Fred Bovy, profile picture
Uploaded byFred Bovy
1,343 views

Fb i pv6-sparchimanv1.0

This document provides an overview and agenda for a course on Introduction to IPv6 for Service Providers. The course covers IPv6 essentials such as addressing, operations, applications/services, routing protocols, and transition strategies. It discusses the rationale for adopting IPv6 including the depletion of IPv4 addresses and the need to support the growing number of internet-connected devices. The document outlines some of the key limitations of IPv4 like fragmentation and the issues with long-term reliance on Network Address Translation (NAT) to overcome the address space depletion.

Embed presentation

Downloaded 37 times
1 / 456
2 / 456
3 / 456
4 / 456
5 / 456
6 / 456
7 / 456
8 / 456
9 / 456
10 / 456
11 / 456
12 / 456
13 / 456
14 / 456
15 / 456
16 / 456
17 / 456
18 / 456
19 / 456
20 / 456
21 / 456
22 / 456
23 / 456
24 / 456
25 / 456
26 / 456
27 / 456
28 / 456
29 / 456
30 / 456
31 / 456
32 / 456
33 / 456
34 / 456
35 / 456
36 / 456
37 / 456
38 / 456
39 / 456
40 / 456
41 / 456
42 / 456
43 / 456
44 / 456
45 / 456
46 / 456
47 / 456
48 / 456
49 / 456
50 / 456
51 / 456
52 / 456
53 / 456
54 / 456
55 / 456
56 / 456
57 / 456
58 / 456
59 / 456
60 / 456
61 / 456
62 / 456
63 / 456
64 / 456
65 / 456
66 / 456
67 / 456
68 / 456
69 / 456
70 / 456
71 / 456
72 / 456
73 / 456
74 / 456
75 / 456
76 / 456
77 / 456
78 / 456
79 / 456
80 / 456
81 / 456
82 / 456
83 / 456
84 / 456
85 / 456
86 / 456
87 / 456
88 / 456
89 / 456
90 / 456
91 / 456
92 / 456
93 / 456
94 / 456
95 / 456
96 / 456
97 / 456
98 / 456
99 / 456
100 / 456
101 / 456
102 / 456
103 / 456
104 / 456
105 / 456
106 / 456
107 / 456
108 / 456
109 / 456
110 / 456
111 / 456
112 / 456
113 / 456
114 / 456
115 / 456
116 / 456
117 / 456
118 / 456
119 / 456
120 / 456
121 / 456
122 / 456
123 / 456
124 / 456
125 / 456
126 / 456
127 / 456
128 / 456
129 / 456
130 / 456
131 / 456
132 / 456
133 / 456
134 / 456
135 / 456
136 / 456
137 / 456
138 / 456
139 / 456
140 / 456
141 / 456
142 / 456
143 / 456
144 / 456
145 / 456
146 / 456
147 / 456
148 / 456
149 / 456
150 / 456
151 / 456
152 / 456
153 / 456
154 / 456
155 / 456
156 / 456
157 / 456
158 / 456
159 / 456
160 / 456
161 / 456
162 / 456
163 / 456
164 / 456
165 / 456
166 / 456
167 / 456
168 / 456
169 / 456
170 / 456
171 / 456
172 / 456
173 / 456
174 / 456
175 / 456
176 / 456
177 / 456
178 / 456
179 / 456
180 / 456
181 / 456
182 / 456
183 / 456
184 / 456
185 / 456
186 / 456
187 / 456
188 / 456
189 / 456
190 / 456
191 / 456
192 / 456
193 / 456
194 / 456
195 / 456
196 / 456
197 / 456
198 / 456
199 / 456
200 / 456
201 / 456
202 / 456
203 / 456
204 / 456
205 / 456
206 / 456
207 / 456
208 / 456
209 / 456
210 / 456
211 / 456
212 / 456
213 / 456
214 / 456
215 / 456
216 / 456
217 / 456
218 / 456
219 / 456
220 / 456
221 / 456
222 / 456
223 / 456
224 / 456
225 / 456
226 / 456
227 / 456
228 / 456
229 / 456
230 / 456
231 / 456
232 / 456
233 / 456
234 / 456
235 / 456
236 / 456
237 / 456
238 / 456
239 / 456
240 / 456
241 / 456
242 / 456
243 / 456
244 / 456
245 / 456
246 / 456
247 / 456
248 / 456
249 / 456
250 / 456
251 / 456
252 / 456
253 / 456
254 / 456
255 / 456
256 / 456
257 / 456
258 / 456
259 / 456
260 / 456
261 / 456
262 / 456
263 / 456
264 / 456
265 / 456
266 / 456
267 / 456
268 / 456
269 / 456
270 / 456
271 / 456
272 / 456
273 / 456
274 / 456
275 / 456
276 / 456
277 / 456
278 / 456
279 / 456
280 / 456
281 / 456
282 / 456
283 / 456
284 / 456
285 / 456
286 / 456
287 / 456
288 / 456
289 / 456
290 / 456
291 / 456
292 / 456
293 / 456
294 / 456
295 / 456
296 / 456
297 / 456
298 / 456
299 / 456
300 / 456
301 / 456
302 / 456
303 / 456
304 / 456
305 / 456
306 / 456
307 / 456
308 / 456
309 / 456
310 / 456
311 / 456
312 / 456
313 / 456
314 / 456
315 / 456
316 / 456
317 / 456
318 / 456
319 / 456
320 / 456
321 / 456
322 / 456
323 / 456
324 / 456
325 / 456
326 / 456
327 / 456
328 / 456
329 / 456
330 / 456
331 / 456
332 / 456
333 / 456
334 / 456
335 / 456
336 / 456
337 / 456
338 / 456
339 / 456
340 / 456
341 / 456
342 / 456
343 / 456
344 / 456
345 / 456
346 / 456
347 / 456
348 / 456
349 / 456
350 / 456
351 / 456
352 / 456
353 / 456
354 / 456
355 / 456
356 / 456
357 / 456
358 / 456
359 / 456
360 / 456
361 / 456
362 / 456
363 / 456
364 / 456
365 / 456
366 / 456
367 / 456
368 / 456
369 / 456
370 / 456
371 / 456
372 / 456
373 / 456
374 / 456
375 / 456
376 / 456
377 / 456
378 / 456
379 / 456
380 / 456
381 / 456
382 / 456
383 / 456
384 / 456
385 / 456
386 / 456
387 / 456
388 / 456
389 / 456
390 / 456
391 / 456
392 / 456
393 / 456
394 / 456
395 / 456
396 / 456
397 / 456
398 / 456
399 / 456
400 / 456
401 / 456
402 / 456
403 / 456
404 / 456
405 / 456
406 / 456
407 / 456
408 / 456
409 / 456
410 / 456
411 / 456
412 / 456
413 / 456
414 / 456
415 / 456
416 / 456
417 / 456
418 / 456
419 / 456
420 / 456
421 / 456
422 / 456
423 / 456
424 / 456
425 / 456
426 / 456
427 / 456
428 / 456
429 / 456
430 / 456
431 / 456
432 / 456
433 / 456
434 / 456
435 / 456
436 / 456
437 / 456
438 / 456
439 / 456
440 / 456
441 / 456
442 / 456
443 / 456
444 / 456
445 / 456
446 / 456
447 / 456
448 / 456
449 / 456
450 / 456
451 / 456
452 / 456
453 / 456
454 / 456
455 / 456
456 / 456
INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS Version 1.0 Student Guide
COURSE INTRODUCTION Introduction to IPv6 for Service Providers (FB-IPv6SPArchiMan) (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
COURSE OVERVIEW This course on IPv6 addresses the knowledge and skill requirements for Architects and Projects Managers supporting IPv6 design and implementation for Service Provider customers. The course covers IPv6 Essentials details. As a Prerequisites, taking the “IPv6 For Life!” Free On-Line Tutorial will help. You can find the 3 Flash modules from http://fredbovy.com. For further Study, the book “Understanding IPv6 Concepts” dig in depth all the concepts explained in this course. Migration strategies for a full range of scenarios are discussed.
COURSE CONTENT The High-Level Objectives for this course are as follows: § Overview of IPv6 § IPv6 Addressing in depth § IPv6 Operations § IPv6 Applications and Services § IPv6 routing protocols § Introduction to IPv6 Multicast § IPv6 Transition and customer integration Strategies including dual stack, 6to4 and 6RD Tunnels, NAT64 and DNS64 translation, Large Scale Nat (LSN or CGN) NAT444, NAT464, DS-Lite, 6PE and 6VPE. § Introduction to IPv6 Security (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
ABOUT THE AUTHOR:
§ Lesson 1: The origin: IPv4 and the rationale for IPv6 § Lesson 2: IPv6 Protocol and Addresses § Lesson 3: ICMPv6 and Neighbor Discovery § Lesson 4: IPv6 Services § Lesson 5: IPv6 Routing Protocols § Lesson 6: IPv6 Multicast § Lesson 7: Transition to IPv6 – Dual-Stack – Tunneling – Translating § Lesson 8: QoS in IPv6 Networks § Lesson 9: IPv6 and Security – Routing Protocols Security – IPSec – Threat on NDP and SEND COURSE AGENDA (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
TYPOGRAPHIC CONVENTIONS Convention Type of Information Italic Font Book titles. Word or characters that require special attention. Variable names or placeholders for information you must supply, for example: Enter the following command: ifstat [-z] {-a interface} Interface is the name of the interface for which you want to view statistics. Monospaced font! Command names, daemon names, and option names. Information displayed on the system console or other computer monitors. The contents of files. Bold monospaced font! Words or characters you type, for example: Enter the following command: options httpd.enable on!
(C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
Introduction to IPv6 INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
IPV4 AND ASSOCIATED PROTOCOLS § IPv4 was a Network designed for the Army that was supposed to interconnect thousands of hosts § The Internet was not open to the public and you had to sign that you will not use the Internet for business § Autoconfig was not needed § No smartphones, no sensors, no game console, no iPAD, no ADSL, no cable home access and no Internet Access at home § IPv4 delivers a best-effort service § It was associated with other protocols: § ARP to resolve MAC address based on IP address § DHCP for centralized configuration of end nodes
IPV4 HEADER Version Header Length D T 0 R E Total Length Fragment ID Flag Fragment Offset Time To live (TTL) Protocol header checksum Source Address Destination Adress Options (+ padding) P P P DF M
FRAGMENTATION Identification (16 bits) § To identify all fragments from the same datagram Fragment Offset (13 bits) § To reorder the fragments Flag § DF – Do not Fragment § MF - More Fragment
PMTUD: 1ST ROUTER DROP MTU=1300 § The source sends a datagram MTU=1500 § 1st router MTU=1300 § Drop § ICMP Pkt Too big MTU=1300
PMTUD: 2ND ROUTER DROP MTU=1100 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
PMTUD: PACKET REACHES THE DESTINATION
IPV4 ADDRESSES § Address IP Source/Destination § Class A. Addresses 1.0.0.0 to 126.255.255.255. § 10.0.0.0. to 10.255.255.255 is private § 128 domains (Networks) and 16.777.214 class A hosts per domain § Class B. 127.0.0.0 to 191.255.255.255. § 172.16.0.0. to 172.31.255.255 is private § 16.000 domains and 65.534 Class B hosts per domain § Class C. 192.0.0.0 to 223.255.255.255. § 192.168.0.0. à 192.168.255.255 is private § 2.000.000 domains and 254 Class C Hosts per domain § Class D. 224.0.0.0 to 239.255.255.255 Multicast § Class E. 240.0.0.0 to 247.255.255.255 Experimental § 4 billion node maximum § VLSM et CIDR have removed the class limitation which were wasting a lot of addresses § NAT/Private Address Space (RFC1918)
NAT/PAT § NAT allows the translation of private to public addresses § PAT allows many private addresses to use the same public address § RFC2993 Architectural Implications of NAT § Cons: § Bottleneck § Single point of failure § Applications must be NAT Friendly § Does not allow end-to-end security and permit undetected MITM attacks § High hidden costs to have applications support § Pro: § Hide the private networks topology
SOME DISCUSSIONS ABOUT NAT RFC 1579 - Firewall Friendly FTP RFC 2663 - IP Network Address Translator (NAT) Terminology and Considerations RFC 2709 - Security Model with Tunnel-mode IPsec for NAT Domains RFC 2993 - Architectural Implications of NAT RFC 3022 - Traditional IP Network Address Translator (Traditional NAT) RFC 3027 - Protocol Complications with the IP Network Address Translator (NAT) RFC 3235 - Network Address Translator (NAT)-Friendly Application Design Guidelines RFC 3715 - IPsec-Network Address Translation (NAT) Compatibility RFC 3947 - Negotiation of NAT-Traversal in the IKE RFC 5128 - State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)
OPTIONS Limited number of possible options: § Class 0 - 0 - 00000 – End of the option list (padding). - 1 - 00001 – No Operation. - 2 - 00010 – Security and management restriction used by military applications. - 3 - 00011 – Loose Source Routing. - 7 - 00111 – Route Recording. - 8 - 01000 – Connection identification. - 9 - 01001 – Strict Source Routing. § Class 2 - 4 - 00100 – Internet Timestamp.
DHCP § For end nodes, centralized configuration § Everything is configured from a DHCP server: § IP Address § Default Router § DNS Servers Addresses § SIP Server Addresses § Domain Names
IPV6 RATIONALE IN THE SERVICE PROVIDER ENVIRONMENT § The question is not “if” it will happen, but “when” will it happen § IPv4 addresses depleted as of February 2011 § Number of connected devices continues to increase § IPv4 can accommodate 4 billion on nodes § Exceed 15 billion in 2015 and 50 billion in 2020 § Over 100 billions Microcontrollers; 10 billions shipped per year § Devices are always connected, from anywhere § It will eliminate IPv4 issues once fully deployed § NAT § Network efficiency and scalability § It has integrated features (services) § Global addresses § Mobility § Security
NAT/PAT IS THE HEROINE OF THE INTERNET § NAT/PAT with private addresses was invented as a workaround for address depletion in the 1990s. Then people started to use it and found that NAT/PAT was the solution for everything: Security, multihoming, and address independency with the Service Provider. § Most people do not realize the huge hidden costs which go with NAT. All the new applications must be engineered to bypass and support NAT. There are more than 77 RFCs about NAT if you do a simple search on the IETF with NAT keyword, then look at the result. § NAT denies end-to-end security, is a problem for real security protocols like IPSec or DNSSEC. § NAT seems to be the solution for everything ,while actually it breaks a lot (most) of the network applications and does not permit end-to-en security. It gives an opportunity for undetected MITM exploits which could be prevented with end-to-end security. § When people have start to use NAT/PAT they cannot imagine any network without it or how the Internet was before the introduction of NAT/PAT.. § NAT creates more issues than it solves problems. Without NAT, we would not have sleep for 20+ years before starting a protocol more appropriate than IPv4. Do you know that before it was prohibited by Law in the USA in 1959 and in France in 1963, Heroine was sold in Pharmacy as a Miracle Medicine for almost everything?
WHO IS RUNNING IPV6 ? A lot of ISPs and enterprises already use IPv6: § Free SAS § RENATER § The Cable Operators with DOCSIS 3.0 § COMCAST – Running IPv6 internally for years – General roll out scheduled to be completed in 2012 § Time Warner – General roll out scheduled to start next year § Mobile Phone – 4G: Designed for IPv6, 3G supports IPv6 – T-Mobile: IPv6 only – Verizon LTE: IPv6 is primary protocol – Sprint: Deploying IPv6 in 2012
SERVICE PROVIDER IPV6 TRANSITION STRATEGIES § An end-to-end IPv6-only core is the ultimate goal. § Transition strategies require Carrier Grade solutions: § Native IPv4 core § Dual Stack § Large Scale NAT (Carrier Grade NAT, AFT) § MPLS enabled core § 6PE § 6VPE § The solution must support any customer connection. § Keeping two protocols is expensive. AT&T predicts the end of IPv4 in 2020.
SERVICE PROVIDER DRIVERS FOR ADOPTION OF IPV6 § IPv4 growth potential is finite even with double NAT § Structured migration path to IPv6 § Be one of the first to market with IPv6 enabled services § Customers will require access to new IPv6 content from content providers § SPs will be competing for services that are IPv6 dependant § Some devices, like smartphones, will be very soon IPv6-only § NAT cannot be the solution for all applications and all users § See IDC and Renater Migration Case Studies
CONCLUSION § IPv4 is not designed to support multiple addresses per user § NAT cannot be a solution for some applications § IPv4 Options are not extensible § New transport are introduced to support new applications § IPv4 cannot permit an address for each device which will need connection to the Internet
(C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
FEATURES AND BENEFITS § No more fragmentation info in each packet § No more Header CHECKSUM § It is now mandatory for UDP § Traffic Class (8 bits) replaces the Precedence and ToS Byte § The Flow Label (20 bits) identifies a flow § Addresses are 128 bits long § No More NAT needed § Alignment on 64 bytes § Header size increases from 20 bytes to 40 bytes § Autoconfiguration
TRANSITION RICHNESS § Dual-Stack § Translation § NAT, LSN, CGN § NAT-PT = NAT46+NAT64+ALG § NAT64/DNS64, NAT444, NAT464 § Tunneling § 6to4, 6RD, 4RD § DS-Lite = 4RD + LSN § IPv6 Over IPv4/MPLS § 6PE § 6VPE
IPv6 Operations INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
IPV6 ADDRESSING ARCHITECTURE (RFC 4291) § Unicast (one-to-one) § To identify a network interface § Three scopes of addresses: § IPv6 Global § Link-Local § Unique Local Address (equivalent RFC1918) § Multicast (one-to-many) § To identify a set of interface on the network § Traffic is routed to all of these interfaces § Scope: interface, link, site, organization, global § Anycast (one-to-nearest) § To identify a set of interfaces on the network § The traffic is routed to the nearest interface § IPv6 Addressing Architecture § http://tools.ietf.org/html/rfc4291
REPRESENTATION (RFC 4291) § X:X:X:X:X:X:X:X § X is a Hexa field on 16 bits § Consecutive 0 are represented by :: but this can be used only once in the address § 2000:1::0102:1234:4222 § FF01:0:0:0:0:0:0:1 or FF01::1 § 0:0:0:0:0:0:0:0 or :: § In an URL, the address is surrounded by [ ] § http://[2001:1:4::11]:8080/index.html
GLOBAL UNICAST ADDRESS (RFC 4291) § Global unicast host address: – 2000:0001:0002:0000:0000:0005:0006:0007 – 2000:0001:0002::0005:0006:0007 § Network Prefix: – 2000:0001:0002::/48 – 2000:1000:0001:0010::/64 § In the Internet 2000::/3 global unicast address: – http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address- assignments.xml – http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry. xml Provider . 48 bits Site . 16 bits Host. 64 bits Global Routing Prefix SLA Interface ID
IPV6 GLOBAL UNICAST ADDRESS FORMAT (RFC 3587) Initial Format Provider . n bits 64 .n bits Host. 64 bits Global Routing Prefix Subnet ID Interface ID IETF assigned 001 for Global Unicast, 2620::/12 assigned to American Registry for Internet Numbers 16 Bits 3 9 bits 36 bits Host. 64 bits 00 1 ARIN RIR or ISP Subnet ID Interface ID RFC 2374: Aggregatable Global Unicast Address Structure Public Topology Site Topology Interface Identifier 13 8 24 16 3 64 bits FP TLA ID RES NLA ID SLA ID Interface ID
AGGREGATABLE GLOBAL UNICAST ADDRESS STRUCTURE (RFC 2374) § FP: Format Prefix (001) § TLA ID: Top-Level Aggregation Identifier § A default free router will have a route to each TLA ID plus the specific routes for the TLA ID it belongs to. § RESERVED for future utilization § NLA ID: Next-Level Aggregation Identifier § Identify sites within an organization. § SLA ID: Site-Level Identifier § Identify the subnets within an organization § Same as the IPv4 Subnets § Supports 65.535 Subnets § Interface Identifier Public Topology Site Topology Interface Identifier 13 8 24 16 3 Host. 64 bits NLA ID SLA ID Interface ID FP TLA ID RES
LINK-LOCAL ADDRESS (RFC 4291) § Allows automatic address configuration without router § Equivalent in IPv4: 169.254.0.0/16 (RFC 3927) § FE80::/10 128bits All 0s Interface ID 11111 1010 FE80::/10 64 bits
SCOPED ADDRESS ARCHITECTURE (RFC 4007) § At the beginning the Site-Locale was defined § fec0::/10 § This was deprecated by RFC 3879 § All addresses but the unspecified have a scope § RFC 4007 defines a « Scope Zone » or Zone as a connected region with a given scope § It is noted with the sign % § Example: fe80::1%5
UNIQUE-LOCAL ADDRESS (RFC 4193) § For private addresses like RFC 1918 for IPv6 § Network Prefixes: § FC00::/7 Globally Managed § FD00::/8 Locally Managed § To reserve an address: § http://www.sixxs.net/tools/grh/ula/ 48 bits 16 bits Host. 64 bits Global ID 40 bits Subnet ID Interface ID 1111 1100 1111 1101 FC00::/7 FD00::/8
INTERFACE ID DERIVED FROM THE MAC: EUI-64 § Mac Address 48 bit § X=1 Unique § X=0 Not Unique 00 90 59 02 E0 F9 00 90 59 FF FE 02 E0 F9 000000X0
RANDOM INTERFACE ID (RFC 4941) § If the interface ID is derived from the MAC address, it will be constant. § There is no NAT, this can be used to track a user. § Privacy Extension uses a randomized ID to configure the interface ID.
SPECIAL ADDRESSES (RFC 4291) § Unspecified § 0:0:0:0:0:0:0:0 or:: § Used when the node does not have an address configured § Loopback § 0:0:0:0:0:0:0:1 § ::1 § 127.0.0.1 for ipv4 § IPv4-Mapped § ::ffff:192.168.0.11 § Another RFC 5156 compiles the special addresses which should not be routed on the Internet § http://tools.ietf.org/html//rfc5156
Flag – 4 bits § O if permanent § 1 if temporary Scope – 4 bits § 1=node § 2=link § 4=admin § 5=site § 8=Organization § E=Global MULTICAST (RFC 4291) Only the link-local is automatically filtered by routers. Other scope must be implemented with Access-List FF Flag Scope 0 Interface ID 128 bit (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
MULTICAST ADDRESS RESERVED § FF01::1 Interface-local Scope All node address § FF01::2 Interface-local Scope All routers address § FF02::1 Link-local Scope all node adress § FF02::2 Link-local Scope All routers address § FF05::1 Site-local Scope All node address § FF05::2 Site-local Scope all routers address § FF05::1:3 Site-local Scope all DHCP server
SOLICITED-NODE MULTICAST ADDRESS § Unicast Address § 805B:2D9D:DC28::FC57:D4C8:1FFF § Prefix § FF02:0:0:0:0:1:FF § Solicited-node multicast adress § FF02:0:0:0:0:1:FFC8:1FFF § Automatically configured for each unicast Prefix Interface Identifier FF02 O 0001 FF 24 bits 128 bits
IPV6 ADDRESS SPACE http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
IPV6 ADDRESS SUMMARY These addresses include: § ::/128 Unspecified Adddress § ::1/128 loopback Address § 2001::/32 Teredo prefix § 2001:db8::/32 reserved for training and documentation by RFC 3849 § 2002::/16 prefix used by 6to4 Prefix Description ::/8 Address Reserved 2000::/3 Internet Routed Global Unicast Address fc00::/7 Site Local Address (deprecated) fe80::/10 Link-Local Address ff00::/8 Multicast Address http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
ADDRESSES REQUIRED FOR AN IPV6 NODE § A Link-local for each interface § Loopback § Assigned Unicast § All-nodes Multicast § Solicited-node multicast for each unicast § Multicast
ADDRESSES REQUIRED FOR A ROUTER All the addresses needed for a node plus: § Anycast address is a particular service needs it § All-Routers Multicast § Routing protocols specific multicast addresses
IPV6 IN ETHERNET Protocole IPv6: Ox86DD Dest Ethernet Adress Source Ethernet Adress 0x86DD IPv6 Header and charge
MULTICAST MAPPING ON ETHERNET IPv6 Multicast Address § FF02:0:0:0:0:1:FF90:FE53 § 128 bits Mac Address § 33:33:FF:90:FE:53 § 48 bits FF02:0:0:0:0:1:FF90:FE53 33:33:FF:90:FE:53
sa13-72c(config-if)#do show ipv6 int gig0/2 GigabitEthernet0/2 is up, line protocol is up § IPv6 is enabled, link-local address is FE80::20B:60FF:FEB4:9C1A No Virtual link-local address(es): § Stateless address autoconfig enabled Global unicast address(es): § 2000:1::20B:60FF:FEB4:9C1A, subnet is 2000:1::/64 [EUI/CAL/PRE] § Valid lifetime 2591911 preferred lifetime 604711 Hosts use stateless autoconfig for addresses Joined group address(es): § FF02::1 § FF02::2 § FF02::1:FFB4:9C1A § MTU is 1500 bytes § ICMP error messages limited to one every 100 milliseconds § ICMP redirects are enabled § ICMP unreachables are sent § ND DAD is enabled, number of DAD attempts: 1 § ND reachable time is 30000 milliseconds (using 23319) § ND advertised reachable time is 0 (unspecified) § ND advertised retransmit interval is 0 (unspecified) § ND router advertisements are sent every 200 seconds § ND router advertisements live for 1800 seconds § ND advertised default router preference is Medium CISCO IPV6 INTERFACE (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
ASSIGNMENT OF ADDRESSES IANA 2a01:0e35:2f26:d340:acaa:4946:9234:1379! RIR ISP/LIR EU/ISP EU RIR NIR ISP/LIR EU Regional Internet Registries (ARIN, APNIC, RIPE, NCC) National Internet Registries Local Internet Registries End Users http://www.ripe.net/ripe/docs/ripe-512
IPV6 ADDRESS ALLOCATION § IPv6 addresses are 4 time bigger than IPv4 § Must be carefully managed not to explode the size of routing tables § Bloc of addresses are allocated by IANA or a RIR § To be eligible for address allocation: § Must be a LIR § Have a plan to provide addresses to customers within two years § Minimum allocation to a LIR is a /32
ADDRESSES ASSIGNMENT TO A USER § The assignment of addresses to end users is done by LIR § RFC 3177 obsoleted by RFC6177 § Standard is no more /48 but between /48 and /64 § For a large customer § /47 or larger can be assigned § Or multiple /48 § /64 for a single subnet § /128 for a single host § By default the assignment is temporary § For multihomed users Provider Independant (PI) addresses § RIPE Looking Glass: http://stat.ripe.net/2a01:e00::/26! http://stat.ripe.net/2804:258::/32!
INTERNET HIERARCHY ISP1 21ae:db8::/32 Cust1 21ae:db8:1::/48 RIR1 21ae::/8 Cust2 21ae:db9:1::/48 Cust4 2001:db8:2::/48 ISP2 21ae:db9::/32 Cust3 2001:db8:1::/48 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! ISP3 2001:db8::/32 IANA 2000::/3 RIR2 2001::/8
PROVIDER ASSIGNED ADDRESS SPACE § FP: Format Prefix (001) § TLA ID: Top-Level Aggregation Identifier § RESERVED pour utilisation future § NLA ID: Next-Level Aggregation Identifier § SLA ID: Site-Level Identifier § Interface Identifier Site Public Topology Topology Interface Identifier 13 8 24 16 3 Host. 64 bits FP TLA ID RES NLA ID SLA ID Interface ID
MULTIHOMING ISP1 2001:db8::/32 assign 2001:db8:1::/48 ISP2 2001:db9::/32 assign 2001:db9:100::/48 Site 2001:db8:1::/48 2001:db9:100::/48 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
PROVIDER-ASSIGNED ADDRESS § The /48 prefix is assigned by ISP § The address belongs to the ISP and should be returned by the end of the contract. ISP1 2001::db8::/32 2001:db8:1::/48 ISP2 2001:db9::/32 2001:db9:100::/48 2001:db8:1::/48 2001:db9:100::/48 2001:db8:1::/48 2001:db9:100::/48
PROVIDER-ASSIGNED – MULTIHOMED WORKSTATIONS ISP1 2001:db8::/32 ISP2 2001:db9::/32 § End node now has two addresses 2001:db9:100::/48 2001:db8:1::/48 2001:db9:100:99:42:345F:1:1/64 2001:db8:1:99:42:345F:1:1/64
PROVIDER-ASSIGNED – FAULT TOLERANCE(1) ISP1 ISP2 § Better route from ISP2 § A session is started 2001:db9:100::/ 48 2001:db9:100:99:42:345F:1:1/64 2001:db8:1:99:42:345F:1:1/64 2001:db8:1::/48
PROVIDER-ASSIGNED – FAULT TOLERANCE (2) § Dest thru ISP2 is no longer reachable § The session fails ISP1 ISP2 2001:db9:100::/48 2001:db8:1::/48 2001:db9:100:99:42:345F:1:1/64 2001:db8:1:99:42:345F:1:1/64
PROVIDER-ASSIGNED – FAULT TOLERANCE (3) ISP1 ISP2 § A new session must be started 2001:db9:100::/48 2001:db8:1::/48 2001:db9:100:99:42:345F:1:1/64 2001:db8:1:99:42:345F:1:1/64
PROVIDER-ASSIGNED MULTIHOMING § Routing based Solution § RFC 3178 § Need to establish tunnels with ISPs § Does not protect upstream ISP failure scenario § Quite complex to setup § Host based sloution § Shim6. RFC 5533, RFC 5534, RFC 5535 § http://www.shim6.org/ § http://datatracker.ietf.org/wg/shim6/charter/ § Many solution proposed § Need to update software on the hosts § Prefix Translation stateless (NPT6 no NAT66 !) § Experimental Draft RFC6296 § http://fredbovyipv6.blogspot.com/2011/09/from-nat66-to-ipv6-to-ipv6-network.html § The solution should conform to RFC 3852 § https://www.ietf.org/rfc/rfc3582.txt
PA MULTIHOMING (RFC 3178)
PA MULTIHOMING: SHIM6 http://www.shim6.org/ AP1 AP2 … APn TCP/UDP IP identifie r End-Point Shim6 Layer Locator Forwar d Shim6 Layer Shim6 Protocol
PROVIDER-INDEPENDANT ADDRESS: MULTIHOMING § Same as IPv4 § No more renumbering if one change of ISP ISP1 2001:db8:1::/48 2001:db8:66::/48 ISP2 2001:db8:100::/48 2001:db8:66::/48 2001:db8:66::/48 2001:db8:1::/48 2001:db8:1::/48 2001:db8:100::/48 2001:db8:66::/48 2001:db8:100::/48 2001:db8:66::/48
PROVIDER-INDEPENDANT VERSUS PROVIDER-ASSIGNED § Provider Assigned § It was the only solution until 2009 § Keep routing table size quite low § Multihoming may be hard to setup § Provider Independent § Allocated by the RIR § Solve the multihoming problem § In Europe this is allocated by the RIPE § Must be Multihomed § Need to comply with: http://www.ripe.net/ripe/docs/ripe-452 § No more aggregation of the routing table
CONCLUSION § No more address limitation § No more NAT limitation § Extensible with Option headers § Performance-oriented header, but twice bigger § Multicast replaces the broadcast § Multihoming is still an open debate
(C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
IPV6 HEADER Ver Traffic Class Flow Label Payload Length Next Header=Hop-By-Hop Hop Limit Source IPv6 Address Next Header=Routing Hdr Next Header=TCP DDeessttininaattioionn IIPPvv66 A Addddrreessss Hop-By-Hop Routing Header TCP Header
IPV6 HEADER Ethernet II, Src: ca:02:42:76:00:08 (ca:02:42:76:00:08), Dst: IPv6mcast_00:01:00:02 (33:33:00:01:00:02) Destination: IPv6mcast_00:01:00:02 (33:33:00:01:00:02) Source: ca:02:42:76:00:08 (ca:02:42:76:00:08) Type: IPv6 (0x86dd) Internet Protocol Version 6 0110 .... = Version: 6 [0110 .... = This field makes the filter "ip.version == 6" possible: 6] .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 56 Next header: UDP (0x11) Hop limit: 255 Source: fe80::38b1:e73c:c0f0:4442 (fe80::38b1:e73c:c0f0:4442) Destination: ff02::1:2 (ff02::1:2) User Datagram Protocol, Src Port: dhcpv6-client (546), Dst Port: dhcpv6-server (547) Source port: dhcpv6-client (546) Destination port: dhcpv6-server (547) Length: 56 Checksum: 0x86f0 [validation disabled] (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
TRAFFIC CLASS § One byte § Same as ToS+Precedence in IPv4 § Carry the DSCP § Can be changed by routers (mutable)
FLOW LABEL (RFC3697) § To Identify a flow of data § Not currently used by applications § Is not modified by routers (Unmutable) § A flow is identified by addresses and flow label. § Not encrypted by IPSec § Not fragmented if fragmentation occurs § Not very used because it could be used by DoS Attacks
IPV6 OPTION HEADER § IPv4 protocol field replaced by Next Header § Each option is formatted as a TLV (Type Length Value) 8 bits 8 bits Option Type Option Length Option data
HOP-BY-HOP OPTION § Hop-by-Hop (Next header=0) option must be inspected by all nodes § Used by Jumbogram to reach 65,536 octets § RFC 2711 Router Alert used by MLD, RSVP § Each router need to check this option § IANA manage a list of allocated numbers § 0 to 35 have been allocated § 36 to 65535 should be rejected § Must be the first option
ROUTING HEADER § Type 0: Source Routing § Loose Source Routing § Deprecated http://www.ietf.org/rfc/rfc5095.txt § Type 1: Obsolete § Type 2: RFC3775 Used by Mobile IPv6
OTHER IPV6 OPTION HEADER § Destination Option § An option for the destination IPv6 address only § Fragment Header § Fragmentation is only permitted by the source § Routers cannot fragment packet anymore § Authentication Header § ESP Header § Mobility Header
OPTIONS ORDERING § Hop-by-hop § Destination options (if routing present) § Routing § Fragment § Authentication § ESP § Mobility § Destination option (if routing absent) § Upper layer
IPV6 PACKET CAPTURE Internet Protocol Version 6 0110 .... = Version: 6 .... 1010 0000 .... .... .... .... .... = Traffic class: 0x000000a0 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 60 Next header: IPv6 hop-by-hop option (0x00) Hop limit: 64 Source: 2005::2 (2005::2) Destination: 2005::1 (2005::1) Hop-by-Hop Option Next header: IPv6 destination option (0x3c) Length: 0 (8 bytes) PadN: 6 bytes Destination Option Next header: ICMPv6 (0x3a) Length: 0 (8 bytes) PadN: 6 bytes (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
MAXIMUM TRANSMISSION UNIT IPv4 § MTU >= 68 Octets IPv6 § MTU >= 1280 Octets § PMTUD Link-Layer Frame Frame Header IPv6 Packet Frame Trailer Minimum MTU = 1280 Octets
ICMPv6 INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
TOPICS § Introduction § ICMPv6 § MLD (IGMP) § ICMPv6 Protection § ICMPv6 Error Messages § Destination Unreachable § Time Exceeded § Packet too Big § Parameter Problem § Information Messages § Echo Request § Echo Reply § Cisco and ALU 7750 Example
INTRODUCTION § RFC 4443 § IPv6 extension header type 58 § Path MTU Discovery § ICMPv6 carry Neighbor Discovery Protocol, MLD
ICMPV6/NDP HEADER http://www.iana.org/assignments/icmpv6-parameters § List all types, codes and more Type Code Checksum Message Body
MLD (IGMP) § Router and Multicast Receivers Protocol § MLDv1 (RFC 2710) § IGMPv2. RFC 2236 § Multicast Listener Query. ICMPv6 Type 130 § Multicast Listener v1. Report. ICMPv6 Type 131 § Multicast Listener Done. ICMPv6 Type 132 § MLDv2 § IGMPv3. RFC 3376 § Multicast Listener Query. ICMPv6 Type 130 § Multicast Listener Report. v2. ICMPv6 Type 143
ICMPV6 PROTECTION The following messages MUST have a hop limit = 255 § RS:133, RA:134 § NS:135, NA:136 § Redirect: 137 § Inverse Neighbor Discovery Solicitation: 141 § Inverse Neighbor Discovery Advertisement: 142 § Certificate Path Solicitation (SEND): 148 § Certificate Path Advertisement (SEND): 149
ICMPV6 INFORMATION MESSAGE § pingv6 § Echo Request § Echo Reply sa13-72c>ping 2000:1::100! Type escape sequence to abort.! Sending 5, 100-byte ICMP Echos to 2000:1::100, timeout is 2 seconds:! !!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms! sa13-72c>! Apr 21 05:56:54: ICMPv6: Sent echo request, Src=2000:1::20B:60FF:FEB4:9C1A, Dst=2000:1::100! Apr 21 05:56:54: ICMPv6: Received echo reply, Src=2000:1::100, Dst=2000:1::20B:60FF:FEB4:9C1A! Apr 21 05:56:54: ICMPv6: Sent echo request, Src=2000:1::20B:60FF:FEB4:9C1A, Dst=2000:1::100! Apr 21 05:56:54: ICMPv6: Received echo reply, Src=2000:1::100, Dst=2000:1::20B:60FF:FEB4:9C1A! Apr 21 05:56:54: ICMPv6: Sent echo request, Src=2000:1::20B:60FF:FEB4:9C1A, Dst=2000:1::100! Apr 21 05:56:54: ICMPv6: Received echo reply, Src=2000:1::100, Dst=2000:1::20B:60FF:FEB4:9C1A! Apr 21 05:56:54: ICMPv6: Sent echo request, Src=2000:1::20B:60FF:FEB4:9C1A, Dst=2000:1::100! Apr 21 05:56:54: ICMPv6: Received echo reply, Src=2000:1::100, Dst=2000:1::20B:60FF:FEB4:9C1A! [SNIP]!
ERROR MESSAGES § Destination Unreachable § Packet Too Big § Time Exceeded § Parameter Problem
TYPE: DESTINATION UNREACHABLE Code Description Utilization 0 No route to destination The packet was dropped because the router did not have a route to the destination 1 Communication administrativement prohibited The packet was filtered by a router (ACL) 3 Unreachable address The data link layer cannot be resolved 4 Port unreachable The UDP or TCP destination port does not exist or is ignored by the host (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
TYPE: TIME EXCEEDED Code: Hop Limit Exceeded in Transit § The hop limit is decremented at each hop. § When it reaches zero. § The packet is dropped § ICMPv6 TIME EXCEEDED CODE: Hop limit exceeded in transit is sent to the source address of the packet § This mitigates the consequences of a routing loop in a network. Code: Fragment reassembly Time exceeded § When a station receives the first fragment of a packet, it starts a timer § If the timer reaches zero before the original datagram get reassembled § All fragments get dropped § TIME EXCEEDED, CODE: Fragment reassembly time exceeded is sent to the source of the packet
TYPE: PACKET TOO BIG § When a router must forward a datagram on a link with an MTU smaller than the packet size § It drops the packet § It sends an ICMPv6 Packet Too Big providing the MTU of the link § The source must § Send a new and smaller packet with a length matching the available MTU § Or send the original datagram fragmented with a fragment size matching the available MTU § The minimum MTU in IPv6 MUST be 1280 bytes
TYPE: PARAMETER PROBLEM § A pointer helps this type to find the right field or option § Packet with such problem MUST be discarded and an ICMPv6 Parameter Problem SHOULD be sent Code Description Utilization O Erroneous header field encountered A field in the header is wrong 1 Unrecognized next header type encountered The next header is not recognized. 2 Unrecognized IPv6 option encountered The option field is not recognized
ALU 7750: SHOW ROUTER ICMP6 A:SR-3>show>router>auth# show router icmp6 =============================================================================== Global ICMPv6 Stats =============================================================================== Received Total : 14 Errors : 0 Destination Unreachable : 5 Redirects : 5 Time Exceeded : 0 Pkt Too Big : 0 Echo Request : 0 Echo Reply : 0 Router Solicits : 0 Router Advertisements : 4 Neighbor Solicits : 0 Neighbor Advertisements : 0 ------------------------------------------------------------------------------- Sent Total : 10 Errors : 0 Router Solicits : 0 Router Advertisements : 0 Neighbor Solicits : 5 Neighbor Advertisements : 5 =============================================================================== A:SR-3>show>router>auth# (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
CONCLUSION § ICMPv6 is quite similar to ICMP for IPv4 § Information message: Echo Request, Echo Reply § Error Messages § ICMPv6 is also used to transport § Neighbor Discovery Protocol § MLD for multicast
Neighbor Discovery Protocol INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
NDP FEATURES § RFC 4861, RFC 4862 § Router Discovery § Neighbor Discovery § Prefix Discovery § Parameter Discovery § Address Auto-Configuration § Address Resolution § Next-hop Determination § Neighbor Unreachability Detection § Duplicate Address Detection § Redirection § Default Router and More Specific route Selection § Proxying node
NEIGHBOR SOLICITATION (NS) § MAC Address Resolution § NS are sent to the neighbor Solicited Node Multicast Address to resolve its MAC address based on its IPv6 Address § Same purpose a ARP in IPv4 § Optimized as the NS provides the sender MAC address § Neighbor Unreachability Detection § After « reachable time » without neighbor reachability confirmation from upper layer, a NS is sent to the neighbor Unicast address to check the neighbor reachability § Duplicate Address Detection § Before an IPv6 can be used DAD is performed
NS TO RESOLVE THE NEIGHBOR MAC ADDRESS § Sent to the solicited node address, this is to ask the neighbor MAC address from its IPv6 Address
NS PROBE TO CHECK NEIGHBOR REACHABILITY § Sent to the Unicast address, this is a probe for Reachability
ND – NEIGHBOR ADVERTISEMENT § To reply with the MAC address or to acknowledge reachability
NEIGHBOR CACHE MANAGEMENT FSM (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
NEIGHBOR UNREACHABILITY DETECTION § ND Protocol can detect that a neighbor is unreachable § This may be useful to use a new default router § This can be detected by: § Upper layer protocol acknowledge traffic § NA received in response of an NS § This is configured on a Cisco Router with two parameters: § IPv6 nd ns-interval <milliseconds> § IPv6 nd reachable-time <milliseconds>
STATE MACHINE FOR REACHABILITY NA1 – Receive a NA with Solicited=0 NA2 – Receive a NA with Solicited=1 NA3 – Receive a NA with Solicited=1 and Override=1 or Override=0 and the link-layer identical to the one in cache NA4 – Receive a NA with solicited=1, Override=0 abd link-layer different of the one in cache NA5 – Receive a NA with solicited=0, override=1, and link-layer different from cache O – Receive another paquet ND with a link-layer different from the cache. S – Send a packet T – Timeout Te – Timeout with no more retry U – Upper Layer confirmed Create Entry Send NS Incomplete NA2 Stale Delay Probe Reachable Te NA1 Report Error Delete Entry NA3 Or U T or O or NA4 or NA5 T Retry NS NA3 ou U Retry NS Send NS NA5 ou O S NA3 ou U NA5 ou O T Te T T
NEIGHBOR STATES § INCOMPLETE § Address resolution is being performed on the entry. Specifically, a Neighbor Solicitation has been sent to the solicited-node multicast address of the target, but the corresponding Neighbor Advertisement has not yet been received. § REACHABLE § Positive confirmation was received within the last ReachableTime milliseconds that the forward path to the neighbor was functioning properly. While REACHABLE, no special action takes place as packets are sent. § STALE § More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was functioning properly. While stale, no action takes place until a packet is sent. The STALE state is entered upon receiving a unsolicited Neighbor Discovery message that updates the cached link-layer address. Receipt of such a message does not confirm reachability, and entering the STALE state ensures reachability is verified quickly if the entry is actually being used. However, reachability is not actually verified until the entry is actually used. § DELAY § More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was functioning properly, and a packet was sent within the last DELAY_FIRST_PROBE_TIMEseconds. If no reachability confirmation is received within DELAY_FIRST_PROBE_TIME seconds of entering the DELAY state, send a Neighbor Solicitation and change the state to PROBE. The DELAY state is an optimization that gives upper-layer protocols additional time to provide reachability confirmation in those cases where ReachableTime milliseconds have passed since the last confirmation due to lack of recent traffic. Without this optimization, the opening of a TCP connection after a traffic lull would initiate probes even though the subsequent three-way handshake would provide a reachability confirmation almost immediately. § PROBE § A reachability confirmation is actively sought by retransmitting Neighbor Solicitations every RetransTimer milliseconds until a reachability confirmation is received.
NEIGHBOR DISCOVERY TRACE ON A CISCO ROUTER § No DROP during ND MAC address resolution. This is because packet is buffered and this can be used for a DoS Attack sa13-72c#ping 2000:1::100! Type escape sequence to abort.! Sending 5, 100-byte ICMP Echos to 2000:1::100, timeout is 2 seconds:! !!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms! sa13-72c#! Apr 18 08:36:03: ICMPv6-ND: DELETE -> INCMP: 2000:1::100! Apr 18 08:36:03: ICMPv6-ND: Sending NS for 2000:1::100 on GigabitEthernet0/2! Apr 18 08:36:03: ICMPv6-ND: Resolving next hop 2000:1::100 on interface GigabitEthernet0/2! Apr 18 08:36:03: ICMPv6-ND: Received NA for 2000:1::100 on GigabitEthernet0/2 from 2000:1::100! Apr 18 08:36:03: ICMPv6-ND: Neighbour 2000:1::100 on GigabitEthernet0/2 : LLA 0008.201a.7c38! Apr 18 08:36:03: ICMPv6-ND: INCMP -> REACH: 2000:1::100! Apr 18 08:36:08: ICMPv6-ND: Received NS for 2000:1::1 on GigabitEthernet0/2 from FE80::208:20FF:FE1A: 7C38! Apr 18 08:36:08: ICMPv6-ND: DELETE -> INCMP: FE80::208:20FF:FE1A:7C38! Apr 18 08:36:08: ICMPv6-ND: Neighbour FE80::208:20FF:FE1A:7C38 on GigabitEthernet0/2 : LLA 0008.201a. 7c38! Apr 18 08:36:08: ICMPv6-ND: INCMP -> STALE: FE80::208:20FF:FE1A:7C38! Apr 18 08:36:08: ICMPv6-ND: Sending NA for 2000:1::1 on GigabitEthernet0/2! Apr 18 08:36:08: ICMPv6-ND: STALE -> DELAY: FE80::208:20FF:FE1A:7C38
NEIGHBOR SOLICITATION CAPTURE § The Source Layer Address is provided to avoid the request in the other direction Internet Protocol Version 6 0110 .... = Version: 6 [0110 .... = This field makes the filter "ip.version == 6" possible: 6] .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 400 Next header: ICMPv6 (0x3a) Hop limit: 255 Source: fe80::2027:9779:3775:5cf8 (fe80::2027:9779:3775:5cf8) Destination: fe80::38b1:e73c:c0f0:4442 (fe80::38b1:e73c:c0f0:4442) Internet Control Message Protocol v6 Type: 135 (Neighbor solicitation) Code: 0 Checksum: 0x64e3 [correct] Target: fe80::38b1:e73c:c0f0:4442 (fe80::38b1:e73c:c0f0:4442) ICMPv6 Option (Source link-layer address) Type: Source link-layer address (1) Length: 8 Link-layer address: ca:03:42:76:00:08 SNIP The Source Layer Address is provided to avoid the request in the other direction
DUPLICATED ADDRESS DETECTION (DAD) § ICMP Type = 135 § Dst = solicited node multicast address of A § Data = link-layer of A § Query: What is your link layer address ? § If no NA received, the address can be considered unique § A sends a NA to claim this address
DUPLICATE ADDRESS DETECTION DEBUG § DAD Debug on a Cisco Router Apr 18 09:57:31: ICMPv6-ND: L3 came up on GigabitEthernet0/2 Apr 18 09:57:31: IPv6-Addrmgr-ND: DAD request for 2000:1::1 on GigabitEthernet0/2 Apr 18 09:57:31: ICMPv6-ND: Sending NS for 2000:1::1 on GigabitEthernet0/2 Apr 18 09:57:32: IPv6-Addrmgr-ND: DAD: 2000:1::1 is unique. Apr 18 09:57:32: ICMPv6-ND: Sending NA for 2000:1::1 on GigabitEthernet0/2 Apr 18 09:57:32: IPv6-Address: Address 2000:1::1/64 is up on GigabitEthernet0/2
REDIRECT § A Redirect is sent by a Router to provide a better Next-hop for a destination § This is sent after the Router has forwarded a packet on the interface used to receive a packet § Can be used by DoS Attacks (IPv4 or IPv6) § May be disabled by most OS (IPv4 or IPv6)
REDIRECT: H1 DEFAULT ROUTE VIA R1 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
REDIRECT: H1 ROUTE TO H2 VIA R2 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
ROUTER ADVERTISEMENT (RA) § A Router Advertisement is sent by a Router to announce its availability as a Router with its Link-local IPv6 Address § Router Advertisement also provides a configuration parameter to use on the link: § MTU § Availability of DHCPv6 for configuration § Hop Limit § Available Prefixes on the link and whether these prefixes can be used for autoconfiguration § Addresses of DNS Servers § Router Advertisement can be sent Unsolicited on a regular basis § Router Advertisement can be requested by a Router Solicitation § May be used by hacker (RFC6102)
ND – ROUTER ANNOUNCEMENT (RA) § ICMP Type = 134 § Src = Router Link-Local § Dst = All nodes multicast address, FF02::1 § Data = Options, prefix, lifetime, autoconfig flag § Cisco Router configuration § Ipv6 unicast-routing
RA FIELDS DESCRIPTION § Router link-local address § Lifetime: The time that this router will be considered active. A Lifetime of zero is used by a router which cannot be used as a default router. § Hops: Default Hop-Limit to use on this link. § MTU: Default MTU to use on this link § Reachable time: Used by NUD. A length of time that a node considers a neighbor reachable until another reachability confirmation is received from that neighbor. § Retransmit time: Used by Address Resolution and NUD. It specifies the minimum time, in milliseconds, between retransmitted Neighbor Solicitation messages. § AddrFlag: This is the Managed Address flag used to signal the use of DHCPv6 for Address and Other configuration.When set the OtherFlag is redundant. § OtherFlag: Used to signal the use of DHCPv6 for other parameter configuration. § There is also a 1-bit autonomous address-configuration flag in the Prefix Option. When set indicates that this prefix can be used for stateless address configuration
RA ON CISCO ROUTER - SHOW IPV6 ROUTERS hote#show ipv6 routers Router FE80::2038:148E:B9DF:FD6D on FastEthernet0/0, last update 2 min Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500 HomeAgentFlag=0, Preference=Medium Reachable time 0 (unspecified), Retransmit time 0 (unspecified) Prefix 2001::/64 onlink autoconfig Valid lifetime 2592000, preferred lifetime 604800 Note: A router which cannot be used as a default router sends RA with Lifetime=0
RA CAPTURE Internet Protocol Version 6 0110 .... = Version: 6 [0110 .... = This field makes the filter "ip.version == 6" possible: 6] .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 104 Next header: ICMPv6 (0x3a) Hop limit: 255 Source: fe80::207:cbff:fe3e:b6b3 (fe80::207:cbff:fe3e:b6b3) Destination: ff02::1 (ff02::1) Internet Control Message Protocol v6 Type: 134 (Router advertisement) Code: 0 Checksum: 0xf74b [correct] Cur hop limit: 64 Flags: 0x00 Router lifetime: 1800 Reachable time: 0 Retrans timer: 0 ICMPv6 Option (Prefix information) Type: Prefix information (3) Length: 32 Prefix length: 64 Flags: 0xc0 Valid lifetime: 86400 Preferred lifetime: 86400 Prefix: 2a01:e35:2f26:d340:: ICMPv6 Option (Recursive DNS Server) Type: Recursive DNS Server (25) Prefix Length: 40 Reserved DNS Servers Address Lifetime: 600 Recursive DNS Servers: dns3.proxad.net (2a01:e00::2) Recursive DNS Servers: dns2.proxad.net (2a01:e00::1) ICMPv6 Option (MTU) Type: MTU (5) Length: 8 MTU: 1480 ICMPv6 Option (Source link-layer address) Type: Source link-layer address (1) Length: 8 Link-layer address: 00:07:cb:3e:b6:b3 Source MAC @ MTU All node link-local address Router Lifetime (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
§ RA can include the DNS Server Addresses (Recursive DNS Option) § MAC OS X 10.7 supports this option § RDNSS config in rtadvd.conf to configure the Linux rtadvd daemon interface eth0 { AdvSendAdvert on; prefix 2001:db8:cafe:1::/64 { AdvOnLink on; AdvAutonomous on; }; rdnss 2001: db8:cafe:1::1 { }; } DNS SERVER ANNOUNCED IN RA (RFC 6106)
ALU 7750 CONFIGURATION OF THE RA RA must be authorized as they are not generated by default. CLI Syntax: config>router# router-advertisement interface ip-int-name current-hop-limit number managed-configuration max-advertisement-interval seconds min-advertisement-interval seconds mtu mtu-bytes other-stateful-configuration prefix ipv6-prefix/prefix-length autonomous on-link preferred-lifetime {seconds | infinite} valid-lifetime {seconds | infinite} reachable-time milli-seconds retransmit-time milli-seconds router-lifetime seconds no shutdown use-virtual-mac
ALU 7750 RA CONFIGURATION Router-advertisement Syntax router-advertisement Context config>router Description This command configures router advertisement properties. By default, it is disabled for all IPv6 enabled interfaces. The no form of the command disables all IPv6 interface. However, the no interface interface-name command disables a specific interface. Default disabled
ALU 7750 RA CONFIGURATION Prefix Syntax [no] prefix [ipv6-prefix/prefix-length] Context config>router>router-advert>if Description This command configures an IPv6 prefix in the router advertisement messages. To support multiple IPv6 prefixes, use multiple prefix statements. No prefix is advertised until explicitly configured using prefix statements. Default none Parameters ip-prefix The IP prefix for prefix list entry in dotted decimal notation. Values ipv4-prefix a.b.c.d (host bits must be 0) ipv4-prefix-length 0 — 32 ipv6-prefix x:x:x:x:x:x:x:x (eight 16-bit pieces) x:x:x:x:x:x:d.d.d.d x: [0 — FFFF]H d: [0 — 255]D ipv6-prefix-length 0 — 128 prefix-length Specifies a route must match the most significant bits and have a prefix length. Values 1 — 128
ND – ROUTER SOLICITATION § ICMP Type = 133 § Src = :: or link-local address § Dst = All routers multicast address § When a station boots, it must send a RS message to request routers information
NEXT-HOP DETERMINATION § This is different from IPv4 as two nodes can be neighbors with different prefixes. § A neighbor will be considered on-link if: § It is covered by a prefix of the link § It has received a NA for this address § It has received any ND message from this address § It has received an RA with this prefix in the prefix list § It has received a REDIRECT message with a target equal to this address
STATELESS ADDRESS AUTOCONFIGURATION (SLAAC) RFC 4862, IPv6 Stateless Address Autoconfiguration § RS/RA to request prefixes available to build addresses § DAD to test the new addresses
AUTOCONFIGURATION WITH DHCPV6 § Stateful Autoconfiguration avec DHCPv6 RFC3315 § DHCPv6 provides address and other parameters (DNS, domain name, SIP…) § Stateless Autoconfiguration with DHCPv6 § SLAAC used for address configuration § DHCPv6 for the other information (DNS, Domain Name) § Prefix Delegation § DHCPv6 can be used to provide a prefix which can be subnetted § The Service Provider useS DHCPv6 PD to allocate a block of addresses for the customer
STATEFUL OR STATELESS AUTOCONFIG DHCPV6 § IPv6 routers signal how DHCPv6 can be used by end nodes § RA M bit « Managed Address Configuration » is set if DHCPv6 must be used for address configuration. If M bit is set, the O bit is redundant as DHCPv6 will be used to get all the configs. § RA O bit « Other Stateful Configuration » is set if DHCPv6 must be used for other configurations § M and possibly O bits are set in the RA for DHCPv6 stateful autoconfiguration § M = 0 and O = 1 in the RA for DHCPv6 stateless autoconfiguration § DHCPv6 clients and relays use IPv6 Multicast addresses § « ff02::1:2 » All relays agents and servers link-local address § « ff05::1:3 » All DHCPv6 servers site-local address
AUTOCONFIGURATION (STATEFUL DHCPV6) Address and Other parameters are configured from DHCPv6 DHCPv6 with Rapid Commit (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
AUTOCONFIGURATION (STATELESS DHCPV6) DHCPv6 with Rapid Commit Address configuration from the prefix received in the RA (SLAAC) Other parameters are given by a DHCPv6 Server (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
FULL AUTOCONFIGURATION PROCESS (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
MAIN ALGO OF AUTOCONFIGURATION PROCESS (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! Derive the link-local address FE80::[Interface ID] Send NS to the solicited node multicast address derived from the link-local NA received ? Stop Initialize the link-local Send RS RA Received ? Use DHCPv6 and exit Set Hop Limit, Reachable Time, Retrans Timer, MTU Prefix Information present ? A B Managed Address Configuration Flag = 1 ? Other Configuration Flag = 1 ? Use DHCPv6 Stop Yes No Yes No Yes No Yes No Yes No Start
TENTATIVE IS THE AUTOCONF PROCESS STARTING… § First Step § Address verification with « Duplicate Address Detection (DAD) » § Can only receive a response to the DAD NS Request Valid Preferred Deprecated Tentative Invalid Preferred Lifetime Valid Lifetime
AUTOCONFIG: PREFERRED LIFETIME § The address is verified by DAD and can be used to send and receive unicast traffic. § The address can be used for new connections or by existing one § The Preferred Lifetime is determined by the field Preferred Lifetime included in the RA Prefix Information or the Preferred-Lifetime Option in the DHCPv6 IA Address Valid Preferred Deprecated Tentative Invalid Preferred Lifetime Valid Lifetime
AUTOCONFIG: DEPRECATED § The address has been verified by DAD § A New connection should not use this address § Existing communications can use this address Valid Preferred Deprecated Tentative Invalid Preferred Lifetime Valid Lifetime
AUTOCONFIG: VALID LIFETIME § The address can be used to send and receive unicast traffic § Valid state includes preferred and deprecated § The Valid Lifetime is determined by the field Valid Lifetime included in the RA Prefix Information or the Valid-Lifetime Option in the DHCPv6 IA Address Valid Preferred Deprecated Tentative Invalid Preferred Lifetime Valid Lifetime
RA PREFIX OPTION ipv6 nd prefix <prefix/mask>[Valid] [Preferred][no-advertise| off-link | no-autoconfig] A Take the first prefix information On-Link Flag = 0 ? Ignore the prefix Autonomous Flag = 0 ? No No Derive the Stateless address Prefixe:[interface ID] Send NS to the matching solicited node multicast address NA Received ? Other prefixes to process Yes Initialise the Stateless address Go to next prefix B No No Yes Do not initialize the stateless address Preferred > Yes Valid Valid = 0 Ignore the prefix Ignore the prefix Ignore the prefix No Yes Yes Yes
AUTOCONFIG: INVALID § The address cannot be used to send or receive traffic § The address reaches the Invalid state when the Valid Lifetime has expired Valid Preferred Deprecated Tentative Invalid Preferred Lifetime Valid Lifetime
AUTOCONFIG - SHOW IPV6 INTERFACE hote#sh ipv6 int fa0/0 FastEthernet0/0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::38B1:E73C:C0F0:4442 No Virtual link-local address(es): Global unicast address(es): BAD:1:2:FC64:8ECC:593A:15C3:654, subnet is BAD:1:2:FC64:8ECC:593A: 15C3:654/128 2001::20EC:31D3:14CB:A7A, subnet is 2001::/64 Joined group address(es): FF02::1 FF02::1:FFC3:654 FF02::1:FFCB:A7A FF02::1:FFF0:4442 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ICMP unreachables are sent ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds (using 37164) Default router is FE80::2038:148E:B9DF:FD6D on FastEthernet0/0 hote# (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
RFC 2894 ROUTER RENUMBERING FOR IPV6 § Node renumbering is performed, thanks to RA § Old prefix is announced with Preferred Lifetime very small or null and the new prefix with a normal Preferred Lifetime § Hosts will have two prefixes § Address built from old prefix will be deprecate § New connections use the new prefix § After some time, the connections will be set on the new prefix § Router only announces the new prefix § The Old prefix will be invalid
RENUMBERING SCENARIO Routers Configuration RA Preferred Prefix: 2001:db8:cafe:2::/64 Deprecated Prefix: 2001:db8:cafe:1::/64 Host Preferred address: 2001:db8:cafe:2:1:4567:9f0:1 Deprecated address: 2001:db8:cafe:1:4567:9f0:1 Valid Preferred interface Ethernet0 ipv6 nd prefix 2001:db8:cafe:1::/64 43200 0 ipv6 nd prefix 2001:db8:cafe:2::/64 43200 43200
NDP PDU SUMMARY Message Goal ICMP Code Sender Target Option Router Solicitation (RS) Resuest an immediate RA 133 Host All Routers SLLA Router Advertisement (RA) Announce: defaut router, prefixes, parameters 134 Routers RS Sender or all host SLLA, MTU, Prefix, Route, Interval, Home Agent info Neighbor Solicitation (NS) Request the Link layer address of the target. Also used to send probe (NUD) 135 Hosts Multicast Solicited node address or unicast of the target SLLA Neighbor Advertisement (NA) Answer to the NS 136 Hosts Sender of the NS or all hosts TLLA Redirect Information of a better next hop for a destination 137 Routers Host which triggers the Redirect TLLA Redirected header Inverse neighbor Solicitation (INS) Request an IPv6 address matching a Link layer address 141 Hosts All hosts SLLA, TLLA, MTU, Source address list Inverse Neighbor Advertisement (INA) Answer to INA 142 Hosts INS Sender SLLA, TLLA, Target addresses list, MTU (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
