This document provides an overview and agenda for a course on Introduction to IPv6 for Service Providers. The course covers IPv6 essentials such as addressing, operations, applications/services, routing protocols, and transition strategies. It discusses the rationale for adopting IPv6 including the depletion of IPv4 addresses and the need to support the growing number of internet-connected devices. The document outlines some of the key limitations of IPv4 like fragmentation and the issues with long-term reliance on Network Address Translation (NAT) to overcome the address space depletion.
3. COURSE OVERVIEW
This course on IPv6 addresses the knowledge and skill requirements for
Architects and Project Managers supporting IPv6 design and
implementation for Service Provider customers.
The course covers the IPv6 essentials in detail.
As a prerequisite, taking the “IPv6 For Life!” free online tutorial will
help. You can find the 3 Flash modules at http://fredbovy.com.
For further study, the book “Understanding IPv6 Concepts” digs in depth
into all the concepts explained in this course.
Migration strategies for a full range of scenarios are discussed.
4. COURSE CONTENT
The High-Level Objectives for this course are as follows:
§ Overview of IPv6
§ IPv6 Addressing in depth
§ IPv6 Operations
§ IPv6 Applications and Services
§ IPv6 routing protocols
§ Introduction to IPv6 Multicast
§ IPv6 Transition and customer integration Strategies including dual stack, 6to4
and 6RD Tunnels, NAT64 and DNS64 translation, Large Scale Nat (LSN or
CGN) NAT444, NAT464, DS-Lite, 6PE and 6VPE.
§ Introduction to IPv6 Security
(C) 2012 FRED BOVY EIRL. IPV6 FOR LIFE!
6. COURSE AGENDA
§ Lesson 1: The origin: IPv4 and the rationale for IPv6
§ Lesson 2: IPv6 Protocol and Addresses
§ Lesson 3: ICMPv6 and Neighbor Discovery
§ Lesson 4: IPv6 Services
§ Lesson 5: IPv6 Routing Protocols
§ Lesson 6: IPv6 Multicast
§ Lesson 7: Transition to IPv6
– Dual-Stack
– Tunneling
– Translating
§ Lesson 8: QoS in IPv6 Networks
§ Lesson 9: IPv6 and Security
– Routing Protocols Security
– IPSec
– Threat on NDP and SEND
7. TYPOGRAPHIC CONVENTIONS
Convention – Type of Information
Italic font – Book titles. Words or characters that require special attention. Variable names or placeholders for information you must supply, for example:
Enter the following command:
ifstat [-z] {-a interface}
Interface is the name of the interface for which you want to view statistics.
Monospaced font – Command names, daemon names, and option names. Information displayed on the system console or other computer monitors. The contents of files.
Bold monospaced font – Words or characters you type, for example:
Enter the following command:
options httpd.enable on
10. IPV4 AND ASSOCIATED PROTOCOLS
§ IPv4 was a network protocol designed for the Army, supposed to interconnect
thousands of hosts
§ The Internet was not open to the public and you had to sign that you would not
use the Internet for business
§ Autoconfig was not needed
§ No smartphones, no sensors, no game console, no iPAD, no ADSL, no cable
home access and no Internet Access at home
§ IPv4 delivers a best-effort service
§ It was associated with other protocols:
§ ARP to resolve MAC address based on IP address
§ DHCP for centralized configuration of end nodes
11. IPV4 HEADER
Version | Header Length | Type of Service (P P P precedence, D, T, R, 0) | Total Length
Fragment ID | Flags (DF, MF) | Fragment Offset
Time To Live (TTL) | Protocol | Header Checksum
Source Address
Destination Address
Options (+ padding)
12. FRAGMENTATION
Identification (16 bits)
§ To identify all fragments from the same datagram
Fragment Offset (13 bits)
