT64, and DS-Lite were developed to help transition from IPv4 to IPv6, while ensuring IPv6 connectivity even for networks and devices that still use IPv4. Fully enabling IPv6 requires changes to network infrastructure like firewalls, routers, and switches to support the new protocol.
2. IPv6 - Internet Protocol ver. 6
1) Yes, there was IPv1/v2/v3 (pre: TCP - “We are screwing up in our design of internet protocols by violating the principle of layering.”)
2) Yes, there was even an IPv5 (developed for streaming) as well
3. Agenda
● Why?
● IPv6: basics
● IPv6 address on the interface
● Transition methods
● Codilime story
● IPv6 and hardware
● Who is using?
● Q & A
4. Why?
Year 1981 declarations:
● "640KB ought to be enough for anybody."
● 2^32 IP address space (however):
○ 12.0.0.0/8 AT&T Services
○ 16.0.0.0/8 Hewlett-Packard Company
○ 17.0.0.0/8 Apple Inc.
○ 12 x X.0.0.0/8 US Department of Defense
○ etc. (at least 40 x /8 are allocated this way, ~15% of the IPv4 address space)
6. Why?
Year 2018
● APNIC - On 15 April 2011, the APNIC pool reached the last /8 of available IPv4 addresses, triggering the “Final /8 policy”. Each LIR (Local Internet Registry) is to receive only one small block (a /22), and APNIC regularly receives returned IPv4 resources when LIRs close.
● RIPE NCC - On 14 September 2012, the RIPE NCC began to allocate IPv4 address space from the last /8 of IPv4 address space. RIPE NCC members can request a one-time /22 allocation (1,024 IPv4 addresses). No new IPv4 Provider Independent (PI) space will be assigned.
● LACNIC - From 15 February 2017 only assignments from the equivalent of a /22 to a /24 may be made from this pool. Each new member may only receive one initial assignment from this space.
● ARIN - On 24 September 2015, ARIN issued the final IPv4 addresses in its free pool. ARIN will continue to process and approve requests for IPv4 address blocks. Those approved requests may be fulfilled via the Wait List for Unmet IPv4 Requests, or through the IPv4 Transfer Market.
● AFRINIC - AFRINIC has IPv4 address space available in its free pool. It can assign IPv4 address space to its members according to justified need as documented in the current policy.
7. Why?
Figure: IPv4 advertised prefixes, by https://bgp.potaroo.net/
BGP - FIB size
● each prefix segmentation consumes FIB memory
● convergence time matters
● old equipment (Cisco 6500/7600 were limited to 512K entries)
● it will only get worse
8. IPv6: basics
From 1998 until now
● described in RFC 2460 (year 1998)
● 128-bit (2^128) address space
● NOT backwards compatible w/ IPv4
● every (well, almost every) IPv6 address is a public one
● transparent support in DNS (AAAA)
Figure: IPv6 advertised prefixes, by https://bgp.potaroo.net/
9. Main differences
IPv4
● 32 bit address space
● min. packet size: 576B
● can be fragmented in transit
● IP header size varies, starting from 20B (IHL field)
● NAT on a daily basis
● broadcast & multicast
● ARP
IPv6
● 128 bit address space
● min. packet size: 1280B
● only the sender does fragmentation
● fixed header size 40B (optional ext. headers)
● no NAT by design (w/ exceptions)
● no broadcast (just multicast)
● ARP replaced by ICMPv6
Figure: IPv4/IPv6 by Cisco
IPv6: basics
10. Making an IPv6 address shorter
● we drop the leading 0's in each 16-bit group
● we collapse a run of groups built only from “0” into ::
Example A:
1. 2001:0db8:0000:0000:0000:ff00:0042:8329
2. 2001:db8:0:0:0:ff00:42:8329
3. 2001:db8::ff00:42:8329
Example B (loopback, the counterpart of 127.0.0.1):
1. 0000:0000:0000:0000:0000:0000:0000:0001
2. ::1
Facebook IPv6:
2a03:2880:f003:c07:face:b00c::2
IPv4/IPv6 notation:
64:ff9b::c000:0201
same as:
64:ff9b::[c0.0.2.1]
64:ff9b::[192.0.2.1]
IPv6: basics
11. Main address ranges in IPv6
1. fe80::/10 – link-local unicast addressing. Unique IPv6 address on one L2 segment (similar to 169.254.X.X)
2. ::1/128 – IPv6 loopback (127.0.0.1)
3. fc00::/7 – unique local addresses (ULA) (RFC1918 equivalent)
4. ff00::/8 – multicast range (from ICMPv6 NS/NA, via DHCP up to PIM)
5. 64:ff9b::/96 - used for mappings between address families (NAT64)
IPv6: addresses
12. Addressing IPv6 interface
● an IPv6-compliant machine must support more than one address on each interface
● each interface must have an address assigned from the fe80::/10 range
● a /64 mask is often used (for one L2 segment)
● the last 64 bits can be based on the hardware MAC (EUI-64):
IPv6: addresses
adam@sw-core-0p-1> show interfaces ge-0/0/39
[...]
Current address: ec:13:db:fb:a4:2a, Hardware address:ec:13:db:fb:a4:2a
adam@sw-core-0p-1> show interfaces ge-0/0/39.1010
[...]
Destination: fe80::/64, Local: fe80::ee13:db03:f2fb:a42a
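An added example, not part of the original slides: a Python triage helper for IPv6 addresses seen in logs, covering the shortening rules, the address ranges and the EUI-64 derivation from the preceding slides. It recovers a MAC from a modified EUI-64 interface ID (RFC 4291) and the IPv4 address embedded in the NAT64 prefix. All function names are hypothetical; the sample addresses are the ones shown on the slides.

```python
import ipaddress

# Ranges from the "Main address ranges in IPv6" slide, most specific first.
RANGES = [
    ("loopback", ipaddress.ip_network("::1/128")),
    ("nat64", ipaddress.ip_network("64:ff9b::/96")),
    ("link-local", ipaddress.ip_network("fe80::/10")),
    ("unique-local", ipaddress.ip_network("fc00::/7")),
    ("multicast", ipaddress.ip_network("ff00::/8")),
]


def compress(addr):
    """Return the shortest textual form (leading zeros dropped, one zero run as ::)."""
    return ipaddress.IPv6Address(addr).compressed


def classify(addr):
    """Name the slide-11 range an address falls in, or 'global-or-other'."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in RANGES:
        if ip in net:
            return name
    return "global-or-other"


def nat64_embedded_ipv4(addr):
    """Return the IPv4 address carried in the low 32 bits of 64:ff9b::/96, else None."""
    ip = ipaddress.IPv6Address(addr)
    if classify(ip) != "nat64":
        return None
    return str(ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF))


def link_local_from_mac(mac):
    """Build fe80::/64 + modified EUI-64: flip the U/L bit, insert ff:fe in the middle."""
    b = bytearray(int(part, 16) for part in mac.split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    b[0] ^= 0x02
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid))


def mac_from_eui64(addr):
    """Recover the MAC if the interface ID carries the ff:fe marker, else None.

    A hit means the address exposes the hardware address of the host,
    which is worth knowing both for asset correlation and for privacy review.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{octet:02x}" for octet in mac)


def iid_middle_word(addr):
    """Return the 16 bits that sit where ff:fe would be in a modified EUI-64 ID."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return int.from_bytes(iid[3:5], "big")


if __name__ == "__main__":
    slide_mac = "ec:13:db:fb:a4:2a"              # from the slide's CLI output
    slide_ll = "fe80::ee13:db03:f2fb:a42a"       # from the slide's CLI output
    print(compress("2001:0db8:0000:0000:0000:ff00:0042:8329"))
    print(classify(slide_ll), link_local_from_mac(slide_mac))
    # The slide's address has 0x03f2 (= 1010, the same number as the unit in
    # ge-0/0/39.1010) where the standard rule puts ff:fe, so it does not
    # decode back to a MAC with the standard rule.
    print(mac_from_eui64(slide_ll), iid_middle_word(slide_ll))
    print(nat64_embedded_ipv4("64:ff9b::c000:0201"))
```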
13. Addressing IPv6 interface (cont.)
● Router advertisement (each router advertises periodically via multicast):
○ GW address
○ IPv6 prefix (i.e. 2001:1a68:10:1::/64)
○ DNS servers
○ lifetime
○ bit stating whether DHCP should be used as well (to get extra info)
● DHCP:
○ different ports than on IPv4
○ client is no longer identified by MAC (DUID)
○ GW is not provided! (see RA)
○ no broadcast - multicast + fe80::/10 range
● Static
IPv6: addresses
14. ICMPv6
● Neighbor Solicitation (replaces ARP request)
○ sent from link-local unicast address
○ sent towards specific ff02::[EUI-64] multicast address
○ used as well for DAD
● Neighbor Advertisement (replaces ARP reply)
○ sent from link-local unicast address
○ sent towards link-local unicast address
● Router Solicitation
○ hosts use Router Solicitation messages to locate routers on an attached link.
● Router Advertisement
○ Router response/periodic advertisement regarding LAN configuration
IPv6: addresses
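An added example, not part of the original slides: a Python validator for Neighbor Solicitation messages that applies receiver-side checks from RFC 4861 (hop limit 255, valid ICMPv6 checksum, destination equal to the solicited-node multicast address ff02::1:ffXX:XXXX built from the low 24 bits of the target, as defined in RFC 4291). The packets are constructed in the code, and the function names and problem labels are hypothetical.

```python
import ipaddress
import struct

ICMPV6 = 58        # IPv6 next-header value for ICMPv6
NS_TYPE = 135      # Neighbor Solicitation


def solicited_node(target):
    """Solicited-node multicast address: ff02::1:ff00:0/104 + low 24 bits of target."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def icmpv6_checksum(src, dst, message):
    """Internet checksum over the IPv6 pseudo-header and the ICMPv6 message."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(message), ICMPV6)
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ns(src, target, hop_limit=255, dst=None):
    """Construct a sample IPv6 + ICMPv6 Neighbor Solicitation (no options)."""
    src = ipaddress.IPv6Address(src)
    target = ipaddress.IPv6Address(target)
    dst = ipaddress.IPv6Address(dst) if dst else solicited_node(target)
    message = struct.pack("!BBHI", NS_TYPE, 0, 0, 0) + target.packed
    csum = icmpv6_checksum(src, dst, message)
    message = message[:2] + struct.pack("!H", csum) + message[4:]
    header = struct.pack("!IHBB", 6 << 28, len(message), ICMPV6, hop_limit)
    return header + src.packed + dst.packed + message


def check_ns(packet):
    """Return a list of problem labels; an empty list means the NS is acceptable."""
    if len(packet) < 40 + 24:
        return ["truncated"]
    vtf, plen, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])
    message = packet[40:40 + plen]
    if vtf >> 28 != 6 or next_header != ICMPV6 or len(message) < 24:
        return ["not-icmpv6-ns"]
    if message[0] != NS_TYPE:
        return ["not-icmpv6-ns"]
    target = ipaddress.IPv6Address(message[8:24])
    problems = []
    if hop_limit != 255:
        # A router decrements the hop limit, so anything below 255 crossed
        # a router and cannot be a genuine on-link neighbor message.
        problems.append("hop-limit")
    if message[1] != 0:
        problems.append("code")
    if icmpv6_checksum(src, dst, message) != 0:
        problems.append("checksum")
    if target.is_multicast:
        problems.append("multicast-target")
    if dst.is_multicast and dst != solicited_node(target):
        problems.append("dst-mismatch")
    if src.is_unspecified and not dst.is_multicast:
        # DAD probes (source ::) must go to the solicited-node multicast address.
        problems.append("dad-dst")
    return problems


if __name__ == "__main__":
    # Constructed packets; the link-local address is the one from the slides.
    good = build_ns("fe80::ee13:db03:f2fb:a42a", "fe80::1")
    off_link = build_ns("fe80::ee13:db03:f2fb:a42a", "fe80::1", hop_limit=64)
    print(solicited_node("fe80::ee13:db03:f2fb:a42a"))
    print(check_ns(good), check_ns(off_link))
```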
15. Transition
Why is it taking so long?
● IPv4 still works / plenty of NATs / it will work out somehow
● HW / SW incompatibility / issues
● 🐔/🥚 problem:
○ no content (there are no users)
○ no users (there is no content)
Figure: Broken link-local support in VMware ESXi 5
17. Dual Stack
● each machine has an IPv4 and an IPv6 stack running at the same time
● the IPv6 protocol is preferred over IPv4
● The ideal scenario involves a public IPv4 address, although RFC1918 is acceptable (NAT444 on CGN)
Transition
18. DS-Lite
● CPE connected only via IPv6 on the WAN
● A PC on the LAN gets an IPv4 (RFC1918) and an IPv6 address
● All IPv4 traffic toward the Internet is encapsulated into IPv6, forwarded to the CG-NAT and NATted there (multiple customers using one public IPv4 address)
Transition
19. NAT64
● CPE/device connected via an IPv6 uplink
● Each DNS request (for an IPv4 resource) is translated to the 64:ff9b:: IPv6 space
● That space is translated on an IPv6->IPv4 NAT
● 464XLAT extension for pure (DNS-less) IPv4 traffic (or ALG like FTP, SIP, Skype etc.)
Transition
20. MAP-T
● Provides stateless IPv6-IPv4 translation - the stateful part (NAT) is done on the CPE
● The customer gets only part of one IPv4 address (i.e. IP [202.254.1.2] + range of ports [1000-2000]) - so one IP is shared between multiple users
● All NAT translation is done on the CPE and IPv4 addresses are encoded into IPv6 ones:
○ packet from 192.168.1.100 port 9020 to 3.3.3.3 port 1050
○ becomes 2001::[202.254.1.2] port 1048 to 4001::[3.3.3.3] port 1050 (after CPE)
○ becomes 202.254.1.2 port 1048 to 3.3.3.3 port 1050 (after CGN)
● IPv4 extraction is done statelessly on the ISP core devices
● MAP-E is similar, but encapsulation is used instead of IPv6 / IPv4 encoding
Transition
21. PCP
● Port Control Protocol (PCP) makes it possible to control how incoming IPv4/v6 packets are translated and forwarded by the upstream CG-NAT
● Allows setting explicit port forwarding rules on the ISP CGN
● Successor to the NAT Port Mapping Protocol (NAT-PMP)
● Operations:
○ MAP - Creates or renews a mapping for inbound forwarding (port forward)
○ PEER - Creates or renews an outbound mapping (translates outbound traffic to a specific IP/port)
Transition
22. 6in4 tunnels
● Uses tunneling to encapsulate IPv6 traffic over pure IPv4 networks
● Traffic is sent inside IPv4 packets whose IP headers have the IP protocol number set to 41 (it’s not an L4 protocol - beware of NAT)
● Free providers are available: Hurricane Electric (USA), 6project.org (USA), pemsy (EU), IP4Market (Russia)
● One can get from a /128 up to a /48 IPv6 prefix for her/his use
Transition
23. Codilime story
Four-part story (from edge to center):
● Request IPv6 prefix from ISP
● Enable IPv6 protocol on edge FWs
● Enable IPv6 on core/access switches
● Those little things
24. Codilime story
Request IPv6 prefix
● It’s free
● We got a /48 prefix
○ 65k /64 networks
● But not always available
○ primary ISP responded on NBD
○ secondary ISP has no support for IPv6 at all
25. Codilime story
Enable IPv6 on FWs
● We added family inet6 on interconnecting interfaces
○ link-local address is OK for most of the cases - no need to put public IPv6 there
● OSPFv3 protocol/FW policies had to be added/adjusted
● No changes needed on policy rules for forwarding traffic (in most of the cases)
● However, IPv6 flow mode had to be enabled on the FW (otherwise all IPv6 traffic was dropped)
adam@fw# set security forwarding-options family inet6 mode flow-based
[edit]
adam@fw# commit
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
commit complete
26. Codilime story
Enable IPv6 on core switches
Enabling IPv6 on core switches went more smoothly but the checklist was long:
● Add family inet6 on dedicated interfaces
○ remember to allow multicast/link-local addresses on interface filters
● Filter protect-re for the IPv6 family had to be specified separately
● We had to enable the OSPFv3 protocol as well to exchange IPv6 prefixes
● Explicitly blackholed the /48 prefix on core to avoid a routing loop between our FW and ISP PE
● To enable RA on user interfaces, the protocol router-advertisement had to be enabled:
adam@sw-core1> show configuration protocols router-advertisement
interface irb.1120 {
    max-advertisement-interval 60;
    prefix 2001:1a68:10:1::/64;
}
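Why the /48 blackhole on the checklist matters, as an added Python simulation (not from the original deck): the ISP PE routes the whole /48 to the site while the site sends anything without a more specific route back out via its default route, so traffic to an unused /64 bounces until the hop limit runs out. Prefixes are constructed documentation values, and the model assumes the core's discard route is also advertised to the FW via OSPFv3.

```python
import ipaddress

SITE = "2001:db8:10::/48"       # constructed stand-in for the delegated /48
USER_LAN = "2001:db8:10:1::/64" # the only /64 actually in use


def build_tables(blackhole):
    """Per-router lists of (prefix, next hop); next hop may be a final action."""
    n = ipaddress.ip_network
    core = [(n(USER_LAN), "deliver"), (n("::/0"), "fw")]
    fw = [(n(USER_LAN), "core"), (n("::/0"), "isp-pe")]
    if blackhole:
        core.append((n(SITE), "discard"))
        fw.append((n(SITE), "core"))    # assumption: learned from core via OSPFv3
    return {"isp-pe": [(n(SITE), "fw")], "fw": fw, "core": core}


def route(tables, start, dst, hop_limit=64):
    """Forward hop by hop with longest-prefix match; return (path, outcome)."""
    dst = ipaddress.ip_address(dst)
    node, path = start, [start]
    while hop_limit > 0:
        matches = [(net, nh) for net, nh in tables[node] if dst in net]
        if not matches:
            return path, "no route"
        _, next_hop = max(matches, key=lambda m: m[0].prefixlen)
        if next_hop in ("discard", "deliver"):
            return path, next_hop
        node = next_hop
        path.append(node)
        hop_limit -= 1
    return path, "hop limit exceeded"


if __name__ == "__main__":
    unused = "2001:db8:10:ffff::1"      # inside the /48, no /64 configured
    for blackhole in (False, True):
        path, outcome = route(build_tables(blackhole), "isp-pe", unused)
        print(f"blackhole={blackhole}: {len(path) - 1} hops, {outcome}")
```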
27. Codilime story
Those little things
● enable IPv6 on DNS servers (currently in backlog - since AAAA over IPv4 is working fine)
● enable/configure ip6tables on servers
● update sFlow collector to interpret IPv6 records correctly
● inform users in advance (FAIL 😉)
“Since when do we have native IPv6 😲?”
28. IPv6 and hardware
IPv6 support on network devices:
● Control Plane
● Forwarding plane
● > L4 services (NAT/PCP)
Juniper MX-Series routers and switches
29. IPv6 and hardware
Control plane
Routing protocols supporting IPv6 are divided into two approaches:
● integrated (IS-IS, MP-BGP4): can exchange both IPv4/v6 routing information at the same time:
+ efficiency: IPv4 and IPv6 addresses belonging to the same destination can be transported via
a single message
+ reactivity: if a fault or a network change occurs, the protocol discovers it for both address
families
- bugs: a problem in the protocol affects IPv4 and IPv6 networks in the same way
- migration: if the protocol uses IPv4 to transport Hello packets, IPv4 cannot be abolished in the network (MP-BGP4)
30. IPv6 and hardware
Control plane (cont.)
Routing protocols supporting IPv6 are divided into two approaches:
● native (RIPng, EIGRP, OSPFv3): can exchange only IPv6 routing information:
- efficiency: given a destination, a message needs to be exchanged for its IPv4 address and
another message for its IPv6 address (twice as much Hellos)
- reactivity: if a fault or a network change occurs, both protocols have to discover it, each one
with its timings and duplicate messages
+ bugs: a problem in the protocol does not affect routing in the other one
+ migration: each routing protocol generates messages of the address family it belongs to.
31. IPv6 and hardware
Control plane (cont.)
Interoperability:
● RFC approval is taking time
○ VRRPv6: vendor “H” supports the final RFC, vendor “J” supports a draft version. Result: each of them thinks that the other one is dead.
○ PCP (29 drafts! before RFC): CGN supports draft XXX/final RFC vs CPEs support draft YYY/final RFC (you can pick only two options)
● Communication with 3rd party components via IPv6 (AAA - Radius), logs, SNMP etc.
● Router Advertisement, which is interpreted by hosts directly (Android, iOS, Linux, Windows, etc.)
32. IPv6 and hardware
Forwarding plane:
● IPv6 addresses are longer than IPv4 ones (128b vs 32b)
○ consumes more FIB memory
○ bigger address space -> more prefixes -> even more FIB memory needed
○ due to the above: NH lookup takes longer
○ FIB size/speed vs IPv6 growth -> LISP protocol
● ICMPv6 protocol support is mandatory
● Traffic Class & Flow Label now take 8 & 20 bits -> different QoS/ECMP handling
● ACL/policy (TCAM or ASIC) - the first approach needs more memory, the second needs different “code”
● On the plus side - no fragmentation in transit (only an ICMPv6 message to the packet origin)
● Some vendors have issues even now: “Recursive lookup is not working if gateway is link local address”, “VPNv6 support” (both: “M” vendor)
33. IPv6 and hardware
> L4 services...
...while keeping IP core performance (>40/100/400Gb/s):
● Juniper MS-DPC / MS-MPC (DS-lite)
● Cisco Service card (DS-lite) or 400G / 200G Modular Line Cards and 4/8-Port 100 Gigabit
Ethernet Line Cards (MAP-T)
● Alcatel-Lucent/Nokia Multiservice Integrated Service Adapter (MS-ISA) (DS-lite)
All those services (DS-lite, NAT64, PCP):
● Introduce Layer 4 to core network devices
● Are stateful (which consumes memory/CPU)
● Must support >10k-100k users at the same time
● Allow users to interact directly with core devices (PCP)
34. Who is using?
● Google / Youtube
● Facebook
● Netflix
● Wikipedia
● Yahoo
● Battle.net
● Github
● Orange / UPC (DS-lite and/or NAT64)
● Codilime 😉 (~ 20% of users traffic)
● Windows OS - since ver. 7
● Linux - since 2.6.x
● Mac OS X - since 10.7 (bugged) / 10.11
● Android 5.0 + iOS 4.1
~80% of smartphones on the largest US providers (AT&T, Sprint, T-Mobile and Verizon) are using IPv6.