INTERESTING RFCS § RFC 2460 IPv6 Specification § RFC 5095 Deprecation of Type 0 Routing Headers in IPv6 § RFC 4291 IPv6 Addressing Architecture § RFC 4861 Neighbor Discovery § RFC 4862 IPv6 Stateless Auto config § RFC 4443 ICMPv6 Specification § http://tools.ietf.org/html/rfc4443
CONCLUSION § NDP is part of any IPv6 stack § NDP provides many services allowing address and default router autoconfiguration § NDP checks the Neighbor availability § NDP is vulnerable to DoS attacks. See RFC3756.
(C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
OBJECTIVES § Understand DHCPv6 § Understand the support of DNS for IPv6 § Understand Mobile IPv6 § Find a list of IPv6 ready network application § 1949 applications supporting IPv6 § http://www.ipv6-to-standard.org/ § How to test your stack and ISP § http://test-ipv6.com/
DHCPv6
STATEFUL DHCPv6 SIGNALIZATION § Stateful Autoconfiguration with DHCP for IPv6 RFC3315 § IPv6 routers signal the use of DHCPv6 § M-bit flag « Managed Address Configuration » is set when address and network parameters configuration are available from DHCPv6 § O-bit flag « Other Stateful Configuration » is set when Other parameters configuration must be performed with DHCPv6
DHCP MOST IMPORTANT TERMINOLOGY DHCP = Unique IDentifier http://tools.ietf.org/html/rfc3315#section-9 DHCP Client or Server has its DUID. It is based on the LL Address, the Vendor, the enterprise, the Time… What I have seen the Most for the moment was Link Layer (LL or MAC Address). Veryy important as DHCP uses multicast to communicate with ALL DHCP nodes. DUID is the used to fins the right node. IA = Identity Association http://tools.ietf.org/html/rfc3315#section-10 Each IA must be associated with exactly one interface. Each Interface May have multiple prefixes but will have ONE IA. This is a logic construct that can be used for a group of interfaces which play the same role. « Each address in an IA has a preferred lifetime and a valid lifetime, as defined in RFC 2462 [17]. The lifetimes are transmitted from the DHCP server to the client in the IA option. The lifetimes apply to the use of IPv6 addresses, as described in section 5.5.4 of RFC 2462. » From RFC 3315 Section 10. IMPORTANT: When theses timers need to be changed, it is from the Server, the source! Changing the routers timers has no effects.
HOW ADDRESSES ARE TRANSPORTED ? OPTION_IA_NA option-len IAID T1 T2 IA_NA-options OPTION_IA_TA option-len IAID IA_TA-options IA_NA OPTION_IAADDR OPTION_LEN IPv6 ADDRESS PREFERRED_LIFETIME VALID_LIFETIME IAaddr-options IA_TA IA Address Option Non Temporary Addresses With DHCPv6 Timers Temporary Addresses No Timers, Managed by the Upper Layer! IPv6 Address and Timers. 0xffffffff is infinity
DHCPV6 MULTICAST ADDRESSES § "ff02::1:2" Link-local scope. All Relay agent and servers § "ff05::1:3" Site-Local scope. All DHCPv6 servers DHCPv6 Client DHCPv6 Server SOLICIT ff02::1:2 Advertize fe80::1 Request ff02::1:2 Reply fe80::1 fe80::1 YES. I am here and I can provide you with blah blah blah! I Want to reserve: 2001:db8:12:FD:45:fa:F And Use domain fredbovy.com And DNS Server: 2a01::1, 2a01::2 YES You got it! It’s all for you!
DHCPv6 CLIENT – SERVER DHCPv6 Client DHCPv6 Server Solicit Dst:All_DHCP_Relay_Agents_and_Servers (FF02::1:2) Src: Client Link-local address Advertise Dst: Client Link-local address Src: Server Link-local address Request Dst: Server Dst:All_DHCP_Relay_Agents_and_Servers (FF02::1:2) Src: Client Link-local address Reply Dst: Client Link-local address Src: Server Link-local address (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DHCPv6 CLIENT – RELAY – SERVER DHCPv6 Client DHCPv6 Server Solicit Dst:All_DHCP_Relay_Agents_and_Servers (FF02::1:2) Request Dst: Server Dst:All_DHCP_Relay Agents_and_Servers (FF02::1:2) Src: Client Link-local address Relay-reply Dst: Client Link-local address Src: Server Link-local address DHCPv6 Relay Relay-Forward to All_DHCP_Servers (FF05::1:3) Relay-reply Advertise Relay-Forward to All_DHCP_Servers (FF05::1:3) Reply (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DHCPv6 SOLICIT (1) Internet Protocol Version 6 0110 .... = Version: 6 [0110 .... = This field makes the filter "ip.version == 6" possible: 6] .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 56 Nxt header: UDP (0x11) Hop limit: 255 Source: fe80::38b1:e73c:c0f0:4442 (fe80::38b1:e73c:c0f0:4442) Destination: ff02::12 (ff02::1:2) User Datagram Protocol, Src Port: dhcpv6-client (546), Dst Port: dhcpv6-server (547) Source port: dhcpv6-client (546) Destination port: dhcpv6-server (547) Length: 56 Checksum: 0x86f0 [validation disabled] Link-Local All Servers and Relays dhcpv6-client: 546 dhcpv6-server: 547 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DHCPv6 SOLICIT (2) DHCPv6 Message type: Solicit (1) Transaction-ID: 0x00b44306 Elapsed time option type: 8 option length: 2 elapsed-time: 0 ms Client Identifier option type: 1 option length: 10 DUID type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: ca:02:42:76:00:08 Option Request option type: 6 option length: 4 Requested Option code: DNS recursive name server (23) Requested Option code: Domain Search List (24) Identity Association for Non-temporary Address option type: 3 option length: 12 IAID: 262145 T1: 0 T2: 0 DNS Server Address Domain Name Non-Temporary Address (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DHCPv6 ADVERTISE (2) DHCPv6 Message type: Advertise (2) Transaction-ID: 0x00b44306 Server Identifier option type: 2 option length: 10 DUID type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: ca:03:42:76:00:08 Client Identifier option type: 1 option length: 10 DUID type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: ca:02:42:76:00:08 Server Identifier Client Identifier Identity Association for Non-temporary Address option type: 3 option length: 40 IAID: 262145 T1: 43200 T2: 69120 IA Address option type: 5 option length: 24 IPv6 address: bad:1:2:2d98:8e14:c0b1:6ef5:8548 Preferred lifetime: 86400 Valid lifetime: 172800 Domain Search List option type: 24 option length: 14 DNS Domain Search List Domain: fredbovy.com IPv6 Address Domain Name (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DHCPV6 SERVER STATUS R4>show ipv6 dhcp This device's DHCPv6 unique identifier(DUID): 00030001CA0342760008 R4>show ipv6 dhcp int FastEthernet0/0 is in server mode Using pool: fred Preference value: 0 Hint from client: ignored Rapid-Commit: disabled R4#show ipv6 dhcp pool DHCPv6 pool: fred Static bindings: Binding for client BADCAF0E IA PD: IA ID not specified Prefix: DEAD:BEEF::/48 preferred lifetime 604800, valid lifetime 2592000 Address allocation prefix: DEAD:BEEF:1:2:3::/64 valid 172800 preferred 86400 (1 in use, 0 conflicts) Domain name: fredbovy.com Active clients: 1 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DHCPV6 SERVER ALLOCATION R4#show ipv6 dhcp bind Client: FE80::38B1:E73C:C0F0:4442 DUID: 00030001CA0242760008 Username : unassigned IA NA: IA ID 0x00040001, T1 43200, T2 69120 Address: DEAD:BEEF:1:2:6090:18A5:E017:DE5C preferred lifetime 86400, valid lifetime 172800 expires at Aug 11 2010 03:23 PM (172554 seconds) (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DHCPv6 CLIENT hote#show ipv6 dhcp interface FastEthernet0/0 is in client mode Prefix State is IDLE Address State is OPEN Renew for address will be sent in 11:39:08 List of known servers: Reachable via address: FE80::2027:9779:3775:5CF8 DUID: 00030001CA0342760008 Preference: 0 Configuration parameters: IA NA: IA ID 0x00040001, T1 43200, T2 69120 Address: BAD:1:2:FC64:8ECC:593A:15C3:654/128 preferred lifetime 86400, valid lifetime 172800 expires at Aug 11 2010 02:36 PM (171549 seconds) Domain name: fredbovy.com Information refresh time: 0 Prefix Rapid-Commit: disabled Address Rapid-Commit: disabled Configuration: interface FastEthernet0/0 ipv6 address dhcp (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DHCPv6 OPERATION *Aug 9 15:34:32.806: IPv6 DHCP: Received REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:32.806: IPv6 DHCP: IA_NA 00040001 contains status code NOADDRS-AVAIL *Aug 9 15:34:32.806: IPv6 DHCP: DHCPv6 address changes state from REQUEST to SOLICIT (ADDR_NAK) on FastEthernet0/0 *Aug 9 15:34:32.806: IPv6 DHCP: Received REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:32.806: IPv6 DHCP: No matching transaction ID in REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:33.782: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on FastEthernet0/0 *Aug 9 15:34:33.786: IPv6 DHCP: Received ADVERTISE from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:33.786: IPv6 DHCP: Adding server FE80::2027:9779:3775:5CF8 *Aug 9 15:34:33.786: IPv6 DHCP: Received ADVERTISE from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:34.858: IPv6 DHCP: Sending REQUEST to FF02::1:2 on FastEthernet0/0 *Aug 9 15:34:34.858: IPv6 DHCP: DHCPv6 address changes state from SOLICIT to REQUEST (ADDR_ADVERTISE_RECEIVED) on FastEthernet0/0 *Aug 9 15:34:34.858: IPv6 DHCP: Received REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:34.858: IPv6 DHCP: Processing options *Aug 9 15:34:34.862: IPv6 DHCP: Adding address DEAD:BEEF:1:2:C541:3F5C:EA1A:BE21/128 to FastEthernet0/0 *Aug 9 15:34:34.870: IPv6 DHCP: T1 set to expire in 43200 seconds *Aug 9 15:34:34.870: IPv6 DHCP: T2 set to expire in 69120 seconds *Aug 9 15:34:34.870: IPv6 DHCP: Configuring domain name fredbovy.com *Aug 9 15:34:34.870: IPv6 DHCP: DHCPv6 address changes state from REQUEST to OPEN (ADDR_REPLY_RECEIVED) on FastEthernet0/0 *Aug 9 15:34:34.870: IPv6 DHCP: Received REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:34.870: IPv6 DHCP: DHCPv6 address changes state from OPEN to OPEN (ADDR_REPLY_RECEIVED) on FastEthernet0/0 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
STATELESS DHCPV6 § IPv6 Routers signal the DHCPv6 utilization § M bit = 0 « Managed Address Configuration » to use SLAAC for address autoconfiguration § O bit = 1 « Other Stateful Configuration » to use DHCPv6 for Other parameter configuration § Address is configured by SLAAC § Other parameters are then requested to the DHCPv6 Server
DHCP PREFIX DELEGATION § DHCPv6 PD Server allocates a block of addresses § The block received by the client is then subnetted to configure each interface
ISENTITY ASSOCIATION IA_PD IA_PD Prefix option IPv6 prefix (16 octets) (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! IA_PD option Option_IA_PD option-length IAID (4 Octets) T1 T2 OPTION_IAPREFIX option-length preferred-lifetime valid-lifetime prefix-length IPprefix-options IA _PD-options
DHCP PREFIX DELEGATION IPv6 2001:db8:1:1::/64 DHCP PD Client DHCP PD Server 2001:db8:1::/48 RA ISP 2001:db8::/32 2001:db8:2:1::/64 RA 2001:db8:2:2::/64 RA 2001:db8:2::/48 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DHCP-PD OPERATION 2001:db8:678::/32 DHCP-PD Server (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! 2001:db8:678::1/64 DHCPv6 Client IPv6 Internet DHCP-PD Relay 2001:341f::1:57/64 2001:341f::/32 Router Advertisement Prefix-List 2001:db8:678::/64 M=0, O=0 (SLAAC) DHCPv6-PD Client May Use LL for the p2p Link Address
5:00AM FIRST HOME OFFICE DHCP-PD USER COMES UP! IPv6 Internet 2001:341f::1:57/64 IPv6 Private Network 2001:db8:678::1 2001:db8:678:1::/56 2001:db8:658::/48 8 bits for Subnets (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! 2001:db8:678:10::/64 2001:db8:678:11::/64 ... DHCP-PD Server Relay_Forward (Solicit) Advertize Request IA_PD First Block Reply IA_PD 2001:db8:678::/56 IPv6 Internet IPv6 Internet AS 610 AS 413 2001:413::/32 AS 341F 2001:341F::/32 FTTH Solicit IA_PD Home Network 2001:db8:678::/64 2001:db8:678:d340:98:22ac:f9:1 Router Advertisement Managed=0, Other=0 MTU=1500, Hop Limit=64 Retrans Timer=0 (Unsp) Reachable Time=0 (Unsp) Prefix: 2001:db8:678::/56 On-Link=1 Autonomous=1 Valid=7200 Preferred=1200 3 1a 1b 2b DHCP-PD Relay
7:00 AM DHCP-PD FIRST OFFICE COMES UP (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! IPv6 Internet 2001:341f::1:57/64 IPv6 Private Network 2001:db8:658::/48 2001:db8:678:1::/56 8 bits for Subnets 2001:db8:678:10::/64 2001:db8:678:11::/64 ... DHCPv6-PD Client DHCP-PD Server Relay_forward (Solicit IA_PD) Request IA_PD Reply IA_PD First Block 2001:db8:678::/56 Home Network 2001:db8:678::/64 IPv6 Internet IPv6 Internet AS 610 2001:610::/32 AS 413 2001:413::/32 AS 341F 2001:341F::/32 FTTH DHCPv6 Relqy P2P LL Address SOLICIT IA_PD Relay_Reply(Solicit IA_PD) Advertise IA_PD REPLY IA_PD Request IA_PD
(C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DOMAIN NAME SERVICES (DNS) § RFC1035, RFC1036 § To Provide Name to addresses resolution § To Provide address to name resolution § To Find Mail Servers in a domain to allow eMail routing § Key component in network architecture § Request and Replies are encapsulated in UDP port 53 messages § DNS Message Length is limited to 512 bytes § DNSSEC is an effort to offer a secure DNS service § Nodes and even Subnets discovery became difficult with IPv6 addresses therefore DNS is likely to get used to discover target
THE DNS TREE STRUCTURE . Root « . » arpa edu gov net com ca au za In-addr ip6 coca-cola mcDo company google bill sec head TLD Second Level Domain Third Level Domain (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
RESOLUTION OF FRED.EXAMPLE.COM DNS Root DNS « . » TLD DNS .com. Domain DNS example.com. Query=fred.example.com Referral to .com gTLD DNS Query=fred.example.com Referral to example.com DNS Query=fred.example.com Authoritative Answer (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
§ For Address to Name Resolution http://www.iana.org/domains/arpa/ http://tools.ietf.org/html/rfc5855 REVERSE MAPPING . arpa edu In-addr ip6 0 1 2 194 195 47 37 2 2.37.47.195.in-addr.arpa
ROOT DNS SERVERS § They return the addresses of the TLD Servers § 13 IP anycast addresses are used § 13 ipv4 addresses can be sent in a 512 (436) bytes UDP message! § 200+ physical servers around the globe § Domain root-servers.net: a.root-servers.net through m.root-servers.net § In Europe, RIPE Servers k.root-servers.net are located in Amsterdam, Athens, Doha, Frankfurt, London and Milan. IPv4:193.0.14.129, IPv6:2001:7fd::1 § IPv6 addresses are already supported by 9 of the 13 root-servers § Requirements of a Root Server are in RFC2870 § http://www.iana.org/domains/root/
TOP LEVEL DOMAIN (TLD) DNS SERVERS § They return the address of the NS for a User domain § The full list is at http://www.iana.org/domains/root/db/ § Generic Top-Level-Domains (gTLD): § .com § .edu § .net § .org § .mil, etc… § Country Code Top-Level-Domains (ccTLD): § .us, .ca, .fr, .uk, etc…
THE EXAMPLE.COM DNS SERVERS § Primary or Master and Secondary or Slave DNS Server § To increase performance and reliability of DNS, there is more than one DNS server for each domain. § The Master Zone file describing the zone is located on the Primary server § The Secondary Server is synchronized with the Primary, thanks to Zone Transfer DNS Slave Zone DNS Slave Zone § Caching only Servers DNS Master Zone DNS Slave Zone Zone Transfer Master Zone File
ZONE AND ZONE FILES: CONFIG FOR A ZONE § Zone files translate the domain name into operational entities § Zone Files contain: § Data that describe the zone authority, known as the Start of Authority (S0A) Resource Record. § All the hosts within the zones. § A Resource Record for an IPv4 Address § AAAA Resource Record for an IPv6 Address § Data that describes global information for the zone. MX Resource Records for the domain’s mail servers and NS Resource Records for the Name Servers § In the case of a subdomain delegation, the name servers are responsible for this subdomain…
RECURSIVE AND ITERATIVE QUERIES § The simplest mode for the server is non-recursive, since it can answer queries using only local information: the response contains an error, the answer, or a referral to some other server "closer" to the answer. § All name servers must implement non-recursive queries. § The simplest mode for the client is recursive, since in this mode the name server acts in the role of a resolver and returns either an error or the answer, but never referrals. § This service is optional in a name server. The name server may also choose to restrict the clients that can use recursive mode.
RECURSIVE QUERY § All servers do not support Recursive Query § Root and TLD servers do not support Recursive Query 1 Name Server Root Name Server Authoritative Name Server for TLD com Authoritative Name Server for 2 3 4 5 Cache company.com Client Resolver
ITERATIVE QUERY Name Server Root Name Server Authoritative Name Server for TLD com Authoritative Name Server for company.com Client Resolver 2 Query Referal 1 Query Referal 4 Query Authoritative answer 3 Query Referal 5 Cache All servers support Iterative Query (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
IPV6 SUPPORT IN DNS § RFC1886 describes how to accommodate IPv6 Addresses in DNS § AAAA Resource Record to store 128 bits addresses § IPv6 reverse mapping uses the PTR RR in the first place under domain ip6.int replaced by ip6.arpa § More complex solution A6/DNAME § After many discussions, this was moved to Experimental status § DNS requests must be transported in IPv6 § DNS Root servers and Top-level domains must support IPv6 § 9 of the 13 root-servers are IPv6 ready § DNS messages larger than 512 bytes must be supported (EDNS0) and not filtered by firewalls
AAAA AND IPV6.ARPA § AAAA is written like an IPv6 address. Leading zeros can be omitted § ipv6-host IN AAAA 2001:db8:1:2:3:4:567:89ab § Ip6.arpa is the reverse-mapping name space for IPv6 addresses. Each level of subdomain under ip6.arpa represents four bits of the 128-bit address. Omitting leading zeros is not allowed, so there are always 32 hex digits and 32 levels of subdomain below ip6.arpa in a domain name corresponding to a full ipv6 address. § b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.8.b.d. 0.1.0.0.2.ip6.arpa.
AAAA RESOURCE RECORD SYNTAX name ttl class ipv6 § ipv6-host IN AAAA 2001:db8:1:2:3:4:567:89ab § name: ipv6-host.The name is unqualified, causing the $ORIGIN directive value to be substituted. You could have written this as ns1.example.com. (using the FQDN format), which may be more understandable. § ttl: There is no ttl value defined for the RR, so the zone default from the $TTL directive will be used. § class: IN. Defines the class to be Internet § ipv6: 2001:db8:1:2:3:4:567:89ab. This is a Global Unicast address.
ADDING AAAA TO FORWARD-MAPPING ZONES § A and AAAA can coexist for dual-stack hosts: Skydive IN A 192.239.120.111 IN AAAA 2001:db8:cafe:f1::e1 § Another option is to create one entry for each protocol Skydive IN A 192.239.120.111 skydive-v6 IN AAAA 2001:db8:cafe:f1::e1 or skydive.v6 IN AAAA 2001:db8:cafe:f1::e1
ZONE FILE WITH IPV6 SUPPORT EXAMPLE (1) ; transitional IPv6/IPv4 zone file for example.com $TTL 2d ; default TTL for zone SOA Resource $ORIGIN example.com. Record ; Start of Authority RR defining the key characteristics of the zone (domain) @ IN SOA ns1.example.com. hostmaster.example.com. ( 2003080800 ; sn = serial number 12h ; refresh 15m ; retry = update retry 3w ; expiry 2h ; min = minimum ) ; name server RRs for the domain IN NS ns1.example.com. ; the second name server is ; external to this zone (domain) . IN NS ns2.example.net. Name Servers (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
ZONE FILE WITH IPV6 SUPPORT EXAMPLE (2) ; mail server RRs for the zone (domain) 3w IN MX 10 mail.example.com. ; the second mail server is ; external to the zone (domain) IN MX 20 mail.example.net. ; domain hosts includes NS and MX records defined above ; plus any others required ; the following hosts are in IPv6 subnet 1 ns1 IN A 192.168.254.2 ns1 IN AAAA 2001:db8:0:1::1 mail IN A 192.168.254.4 mail IN AAAA 2001:db8:0:1::2 ; these hosts are defined to be in the IPv6 subnet 2 joe IN A 192.168.254.6 joe IN AAAA 2001:db8:0:2::1 www IN A 192.168.254.7 www IN AAAA 2001:db8:0:2::2 ; aliases ftp (ftp server) to an external location ftp IN CNAME ftp.example.net (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
IPV6 REVERSE-MAPPING ZONES § The subnet where skydive.v6.movie.edu is on 2001:db8:cafe:f9::/64 would correspond to the reverse-mapping zone: § 9.f.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa § IPv6 reverse-mapping zones contain PTR records, SOA record and one or more NS record: $TTL 1d @ IN SOA terminator.movie.edu. hostmaster.movie.edu. ( 2011030800 ; Serial number 1h ; Refresh (1 hour) 15m ; Retry (15 minutes) 30d ; Expire (30 days) 10m ) ; Negative-caching TTL (10 minutes) IN NS terminator.movie.edu. IN NS wormhole.movie.edu. 3.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR skydive.v6.movie.edu. 4.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR super8.v6.movie.edu.
IPV6 PTR RESOURCE RECORD The PTR RR is standardized in RFC 1035 and maps an IPv6 address to a particular interface ID. Syntax is : – name ttl class rr name § name: This is the subnet ID and interface ID parts of the IPv6 address written in reverse nibble format. While this looks like a number, it is in fact treated as a name. The name is unqualified causing the $ORIGIN directive value to be substituted. § ttl: There is no ttl value defined for the RR, so the zone default from the $TTL directive will be used. § class: IN defines the class to be Internet § name: Defines that the query for <address> will return name Example: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0 IN PTR joe.example.com.
REVERSE IPV6 ZONE FILE FOR EXAMPLE.COM (1) ; reverse IPV6 zone file for example.com Prefix for all the addresses $TTL 2d ; default TTL for zone $ORIGIN 0.0.0.0.8.b.d.0.1.0.0.2.IP6.ARPA. ; Start of Authority RR defining the key characteristics of the zone (domain) @ IN SOA ns1.example.com. hostmaster.example.com. ( 2003080800 ; sn = serial number 12h ; refresh = refresh 15m ; retry = update retry 3w ; expiry = expiry 2h ; min = minimum ) ; name server RRs for the domain IN NS ns1.example.com. ; the second name server is ; external to this zone (domain) . IN NS ns2.example.net. (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
REVERSE IPV6 ZONE FILE FOR EXAMPLE.COM (2) ; PTR RR maps a IPv6 address to a host name ; hosts in subnet ID 1 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0 IN PTR ns1.example.com. 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0 IN PTR mail.example.com. ; hosts in subnet ID 2 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0 IN PTR joe.example.com. 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0 IN PTR www.example.com. name: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0 This is the subnet ID and interface ID parts of the IPv6 address 0.0.0.0.0.0.1.0.0.0 written in reverse nibble format. While this looks like a number, it is in fact treated as a name. The name is unqualified causing the $ORIGIN directive value to be substituted. You could have written this as 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.IP6.ARPA. ttl: There is no ttl value defined for the RR, so the zone default of 2d from the $TTL directive will be used. Class: IN defines the class to be Internet Name: www.example.com Defines that a query for 2001:db8:0:2:0:0:0:2 will return www.example.com (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
BUILT-IN EMPTY REVERSE-MAPPING ZONES § These special addresses are resolved locally by BIND without forwarding any request on the Internet. Reverse-mapping Zone Name Function IPv4 Equivalent 0...ip6.arpa Unspecified IPv6 address 0.0.0.0 1.0...ip6.arpa IPv6 Loopback Address 127.0.0.1 8.b.d.0.1.0.0.2.ip6.arpa IPv6 Documentation Network 192.0.2/24 d.f.ip6.arpa Unique Local Addresses 10/8, etc.(RFC1918) 8.e.f.ip6.arpa Link-Local Addresses 169.254/16 9.e.f.ip6.arpa Link-Local Addresses 169.254/16 a.e.f.ip6.arpa Link-Local Addresses 169.254/16 b.e.f.ip6.arpa Link-Local Addresses 169.254/16
DNS REQUEST TRANSPORTED IN IPV6 Internet Protocol Version 6 0110 .... = Version: 6 [0110 .... = This field makes the filter "ip.version == 6" possible .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 145 Next header: UDP (0x11) Hop limit: 255 Source: fe80::61e:64ff:feec:73a9 (fe80::61e:64ff:feec:73a9) Destination: ff02::fb (ff02::fb) User Datagram Protocol, Src Port: mdns (5353), Dst Port: mdns (5353) Source port: mdns (5353) Destination port: mdns (5353) Length: 145 Checksum: 0x5753 [validation disabled] Domain Name System (response) mDNSv6 Link-local Multicast destination (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
IPV6 ADDRESSES IN DNS: AAAA RECORD Type AAAA Name: power-mac-g5-de-fred-bovy-6.local Type: AAAA (IPv6 address) .000 0000 0000 0001 = Class: IN (0x0001) 1... .... .... .... = Cache flush: True Time to live: 2 minutes Data length: 16 Addr: 2a01:e35:2f26:d340:61e:64ff:feec:73a9
DNS CAPTURE Internet Protocol Version 6 0110 .... = Version: 6 [0110 .... = This field makes the filter "ip.version == 6" possible: 6] .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 145 Next header: UDP (0x11) Hop limit: 255 Source: fe80::61e:64ff:feec:73a9 (fe80::61e:64ff:feec:73a9) Destination: ff02::fb (ff02::fb) User Datagram Protocol, Src Port: mdns (5353), Dst Port: mdns (5353) Source port: mdns (5353) Destination port: mdns (5353) Length: 145 Checksum: 0x5753 [validation disabled] Domain Name System (response) [Request In: 788] [Time: -404.306754000 seconds] Transaction ID: 0x0000 Flags: 0x8400 (Standard query response, No error) Questions: 0 Answer RRs: 1 Authority RRs: 0 Additional RRs: 3 Answers power-mac-g5-de-fred-bovy-6.local: type A, class IN, cache flush, addr 192.168.0.15 Name: power-mac-g5-de-fred-bovy-6.local Type: A (Host address) .000 0000 0000 0001 = Class: IN (0x0001) 1... .... .... .... = Cache flush: True Time to live: 2 minutes Data length: 4 Addr: 192.168.0.15 mDNSv6 multicast address MDNS port 5353 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DNS CAPTURE (SUITE) Additional records power-mac-g5-de-fred-bovy-6.local: type AAAA, class IN, cache flush, addr fe80::61e:64ff:feec:73a9 Name: power-mac-g5-de-fred-bovy-6.local Type: AAAA (IPv6 address) .000 0000 0000 0001 = Class: IN (0x0001) 1... .... .... .... = Cache flush: True Time to live: 2 minutes Data length: 16 Addr: fe80::61e:64ff:feec:73a9 power-mac-g5-de-fred-bovy-6.local: type AAAA, class IN, cache flush, addr 2a01:e35:2f26:d340:61e:64ff:feec:73a9 Name: power-mac-g5-de-fred-bovy-6.local Type: AAAA (IPv6 address) .000 0000 0000 0001 = Class: IN (0x0001) 1... .... .... .... = Cache flush: True Time to live: 2 minutes Data length: 16 Addr: 2a01:e35:2f26:d340:61e:64ff:feec:73a9 power-mac-g5-de-fred-bovy-6.local: type NSEC, class IN, cache flush, next domain name power-mac-g5-de-fred-bovy-6.local Name: power-mac-g5-de-fred-bovy-6.local Type: NSEC (Next secured) .000 0000 0000 0001 = Class: IN (0x0001) 1... .... .... .... = Cache flush: True Time to live: 2 minutes Data length: 8 Next domain name: power-mac-g5-de-fred-bovy-6.local RR type in bit map: A (Host address) RR type in bit map: AAAA (IPv6 address) AAAA Record (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
RECURSIVE NAME SERVERS PRIMING FOR IPV6 § Most recursive name servers perform a bootstrap process called priming to determine the current list of root name servers, since information in the local copy of the root hints file could be out of date. § To prime, a recursive name server sends a DNS query of type NS for the root (".") to one of the root name servers listed in the local root hints file. § The recursive name server uses the list of root name servers in the response returned from a live root name server for resolution purposes. § Priming ensures that a recursive name server always starts operation with the most up-to-date list of root name servers. § The operators of nine root name servers - a, d, f, h, i, j, k, l, m - have assigned IPv6 addresses to their systems.
IPV6 AND EDNS0 SUPPORT § Including the IPv6 addresses at the root level of the DNS involves two related actions on the parts of the IANA and the DNS Root Server Operators: § Add Resource Records of Type AAAA to the hints file. The IANA maintains the authoritative root hints file at ftp://ftp.internic.net/ domain/. § Provision the 13 root name servers to return the Type AAAA records when name server resolvers bootstrap, perform what is known as a priming.
IPV6 AND EDNS0 SUPPORT (CONT.) § RFC1035 specifies the maximum DNS UDP message to 512 bytes: § 13 IPv4 anycast addresses were used to represent 200+ Servers for the announcement to fit in a 512 bytes message. 436 bytes actually leave room for some options. § With only 5 IPv6 addresses added to the Additional Section of the DNS Type NS response message root server operators return during the priming exchange, the size of the response message increases from 436 bytes to 576 bytes. § 9 Root Servers have been assigned IPv6 addresses § When all 13 root name servers are assigned IPv6 addresses, the priming response will increase in size to 811 bytes .
IPV6 AND EDNS0 SUPPORT (CONT.) Conditions for the successful completion of a priming exchange: § Resolvers and any intermediate systems that are situated between resolvers and root name servers must be able process DNS messages containing Type AAAA resource records. § Additionally, resolvers must use DNS Extensions (EDNS0, RFC 2671) to notify root name servers that they are able to process DNS response messages larger than the 512 byte maximum DNS message size specified in RFC1035. § Intermediate systems must be configured to forward UDP-encapsulated DNS response messages larger than the 512 byte maximum DNS message size specified in RFC1035 to resolvers that issued the priming request.
TEST THE EDNS0 SUPPORT § To test the action a firewall implementation takes when it receives a UDP-encapsulated DNS response message larger than 512 bytes, a network or firewall administrator can perform the following DNS lookup using: § dig ns +bufsize=4096 @192.33.4.12 OR § dig ns +bufsize=4096 @2001:500:2D::D § This command should elicit a 699 bytes response that contains AAAA resource records § If no response is received, network and firewall administrators should first determine if a security policy other than the vendor's default processing for DNS messages is blocking large response messages or large UDP messages. If no policy other than the vendor's default processing is configured, note the implementation and version, and contact your vendor to determine if an upgrade or hot fix is available.
DNSSEC § DNSSEC is detailed in RFC4033, RFC4034 and RFC4035. A discussion of operational practices relating to DNSSEC can be found in RFC4641. § In DNSSEC, a secure response to a query is one which is cryptographically signed and validated. § In DNSSEC, there is no Protection against DoS attack § DNSSEC adds new Resource Record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS) and Next Secure (NSEC) § A signed zone will contain the 4 additional security-related records § DNSSEC requires support for EDNS0 (RFC2671) and DNSSEC OK (DO) EDNS bit EDNS0 (RFC 3225) § In DNSSEC, the Root Zone is signed § http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html
DYNAMIC DNS § DNS Servers can be updated dynamically § Address allocated with DHCPv6 or SLAAC automatically update the DNS § DNSUpdates in the Domain Name System (DNS UPDATE) § http://tools.ietf.org/html/RFC2136 § Secure Domain Name System (DNS) Dynamic Update § http://tools.ietf.org/html/RFC3007 § Operational Considerations and Issues with IPv6 DNS § http://tools.ietf.org/html/rfc4472
IPV6 DEVICES MANAGEMENT § SNMP for IPv6 § SNMP transported by IPv6 § IPv6 supported by MIB. § First approach was to implement separate MIBs for IPv4 and IPv6 § RFC2465 and RFC2466 now deprecated § Unified MIB for IPv4 and IPv6 in RFC4293 § TELNET, SSH for IPv6 § FTP, TFTP for IPv6 § SYSLOG for IPv6 § HTTP for IPv6 § Ping, traceroute
MOBILE IPV6: RFC 3775 § The mobile node can roam from subnet to subnet, but its source address is unchanged for the applications. § No session is lost § The network can be hidden from the correspondent node § This existed in IPv4 but IPv6 greatly improved it
MOBILE IPV6 TERMINOLOGY Home Agent The router which switches the traffic to the mobile node. Mobile Node The roaming user Home Address The initial network address. All the communications of the mobile node come from this address. Home Link The link where the mobile node is permanently attached. Care-Of-Address The temporary address on the visited network. Correspondant Node The node (not mobile) communicating with the mobile node. (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
MOBILE NODE ACQUIRES A COA § Mobile node visits a new subnet § It must acquire its Care of Address (CoA) Mobile Node acquires its Care of Address from SLAAC or DHCPv6
HOME AGENT ADDRESS DISCOVERY (ANYCAST) § Home Agent (HA) may have move § New HA may have been installed § Anycast address may be used to find the HA
COA BINDING AND TUNNEL CREATION § Mobile Node register its CoA with the Home Agent § Signaling uses a Mobility Option § IPv6 in IPv6 Tunnel is setup between the MN and the HA Mobile Node 1 2
BIDIRECTIONNEL TUNNELING § The packets from the CN are routed to the MN via the tunnel in both directions. § The Home Agent intercepts the NS on the Home Link and answers in Proxy- ND. § Transparent for the Corresponding Node Mobile Node
BIDIRECTIONNEL TUNNELING Mobile Node Src @ Dst @ MN IPv6 Home @ CN IPv6 @ Out Src Out Dst In Src In Dst MN IPv6 CoA HA IPv6 @ MN IPv6 Home @ CN IPv6 @ Src @ Dst @ CN IPv6 @ MN IPv6 Home @ Out Src Out Dst In Src In Dst HA IPv6 @ MN IPv6 CoA CN IPv6 @ MN IPv6 Home @ (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
RETURN ROUTABILITY PROCEDURE § Traffic is routed via the Home Agent until the Return Routability Procedure § CN must support Mobile IPv6 § The CN verifies that the Mobile Node can be reached at its CoA and its Home Address Mobile Node MN proves to the CN that it receives the Keygen Tokens
RETURN ROUTABILITY PROCEDURE § Verify that the MN who sends the Binding Update is the same MN who sends the data packets. Mobile Node A IPv6 Home Address IPv6 CoA Home Agent CoTI COT Visited Networks A Local Network B Correspondent Node HoTI: Home Test Init CoTI: Care-of Test Init HoT: Home Test COT: Care-of Test
MOBILITY HEADER FEATURES Type Message Feature 0 Binding Refresh Request (BRR) Binding Update sent by the MN to the HA or the CN 1 Home Test Init (HoTI) Sent by the CN to the Home address of the MN to initialize the Return Routability process. The HoTI is routed via the HA. 2 Care-of Test Init (CoTI) Sent by the CN to the MN CoA to initialize the Return Routability process. 3 Home Test (HoT) HoTI response of the MN to the CN 4 Care-of Test (CoT) CoTI response of the MN to CN 5 Binding Update (BU) Sent by the MN to notify the HA or the CN that it has changed its network point of attachment and has a new CoA. 6 Binding Acknowledgement (BA) Acknowledgement of the BU sent by the HA or the CN. 7 Binding Error (BE) Sent by the CN or the MN to signal an error. For example, if the MN send a message with a Destination Option including a Home Address but the CN does not have a CoA in its Binding Database. (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
ROUTE OPTIMIZATION SIGNALING § The MN registers its binding to the CN § This Mode must be supported by the CN § This can be avoided for security reason as the CN is now aware that the mobile node is no longer on its Home Link. § By default, the signaling is not crypted. Mobile Node Binding Update Binding Ack
ROUTE OPTIMIZATION (ID VERIFICATION) § The Mobile Node identity is verified § An IPSec Tunnel is established between the MN and the CN Mobile Node
DESTINATION OPTION INCLUDES THE MN SOURCE @ Mobile Node Dst Opt Src @ Dst @ MN IPv6 CoA CN IPv6 @ MN IPv6 Home @ The CN replaces the MN IPv6 CoA with the IPv6 Home @ from the Destination Option: Datagram comes from the MN (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
ROUTING OPTION INCLUDES THE MN SOURCE @ Mobile Node The MN replaces the MN IPv6 CoA with the MN IPv6 Home @ from the Routing Option: Datagram is sent to the MN Home @ Src @ Dst @ Routing CN IPv6 @ MN IPv6 CoA MN IPv6 Home @ (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
MOBILE IPV6 APPLICATIONS § Mobile Router or Nemo § RFC 3963: NEMO Basic Support Protocol § A router is moving with all its networks and connected hosts § RFC 5555: Mobile IPv6 Support for Dual Stack Hosts and Routers § Ad Hoc dynamic mobile networks or Manet § Nodes discover their neighbors dynamically § They join a network dynamically
NEMO: THE MOBILE ROUTER Mobile Router may receive a block of addresses from DHCPv6-PD Dual Stack avec DSMIPv6 Bluetooth Nemo Mobile Router
MOBILE AD HOC NETWORKING: MANET § MANET nodes discovers theirs neighbors dynamically § OSPFv3 § EIGRP Wireless Uplink
RFC5213: PROXY MOBILE IPV6 A proxy mobility agent performs signaling on behalf of a mobile device attached to the network. Two new network functions are defined in PMIPv6: § The Local Mobility Anchor (LMA) § Provides the home agent function within a PMIPv6 domain, being the topological anchor point for the mobile node’s care-of address. § The Mobile Access Gateway (MAG) § A function of an access router responsible for triggering the mobility-related signaling on behalf of the attached mobile device.
1) PMIPV6: MN AUTHENTICATION 1. The MN enters the PMIPv6 domain and attach to an access-link. 2. The MAG verifies the MN Identity and Authorizations. 3. If OK, the MAG helps the MN to get all the configuration: address, default gateway,… 4. The MN considers the PMIPv6 domain as a link Authentication The LMA provides the Mobile IPv6 HA function Local Mobility Anchor (LMA1) IPv6 Network Mobile Node MN1 Mobile Access Gateway (MAG1) Mobile Access Gateway (MAG3) Mobile Access Gateway (MAG2) Local Mobility Anchor (LMA2) Mobile Node MN2
Local Mobility Anchor (LMA1) 2) PMIPV6: MN JOINS THE IPV6 NETWORK 1. The MN sends a RS (Router Solicitation) to the MAG. 2. For updating the LMA about the MN location, the MAG sends a Mobile Node MN1 Mobile Access Gateway (MAG1) PBU (Proxy Binding Update) to the MN’s LMA. 3. The LMA sends a PBA (Proxy Binding Acknowledgement) including the MN home network prefixes. It creates the Binding Cache entry and sets up its endpoint of the bi-directional tunnel to the MAG. 4. The MAG sends a RA: Router Advertisement to the MN. The MAG can emulate the MN’s Home Link 5. The MN can be configured using SLAAC or DHCPv6 n PBA/PBU Signaling must be protected with IPSec ! n Data Protection is Optional RS PBU PBA including the MN home network prefixe(s) RA 1 2 3 4 The LMA provides the Mobile IPv6 HA function
CONCLUSION § DHCPv6 § Stateful § Stateless § Prefix Delegation § All the applications required to build and manage a network are available § Root DNS Servers are now also IPv6, so there is no longer any requirement to run dual stack for DNS § Mobile IPv6 is built from the IPv6 flexibility and requires three Options Headers
(C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
First Hop Routing Protocol
INTRODUCTION § Provide a fault tolerant default router § Transparent for hosts § FHRP protocol provides a virtual IPv6 address used by the end node as default route § This virtual address is configured on several routers § Also possible to track an interface or any objects as an IPv6 route
DEFAULT ROUTER SOLUTIONS § FHRP Protocols § HSRP for IPv6: The first implementation § GLBP for IPv6: For lad-balancing § VRRP for IPv6: An open standard § The cheapest solution § Neighbor Discovery (NDP) § The most expensive § Run a routing protocol on the hosts § RIPng, OSPFv3
INTRODUCTION TO HSRPV6 § HSRP was ported to IPv6 as HSRPv6 § Allows a virtual link-local address § UDP Hello to track neighbors § Default priority is 100 § The active router sends the RA § An interface can be tracked and priority decremented if it fails Hello P=100 Hello P=128
HSRPV6 STEP BY STEP Hello P=100 Hello P=128 RA FE80::1
HSRPV6 ON A CISCO ROUTER § For IPv6 HSRP, configure version: 2 standby version 2 § Configuration of the standby ipv6 address can be automatic standby 1 ipv6 <address❘autoconfig> § Configuration of interface tracking standby 1 preempt standby 1 track Ethernet1/0 § Verification of HSRPv6 show standby
HSRPV6: INTERFACE OR OTHER OBJECT TRACKING § Interface Tracking automatically decrements the HSRPv6 router priority if the interface fails § With preempt mode enabled, the STANDBY router becomes ACTIVE Standby Active
AS Routing Protocols
TOPICS § RIPv2 § OSPFv3 § ISIS § EIGRP for IPv6 § BGPv4
RIPNG § RFC 2080 § Based on RIPv2 § Distance Vector § Routing by rumour § Spit-horizon, poison reverse § Metric: Hop Count § Same limit as RIPv2 § Maximum Hop=15 § Use Link-Local Addresses § UDP Port 521 § Multicast announces FF02::9 § Cisco IOS support 4 instances of RIPng § Configured by interface
RIPNG. T=0 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
RIPNG. T=30 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
RIPNG. T=60 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
EIGRP FOR IPV6 § Next Header 88 § Distance Vector optimized with techniques from Link-State protocols § Neighbor discovery with fast multicast Hello § Full routing table exchanged during initialization § Then only Updates are sent § Reliable and Easy to configure § 3 New TLVs § IPv6_REQUEST_TYPE § IPv6_Metric_Type § IPv6_Exterior_Type § MD5 Authentication § Automatic Summarization disabled § No Split Horizon
COMPOSITE METRIC : F(⨊DELAY+MINBW) § Default Metric EIGRP = 256 * (107/BWmin + Sum(Delays)/10) § Example: A link to a destination with the smallest available bandwidth is 128k and the sum of the delays is 84000 microseconds § Emetric = 256 *(107/128 + 84000/10) § Emetric = 256*86525 = 22150400
EIGRP FOR IPV6 EXAMPLE interface Ethernet0/0 no ip address ipv6 address 4::1/64 ipv6 eigrp 100 interface Loopback0 no ip address ipv6 address CAFE:1::1/64 ipv6 eigrp 100 ipv6 router eigrp 100 eigrp router-id 1.1.1.2 no shutdown unix1b#sh ipv6 eigrp topology IPv6-EIGRP Topology Table for AS(100)/ID(1.1.1.2) Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status P 4::/64, 1 successors, FD is 281600 via Connected, Ethernet0/0 P CAFE:2::/64, 1 successors, FD is 128256 via Connected, Loopback0 P CAFE:1::/64, 1 successors, FD is 409600 via FE80::A8BB:CCFF:FE03:E900 (409600/128256), Ethernet0/0 unix1b#sh ipv6 eigrp interface IPv6-EIGRP interfaces for process 100 Xmit Queue Mean Pacing Time Multicast Pending Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes Et0/0 1 0/0 8 0/2 50 0 Lo0 0 0/0 0 0/1 0 0 unix1b#sh ipv6 eigrp neighbor IPv6-EIGRP neighbors for process 100 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 Link-local address: Et0/0 10 00:06:18 8 200 0 3 FE80::A8BB:CCFF:FE03:E900" (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
OSPFV3 FOR IPV6 § OSPF is recommended by the lETF for IPv4 et IPv6 § Link-State § Routing by propaganda § RFC 2740 § OSPFv3 is executed by link § OSPFv3 uses Multicast § FF02::5 OSPF Routers § FF02::6 OSPF designated routers § OSPF discovers its neighbors and becomes adjacent with some of them § Two routers are adjacents if they exchange their LSA directly
OSPFV3 ARCHITECTURE § Area 0 is the Backbone (area) § A router in one area is an Internal router § A router internal in the area 0 is a backbone router
OSPFV3 FEATURES § The ABR summarizes the routes between areas § The ASBR summarizes the routes between AS § Within an area OSPF has a Link State protocol behavior § Between two areas or two AS, it behaves as a Distance-Vector protocol
LSA MODIFICATIONS § Inter-area LSA § Summary (type 3) replaced by Inter-area Prefix LSA (Type 3) § ASBR Summary remplaced by Inter-area Router LSA (Type 4) § Router and Network LSA only contains Identifiers (no more prefix) § 2 new LSAs: § Link LSA (Type 8) § Link local scope contains the Link-Local addresses § Intra-Area Prefix LSA (Type 9) § Carry the IPv6 prefixes
NEIGHBOR OSPF – INIT (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
NEIGHBOR OSPF – 2WAY (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
NEIGHBOR OSPF – EXSTART: ELECTION MASTER (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
NEIGHBOR OSPF – LOAD - SYNCHRONIZATION (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
NEIGHBOR INITIALIZATION § Many OSPF instances are supported on a link § OSPF looks for neighbors of the same instance § The neighbor states are: – DOWN – INIT § Interface receives a Hello – 2WAY § One can see itself in the other router Hello. At this stage a DR should be elected on a multi-access network – EXSTART § The two neighbors elect the Master to drive the DB exchange. – LOAD § The DB are initializing between two neighbors – FULL § The neighbors are fully initialized
OSPF NETWORK TYPES § Point to Point Networks § Point to Point § Point to Multipoint § Both uses the multicast address FF02::5 § Point to multipoint nonbroadcast § Uses the unicast address of the neighbor § Multiple Access Networks § BROADCAST § Multicast addresses used are FF02::5 and FF02::6 § NBMA (Non Broadcast Multiple Access) § No broadcast and no multicast. Neighbor configuration must be done manually.
MULTIPLE ACCESS NETWORK: DR AND BDR § Two neighbors which synchronize their Databases are adjacents § On a multi-access network, a DR and a BDR are elected § Each router has a priority which is sent in the hello. § Highest priority win! § Priority 0 = cannot be elected § Non pre-emptive election. The elected DR and BDR are not replaced if a neighbor with a better priority comes up. § Neighbors are only Adjacents with the DR and BDR § This change the adjacencies from: n*(n-1)/2 which is O(n^2) (n-1)*2 which is O(2n) § For 7 neighbors we will have 12 adjacencies instead of 24 § For 20 neighbors we will have 38 adjacencies instead of 190
ISIS § ISIS for ISO 10589 § CLNP/CLNS § Integrated ISIS for IPv4 - RFC 1195 § Very similar to OSPF § Info is coded as TLV § ISIS for IPv6 uses Protocol 0X8E § 2 new TLV § IPv6_Reachability (0XEC) § IPv6_Interface_Address (0XE8)
ISIS FOR IPV6 CONFIGURATION router isis fred net 49.0001.0000.0000.0000.0200 passive-interface Loopback0 ! ! interface Ethernet0/0 no ip address ipv6 address FE80::3 link-local ipv6 address 2000::1/100 ipv6 router isis fred standby version 2 standby 1 ipv6 FE80::5 standby 1 preempt standby 1 track Ethernet1/0 end (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
Border Gateway Protocol (BGP) MP-BGP FOR MULTI PROTOCOL BGP FOR IPv6
INTRODUCTION § References § RFC 1770, 1772,1773, 1774, 2545 § The Internet Routing Architecture by Bassam Halabi § Path Vector Protocol § BGP runs over TCP port 179 § Path Attribute § Mandatory: In all updates § Well-known: Must be implemented § Discretionary: Not implemented § Transitive: Not sent to neighbors if not implemented § Most important are AS_PATH and NEXT_HOP § Full BGP Tables are exchanged at startup § Only updates are sent after
BGP ROUTING § eBGP and iBGP § Only eBGP changes the Next Hop § Peers are manually configured § Hold time negotiated § A routing protocol must run in each AS
PATH ATTRIBUTES : WELL-KNOWN MANDATORY § Origin (Type code 1) § Well-known, Mandatory § 0: IGP § 1: EGP § 2: Incomplete § AS_PATH (Type code 2) § Well-known, Mandatory § 1: AS_SET § 2:AS_SEQUENCE § NEXT_HOP (Type Code 3) § Well-known, Mandatory
OTHER ATTRIBUTES… § MULTI_EXIT_DISC (Type Code 4) § Optional, Non-Transitive § LOCAL_PREF (Type Code 5) § Well-known, Discretionary § ATOMIC-AGGREGATE (Type Code 6) § Well-known, Discretionary § AGGREGATOR (Type Code 7) § Optional, transitive § Community § Cluster § MP_REACH_NLRI
§ Synchronization § Next-Hop joinables § Weight (Cisco Proprietary) § Local Preference § AS_PATH le plus court § Multi Exit Discriminator § bgp always-compare-med § bgp bestpath med-confed § bgp deterministic med § eBGP avant iBGP § Multipath § eBGP Multipath § maximum-paths n § iBGP Multipath § maximum-paths ibgp n § eiBGP Multipath § maximum-paths eibgp n § Oldest Path BEST PATH ALGORITHM (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
EXAMPLE unix1a#sh bgp ipv6 600:11:22:62::/64 BGP routing table entry for 600:11:22:62::/64, version 900 Paths: (2 available, best #2, table Default) Flag: 0x820 Not advertised to any peer 1 55570 47418 39654 24266 44837 18778 7481 30006 26443 58269 46052 30397 45086 7253 {2680,19823,56986} 2000:100::100 from 2000:100::100 (5.5.5.5) Origin EGP, metric 1311, localpref 100, valid, external 1 55570 47418 39654 {24266,44837,18778} 2000::100 from 2000::100 (1.1.1.1) Origin EGP, metric 1174, localpref 100, valid, external, best 0 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
BGP MESSAGE § Open § Open a BGP session § Update § Contains the routing information § Routes to add or to withdraw § Notification § Reset the connection after an error § Keepalive § Keep the connection open
OPEN Ethernet Packet: 127 bytes Dest Addr: AABB.CC03.F000, Source Addr: AABB.CC03.E900 Protocol: 0x86DD IPV6 Version: 0x6, Traffic_Class: 0xC0, (Prec=Internet Contrl) Flow_Label: 0x000000, Payload_Length: 73 Next_Header: 6, Hop_Limit: 1 Source: 2000::1 Dest: 2000::100 TCP Src Port: 179, Dest Port: 11044 Seq #: 0x90D41545, Ack #: 0x0223D0B8, Hdr_Len: 5 Flags: 0x18 ACK PSH, Window: 16347, Checksum: 0x624D (OK) Urgent Pointer: 0 BGP Marker: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF When IPv6 is used AFI: IPv6 SAFI: Unicast Length: 53, Type: 1 (Open) Version: 4, AS: 65000, Hold Time: 180, BGP ID: 10.1.1.1 Option length: 24 Type:2 Len:6 : Capability: (Code: 1 Len:4) MultiProtocol Ext. AFI: IPv6, SAFI: Unicast, Type:2 Len:2 : Capability: (Code:128 Len:0) Route Refresh (old) Type:2 Len:2 : Capability: (Code: 2 Len:0) Route Refresh Type:2 Len:6 : Capability: (Code: 65 Len:4) Unknown Capability: 4104 0000 FDE8 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
UPDATE (MP_REACH_NLRI) BGP Marker: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF Length: 178, Type: 2 (Update) Unfeasible Routes Length: 0 Total Path Attribute Length: 155 Attr Flags: 0x40, Type: 1 ORIGIN: 1 (EGP) Attr Flags: 0x40, Type: 2 AS_PATH: Path Type: 2 (AS_SEQ), Len: 6; 1, 42040, 60532, 26199, 13743, 42950, Path Type: 1 (AS_SET), Len: 2; 2238, 12373, Attr Flags: 0x80, Type: 4 MULTI_EXIT_DISC: 2454 Attr Flags: 0x40, Type: 5 LOCAL_PREF: 70553 Attr Flags: 0x80, Type: 14 MP_REACH_NLRI: Len: 111 AFI: IPv6, SAFI: Unicast, NEXT_HOP: 2000::100 NLRI: Len: 64 bits, 600:11:22:14:: NLRI: Len: 64 bits, 600:11:22:15:: NLRI: Len: 64 bits, 600:11:22:16:: NLRI: Len: 64 bits, 600:11:22:17:: NLRI: Len: 64 bits, 600:11:22:18:: NLRI: Len: 64 bits, 600:11:22:19:: NLRI: Len: 64 bits, 600:11:22:1A:: NLRI: Len: 64 bits, 600:11:22:1B:: NLRI: Len: 64 bits, 600:11:22:1C:: NLRI: Len: 64 bits, 600:11:22:1D:: MP_REACH_NLRI AFI: IPv6 SAFI: Unicast (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
NOTIFICATION Ethernet Packet: 97 bytes Dest Addr: AABB.CC03.F000, Source Addr: AABB.CC03.E900 Protocol: 0x86DD IPV6 Version: 0x6, Traffic_Class: 0xC0, (Prec=Internet Contrl) Flow_Label: 0x000000, Payload_Length: 43 Next_Header: 6, Hop_Limit: 1 Source: 2000::1 Dest: 2000::100 TCP Src Port: 179, Dest Port: 11068 Seq #: 0xD7C221D4, Ack #: 0x3A33542E, Hdr_Len: 5 Flags: 0x18 ACK PSH, Window: 16347, Checksum: 0x74D9 (OK) Urgent Pointer: 0 BGP Marker: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF Length: 23, Type: 3 (Notification) Error Code: 2, OPEN Message Error Error SubCode: 2, Bad Peer AS Error Data: 0001 Reason for the BGP Session Reset: BAD Peer AS ! (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
EBGP VERSUS IBGP § iBGP sessions do not change the NEXT_HOP § iBGP sessions do not repeat a message received from iBGP § iBGP needs a full mesh § Cluster & Confederation § Cluster and Route Reflector allows an iBGP peer to repeat a message § Confederation creates sub-AS. iBGP session between Sub-AS behaves as eBGP
DUAL STACK IPV4/IPV6 § It is possible to use the same BGP session to announce IPv4 and IPv6 routes or to use different sessions for each protocol. § The same IPv4 session can be used for both IPv4 and IPv6 routes. § For 6PE, the IPv6 routes are announced in IPv4 sessions. The next hop of IPv6 routes are IPv4. § If IPv4 is used to announce IPv6 routes, the next hop must be configured.
EBGP PEERING CAN USE LINK-LOCAL OR GLOBAL § For eBGP peering, one can use the link-local instead of the Global address § The Outgoing interface must be configured § The Next Hop for advertised routes must be configured
BGP TABLE INTERNET § http://bgp.potaroo.net/v6/as2.0/index.html § BGP data obtained from AS2.Report last updated at Wed Jun 15 17:45:02 2011 (Australian Eastern Time)
RIPE LOOKING GLASS: HTTP://STAT.RIPE.NET/ 2A02:20::/32 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
CONCLUSION § BGP is not a Routing Protocol. The next-hop is not always the neighbor router § The next hop must be found with a routing protocol § BGP routes are recursive § BGP does not discover the neighbors; they are configured § iBGP peers do not repeat Updates § iBGP peers do not change the next-hop § eBGP peers must be directly connected § eBGP peering can be done with loopback for load-balancing § eBGP peering can use link-local or global addresses § BGP sessions can be used for IPv4 or IPv6 addresses
CONCLUSION (CONT.) § Most popular routing protocols are available for IPv6 § RIPng is RIPv2 for IPv6 § OSPFv3 is OSPF for IPv6 with a few differences in the Link-State Database § MP-BGP carry the IPv6 routing updates in MP_REACH_NLRI and MP_UNREACH_NLRI
(C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
TOPICS § Multicast IPv6 Addresses § PIM § PIM SM § PIM-SSM § PIM Bidir § Rendezvous Point (RP) § Static § Anycast RP § BSR § MLD § MLDv1 § MLDv2
MULTICAST. RFC 4291 FF Flag Scope 0 Interface ID § R § Embedded Rendezvous § RFC 3956 § P § Multicast based unicast § RFC 3956 et RFC 3306 § T § 0 Permanent address § 1 for temporary 128 bits n Scope – 4 bits n 1=node n 2=link n 4=admin n 5=site n 8=Organization n E=Global n 6, 7, 9-D not assigned. F est reserved. n Only the link-local is filtered by the routers, others must be filtered by routers (Access-List)
MULTICAST IPV4 AND IPV6 IP Service IPv4 Solution IPv6 Solution Extended Address 32-bits, Class D 128 bits. 112 bits Groups Routing PIM, MBGP, DVMRP, MOSPF PIM and MBGP Forwarding PIM-DM, PIM-SM, PIM-SSM, PIM-Bidir PIM-SM, PIM-SSM, PIM-Bidir Groups Management IGMPv1, v2, v3 MLDv1, v2 Domain Control Boundary, Border Scope Interdomains Solutions MSDP Unic RP (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
PIMV6 BASICS § PIM uses the unicast routing protocol to implement the Reverse Path Forwarding § MP-BGP can be used to build divergent routing tables § PIMv6 between Routers, MLD between Hosts and Routers DR 1st Jump DR Last Jump DR Last Jump
PIMV6 SPARSE MODE BASICS. RFC 4601 § The rendezvous point allows Source and Receivers (listeners) to meet. § The result is a tree shared by all sources (shared tree) toward a group of listeners. § Once the traffic starts to flow on the Shared Tree, it is possible to switch on the Shortest Path Tree (SPT). DR 1st Jump DR Last Jump DR Last Jump
THE PIM DESIGNATED ROUTER § The 1st Hop Router, near the source is the PIMv6 Designated Router § Elected with PIMv6 Hello Protocol § Highest Priority § Highest IPv6 address § Forward traffic from the source to the RP (Register) DR 1st Jump DR Last Jump DR Last Jump
THE MLD QUERIER § The Last Hop Router is the MLD Querier § Lowest IPv6 Address § Discover the local Listeners and start to build a path to the RP § A shared tree is then built from the RP to the listener DR 1st Jump DR Last Jump DR Last Jump
MULTICAST ROUTING INITIALIZATION § Routers must be IPv6 Multicast Routing enabled § PIM and MLD are started on their interfaces § Rendezvous point address MUST be configured § Static, Embedded or § Dynamic with BSR DR 1st Jump DR Last Jump DR Last Jump
PIMV6-SM: SHARED TREE INITIALIZATION § When a listener starts to listen to a given group, it sends Unsolicited Reports § A (*,G) entry is created in the Last Hop Router Multicast Routing Table (MRIB) MLD Multicast Listener Report (*,G) Hop-by-Hop Router Alert. Hop Limit=1 (*,G) (*,G) DR 1st Jump DR Last Jump DR Last Jump