§ To reorder the fragments
Flag
§ DF – Don't Fragment
§ MF – More Fragments
13. PMTUD: 1ST ROUTER DROP MTU=1300
§ The source sends a 1500-byte datagram (MTU=1500)
§ The 1st router's outgoing link has MTU=1300
§ It drops the datagram
§ It sends ICMP Packet Too Big, MTU=1300
14. PMTUD: 2ND ROUTER DROP MTU=1100
16. IPV4 ADDRESSES
§ Address IP Source/Destination
§ Class A. Addresses 1.0.0.0 to 126.255.255.255
§ 10.0.0.0 to 10.255.255.255 is private
§ 128 domains (networks) and 16.777.214 Class A hosts per domain
§ Class B. 127.0.0.0 to 191.255.255.255
§ 172.16.0.0 to 172.31.255.255 is private
§ 16.000 domains and 65.534 Class B hosts per domain
§ Class C. 192.0.0.0 to 223.255.255.255
§ 192.168.0.0 to 192.168.255.255 is private
§ 2.000.000 domains and 254 Class C hosts per domain
§ Class D. 224.0.0.0 to 239.255.255.255 Multicast
§ Class E. 240.0.0.0 to 247.255.255.255 Experimental
§ 4 billion nodes maximum
§ VLSM and CIDR removed the class limitations, which were wasting a lot of
addresses
§ NAT/Private Address Space (RFC1918)
17. NAT/PAT
§ NAT allows the translation of private to public addresses
§ PAT allows many private addresses to use the same public address
§ RFC2993 Architectural Implications of NAT
§ Cons:
§ Bottleneck
§ Single point of failure
§ Applications must be NAT Friendly
§ Does not allow end-to-end security and permits undetected MITM attacks
§ High hidden costs to make applications support it
§ Pro:
§ Hide the private networks topology
18. SOME DISCUSSIONS ABOUT NAT
RFC 1579 - Firewall Friendly FTP
RFC 2663 - IP Network Address Translator (NAT) Terminology and Considerations
RFC 2709 - Security Model with Tunnel-mode IPsec for NAT Domains
RFC 2993 - Architectural Implications of NAT
RFC 3022 - Traditional IP Network Address Translator (Traditional NAT)
RFC 3027 - Protocol Complications with the IP Network Address Translator (NAT)
RFC 3235 - Network Address Translator (NAT)-Friendly Application Design Guidelines
RFC 3715 - IPsec-Network Address Translation (NAT) Compatibility
RFC 3947 - Negotiation of NAT-Traversal in the IKE
RFC 5128 - State of Peer-to-Peer (P2P) Communication across Network Address Translators (NATs)
19. OPTIONS
Limited number of possible options:
§ Class 0
- 0 - 00000 – End of the option list (padding).
- 1 - 00001 – No Operation.
- 2 - 00010 – Security and management restriction used by
military applications.
- 3 - 00011 – Loose Source Routing.
- 7 - 00111 – Route Recording.
- 8 - 01000 – Connection identification.
- 9 - 01001 – Strict Source Routing.
§ Class 2
- 4 - 00100 – Internet Timestamp.
20. DHCP
§ For end nodes, centralized configuration
§ Everything is configured from a DHCP server:
§ IP Address
§ Default Router
§ DNS Servers Addresses
§ SIP Server Addresses
§ Domain Names
21. IPV6 RATIONALE IN THE SERVICE PROVIDER ENVIRONMENT
§ The question is not “if” it will happen, but “when” will it happen
§ IPv4 addresses depleted as of February 2011
§ Number of connected devices continues to increase
§ IPv4 can accommodate 4 billion nodes
§ The number of devices will exceed 15 billion in 2015 and 50 billion in 2020
§ Over 100 billion microcontrollers; 10 billion shipped per year
§ Devices are always connected, from anywhere
§ It will eliminate IPv4 issues once fully deployed
§ NAT
§ Network efficiency and scalability
§ It has integrated features (services)
§ Global addresses
§ Mobility
§ Security
22. NAT/PAT IS THE HEROINE OF THE INTERNET
§ NAT/PAT with private addresses was invented as a workaround for address depletion
in the 1990s. Then people started to use it and found that NAT/PAT was the solution
for everything: security, multihoming, and address independence from the Service
Provider.