PIMV6-SM: PIM JOIN TRAVEL TOWARD THE RP § Because it has a (*,G) entry in its MRIB, the Last Hop Router starts to send PIM Join (*,G) to its Rendezvous Point Upstream Neighbor. § The reception of a PIM Join (*,G) creates a (*,G) entry in the MRIB which triggers the sending of a PIM Join (*,G) to its Rendezvous Point Upstream Neighbor. § PIM Join reaches the RP. (*,G) (*,G) (*,G) (*,G) PIM Join (*,G) Dest: ff02::d Router Alert DR 1st Jump DR Last Jump DR Last Jump MLD Multicast Listener Report (*,G) Hop-by-Hop Router Alert. Hop Limit=1
PIMV6-SM: SOURCE STARTS TO SEND TRAFFIC § The source can start to send traffic at any time § No Signaling required DR 1st Jump DR Last Jump DR Last Jump
PIMV6-SM: SOURCE REGISTERS WITH THE RP § First Hop Multicast Router intercepts the Multicast flow § Multicast traffic is encapsulated in PIM Register unicast packets to the RP Register DR 1st Jump DR Last Jump DR Last Jump
PIMV6-SM: REGISTER AT THE RP § The RP removes the unicast encapsulation of the PIM Register § The RP duplicates (if multiple outgoing interfaces) and forwards the multicast toward all the Listeners DR 1st Jump DR Last Jump DR Last Jump
PIMV6-SM: JOIN TOWARD THE SOURCE § When the RP receives multicast in Register packets, it initializes a native multicast path by sending a PIM Join (S,G) toward the source § It travels hop by hop to until it reaches the first hop router PIM Join (S,G) DR 1st Jump DR Last Jump DR Last Jump
PIMV6-SM: BUILDING THE MULTICAST SHARED TREE § When the First Hop DR receives the PIM join, it is able to forward the multicast natively to the RP § When the RP receives two copies of the same multicast packet, it discards the encapsulated copy DR 1st Jump DR Last Jump DR Last Jump
PIMV6-SM: REGISTER-STOP § … and sends a PIMv6 Register-Stop to the First Hop DR. § The DR knows that it does not have to encapsulate the multicast traffic in unicast anymore Register-Stop DR 1st Jump DR Last Jump DR Last Jump
PIMV6-SM: FLOWING DOWN THE SHARED TREE § Traffic can now travel from the Source to all the listeners using the Shared Tree DR 1st Jump DR Last Jump DR Last Jump
§ Last Hop Router notices that it receives the traffic from an interface which does not point to the best path back to the Source (RPF). PIMV6-SM: PIM LAST-HOP SWITCHOVER TO THE SPT !!! DR 1st Jump DR Last Jump DR Last Jump
PIMV6-SM: LAST-HOP SWITCHOVER TO THE SPT § Last Hop Router sends a PIMv6 Join (S,G) toward the Source § (S,G) states are created in the MRIB by the PIMv6 Join (S,G) travelling hop by hop to the Source DR 1st Jump PIM JOIN (S,G) DR Last Jump DR Last Jump
PIMV6-SM: BUILDING THE SHORTEST PATH TREE (SPT) § When the DR receives the PIM JOIN (S,G), it starts to forward packets down the Shortest Path Tree but also down the Shared Tree. DR 1st Jump DR Last Jump DR Last Jump
PIMV6-SM: PRUNING THE SHARED TREE § When the Last Hop router receives two copies of the same flow, it decides to prune the Shared Tree § It sends a (S,G,rpt-bit) Prune toward the RP (S,G,rpt-bit) Prune DR 1st Jump DR Last Jump DR Last Jump
PIMV6-SM: SHORTEST PATH TREE ONLY (SPT) § When the Shortest Path Tree has been Pruned, traffic only flows on the Shortest Path Tree § If traffic on the Shortest Path goes down below a configurable threshold, it is possible to switch back to the Shared Tree. DR 1st Jump DR Last Jump DR Last Jump
PIM-SM SUMMARY § Sources and Listeners meet at the Rendezvous point § It is possible to stay forever on the Shared Tree to minimize the states on the routers. § The Rendezvous point must be carefully chosen on the network § It is possible to use an Anycast Address for the RP with longest match prefix to choose a primary. § BSR is the only dynamic RP configuration method § Using MLDv2 and SSM, there is no more need for an RP
INTRODUCTION TO MLD § ICMPv6 with IPv6 Hop-by-Hop Router Alert Option § Hop Limit is 1 § On each link a Querier is elected. § Lower IPv6 address is elected. § The Querier sends a Query on a regular basis to ask if there is any receiver present. Query FE80:: 1 FF02:: 1 I am the Querier 1 FE80::1 I am the Querier FE80::100 2 I won ! 3
ROBUSTNESS § This is the basis for the computation of many parameters § MLD is robust to [Variable Robustness] – 1 packet loss § Default: 2. MLD has no problem losing one MLD packet Host A Host B State Change R FE80:: 1 FF02:: 1
INTRODUCTION TO MLDV1 § All MLD packets are sent with Link-Local address as source. § Hop Limit is 1 § MLDv1 (RFC 2710) is IPv6 version of IGMP Version 2 (RFC 2236) § Multicast Listener Query § General Query. Sent to the all-nodes Link-Local multicast address to figure out which group has members. § Address-Specific Query is used to identify the members of a given group. It is sent to the address of the group which is being queried. § Multicast Listener Report § Response to a Query § Multicast Listener Done § Sent by a Listener that does not listen to this group anymore.
PIM-SSM § With PIM-SSM the Listener must provide the Source address. § Rendezvous points are no longer needed. § The source can be configured statically § The source can be learned from DNS with the Record G § PIM-SSM is supported with MLDv2 § RFC 3306: Unicast-Prefix-based IPv6 Multicast Flags: 00PT. P=1, T=1 plen = 0 network prefix = 0 FF3x::/96 x = any valid scope
EMBEDDED RP – FLAGS FF75:0130:2001:db8:9abc::4321 Flags: 7 R: Rendezvous Point = 1 then P: Prefix =1 and T: Temporary Prefix = 1 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
EMBEDDED RP – PREFIX FF75:0130:2001:db8:9abc::4321 Prefix length = 30 Hex = 48 dec 2001:db8:9abc:: (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
EMBEDDED RP – ADDRESS OF THE RP 7 5 1 FF75:0130:2001:db8:9abc::4321 Rendezvous Point Address 2001:db8:9abc::1 § RFC3956 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
PIM BOOT STRAP ROUTER § Many routers are Candidates BSR (C-BSR). § The C-BSR elect a BSR by sending C-BSR message with priorities. § The message travels hop by hop. § The C-BSR with the best priority becomes the BSR. § During the election it announces its presence on the network. § This is similar to the election of the root of the spanning-tree. § Some routers are configured as Candidates RP (C-RP). § C-RP unicast their presence of C-RP to the C-BSR. § The C-BSR sends its list of C-RP to all the PIM routers. § All the PIM routers receive the list of C-RP and execute the same hashing function to choose an RP for each group.
(C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
1ST GENERATION: THE IPV6 PIONEERS § Tunnels for Experimental testing or Enterprises The Experimental 6BONE network was created from overlay IPv6 in IPv4 Tunnels over the IPv4 Internet. § Dual-Stack § Overlay IPv6 in IPv4 Tunnels • Manual 6in4 and automatic 6to4 • And more automatic tunnels • Again mostly introduced with Windows: TEREDO to bypass NAT devices and ISATAP to use IPv4 networks as a NBMA network for IPv6. § NAT and Private Addresses (RFC1918) • In parallel to make the most of the remaining IPv4 addresses, NAT44 and IPv4 private addresses (RFC1918) were introduced (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
2ND GENERATION: SPS TRANSITION 1ST PHASE, THE 2000S § SPs with MPLS/IPv4 Backbone: 6PE and 6VPE Most SPs were running IPv4/MPLS First Phase of the transition, deploy 6PE/6VPE § SPs with IPv4 Backbone: 6RD FREE a french SP deployed IPv6 in 5 Weeks from a 6to4 stack! § Carrier Grade NAT or Large Scale NAT (Testing) DS-Lite = IPv4 in IPv6 Tunnel + CGN § SPs who deployed IPv6 choose DS-Lite to support the existing IPv4 customers § They deploy it as soon as they migrated from 6PE/6VPE to Native IPv6 § Some of them planned to replace DS-Lite with A+P when it will be available Other protocols are designed, some of themare tested: CGN, NAT444, NAT464, dIVI, dIVI-pd § Network Address Translation Protocols (NAT) NAT-PT § First attempt to translate IPv6 to IPv4 protocols. Deprecated! NAT64/DNS64 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
3RD GENERATION: GOING STATELESS, THE 2010s § Stateful Carrier Grade NAT issues Because of the Stateful CGN known issues, a lot of work is being done to develop and test some Stateless protocols to share the remaining IPv4 addresses without stateful NAT, CGN. § A+P Architecture and Stateless NAT solutions Testing To share the remaining IPv4 addresses using the IPv4 Source Ports Without any Stateful NAT in the SP backbone. § Users or CPE have some IP addresses and Source Ports assigned § Not a new solution, FT ORANGE planned A+P in 2009 while they were choosing DS-Lite in the first place § First proposal for A+P at the IETF Taipei 2011 is based on Stateless NAT464 aka dIVI, dIVI-pd and 4RD (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
TRANSITIONTOOLS - DEPLOYMENT (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! Time IETF Taipei 82 – Nov 2011 2010 2007 2003 1996 Dual-Stack 6to4 6in4 NAT-PT 6VPE NAT64 NAT64 DS-Lite Testing dIVI-pd NAT444 DS-Lite 6RD A+P 6PE 6BONE 6PE 6RD 6VPE DS-Lite dIVI-pd NAT444 A+P Standardization IPv6 in IPv4 Tunnels IPv4 in IPv6 Tunnels NAT464
NETWORK ADDRESS TRANSLATION n NAT44 and IPv4 private addresses in the 90s n IPv6 to IPv4 translations • NAT-PT † AT-PT is NAT64 + NAT46 + DNS ALG • NAT-PT was replaced by NAT64 and DNS64 n Carrier Grade NAT or Large Scale NAT • NAT444 or double NAT • DS-Lite = IPv4 in IPv6 Tunnels + NAT44 (LSN) (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DUAL STACK AND TUNNELING This was introduced at the very beginning of IPv6 in 1996 All clients are now configured by default as dual-stack nodes It is still the best approach for a smooth transition Tunnels are manually, statically configured It may be obvious but for dual-stack you still need IPv4 addresses! IPv4 IPv6 Host Tunneling Dual Stack Router Dual Stack Router IPv6 Host IPv6 Hosts IPv6 IPv4 IPv6 IPv4 IPv6 IPv4 IPv6 Packet IPv6 Hdr IPv4 Hdr (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
AUTOMATIC TUNNELS FOR ENTERPRISES: 6TO4 Tunnel destination IPv4 address is embedded in the IPv6 address ! 2002:C044:1::/48 prefix comes from 192.68.0.1 2002:C046:1::/48 prefix comes from 192.70.0.1 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
6TO4 RELAY n Microsoft Public Relay: ü 6to4.ipv6.microsoft.com ü Anycast: 192.99.88.1 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
SPS MPLS ENABLED: 6PE AND 6VPE In the very early 2000s, 6PE was introduced to help the SPs with an MPLS/IPv4 Background to provide an IPv6 Service No Backbone Routers Upgrade needed! (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
All IPv6 Addrpt4asses of a building Xlate to one IPv4 Addresses: 2001:DB8:678:1000::/48 -> IP 10.12.13.2/24 2001:DB8:678:1000::/48 -> IP 10.12.13.3/24 2001:DB8:678:1000::/48 -> IP 10.12.13.4/24 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! DHCPv6 Client IPv6 Internet STATEFUL NAT64 101.12.13.1/24 2001:db8:678::1/64 (SLAAC) DHCPv6-PD Client Use LL for the p2p Link Address to SP IPv6 Private Network 2001:db8:658::/48 2001:db8:678:1::/56 8 bits for Subnets 2001:db8:678:3::/56 8 bits for Subnets 2001:db8:678:2::/56 8 bits for Subnets First Subnet 2001:db8:678::/64 2001:db8:678:30::/64 2001:db8:678:31::/64 ... 2001:db8:678:20::/64 2001:db8:678:21::/64 ... 2001:db8:678:10::/64 2001:db8:678:11::/64 ... 1 2 IPv4 Only Host 10.12.13.1/24 10.12.13.2/24 10.12.13.3/24
6RD AUTOMATIC TUNNEL FOR SPS Free, a french SP customized a 6to4 stack to allow a custom prefix instead of 2002::/16 Free deployed 6RD in 5 weeks in 2007 and immediately started an IPv6 service over the IPv4 backbone, user configurable 4RD is IPv4 in IPv6 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DUAL STACK LITE OR DS-LITE Once the SP have migrated their backbone to IPv6, DS-Lite is used to support RFC1918 IPv4 Customers § IPv4 in IPv6 Tunnels + NAT44 (LSN at the SP) § LSN inside mapping uses Source IPv6 + Source IPv4 + Port § LSN allows to share the remaining IPv4 addresses efficienciently But LSN must keep a lot of states and is a Single Point of failure shared by Many Customers LSN (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DS-LITE: HELP TRANSITION TO IPV6 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
CONNECTING IPV6-ONLY WITH IPV4-ONLY: AFT64 Access Aggregation Edge Core IP/MPLS Residential IPv6 ONLY connectivity NAT64 DNS64 Public IPv4 Internet IPv4 Datacenter IPv4 ONLY New IPv6 clients must have access to IPv4 content § AFT64 technology is only applicable in case where there are IPv6 only end-points that need to talk to IPv4 only end-points (AFT64 for going from IPv6 to IPv4) § AFT64:= “stateful v6 to v4 translation” or “stateless translation”, ALG still required § Key components includes NAT64 and DNS64 § Assumption: Network infrastructure and services have fully transitioned to IPv6 and IPv4 has been phased out (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
PROTOCOL TRANSLATION: NAT64, DNS64 § Client requests the IPv6 Address § DNS64 translates the request to an IPv4 Address DNS64 Web Server IPv4 DNS h2.exemple.com ? h2.exemple.com ? A: 192.0.2.1 AAAA 64:ff9b::c0:201 NAT64 IPv6 IPv4 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
NAT64 AND DNS64 § The session is initialized by IPv6 client § Traffic route the 64:ff9b::/96 prefix to the NAT64 Router § NAT64 then convert headers in both directions DNS64 Web Server IPv4 DNS SYN 64:ff9b::c0:201 SYN+ACK h2.exemple.com ? h2.exemple.com ? A: 192.0.2.1 AAAA 64:ff9b::c0:201 NAT64 SYN 192.0.2.1 IPv6 IPv4 SYN+ACK (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
NAT444: A SECOND LEVEL OF NAT44 Solution to share the remaining IPv4 addresses among multiple customers (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
NAT444: LSN SCALABILITY ISSUE n How many streams LSN will be able to manage ? n LSN is a Single Point of failure (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
NAT444: OVERLAPPING PRIVATE ADDRESS ! (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
NAT444: 2 CUSTOMERS BEHIND SAME LSN (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
NAT444 NETWORK DESIGN ISSUES § Overlapping Addresses If one of the customers network uses the same private network number than the NAT CPE to LSN link we have a sever duplicate network issue !!! § Two Customers behind the same LSN want to communicate Packets with a private source address may be dropped by customer policy (Firewall, ACL, host policy). So LSN must be used also for local traffic § Plus all the LSN Based solutions: – Scalability Behind each CPE NAT there can be many devices. Each device may generate many application streams. How mansy stream will be supported by LSN ? We have not enough experience to say ??? – Single Point of Failure The LSN device keeps many states. If it reboot, many users will have to restart their applications. (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DS-LITE: CONNECT THE IPV4 USERS Another solution to share the remaining IPv4 addresses among multiple customers (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
STATEFUL NAT464 OR STATELESS DIVI, DIVI-PD dIVI is the stateless version to share IPv4 addresses among multiple users using source ports Stateless means NO NAT or LSN! (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
ADDRESS+PORT (A+P) § Experimental RFC6346 § Use some bits of the source port to share an IPv4 address without Stateful NAT, CGN or LSN. § Can be implemented on hosts or CPEs which may have to do some translation for the non upgraded hosts § Requires signaling to request which ports are granted § IPv4 Packets must be encapsulated/decapsulated to get sent into tunnels using the ports which are allocated for the host or the CPE § The first proposal at the IETF in 2011 relies on Stateless NAT464 aka dIVI, dIVI-pd and 4RD and does not require signaling § France Telecom-Orange has a software implementation: http://opensourceaplusp.weebly.com/ (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DIVI, DIVI-PD OR STATELESS NAT464 A+P proposal at the IETF actually relies on dIVI-pd and 4RD. § dIVI-pd is Stateless NAT464 and permit to translate IPv6 addresses to IPv4 Address+Source Port It is then possible to share an IPv4 address among many users or CPEs. Without requiring any Stateful NAT with all the known problems associated A very interesting test in large SP domains : " For port configuration, since there are 65536 TCP/UDP ports for each IP address, and in fact one can use hundreds only for normal applications, so one IPv4 address can be shared by multiple customers. In our experiment, we selected ratio to be 128. That is to say, one IPv4 address is shared by 128 users, and there are 512 available ports per user." http://tools.ietf.org/html/draft-sunq-v6ops-ivi-sp-02#page-7 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
CONCLUSION § Dual Stack is the preferred transition method § For enterprise many tunneling encapsulations are available § Transition techniques have serious Security implication § Tunnels if not secured with IPSec are very unsafe § Manual Tunnels are more secure, but can also be used to inject any kind of traffic § For Service Providers, 6PE and 6VPE over MPLS/IPv4 or 6RD over IPv4 § To support IPv4 Only Application, NAT64/DNS64 is a possible approach § To support IPv4 RFC1918 only clients over a new IPv6 infrastructure, DS-Lite will be the preferred approach
IPv6 on MPLS/IPv4 INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
WHY MPLS? § At the beginning MPLS was designed to replace a complex IP header with a simple one using a small label for a more efficient forwarding § MPLS introduced a connected mode § IP routers became very powerful and the performance was no longer the driver for MPLS adoption. So why MPLS? § MPLS enables the network for more services § MPLS-VPN § Traffic Engineering § IPv6: 6PE, 6VPE
MPLS-VPN ARCHITECTURE PE: Provider Edge CE: Customer Edge P: Provider PE MP-iBGP Nuage MPLS OSPF ou ISIS LDP ou RSVP P CE CE CE CE VRF Red PE PE PE P P P PE VRF Green VRF Green VRF Red (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
MPLS-VPN 2 LEVELS OF ROUTING § In the Core § OSPF or ISIS builds the IP routing table § LDP or RSVP distributes the labels in the core § At the edge: VRF § BGP builds the VRF routing table § BGP distributes the labels with the VRF routes § MP-BGP IP Routes are recursively resolved thanks to OSPF or ISIS
MPLS VPN: ROUTES AND LABELS EXCHANGES PE 192.168.1.0 label 34 CE CE Nuage MPLS P PE l0:193.13.13.1 P MP-iBGP 192.168.1.0 192.168.1.0 IP IP 34 15 193.13.13.1 POP 193.13.13.1 25 193.13.13.1 15 IP 34 25 IP 34 IP BGP label Exchange LDP label Exchange CE to CE packet travel
WHAT IS 6PE (RFC 4798)? § Provides IPv6 global connectivity over an IPv4-MPLS core § Transitioning mechanism for providing unicast IPv6 access over IPv4-signaled MPLS § Coexistence mechanism for combining IPv4 and IPv6 services over an MPLS backbone § As with other IPv6 “tunnel” technologies, it enables services such as the following: § “IPv6 Internet Access” § Peer-to-peer connectivity § Access to IPv6 services supplied by the SP itself
6PE ARCHITECTURE (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
MINIMUM INFRASTRUCTURE UPGRADE FOR 6PE
6PE: THE TECHNOLOGY § It is an implicit method to tie-up a v4-signalled label switch path with IPv6 routes announced via MP-BGP § It can apply RFC 2547bis architecture to IPv6: § IPv4/MPLS core infrastructure remains IPv6-unaware § PEs are updated to support dual stack/6PE § IPv6 reachability exchanged among 6PEs via MP-iBGP § IPv6 packets transported from 6PE to 6PE inside IPv4 LSPs
6PE OVERVIEW
6PE LSP SETUP
6PE: ROUTING
FORWARDING
WHAT IS 6VPE (RFC 4659)? § For VPN customers, IPv6 VPN service is exactly the same as IPv4 VPN service § Current 6PE is like VPN but is NOT VPN (that is, global reachability) § Coexistence mechanism for combining IPv4 and IPv6 VPN services over an MPLS backbone § It enables services such as: § IPv6 VPN Access § Carriers supporting carriers § Access to IPv6 services supplied by the SP itself § Internet Access § Hub and Spoke § InterAS Scenario A, B and C
6VPE ARCHITECTURE (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
VPNv4 6VPE RD 2 bytes:6 bytes TYPE:VALUE 2 bytes:6 bytes TYPE:VALUE RT (extended community) 2 bytes:6 bytes TYPE:VALUE 2 bytes:6 bytes TYPE:VALUE VPN address 8 bytes:4 bytes RD:IPv4-address [8 bytes]16 bytes [RD]IPv6-address MP_REACH-NLRI AFI=1 SAFI=128 AFI=2 SAFI=128 NLRI <length, IPv4-prefix,label> <length, IPv4-prefix,label> VRF (Virtual Routing & 1 VRF = 1 RIB + 1 FIB MP-VRF forwarding instance) Nexthop 0:IPv4-address [0]::FFFF:IPv4-address [0]:IPv6-address [0]:IPv6-LL-address Peering IPv4-address IPv4-address, IPv6-address IPv6-LL--address 6VPE: THE TECHNOLOGY
ROUTING PROTOCOLS LEVERAGED WITH 6VPE • IPv4-signalled LSP • iBGP VPNv6 AF peering between 6VPE (PE1, PE2) • eBGP IPv6+vrf AF peering with CE • Only eBGP and static route within VRF between CE-PE
ROUTING TABLES • At the 6VPE - A set of private IPv6 routing tables (red, blue) - A default routing table (IPv4 or IPv6) - A BGP table (AF VPNv6)
ROUTING TABLES: EXAMPLES PE1#show ipv6 route vrf blue IPv6 Routing Table -blue -7 entries C 2001:100::/64 [0/0] via Ethernet4/0, directly connected B 2001:300::/64 [200/0] via 200.10.10.1%Default-IP-Routing-Table, indirectly connected PE1#show ipv6 route vrf red IPv6 Routing Table - red - 10 entries C 2001:200::/64 [0/0] via Ethernet0/0, directly connected B 2001:400::/64 [200/0] via 200.10.10.1%Default-IP-Routing-Table, indirectly connected PE1#show ip route 200.10.10.0/32 is subnetted, 1 subnets i L1 200.10.10.1 [115/30] via 40.1.1.3, Ethernet1/0 31.0.0.0/24 is subnetted, 1 subnets i L1 31.1.1.0 [115/30] via 40.1.1.3, Ethernet1/0 200.11.11.0/32 is subnetted, 1 subnets C 200.11.11.1 is directly connected, Loopback0
BGP VPNV6 TABLE EXAMPLE PE1#show bgp vpnv6 unicast all Network Next Hop Metric Route Distinguisher: 100:1 (default for vrf blue) * 2001:100::/64 2001:100::72a 0 *> :: 0 *> i2001:300::/64 ::FFFF:200.10.10.1 0 Route Distinguisher: 200:1 (default for vrf red) *> 2001:200::/64 :: 0 *> 2001:400::/64 ::FFFF:200.10.10.1 0
FORWARDING
6VPE ADVANCED SERVICES § InterAS Scenario A, B or C (Also applies for 6PE) § Internet access Model 1 and 3 § Hub and spoke § Carrier’s carrier
VPN CLIENT CONNECTIVITY VPN sites attached to different MPLS VPN service providers RD:1:27:2001:db8:1::/48, RT=1:231, Label=(28) BGP, OSPF, RIPv2 2001:db8:1::/48,NH=CE-1" VPN-A-1 VPN-A-2 VPN-v4 update: PE-1 PE2 CE2 Edge Router1 Edge Router2 NH=PE-1 CE-1 AS #100 AS #200 149.27.2.0/24" VPN-A VRF Import routes with route-target 1:231" How to distribute routes between SPs?
VPNV6 DISTRIBUTION OPTIONS IN INTER-AS Several options available for distribution of VPNv6 prefix information PE-1 VPN-A-1 PE-2 VPN-A-2 CE-2 PE-ASBR-1 PE-ASBR-2 Back-to-back VRFs MP-eBGP for VPNv4 AS #100 AS #200 Multihop MP-eBGP between RRs CE-1 Multihop MP-eBGP Non-VPN Transit Provider
SCENARIO A: PARTNERSHIP BETWEEN TWO SPS § Recommended for fewer VRFs requiring simpler connectivity when ASBRs are directly connected over a physical interface § ASBRs are directly connected over a physical interface § Sub-interface per VRF is created and mapped § Packet is forwarded as an IP packet between the ASBRs § Each PE-ASBR router treats the other as a CE § PE-ASBR to PE-ASBR link may use any supported PE-CE routing protocol § Scalability issues if need to support large numbers of VRFs § Most used when two ISPs want to interconnect a few customers as it allows maximum control § Maximum Isolation between the 2 AS
SCENARIO A. BACK-TO-BACK VRF CONNECTIVITY VRF to VRF connectivity between PE-ASBRs PE-1 PE-ASBR-1 PE-ASBR-2 AS #100 AS #200 CE-1 CE-2 CE-3 VPN-A-1 PE-2 CE-4 VPN-A-2 VPN-B-1 VPN-B-2 One logical interface and VRF per VPN client
SCENARIO B. MP-EBGP FOR VPNV6 MP-BGP VPNv6 prefix exchange between gateway PE-ASBRs PE-1 MP-eBGP for VPNv6 Labels exchange between Gateway PE-ASBR routers using MP-eBGP CE-1 CE-2 CE-3 VPN-A-1 PE-2 CE-4 VPN-A-2 VPN-B-1 VPN-B-2 PE-ASBR-1 PE-ASBR-2 AS #100 AS #200
SCENARIO C: SAME ISP MERGING AS § This is the favorite method when an ISP want to merge multiple Autonomous System under its control. § No need to install the 2 additional ASBRs of Scenario B. § In this solution, the ASBRs are only needed to leak the 6VPE loopback /32 routes with associated labels. This can be done with eBGP IPv4 + Label (RFC3107) or running the IGP and LDP between the ASBR. § In this solution only the destination next hop on the ingress 6VPE is not the local ASBR but the egress 6VPE loopback /32 address. § Maximum fusion of the 2 ASs
SCENARIO C. MULTIHOP MP-EBGP FOR VPNV6 BETWEEN RRS Multihop MP-eBGP VPNv6 prefix exchange between Route Reflectors PE-1 Multihop MP-eBGP for VPNv6 with no next-hop- self CE-1 CE-2 CE-3 VPN-A-1 PE-2 CE-4 VPN-A-2 VPN-B-1 VPN-B-2 ASBR-1 RR-2 AS #100 AS #200 ASBRs exchange BGP next-hop addresses with labels" ASBR-2 RR-1 eBGP IPv4 + Labels
HUB AND SPOKE TOPOLOGY § The Hub and Spoke is used when the traffic has to take a given path for an application, like a firewall. CE1 CE2 PE2 PE3 PE1 Hub-CE Spoke-CE
INTERNET ACCESS: WHAT’S THE PROBLEM ? § The Internet routing table cannot be imported into each VRF. § The full Internet routing table must be kept in the global routing table. § Two Methods for 6VPE Access to the Internet: – Use one interface in the global table for Internet access and one interface in the VRF for the VPN access. This method does not require any specific features. OR – Only one interface for VRF and Internet access. The static routes may have destinations and next hop in different access spaces. These routes are redistributed in BGP.
CARRIER’SCARRIER: WHAT’S THE PROBLEM ? § We need to interconnect ISPs, which manage the full Internet routing tables. § The full routing tables cannot be imported in each VRF. § The customer advertises their Internet routing table between POPs via iBGP session throughout the 6VPE service, but they are never imported in the VRF. § The 6VPE VRF only has routes and labels for the Internet routes Next Hop. § The Carriers backbone receives a labeled packet for the BGP Next Hop destination Similar to MPLS-VPN where the P router don’t know the VPN routes. All they know it the Egress PE loopback address. With CsC, the Carrier don’t know the Internet routes BUT the Next-Hop of these routes!
CSC EXAMPLE INTERCONNECTING 2 POPS
CONCLUSIONS § 6PE and 6VPE are proven solutions and they do not have the performance and security concerns related to tunneling § All the Advanced Services supported with IPv4 and MPLS-VPN are supported with 6PE and 6VPE § Many operators provide IPv6 service to their customers with 6PE/6VPE § 6PE and 6VPE do not require any update of the MPLS/IPv4 backbone § For Operators who have not deployed MPLS, 6RD can be a good alternative
(C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
QOS FOR IPV6 § 8 bits, Traffic Class § 20 bits, Flow Label Ver Traffic Class Flow Label Payload Length Next Header=Hop-By-Hop Hop Limit Source IPv6 Address Destination IPv6 Address Next Header=Routing Hdr Next Header=TCP Hop-By-Hop Routing Header TCP Header
TRAFFIC CLASS – 8 BITS § Same use as the ToS + Precedence bit in IPv4 § Mutable Field, it can be remarked by intermediate router § It carries the DSCP bits to identify either: § Expedited Forwarding Class § typically used by VoIP § Assured Forwarding Class § AF1x to AF4x § where x is the drop probability of the packet
FLOW LABEL – 20 BITS § The Flow Label helps to identify a flow with a Source and Destination IPv6 address § Unmutable Field not changed by any intermediate router § Flow Label = 0 is the default Flow § Field not covered by encryption if IPSec is used § Field not fragmented if fragmentation occurred § There is no common agreement about its utilization § In addition, this field could be used by an attacker as it identifies a Flow and is not protected by IPSec § In practice the Flow Label is available for Application but not used
INTSERV § Defined 3 Class of Service § Guaranteed Services § Bandwidth Guarantee, delay and no loss of traffic § Controlled Load § Multiple levels of best effort § Best Effort § RFC 1633 § RSVP is used as a Signalling Protocol RFC2205 § Flow level granularity § End-to-End QoS
RESOURCE RESERVATION PROTOCOL (RSVP) § RFC 2205 RSVP Version 1 § RSVP is used to reserve Bandwidth in the Router’s Priority Queue § RSVP Service Types: § Controlled Load RFC 2211 § DiffServ similar to AF § Guaranteed Load RFC 2212 § DiffServ similar to EF
DIFFSERV § Granularity is the flow aggregate § Expedited Forwarding § RFC 2598 § DSCP 101110 § Real Time class for Voice and Video § RSVP can help to reserve Bandwidth § Match IntServ Guaranteed Services § Assured Forwarding § Classes AF1x to AF4x § CS1 to CS4 for compatibility with Precedence § Match IntServ Controlled Load
DIFF SERV CLASS SELECTOR PHB DSCP DSCP bin Intended Protocol Configuration IP Routing Class Selector 6 110000 BGP, OSPF, and so on Queuing=rate based. Small guaranteed min rate, WRED Streaming Video Class Selector 4 100000 Often Proprietary Admission control=RSVP, Queuing=rate based. Small guaranteed min rate, WRED Telephony Signaling Class Selector 3 011000 SIP, H323, etc…. Queuing=rate based. Small guaranteed min rate, WRED Network Management Class Selector 2 010000 SNMP Queuing=rate based. Small guaranteed min rate, WRED Scavenger Class Selector 1 0010000 User Selected Service Queuing=rate based. NO guaranteed min rate, WRED (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
Diff-Serv and MPLS INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
MPLS AND QOS 3 bits for 8 levels of priority in MPLS § Experimental bits 3 MPLS Transit modes § Uniform mode § Short Pipe mode § Pipe mode
MPLS EXP BITS § Label/Tag: 20 bits § MPLS Experimental bits: 3 bits § Bottom of Stack: S § Time To Live: 8 Bits Label/Tag 32 bits COS TTL 3 2 1 0 EXP S
UNIFORM MODE APPLICATION § The service is managed end-to-end by the same organization MPLS/VPN MPLS/VPN Fusion MPLS EXP-IP DSCP EXP->DSCP DSCP->EXP dscp
UNIFORM MODE § MPLS and IPv6 have the same QoS Strategy § DSCP is copied in EXP at the Ingress § EXP is copied in DSCP at the Egress
PIPE MODE § MPLS and IPv6 networks have a different QoS strategy § EXP and DSCP are completely independent of each other § MPLS EXP is used to schedule the packet at the Egress
SHORT PIPE MODE § MPLS and IPv6 have a different strategy but…. § At the egress, DSCP is used to schedule the packet
CONCLUSION § QoS in IPv6 is similar to QoS in IPv4 with the addition of the Flow Label field § QoS also apply to MPLS networks and 3 models provide 3 different strategies when IPv6 packets must cross a MPLS/IPv4 network
(C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
Security Management in IPv6 INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
IPSEC § IPSec is mandatory with IPv6 Stacks § Headers Authentication § Data Confidentiality § Data Integrity http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6- ipsec.html
IPSEC: AH AND ESP § Architecture. RFC 2401 § Authenticated Header § Integrity, Authentication and anti-replay § Each packet has a unique signature § Protocol 50 § Encapsulating Security Payload § Has all the AH features… § So why still use AH ? § ESP adds encryption of the payload for confidentiality § Protocol 51
IPSEC: TRANSPORT MODE § Used for Host-to-Host communication § Only the payload is encrypted and/or authenticated § Addresses cannot be changed without corrupting the header hash unless we use NAT Transversal (NAT-T) § RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements § RFC 3947: Negotiation of NAT-Traversal in IKE § RFC 3948: UDP Encapsulation of IPsec ESP Packets
MODE IPSEC: TUNNEL MODE § Used for Router-to-Router communication § The whole datagram is authenticated and/or encrypted § The original packet is then encapsulated in a new packet § This mode supports NAT in a very limited mode § See rfc3715: 4.1 IPSec Tunnel Mode
IPSEC ENCAPSULATIONS (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
IKE RFC 2409 § If someone can capture enough IPsec traffic, the IPSec key can be guessed § To avoid this, the key can be changed automatically and securely on a regular basis § Each time, IKE creates a new Security Association § Hybrid protocol based on ISAKMP, Oakley and KEME
SECURITY ASSOCIATION (SA) § Contains all the states needed to protect communication with a peer. § SA is unidirectional. § An SA is needed at each end of the IPSec connection. § If manually configured it has no Time to Live § If it is created dynamically with IKE, then it has a Time To Live. § SA is saved in a SADB § SA is identified by: § The source thanks to a Selector § The destination thanks to the Security Parameter Index (SPI) on 32 bits
SECURITY ASSOCIATION (SA) PARAMETERS § Sequence Number (32 bits) § outbound processing § Incremented for each secured packet § No more than 4G packet generated with the same key § Sequence Number Overflow § Outbound processing § Used if Sequence Number get over the maximum § The policy detemines the action in this case § Antireplay Window § Lifetime § Mode (Tunnel or Transport)
SECURITY ASSOCIATION (SA) PARAMETERS (CONT.) § Tunnel destination § For the tunnel mode § Parameters PMTU § Security Policy § All policies are stored in the SP Database § Determine the action for the protection § Selectors § Source and Destination Address § Name § Protocol § Upper Layer Ports
ESP HEADER AND TRAILER 32 bits Security Parameter Index (SPI) Sequence Number IV Protected Data Pad length Next Pad Header Authentication data (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
AH HEADER 32 bits Next Header Payload Reserved Length Security Parameter Index (SPI) Sequence Number Authentication data (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
ISAKMP § IKE is a hybrid protocol based on ISAKMP, Oakley and KEME § ISAKMP communicates on port UDP 500 § Defines how 2 peers communicate § Defines the states transitions between 2 peers § Initialization in two phases of the ISAKMP SA § ISAKMP SA analogous to IPSec SA § Cookies Exchange § Policy Negotiation
IKE EXCHANGE : CREATE AN IKE SA § Two exchange modes § main mode § aggressive mode § Establish a channel secure and authenticated § Key exchanged § Find an agreement in Security Parameters § Parameters § encryption algorithm § hash algorithm § authentication method § Diffie-Hellman group
P2P IPSec Tunnels IPSEC+TUNNEL = VPN (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
DMVPN § Encrypted GRE Points to Multipoint Tunnels § NHRP for Spoke-to-Spoke direct communication § A hub is configured with many Spokes § Tunnels are encrypted for confidentiality § Spoke-to-Spoke tunnels are created on-demand
DMVPN: EXAMPLE Only one Tunnel Interface is configured on the Hub and on the Spokes
THREATS ON IPV6 § Threats on IPv6 Header § Threats on ICMPv6 and NDP § RFC6104: Rogue RA § NDP Exhaustion http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf § Threats on Transition § Dual-Stack § Tunnels § Translation § Attacks on Router § Securing the BGP Internet Access
IPV6 HEADER THREATS § Extension Header § Router Alert Option – http://www.iana.org/assignments/ipv6-routeralert-values/ipv6-routeralert-values.xml § Source Routing Type 0. † – http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf – http://www.ietf.org/rfc/rfc5095.txt – Blocked by Firewall § Fragmentation – Security Considerations for IP Fragment Filtering (rfc1858) – Protection Against a Variant of the Tiny Fragment Attack (rfc3128) § Option not recognized – Should be dropped but ignored in reality § On a Cisco Router, this should be blocked by ACL
THREATS ON NDP A good presentation from the hacker choice web § http://www.thc.org/ipv6 IPv6 Neighbor Discovery (ND) Trust Models and Threats § http://www.ietf.org/rfc3756.txt Example of such attacks: § DAD attack § Network scan and NDP Exhaustion http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf § Kill the default router § Rogue Router. See RFC6104 § Redirect attack § Reduce the MTU
DAD ATTACK § A node wants to join the network and performs DAD § It sends an NS for the tested address § An Attacker sends NA for the tested address § Address is considered a DUP, A can’t access the network NA
KILL THE DEFAULT ROUTER § Traffic flows thru the router § The forged RA announces the existing Router address with a zero Lifetime § A does not have a default router § Without a default router, A assumes destination is on-link! § Hacker then pretends to be the next-hop
ROGUE ROUTER § Traffic flows thru the router § The forged RA announces the existing Router address with a zero Lifetime § Another RA can give hacker an Address with Lifetime > 0 § RFC6104
REDIRECT, MAN-IN-THE-MIDDLE ATTACK § Initial traffic travels from A to B through Router § Hacker sends a Redirect to A § A believes hacker is a better next hop to B § Disable Redirect on Hosts
ICMPV6 PACKET TOO BIG ATTACK § A sends traffic with MTU = 1500 § Hacker sends a Packet Too BIG MTU = 1280 § A sends traffic to B with MTU = 1280
NETWORK SCAN § An attacker sends packets to all Network addresses on a subnet § Each time the router starts a MAC Address resolution, it keeps the packet in a buffer § This consumes the router memory and CPU
SECURED NEIGHBOR DISCOVERY: SEND § Secure the IPv6 Network Discovery Protocol § Anti-Replay with Timestamp § Network clocks must be synchronized § No one can steel someone’s address § Protection with CGA § No Spoofing § Impossible to announce a rogue router § Routers are protected with Certificates § Linux and CISCO implementation
SECURE THE EBGP SESSION § Use MD5 IPSec Authentication, safer as IKE changes the key on a regular basis § Use Link-Local Address for Peering § Only Accept the Updates you are supposed to § Filter the illegal Prefixes in Updates § Limit the number of prefixes received § Filter too-long AS-Path eBGP IPSec or MD5 Authentication on the eBGP
INTERNET: THE PREFIXES WHICH MUST BE BLOCKED § http://tools.ietf.org/html/rfc5156 § http://tools.ietf.org/html/rfc4773 Routes to blocks Prefixes Default Routes ::/0 Unspecified Address ::/128 Loopback Addresses ::1/128 IPv4-compatible ::/96 IPv4-mapped ::ffff:0.0.0.0/96 Link-locale fe80::/10 or longer Site-local (obsolete) fec0::/10 or longer Unique-local fc00::/7 or longer Multicast but Global Scope ff00::/8 or longer Documentation 2001:db8::/32 or longer 6bone (obsolete) 3ffe::/16
INTERNET: PREFIXES WHICH MUST BE PERMITTED § Instead of blocking special addresses, one can allow the allocated addresses § http://www.team-cymru.org/ReadingRoom/Templates/IPv6Routers/ios.html § http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt § Pretty long list ! § This list can be used to configure a filter on a router § Example of configuration filter: … ipv6 prefix-list ipv6-global-route permit 2C00:0000::/12 ge 12 le 64 ! router bgp 64500 neighbor 2001:db8:1::2 route-map ACCEPT-ROUTES in ! route-map ACCEPT-ROUTES permit 10 match ip address prefix-list ipv6-global-route
FOR HOSTS: PRIVACY EXTENSION § When the interface ID is derived from the MAC address (EUI-64), the same station will always keep Interface ID § As NAT is no longer used, it becomes possible to identify a target and spy on its traffic § RFC4941 “Privacy Extensions for Stateless Address Autoconfiguration in IPv6” generates a random and temporary interface ID § For Windows: netsh interface ipv6 set global randomizeidentifiers=enabled § For MAC OS and othe Kame derived OS: power-mac-g5-de-fred-bovy-6:~ root# sysctl -w net.inet6.ip6.use_tempaddr=1 § net.inet6.ip6.use_tempaddr: 0 -> 1
HIDE HOSTS WHEN POSSIBLE § Use Unique Local Addresses for Internal Addressing § Only provision Global Unique Addresses for Hosts which have access to the Internet or use ALG and Proxies to access Web Servers on the internet FD00:1:2:3::/64 FD00:1:2:5::/64 FD00:1:2:10::/64 Applica8on Layer Gateway 2001:1:2::1 FD00:1:2:10::109
USE MIPV6 TO HIDE THE LOCATION OF USERS § The mobile node roams from subnet to subnet but its source address never changes for the applications or for the correspondent node!
USE AUTHENTICATION FOR ROUTING PROTOCOLS § Use MD5 or IPSec when available to Authenticate Routing Updates § IPSec is safer as Key is changed by IKE automatically § Protect against Rogue Router § Also apply to First Hop Routing Protocol MD5 or IPSec MD5 or IPSec
ATTACKS ON ROUTERS § Use MD5 authentication when available § Not available with RIPng § Available for EIGRP, ISIS, BGP § OSPFv3 can be secured with IPSec § MD5 Authentication also applies for First Hop Routing Protocol § HSRP, GLBP § Prefer SSH to TELNET § Prefer SNMPv3 to SNMPv2 § Disable all the unused services § If a router interface is used only for management, routing can be disabled § Router(config-if)# ipv6 mode host unicast
DOS ATTACKS ON DHCPV6 § Starvation: A client can request IPv6 addresses until pool depletion § DoS: A Client can ask for a huge number of addresses. The server must keep track and manage the allocated addresses which will overwhelm its CPU. § Attack Mitigation: DHCPv6 snooping is not yet available. This attack can be mitigated by rate-limiting the requests.
DOS ATTACKS ON DHCPV6 (CONT.) § Disinformation: A rogue server can provide bad information to requests: Bad addresses, bad DNS Server addresses, bad domain names. § This can be more harmful than IPv4 because with IPv6 the server can use the Site-local multicast address ff05::1::3 and sit on any subnet of the whole site. § With IPv4, CISCO implements DHCPv6 Snooping. Only trusted ports can provide DHCP reply. This is not yet available for IPv6. § Scanning: If the DHCPv6 Server allocates IPv6 Addresses sequentially, this makes node discovery easy. § Some DHCPv6 Server allocate addresses randomly instead of sequentially.
THREATS ON TRANSITION § Dual-Stack – IPv4 scanning can be used to discover the node – IPv4 and IPv6 must be at the same security level § Tunnel – Tunnels are an easy target for many possible attacks – Packet Injection – Automatic Tunnels are the most dangerous – Automatic Servers can be the target of DoS attacks § Translation – NAT can be the target of DoS attacks – DoS Attacks by address pool depletion – DoS Attack by creating a lot of states or requests which consumes CPU
NODE AND NETWORK DISCOVERY § Discovering nodes or even Active Network with IPv6 is more complex § Finding an active network is not trivial § A scan over an IPv6 subnet would take ages – http://www.ietf.org/rfc/rfc5157.txt – 2^64 addresses to test! – 18.446.744.073.709.551.616 IPs per subnet – 500 millions years § If dual stack nodes are configured, one could use IPv4 to scan and IPv6 to attack! § A network scan can be used as a DoS Attack – In IPv6, a node must keep the packet which triggers a MAC Address resolution in a buffer – If one scans a full network with a big packet, this can consume a lot of buffers!
DUAL STACK ISSUES § Dual Stack Nodes may be very well IPv4 protected and poorly IPv6 protected § Dual Stack Nodes can be discovered thanks to an IPv4 scan ! § And then attacked using IPv6 tools !
INABILITY TO INSPECT TUNNELED PACKET IPv4 Firewall cannot inspect the IPv6 packet encapsulated in IPv4. IPv4 Header IPv6 Header IPv6 Payload
ATTACKS ON TUNNELS Traffic tunneled cannot be inspected § Access-List and packet inspection cannot inspect the IPv6 packet which is encapsulated in IPv4 packets § Solution is to implement multiple Firewalls which inspect packets before they get encapsulated § Other solution is when the Tunnel end point is on a Firewall, traffic can be inspected Easy to inject packets coming from a known Tunnel § If an attacker has the knowledge of manual tunnel configuration, it can send packet « originated » from a known tunnel head-end § With automatic tunnels it is even easier as packet can be originated from any address in the network § IPSec is the protection
6TO4 SOLUTION § IPv4 Firewall inspects IPv4 Traffic. § Because it is also a Tunnel end, it can also inspect the IPv6 in IPv4 Traffic § 6to4 decapsulates traffic § IPv6 Firewall inspects IPv6 Traffic IPv4 Firewall IPv6 Firewall 6to4 IPv4 IPv6 in IPv4 Tunnel IPv6 IPv6
ISATAP SOLUTION No traffic arrives at the transition device without inspection. ISATAP IPv4 Firewall IPv4 IPv6 IPv6 in IPv4 Tunnel IPv6 Firewall
ATTACK BY PACKET INJECTION IN A MANUAL TUNNEL (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
ATTACK BY REFLECTION BY A TUNNEL TAIL END (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
INTERNAL HOST REFLEXION ATTACK (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
MANUAL TUNNEL SECURITY (6IN4, GRE) Best solution if possible is to use IPSec to protect: § Traffic injection (AH, ESP) § Traffic capture (ESP) If not possible… § As they are manually configured, we have enough information to secure the following: § If a packet is received and has a source address which is not configured for any tunnel, it will be silently dropped. – To log the drop an Access-List (ACL) must be configured § Anti-spoofing rejects a packet which comes from a wrong tunnel and blocks the reflection attack. – CEF Unicast RPF can be used for anti-spoofing § Verify the source address of packets received on an interface § In strict mode the packet must be received on an interface which is the outgoing interfqce going to the source address
6TO4 TUNNEL SECURITY § Block Neighbor Discovery § Block ICMP Redirect § Block the link and Site local addresses § Block the IPv6 addresses matching IPv4 RFC 1918 § Verify the destination address
ATTACKS ON NAT64 AND NAT-PT § NAT-PT must be used as a last resort option § If we must support IPv4 Only Application, prefer NAT64 as NAT-PT § NAT64 and NAT-PT can be the target of DoS attacks § The attacker sends many IPv6 packets with different source addresses to the same IPv4 target. § Each packet consumes an address and a state which must be managed. § When there is no more IPv4 address available, there is no more access to IPv4 hosts § Another attack is to generate a lot of DNS requests which will also load the ALG CPU.
NAT64 ATTACKS § http://tools.ietf.org/html/rfc6146 § 5.3. Attacks on NAT64 § DoS: NAT64 has a limited amounts of IPv4 addresses § Send a lot of packets with many IPv6 source addresses § DoS: Send a lot of fragments § DoS: Send a lot of TCP SYN
NAT-PT AND NAT64 ATTACKS MITIGATION Implement rate-limiting for: § Request on NAT-PT ALG § Packets which trigger the creation of an NAT Translation Implement anti-spoofing § IP Source Guard on switches § SEND Remember than NAT is not a Security device like a Stateful Firewall
CISCO SECURITY FEATURES Access-list (ACL) § Stateless Access-List Standard, Extended § Stateful Reflexive ACL § This automatically allows the return traffic of sessions initiated from the inside hosts § Time Based ACL § The filter is only applied during the specified time range CISCO Firewall § Cisco IOS Firewall For IPv6 § CISCO Zone Based Firewall http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6- sec_trfltr_fw.html
CISCO STATELESS ACCESS-LIST § These ACL must explicitly permit or deny traffic in each direction § There is no state built and manage § For instance if FTP must be enabled: – an ACL must permit the FTP control port in outgoing and incoming direction – An ACL must permit the FTP data port in the incoming direction (Active Mode) or in the outgoing direction for (Passive Mode) § Default end of an ACL is – permit nd-ns – permit nd-na – deny all § PRO: – Does not consume a lot of resources § CON: – Traffic must carefully be permitted or denied in each direction – Impossible to permit only the return traffic of a given session
CISCO STATEFUL ACCESS-LIST: REFLEXIVE ACL § The ACL configuration only need to permit the outgoing paquets which starts a new session (i.e.Original paquet starting an FTP Session) § Return traffic is identified by a keyword used in an ACL applied in the opposite direction § PRO: Better granularity, only the return traffic is permitted ! § CON: Consumes more resources Example: ipv6 access-list OUTBOUND permit tcp 2001:DB8:0300:0201::/32 any reflect REFLECTOUT permit udp 2001:DB8:0300:0201::/32 any reflect REFLECTOUT ipv6 access-list INBOUND evaluate REFLECTOUT interface ethernet 0 ipv6 traffic-filter OUTBOUND out ipv6 traffic-filter INBOUND in
ICMPV6 FILTERING § All ICMPv6 cannot be blocked by Firewall! § Path MTU Discovery § Neighbor Discovery § NUD § Parameters Discovery § SLAAC § Parameter Problem § Must be permitted Packet Too Big ND-NS ND-NA RA Parameter Problem
CISCO IOS FIREWALL FOR IPV6 Fragmented packet inspection § The fragment header is used to trigger fragment processing. § Cisco IOS Firewall virtual fragment reassembly (VFR) examines out-of-sequence fragments and switches the packets into correct order, examines the number of fragments from a single IP given a unique identifier (Denial of Service [DoS] attack), and performs virtual reassembly to move packets to upper-layer protocols. IPv6 DoS attack mitigation § Mitigation mechanisms have been implemented in the same fashion as for IPv4 implementation, including SYN half-open connections. Tunneled packet inspection § Tunneled IPv6 packets terminated at a Cisco IOS firewall router can be inspected by the Cisco IOS Firewall for IPv6. Stateful packet inspection § The feature provides stateful packet inspection of TCP, UDP, Internet Control Message Protocol version 6 (ICMPv6), and FTP sessions.
CISCO IOS FIREWALL FOR IPV6 (CONT.) Stateful inspection of packets originating from the IPv4 network and terminating in an IPv6 environment § This feature uses IPv4-to-IPv6 translation services. Interpretation or recognition of most IPv6 extension header information § The feature provides IPv6 extension header information including routing header, hop-by-hop options header, and fragment header is interpreted or recognized. Port-to-application mapping (PAM) § PAM allows you to customize TCP or UDP port numbers for network services or applications. § PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an at the firewall. § The information in the PAM table enables Context-based Access Control (CBAC) supported services to run on nonstandard ports.
CISCO IOS FIREWALL ALERTS, AUDIT TRAILS, AND SYSTEM LOGGING § Cisco IOS Firewall generates real-time alerts and audit trails based on events tracked by the firewall. § Enhanced audit trail features use system logging to track all network transactions; to record time stamps, source host, destination host, and ports used; and to record the total number of transmitted bytes for advanced, session-based reporting. § Real-time alerts send system logging error messages to central management consoles when the system detects suspicious activity. § Using Cisco IOS Firewall inspection rules, you can configure alerts and audit trail information on a per-application protocol basis. – For example, if you want to generate audit trail information for TCP traffic, you can specify the generation of this information in the Cisco IOS Firewall rule that defines TCP inspection. The Cisco IOS Firewall provides audit trail messages to record details about inspected sessions. – Audit trail information is configurable on a per-application basis using the CBAC inspection rules. To determine which protocol was inspected, use the port number associated with the responder. The port number appears immediately after the address.
CISCO ZONE-BASED FIREWALL FOR IPV6 § Zones are created § Interfaces are placed into Zones § Zone Pairs are created § The pair identifies a source and a destination § Class-Map are used to identify traffic § Match on protocol § Match on Access-List § Class-default § A Policy defines the actions § These action applied for each Class-Map § Possible actions are: Drop, pass, inspect, log, reset (for TCP) § The Policy is then applied to a Zone-Pair
FORTIGATE IPV6 SUPPORT. FORTIOS V4.0 MR7 http://www.fortinet.com/solutions/ipv6.html § Complete content protection for IPv6 traffic including Antivirus, Web filtering, DLP and Email Filtering § IPsec VPNs § Dynamic routing protocol for IPv6: RIPng, OSPFv3 and BGP+ § Routing access lists and prefix lists § Dual protocol stack support § IPv6 tunnel over IPv4 § IPv4 tunnel over IPv6
FORTIGATE IPV6 SUPPORT. FORTIOS V4.0 MR7 § Firewall policies § Packet and network sniffing § Bi-directional traffic shaping § NAT/Route and Transparent mode § Logging and reporting § IPv6 specific troubleshooting such as ping6
DEDICATED OR HOST-BASED FIREWALL Dedicated Firewall devices § break the end-to-end model (like NAT) § Only return traffic of the outgoing traffic is permitted to get it in ! § Easy to manage Host-based Firewall § Maintain the end-to-end model § More difficult to manage
SECURITY IN AN IPV6 ENVIRONMENT Minimum Security Plan As a minimum, the following steps should be undertaken with regard to IPv6 security by an organization: § Develop an IPv6 Security Plan § Create appropriate policy § Manage Routers/Switches appropriately § Disable IPv6/Tunnels § Develop Access Control Lists (ACL) to Block IPv6/Tunnels on core/edge/outside enclave § Network protection devices/tools § Contact vendors for IPv6 advice § Block IPv6 (Type 41) tunnels § Enable IPv6 IDS/IPS features § Manage End Nodes appropriately § Enable IPv6 host firewalls on all end devices § Monitor Core and Enclave Boundaries
CONCLUSION § IPSec is provided with IPv6 stacks § For confidentiality, prefer – SSH to TELNET for active node management – SNMPv3 to SNMPv2 for the network management § Routing protocol can be authenticated § NDP is secured by SEND § Tunnels, NAT-PT or NAT64 don’t have any security feature associated – Anti-spoofing – IPSec – ACL – Rate-limiting § CEFv6 Unicast RPF on CISCO and ALCATEL-LUCENT 7750 for anti-spoofing § Use CISCO IOS Firewall or other Firewall for Public Network Connection § Check the NSA www (http://www.nsa.gov) – Check the Router Security Configuration Guide Supplement - Security for IPv6 Routers – Firewall Design Considerations for IPv6
Secured Neighbor Discovery (SEND) INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
INTRODUCTION TO SEND § NDP threats § SEND: a protocol to protect Neighbor Discovery Protocol against any attack § Cryptographically Generated Address – Makes IPv6 address steal proof ! – Spoofing becomes virtually impossible § Address Delegation Authority – Protection against Rogue Router – A router must have a valid certificate to get used as a default router. § Today SEND is supported by CISCO and LINUX § Example: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-563156.html
NDP PROTOCOL DATA UNITS Two New PDUs § Certificate Path Solicitation (CPS SEND) § Certificate Path Advertisement (CPA SEND) New NDP Options § CGA - 11 § RSA - 12 § Certificate - 16 § Trust - 15 § Nonce - 14 § Timestamp -13
NEIGHBOR DISCOVERY OPTIONS Message CGA RSA Nonce Timestamp Router Solicitation MUST unless sent from MUST unless sent MUST MUST (RS) unspecified from unspecified Router Advertisement (RA) MAY. The CGA option can be omitted in RA but this would be rejected by current IOS implementation MUST MUST for solicited RA to all node multicast. Not needed for unsolicited. MUST Neighbor Solicitation (NS) MUST MUST MUST MUST Neighbor Advertisement (NA) MUST MUST MUST for solicited NA to all node multicast. Not needed for unsolicited. MUST Redirect MAY MUST MUST (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
PKI ARCHITECTURE (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
PKI ARCHITECTURE: X.509 CERTIFICATE (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
ROUTERS AND HOST CERTIFICATES VERIFICATION Router 1 2 3 4 Router Message Digest Sign Hash CA’s Private Key 5 Cert Req Router 6 Host Trusts Router’s Public Key after it verifies its signature using CA’s Public Key 7 Router Router Host Already has CA’s Public Key (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
RECEPTION OF AN RA AND SEND VALIDATION (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
VALIDATION OF AN RA § A host receives an RA from a new Router § It does not have a matching certificate § It sends a CPS to the Router § Router answers with a Certificate in a CPA § If the router Certificate matches the CA Certificate authority, the RA is accepted; otherwise it is dropped
CONCLUSION § SEND is the ultimate ND Security protocol § This is the answer to any possible attack using NDP § Makes any kind of attack against an IPv6 Network very difficult if not impossible § The Sec-Level parameter introduces a complexity argument which can be increased when the CPU becomes faster and could be used to break SEND § The network clocks must be synchronized to support SEND § Certificates must be distributed on Routers and Hosts
BOOKS ON THE WEB: SAFARI BOOKS ONLINE (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
SOME BOOKS (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
(C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!

More Related Content

PDF
Stun turn poc_pilot
byMihály Mészáros
 
PDF
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
byMark Smith
 
PDF
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
byMark Smith
 
PDF
I pv6 tutorial
byFred Bovy
 
PPTX
Nat traversal in WebRTC context
byAudioCodes
 
PPT
NAT Traversal
byDavide Carboni
 
PDF
From NAT to NAT Traversal
byLi-Wei Yao
 
PPTX
ICE basic
byVu Nguyen
 
Stun turn poc_pilot
byMihály Mészáros
 
AusNOG 2014 - Network Virtualisation: The Killer App for IPv6?
byMark Smith
 
AusNOG 2011 - Residential IPv6 CPE - What Not to Do and Other Observations
byMark Smith
 
I pv6 tutorial
byFred Bovy
 
Nat traversal in WebRTC context
byAudioCodes
 
NAT Traversal
byDavide Carboni
 
From NAT to NAT Traversal
byLi-Wei Yao
 
ICE basic
byVu Nguyen
 

What's hot

PPTX
Getting started with IPv6
byPrivate
 
PDF
SIP and DNS - federation, failover, load balancing and more
byOlle E Johansson
 
PPTX
Eric Vyncke - Layer-2 security, ipv6 norway
byIKT-Norge
 
PDF
Transition To I Pv6
byFred Bovy
 
PDF
IPv6 Transition
bySwiss IPv6 Council
 
PDF
WellGate 2644
byLong Nguyen
 
PPT
Ice
byTony Deng
 
PDF
Cameron - TMO IPv6 Norway Meeting
byIPv6no
 
PPTX
Upcoming internet challenges
byIvan Pepelnjak
 
PDF
Robert Raszuk - Technologies for IPv4/IPv6 coexistance
byPROIDEA
 
PPTX
Henrik Strøm - IPv6 from the attacker's perspective
byIKT-Norge
 
PDF
Hands-on Experience with IPv6 Routing and Services
byCisco Canada
 
PDF
Introduction of ipv6
byKaushikMajumder22
 
PPTX
Eric Vyncke - IPv6 security in general
byIKT-Norge
 
PDF
2015 update: SIP and IPv6 issues - staying Happy in SIP
byOlle E Johansson
 
PDF
NAT_Final
byPratik Bhide
 
PDF
Fedv6tf-fhs
byTim Martin
 
PDF
IPv6 Autoconfig
byFred Bovy
 
PDF
AusNOG 2015 - Why you should read RFCs and Internet Drafts (and what you need...
byMark Smith
 
PDF
Fedv6tf-IPv6-new-friends
byTim Martin
 
Getting started with IPv6
byPrivate
 
SIP and DNS - federation, failover, load balancing and more
byOlle E Johansson
 
Eric Vyncke - Layer-2 security, ipv6 norway
byIKT-Norge
 
Transition To I Pv6
byFred Bovy
 
IPv6 Transition
bySwiss IPv6 Council
 
WellGate 2644
byLong Nguyen
 
Ice
byTony Deng
 
Cameron - TMO IPv6 Norway Meeting
byIPv6no
 
Upcoming internet challenges
byIvan Pepelnjak
 
Robert Raszuk - Technologies for IPv4/IPv6 coexistance
byPROIDEA
 
Henrik Strøm - IPv6 from the attacker's perspective
byIKT-Norge
 
Hands-on Experience with IPv6 Routing and Services
byCisco Canada
 
Introduction of ipv6
byKaushikMajumder22
 
Eric Vyncke - IPv6 security in general
byIKT-Norge
 
2015 update: SIP and IPv6 issues - staying Happy in SIP
byOlle E Johansson
 
NAT_Final
byPratik Bhide
 
Fedv6tf-fhs
byTim Martin
 
IPv6 Autoconfig
byFred Bovy
 
AusNOG 2015 - Why you should read RFCs and Internet Drafts (and what you need...
byMark Smith
 
Fedv6tf-IPv6-new-friends
byTim Martin
 

Viewers also liked

PPT
IPv6_Quick_Start_Guide
byParthiban Nallathambi
 
PDF
IPv6 in IPv4/MPLS in a Nutshell
byFred Bovy
 
PPS
Multicast for ipv6
byFrederic Bovy
 
PDF
Ipv6 cheat sheet
bySwarup Hait
 
PDF
Advanced Radio over IP
byComms Connect
 
PDF
Deploying IPv6 in OpenStack Environments
byShannon McFarland
 
PPSX
Radio-Over-IP Presentation
byBriCom Solutions
 
PDF
LTE network: How it all comes together architecture technical poster
byDavid Swift
 
PPT
IPv6 networking training sduffy v3
byShane Duffy
 
PDF
IPV6 Hands on Lab
byCisco Canada
 
PDF
Advanced radio over IP
byComms Connect
 
PDF
CS6551 COMPUTER NETWORKS
byKathirvel Ayyaswamy
 
PPT
IPv6 theoryfinalx
byPawan Sharma
 
PDF
Cisco IPv6 Tutorial
bykriz5
 
PDF
IPv6
byPeter R. Egli
 
PDF
ConférenSquad #2 : StreamRoot - HTML5 & WebRTC : de nouveaux horizons pour le...
byJustindwah
 
PDF
Internet of Things (IOT) - Technology and Applications
byDr. Mazlan Abbas
 
PDF
Hacking the Creative Brain
byDenise Jacobs
 
PPT
BUSINESS LETTER AND DIFFERENT STYLES
bySeemab Abbas
 
IPv6_Quick_Start_Guide
byParthiban Nallathambi
 
IPv6 in IPv4/MPLS in a Nutshell
byFred Bovy
 
Multicast for ipv6
byFrederic Bovy
 
Ipv6 cheat sheet
bySwarup Hait
 
Advanced Radio over IP
byComms Connect
 
Deploying IPv6 in OpenStack Environments
byShannon McFarland
 
Radio-Over-IP Presentation
byBriCom Solutions
 
LTE network: How it all comes together architecture technical poster
byDavid Swift
 
IPv6 networking training sduffy v3
byShane Duffy
 
IPV6 Hands on Lab
byCisco Canada
 
Advanced radio over IP
byComms Connect
 
CS6551 COMPUTER NETWORKS
byKathirvel Ayyaswamy
 
IPv6 theoryfinalx
byPawan Sharma
 
Cisco IPv6 Tutorial
bykriz5
 
IPv6
byPeter R. Egli
 
ConférenSquad #2 : StreamRoot - HTML5 & WebRTC : de nouveaux horizons pour le...
byJustindwah
 
Internet of Things (IOT) - Technology and Applications
byDr. Mazlan Abbas
 
Hacking the Creative Brain
byDenise Jacobs
 
BUSINESS LETTER AND DIFFERENT STYLES
bySeemab Abbas
 

Similar to Fb i pv6-sparchimanv1.0

PPSX
IPv6fundamentalspresentationforccnastudents
bykaqureshi8
 
PPT
Understanding i pv6 2
bysrmanjuskp
 
PPTX
Ipv4 over ipv6 by Jigar Tarsariya
byJigar Tarsariya
 
PDF
How You Will Get Hacked Ten Years from Now
byjulievreeland
 
ODP
IPv6: What Why and How
byGihan Dias
 
PDF
A Comparative Study On IPv4 And IPv6
byAmber Ford
 
PDF
In Defence of NATs
byAPNIC
 
PPTX
The case for IPv6
byAPNIC
 
PPTX
Gohil-Network layer & Address Resolution Protocol.pptx
byJuvil2
 
PPTX
Networking essentials lect2
byRoman Brovko
 
PDF
IPv6 In z/VSE:IBM z/VSE Live Virtual Class 2012
byIBM India Smarter Computing
 
PDF
Transition to ipv6 cgv6-edited
byFred Bovy
 
PPTX
4. Understanding Internet Protocol.pptx
byRobertohtirolhsconce
 
PPTX
MVA slides lesson 4
byFabio Almeida- Oficina Eletrônica
 
PDF
IP addressing and subnetting including IPv6 1st Edition J. D. Wegner
bymatvejxhejni20
 
PPTX
IPv6 - The Next next generation protocol
byMohit Sharma
 
DOCX
I pv6
byUdi Ghosh
 
PDF
Presd1 09
byNiels Groeneveld
 
PPTX
IPV6
byNaza hamed Jan
 
PDF
IPv6 & Content Providers
byThomas Kernen
 
IPv6fundamentalspresentationforccnastudents
bykaqureshi8
 
Understanding i pv6 2
bysrmanjuskp
 
Ipv4 over ipv6 by Jigar Tarsariya
byJigar Tarsariya
 
How You Will Get Hacked Ten Years from Now
byjulievreeland
 
IPv6: What Why and How
byGihan Dias
 
A Comparative Study On IPv4 And IPv6
byAmber Ford
 
In Defence of NATs
byAPNIC
 
The case for IPv6
byAPNIC
 
Gohil-Network layer & Address Resolution Protocol.pptx
byJuvil2
 
Networking essentials lect2
byRoman Brovko
 
IPv6 In z/VSE:IBM z/VSE Live Virtual Class 2012
byIBM India Smarter Computing
 
Transition to ipv6 cgv6-edited
byFred Bovy
 
4. Understanding Internet Protocol.pptx
byRobertohtirolhsconce
 
MVA slides lesson 4
byFabio Almeida- Oficina Eletrônica
 
IP addressing and subnetting including IPv6 1st Edition J. D. Wegner
bymatvejxhejni20
 
IPv6 - The Next next generation protocol
byMohit Sharma
 
I pv6
byUdi Ghosh
 
Presd1 09
byNiels Groeneveld
 
IPV6
byNaza hamed Jan
 
IPv6 & Content Providers
byThomas Kernen
 

More from Fred Bovy

PDF
Ospfv3 News version 2
byFred Bovy
 
PDF
Ospfv3 primer
byFred Bovy
 
PDF
Osp fv3 cs
byFred Bovy
 
PDF
IPv6 training
byFred Bovy
 
PDF
CEFv6 in a nutshell
byFred Bovy
 
PDF
Routing ipv6 v3
byFred Bovy
 
PDF
Autoconfig
byFred Bovy
 
PDF
Neighbor discoverydhcp
byFred Bovy
 
PDF
Inter as cisco1
byFred Bovy
 
PDF
I pv6 better than IPv4 but why ?
byFred Bovy
 
PDF
Fred explainsi pv6-v2-alpha
byFred Bovy
 
PDF
Resume
byFred Bovy
 
PDF
Fred bovyresume@2
byFred Bovy
 
PDF
CEFv6 in a nutshell
byFred Bovy
 
PDF
Fred explains IPv6
byFred Bovy
 
PDF
IPv6 tools
byFred Bovy
 
PDF
Multicast for IPv6
byFred Bovy
 
PDF
Dhcp pd in brief
byFred Bovy
 
PDF
6Rd
byFred Bovy
 
Ospfv3 News version 2
byFred Bovy
 
Ospfv3 primer
byFred Bovy
 
Osp fv3 cs
byFred Bovy
 
IPv6 training
byFred Bovy
 
CEFv6 in a nutshell
byFred Bovy
 
Routing ipv6 v3
byFred Bovy
 
Autoconfig
byFred Bovy
 
Neighbor discoverydhcp
byFred Bovy
 
Inter as cisco1
byFred Bovy
 
I pv6 better than IPv4 but why ?
byFred Bovy
 
Fred explainsi pv6-v2-alpha
byFred Bovy
 
Resume
byFred Bovy
 
Fred bovyresume@2
byFred Bovy
 
CEFv6 in a nutshell
byFred Bovy
 
Fred explains IPv6
byFred Bovy
 
IPv6 tools
byFred Bovy
 
Multicast for IPv6
byFred Bovy
 
Dhcp pd in brief
byFred Bovy
 
6Rd
byFred Bovy
 

Recently uploaded

PDF
automobili.pdf panini album slicice ......
byStefanFilipovic9
 
PPTX
Creating content that converts into leads.
bySEONutri
 
PDF
action man.pdf album sa slicicama panini...
byStefanFilipovic9
 
PPTX
Social_Media_Good_or_Bad_B2Plus_Lesson.pptx
byJuliaRutkowska4
 
PDF
anastasia panini album.pdf album sa slicicama
byStefanFilipovic9
 
PDF
Angry Birds film (2016).pdf panini album
byStefanFilipovic9
 
PDF
album panini Evoksi.pdf panini album slicice
byStefanFilipovic9
 
PDF
Batman Forever album sličice.pdf panini album
byStefanFilipovic9
 
PDF
investor pitch - iapploud | independent music platform
byVenkat Subramanian
 
PDF
alfred jonatan kvak panini album.pdf slicice
byStefanFilipovic9
 
PDF
Tour & Travel App Development Explained- Features, Costs, and Technologies Us...
byMike Brown
 
automobili.pdf panini album slicice ......
byStefanFilipovic9
 
Creating content that converts into leads.
bySEONutri
 
action man.pdf album sa slicicama panini...
byStefanFilipovic9
 
Social_Media_Good_or_Bad_B2Plus_Lesson.pptx
byJuliaRutkowska4
 
anastasia panini album.pdf album sa slicicama
byStefanFilipovic9
 
Angry Birds film (2016).pdf panini album
byStefanFilipovic9
 
album panini Evoksi.pdf panini album slicice
byStefanFilipovic9
 
Batman Forever album sličice.pdf panini album
byStefanFilipovic9
 
investor pitch - iapploud | independent music platform
byVenkat Subramanian
 
alfred jonatan kvak panini album.pdf slicice
byStefanFilipovic9
 
Tour & Travel App Development Explained- Features, Costs, and Technologies Us...
byMike Brown
 

Fb i pv6-sparchimanv1.0

  • 1.
    INTRODUCTION TO IPV6FOR SERVICE PROVIDERS Version 1.0 Student Guide
  • 2.
    COURSE INTRODUCTION Introductionto IPv6 for Service Providers (FB-IPv6SPArchiMan) (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 3.
    COURSE OVERVIEW Thiscourse on IPv6 addresses the knowledge and skill requirements for Architects and Projects Managers supporting IPv6 design and implementation for Service Provider customers. The course covers IPv6 Essentials details. As a Prerequisites, taking the “IPv6 For Life!” Free On-Line Tutorial will help. You can find the 3 Flash modules from http://fredbovy.com. For further Study, the book “Understanding IPv6 Concepts” dig in depth all the concepts explained in this course. Migration strategies for a full range of scenarios are discussed.
  • 4.
    COURSE CONTENT TheHigh-Level Objectives for this course are as follows: § Overview of IPv6 § IPv6 Addressing in depth § IPv6 Operations § IPv6 Applications and Services § IPv6 routing protocols § Introduction to IPv6 Multicast § IPv6 Transition and customer integration Strategies including dual stack, 6to4 and 6RD Tunnels, NAT64 and DNS64 translation, Large Scale Nat (LSN or CGN) NAT444, NAT464, DS-Lite, 6PE and 6VPE. § Introduction to IPv6 Security (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 5.
  • 6.
    § Lesson 1:The origin: IPv4 and the rationale for IPv6 § Lesson 2: IPv6 Protocol and Addresses § Lesson 3: ICMPv6 and Neighbor Discovery § Lesson 4: IPv6 Services § Lesson 5: IPv6 Routing Protocols § Lesson 6: IPv6 Multicast § Lesson 7: Transition to IPv6 – Dual-Stack – Tunneling – Translating § Lesson 8: QoS in IPv6 Networks § Lesson 9: IPv6 and Security – Routing Protocols Security – IPSec – Threat on NDP and SEND COURSE AGENDA (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 7.
    TYPOGRAPHIC CONVENTIONS ConventionType of Information Italic Font Book titles. Word or characters that require special attention. Variable names or placeholders for information you must supply, for example: Enter the following command: ifstat [-z] {-a interface} Interface is the name of the interface for which you want to view statistics. Monospaced font! Command names, daemon names, and option names. Information displayed on the system console or other computer monitors. The contents of files. Bold monospaced font! Words or characters you type, for example: Enter the following command: options httpd.enable on!
  • 8.
    (C) 2012 FREDBOVY EIRL. IPV6 FOR LIFE!
  • 9.
    Introduction to IPv6 INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
  • 10.
    IPV4 AND ASSOCIATEDPROTOCOLS § IPv4 was a Network designed for the Army that was supposed to interconnect thousands of hosts § The Internet was not open to the public and you had to sign that you will not use the Internet for business § Autoconfig was not needed § No smartphones, no sensors, no game console, no iPAD, no ADSL, no cable home access and no Internet Access at home § IPv4 delivers a best-effort service § It was associated with other protocols: § ARP to resolve MAC address based on IP address § DHCP for centralized configuration of end nodes
  • 11.
    IPV4 HEADER VersionHeader Length D T 0 R E Total Length Fragment ID Flag Fragment Offset Time To live (TTL) Protocol header checksum Source Address Destination Adress Options (+ padding) P P P DF M
  • 12.
    FRAGMENTATION Identification (16bits) § To identify all fragments from the same datagram Fragment Offset (13 bits) § To reorder the fragments Flag § DF – Do not Fragment § MF - More Fragment
  • 13.
    PMTUD: 1ST ROUTERDROP MTU=1300 § The source sends a datagram MTU=1500 § 1st router MTU=1300 § Drop § ICMP Pkt Too big MTU=1300
  • 14.
    PMTUD: 2ND ROUTERDROP MTU=1100 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 15.
    PMTUD: PACKET REACHESTHE DESTINATION
  • 16.
    IPV4 ADDRESSES §Address IP Source/Destination § Class A. Addresses 1.0.0.0 to 126.255.255.255. § 10.0.0.0. to 10.255.255.255 is private § 128 domains (Networks) and 16.777.214 class A hosts per domain § Class B. 127.0.0.0 to 191.255.255.255. § 172.16.0.0. to 172.31.255.255 is private § 16.000 domains and 65.534 Class B hosts per domain § Class C. 192.0.0.0 to 223.255.255.255. § 192.168.0.0. à 192.168.255.255 is private § 2.000.000 domains and 254 Class C Hosts per domain § Class D. 224.0.0.0 to 239.255.255.255 Multicast § Class E. 240.0.0.0 to 247.255.255.255 Experimental § 4 billion node maximum § VLSM et CIDR have removed the class limitation which were wasting a lot of addresses § NAT/Private Address Space (RFC1918)
  • 17.
    NAT/PAT § NATallows the translation of private to public addresses § PAT allows many private addresses to use the same public address § RFC2993 Architectural Implications of NAT § Cons: § Bottleneck § Single point of failure § Applications must be NAT Friendly § Does not allow end-to-end security and permit undetected MITM attacks § High hidden costs to have applications support § Pro: § Hide the private networks topology
  • 18.
    SOME DISCUSSIONS ABOUTNAT RFC 1579 - Firewall Friendly FTP RFC 2663 - IP Network Address Translator (NAT) Terminology and Considerations RFC 2709 - Security Model with Tunnel-mode IPsec for NAT Domains RFC 2993 - Architectural Implications of NAT RFC 3022 - Traditional IP Network Address Translator (Traditional NAT) RFC 3027 - Protocol Complications with the IP Network Address Translator (NAT) RFC 3235 - Network Address Translator (NAT)-Friendly Application Design Guidelines RFC 3715 - IPsec-Network Address Translation (NAT) Compatibility RFC 3947 - Negotiation of NAT-Traversal in the IKE RFC 5128 - State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)
  • 19.
    OPTIONS Limited numberof possible options: § Class 0 - 0 - 00000 – End of the option list (padding). - 1 - 00001 – No Operation. - 2 - 00010 – Security and management restriction used by military applications. - 3 - 00011 – Loose Source Routing. - 7 - 00111 – Route Recording. - 8 - 01000 – Connection identification. - 9 - 01001 – Strict Source Routing. § Class 2 - 4 - 00100 – Internet Timestamp.
  • 20.
    DHCP § Forend nodes, centralized configuration § Everything is configured from a DHCP server: § IP Address § Default Router § DNS Servers Addresses § SIP Server Addresses § Domain Names
  • 21.
    IPV6 RATIONALE INTHE SERVICE PROVIDER ENVIRONMENT § The question is not “if” it will happen, but “when” will it happen § IPv4 addresses depleted as of February 2011 § Number of connected devices continues to increase § IPv4 can accommodate 4 billion on nodes § Exceed 15 billion in 2015 and 50 billion in 2020 § Over 100 billions Microcontrollers; 10 billions shipped per year § Devices are always connected, from anywhere § It will eliminate IPv4 issues once fully deployed § NAT § Network efficiency and scalability § It has integrated features (services) § Global addresses § Mobility § Security
  • 22.
    NAT/PAT IS THEHEROINE OF THE INTERNET § NAT/PAT with private addresses was invented as a workaround for address depletion in the 1990s. Then people started to use it and found that NAT/PAT was the solution for everything: Security, multihoming, and address independency with the Service Provider. § Most people do not realize the huge hidden costs which go with NAT. All the new applications must be engineered to bypass and support NAT. There are more than 77 RFCs about NAT if you do a simple search on the IETF with NAT keyword, then look at the result. § NAT denies end-to-end security, is a problem for real security protocols like IPSec or DNSSEC. § NAT seems to be the solution for everything ,while actually it breaks a lot (most) of the network applications and does not permit end-to-en security. It gives an opportunity for undetected MITM exploits which could be prevented with end-to-end security. § When people have start to use NAT/PAT they cannot imagine any network without it or how the Internet was before the introduction of NAT/PAT.. § NAT creates more issues than it solves problems. Without NAT, we would not have sleep for 20+ years before starting a protocol more appropriate than IPv4. Do you know that before it was prohibited by Law in the USA in 1959 and in France in 1963, Heroine was sold in Pharmacy as a Miracle Medicine for almost everything?
  • 23.
    WHO IS RUNNINGIPV6 ? A lot of ISPs and enterprises already use IPv6: § Free SAS § RENATER § The Cable Operators with DOCSIS 3.0 § COMCAST – Running IPv6 internally for years – General roll out scheduled to be completed in 2012 § Time Warner – General roll out scheduled to start next year § Mobile Phone – 4G: Designed for IPv6, 3G supports IPv6 – T-Mobile: IPv6 only – Verizon LTE: IPv6 is primary protocol – Sprint: Deploying IPv6 in 2012
  • 24.
    SERVICE PROVIDER IPV6TRANSITION STRATEGIES § An end-to-end IPv6-only core is the ultimate goal. § Transition strategies require Carrier Grade solutions: § Native IPv4 core § Dual Stack § Large Scale NAT (Carrier Grade NAT, AFT) § MPLS enabled core § 6PE § 6VPE § The solution must support any customer connection. § Keeping two protocols is expensive. AT&T predicts the end of IPv4 in 2020.
  • 25.
    SERVICE PROVIDER DRIVERSFOR ADOPTION OF IPV6 § IPv4 growth potential is finite even with double NAT § Structured migration path to IPv6 § Be one of the first to market with IPv6 enabled services § Customers will require access to new IPv6 content from content providers § SPs will be competing for services that are IPv6 dependant § Some devices, like smartphones, will be very soon IPv6-only § NAT cannot be the solution for all applications and all users § See IDC and Renater Migration Case Studies
  • 26.
    CONCLUSION § IPv4is not designed to support multiple addresses per user § NAT cannot be a solution for some applications § IPv4 Options are not extensible § New transport are introduced to support new applications § IPv4 cannot permit an address for each device which will need connection to the Internet
  • 27.
    (C) 2012 FREDBOVY EIRL. IPV6 FOR LIFE!
  • 28.
    FEATURES AND BENEFITS § No more fragmentation info in each packet § No more Header CHECKSUM § It is now mandatory for UDP § Traffic Class (8 bits) replaces the Precedence and ToS Byte § The Flow Label (20 bits) identifies a flow § Addresses are 128 bits long § No More NAT needed § Alignment on 64 bytes § Header size increases from 20 bytes to 40 bytes § Autoconfiguration
  • 29.
    TRANSITION RICHNESS §Dual-Stack § Translation § NAT, LSN, CGN § NAT-PT = NAT46+NAT64+ALG § NAT64/DNS64, NAT444, NAT464 § Tunneling § 6to4, 6RD, 4RD § DS-Lite = 4RD + LSN § IPv6 Over IPv4/MPLS § 6PE § 6VPE
  • 30.
    IPv6 Operations INTRODUCTIONTO IPV6 FOR SERVICE PROVIDERS
  • 31.
    IPV6 ADDRESSING ARCHITECTURE(RFC 4291) § Unicast (one-to-one) § To identify a network interface § Three scopes of addresses: § IPv6 Global § Link-Local § Unique Local Address (equivalent RFC1918) § Multicast (one-to-many) § To identify a set of interface on the network § Traffic is routed to all of these interfaces § Scope: interface, link, site, organization, global § Anycast (one-to-nearest) § To identify a set of interfaces on the network § The traffic is routed to the nearest interface § IPv6 Addressing Architecture § http://tools.ietf.org/html/rfc4291
  • 32.
    REPRESENTATION (RFC 4291) § X:X:X:X:X:X:X:X § X is a Hexa field on 16 bits § Consecutive 0 are represented by :: but this can be used only once in the address § 2000:1::0102:1234:4222 § FF01:0:0:0:0:0:0:1 or FF01::1 § 0:0:0:0:0:0:0:0 or :: § In an URL, the address is surrounded by [ ] § http://[2001:1:4::11]:8080/index.html
  • 33.
    GLOBAL UNICAST ADDRESS(RFC 4291) § Global unicast host address: – 2000:0001:0002:0000:0000:0005:0006:0007 – 2000:0001:0002::0005:0006:0007 § Network Prefix: – 2000:0001:0002::/48 – 2000:1000:0001:0010::/64 § In the Internet 2000::/3 global unicast address: – http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address- assignments.xml – http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry. xml Provider . 48 bits Site . 16 bits Host. 64 bits Global Routing Prefix SLA Interface ID
  • 34.
    IPV6 GLOBAL UNICASTADDRESS FORMAT (RFC 3587) Initial Format Provider . n bits 64 .n bits Host. 64 bits Global Routing Prefix Subnet ID Interface ID IETF assigned 001 for Global Unicast, 2620::/12 assigned to American Registry for Internet Numbers 16 Bits 3 9 bits 36 bits Host. 64 bits 00 1 ARIN RIR or ISP Subnet ID Interface ID RFC 2374: Aggregatable Global Unicast Address Structure Public Topology Site Topology Interface Identifier 13 8 24 16 3 64 bits FP TLA ID RES NLA ID SLA ID Interface ID
  • 35.
    AGGREGATABLE GLOBAL UNICASTADDRESS STRUCTURE (RFC 2374) § FP: Format Prefix (001) § TLA ID: Top-Level Aggregation Identifier § A default free router will have a route to each TLA ID plus the specific routes for the TLA ID it belongs to. § RESERVED for future utilization § NLA ID: Next-Level Aggregation Identifier § Identify sites within an organization. § SLA ID: Site-Level Identifier § Identify the subnets within an organization § Same as the IPv4 Subnets § Supports 65.535 Subnets § Interface Identifier Public Topology Site Topology Interface Identifier 13 8 24 16 3 Host. 64 bits NLA ID SLA ID Interface ID FP TLA ID RES
  • 36.
    LINK-LOCAL ADDRESS (RFC4291) § Allows automatic address configuration without router § Equivalent in IPv4: 169.254.0.0/16 (RFC 3927) § FE80::/10 128bits All 0s Interface ID 11111 1010 FE80::/10 64 bits
  • 37.
    SCOPED ADDRESS ARCHITECTURE(RFC 4007) § At the beginning the Site-Locale was defined § fec0::/10 § This was deprecated by RFC 3879 § All addresses but the unspecified have a scope § RFC 4007 defines a « Scope Zone » or Zone as a connected region with a given scope § It is noted with the sign % § Example: fe80::1%5
  • 38.
    UNIQUE-LOCAL ADDRESS (RFC4193) § For private addresses like RFC 1918 for IPv6 § Network Prefixes: § FC00::/7 Globally Managed § FD00::/8 Locally Managed § To reserve an address: § http://www.sixxs.net/tools/grh/ula/ 48 bits 16 bits Host. 64 bits Global ID 40 bits Subnet ID Interface ID 1111 1100 1111 1101 FC00::/7 FD00::/8
  • 39.
    INTERFACE ID DERIVEDFROM THE MAC: EUI-64 § Mac Address 48 bit § X=1 Unique § X=0 Not Unique 00 90 59 02 E0 F9 00 90 59 FF FE 02 E0 F9 000000X0
  • 40.
    RANDOM INTERFACE ID(RFC 4941) § If the interface ID is derived from the MAC address, it will be constant. § There is no NAT, this can be used to track a user. § Privacy Extension uses a randomized ID to configure the interface ID.
  • 41.
    SPECIAL ADDRESSES (RFC4291) § Unspecified § 0:0:0:0:0:0:0:0 or:: § Used when the node does not have an address configured § Loopback § 0:0:0:0:0:0:0:1 § ::1 § 127.0.0.1 for ipv4 § IPv4-Mapped § ::ffff:192.168.0.11 § Another RFC 5156 compiles the special addresses which should not be routed on the Internet § http://tools.ietf.org/html//rfc5156
  • 42.
    Flag – 4bits § O if permanent § 1 if temporary Scope – 4 bits § 1=node § 2=link § 4=admin § 5=site § 8=Organization § E=Global MULTICAST (RFC 4291) Only the link-local is automatically filtered by routers. Other scope must be implemented with Access-List FF Flag Scope 0 Interface ID 128 bit (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 43.
    MULTICAST ADDRESS RESERVED § FF01::1 Interface-local Scope All node address § FF01::2 Interface-local Scope All routers address § FF02::1 Link-local Scope all node adress § FF02::2 Link-local Scope All routers address § FF05::1 Site-local Scope All node address § FF05::2 Site-local Scope all routers address § FF05::1:3 Site-local Scope all DHCP server
  • 44.
    SOLICITED-NODE MULTICAST ADDRESS § Unicast Address § 805B:2D9D:DC28::FC57:D4C8:1FFF § Prefix § FF02:0:0:0:0:1:FF § Solicited-node multicast adress § FF02:0:0:0:0:1:FFC8:1FFF § Automatically configured for each unicast Prefix Interface Identifier FF02 O 0001 FF 24 bits 128 bits
  • 45.
    IPV6 ADDRESS SPACE http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
  • 46.
    IPV6 ADDRESS SUMMARY These addresses include: § ::/128 Unspecified Adddress § ::1/128 loopback Address § 2001::/32 Teredo prefix § 2001:db8::/32 reserved for training and documentation by RFC 3849 § 2002::/16 prefix used by 6to4 Prefix Description ::/8 Address Reserved 2000::/3 Internet Routed Global Unicast Address fc00::/7 Site Local Address (deprecated) fe80::/10 Link-Local Address ff00::/8 Multicast Address http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
  • 47.
    ADDRESSES REQUIRED FORAN IPV6 NODE § A Link-local for each interface § Loopback § Assigned Unicast § All-nodes Multicast § Solicited-node multicast for each unicast § Multicast
  • 48.
    ADDRESSES REQUIRED FORA ROUTER All the addresses needed for a node plus: § Anycast address is a particular service needs it § All-Routers Multicast § Routing protocols specific multicast addresses
  • 49.
    IPV6 IN ETHERNET Protocole IPv6: Ox86DD Dest Ethernet Adress Source Ethernet Adress 0x86DD IPv6 Header and charge
  • 50.
    MULTICAST MAPPING ONETHERNET IPv6 Multicast Address § FF02:0:0:0:0:1:FF90:FE53 § 128 bits Mac Address § 33:33:FF:90:FE:53 § 48 bits FF02:0:0:0:0:1:FF90:FE53 33:33:FF:90:FE:53
  • 51.
    sa13-72c(config-if)#do show ipv6 int gig0/2 GigabitEthernet0/2 is up, line protocol is up § IPv6 is enabled, link-local address is FE80::20B:60FF:FEB4:9C1A No Virtual link-local address(es): § Stateless address autoconfig enabled Global unicast address(es): § 2000:1::20B:60FF:FEB4:9C1A, subnet is 2000:1::/64 [EUI/CAL/PRE] § Valid lifetime 2591911 preferred lifetime 604711 Hosts use stateless autoconfig for addresses Joined group address(es): § FF02::1 § FF02::2 § FF02::1:FFB4:9C1A § MTU is 1500 bytes § ICMP error messages limited to one every 100 milliseconds § ICMP redirects are enabled § ICMP unreachables are sent § ND DAD is enabled, number of DAD attempts: 1 § ND reachable time is 30000 milliseconds (using 23319) § ND advertised reachable time is 0 (unspecified) § ND advertised retransmit interval is 0 (unspecified) § ND router advertisements are sent every 200 seconds § ND router advertisements live for 1800 seconds § ND advertised default router preference is Medium CISCO IPV6 INTERFACE (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 52.
    ASSIGNMENT OF ADDRESSES IANA 2a01:0e35:2f26:d340:acaa:4946:9234:1379! RIR ISP/LIR EU/ISP EU RIR NIR ISP/LIR EU Regional Internet Registries (ARIN, APNIC, RIPE, NCC) National Internet Registries Local Internet Registries End Users http://www.ripe.net/ripe/docs/ripe-512
  • 53.
    IPV6 ADDRESS ALLOCATION § IPv6 addresses are 4 time bigger than IPv4 § Must be carefully managed not to explode the size of routing tables § Bloc of addresses are allocated by IANA or a RIR § To be eligible for address allocation: § Must be a LIR § Have a plan to provide addresses to customers within two years § Minimum allocation to a LIR is a /32
  • 54.
    ADDRESSES ASSIGNMENT TOA USER § The assignment of addresses to end users is done by LIR § RFC 3177 obsoleted by RFC6177 § Standard is no more /48 but between /48 and /64 § For a large customer § /47 or larger can be assigned § Or multiple /48 § /64 for a single subnet § /128 for a single host § By default the assignment is temporary § For multihomed users Provider Independant (PI) addresses § RIPE Looking Glass: http://stat.ripe.net/2a01:e00::/26! http://stat.ripe.net/2804:258::/32!
  • 55.
    INTERNET HIERARCHY ISP1 21ae:db8::/32 Cust1 21ae:db8:1::/48 RIR1 21ae::/8 Cust2 21ae:db9:1::/48 Cust4 2001:db8:2::/48 ISP2 21ae:db9::/32 Cust3 2001:db8:1::/48 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! ISP3 2001:db8::/32 IANA 2000::/3 RIR2 2001::/8
  • 56.
    PROVIDER ASSIGNED ADDRESSSPACE § FP: Format Prefix (001) § TLA ID: Top-Level Aggregation Identifier § RESERVED pour utilisation future § NLA ID: Next-Level Aggregation Identifier § SLA ID: Site-Level Identifier § Interface Identifier Site Public Topology Topology Interface Identifier 13 8 24 16 3 Host. 64 bits FP TLA ID RES NLA ID SLA ID Interface ID
  • 57.
    MULTIHOMING ISP1 2001:db8::/32 assign 2001:db8:1::/48 ISP2 2001:db9::/32 assign 2001:db9:100::/48 Site 2001:db8:1::/48 2001:db9:100::/48 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 58.
    PROVIDER-ASSIGNED ADDRESS §The /48 prefix is assigned by ISP § The address belongs to the ISP and should be returned by the end of the contract. ISP1 2001::db8::/32 2001:db8:1::/48 ISP2 2001:db9::/32 2001:db9:100::/48 2001:db8:1::/48 2001:db9:100::/48 2001:db8:1::/48 2001:db9:100::/48
  • 59.
    PROVIDER-ASSIGNED – MULTIHOMED WORKSTATIONS ISP1 2001:db8::/32 ISP2 2001:db9::/32 § End node now has two addresses 2001:db9:100::/48 2001:db8:1::/48 2001:db9:100:99:42:345F:1:1/64 2001:db8:1:99:42:345F:1:1/64
  • 60.
    PROVIDER-ASSIGNED – FAULTTOLERANCE(1) ISP1 ISP2 § Better route from ISP2 § A session is started 2001:db9:100::/ 48 2001:db9:100:99:42:345F:1:1/64 2001:db8:1:99:42:345F:1:1/64 2001:db8:1::/48
  • 61.
    PROVIDER-ASSIGNED – FAULTTOLERANCE (2) § Dest thru ISP2 is no longer reachable § The session fails ISP1 ISP2 2001:db9:100::/48 2001:db8:1::/48 2001:db9:100:99:42:345F:1:1/64 2001:db8:1:99:42:345F:1:1/64
  • 62.
    PROVIDER-ASSIGNED – FAULTTOLERANCE (3) ISP1 ISP2 § A new session must be started 2001:db9:100::/48 2001:db8:1::/48 2001:db9:100:99:42:345F:1:1/64 2001:db8:1:99:42:345F:1:1/64
  • 63.
    PROVIDER-ASSIGNED MULTIHOMING §Routing based Solution § RFC 3178 § Need to establish tunnels with ISPs § Does not protect upstream ISP failure scenario § Quite complex to setup § Host based sloution § Shim6. RFC 5533, RFC 5534, RFC 5535 § http://www.shim6.org/ § http://datatracker.ietf.org/wg/shim6/charter/ § Many solution proposed § Need to update software on the hosts § Prefix Translation stateless (NPT6 no NAT66 !) § Experimental Draft RFC6296 § http://fredbovyipv6.blogspot.com/2011/09/from-nat66-to-ipv6-to-ipv6-network.html § The solution should conform to RFC 3852 § https://www.ietf.org/rfc/rfc3582.txt
  • 64.
  • 65.
    PA MULTIHOMING: SHIM6 http://www.shim6.org/ AP1 AP2 … APn TCP/UDP IP identifie r End-Point Shim6 Layer Locator Forwar d Shim6 Layer Shim6 Protocol
  • 66.
    PROVIDER-INDEPENDANT ADDRESS: MULTIHOMING § Same as IPv4 § No more renumbering if one change of ISP ISP1 2001:db8:1::/48 2001:db8:66::/48 ISP2 2001:db8:100::/48 2001:db8:66::/48 2001:db8:66::/48 2001:db8:1::/48 2001:db8:1::/48 2001:db8:100::/48 2001:db8:66::/48 2001:db8:100::/48 2001:db8:66::/48
  • 67.
    PROVIDER-INDEPENDANT VERSUS PROVIDER-ASSIGNED § Provider Assigned § It was the only solution until 2009 § Keep routing table size quite low § Multihoming may be hard to setup § Provider Independent § Allocated by the RIR § Solve the multihoming problem § In Europe this is allocated by the RIPE § Must be Multihomed § Need to comply with: http://www.ripe.net/ripe/docs/ripe-452 § No more aggregation of the routing table
  • 68.
    CONCLUSION § Nomore address limitation § No more NAT limitation § Extensible with Option headers § Performance-oriented header, but twice bigger § Multicast replaces the broadcast § Multihoming is still an open debate
  • 69.
    (C) 2012 FREDBOVY EIRL. IPV6 FOR LIFE!
  • 70.
    IPV6 HEADER VerTraffic Class Flow Label Payload Length Next Header=Hop-By-Hop Hop Limit Source IPv6 Address Next Header=Routing Hdr Next Header=TCP DDeessttininaattioionn IIPPvv66 A Addddrreessss Hop-By-Hop Routing Header TCP Header
  • 71.
    IPV6 HEADER EthernetII, Src: ca:02:42:76:00:08 (ca:02:42:76:00:08), Dst: IPv6mcast_00:01:00:02 (33:33:00:01:00:02) Destination: IPv6mcast_00:01:00:02 (33:33:00:01:00:02) Source: ca:02:42:76:00:08 (ca:02:42:76:00:08) Type: IPv6 (0x86dd) Internet Protocol Version 6 0110 .... = Version: 6 [0110 .... = This field makes the filter "ip.version == 6" possible: 6] .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 56 Next header: UDP (0x11) Hop limit: 255 Source: fe80::38b1:e73c:c0f0:4442 (fe80::38b1:e73c:c0f0:4442) Destination: ff02::1:2 (ff02::1:2) User Datagram Protocol, Src Port: dhcpv6-client (546), Dst Port: dhcpv6-server (547) Source port: dhcpv6-client (546) Destination port: dhcpv6-server (547) Length: 56 Checksum: 0x86f0 [validation disabled] (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 72.
    TRAFFIC CLASS §One byte § Same as ToS+Precedence in IPv4 § Carry the DSCP § Can be changed by routers (mutable)
  • 73.
    FLOW LABEL (RFC3697) § To Identify a flow of data § Not currently used by applications § Is not modified by routers (Unmutable) § A flow is identified by addresses and flow label. § Not encrypted by IPSec § Not fragmented if fragmentation occurs § Not very used because it could be used by DoS Attacks
  • 74.
    IPV6 OPTION HEADER § IPv4 protocol field replaced by Next Header § Each option is formatted as a TLV (Type Length Value) 8 bits 8 bits Option Type Option Length Option data
  • 75.
    HOP-BY-HOP OPTION §Hop-by-Hop (Next header=0) option must be inspected by all nodes § Used by Jumbogram to reach 65,536 octets § RFC 2711 Router Alert used by MLD, RSVP § Each router need to check this option § IANA manage a list of allocated numbers § 0 to 35 have been allocated § 36 to 65535 should be rejected § Must be the first option
  • 76.
    ROUTING HEADER §Type 0: Source Routing § Loose Source Routing § Deprecated http://www.ietf.org/rfc/rfc5095.txt § Type 1: Obsolete § Type 2: RFC3775 Used by Mobile IPv6
  • 77.
    OTHER IPV6 OPTIONHEADER § Destination Option § An option for the destination IPv6 address only § Fragment Header § Fragmentation is only permitted by the source § Routers cannot fragment packet anymore § Authentication Header § ESP Header § Mobility Header
  • 78.
    OPTIONS ORDERING §Hop-by-hop § Destination options (if routing present) § Routing § Fragment § Authentication § ESP § Mobility § Destination option (if routing absent) § Upper layer
  • 79.
    IPV6 PACKET CAPTURE Internet Protocol Version 6 0110 .... = Version: 6 .... 1010 0000 .... .... .... .... .... = Traffic class: 0x000000a0 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 60 Next header: IPv6 hop-by-hop option (0x00) Hop limit: 64 Source: 2005::2 (2005::2) Destination: 2005::1 (2005::1) Hop-by-Hop Option Next header: IPv6 destination option (0x3c) Length: 0 (8 bytes) PadN: 6 bytes Destination Option Next header: ICMPv6 (0x3a) Length: 0 (8 bytes) PadN: 6 bytes (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 80.
    MAXIMUM TRANSMISSION UNIT IPv4 § MTU >= 68 Octets IPv6 § MTU >= 1280 Octets § PMTUD Link-Layer Frame Frame Header IPv6 Packet Frame Trailer Minimum MTU = 1280 Octets
  • 81.
    ICMPv6 INTRODUCTION TOIPV6 FOR SERVICE PROVIDERS
  • 82.
    TOPICS § Introduction § ICMPv6 § MLD (IGMP) § ICMPv6 Protection § ICMPv6 Error Messages § Destination Unreachable § Time Exceeded § Packet too Big § Parameter Problem § Information Messages § Echo Request § Echo Reply § Cisco and ALU 7750 Example
  • 83.
    INTRODUCTION § RFC4443 § IPv6 extension header type 58 § Path MTU Discovery § ICMPv6 carry Neighbor Discovery Protocol, MLD
  • 84.
    ICMPV6/NDP HEADER http://www.iana.org/assignments/icmpv6-parameters § List all types, codes and more Type Code Checksum Message Body
  • 85.
    MLD (IGMP) §Router and Multicast Receivers Protocol § MLDv1 (RFC 2710) § IGMPv2. RFC 2236 § Multicast Listener Query. ICMPv6 Type 130 § Multicast Listener v1. Report. ICMPv6 Type 131 § Multicast Listener Done. ICMPv6 Type 132 § MLDv2 § IGMPv3. RFC 3376 § Multicast Listener Query. ICMPv6 Type 130 § Multicast Listener Report. v2. ICMPv6 Type 143
  • 86.
    ICMPV6 PROTECTION Thefollowing messages MUST have a hop limit = 255 § RS:133, RA:134 § NS:135, NA:136 § Redirect: 137 § Inverse Neighbor Discovery Solicitation: 141 § Inverse Neighbor Discovery Advertisement: 142 § Certificate Path Solicitation (SEND): 148 § Certificate Path Advertisement (SEND): 149
  • 87.
    ICMPV6 INFORMATION MESSAGE § pingv6 § Echo Request § Echo Reply sa13-72c>ping 2000:1::100! Type escape sequence to abort.! Sending 5, 100-byte ICMP Echos to 2000:1::100, timeout is 2 seconds:! !!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms! sa13-72c>! Apr 21 05:56:54: ICMPv6: Sent echo request, Src=2000:1::20B:60FF:FEB4:9C1A, Dst=2000:1::100! Apr 21 05:56:54: ICMPv6: Received echo reply, Src=2000:1::100, Dst=2000:1::20B:60FF:FEB4:9C1A! Apr 21 05:56:54: ICMPv6: Sent echo request, Src=2000:1::20B:60FF:FEB4:9C1A, Dst=2000:1::100! Apr 21 05:56:54: ICMPv6: Received echo reply, Src=2000:1::100, Dst=2000:1::20B:60FF:FEB4:9C1A! Apr 21 05:56:54: ICMPv6: Sent echo request, Src=2000:1::20B:60FF:FEB4:9C1A, Dst=2000:1::100! Apr 21 05:56:54: ICMPv6: Received echo reply, Src=2000:1::100, Dst=2000:1::20B:60FF:FEB4:9C1A! Apr 21 05:56:54: ICMPv6: Sent echo request, Src=2000:1::20B:60FF:FEB4:9C1A, Dst=2000:1::100! Apr 21 05:56:54: ICMPv6: Received echo reply, Src=2000:1::100, Dst=2000:1::20B:60FF:FEB4:9C1A! [SNIP]!
  • 88.
    ERROR MESSAGES §Destination Unreachable § Packet Too Big § Time Exceeded § Parameter Problem
  • 89.
    TYPE: DESTINATION UNREACHABLE Code Description Utilization 0 No route to destination The packet was dropped because the router did not have a route to the destination 1 Communication administrativement prohibited The packet was filtered by a router (ACL) 3 Unreachable address The data link layer cannot be resolved 4 Port unreachable The UDP or TCP destination port does not exist or is ignored by the host (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 90.
    TYPE: TIME EXCEEDED Code: Hop Limit Exceeded in Transit § The hop limit is decremented at each hop. § When it reaches zero. § The packet is dropped § ICMPv6 TIME EXCEEDED CODE: Hop limit exceeded in transit is sent to the source address of the packet § This mitigates the consequences of a routing loop in a network. Code: Fragment reassembly Time exceeded § When a station receives the first fragment of a packet, it starts a timer § If the timer reaches zero before the original datagram get reassembled § All fragments get dropped § TIME EXCEEDED, CODE: Fragment reassembly time exceeded is sent to the source of the packet
  • 91.
    TYPE: PACKET TOOBIG § When a router must forward a datagram on a link with an MTU smaller than the packet size § It drops the packet § It sends an ICMPv6 Packet Too Big providing the MTU of the link § The source must § Send a new and smaller packet with a length matching the available MTU § Or send the original datagram fragmented with a fragment size matching the available MTU § The minimum MTU in IPv6 MUST be 1280 bytes
  • 92.
    TYPE: PARAMETER PROBLEM § A pointer helps this type to find the right field or option § Packet with such problem MUST be discarded and an ICMPv6 Parameter Problem SHOULD be sent Code Description Utilization O Erroneous header field encountered A field in the header is wrong 1 Unrecognized next header type encountered The next header is not recognized. 2 Unrecognized IPv6 option encountered The option field is not recognized
  • 93.
    ALU 7750: SHOWROUTER ICMP6 A:SR-3>show>router>auth# show router icmp6 =============================================================================== Global ICMPv6 Stats =============================================================================== Received Total : 14 Errors : 0 Destination Unreachable : 5 Redirects : 5 Time Exceeded : 0 Pkt Too Big : 0 Echo Request : 0 Echo Reply : 0 Router Solicits : 0 Router Advertisements : 4 Neighbor Solicits : 0 Neighbor Advertisements : 0 ------------------------------------------------------------------------------- Sent Total : 10 Errors : 0 Router Solicits : 0 Router Advertisements : 0 Neighbor Solicits : 5 Neighbor Advertisements : 5 =============================================================================== A:SR-3>show>router>auth# (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 94.
    CONCLUSION § ICMPv6is quite similar to ICMP for IPv4 § Information message: Echo Request, Echo Reply § Error Messages § ICMPv6 is also used to transport § Neighbor Discovery Protocol § MLD for multicast
  • 95.
    Neighbor Discovery Protocol INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
  • 96.
    NDP FEATURES §RFC 4861, RFC 4862 § Router Discovery § Neighbor Discovery § Prefix Discovery § Parameter Discovery § Address Auto-Configuration § Address Resolution § Next-hop Determination § Neighbor Unreachability Detection § Duplicate Address Detection § Redirection § Default Router and More Specific route Selection § Proxying node
  • 97.
    NEIGHBOR SOLICITATION (NS) § MAC Address Resolution § NS are sent to the neighbor Solicited Node Multicast Address to resolve its MAC address based on its IPv6 Address § Same purpose a ARP in IPv4 § Optimized as the NS provides the sender MAC address § Neighbor Unreachability Detection § After « reachable time » without neighbor reachability confirmation from upper layer, a NS is sent to the neighbor Unicast address to check the neighbor reachability § Duplicate Address Detection § Before an IPv6 can be used DAD is performed
  • 98.
    NS TO RESOLVETHE NEIGHBOR MAC ADDRESS § Sent to the solicited node address, this is to ask the neighbor MAC address from its IPv6 Address
  • 99.
    NS PROBE TOCHECK NEIGHBOR REACHABILITY § Sent to the Unicast address, this is a probe for Reachability
  • 100.
    ND – NEIGHBORADVERTISEMENT § To reply with the MAC address or to acknowledge reachability
  • 101.
    NEIGHBOR CACHE MANAGEMENTFSM (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 102.
    NEIGHBOR UNREACHABILITY DETECTION § ND Protocol can detect that a neighbor is unreachable § This may be useful to use a new default router § This can be detected by: § Upper layer protocol acknowledge traffic § NA received in response of an NS § This is configured on a Cisco Router with two parameters: § IPv6 nd ns-interval <milliseconds> § IPv6 nd reachable-time <milliseconds>
  • 103.
    STATE MACHINE FORREACHABILITY NA1 – Receive a NA with Solicited=0 NA2 – Receive a NA with Solicited=1 NA3 – Receive a NA with Solicited=1 and Override=1 or Override=0 and the link-layer identical to the one in cache NA4 – Receive a NA with solicited=1, Override=0 abd link-layer different of the one in cache NA5 – Receive a NA with solicited=0, override=1, and link-layer different from cache O – Receive another paquet ND with a link-layer different from the cache. S – Send a packet T – Timeout Te – Timeout with no more retry U – Upper Layer confirmed Create Entry Send NS Incomplete NA2 Stale Delay Probe Reachable Te NA1 Report Error Delete Entry NA3 Or U T or O or NA4 or NA5 T Retry NS NA3 ou U Retry NS Send NS NA5 ou O S NA3 ou U NA5 ou O T Te T T
  • 104.
    NEIGHBOR STATES §INCOMPLETE § Address resolution is being performed on the entry. Specifically, a Neighbor Solicitation has been sent to the solicited-node multicast address of the target, but the corresponding Neighbor Advertisement has not yet been received. § REACHABLE § Positive confirmation was received within the last ReachableTime milliseconds that the forward path to the neighbor was functioning properly. While REACHABLE, no special action takes place as packets are sent. § STALE § More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was functioning properly. While stale, no action takes place until a packet is sent. The STALE state is entered upon receiving a unsolicited Neighbor Discovery message that updates the cached link-layer address. Receipt of such a message does not confirm reachability, and entering the STALE state ensures reachability is verified quickly if the entry is actually being used. However, reachability is not actually verified until the entry is actually used. § DELAY § More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was functioning properly, and a packet was sent within the last DELAY_FIRST_PROBE_TIMEseconds. If no reachability confirmation is received within DELAY_FIRST_PROBE_TIME seconds of entering the DELAY state, send a Neighbor Solicitation and change the state to PROBE. The DELAY state is an optimization that gives upper-layer protocols additional time to provide reachability confirmation in those cases where ReachableTime milliseconds have passed since the last confirmation due to lack of recent traffic. Without this optimization, the opening of a TCP connection after a traffic lull would initiate probes even though the subsequent three-way handshake would provide a reachability confirmation almost immediately. § PROBE § A reachability confirmation is actively sought by retransmitting Neighbor Solicitations every RetransTimer milliseconds until a reachability confirmation is received.
  • 105.
    NEIGHBOR DISCOVERY TRACEON A CISCO ROUTER § No DROP during ND MAC address resolution. This is because packet is buffered and this can be used for a DoS Attack sa13-72c#ping 2000:1::100! Type escape sequence to abort.! Sending 5, 100-byte ICMP Echos to 2000:1::100, timeout is 2 seconds:! !!!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms! sa13-72c#! Apr 18 08:36:03: ICMPv6-ND: DELETE -> INCMP: 2000:1::100! Apr 18 08:36:03: ICMPv6-ND: Sending NS for 2000:1::100 on GigabitEthernet0/2! Apr 18 08:36:03: ICMPv6-ND: Resolving next hop 2000:1::100 on interface GigabitEthernet0/2! Apr 18 08:36:03: ICMPv6-ND: Received NA for 2000:1::100 on GigabitEthernet0/2 from 2000:1::100! Apr 18 08:36:03: ICMPv6-ND: Neighbour 2000:1::100 on GigabitEthernet0/2 : LLA 0008.201a.7c38! Apr 18 08:36:03: ICMPv6-ND: INCMP -> REACH: 2000:1::100! Apr 18 08:36:08: ICMPv6-ND: Received NS for 2000:1::1 on GigabitEthernet0/2 from FE80::208:20FF:FE1A: 7C38! Apr 18 08:36:08: ICMPv6-ND: DELETE -> INCMP: FE80::208:20FF:FE1A:7C38! Apr 18 08:36:08: ICMPv6-ND: Neighbour FE80::208:20FF:FE1A:7C38 on GigabitEthernet0/2 : LLA 0008.201a. 7c38! Apr 18 08:36:08: ICMPv6-ND: INCMP -> STALE: FE80::208:20FF:FE1A:7C38! Apr 18 08:36:08: ICMPv6-ND: Sending NA for 2000:1::1 on GigabitEthernet0/2! Apr 18 08:36:08: ICMPv6-ND: STALE -> DELAY: FE80::208:20FF:FE1A:7C38
  • 106.
    NEIGHBOR SOLICITATION CAPTURE § The Source Layer Address is provided to avoid the request in the other direction Internet Protocol Version 6 0110 .... = Version: 6 [0110 .... = This field makes the filter "ip.version == 6" possible: 6] .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 400 Next header: ICMPv6 (0x3a) Hop limit: 255 Source: fe80::2027:9779:3775:5cf8 (fe80::2027:9779:3775:5cf8) Destination: fe80::38b1:e73c:c0f0:4442 (fe80::38b1:e73c:c0f0:4442) Internet Control Message Protocol v6 Type: 135 (Neighbor solicitation) Code: 0 Checksum: 0x64e3 [correct] Target: fe80::38b1:e73c:c0f0:4442 (fe80::38b1:e73c:c0f0:4442) ICMPv6 Option (Source link-layer address) Type: Source link-layer address (1) Length: 8 Link-layer address: ca:03:42:76:00:08 SNIP The Source Layer Address is provided to avoid the request in the other direction
  • 107.
    DUPLICATED ADDRESS DETECTION(DAD) § ICMP Type = 135 § Dst = solicited node multicast address of A § Data = link-layer of A § Query: What is your link layer address ? § If no NA received, the address can be considered unique § A sends a NA to claim this address
  • 108.
    DUPLICATE ADDRESS DETECTIONDEBUG § DAD Debug on a Cisco Router Apr 18 09:57:31: ICMPv6-ND: L3 came up on GigabitEthernet0/2 Apr 18 09:57:31: IPv6-Addrmgr-ND: DAD request for 2000:1::1 on GigabitEthernet0/2 Apr 18 09:57:31: ICMPv6-ND: Sending NS for 2000:1::1 on GigabitEthernet0/2 Apr 18 09:57:32: IPv6-Addrmgr-ND: DAD: 2000:1::1 is unique. Apr 18 09:57:32: ICMPv6-ND: Sending NA for 2000:1::1 on GigabitEthernet0/2 Apr 18 09:57:32: IPv6-Address: Address 2000:1::1/64 is up on GigabitEthernet0/2
  • 109.
    REDIRECT § ARedirect is sent by a Router to provide a better Next-hop for a destination § This is sent after the Router has forwarded a packet on the interface used to receive a packet § Can be used by DoS Attacks (IPv4 or IPv6) § May be disabled by most OS (IPv4 or IPv6)
  • 110.
    REDIRECT: H1 DEFAULTROUTE VIA R1 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 111.
    REDIRECT: H1 ROUTETO H2 VIA R2 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 112.
    ROUTER ADVERTISEMENT (RA) § A Router Advertisement is sent by a Router to announce its availability as a Router with its Link-local IPv6 Address § Router Advertisement also provides a configuration parameter to use on the link: § MTU § Availability of DHCPv6 for configuration § Hop Limit § Available Prefixes on the link and whether these prefixes can be used for autoconfiguration § Addresses of DNS Servers § Router Advertisement can be sent Unsolicited on a regular basis § Router Advertisement can be requested by a Router Solicitation § May be used by hacker (RFC6102)
  • 113.
    ND – ROUTERANNOUNCEMENT (RA) § ICMP Type = 134 § Src = Router Link-Local § Dst = All nodes multicast address, FF02::1 § Data = Options, prefix, lifetime, autoconfig flag § Cisco Router configuration § Ipv6 unicast-routing
  • 114.
    RA FIELDS DESCRIPTION § Router link-local address § Lifetime: The time that this router will be considered active. A Lifetime of zero is used by a router which cannot be used as a default router. § Hops: Default Hop-Limit to use on this link. § MTU: Default MTU to use on this link § Reachable time: Used by NUD. A length of time that a node considers a neighbor reachable until another reachability confirmation is received from that neighbor. § Retransmit time: Used by Address Resolution and NUD. It specifies the minimum time, in milliseconds, between retransmitted Neighbor Solicitation messages. § AddrFlag: This is the Managed Address flag used to signal the use of DHCPv6 for Address and Other configuration.When set the OtherFlag is redundant. § OtherFlag: Used to signal the use of DHCPv6 for other parameter configuration. § There is also a 1-bit autonomous address-configuration flag in the Prefix Option. When set indicates that this prefix can be used for stateless address configuration
  • 115.
    RA ON CISCOROUTER - SHOW IPV6 ROUTERS hote#show ipv6 routers Router FE80::2038:148E:B9DF:FD6D on FastEthernet0/0, last update 2 min Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500 HomeAgentFlag=0, Preference=Medium Reachable time 0 (unspecified), Retransmit time 0 (unspecified) Prefix 2001::/64 onlink autoconfig Valid lifetime 2592000, preferred lifetime 604800 Note: A router which cannot be used as a default router sends RA with Lifetime=0
  • 116.
    RA CAPTURE InternetProtocol Version 6 0110 .... = Version: 6 [0110 .... = This field makes the filter "ip.version == 6" possible: 6] .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 104 Next header: ICMPv6 (0x3a) Hop limit: 255 Source: fe80::207:cbff:fe3e:b6b3 (fe80::207:cbff:fe3e:b6b3) Destination: ff02::1 (ff02::1) Internet Control Message Protocol v6 Type: 134 (Router advertisement) Code: 0 Checksum: 0xf74b [correct] Cur hop limit: 64 Flags: 0x00 Router lifetime: 1800 Reachable time: 0 Retrans timer: 0 ICMPv6 Option (Prefix information) Type: Prefix information (3) Length: 32 Prefix length: 64 Flags: 0xc0 Valid lifetime: 86400 Preferred lifetime: 86400 Prefix: 2a01:e35:2f26:d340:: ICMPv6 Option (Recursive DNS Server) Type: Recursive DNS Server (25) Prefix Length: 40 Reserved DNS Servers Address Lifetime: 600 Recursive DNS Servers: dns3.proxad.net (2a01:e00::2) Recursive DNS Servers: dns2.proxad.net (2a01:e00::1) ICMPv6 Option (MTU) Type: MTU (5) Length: 8 MTU: 1480 ICMPv6 Option (Source link-layer address) Type: Source link-layer address (1) Length: 8 Link-layer address: 00:07:cb:3e:b6:b3 Source MAC @ MTU All node link-local address Router Lifetime (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 117.
    § RA caninclude the DNS Server Addresses (Recursive DNS Option) § MAC OS X 10.7 supports this option § RDNSS config in rtadvd.conf to configure the Linux rtadvd daemon interface eth0 { AdvSendAdvert on; prefix 2001:db8:cafe:1::/64 { AdvOnLink on; AdvAutonomous on; }; rdnss 2001: db8:cafe:1::1 { }; } DNS SERVER ANNOUNCED IN RA (RFC 6106)
  • 118.
    ALU 7750 CONFIGURATIONOF THE RA RA must be authorized as they are not generated by default. CLI Syntax: config>router# router-advertisement interface ip-int-name current-hop-limit number managed-configuration max-advertisement-interval seconds min-advertisement-interval seconds mtu mtu-bytes other-stateful-configuration prefix ipv6-prefix/prefix-length autonomous on-link preferred-lifetime {seconds | infinite} valid-lifetime {seconds | infinite} reachable-time milli-seconds retransmit-time milli-seconds router-lifetime seconds no shutdown use-virtual-mac
  • 119.
    ALU 7750 RACONFIGURATION Router-advertisement Syntax router-advertisement Context config>router Description This command configures router advertisement properties. By default, it is disabled for all IPv6 enabled interfaces. The no form of the command disables all IPv6 interface. However, the no interface interface-name command disables a specific interface. Default disabled
  • 120.
    ALU 7750 RACONFIGURATION Prefix Syntax [no] prefix [ipv6-prefix/prefix-length] Context config>router>router-advert>if Description This command configures an IPv6 prefix in the router advertisement messages. To support multiple IPv6 prefixes, use multiple prefix statements. No prefix is advertised until explicitly configured using prefix statements. Default none Parameters ip-prefix The IP prefix for prefix list entry in dotted decimal notation. Values ipv4-prefix a.b.c.d (host bits must be 0) ipv4-prefix-length 0 — 32 ipv6-prefix x:x:x:x:x:x:x:x (eight 16-bit pieces) x:x:x:x:x:x:d.d.d.d x: [0 — FFFF]H d: [0 — 255]D ipv6-prefix-length 0 — 128 prefix-length Specifies a route must match the most significant bits and have a prefix length. Values 1 — 128
  • 121.
    ND – ROUTERSOLICITATION § ICMP Type = 133 § Src = :: or link-local address § Dst = All routers multicast address § When a station boots, it must send a RS message to request routers information
  • 122.
    NEXT-HOP DETERMINATION §This is different from IPv4 as two nodes can be neighbors with different prefixes. § A neighbor will be considered on-link if: § It is covered by a prefix of the link § It has received a NA for this address § It has received any ND message from this address § It has received an RA with this prefix in the prefix list § It has received a REDIRECT message with a target equal to this address
  • 123.
    STATELESS ADDRESS AUTOCONFIGURATION(SLAAC) RFC 4862, IPv6 Stateless Address Autoconfiguration § RS/RA to request prefixes available to build addresses § DAD to test the new addresses
  • 124.
    AUTOCONFIGURATION WITH DHCPV6 § Stateful Autoconfiguration avec DHCPv6 RFC3315 § DHCPv6 provides address and other parameters (DNS, domain name, SIP…) § Stateless Autoconfiguration with DHCPv6 § SLAAC used for address configuration § DHCPv6 for the other information (DNS, Domain Name) § Prefix Delegation § DHCPv6 can be used to provide a prefix which can be subnetted § The Service Provider useS DHCPv6 PD to allocate a block of addresses for the customer
  • 125.
    STATEFUL OR STATELESSAUTOCONFIG DHCPV6 § IPv6 routers signal how DHCPv6 can be used by end nodes § RA M bit « Managed Address Configuration » is set if DHCPv6 must be used for address configuration. If M bit is set, the O bit is redundant as DHCPv6 will be used to get all the configs. § RA O bit « Other Stateful Configuration » is set if DHCPv6 must be used for other configurations § M and possibly O bits are set in the RA for DHCPv6 stateful autoconfiguration § M = 0 and O = 1 in the RA for DHCPv6 stateless autoconfiguration § DHCPv6 clients and relays use IPv6 Multicast addresses § « ff02::1:2 » All relays agents and servers link-local address § « ff05::1:3 » All DHCPv6 servers site-local address
  • 126.
    AUTOCONFIGURATION (STATEFUL DHCPV6) Address and Other parameters are configured from DHCPv6 DHCPv6 with Rapid Commit (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 127.
    AUTOCONFIGURATION (STATELESS DHCPV6) DHCPv6 with Rapid Commit Address configuration from the prefix received in the RA (SLAAC) Other parameters are given by a DHCPv6 Server (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 128.
    FULL AUTOCONFIGURATION PROCESS (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 129.
    MAIN ALGO OFAUTOCONFIGURATION PROCESS (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! Derive the link-local address FE80::[Interface ID] Send NS to the solicited node multicast address derived from the link-local NA received ? Stop Initialize the link-local Send RS RA Received ? Use DHCPv6 and exit Set Hop Limit, Reachable Time, Retrans Timer, MTU Prefix Information present ? A B Managed Address Configuration Flag = 1 ? Other Configuration Flag = 1 ? Use DHCPv6 Stop Yes No Yes No Yes No Yes No Yes No Start
  • 130.
    TENTATIVE IS THEAUTOCONF PROCESS STARTING… § First Step § Address verification with « Duplicate Address Detection (DAD) » § Can only receive a response to the DAD NS Request Valid Preferred Deprecated Tentative Invalid Preferred Lifetime Valid Lifetime
  • 131.
    AUTOCONFIG: PREFERRED LIFETIME § The address is verified by DAD and can be used to send and receive unicast traffic. § The address can be used for new connections or by existing one § The Preferred Lifetime is determined by the field Preferred Lifetime included in the RA Prefix Information or the Preferred-Lifetime Option in the DHCPv6 IA Address Valid Preferred Deprecated Tentative Invalid Preferred Lifetime Valid Lifetime
  • 132.
    AUTOCONFIG: DEPRECATED §The address has been verified by DAD § A New connection should not use this address § Existing communications can use this address Valid Preferred Deprecated Tentative Invalid Preferred Lifetime Valid Lifetime
  • 133.
    AUTOCONFIG: VALID LIFETIME § The address can be used to send and receive unicast traffic § Valid state includes preferred and deprecated § The Valid Lifetime is determined by the field Valid Lifetime included in the RA Prefix Information or the Valid-Lifetime Option in the DHCPv6 IA Address Valid Preferred Deprecated Tentative Invalid Preferred Lifetime Valid Lifetime
  • 134.
    RA PREFIX OPTION ipv6 nd prefix <prefix/mask>[Valid] [Preferred][no-advertise| off-link | no-autoconfig] A Take the first prefix information On-Link Flag = 0 ? Ignore the prefix Autonomous Flag = 0 ? No No Derive the Stateless address Prefixe:[interface ID] Send NS to the matching solicited node multicast address NA Received ? Other prefixes to process Yes Initialise the Stateless address Go to next prefix B No No Yes Do not initialize the stateless address Preferred > Yes Valid Valid = 0 Ignore the prefix Ignore the prefix Ignore the prefix No Yes Yes Yes
  • 135.
    AUTOCONFIG: INVALID §The address cannot be used to send or receive traffic § The address reaches the Invalid state when the Valid Lifetime has expired Valid Preferred Deprecated Tentative Invalid Preferred Lifetime Valid Lifetime
  • 136.
    AUTOCONFIG - SHOWIPV6 INTERFACE hote#sh ipv6 int fa0/0 FastEthernet0/0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::38B1:E73C:C0F0:4442 No Virtual link-local address(es): Global unicast address(es): BAD:1:2:FC64:8ECC:593A:15C3:654, subnet is BAD:1:2:FC64:8ECC:593A: 15C3:654/128 2001::20EC:31D3:14CB:A7A, subnet is 2001::/64 Joined group address(es): FF02::1 FF02::1:FFC3:654 FF02::1:FFCB:A7A FF02::1:FFF0:4442 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ICMP unreachables are sent ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds (using 37164) Default router is FE80::2038:148E:B9DF:FD6D on FastEthernet0/0 hote# (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 137.
    RFC 2894 ROUTERRENUMBERING FOR IPV6 § Node renumbering is performed, thanks to RA § Old prefix is announced with Preferred Lifetime very small or null and the new prefix with a normal Preferred Lifetime § Hosts will have two prefixes § Address built from old prefix will be deprecate § New connections use the new prefix § After some time, the connections will be set on the new prefix § Router only announces the new prefix § The Old prefix will be invalid
  • 138.
    RENUMBERING SCENARIO RoutersConfiguration RA Preferred Prefix: 2001:db8:cafe:2::/64 Deprecated Prefix: 2001:db8:cafe:1::/64 Host Preferred address: 2001:db8:cafe:2:1:4567:9f0:1 Deprecated address: 2001:db8:cafe:1:4567:9f0:1 Valid Preferred interface Ethernet0 ipv6 nd prefix 2001:db8:cafe:1::/64 43200 0 ipv6 nd prefix 2001:db8:cafe:2::/64 43200 43200
  • 139.
    NDP PDU SUMMARY Message Goal ICMP Code Sender Target Option Router Solicitation (RS) Resuest an immediate RA 133 Host All Routers SLLA Router Advertisement (RA) Announce: defaut router, prefixes, parameters 134 Routers RS Sender or all host SLLA, MTU, Prefix, Route, Interval, Home Agent info Neighbor Solicitation (NS) Request the Link layer address of the target. Also used to send probe (NUD) 135 Hosts Multicast Solicited node address or unicast of the target SLLA Neighbor Advertisement (NA) Answer to the NS 136 Hosts Sender of the NS or all hosts TLLA Redirect Information of a better next hop for a destination 137 Routers Host which triggers the Redirect TLLA Redirected header Inverse neighbor Solicitation (INS) Request an IPv6 address matching a Link layer address 141 Hosts All hosts SLLA, TLLA, MTU, Source address list Inverse Neighbor Advertisement (INA) Answer to INA 142 Hosts INS Sender SLLA, TLLA, Target addresses list, MTU (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 140.
    INTERESTING RFCS §RFC 2460 IPv6 Specification § RFC 5095 Deprecation of Type 0 Routing Headers in IPv6 § RFC 4291 IPv6 Addressing Architecture § RFC 4861 Neighbor Discovery § RFC 4862 IPv6 Stateless Auto config § RFC 4443 ICMPv6 Specification § http://tools.ietf.org/html/rfc4443
  • 141.
    CONCLUSION § NDPis part of any IPv6 stack § NDP provides many services allowing address and default router autoconfiguration § NDP checks the Neighbor availability § NDP is vulnerable to DoS attacks. See RFC3756.
  • 142.
    (C) 2012 FREDBOVY EIRL. IPV6 FOR LIFE!
  • 143.
    OBJECTIVES § UnderstandDHCPv6 § Understand the support of DNS for IPv6 § Understand Mobile IPv6 § Find a list of IPv6 ready network application § 1949 applications supporting IPv6 § http://www.ipv6-to-standard.org/ § How to test your stack and ISP § http://test-ipv6.com/
  • 144.
  • 145.
    STATEFUL DHCPv6 SIGNALIZATION § Stateful Autoconfiguration with DHCP for IPv6 RFC3315 § IPv6 routers signal the use of DHCPv6 § M-bit flag « Managed Address Configuration » is set when address and network parameters configuration are available from DHCPv6 § O-bit flag « Other Stateful Configuration » is set when Other parameters configuration must be performed with DHCPv6
  • 146.
    DHCP MOST IMPORTANTTERMINOLOGY DHCP = Unique IDentifier http://tools.ietf.org/html/rfc3315#section-9 DHCP Client or Server has its DUID. It is based on the LL Address, the Vendor, the enterprise, the Time… What I have seen the Most for the moment was Link Layer (LL or MAC Address). Veryy important as DHCP uses multicast to communicate with ALL DHCP nodes. DUID is the used to fins the right node. IA = Identity Association http://tools.ietf.org/html/rfc3315#section-10 Each IA must be associated with exactly one interface. Each Interface May have multiple prefixes but will have ONE IA. This is a logic construct that can be used for a group of interfaces which play the same role. « Each address in an IA has a preferred lifetime and a valid lifetime, as defined in RFC 2462 [17]. The lifetimes are transmitted from the DHCP server to the client in the IA option. The lifetimes apply to the use of IPv6 addresses, as described in section 5.5.4 of RFC 2462. » From RFC 3315 Section 10. IMPORTANT: When theses timers need to be changed, it is from the Server, the source! Changing the routers timers has no effects.
  • 147.
    HOW ADDRESSES ARETRANSPORTED ? OPTION_IA_NA option-len IAID T1 T2 IA_NA-options OPTION_IA_TA option-len IAID IA_TA-options IA_NA OPTION_IAADDR OPTION_LEN IPv6 ADDRESS PREFERRED_LIFETIME VALID_LIFETIME IAaddr-options IA_TA IA Address Option Non Temporary Addresses With DHCPv6 Timers Temporary Addresses No Timers, Managed by the Upper Layer! IPv6 Address and Timers. 0xffffffff is infinity
  • 148.
    DHCPV6 MULTICAST ADDRESSES § "ff02::1:2" Link-local scope. All Relay agent and servers § "ff05::1:3" Site-Local scope. All DHCPv6 servers DHCPv6 Client DHCPv6 Server SOLICIT ff02::1:2 Advertize fe80::1 Request ff02::1:2 Reply fe80::1 fe80::1 YES. I am here and I can provide you with blah blah blah! I Want to reserve: 2001:db8:12:FD:45:fa:F And Use domain fredbovy.com And DNS Server: 2a01::1, 2a01::2 YES You got it! It’s all for you!
  • 149.
    DHCPv6 CLIENT –SERVER DHCPv6 Client DHCPv6 Server Solicit Dst:All_DHCP_Relay_Agents_and_Servers (FF02::1:2) Src: Client Link-local address Advertise Dst: Client Link-local address Src: Server Link-local address Request Dst: Server Dst:All_DHCP_Relay_Agents_and_Servers (FF02::1:2) Src: Client Link-local address Reply Dst: Client Link-local address Src: Server Link-local address (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 150.
    DHCPv6 CLIENT –RELAY – SERVER DHCPv6 Client DHCPv6 Server Solicit Dst:All_DHCP_Relay_Agents_and_Servers (FF02::1:2) Request Dst: Server Dst:All_DHCP_Relay Agents_and_Servers (FF02::1:2) Src: Client Link-local address Relay-reply Dst: Client Link-local address Src: Server Link-local address DHCPv6 Relay Relay-Forward to All_DHCP_Servers (FF05::1:3) Relay-reply Advertise Relay-Forward to All_DHCP_Servers (FF05::1:3) Reply (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 151.
    DHCPv6 SOLICIT (1) Internet Protocol Version 6 0110 .... = Version: 6 [0110 .... = This field makes the filter "ip.version == 6" possible: 6] .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 56 Nxt header: UDP (0x11) Hop limit: 255 Source: fe80::38b1:e73c:c0f0:4442 (fe80::38b1:e73c:c0f0:4442) Destination: ff02::12 (ff02::1:2) User Datagram Protocol, Src Port: dhcpv6-client (546), Dst Port: dhcpv6-server (547) Source port: dhcpv6-client (546) Destination port: dhcpv6-server (547) Length: 56 Checksum: 0x86f0 [validation disabled] Link-Local All Servers and Relays dhcpv6-client: 546 dhcpv6-server: 547 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 152.
    DHCPv6 SOLICIT (2) DHCPv6 Message type: Solicit (1) Transaction-ID: 0x00b44306 Elapsed time option type: 8 option length: 2 elapsed-time: 0 ms Client Identifier option type: 1 option length: 10 DUID type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: ca:02:42:76:00:08 Option Request option type: 6 option length: 4 Requested Option code: DNS recursive name server (23) Requested Option code: Domain Search List (24) Identity Association for Non-temporary Address option type: 3 option length: 12 IAID: 262145 T1: 0 T2: 0 DNS Server Address Domain Name Non-Temporary Address (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 153.
    DHCPv6 ADVERTISE (2) DHCPv6 Message type: Advertise (2) Transaction-ID: 0x00b44306 Server Identifier option type: 2 option length: 10 DUID type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: ca:03:42:76:00:08 Client Identifier option type: 1 option length: 10 DUID type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: ca:02:42:76:00:08 Server Identifier Client Identifier Identity Association for Non-temporary Address option type: 3 option length: 40 IAID: 262145 T1: 43200 T2: 69120 IA Address option type: 5 option length: 24 IPv6 address: bad:1:2:2d98:8e14:c0b1:6ef5:8548 Preferred lifetime: 86400 Valid lifetime: 172800 Domain Search List option type: 24 option length: 14 DNS Domain Search List Domain: fredbovy.com IPv6 Address Domain Name (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 154.
    DHCPV6 SERVER STATUS R4>show ipv6 dhcp This device's DHCPv6 unique identifier(DUID): 00030001CA0342760008 R4>show ipv6 dhcp int FastEthernet0/0 is in server mode Using pool: fred Preference value: 0 Hint from client: ignored Rapid-Commit: disabled R4#show ipv6 dhcp pool DHCPv6 pool: fred Static bindings: Binding for client BADCAF0E IA PD: IA ID not specified Prefix: DEAD:BEEF::/48 preferred lifetime 604800, valid lifetime 2592000 Address allocation prefix: DEAD:BEEF:1:2:3::/64 valid 172800 preferred 86400 (1 in use, 0 conflicts) Domain name: fredbovy.com Active clients: 1 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 155.
    DHCPV6 SERVER ALLOCATION R4#show ipv6 dhcp bind Client: FE80::38B1:E73C:C0F0:4442 DUID: 00030001CA0242760008 Username : unassigned IA NA: IA ID 0x00040001, T1 43200, T2 69120 Address: DEAD:BEEF:1:2:6090:18A5:E017:DE5C preferred lifetime 86400, valid lifetime 172800 expires at Aug 11 2010 03:23 PM (172554 seconds) (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 156.
    DHCPv6 CLIENT hote#showipv6 dhcp interface FastEthernet0/0 is in client mode Prefix State is IDLE Address State is OPEN Renew for address will be sent in 11:39:08 List of known servers: Reachable via address: FE80::2027:9779:3775:5CF8 DUID: 00030001CA0342760008 Preference: 0 Configuration parameters: IA NA: IA ID 0x00040001, T1 43200, T2 69120 Address: BAD:1:2:FC64:8ECC:593A:15C3:654/128 preferred lifetime 86400, valid lifetime 172800 expires at Aug 11 2010 02:36 PM (171549 seconds) Domain name: fredbovy.com Information refresh time: 0 Prefix Rapid-Commit: disabled Address Rapid-Commit: disabled Configuration: interface FastEthernet0/0 ipv6 address dhcp (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 157.
    DHCPv6 OPERATION *Aug9 15:34:32.806: IPv6 DHCP: Received REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:32.806: IPv6 DHCP: IA_NA 00040001 contains status code NOADDRS-AVAIL *Aug 9 15:34:32.806: IPv6 DHCP: DHCPv6 address changes state from REQUEST to SOLICIT (ADDR_NAK) on FastEthernet0/0 *Aug 9 15:34:32.806: IPv6 DHCP: Received REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:32.806: IPv6 DHCP: No matching transaction ID in REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:33.782: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on FastEthernet0/0 *Aug 9 15:34:33.786: IPv6 DHCP: Received ADVERTISE from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:33.786: IPv6 DHCP: Adding server FE80::2027:9779:3775:5CF8 *Aug 9 15:34:33.786: IPv6 DHCP: Received ADVERTISE from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:34.858: IPv6 DHCP: Sending REQUEST to FF02::1:2 on FastEthernet0/0 *Aug 9 15:34:34.858: IPv6 DHCP: DHCPv6 address changes state from SOLICIT to REQUEST (ADDR_ADVERTISE_RECEIVED) on FastEthernet0/0 *Aug 9 15:34:34.858: IPv6 DHCP: Received REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:34.858: IPv6 DHCP: Processing options *Aug 9 15:34:34.862: IPv6 DHCP: Adding address DEAD:BEEF:1:2:C541:3F5C:EA1A:BE21/128 to FastEthernet0/0 *Aug 9 15:34:34.870: IPv6 DHCP: T1 set to expire in 43200 seconds *Aug 9 15:34:34.870: IPv6 DHCP: T2 set to expire in 69120 seconds *Aug 9 15:34:34.870: IPv6 DHCP: Configuring domain name fredbovy.com *Aug 9 15:34:34.870: IPv6 DHCP: DHCPv6 address changes state from REQUEST to OPEN (ADDR_REPLY_RECEIVED) on FastEthernet0/0 *Aug 9 15:34:34.870: IPv6 DHCP: Received REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0 *Aug 9 15:34:34.870: IPv6 DHCP: DHCPv6 address changes state from OPEN to OPEN (ADDR_REPLY_RECEIVED) on FastEthernet0/0 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 158.
    STATELESS DHCPV6 §IPv6 Routers signal the DHCPv6 utilization § M bit = 0 « Managed Address Configuration » to use SLAAC for address autoconfiguration § O bit = 1 « Other Stateful Configuration » to use DHCPv6 for Other parameter configuration § Address is configured by SLAAC § Other parameters are then requested to the DHCPv6 Server
  • 159.
    DHCP PREFIX DELEGATION § DHCPv6 PD Server allocates a block of addresses § The block received by the client is then subnetted to configure each interface
  • 160.
    ISENTITY ASSOCIATION IA_PD IA_PD Prefix option IPv6 prefix (16 octets) (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! IA_PD option Option_IA_PD option-length IAID (4 Octets) T1 T2 OPTION_IAPREFIX option-length preferred-lifetime valid-lifetime prefix-length IPprefix-options IA _PD-options
  • 161.
    DHCP PREFIX DELEGATION IPv6 2001:db8:1:1::/64 DHCP PD Client DHCP PD Server 2001:db8:1::/48 RA ISP 2001:db8::/32 2001:db8:2:1::/64 RA 2001:db8:2:2::/64 RA 2001:db8:2::/48 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 162.
    DHCP-PD OPERATION 2001:db8:678::/32DHCP-PD Server (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! 2001:db8:678::1/64 DHCPv6 Client IPv6 Internet DHCP-PD Relay 2001:341f::1:57/64 2001:341f::/32 Router Advertisement Prefix-List 2001:db8:678::/64 M=0, O=0 (SLAAC) DHCPv6-PD Client May Use LL for the p2p Link Address
  • 163.
    5:00AM FIRST HOMEOFFICE DHCP-PD USER COMES UP! IPv6 Internet 2001:341f::1:57/64 IPv6 Private Network 2001:db8:678::1 2001:db8:678:1::/56 2001:db8:658::/48 8 bits for Subnets (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! 2001:db8:678:10::/64 2001:db8:678:11::/64 ... DHCP-PD Server Relay_Forward (Solicit) Advertize Request IA_PD First Block Reply IA_PD 2001:db8:678::/56 IPv6 Internet IPv6 Internet AS 610 AS 413 2001:413::/32 AS 341F 2001:341F::/32 FTTH Solicit IA_PD Home Network 2001:db8:678::/64 2001:db8:678:d340:98:22ac:f9:1 Router Advertisement Managed=0, Other=0 MTU=1500, Hop Limit=64 Retrans Timer=0 (Unsp) Reachable Time=0 (Unsp) Prefix: 2001:db8:678::/56 On-Link=1 Autonomous=1 Valid=7200 Preferred=1200 3 1a 1b 2b DHCP-PD Relay
  • 164.
    7:00 AM DHCP-PDFIRST OFFICE COMES UP (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! IPv6 Internet 2001:341f::1:57/64 IPv6 Private Network 2001:db8:658::/48 2001:db8:678:1::/56 8 bits for Subnets 2001:db8:678:10::/64 2001:db8:678:11::/64 ... DHCPv6-PD Client DHCP-PD Server Relay_forward (Solicit IA_PD) Request IA_PD Reply IA_PD First Block 2001:db8:678::/56 Home Network 2001:db8:678::/64 IPv6 Internet IPv6 Internet AS 610 2001:610::/32 AS 413 2001:413::/32 AS 341F 2001:341F::/32 FTTH DHCPv6 Relqy P2P LL Address SOLICIT IA_PD Relay_Reply(Solicit IA_PD) Advertise IA_PD REPLY IA_PD Request IA_PD
  • 165.
    (C) 2012 FREDBOVY EIRL. IPV6 FOR LIFE!
  • 166.
    DOMAIN NAME SERVICES(DNS) § RFC1035, RFC1036 § To Provide Name to addresses resolution § To Provide address to name resolution § To Find Mail Servers in a domain to allow eMail routing § Key component in network architecture § Request and Replies are encapsulated in UDP port 53 messages § DNS Message Length is limited to 512 bytes § DNSSEC is an effort to offer a secure DNS service § Nodes and even Subnets discovery became difficult with IPv6 addresses therefore DNS is likely to get used to discover target
  • 167.
    THE DNS TREESTRUCTURE . Root « . » arpa edu gov net com ca au za In-addr ip6 coca-cola mcDo company google bill sec head TLD Second Level Domain Third Level Domain (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 168.
    RESOLUTION OF FRED.EXAMPLE.COM DNS Root DNS « . » TLD DNS .com. Domain DNS example.com. Query=fred.example.com Referral to .com gTLD DNS Query=fred.example.com Referral to example.com DNS Query=fred.example.com Authoritative Answer (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 169.
    § For Addressto Name Resolution http://www.iana.org/domains/arpa/ http://tools.ietf.org/html/rfc5855 REVERSE MAPPING . arpa edu In-addr ip6 0 1 2 194 195 47 37 2 2.37.47.195.in-addr.arpa
  • 170.
    ROOT DNS SERVERS § They return the addresses of the TLD Servers § 13 IP anycast addresses are used § 13 ipv4 addresses can be sent in a 512 (436) bytes UDP message! § 200+ physical servers around the globe § Domain root-servers.net: a.root-servers.net through m.root-servers.net § In Europe, RIPE Servers k.root-servers.net are located in Amsterdam, Athens, Doha, Frankfurt, London and Milan. IPv4:193.0.14.129, IPv6:2001:7fd::1 § IPv6 addresses are already supported by 9 of the 13 root-servers § Requirements of a Root Server are in RFC2870 § http://www.iana.org/domains/root/
  • 171.
    TOP LEVEL DOMAIN(TLD) DNS SERVERS § They return the address of the NS for a User domain § The full list is at http://www.iana.org/domains/root/db/ § Generic Top-Level-Domains (gTLD): § .com § .edu § .net § .org § .mil, etc… § Country Code Top-Level-Domains (ccTLD): § .us, .ca, .fr, .uk, etc…
  • 172.
    THE EXAMPLE.COM DNSSERVERS § Primary or Master and Secondary or Slave DNS Server § To increase performance and reliability of DNS, there is more than one DNS server for each domain. § The Master Zone file describing the zone is located on the Primary server § The Secondary Server is synchronized with the Primary, thanks to Zone Transfer DNS Slave Zone DNS Slave Zone § Caching only Servers DNS Master Zone DNS Slave Zone Zone Transfer Master Zone File
  • 173.
    ZONE AND ZONEFILES: CONFIG FOR A ZONE § Zone files translate the domain name into operational entities § Zone Files contain: § Data that describe the zone authority, known as the Start of Authority (S0A) Resource Record. § All the hosts within the zones. § A Resource Record for an IPv4 Address § AAAA Resource Record for an IPv6 Address § Data that describes global information for the zone. MX Resource Records for the domain’s mail servers and NS Resource Records for the Name Servers § In the case of a subdomain delegation, the name servers are responsible for this subdomain…
  • 174.
    RECURSIVE AND ITERATIVEQUERIES § The simplest mode for the server is non-recursive, since it can answer queries using only local information: the response contains an error, the answer, or a referral to some other server "closer" to the answer. § All name servers must implement non-recursive queries. § The simplest mode for the client is recursive, since in this mode the name server acts in the role of a resolver and returns either an error or the answer, but never referrals. § This service is optional in a name server. The name server may also choose to restrict the clients that can use recursive mode.
  • 175.
    RECURSIVE QUERY §All servers do not support Recursive Query § Root and TLD servers do not support Recursive Query 1 Name Server Root Name Server Authoritative Name Server for TLD com Authoritative Name Server for 2 3 4 5 Cache company.com Client Resolver
  • 176.
    ITERATIVE QUERY NameServer Root Name Server Authoritative Name Server for TLD com Authoritative Name Server for company.com Client Resolver 2 Query Referal 1 Query Referal 4 Query Authoritative answer 3 Query Referal 5 Cache All servers support Iterative Query (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 177.
    IPV6 SUPPORT INDNS § RFC1886 describes how to accommodate IPv6 Addresses in DNS § AAAA Resource Record to store 128 bits addresses § IPv6 reverse mapping uses the PTR RR in the first place under domain ip6.int replaced by ip6.arpa § More complex solution A6/DNAME § After many discussions, this was moved to Experimental status § DNS requests must be transported in IPv6 § DNS Root servers and Top-level domains must support IPv6 § 9 of the 13 root-servers are IPv6 ready § DNS messages larger than 512 bytes must be supported (EDNS0) and not filtered by firewalls
  • 178.
    AAAA AND IPV6.ARPA § AAAA is written like an IPv6 address. Leading zeros can be omitted § ipv6-host IN AAAA 2001:db8:1:2:3:4:567:89ab § Ip6.arpa is the reverse-mapping name space for IPv6 addresses. Each level of subdomain under ip6.arpa represents four bits of the 128-bit address. Omitting leading zeros is not allowed, so there are always 32 hex digits and 32 levels of subdomain below ip6.arpa in a domain name corresponding to a full ipv6 address. § b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.8.b.d. 0.1.0.0.2.ip6.arpa.
  • 179.
    AAAA RESOURCE RECORDSYNTAX name ttl class ipv6 § ipv6-host IN AAAA 2001:db8:1:2:3:4:567:89ab § name: ipv6-host.The name is unqualified, causing the $ORIGIN directive value to be substituted. You could have written this as ns1.example.com. (using the FQDN format), which may be more understandable. § ttl: There is no ttl value defined for the RR, so the zone default from the $TTL directive will be used. § class: IN. Defines the class to be Internet § ipv6: 2001:db8:1:2:3:4:567:89ab. This is a Global Unicast address.
  • 180.
    ADDING AAAA TOFORWARD-MAPPING ZONES § A and AAAA can coexist for dual-stack hosts: Skydive IN A 192.239.120.111 IN AAAA 2001:db8:cafe:f1::e1 § Another option is to create one entry for each protocol Skydive IN A 192.239.120.111 skydive-v6 IN AAAA 2001:db8:cafe:f1::e1 or skydive.v6 IN AAAA 2001:db8:cafe:f1::e1
  • 181.
    ZONE FILE WITHIPV6 SUPPORT EXAMPLE (1) ; transitional IPv6/IPv4 zone file for example.com $TTL 2d ; default TTL for zone SOA Resource $ORIGIN example.com. Record ; Start of Authority RR defining the key characteristics of the zone (domain) @ IN SOA ns1.example.com. hostmaster.example.com. ( 2003080800 ; sn = serial number 12h ; refresh 15m ; retry = update retry 3w ; expiry 2h ; min = minimum ) ; name server RRs for the domain IN NS ns1.example.com. ; the second name server is ; external to this zone (domain) . IN NS ns2.example.net. Name Servers (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 182.
    ZONE FILE WITHIPV6 SUPPORT EXAMPLE (2) ; mail server RRs for the zone (domain) 3w IN MX 10 mail.example.com. ; the second mail server is ; external to the zone (domain) IN MX 20 mail.example.net. ; domain hosts includes NS and MX records defined above ; plus any others required ; the following hosts are in IPv6 subnet 1 ns1 IN A 192.168.254.2 ns1 IN AAAA 2001:db8:0:1::1 mail IN A 192.168.254.4 mail IN AAAA 2001:db8:0:1::2 ; these hosts are defined to be in the IPv6 subnet 2 joe IN A 192.168.254.6 joe IN AAAA 2001:db8:0:2::1 www IN A 192.168.254.7 www IN AAAA 2001:db8:0:2::2 ; aliases ftp (ftp server) to an external location ftp IN CNAME ftp.example.net (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 183.
    IPV6 REVERSE-MAPPING ZONES § The subnet where skydive.v6.movie.edu is on 2001:db8:cafe:f9::/64 would correspond to the reverse-mapping zone: § 9.f.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa § IPv6 reverse-mapping zones contain PTR records, SOA record and one or more NS record: $TTL 1d @ IN SOA terminator.movie.edu. hostmaster.movie.edu. ( 2011030800 ; Serial number 1h ; Refresh (1 hour) 15m ; Retry (15 minutes) 30d ; Expire (30 days) 10m ) ; Negative-caching TTL (10 minutes) IN NS terminator.movie.edu. IN NS wormhole.movie.edu. 3.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR skydive.v6.movie.edu. 4.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR super8.v6.movie.edu.
  • 184.
    IPV6 PTR RESOURCERECORD The PTR RR is standardized in RFC 1035 and maps an IPv6 address to a particular interface ID. Syntax is : – name ttl class rr name § name: This is the subnet ID and interface ID parts of the IPv6 address written in reverse nibble format. While this looks like a number, it is in fact treated as a name. The name is unqualified causing the $ORIGIN directive value to be substituted. § ttl: There is no ttl value defined for the RR, so the zone default from the $TTL directive will be used. § class: IN defines the class to be Internet § name: Defines that the query for <address> will return name Example: 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0 IN PTR joe.example.com.
  • 185.
    REVERSE IPV6 ZONEFILE FOR EXAMPLE.COM (1) ; reverse IPV6 zone file for example.com Prefix for all the addresses $TTL 2d ; default TTL for zone $ORIGIN 0.0.0.0.8.b.d.0.1.0.0.2.IP6.ARPA. ; Start of Authority RR defining the key characteristics of the zone (domain) @ IN SOA ns1.example.com. hostmaster.example.com. ( 2003080800 ; sn = serial number 12h ; refresh = refresh 15m ; retry = update retry 3w ; expiry = expiry 2h ; min = minimum ) ; name server RRs for the domain IN NS ns1.example.com. ; the second name server is ; external to this zone (domain) . IN NS ns2.example.net. (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 186.
    REVERSE IPV6 ZONEFILE FOR EXAMPLE.COM (2) ; PTR RR maps a IPv6 address to a host name ; hosts in subnet ID 1 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0 IN PTR ns1.example.com. 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0 IN PTR mail.example.com. ; hosts in subnet ID 2 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0 IN PTR joe.example.com. 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0 IN PTR www.example.com. name: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0 This is the subnet ID and interface ID parts of the IPv6 address 0.0.0.0.0.0.1.0.0.0 written in reverse nibble format. While this looks like a number, it is in fact treated as a name. The name is unqualified causing the $ORIGIN directive value to be substituted. You could have written this as 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.IP6.ARPA. ttl: There is no ttl value defined for the RR, so the zone default of 2d from the $TTL directive will be used. Class: IN defines the class to be Internet Name: www.example.com Defines that a query for 2001:db8:0:2:0:0:0:2 will return www.example.com (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 187.
    BUILT-IN EMPTY REVERSE-MAPPINGZONES § These special addresses are resolved locally by BIND without forwarding any request on the Internet. Reverse-mapping Zone Name Function IPv4 Equivalent 0...ip6.arpa Unspecified IPv6 address 0.0.0.0 1.0...ip6.arpa IPv6 Loopback Address 127.0.0.1 8.b.d.0.1.0.0.2.ip6.arpa IPv6 Documentation Network 192.0.2/24 d.f.ip6.arpa Unique Local Addresses 10/8, etc.(RFC1918) 8.e.f.ip6.arpa Link-Local Addresses 169.254/16 9.e.f.ip6.arpa Link-Local Addresses 169.254/16 a.e.f.ip6.arpa Link-Local Addresses 169.254/16 b.e.f.ip6.arpa Link-Local Addresses 169.254/16
  • 188.
    DNS REQUEST TRANSPORTEDIN IPV6 Internet Protocol Version 6 0110 .... = Version: 6 [0110 .... = This field makes the filter "ip.version == 6" possible .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 145 Next header: UDP (0x11) Hop limit: 255 Source: fe80::61e:64ff:feec:73a9 (fe80::61e:64ff:feec:73a9) Destination: ff02::fb (ff02::fb) User Datagram Protocol, Src Port: mdns (5353), Dst Port: mdns (5353) Source port: mdns (5353) Destination port: mdns (5353) Length: 145 Checksum: 0x5753 [validation disabled] Domain Name System (response) mDNSv6 Link-local Multicast destination (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 189.
    IPV6 ADDRESSES INDNS: AAAA RECORD Type AAAA Name: power-mac-g5-de-fred-bovy-6.local Type: AAAA (IPv6 address) .000 0000 0000 0001 = Class: IN (0x0001) 1... .... .... .... = Cache flush: True Time to live: 2 minutes Data length: 16 Addr: 2a01:e35:2f26:d340:61e:64ff:feec:73a9
  • 190.
    DNS CAPTURE InternetProtocol Version 6 0110 .... = Version: 6 [0110 .... = This field makes the filter "ip.version == 6" possible: 6] .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000 .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000 Payload length: 145 Next header: UDP (0x11) Hop limit: 255 Source: fe80::61e:64ff:feec:73a9 (fe80::61e:64ff:feec:73a9) Destination: ff02::fb (ff02::fb) User Datagram Protocol, Src Port: mdns (5353), Dst Port: mdns (5353) Source port: mdns (5353) Destination port: mdns (5353) Length: 145 Checksum: 0x5753 [validation disabled] Domain Name System (response) [Request In: 788] [Time: -404.306754000 seconds] Transaction ID: 0x0000 Flags: 0x8400 (Standard query response, No error) Questions: 0 Answer RRs: 1 Authority RRs: 0 Additional RRs: 3 Answers power-mac-g5-de-fred-bovy-6.local: type A, class IN, cache flush, addr 192.168.0.15 Name: power-mac-g5-de-fred-bovy-6.local Type: A (Host address) .000 0000 0000 0001 = Class: IN (0x0001) 1... .... .... .... = Cache flush: True Time to live: 2 minutes Data length: 4 Addr: 192.168.0.15 mDNSv6 multicast address MDNS port 5353 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 191.
    DNS CAPTURE (SUITE) Additional records power-mac-g5-de-fred-bovy-6.local: type AAAA, class IN, cache flush, addr fe80::61e:64ff:feec:73a9 Name: power-mac-g5-de-fred-bovy-6.local Type: AAAA (IPv6 address) .000 0000 0000 0001 = Class: IN (0x0001) 1... .... .... .... = Cache flush: True Time to live: 2 minutes Data length: 16 Addr: fe80::61e:64ff:feec:73a9 power-mac-g5-de-fred-bovy-6.local: type AAAA, class IN, cache flush, addr 2a01:e35:2f26:d340:61e:64ff:feec:73a9 Name: power-mac-g5-de-fred-bovy-6.local Type: AAAA (IPv6 address) .000 0000 0000 0001 = Class: IN (0x0001) 1... .... .... .... = Cache flush: True Time to live: 2 minutes Data length: 16 Addr: 2a01:e35:2f26:d340:61e:64ff:feec:73a9 power-mac-g5-de-fred-bovy-6.local: type NSEC, class IN, cache flush, next domain name power-mac-g5-de-fred-bovy-6.local Name: power-mac-g5-de-fred-bovy-6.local Type: NSEC (Next secured) .000 0000 0000 0001 = Class: IN (0x0001) 1... .... .... .... = Cache flush: True Time to live: 2 minutes Data length: 8 Next domain name: power-mac-g5-de-fred-bovy-6.local RR type in bit map: A (Host address) RR type in bit map: AAAA (IPv6 address) AAAA Record (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 192.
    RECURSIVE NAME SERVERSPRIMING FOR IPV6 § Most recursive name servers perform a bootstrap process called priming to determine the current list of root name servers, since information in the local copy of the root hints file could be out of date. § To prime, a recursive name server sends a DNS query of type NS for the root (".") to one of the root name servers listed in the local root hints file. § The recursive name server uses the list of root name servers in the response returned from a live root name server for resolution purposes. § Priming ensures that a recursive name server always starts operation with the most up-to-date list of root name servers. § The operators of nine root name servers - a, d, f, h, i, j, k, l, m - have assigned IPv6 addresses to their systems.
  • 193.
    IPV6 AND EDNS0SUPPORT § Including the IPv6 addresses at the root level of the DNS involves two related actions on the parts of the IANA and the DNS Root Server Operators: § Add Resource Records of Type AAAA to the hints file. The IANA maintains the authoritative root hints file at ftp://ftp.internic.net/ domain/. § Provision the 13 root name servers to return the Type AAAA records when name server resolvers bootstrap, perform what is known as a priming.
  • 194.
    IPV6 AND EDNS0SUPPORT (CONT.) § RFC1035 specifies the maximum DNS UDP message to 512 bytes: § 13 IPv4 anycast addresses were used to represent 200+ Servers for the announcement to fit in a 512 bytes message. 436 bytes actually leave room for some options. § With only 5 IPv6 addresses added to the Additional Section of the DNS Type NS response message root server operators return during the priming exchange, the size of the response message increases from 436 bytes to 576 bytes. § 9 Root Servers have been assigned IPv6 addresses § When all 13 root name servers are assigned IPv6 addresses, the priming response will increase in size to 811 bytes .
  • 195.
    IPV6 AND EDNS0SUPPORT (CONT.) Conditions for the successful completion of a priming exchange: § Resolvers and any intermediate systems that are situated between resolvers and root name servers must be able process DNS messages containing Type AAAA resource records. § Additionally, resolvers must use DNS Extensions (EDNS0, RFC 2671) to notify root name servers that they are able to process DNS response messages larger than the 512 byte maximum DNS message size specified in RFC1035. § Intermediate systems must be configured to forward UDP-encapsulated DNS response messages larger than the 512 byte maximum DNS message size specified in RFC1035 to resolvers that issued the priming request.
  • 196.
    TEST THE EDNS0SUPPORT § To test the action a firewall implementation takes when it receives a UDP-encapsulated DNS response message larger than 512 bytes, a network or firewall administrator can perform the following DNS lookup using: § dig ns +bufsize=4096 @192.33.4.12 OR § dig ns +bufsize=4096 @2001:500:2D::D § This command should elicit a 699 bytes response that contains AAAA resource records § If no response is received, network and firewall administrators should first determine if a security policy other than the vendor's default processing for DNS messages is blocking large response messages or large UDP messages. If no policy other than the vendor's default processing is configured, note the implementation and version, and contact your vendor to determine if an upgrade or hot fix is available.
  • 197.
    DNSSEC § DNSSECis detailed in RFC4033, RFC4034 and RFC4035. A discussion of operational practices relating to DNSSEC can be found in RFC4641. § In DNSSEC, a secure response to a query is one which is cryptographically signed and validated. § In DNSSEC, there is no Protection against DoS attack § DNSSEC adds new Resource Record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS) and Next Secure (NSEC) § A signed zone will contain the 4 additional security-related records § DNSSEC requires support for EDNS0 (RFC2671) and DNSSEC OK (DO) EDNS bit EDNS0 (RFC 3225) § In DNSSEC, the Root Zone is signed § http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html
  • 198.
    DYNAMIC DNS §DNS Servers can be updated dynamically § Address allocated with DHCPv6 or SLAAC automatically update the DNS § DNSUpdates in the Domain Name System (DNS UPDATE) § http://tools.ietf.org/html/RFC2136 § Secure Domain Name System (DNS) Dynamic Update § http://tools.ietf.org/html/RFC3007 § Operational Considerations and Issues with IPv6 DNS § http://tools.ietf.org/html/rfc4472
  • 199.
    IPV6 DEVICES MANAGEMENT § SNMP for IPv6 § SNMP transported by IPv6 § IPv6 supported by MIB. § First approach was to implement separate MIBs for IPv4 and IPv6 § RFC2465 and RFC2466 now deprecated § Unified MIB for IPv4 and IPv6 in RFC4293 § TELNET, SSH for IPv6 § FTP, TFTP for IPv6 § SYSLOG for IPv6 § HTTP for IPv6 § Ping, traceroute
  • 200.
    MOBILE IPV6: RFC3775 § The mobile node can roam from subnet to subnet, but its source address is unchanged for the applications. § No session is lost § The network can be hidden from the correspondent node § This existed in IPv4 but IPv6 greatly improved it
  • 201.
    MOBILE IPV6 TERMINOLOGY Home Agent The router which switches the traffic to the mobile node. Mobile Node The roaming user Home Address The initial network address. All the communications of the mobile node come from this address. Home Link The link where the mobile node is permanently attached. Care-Of-Address The temporary address on the visited network. Correspondant Node The node (not mobile) communicating with the mobile node. (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 202.
    MOBILE NODE ACQUIRESA COA § Mobile node visits a new subnet § It must acquire its Care of Address (CoA) Mobile Node acquires its Care of Address from SLAAC or DHCPv6
  • 203.
    HOME AGENT ADDRESSDISCOVERY (ANYCAST) § Home Agent (HA) may have move § New HA may have been installed § Anycast address may be used to find the HA
  • 204.
    COA BINDING ANDTUNNEL CREATION § Mobile Node register its CoA with the Home Agent § Signaling uses a Mobility Option § IPv6 in IPv6 Tunnel is setup between the MN and the HA Mobile Node 1 2
  • 205.
    BIDIRECTIONNEL TUNNELING §The packets from the CN are routed to the MN via the tunnel in both directions. § The Home Agent intercepts the NS on the Home Link and answers in Proxy- ND. § Transparent for the Corresponding Node Mobile Node
  • 206.
    BIDIRECTIONNEL TUNNELING MobileNode Src @ Dst @ MN IPv6 Home @ CN IPv6 @ Out Src Out Dst In Src In Dst MN IPv6 CoA HA IPv6 @ MN IPv6 Home @ CN IPv6 @ Src @ Dst @ CN IPv6 @ MN IPv6 Home @ Out Src Out Dst In Src In Dst HA IPv6 @ MN IPv6 CoA CN IPv6 @ MN IPv6 Home @ (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 207.
    RETURN ROUTABILITY PROCEDURE § Traffic is routed via the Home Agent until the Return Routability Procedure § CN must support Mobile IPv6 § The CN verifies that the Mobile Node can be reached at its CoA and its Home Address Mobile Node MN proves to the CN that it receives the Keygen Tokens
  • 208.
    RETURN ROUTABILITY PROCEDURE § Verify that the MN who sends the Binding Update is the same MN who sends the data packets. Mobile Node A IPv6 Home Address IPv6 CoA Home Agent CoTI COT Visited Networks A Local Network B Correspondent Node HoTI: Home Test Init CoTI: Care-of Test Init HoT: Home Test COT: Care-of Test
  • 209.
    MOBILITY HEADER FEATURES Type Message Feature 0 Binding Refresh Request (BRR) Binding Update sent by the MN to the HA or the CN 1 Home Test Init (HoTI) Sent by the CN to the Home address of the MN to initialize the Return Routability process. The HoTI is routed via the HA. 2 Care-of Test Init (CoTI) Sent by the CN to the MN CoA to initialize the Return Routability process. 3 Home Test (HoT) HoTI response of the MN to the CN 4 Care-of Test (CoT) CoTI response of the MN to CN 5 Binding Update (BU) Sent by the MN to notify the HA or the CN that it has changed its network point of attachment and has a new CoA. 6 Binding Acknowledgement (BA) Acknowledgement of the BU sent by the HA or the CN. 7 Binding Error (BE) Sent by the CN or the MN to signal an error. For example, if the MN send a message with a Destination Option including a Home Address but the CN does not have a CoA in its Binding Database. (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 210.
    ROUTE OPTIMIZATION SIGNALING § The MN registers its binding to the CN § This Mode must be supported by the CN § This can be avoided for security reason as the CN is now aware that the mobile node is no longer on its Home Link. § By default, the signaling is not crypted. Mobile Node Binding Update Binding Ack
  • 211.
    ROUTE OPTIMIZATION (IDVERIFICATION) § The Mobile Node identity is verified § An IPSec Tunnel is established between the MN and the CN Mobile Node
  • 212.
    DESTINATION OPTION INCLUDESTHE MN SOURCE @ Mobile Node Dst Opt Src @ Dst @ MN IPv6 CoA CN IPv6 @ MN IPv6 Home @ The CN replaces the MN IPv6 CoA with the IPv6 Home @ from the Destination Option: Datagram comes from the MN (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 213.
    ROUTING OPTION INCLUDESTHE MN SOURCE @ Mobile Node The MN replaces the MN IPv6 CoA with the MN IPv6 Home @ from the Routing Option: Datagram is sent to the MN Home @ Src @ Dst @ Routing CN IPv6 @ MN IPv6 CoA MN IPv6 Home @ (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 214.
    MOBILE IPV6 APPLICATIONS § Mobile Router or Nemo § RFC 3963: NEMO Basic Support Protocol § A router is moving with all its networks and connected hosts § RFC 5555: Mobile IPv6 Support for Dual Stack Hosts and Routers § Ad Hoc dynamic mobile networks or Manet § Nodes discover their neighbors dynamically § They join a network dynamically
  • 215.
    NEMO: THE MOBILEROUTER Mobile Router may receive a block of addresses from DHCPv6-PD Dual Stack avec DSMIPv6 Bluetooth Nemo Mobile Router
  • 216.
    MOBILE AD HOCNETWORKING: MANET § MANET nodes discovers theirs neighbors dynamically § OSPFv3 § EIGRP Wireless Uplink
  • 217.
    RFC5213: PROXY MOBILEIPV6 A proxy mobility agent performs signaling on behalf of a mobile device attached to the network. Two new network functions are defined in PMIPv6: § The Local Mobility Anchor (LMA) § Provides the home agent function within a PMIPv6 domain, being the topological anchor point for the mobile node’s care-of address. § The Mobile Access Gateway (MAG) § A function of an access router responsible for triggering the mobility-related signaling on behalf of the attached mobile device.
  • 218.
    1) PMIPV6: MNAUTHENTICATION 1. The MN enters the PMIPv6 domain and attach to an access-link. 2. The MAG verifies the MN Identity and Authorizations. 3. If OK, the MAG helps the MN to get all the configuration: address, default gateway,… 4. The MN considers the PMIPv6 domain as a link Authentication The LMA provides the Mobile IPv6 HA function Local Mobility Anchor (LMA1) IPv6 Network Mobile Node MN1 Mobile Access Gateway (MAG1) Mobile Access Gateway (MAG3) Mobile Access Gateway (MAG2) Local Mobility Anchor (LMA2) Mobile Node MN2
  • 219.
    Local Mobility Anchor (LMA1) 2) PMIPV6: MN JOINS THE IPV6 NETWORK 1. The MN sends a RS (Router Solicitation) to the MAG. 2. For updating the LMA about the MN location, the MAG sends a Mobile Node MN1 Mobile Access Gateway (MAG1) PBU (Proxy Binding Update) to the MN’s LMA. 3. The LMA sends a PBA (Proxy Binding Acknowledgement) including the MN home network prefixes. It creates the Binding Cache entry and sets up its endpoint of the bi-directional tunnel to the MAG. 4. The MAG sends a RA: Router Advertisement to the MN. The MAG can emulate the MN’s Home Link 5. The MN can be configured using SLAAC or DHCPv6 n PBA/PBU Signaling must be protected with IPSec ! n Data Protection is Optional RS PBU PBA including the MN home network prefixe(s) RA 1 2 3 4 The LMA provides the Mobile IPv6 HA function
  • 220.
    CONCLUSION § DHCPv6 § Stateful § Stateless § Prefix Delegation § All the applications required to build and manage a network are available § Root DNS Servers are now also IPv6, so there is no longer any requirement to run dual stack for DNS § Mobile IPv6 is built from the IPv6 flexibility and requires three Options Headers
  • 221.
    (C) 2012 FREDBOVY EIRL. IPV6 FOR LIFE!
  • 222.
  • 223.
    INTRODUCTION § Providea fault tolerant default router § Transparent for hosts § FHRP protocol provides a virtual IPv6 address used by the end node as default route § This virtual address is configured on several routers § Also possible to track an interface or any objects as an IPv6 route
  • 224.
    DEFAULT ROUTER SOLUTIONS § FHRP Protocols § HSRP for IPv6: The first implementation § GLBP for IPv6: For lad-balancing § VRRP for IPv6: An open standard § The cheapest solution § Neighbor Discovery (NDP) § The most expensive § Run a routing protocol on the hosts § RIPng, OSPFv3
  • 225.
    INTRODUCTION TO HSRPV6 § HSRP was ported to IPv6 as HSRPv6 § Allows a virtual link-local address § UDP Hello to track neighbors § Default priority is 100 § The active router sends the RA § An interface can be tracked and priority decremented if it fails Hello P=100 Hello P=128
  • 226.
    HSRPV6 STEP BYSTEP Hello P=100 Hello P=128 RA FE80::1
  • 227.
    HSRPV6 ON ACISCO ROUTER § For IPv6 HSRP, configure version: 2 standby version 2 § Configuration of the standby ipv6 address can be automatic standby 1 ipv6 <address❘autoconfig> § Configuration of interface tracking standby 1 preempt standby 1 track Ethernet1/0 § Verification of HSRPv6 show standby
  • 228.
    HSRPV6: INTERFACE OROTHER OBJECT TRACKING § Interface Tracking automatically decrements the HSRPv6 router priority if the interface fails § With preempt mode enabled, the STANDBY router becomes ACTIVE Standby Active
  • 229.
  • 230.
    TOPICS § RIPv2 § OSPFv3 § ISIS § EIGRP for IPv6 § BGPv4
  • 231.
    RIPNG § RFC2080 § Based on RIPv2 § Distance Vector § Routing by rumour § Spit-horizon, poison reverse § Metric: Hop Count § Same limit as RIPv2 § Maximum Hop=15 § Use Link-Local Addresses § UDP Port 521 § Multicast announces FF02::9 § Cisco IOS support 4 instances of RIPng § Configured by interface
  • 232.
    RIPNG. T=0 (C)2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 233.
    RIPNG. T=30 (C)2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 234.
    RIPNG. T=60 (C)2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 235.
    EIGRP FOR IPV6 § Next Header 88 § Distance Vector optimized with techniques from Link-State protocols § Neighbor discovery with fast multicast Hello § Full routing table exchanged during initialization § Then only Updates are sent § Reliable and Easy to configure § 3 New TLVs § IPv6_REQUEST_TYPE § IPv6_Metric_Type § IPv6_Exterior_Type § MD5 Authentication § Automatic Summarization disabled § No Split Horizon
  • 236.
    COMPOSITE METRIC :F(⨊DELAY+MINBW) § Default Metric EIGRP = 256 * (107/BWmin + Sum(Delays)/10) § Example: A link to a destination with the smallest available bandwidth is 128k and the sum of the delays is 84000 microseconds § Emetric = 256 *(107/128 + 84000/10) § Emetric = 256*86525 = 22150400
  • 237.
    EIGRP FOR IPV6EXAMPLE interface Ethernet0/0 no ip address ipv6 address 4::1/64 ipv6 eigrp 100 interface Loopback0 no ip address ipv6 address CAFE:1::1/64 ipv6 eigrp 100 ipv6 router eigrp 100 eigrp router-id 1.1.1.2 no shutdown unix1b#sh ipv6 eigrp topology IPv6-EIGRP Topology Table for AS(100)/ID(1.1.1.2) Codes: P - Passive, A - Active, U - Update, Q - Query, R - Reply, r - reply Status, s - sia Status P 4::/64, 1 successors, FD is 281600 via Connected, Ethernet0/0 P CAFE:2::/64, 1 successors, FD is 128256 via Connected, Loopback0 P CAFE:1::/64, 1 successors, FD is 409600 via FE80::A8BB:CCFF:FE03:E900 (409600/128256), Ethernet0/0 unix1b#sh ipv6 eigrp interface IPv6-EIGRP interfaces for process 100 Xmit Queue Mean Pacing Time Multicast Pending Interface Peers Un/Reliable SRTT Un/Reliable Flow Timer Routes Et0/0 1 0/0 8 0/2 50 0 Lo0 0 0/0 0 0/1 0 0 unix1b#sh ipv6 eigrp neighbor IPv6-EIGRP neighbors for process 100 H Address Interface Hold Uptime SRTT RTO Q Seq (sec) (ms) Cnt Num 0 Link-local address: Et0/0 10 00:06:18 8 200 0 3 FE80::A8BB:CCFF:FE03:E900" (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 238.
    OSPFV3 FOR IPV6 § OSPF is recommended by the lETF for IPv4 et IPv6 § Link-State § Routing by propaganda § RFC 2740 § OSPFv3 is executed by link § OSPFv3 uses Multicast § FF02::5 OSPF Routers § FF02::6 OSPF designated routers § OSPF discovers its neighbors and becomes adjacent with some of them § Two routers are adjacents if they exchange their LSA directly
  • 239.
    OSPFV3 ARCHITECTURE §Area 0 is the Backbone (area) § A router in one area is an Internal router § A router internal in the area 0 is a backbone router
  • 240.
    OSPFV3 FEATURES §The ABR summarizes the routes between areas § The ASBR summarizes the routes between AS § Within an area OSPF has a Link State protocol behavior § Between two areas or two AS, it behaves as a Distance-Vector protocol
  • 241.
    LSA MODIFICATIONS §Inter-area LSA § Summary (type 3) replaced by Inter-area Prefix LSA (Type 3) § ASBR Summary remplaced by Inter-area Router LSA (Type 4) § Router and Network LSA only contains Identifiers (no more prefix) § 2 new LSAs: § Link LSA (Type 8) § Link local scope contains the Link-Local addresses § Intra-Area Prefix LSA (Type 9) § Carry the IPv6 prefixes
  • 242.
    NEIGHBOR OSPF –INIT (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 243.
    NEIGHBOR OSPF –2WAY (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 244.
    NEIGHBOR OSPF –EXSTART: ELECTION MASTER (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 245.
    NEIGHBOR OSPF –LOAD - SYNCHRONIZATION (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 246.
    NEIGHBOR INITIALIZATION §Many OSPF instances are supported on a link § OSPF looks for neighbors of the same instance § The neighbor states are: – DOWN – INIT § Interface receives a Hello – 2WAY § One can see itself in the other router Hello. At this stage a DR should be elected on a multi-access network – EXSTART § The two neighbors elect the Master to drive the DB exchange. – LOAD § The DB are initializing between two neighbors – FULL § The neighbors are fully initialized
  • 247.
    OSPF NETWORK TYPES § Point to Point Networks § Point to Point § Point to Multipoint § Both uses the multicast address FF02::5 § Point to multipoint nonbroadcast § Uses the unicast address of the neighbor § Multiple Access Networks § BROADCAST § Multicast addresses used are FF02::5 and FF02::6 § NBMA (Non Broadcast Multiple Access) § No broadcast and no multicast. Neighbor configuration must be done manually.
  • 248.
    MULTIPLE ACCESS NETWORK:DR AND BDR § Two neighbors which synchronize their Databases are adjacents § On a multi-access network, a DR and a BDR are elected § Each router has a priority which is sent in the hello. § Highest priority win! § Priority 0 = cannot be elected § Non pre-emptive election. The elected DR and BDR are not replaced if a neighbor with a better priority comes up. § Neighbors are only Adjacents with the DR and BDR § This change the adjacencies from: n*(n-1)/2 which is O(n^2) (n-1)*2 which is O(2n) § For 7 neighbors we will have 12 adjacencies instead of 24 § For 20 neighbors we will have 38 adjacencies instead of 190
  • 249.
    ISIS § ISISfor ISO 10589 § CLNP/CLNS § Integrated ISIS for IPv4 - RFC 1195 § Very similar to OSPF § Info is coded as TLV § ISIS for IPv6 uses Protocol 0X8E § 2 new TLV § IPv6_Reachability (0XEC) § IPv6_Interface_Address (0XE8)
  • 250.
    ISIS FOR IPV6CONFIGURATION router isis fred net 49.0001.0000.0000.0000.0200 passive-interface Loopback0 ! ! interface Ethernet0/0 no ip address ipv6 address FE80::3 link-local ipv6 address 2000::1/100 ipv6 router isis fred standby version 2 standby 1 ipv6 FE80::5 standby 1 preempt standby 1 track Ethernet1/0 end (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 251.
    Border Gateway Protocol(BGP) MP-BGP FOR MULTI PROTOCOL BGP FOR IPv6
  • 252.
    INTRODUCTION § References § RFC 1770, 1772,1773, 1774, 2545 § The Internet Routing Architecture by Bassam Halabi § Path Vector Protocol § BGP runs over TCP port 179 § Path Attribute § Mandatory: In all updates § Well-known: Must be implemented § Discretionary: Not implemented § Transitive: Not sent to neighbors if not implemented § Most important are AS_PATH and NEXT_HOP § Full BGP Tables are exchanged at startup § Only updates are sent after
  • 253.
    BGP ROUTING §eBGP and iBGP § Only eBGP changes the Next Hop § Peers are manually configured § Hold time negotiated § A routing protocol must run in each AS
  • 254.
    PATH ATTRIBUTES :WELL-KNOWN MANDATORY § Origin (Type code 1) § Well-known, Mandatory § 0: IGP § 1: EGP § 2: Incomplete § AS_PATH (Type code 2) § Well-known, Mandatory § 1: AS_SET § 2:AS_SEQUENCE § NEXT_HOP (Type Code 3) § Well-known, Mandatory
  • 255.
    OTHER ATTRIBUTES… §MULTI_EXIT_DISC (Type Code 4) § Optional, Non-Transitive § LOCAL_PREF (Type Code 5) § Well-known, Discretionary § ATOMIC-AGGREGATE (Type Code 6) § Well-known, Discretionary § AGGREGATOR (Type Code 7) § Optional, transitive § Community § Cluster § MP_REACH_NLRI
  • 256.
    § Synchronization §Next-Hop joinables § Weight (Cisco Proprietary) § Local Preference § AS_PATH le plus court § Multi Exit Discriminator § bgp always-compare-med § bgp bestpath med-confed § bgp deterministic med § eBGP avant iBGP § Multipath § eBGP Multipath § maximum-paths n § iBGP Multipath § maximum-paths ibgp n § eiBGP Multipath § maximum-paths eibgp n § Oldest Path BEST PATH ALGORITHM (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 257.
    EXAMPLE unix1a#sh bgpipv6 600:11:22:62::/64 BGP routing table entry for 600:11:22:62::/64, version 900 Paths: (2 available, best #2, table Default) Flag: 0x820 Not advertised to any peer 1 55570 47418 39654 24266 44837 18778 7481 30006 26443 58269 46052 30397 45086 7253 {2680,19823,56986} 2000:100::100 from 2000:100::100 (5.5.5.5) Origin EGP, metric 1311, localpref 100, valid, external 1 55570 47418 39654 {24266,44837,18778} 2000::100 from 2000::100 (1.1.1.1) Origin EGP, metric 1174, localpref 100, valid, external, best 0 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 258.
    BGP MESSAGE §Open § Open a BGP session § Update § Contains the routing information § Routes to add or to withdraw § Notification § Reset the connection after an error § Keepalive § Keep the connection open
  • 259.
    OPEN Ethernet Packet:127 bytes Dest Addr: AABB.CC03.F000, Source Addr: AABB.CC03.E900 Protocol: 0x86DD IPV6 Version: 0x6, Traffic_Class: 0xC0, (Prec=Internet Contrl) Flow_Label: 0x000000, Payload_Length: 73 Next_Header: 6, Hop_Limit: 1 Source: 2000::1 Dest: 2000::100 TCP Src Port: 179, Dest Port: 11044 Seq #: 0x90D41545, Ack #: 0x0223D0B8, Hdr_Len: 5 Flags: 0x18 ACK PSH, Window: 16347, Checksum: 0x624D (OK) Urgent Pointer: 0 BGP Marker: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF When IPv6 is used AFI: IPv6 SAFI: Unicast Length: 53, Type: 1 (Open) Version: 4, AS: 65000, Hold Time: 180, BGP ID: 10.1.1.1 Option length: 24 Type:2 Len:6 : Capability: (Code: 1 Len:4) MultiProtocol Ext. AFI: IPv6, SAFI: Unicast, Type:2 Len:2 : Capability: (Code:128 Len:0) Route Refresh (old) Type:2 Len:2 : Capability: (Code: 2 Len:0) Route Refresh Type:2 Len:6 : Capability: (Code: 65 Len:4) Unknown Capability: 4104 0000 FDE8 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 260.
    UPDATE (MP_REACH_NLRI) BGPMarker: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF Length: 178, Type: 2 (Update) Unfeasible Routes Length: 0 Total Path Attribute Length: 155 Attr Flags: 0x40, Type: 1 ORIGIN: 1 (EGP) Attr Flags: 0x40, Type: 2 AS_PATH: Path Type: 2 (AS_SEQ), Len: 6; 1, 42040, 60532, 26199, 13743, 42950, Path Type: 1 (AS_SET), Len: 2; 2238, 12373, Attr Flags: 0x80, Type: 4 MULTI_EXIT_DISC: 2454 Attr Flags: 0x40, Type: 5 LOCAL_PREF: 70553 Attr Flags: 0x80, Type: 14 MP_REACH_NLRI: Len: 111 AFI: IPv6, SAFI: Unicast, NEXT_HOP: 2000::100 NLRI: Len: 64 bits, 600:11:22:14:: NLRI: Len: 64 bits, 600:11:22:15:: NLRI: Len: 64 bits, 600:11:22:16:: NLRI: Len: 64 bits, 600:11:22:17:: NLRI: Len: 64 bits, 600:11:22:18:: NLRI: Len: 64 bits, 600:11:22:19:: NLRI: Len: 64 bits, 600:11:22:1A:: NLRI: Len: 64 bits, 600:11:22:1B:: NLRI: Len: 64 bits, 600:11:22:1C:: NLRI: Len: 64 bits, 600:11:22:1D:: MP_REACH_NLRI AFI: IPv6 SAFI: Unicast (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 261.
    NOTIFICATION Ethernet Packet:97 bytes Dest Addr: AABB.CC03.F000, Source Addr: AABB.CC03.E900 Protocol: 0x86DD IPV6 Version: 0x6, Traffic_Class: 0xC0, (Prec=Internet Contrl) Flow_Label: 0x000000, Payload_Length: 43 Next_Header: 6, Hop_Limit: 1 Source: 2000::1 Dest: 2000::100 TCP Src Port: 179, Dest Port: 11068 Seq #: 0xD7C221D4, Ack #: 0x3A33542E, Hdr_Len: 5 Flags: 0x18 ACK PSH, Window: 16347, Checksum: 0x74D9 (OK) Urgent Pointer: 0 BGP Marker: FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFF Length: 23, Type: 3 (Notification) Error Code: 2, OPEN Message Error Error SubCode: 2, Bad Peer AS Error Data: 0001 Reason for the BGP Session Reset: BAD Peer AS ! (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 262.
    EBGP VERSUS IBGP § iBGP sessions do not change the NEXT_HOP § iBGP sessions do not repeat a message received from iBGP § iBGP needs a full mesh § Cluster & Confederation § Cluster and Route Reflector allows an iBGP peer to repeat a message § Confederation creates sub-AS. iBGP session between Sub-AS behaves as eBGP
  • 263.
    DUAL STACK IPV4/IPV6 § It is possible to use the same BGP session to announce IPv4 and IPv6 routes or to use different sessions for each protocol. § The same IPv4 session can be used for both IPv4 and IPv6 routes. § For 6PE, the IPv6 routes are announced in IPv4 sessions. The next hop of IPv6 routes are IPv4. § If IPv4 is used to announce IPv6 routes, the next hop must be configured.
  • 264.
    EBGP PEERING CANUSE LINK-LOCAL OR GLOBAL § For eBGP peering, one can use the link-local instead of the Global address § The Outgoing interface must be configured § The Next Hop for advertised routes must be configured
  • 265.
    BGP TABLE INTERNET § http://bgp.potaroo.net/v6/as2.0/index.html § BGP data obtained from AS2.Report last updated at Wed Jun 15 17:45:02 2011 (Australian Eastern Time)
  • 266.
    RIPE LOOKING GLASS:HTTP://STAT.RIPE.NET/ 2A02:20::/32 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 267.
    CONCLUSION § BGPis not a Routing Protocol. The next-hop is not always the neighbor router § The next hop must be found with a routing protocol § BGP routes are recursive § BGP does not discover the neighbors; they are configured § iBGP peers do not repeat Updates § iBGP peers do not change the next-hop § eBGP peers must be directly connected § eBGP peering can be done with loopback for load-balancing § eBGP peering can use link-local or global addresses § BGP sessions can be used for IPv4 or IPv6 addresses
  • 268.
    CONCLUSION (CONT.) §Most popular routing protocols are available for IPv6 § RIPng is RIPv2 for IPv6 § OSPFv3 is OSPF for IPv6 with a few differences in the Link-State Database § MP-BGP carry the IPv6 routing updates in MP_REACH_NLRI and MP_UNREACH_NLRI
  • 269.
    (C) 2012 FREDBOVY EIRL. IPV6 FOR LIFE!
  • 270.
    TOPICS § MulticastIPv6 Addresses § PIM § PIM SM § PIM-SSM § PIM Bidir § Rendezvous Point (RP) § Static § Anycast RP § BSR § MLD § MLDv1 § MLDv2
  • 271.
    MULTICAST. RFC 4291 FF Flag Scope 0 Interface ID § R § Embedded Rendezvous § RFC 3956 § P § Multicast based unicast § RFC 3956 et RFC 3306 § T § 0 Permanent address § 1 for temporary 128 bits n Scope – 4 bits n 1=node n 2=link n 4=admin n 5=site n 8=Organization n E=Global n 6, 7, 9-D not assigned. F est reserved. n Only the link-local is filtered by the routers, others must be filtered by routers (Access-List)
  • 272.
    MULTICAST IPV4 ANDIPV6 IP Service IPv4 Solution IPv6 Solution Extended Address 32-bits, Class D 128 bits. 112 bits Groups Routing PIM, MBGP, DVMRP, MOSPF PIM and MBGP Forwarding PIM-DM, PIM-SM, PIM-SSM, PIM-Bidir PIM-SM, PIM-SSM, PIM-Bidir Groups Management IGMPv1, v2, v3 MLDv1, v2 Domain Control Boundary, Border Scope Interdomains Solutions MSDP Unic RP (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 273.
    PIMV6 BASICS §PIM uses the unicast routing protocol to implement the Reverse Path Forwarding § MP-BGP can be used to build divergent routing tables § PIMv6 between Routers, MLD between Hosts and Routers DR 1st Jump DR Last Jump DR Last Jump
  • 274.
    PIMV6 SPARSE MODEBASICS. RFC 4601 § The rendezvous point allows Source and Receivers (listeners) to meet. § The result is a tree shared by all sources (shared tree) toward a group of listeners. § Once the traffic starts to flow on the Shared Tree, it is possible to switch on the Shortest Path Tree (SPT). DR 1st Jump DR Last Jump DR Last Jump
  • 275.
    THE PIM DESIGNATEDROUTER § The 1st Hop Router, near the source is the PIMv6 Designated Router § Elected with PIMv6 Hello Protocol § Highest Priority § Highest IPv6 address § Forward traffic from the source to the RP (Register) DR 1st Jump DR Last Jump DR Last Jump
  • 276.
    THE MLD QUERIER § The Last Hop Router is the MLD Querier § Lowest IPv6 Address § Discover the local Listeners and start to build a path to the RP § A shared tree is then built from the RP to the listener DR 1st Jump DR Last Jump DR Last Jump
  • 277.
    MULTICAST ROUTING INITIALIZATION § Routers must be IPv6 Multicast Routing enabled § PIM and MLD are started on their interfaces § Rendezvous point address MUST be configured § Static, Embedded or § Dynamic with BSR DR 1st Jump DR Last Jump DR Last Jump
  • 278.
    PIMV6-SM: SHARED TREEINITIALIZATION § When a listener starts to listen to a given group, it sends Unsolicited Reports § A (*,G) entry is created in the Last Hop Router Multicast Routing Table (MRIB) MLD Multicast Listener Report (*,G) Hop-by-Hop Router Alert. Hop Limit=1 (*,G) (*,G) DR 1st Jump DR Last Jump DR Last Jump
  • 279.
    PIMV6-SM: PIM JOINTRAVEL TOWARD THE RP § Because it has a (*,G) entry in its MRIB, the Last Hop Router starts to send PIM Join (*,G) to its Rendezvous Point Upstream Neighbor. § The reception of a PIM Join (*,G) creates a (*,G) entry in the MRIB which triggers the sending of a PIM Join (*,G) to its Rendezvous Point Upstream Neighbor. § PIM Join reaches the RP. (*,G) (*,G) (*,G) (*,G) PIM Join (*,G) Dest: ff02::d Router Alert DR 1st Jump DR Last Jump DR Last Jump MLD Multicast Listener Report (*,G) Hop-by-Hop Router Alert. Hop Limit=1
  • 280.
    PIMV6-SM: SOURCE STARTSTO SEND TRAFFIC § The source can start to send traffic at any time § No Signaling required DR 1st Jump DR Last Jump DR Last Jump
  • 281.
    PIMV6-SM: SOURCE REGISTERSWITH THE RP § First Hop Multicast Router intercepts the Multicast flow § Multicast traffic is encapsulated in PIM Register unicast packets to the RP Register DR 1st Jump DR Last Jump DR Last Jump
  • 282.
    PIMV6-SM: REGISTER ATTHE RP § The RP removes the unicast encapsulation of the PIM Register § The RP duplicates (if multiple outgoing interfaces) and forwards the multicast toward all the Listeners DR 1st Jump DR Last Jump DR Last Jump
  • 283.
    PIMV6-SM: JOIN TOWARDTHE SOURCE § When the RP receives multicast in Register packets, it initializes a native multicast path by sending a PIM Join (S,G) toward the source § It travels hop by hop to until it reaches the first hop router PIM Join (S,G) DR 1st Jump DR Last Jump DR Last Jump
  • 284.
    PIMV6-SM: BUILDING THEMULTICAST SHARED TREE § When the First Hop DR receives the PIM join, it is able to forward the multicast natively to the RP § When the RP receives two copies of the same multicast packet, it discards the encapsulated copy DR 1st Jump DR Last Jump DR Last Jump
  • 285.
    PIMV6-SM: REGISTER-STOP §… and sends a PIMv6 Register-Stop to the First Hop DR. § The DR knows that it does not have to encapsulate the multicast traffic in unicast anymore Register-Stop DR 1st Jump DR Last Jump DR Last Jump
  • 286.
    PIMV6-SM: FLOWING DOWNTHE SHARED TREE § Traffic can now travel from the Source to all the listeners using the Shared Tree DR 1st Jump DR Last Jump DR Last Jump
  • 287.
    § Last HopRouter notices that it receives the traffic from an interface which does not point to the best path back to the Source (RPF). PIMV6-SM: PIM LAST-HOP SWITCHOVER TO THE SPT !!! DR 1st Jump DR Last Jump DR Last Jump
  • 288.
    PIMV6-SM: LAST-HOP SWITCHOVERTO THE SPT § Last Hop Router sends a PIMv6 Join (S,G) toward the Source § (S,G) states are created in the MRIB by the PIMv6 Join (S,G) travelling hop by hop to the Source DR 1st Jump PIM JOIN (S,G) DR Last Jump DR Last Jump
  • 289.
    PIMV6-SM: BUILDING THESHORTEST PATH TREE (SPT) § When the DR receives the PIM JOIN (S,G), it starts to forward packets down the Shortest Path Tree but also down the Shared Tree. DR 1st Jump DR Last Jump DR Last Jump
  • 290.
    PIMV6-SM: PRUNING THESHARED TREE § When the Last Hop router receives two copies of the same flow, it decides to prune the Shared Tree § It sends a (S,G,rpt-bit) Prune toward the RP (S,G,rpt-bit) Prune DR 1st Jump DR Last Jump DR Last Jump
  • 291.
    PIMV6-SM: SHORTEST PATHTREE ONLY (SPT) § When the Shortest Path Tree has been Pruned, traffic only flows on the Shortest Path Tree § If traffic on the Shortest Path goes down below a configurable threshold, it is possible to switch back to the Shared Tree. DR 1st Jump DR Last Jump DR Last Jump
  • 292.
    PIM-SM SUMMARY §Sources and Listeners meet at the Rendezvous point § It is possible to stay forever on the Shared Tree to minimize the states on the routers. § The Rendezvous point must be carefully chosen on the network § It is possible to use an Anycast Address for the RP with longest match prefix to choose a primary. § BSR is the only dynamic RP configuration method § Using MLDv2 and SSM, there is no more need for an RP
  • 293.
    INTRODUCTION TO MLD § ICMPv6 with IPv6 Hop-by-Hop Router Alert Option § Hop Limit is 1 § On each link a Querier is elected. § Lower IPv6 address is elected. § The Querier sends a Query on a regular basis to ask if there is any receiver present. Query FE80:: 1 FF02:: 1 I am the Querier 1 FE80::1 I am the Querier FE80::100 2 I won ! 3
  • 294.
    ROBUSTNESS § Thisis the basis for the computation of many parameters § MLD is robust to [Variable Robustness] – 1 packet loss § Default: 2. MLD has no problem losing one MLD packet Host A Host B State Change R FE80:: 1 FF02:: 1
  • 295.
    INTRODUCTION TO MLDV1 § All MLD packets are sent with Link-Local address as source. § Hop Limit is 1 § MLDv1 (RFC 2710) is IPv6 version of IGMP Version 2 (RFC 2236) § Multicast Listener Query § General Query. Sent to the all-nodes Link-Local multicast address to figure out which group has members. § Address-Specific Query is used to identify the members of a given group. It is sent to the address of the group which is being queried. § Multicast Listener Report § Response to a Query § Multicast Listener Done § Sent by a Listener that does not listen to this group anymore.
  • 296.
    PIM-SSM § WithPIM-SSM the Listener must provide the Source address. § Rendezvous points are no longer needed. § The source can be configured statically § The source can be learned from DNS with the Record G § PIM-SSM is supported with MLDv2 § RFC 3306: Unicast-Prefix-based IPv6 Multicast Flags: 00PT. P=1, T=1 plen = 0 network prefix = 0 FF3x::/96 x = any valid scope
  • 297.
    EMBEDDED RP –FLAGS FF75:0130:2001:db8:9abc::4321 Flags: 7 R: Rendezvous Point = 1 then P: Prefix =1 and T: Temporary Prefix = 1 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 298.
    EMBEDDED RP –PREFIX FF75:0130:2001:db8:9abc::4321 Prefix length = 30 Hex = 48 dec 2001:db8:9abc:: (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 299.
    EMBEDDED RP –ADDRESS OF THE RP 7 5 1 FF75:0130:2001:db8:9abc::4321 Rendezvous Point Address 2001:db8:9abc::1 § RFC3956 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 300.
    PIM BOOT STRAPROUTER § Many routers are Candidates BSR (C-BSR). § The C-BSR elect a BSR by sending C-BSR message with priorities. § The message travels hop by hop. § The C-BSR with the best priority becomes the BSR. § During the election it announces its presence on the network. § This is similar to the election of the root of the spanning-tree. § Some routers are configured as Candidates RP (C-RP). § C-RP unicast their presence of C-RP to the C-BSR. § The C-BSR sends its list of C-RP to all the PIM routers. § All the PIM routers receive the list of C-RP and execute the same hashing function to choose an RP for each group.
  • 301.
    (C) 2012 FREDBOVY EIRL. IPV6 FOR LIFE!
  • 302.
    1ST GENERATION: THEIPV6 PIONEERS § Tunnels for Experimental testing or Enterprises The Experimental 6BONE network was created from overlay IPv6 in IPv4 Tunnels over the IPv4 Internet. § Dual-Stack § Overlay IPv6 in IPv4 Tunnels • Manual 6in4 and automatic 6to4 • And more automatic tunnels • Again mostly introduced with Windows: TEREDO to bypass NAT devices and ISATAP to use IPv4 networks as a NBMA network for IPv6. § NAT and Private Addresses (RFC1918) • In parallel to make the most of the remaining IPv4 addresses, NAT44 and IPv4 private addresses (RFC1918) were introduced (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 303.
    2ND GENERATION: SPSTRANSITION 1ST PHASE, THE 2000S § SPs with MPLS/IPv4 Backbone: 6PE and 6VPE Most SPs were running IPv4/MPLS First Phase of the transition, deploy 6PE/6VPE § SPs with IPv4 Backbone: 6RD FREE a french SP deployed IPv6 in 5 Weeks from a 6to4 stack! § Carrier Grade NAT or Large Scale NAT (Testing) DS-Lite = IPv4 in IPv6 Tunnel + CGN § SPs who deployed IPv6 choose DS-Lite to support the existing IPv4 customers § They deploy it as soon as they migrated from 6PE/6VPE to Native IPv6 § Some of them planned to replace DS-Lite with A+P when it will be available Other protocols are designed, some of themare tested: CGN, NAT444, NAT464, dIVI, dIVI-pd § Network Address Translation Protocols (NAT) NAT-PT § First attempt to translate IPv6 to IPv4 protocols. Deprecated! NAT64/DNS64 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 304.
    3RD GENERATION: GOINGSTATELESS, THE 2010s § Stateful Carrier Grade NAT issues Because of the Stateful CGN known issues, a lot of work is being done to develop and test some Stateless protocols to share the remaining IPv4 addresses without stateful NAT, CGN. § A+P Architecture and Stateless NAT solutions Testing To share the remaining IPv4 addresses using the IPv4 Source Ports Without any Stateful NAT in the SP backbone. § Users or CPE have some IP addresses and Source Ports assigned § Not a new solution, FT ORANGE planned A+P in 2009 while they were choosing DS-Lite in the first place § First proposal for A+P at the IETF Taipei 2011 is based on Stateless NAT464 aka dIVI, dIVI-pd and 4RD (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 305.
    TRANSITIONTOOLS - DEPLOYMENT (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! Time IETF Taipei 82 – Nov 2011 2010 2007 2003 1996 Dual-Stack 6to4 6in4 NAT-PT 6VPE NAT64 NAT64 DS-Lite Testing dIVI-pd NAT444 DS-Lite 6RD A+P 6PE 6BONE 6PE 6RD 6VPE DS-Lite dIVI-pd NAT444 A+P Standardization IPv6 in IPv4 Tunnels IPv4 in IPv6 Tunnels NAT464
  • 306.
    NETWORK ADDRESS TRANSLATION n NAT44 and IPv4 private addresses in the 90s n IPv6 to IPv4 translations • NAT-PT † AT-PT is NAT64 + NAT46 + DNS ALG • NAT-PT was replaced by NAT64 and DNS64 n Carrier Grade NAT or Large Scale NAT • NAT444 or double NAT • DS-Lite = IPv4 in IPv6 Tunnels + NAT44 (LSN) (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 307.
    DUAL STACK ANDTUNNELING This was introduced at the very beginning of IPv6 in 1996 All clients are now configured by default as dual-stack nodes It is still the best approach for a smooth transition Tunnels are manually, statically configured It may be obvious but for dual-stack you still need IPv4 addresses! IPv4 IPv6 Host Tunneling Dual Stack Router Dual Stack Router IPv6 Host IPv6 Hosts IPv6 IPv4 IPv6 IPv4 IPv6 IPv4 IPv6 Packet IPv6 Hdr IPv4 Hdr (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 308.
    AUTOMATIC TUNNELS FORENTERPRISES: 6TO4 Tunnel destination IPv4 address is embedded in the IPv6 address ! 2002:C044:1::/48 prefix comes from 192.68.0.1 2002:C046:1::/48 prefix comes from 192.70.0.1 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 309.
    6TO4 RELAY nMicrosoft Public Relay: ü 6to4.ipv6.microsoft.com ü Anycast: 192.99.88.1 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 310.
    SPS MPLS ENABLED:6PE AND 6VPE In the very early 2000s, 6PE was introduced to help the SPs with an MPLS/IPv4 Background to provide an IPv6 Service No Backbone Routers Upgrade needed! (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 311.
    All IPv6 Addrpt4assesof a building Xlate to one IPv4 Addresses: 2001:DB8:678:1000::/48 -> IP 10.12.13.2/24 2001:DB8:678:1000::/48 -> IP 10.12.13.3/24 2001:DB8:678:1000::/48 -> IP 10.12.13.4/24 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE! DHCPv6 Client IPv6 Internet STATEFUL NAT64 101.12.13.1/24 2001:db8:678::1/64 (SLAAC) DHCPv6-PD Client Use LL for the p2p Link Address to SP IPv6 Private Network 2001:db8:658::/48 2001:db8:678:1::/56 8 bits for Subnets 2001:db8:678:3::/56 8 bits for Subnets 2001:db8:678:2::/56 8 bits for Subnets First Subnet 2001:db8:678::/64 2001:db8:678:30::/64 2001:db8:678:31::/64 ... 2001:db8:678:20::/64 2001:db8:678:21::/64 ... 2001:db8:678:10::/64 2001:db8:678:11::/64 ... 1 2 IPv4 Only Host 10.12.13.1/24 10.12.13.2/24 10.12.13.3/24
  • 312.
    6RD AUTOMATIC TUNNELFOR SPS Free, a french SP customized a 6to4 stack to allow a custom prefix instead of 2002::/16 Free deployed 6RD in 5 weeks in 2007 and immediately started an IPv6 service over the IPv4 backbone, user configurable 4RD is IPv4 in IPv6 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 313.
    DUAL STACK LITEOR DS-LITE Once the SP have migrated their backbone to IPv6, DS-Lite is used to support RFC1918 IPv4 Customers § IPv4 in IPv6 Tunnels + NAT44 (LSN at the SP) § LSN inside mapping uses Source IPv6 + Source IPv4 + Port § LSN allows to share the remaining IPv4 addresses efficienciently But LSN must keep a lot of states and is a Single Point of failure shared by Many Customers LSN (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 314.
    DS-LITE: HELP TRANSITIONTO IPV6 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 315.
    CONNECTING IPV6-ONLY WITHIPV4-ONLY: AFT64 Access Aggregation Edge Core IP/MPLS Residential IPv6 ONLY connectivity NAT64 DNS64 Public IPv4 Internet IPv4 Datacenter IPv4 ONLY New IPv6 clients must have access to IPv4 content § AFT64 technology is only applicable in case where there are IPv6 only end-points that need to talk to IPv4 only end-points (AFT64 for going from IPv6 to IPv4) § AFT64:= “stateful v6 to v4 translation” or “stateless translation”, ALG still required § Key components includes NAT64 and DNS64 § Assumption: Network infrastructure and services have fully transitioned to IPv6 and IPv4 has been phased out (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 316.
    PROTOCOL TRANSLATION: NAT64,DNS64 § Client requests the IPv6 Address § DNS64 translates the request to an IPv4 Address DNS64 Web Server IPv4 DNS h2.exemple.com ? h2.exemple.com ? A: 192.0.2.1 AAAA 64:ff9b::c0:201 NAT64 IPv6 IPv4 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 317.
    NAT64 AND DNS64 § The session is initialized by IPv6 client § Traffic route the 64:ff9b::/96 prefix to the NAT64 Router § NAT64 then convert headers in both directions DNS64 Web Server IPv4 DNS SYN 64:ff9b::c0:201 SYN+ACK h2.exemple.com ? h2.exemple.com ? A: 192.0.2.1 AAAA 64:ff9b::c0:201 NAT64 SYN 192.0.2.1 IPv6 IPv4 SYN+ACK (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 318.
    NAT444: A SECONDLEVEL OF NAT44 Solution to share the remaining IPv4 addresses among multiple customers (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 319.
    NAT444: LSN SCALABILITYISSUE n How many streams LSN will be able to manage ? n LSN is a Single Point of failure (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 320.
    NAT444: OVERLAPPING PRIVATEADDRESS ! (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 321.
    NAT444: 2 CUSTOMERSBEHIND SAME LSN (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 322.
    NAT444 NETWORK DESIGNISSUES § Overlapping Addresses If one of the customers network uses the same private network number than the NAT CPE to LSN link we have a sever duplicate network issue !!! § Two Customers behind the same LSN want to communicate Packets with a private source address may be dropped by customer policy (Firewall, ACL, host policy). So LSN must be used also for local traffic § Plus all the LSN Based solutions: – Scalability Behind each CPE NAT there can be many devices. Each device may generate many application streams. How mansy stream will be supported by LSN ? We have not enough experience to say ??? – Single Point of Failure The LSN device keeps many states. If it reboot, many users will have to restart their applications. (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 323.
    DS-LITE: CONNECT THEIPV4 USERS Another solution to share the remaining IPv4 addresses among multiple customers (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 324.
    STATEFUL NAT464 ORSTATELESS DIVI, DIVI-PD dIVI is the stateless version to share IPv4 addresses among multiple users using source ports Stateless means NO NAT or LSN! (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 325.
    ADDRESS+PORT (A+P) §Experimental RFC6346 § Use some bits of the source port to share an IPv4 address without Stateful NAT, CGN or LSN. § Can be implemented on hosts or CPEs which may have to do some translation for the non upgraded hosts § Requires signaling to request which ports are granted § IPv4 Packets must be encapsulated/decapsulated to get sent into tunnels using the ports which are allocated for the host or the CPE § The first proposal at the IETF in 2011 relies on Stateless NAT464 aka dIVI, dIVI-pd and 4RD and does not require signaling § France Telecom-Orange has a software implementation: http://opensourceaplusp.weebly.com/ (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 326.
    DIVI, DIVI-PD ORSTATELESS NAT464 A+P proposal at the IETF actually relies on dIVI-pd and 4RD. § dIVI-pd is Stateless NAT464 and permit to translate IPv6 addresses to IPv4 Address+Source Port It is then possible to share an IPv4 address among many users or CPEs. Without requiring any Stateful NAT with all the known problems associated A very interesting test in large SP domains : " For port configuration, since there are 65536 TCP/UDP ports for each IP address, and in fact one can use hundreds only for normal applications, so one IPv4 address can be shared by multiple customers. In our experiment, we selected ratio to be 128. That is to say, one IPv4 address is shared by 128 users, and there are 512 available ports per user." http://tools.ietf.org/html/draft-sunq-v6ops-ivi-sp-02#page-7 (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 327.
    CONCLUSION § DualStack is the preferred transition method § For enterprise many tunneling encapsulations are available § Transition techniques have serious Security implication § Tunnels if not secured with IPSec are very unsafe § Manual Tunnels are more secure, but can also be used to inject any kind of traffic § For Service Providers, 6PE and 6VPE over MPLS/IPv4 or 6RD over IPv4 § To support IPv4 Only Application, NAT64/DNS64 is a possible approach § To support IPv4 RFC1918 only clients over a new IPv6 infrastructure, DS-Lite will be the preferred approach
  • 328.
    IPv6 on MPLS/IPv4 INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
  • 329.
    WHY MPLS? §At the beginning MPLS was designed to replace a complex IP header with a simple one using a small label for a more efficient forwarding § MPLS introduced a connected mode § IP routers became very powerful and the performance was no longer the driver for MPLS adoption. So why MPLS? § MPLS enables the network for more services § MPLS-VPN § Traffic Engineering § IPv6: 6PE, 6VPE
  • 330.
    MPLS-VPN ARCHITECTURE PE:Provider Edge CE: Customer Edge P: Provider PE MP-iBGP Nuage MPLS OSPF ou ISIS LDP ou RSVP P CE CE CE CE VRF Red PE PE PE P P P PE VRF Green VRF Green VRF Red (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 331.
    MPLS-VPN 2 LEVELSOF ROUTING § In the Core § OSPF or ISIS builds the IP routing table § LDP or RSVP distributes the labels in the core § At the edge: VRF § BGP builds the VRF routing table § BGP distributes the labels with the VRF routes § MP-BGP IP Routes are recursively resolved thanks to OSPF or ISIS
  • 332.
    MPLS VPN: ROUTESAND LABELS EXCHANGES PE 192.168.1.0 label 34 CE CE Nuage MPLS P PE l0:193.13.13.1 P MP-iBGP 192.168.1.0 192.168.1.0 IP IP 34 15 193.13.13.1 POP 193.13.13.1 25 193.13.13.1 15 IP 34 25 IP 34 IP BGP label Exchange LDP label Exchange CE to CE packet travel
  • 333.
    WHAT IS 6PE(RFC 4798)? § Provides IPv6 global connectivity over an IPv4-MPLS core § Transitioning mechanism for providing unicast IPv6 access over IPv4-signaled MPLS § Coexistence mechanism for combining IPv4 and IPv6 services over an MPLS backbone § As with other IPv6 “tunnel” technologies, it enables services such as the following: § “IPv6 Internet Access” § Peer-to-peer connectivity § Access to IPv6 services supplied by the SP itself
  • 334.
    6PE ARCHITECTURE (C)2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 335.
  • 336.
    6PE: THE TECHNOLOGY § It is an implicit method to tie-up a v4-signalled label switch path with IPv6 routes announced via MP-BGP § It can apply RFC 2547bis architecture to IPv6: § IPv4/MPLS core infrastructure remains IPv6-unaware § PEs are updated to support dual stack/6PE § IPv6 reachability exchanged among 6PEs via MP-iBGP § IPv6 packets transported from 6PE to 6PE inside IPv4 LSPs
  • 337.
  • 338.
  • 339.
  • 340.
  • 341.
    WHAT IS 6VPE(RFC 4659)? § For VPN customers, IPv6 VPN service is exactly the same as IPv4 VPN service § Current 6PE is like VPN but is NOT VPN (that is, global reachability) § Coexistence mechanism for combining IPv4 and IPv6 VPN services over an MPLS backbone § It enables services such as: § IPv6 VPN Access § Carriers supporting carriers § Access to IPv6 services supplied by the SP itself § Internet Access § Hub and Spoke § InterAS Scenario A, B and C
  • 342.
    6VPE ARCHITECTURE (C)2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 343.
    VPNv4 6VPE RD2 bytes:6 bytes TYPE:VALUE 2 bytes:6 bytes TYPE:VALUE RT (extended community) 2 bytes:6 bytes TYPE:VALUE 2 bytes:6 bytes TYPE:VALUE VPN address 8 bytes:4 bytes RD:IPv4-address [8 bytes]16 bytes [RD]IPv6-address MP_REACH-NLRI AFI=1 SAFI=128 AFI=2 SAFI=128 NLRI <length, IPv4-prefix,label> <length, IPv4-prefix,label> VRF (Virtual Routing & 1 VRF = 1 RIB + 1 FIB MP-VRF forwarding instance) Nexthop 0:IPv4-address [0]::FFFF:IPv4-address [0]:IPv6-address [0]:IPv6-LL-address Peering IPv4-address IPv4-address, IPv6-address IPv6-LL--address 6VPE: THE TECHNOLOGY
  • 344.
    ROUTING PROTOCOLS LEVERAGEDWITH 6VPE • IPv4-signalled LSP • iBGP VPNv6 AF peering between 6VPE (PE1, PE2) • eBGP IPv6+vrf AF peering with CE • Only eBGP and static route within VRF between CE-PE
  • 345.
    ROUTING TABLES •At the 6VPE - A set of private IPv6 routing tables (red, blue) - A default routing table (IPv4 or IPv6) - A BGP table (AF VPNv6)
  • 346.
    ROUTING TABLES: EXAMPLES PE1#show ipv6 route vrf blue IPv6 Routing Table -blue -7 entries C 2001:100::/64 [0/0] via Ethernet4/0, directly connected B 2001:300::/64 [200/0] via 200.10.10.1%Default-IP-Routing-Table, indirectly connected PE1#show ipv6 route vrf red IPv6 Routing Table - red - 10 entries C 2001:200::/64 [0/0] via Ethernet0/0, directly connected B 2001:400::/64 [200/0] via 200.10.10.1%Default-IP-Routing-Table, indirectly connected PE1#show ip route 200.10.10.0/32 is subnetted, 1 subnets i L1 200.10.10.1 [115/30] via 40.1.1.3, Ethernet1/0 31.0.0.0/24 is subnetted, 1 subnets i L1 31.1.1.0 [115/30] via 40.1.1.3, Ethernet1/0 200.11.11.0/32 is subnetted, 1 subnets C 200.11.11.1 is directly connected, Loopback0
  • 347.
    BGP VPNV6 TABLEEXAMPLE PE1#show bgp vpnv6 unicast all Network Next Hop Metric Route Distinguisher: 100:1 (default for vrf blue) * 2001:100::/64 2001:100::72a 0 *> :: 0 *> i2001:300::/64 ::FFFF:200.10.10.1 0 Route Distinguisher: 200:1 (default for vrf red) *> 2001:200::/64 :: 0 *> 2001:400::/64 ::FFFF:200.10.10.1 0
  • 348.
  • 349.
    6VPE ADVANCED SERVICES § InterAS Scenario A, B or C (Also applies for 6PE) § Internet access Model 1 and 3 § Hub and spoke § Carrier’s carrier
  • 350.
    VPN CLIENT CONNECTIVITY VPN sites attached to different MPLS VPN service providers RD:1:27:2001:db8:1::/48, RT=1:231, Label=(28) BGP, OSPF, RIPv2 2001:db8:1::/48,NH=CE-1" VPN-A-1 VPN-A-2 VPN-v4 update: PE-1 PE2 CE2 Edge Router1 Edge Router2 NH=PE-1 CE-1 AS #100 AS #200 149.27.2.0/24" VPN-A VRF Import routes with route-target 1:231" How to distribute routes between SPs?
  • 351.
    VPNV6 DISTRIBUTION OPTIONSIN INTER-AS Several options available for distribution of VPNv6 prefix information PE-1 VPN-A-1 PE-2 VPN-A-2 CE-2 PE-ASBR-1 PE-ASBR-2 Back-to-back VRFs MP-eBGP for VPNv4 AS #100 AS #200 Multihop MP-eBGP between RRs CE-1 Multihop MP-eBGP Non-VPN Transit Provider
  • 352.
    SCENARIO A: PARTNERSHIPBETWEEN TWO SPS § Recommended for fewer VRFs requiring simpler connectivity when ASBRs are directly connected over a physical interface § ASBRs are directly connected over a physical interface § Sub-interface per VRF is created and mapped § Packet is forwarded as an IP packet between the ASBRs § Each PE-ASBR router treats the other as a CE § PE-ASBR to PE-ASBR link may use any supported PE-CE routing protocol § Scalability issues if need to support large numbers of VRFs § Most used when two ISPs want to interconnect a few customers as it allows maximum control § Maximum Isolation between the 2 AS
  • 353.
    SCENARIO A. BACK-TO-BACKVRF CONNECTIVITY VRF to VRF connectivity between PE-ASBRs PE-1 PE-ASBR-1 PE-ASBR-2 AS #100 AS #200 CE-1 CE-2 CE-3 VPN-A-1 PE-2 CE-4 VPN-A-2 VPN-B-1 VPN-B-2 One logical interface and VRF per VPN client
  • 354.
    SCENARIO B. MP-EBGPFOR VPNV6 MP-BGP VPNv6 prefix exchange between gateway PE-ASBRs PE-1 MP-eBGP for VPNv6 Labels exchange between Gateway PE-ASBR routers using MP-eBGP CE-1 CE-2 CE-3 VPN-A-1 PE-2 CE-4 VPN-A-2 VPN-B-1 VPN-B-2 PE-ASBR-1 PE-ASBR-2 AS #100 AS #200
  • 355.
    SCENARIO C: SAMEISP MERGING AS § This is the favorite method when an ISP want to merge multiple Autonomous System under its control. § No need to install the 2 additional ASBRs of Scenario B. § In this solution, the ASBRs are only needed to leak the 6VPE loopback /32 routes with associated labels. This can be done with eBGP IPv4 + Label (RFC3107) or running the IGP and LDP between the ASBR. § In this solution only the destination next hop on the ingress 6VPE is not the local ASBR but the egress 6VPE loopback /32 address. § Maximum fusion of the 2 ASs
  • 356.
    SCENARIO C. MULTIHOPMP-EBGP FOR VPNV6 BETWEEN RRS Multihop MP-eBGP VPNv6 prefix exchange between Route Reflectors PE-1 Multihop MP-eBGP for VPNv6 with no next-hop- self CE-1 CE-2 CE-3 VPN-A-1 PE-2 CE-4 VPN-A-2 VPN-B-1 VPN-B-2 ASBR-1 RR-2 AS #100 AS #200 ASBRs exchange BGP next-hop addresses with labels" ASBR-2 RR-1 eBGP IPv4 + Labels
  • 357.
    HUB AND SPOKETOPOLOGY § The Hub and Spoke is used when the traffic has to take a given path for an application, like a firewall. CE1 CE2 PE2 PE3 PE1 Hub-CE Spoke-CE
  • 358.
    INTERNET ACCESS: WHAT’STHE PROBLEM ? § The Internet routing table cannot be imported into each VRF. § The full Internet routing table must be kept in the global routing table. § Two Methods for 6VPE Access to the Internet: – Use one interface in the global table for Internet access and one interface in the VRF for the VPN access. This method does not require any specific features. OR – Only one interface for VRF and Internet access. The static routes may have destinations and next hop in different access spaces. These routes are redistributed in BGP.
  • 359.
    CARRIER’SCARRIER: WHAT’S THEPROBLEM ? § We need to interconnect ISPs, which manage the full Internet routing tables. § The full routing tables cannot be imported in each VRF. § The customer advertises their Internet routing table between POPs via iBGP session throughout the 6VPE service, but they are never imported in the VRF. § The 6VPE VRF only has routes and labels for the Internet routes Next Hop. § The Carriers backbone receives a labeled packet for the BGP Next Hop destination Similar to MPLS-VPN where the P router don’t know the VPN routes. All they know it the Egress PE loopback address. With CsC, the Carrier don’t know the Internet routes BUT the Next-Hop of these routes!
  • 360.
  • 361.
    CONCLUSIONS § 6PEand 6VPE are proven solutions and they do not have the performance and security concerns related to tunneling § All the Advanced Services supported with IPv4 and MPLS-VPN are supported with 6PE and 6VPE § Many operators provide IPv6 service to their customers with 6PE/6VPE § 6PE and 6VPE do not require any update of the MPLS/IPv4 backbone § For Operators who have not deployed MPLS, 6RD can be a good alternative
  • 362.
    (C) 2012 FREDBOVY EIRL. IPV6 FOR LIFE!
  • 363.
    QOS FOR IPV6 § 8 bits, Traffic Class § 20 bits, Flow Label Ver Traffic Class Flow Label Payload Length Next Header=Hop-By-Hop Hop Limit Source IPv6 Address Destination IPv6 Address Next Header=Routing Hdr Next Header=TCP Hop-By-Hop Routing Header TCP Header
  • 364.
    TRAFFIC CLASS –8 BITS § Same use as the ToS + Precedence bit in IPv4 § Mutable Field, it can be remarked by intermediate router § It carries the DSCP bits to identify either: § Expedited Forwarding Class § typically used by VoIP § Assured Forwarding Class § AF1x to AF4x § where x is the drop probability of the packet
  • 365.
    FLOW LABEL –20 BITS § The Flow Label helps to identify a flow with a Source and Destination IPv6 address § Unmutable Field not changed by any intermediate router § Flow Label = 0 is the default Flow § Field not covered by encryption if IPSec is used § Field not fragmented if fragmentation occurred § There is no common agreement about its utilization § In addition, this field could be used by an attacker as it identifies a Flow and is not protected by IPSec § In practice the Flow Label is available for Application but not used
  • 366.
    INTSERV § Defined3 Class of Service § Guaranteed Services § Bandwidth Guarantee, delay and no loss of traffic § Controlled Load § Multiple levels of best effort § Best Effort § RFC 1633 § RSVP is used as a Signalling Protocol RFC2205 § Flow level granularity § End-to-End QoS
  • 367.
    RESOURCE RESERVATION PROTOCOL(RSVP) § RFC 2205 RSVP Version 1 § RSVP is used to reserve Bandwidth in the Router’s Priority Queue § RSVP Service Types: § Controlled Load RFC 2211 § DiffServ similar to AF § Guaranteed Load RFC 2212 § DiffServ similar to EF
  • 368.
    DIFFSERV § Granularityis the flow aggregate § Expedited Forwarding § RFC 2598 § DSCP 101110 § Real Time class for Voice and Video § RSVP can help to reserve Bandwidth § Match IntServ Guaranteed Services § Assured Forwarding § Classes AF1x to AF4x § CS1 to CS4 for compatibility with Precedence § Match IntServ Controlled Load
  • 369.
    DIFF SERV CLASSSELECTOR PHB DSCP DSCP bin Intended Protocol Configuration IP Routing Class Selector 6 110000 BGP, OSPF, and so on Queuing=rate based. Small guaranteed min rate, WRED Streaming Video Class Selector 4 100000 Often Proprietary Admission control=RSVP, Queuing=rate based. Small guaranteed min rate, WRED Telephony Signaling Class Selector 3 011000 SIP, H323, etc…. Queuing=rate based. Small guaranteed min rate, WRED Network Management Class Selector 2 010000 SNMP Queuing=rate based. Small guaranteed min rate, WRED Scavenger Class Selector 1 0010000 User Selected Service Queuing=rate based. NO guaranteed min rate, WRED (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 370.
    Diff-Serv and MPLS INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
  • 371.
    MPLS AND QOS 3 bits for 8 levels of priority in MPLS § Experimental bits 3 MPLS Transit modes § Uniform mode § Short Pipe mode § Pipe mode
  • 372.
    MPLS EXP BITS § Label/Tag: 20 bits § MPLS Experimental bits: 3 bits § Bottom of Stack: S § Time To Live: 8 Bits Label/Tag 32 bits COS TTL 3 2 1 0 EXP S
  • 373.
    UNIFORM MODE APPLICATION § The service is managed end-to-end by the same organization MPLS/VPN MPLS/VPN Fusion MPLS EXP-IP DSCP EXP->DSCP DSCP->EXP dscp
  • 374.
    UNIFORM MODE §MPLS and IPv6 have the same QoS Strategy § DSCP is copied in EXP at the Ingress § EXP is copied in DSCP at the Egress
  • 375.
    PIPE MODE §MPLS and IPv6 networks have a different QoS strategy § EXP and DSCP are completely independent of each other § MPLS EXP is used to schedule the packet at the Egress
  • 376.
    SHORT PIPE MODE § MPLS and IPv6 have a different strategy but…. § At the egress, DSCP is used to schedule the packet
  • 377.
    CONCLUSION § QoSin IPv6 is similar to QoS in IPv4 with the addition of the Flow Label field § QoS also apply to MPLS networks and 3 models provide 3 different strategies when IPv6 packets must cross a MPLS/IPv4 network
  • 378.
    (C) 2012 FREDBOVY EIRL. IPV6 FOR LIFE!
  • 379.
    Security Management inIPv6 INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
  • 380.
    IPSEC § IPSecis mandatory with IPv6 Stacks § Headers Authentication § Data Confidentiality § Data Integrity http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6- ipsec.html
  • 381.
    IPSEC: AH ANDESP § Architecture. RFC 2401 § Authenticated Header § Integrity, Authentication and anti-replay § Each packet has a unique signature § Protocol 50 § Encapsulating Security Payload § Has all the AH features… § So why still use AH ? § ESP adds encryption of the payload for confidentiality § Protocol 51
  • 382.
    IPSEC: TRANSPORT MODE § Used for Host-to-Host communication § Only the payload is encrypted and/or authenticated § Addresses cannot be changed without corrupting the header hash unless we use NAT Transversal (NAT-T) § RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements § RFC 3947: Negotiation of NAT-Traversal in IKE § RFC 3948: UDP Encapsulation of IPsec ESP Packets
  • 383.
    MODE IPSEC: TUNNELMODE § Used for Router-to-Router communication § The whole datagram is authenticated and/or encrypted § The original packet is then encapsulated in a new packet § This mode supports NAT in a very limited mode § See rfc3715: 4.1 IPSec Tunnel Mode
  • 384.
    IPSEC ENCAPSULATIONS (C)2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 385.
    IKE RFC 2409 § If someone can capture enough IPsec traffic, the IPSec key can be guessed § To avoid this, the key can be changed automatically and securely on a regular basis § Each time, IKE creates a new Security Association § Hybrid protocol based on ISAKMP, Oakley and KEME
  • 386.
    SECURITY ASSOCIATION (SA) § Contains all the states needed to protect communication with a peer. § SA is unidirectional. § An SA is needed at each end of the IPSec connection. § If manually configured it has no Time to Live § If it is created dynamically with IKE, then it has a Time To Live. § SA is saved in a SADB § SA is identified by: § The source thanks to a Selector § The destination thanks to the Security Parameter Index (SPI) on 32 bits
  • 387.
    SECURITY ASSOCIATION (SA)PARAMETERS § Sequence Number (32 bits) § outbound processing § Incremented for each secured packet § No more than 4G packet generated with the same key § Sequence Number Overflow § Outbound processing § Used if Sequence Number get over the maximum § The policy detemines the action in this case § Antireplay Window § Lifetime § Mode (Tunnel or Transport)
  • 388.
    SECURITY ASSOCIATION (SA)PARAMETERS (CONT.) § Tunnel destination § For the tunnel mode § Parameters PMTU § Security Policy § All policies are stored in the SP Database § Determine the action for the protection § Selectors § Source and Destination Address § Name § Protocol § Upper Layer Ports
  • 389.
    ESP HEADER ANDTRAILER 32 bits Security Parameter Index (SPI) Sequence Number IV Protected Data Pad length Next Pad Header Authentication data (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 390.
    AH HEADER 32bits Next Header Payload Reserved Length Security Parameter Index (SPI) Sequence Number Authentication data (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 391.
    ISAKMP § IKEis a hybrid protocol based on ISAKMP, Oakley and KEME § ISAKMP communicates on port UDP 500 § Defines how 2 peers communicate § Defines the states transitions between 2 peers § Initialization in two phases of the ISAKMP SA § ISAKMP SA analogous to IPSec SA § Cookies Exchange § Policy Negotiation
  • 392.
    IKE EXCHANGE :CREATE AN IKE SA § Two exchange modes § main mode § aggressive mode § Establish a channel secure and authenticated § Key exchanged § Find an agreement in Security Parameters § Parameters § encryption algorithm § hash algorithm § authentication method § Diffie-Hellman group
  • 393.
    P2P IPSec Tunnels IPSEC+TUNNEL = VPN (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 394.
    DMVPN § EncryptedGRE Points to Multipoint Tunnels § NHRP for Spoke-to-Spoke direct communication § A hub is configured with many Spokes § Tunnels are encrypted for confidentiality § Spoke-to-Spoke tunnels are created on-demand
  • 395.
    DMVPN: EXAMPLE Onlyone Tunnel Interface is configured on the Hub and on the Spokes
  • 396.
    THREATS ON IPV6 § Threats on IPv6 Header § Threats on ICMPv6 and NDP § RFC6104: Rogue RA § NDP Exhaustion http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf § Threats on Transition § Dual-Stack § Tunnels § Translation § Attacks on Router § Securing the BGP Internet Access
  • 397.
    IPV6 HEADER THREATS § Extension Header § Router Alert Option – http://www.iana.org/assignments/ipv6-routeralert-values/ipv6-routeralert-values.xml § Source Routing Type 0. † – http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf – http://www.ietf.org/rfc/rfc5095.txt – Blocked by Firewall § Fragmentation – Security Considerations for IP Fragment Filtering (rfc1858) – Protection Against a Variant of the Tiny Fragment Attack (rfc3128) § Option not recognized – Should be dropped but ignored in reality § On a Cisco Router, this should be blocked by ACL
  • 398.
    THREATS ON NDP A good presentation from the hacker choice web § http://www.thc.org/ipv6 IPv6 Neighbor Discovery (ND) Trust Models and Threats § http://www.ietf.org/rfc3756.txt Example of such attacks: § DAD attack § Network scan and NDP Exhaustion http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf § Kill the default router § Rogue Router. See RFC6104 § Redirect attack § Reduce the MTU
  • 399.
    DAD ATTACK §A node wants to join the network and performs DAD § It sends an NS for the tested address § An Attacker sends NA for the tested address § Address is considered a DUP, A can’t access the network NA
  • 400.
    KILL THE DEFAULTROUTER § Traffic flows thru the router § The forged RA announces the existing Router address with a zero Lifetime § A does not have a default router § Without a default router, A assumes destination is on-link! § Hacker then pretends to be the next-hop
  • 401.
    ROGUE ROUTER §Traffic flows thru the router § The forged RA announces the existing Router address with a zero Lifetime § Another RA can give hacker an Address with Lifetime > 0 § RFC6104
  • 402.
    REDIRECT, MAN-IN-THE-MIDDLE ATTACK § Initial traffic travels from A to B through Router § Hacker sends a Redirect to A § A believes hacker is a better next hop to B § Disable Redirect on Hosts
  • 403.
    ICMPV6 PACKET TOOBIG ATTACK § A sends traffic with MTU = 1500 § Hacker sends a Packet Too BIG MTU = 1280 § A sends traffic to B with MTU = 1280
  • 404.
    NETWORK SCAN §An attacker sends packets to all Network addresses on a subnet § Each time the router starts a MAC Address resolution, it keeps the packet in a buffer § This consumes the router memory and CPU
  • 405.
    SECURED NEIGHBOR DISCOVERY:SEND § Secure the IPv6 Network Discovery Protocol § Anti-Replay with Timestamp § Network clocks must be synchronized § No one can steel someone’s address § Protection with CGA § No Spoofing § Impossible to announce a rogue router § Routers are protected with Certificates § Linux and CISCO implementation
  • 406.
    SECURE THE EBGPSESSION § Use MD5 IPSec Authentication, safer as IKE changes the key on a regular basis § Use Link-Local Address for Peering § Only Accept the Updates you are supposed to § Filter the illegal Prefixes in Updates § Limit the number of prefixes received § Filter too-long AS-Path eBGP IPSec or MD5 Authentication on the eBGP
  • 407.
    INTERNET: THE PREFIXESWHICH MUST BE BLOCKED § http://tools.ietf.org/html/rfc5156 § http://tools.ietf.org/html/rfc4773 Routes to blocks Prefixes Default Routes ::/0 Unspecified Address ::/128 Loopback Addresses ::1/128 IPv4-compatible ::/96 IPv4-mapped ::ffff:0.0.0.0/96 Link-locale fe80::/10 or longer Site-local (obsolete) fec0::/10 or longer Unique-local fc00::/7 or longer Multicast but Global Scope ff00::/8 or longer Documentation 2001:db8::/32 or longer 6bone (obsolete) 3ffe::/16
  • 408.
    INTERNET: PREFIXES WHICHMUST BE PERMITTED § Instead of blocking special addresses, one can allow the allocated addresses § http://www.team-cymru.org/ReadingRoom/Templates/IPv6Routers/ios.html § http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt § Pretty long list ! § This list can be used to configure a filter on a router § Example of configuration filter: … ipv6 prefix-list ipv6-global-route permit 2C00:0000::/12 ge 12 le 64 ! router bgp 64500 neighbor 2001:db8:1::2 route-map ACCEPT-ROUTES in ! route-map ACCEPT-ROUTES permit 10 match ip address prefix-list ipv6-global-route
  • 409.
    FOR HOSTS: PRIVACYEXTENSION § When the interface ID is derived from the MAC address (EUI-64), the same station will always keep Interface ID § As NAT is no longer used, it becomes possible to identify a target and spy on its traffic § RFC4941 “Privacy Extensions for Stateless Address Autoconfiguration in IPv6” generates a random and temporary interface ID § For Windows: netsh interface ipv6 set global randomizeidentifiers=enabled § For MAC OS and othe Kame derived OS: power-mac-g5-de-fred-bovy-6:~ root# sysctl -w net.inet6.ip6.use_tempaddr=1 § net.inet6.ip6.use_tempaddr: 0 -> 1
  • 410.
    HIDE HOSTS WHENPOSSIBLE § Use Unique Local Addresses for Internal Addressing § Only provision Global Unique Addresses for Hosts which have access to the Internet or use ALG and Proxies to access Web Servers on the internet FD00:1:2:3::/64 FD00:1:2:5::/64 FD00:1:2:10::/64 Applica8on Layer Gateway 2001:1:2::1 FD00:1:2:10::109
  • 411.
    USE MIPV6 TOHIDE THE LOCATION OF USERS § The mobile node roams from subnet to subnet but its source address never changes for the applications or for the correspondent node!
  • 412.
    USE AUTHENTICATION FORROUTING PROTOCOLS § Use MD5 or IPSec when available to Authenticate Routing Updates § IPSec is safer as Key is changed by IKE automatically § Protect against Rogue Router § Also apply to First Hop Routing Protocol MD5 or IPSec MD5 or IPSec
  • 413.
    ATTACKS ON ROUTERS § Use MD5 authentication when available § Not available with RIPng § Available for EIGRP, ISIS, BGP § OSPFv3 can be secured with IPSec § MD5 Authentication also applies for First Hop Routing Protocol § HSRP, GLBP § Prefer SSH to TELNET § Prefer SNMPv3 to SNMPv2 § Disable all the unused services § If a router interface is used only for management, routing can be disabled § Router(config-if)# ipv6 mode host unicast
  • 414.
    DOS ATTACKS ONDHCPV6 § Starvation: A client can request IPv6 addresses until pool depletion § DoS: A Client can ask for a huge number of addresses. The server must keep track and manage the allocated addresses which will overwhelm its CPU. § Attack Mitigation: DHCPv6 snooping is not yet available. This attack can be mitigated by rate-limiting the requests.
  • 415.
    DOS ATTACKS ONDHCPV6 (CONT.) § Disinformation: A rogue server can provide bad information to requests: Bad addresses, bad DNS Server addresses, bad domain names. § This can be more harmful than IPv4 because with IPv6 the server can use the Site-local multicast address ff05::1::3 and sit on any subnet of the whole site. § With IPv4, CISCO implements DHCPv6 Snooping. Only trusted ports can provide DHCP reply. This is not yet available for IPv6. § Scanning: If the DHCPv6 Server allocates IPv6 Addresses sequentially, this makes node discovery easy. § Some DHCPv6 Server allocate addresses randomly instead of sequentially.
  • 416.
    THREATS ON TRANSITION § Dual-Stack – IPv4 scanning can be used to discover the node – IPv4 and IPv6 must be at the same security level § Tunnel – Tunnels are an easy target for many possible attacks – Packet Injection – Automatic Tunnels are the most dangerous – Automatic Servers can be the target of DoS attacks § Translation – NAT can be the target of DoS attacks – DoS Attacks by address pool depletion – DoS Attack by creating a lot of states or requests which consumes CPU
  • 417.
    NODE AND NETWORKDISCOVERY § Discovering nodes or even Active Network with IPv6 is more complex § Finding an active network is not trivial § A scan over an IPv6 subnet would take ages – http://www.ietf.org/rfc/rfc5157.txt – 2^64 addresses to test! – 18.446.744.073.709.551.616 IPs per subnet – 500 millions years § If dual stack nodes are configured, one could use IPv4 to scan and IPv6 to attack! § A network scan can be used as a DoS Attack – In IPv6, a node must keep the packet which triggers a MAC Address resolution in a buffer – If one scans a full network with a big packet, this can consume a lot of buffers!
  • 418.
    DUAL STACK ISSUES § Dual Stack Nodes may be very well IPv4 protected and poorly IPv6 protected § Dual Stack Nodes can be discovered thanks to an IPv4 scan ! § And then attacked using IPv6 tools !
  • 419.
    INABILITY TO INSPECTTUNNELED PACKET IPv4 Firewall cannot inspect the IPv6 packet encapsulated in IPv4. IPv4 Header IPv6 Header IPv6 Payload
  • 420.
    ATTACKS ON TUNNELS Traffic tunneled cannot be inspected § Access-List and packet inspection cannot inspect the IPv6 packet which is encapsulated in IPv4 packets § Solution is to implement multiple Firewalls which inspect packets before they get encapsulated § Other solution is when the Tunnel end point is on a Firewall, traffic can be inspected Easy to inject packets coming from a known Tunnel § If an attacker has the knowledge of manual tunnel configuration, it can send packet « originated » from a known tunnel head-end § With automatic tunnels it is even easier as packet can be originated from any address in the network § IPSec is the protection
  • 421.
    6TO4 SOLUTION §IPv4 Firewall inspects IPv4 Traffic. § Because it is also a Tunnel end, it can also inspect the IPv6 in IPv4 Traffic § 6to4 decapsulates traffic § IPv6 Firewall inspects IPv6 Traffic IPv4 Firewall IPv6 Firewall 6to4 IPv4 IPv6 in IPv4 Tunnel IPv6 IPv6
  • 422.
    ISATAP SOLUTION Notraffic arrives at the transition device without inspection. ISATAP IPv4 Firewall IPv4 IPv6 IPv6 in IPv4 Tunnel IPv6 Firewall
  • 423.
    ATTACK BY PACKETINJECTION IN A MANUAL TUNNEL (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 424.
    ATTACK BY REFLECTIONBY A TUNNEL TAIL END (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 425.
    INTERNAL HOST REFLEXIONATTACK (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 426.
    MANUAL TUNNEL SECURITY(6IN4, GRE) Best solution if possible is to use IPSec to protect: § Traffic injection (AH, ESP) § Traffic capture (ESP) If not possible… § As they are manually configured, we have enough information to secure the following: § If a packet is received and has a source address which is not configured for any tunnel, it will be silently dropped. – To log the drop an Access-List (ACL) must be configured § Anti-spoofing rejects a packet which comes from a wrong tunnel and blocks the reflection attack. – CEF Unicast RPF can be used for anti-spoofing § Verify the source address of packets received on an interface § In strict mode the packet must be received on an interface which is the outgoing interfqce going to the source address
  • 427.
    6TO4 TUNNEL SECURITY § Block Neighbor Discovery § Block ICMP Redirect § Block the link and Site local addresses § Block the IPv6 addresses matching IPv4 RFC 1918 § Verify the destination address
  • 428.
    ATTACKS ON NAT64AND NAT-PT § NAT-PT must be used as a last resort option § If we must support IPv4 Only Application, prefer NAT64 as NAT-PT § NAT64 and NAT-PT can be the target of DoS attacks § The attacker sends many IPv6 packets with different source addresses to the same IPv4 target. § Each packet consumes an address and a state which must be managed. § When there is no more IPv4 address available, there is no more access to IPv4 hosts § Another attack is to generate a lot of DNS requests which will also load the ALG CPU.
  • 429.
    NAT64 ATTACKS §http://tools.ietf.org/html/rfc6146 § 5.3. Attacks on NAT64 § DoS: NAT64 has a limited amounts of IPv4 addresses § Send a lot of packets with many IPv6 source addresses § DoS: Send a lot of fragments § DoS: Send a lot of TCP SYN
  • 430.
    NAT-PT AND NAT64ATTACKS MITIGATION Implement rate-limiting for: § Request on NAT-PT ALG § Packets which trigger the creation of an NAT Translation Implement anti-spoofing § IP Source Guard on switches § SEND Remember than NAT is not a Security device like a Stateful Firewall
  • 431.
    CISCO SECURITY FEATURES Access-list (ACL) § Stateless Access-List Standard, Extended § Stateful Reflexive ACL § This automatically allows the return traffic of sessions initiated from the inside hosts § Time Based ACL § The filter is only applied during the specified time range CISCO Firewall § Cisco IOS Firewall For IPv6 § CISCO Zone Based Firewall http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6- sec_trfltr_fw.html
  • 432.
    CISCO STATELESS ACCESS-LIST § These ACL must explicitly permit or deny traffic in each direction § There is no state built and manage § For instance if FTP must be enabled: – an ACL must permit the FTP control port in outgoing and incoming direction – An ACL must permit the FTP data port in the incoming direction (Active Mode) or in the outgoing direction for (Passive Mode) § Default end of an ACL is – permit nd-ns – permit nd-na – deny all § PRO: – Does not consume a lot of resources § CON: – Traffic must carefully be permitted or denied in each direction – Impossible to permit only the return traffic of a given session
  • 433.
    CISCO STATEFUL ACCESS-LIST:REFLEXIVE ACL § The ACL configuration only need to permit the outgoing paquets which starts a new session (i.e.Original paquet starting an FTP Session) § Return traffic is identified by a keyword used in an ACL applied in the opposite direction § PRO: Better granularity, only the return traffic is permitted ! § CON: Consumes more resources Example: ipv6 access-list OUTBOUND permit tcp 2001:DB8:0300:0201::/32 any reflect REFLECTOUT permit udp 2001:DB8:0300:0201::/32 any reflect REFLECTOUT ipv6 access-list INBOUND evaluate REFLECTOUT interface ethernet 0 ipv6 traffic-filter OUTBOUND out ipv6 traffic-filter INBOUND in
  • 434.
    ICMPV6 FILTERING §All ICMPv6 cannot be blocked by Firewall! § Path MTU Discovery § Neighbor Discovery § NUD § Parameters Discovery § SLAAC § Parameter Problem § Must be permitted Packet Too Big ND-NS ND-NA RA Parameter Problem
  • 435.
    CISCO IOS FIREWALLFOR IPV6 Fragmented packet inspection § The fragment header is used to trigger fragment processing. § Cisco IOS Firewall virtual fragment reassembly (VFR) examines out-of-sequence fragments and switches the packets into correct order, examines the number of fragments from a single IP given a unique identifier (Denial of Service [DoS] attack), and performs virtual reassembly to move packets to upper-layer protocols. IPv6 DoS attack mitigation § Mitigation mechanisms have been implemented in the same fashion as for IPv4 implementation, including SYN half-open connections. Tunneled packet inspection § Tunneled IPv6 packets terminated at a Cisco IOS firewall router can be inspected by the Cisco IOS Firewall for IPv6. Stateful packet inspection § The feature provides stateful packet inspection of TCP, UDP, Internet Control Message Protocol version 6 (ICMPv6), and FTP sessions.
  • 436.
    CISCO IOS FIREWALLFOR IPV6 (CONT.) Stateful inspection of packets originating from the IPv4 network and terminating in an IPv6 environment § This feature uses IPv4-to-IPv6 translation services. Interpretation or recognition of most IPv6 extension header information § The feature provides IPv6 extension header information including routing header, hop-by-hop options header, and fragment header is interpreted or recognized. Port-to-application mapping (PAM) § PAM allows you to customize TCP or UDP port numbers for network services or applications. § PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an at the firewall. § The information in the PAM table enables Context-based Access Control (CBAC) supported services to run on nonstandard ports.
  • 437.
    CISCO IOS FIREWALLALERTS, AUDIT TRAILS, AND SYSTEM LOGGING § Cisco IOS Firewall generates real-time alerts and audit trails based on events tracked by the firewall. § Enhanced audit trail features use system logging to track all network transactions; to record time stamps, source host, destination host, and ports used; and to record the total number of transmitted bytes for advanced, session-based reporting. § Real-time alerts send system logging error messages to central management consoles when the system detects suspicious activity. § Using Cisco IOS Firewall inspection rules, you can configure alerts and audit trail information on a per-application protocol basis. – For example, if you want to generate audit trail information for TCP traffic, you can specify the generation of this information in the Cisco IOS Firewall rule that defines TCP inspection. The Cisco IOS Firewall provides audit trail messages to record details about inspected sessions. – Audit trail information is configurable on a per-application basis using the CBAC inspection rules. To determine which protocol was inspected, use the port number associated with the responder. The port number appears immediately after the address.
  • 438.
    CISCO ZONE-BASED FIREWALLFOR IPV6 § Zones are created § Interfaces are placed into Zones § Zone Pairs are created § The pair identifies a source and a destination § Class-Map are used to identify traffic § Match on protocol § Match on Access-List § Class-default § A Policy defines the actions § These action applied for each Class-Map § Possible actions are: Drop, pass, inspect, log, reset (for TCP) § The Policy is then applied to a Zone-Pair
  • 439.
    FORTIGATE IPV6 SUPPORT.FORTIOS V4.0 MR7 http://www.fortinet.com/solutions/ipv6.html § Complete content protection for IPv6 traffic including Antivirus, Web filtering, DLP and Email Filtering § IPsec VPNs § Dynamic routing protocol for IPv6: RIPng, OSPFv3 and BGP+ § Routing access lists and prefix lists § Dual protocol stack support § IPv6 tunnel over IPv4 § IPv4 tunnel over IPv6
  • 440.
    FORTIGATE IPV6 SUPPORT.FORTIOS V4.0 MR7 § Firewall policies § Packet and network sniffing § Bi-directional traffic shaping § NAT/Route and Transparent mode § Logging and reporting § IPv6 specific troubleshooting such as ping6
  • 441.
    DEDICATED OR HOST-BASEDFIREWALL Dedicated Firewall devices § break the end-to-end model (like NAT) § Only return traffic of the outgoing traffic is permitted to get it in ! § Easy to manage Host-based Firewall § Maintain the end-to-end model § More difficult to manage
  • 442.
    SECURITY IN ANIPV6 ENVIRONMENT Minimum Security Plan As a minimum, the following steps should be undertaken with regard to IPv6 security by an organization: § Develop an IPv6 Security Plan § Create appropriate policy § Manage Routers/Switches appropriately § Disable IPv6/Tunnels § Develop Access Control Lists (ACL) to Block IPv6/Tunnels on core/edge/outside enclave § Network protection devices/tools § Contact vendors for IPv6 advice § Block IPv6 (Type 41) tunnels § Enable IPv6 IDS/IPS features § Manage End Nodes appropriately § Enable IPv6 host firewalls on all end devices § Monitor Core and Enclave Boundaries
  • 443.
    CONCLUSION § IPSecis provided with IPv6 stacks § For confidentiality, prefer – SSH to TELNET for active node management – SNMPv3 to SNMPv2 for the network management § Routing protocol can be authenticated § NDP is secured by SEND § Tunnels, NAT-PT or NAT64 don’t have any security feature associated – Anti-spoofing – IPSec – ACL – Rate-limiting § CEFv6 Unicast RPF on CISCO and ALCATEL-LUCENT 7750 for anti-spoofing § Use CISCO IOS Firewall or other Firewall for Public Network Connection § Check the NSA www (http://www.nsa.gov) – Check the Router Security Configuration Guide Supplement - Security for IPv6 Routers – Firewall Design Considerations for IPv6
  • 444.
    Secured Neighbor Discovery(SEND) INTRODUCTION TO IPV6 FOR SERVICE PROVIDERS
  • 445.
    INTRODUCTION TO SEND § NDP threats § SEND: a protocol to protect Neighbor Discovery Protocol against any attack § Cryptographically Generated Address – Makes IPv6 address steal proof ! – Spoofing becomes virtually impossible § Address Delegation Authority – Protection against Rogue Router – A router must have a valid certificate to get used as a default router. § Today SEND is supported by CISCO and LINUX § Example: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-563156.html
  • 446.
    NDP PROTOCOL DATAUNITS Two New PDUs § Certificate Path Solicitation (CPS SEND) § Certificate Path Advertisement (CPA SEND) New NDP Options § CGA - 11 § RSA - 12 § Certificate - 16 § Trust - 15 § Nonce - 14 § Timestamp -13
  • 447.
    NEIGHBOR DISCOVERY OPTIONS Message CGA RSA Nonce Timestamp Router Solicitation MUST unless sent from MUST unless sent MUST MUST (RS) unspecified from unspecified Router Advertisement (RA) MAY. The CGA option can be omitted in RA but this would be rejected by current IOS implementation MUST MUST for solicited RA to all node multicast. Not needed for unsolicited. MUST Neighbor Solicitation (NS) MUST MUST MUST MUST Neighbor Advertisement (NA) MUST MUST MUST for solicited NA to all node multicast. Not needed for unsolicited. MUST Redirect MAY MUST MUST (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 448.
    PKI ARCHITECTURE (C)2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 449.
    PKI ARCHITECTURE: X.509CERTIFICATE (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 450.
    ROUTERS AND HOSTCERTIFICATES VERIFICATION Router 1 2 3 4 Router Message Digest Sign Hash CA’s Private Key 5 Cert Req Router 6 Host Trusts Router’s Public Key after it verifies its signature using CA’s Public Key 7 Router Router Host Already has CA’s Public Key (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 451.
    RECEPTION OF ANRA AND SEND VALIDATION (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 452.
    VALIDATION OF ANRA § A host receives an RA from a new Router § It does not have a matching certificate § It sends a CPS to the Router § Router answers with a Certificate in a CPA § If the router Certificate matches the CA Certificate authority, the RA is accepted; otherwise it is dropped
  • 453.
    CONCLUSION § SENDis the ultimate ND Security protocol § This is the answer to any possible attack using NDP § Makes any kind of attack against an IPv6 Network very difficult if not impossible § The Sec-Level parameter introduces a complexity argument which can be increased when the CPU becomes faster and could be used to break SEND § The network clocks must be synchronized to support SEND § Certificates must be distributed on Routers and Hosts
  • 454.
    BOOKS ON THEWEB: SAFARI BOOKS ONLINE (C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 455.
    SOME BOOKS (C)2012 FRED BOVY EIRL. IPV6 FOR LIFE!
  • 456.
    (C) 2012 FREDBOVY EIRL. IPV6 FOR LIFE!