§ Most people do not realize the huge hidden costs which go with NAT. All new
applications must be engineered to bypass and support NAT. There are more than
77 RFCs about NAT if you do a simple search on the IETF site with the NAT keyword, then
look at the result.
§ NAT denies end-to-end security and is a problem for real security protocols like IPSec or
DNSSEC.
§ NAT seems to be the solution for everything, while actually it breaks a lot (most) of
the network applications and does not permit end-to-end security. It gives an
opportunity for undetected MITM exploits which could be prevented with end-to-end
security.
§ Once people have started to use NAT/PAT they cannot imagine any network without it,
or how the Internet was before the introduction of NAT/PAT.
§ NAT creates more issues than it solves. Without NAT, we would not have
slept for 20+ years before starting a protocol more appropriate than IPv4.
Do you know that before it was prohibited by law in the USA in 1959 and in France in
1963, heroin was sold in pharmacies as a miracle medicine for almost everything?
23. WHO IS RUNNING IPV6?
A lot of ISPs and enterprises already use IPv6:
§ Free SAS
§ RENATER
§ The Cable Operators with DOCSIS 3.0
§ COMCAST
– Running IPv6 internally for years
– General roll out scheduled to be completed in 2012
§ Time Warner
– General roll out scheduled to start next year
§ Mobile Phone
– 4G: Designed for IPv6, 3G supports IPv6
– T-Mobile: IPv6 only
– Verizon LTE: IPv6 is primary protocol
– Sprint: Deploying IPv6 in 2012
24. SERVICE PROVIDER IPV6 TRANSITION STRATEGIES
§ An end-to-end IPv6-only core is the ultimate goal.
§ Transition strategies require Carrier Grade solutions:
§ Native IPv4 core
§ Dual Stack
§ Large Scale NAT (Carrier Grade NAT, AFT)
§ MPLS enabled core
§ 6PE
§ 6VPE
§ The solution must support any customer connection.
§ Keeping two protocols is expensive. AT&T predicts the end of IPv4 in 2020.
25. SERVICE PROVIDER DRIVERS FOR ADOPTION OF IPV6
§ IPv4 growth potential is finite even with double NAT
§ Structured migration path to IPv6
§ Be one of the first to market with IPv6 enabled services
§ Customers will require access to new IPv6 content from content providers
§ SPs will be competing for services that are IPv6 dependent
§ Some devices, like smartphones, will very soon be IPv6-only
§ NAT cannot be the solution for all applications and all users
§ See IDC and Renater Migration Case Studies
26. CONCLUSION
§ IPv4 is not designed to support multiple addresses per user
§ NAT cannot be a solution for some applications
§ IPv4 Options are not extensible
§ New transports are introduced to support new applications
§ IPv4 cannot provide an address for each device that will need a connection to
the Internet
28. FEATURES AND BENEFITS
§ No more fragmentation info in each packet
§ No more header checksum
§ The UDP checksum is now mandatory
§ Traffic Class (8 bits) replaces the Precedence and ToS Byte
§ The Flow Label (20 bits) identifies a flow
§ Addresses are 128 bits long
§ No More NAT needed
§ Alignment on 64 bytes
§ Header size increases from 20 bytes to 40 bytes
§ Autoconfiguration
31. IPV6 ADDRESSING ARCHITECTURE (RFC 4291)
§ Unicast (one-to-one)
§ To identify a network interface
§ Three scopes of addresses:
§ IPv6 Global
§ Link-Local
§ Unique Local Address (equivalent of RFC 1918)
§ Multicast (one-to-many)
§ To identify a set of interfaces on the network
§ Traffic is routed to all of these interfaces
§ Scope: interface, link, site, organization, global
§ Anycast (one-to-nearest)
§ To identify a set of interfaces on the network
§ The traffic is routed to the nearest interface
§ IPv6 Addressing Architecture
§ http://tools.ietf.org/html/rfc4291
32. REPRESENTATION (RFC 4291)
§ X:X:X:X:X:X:X:X
§ X is a 16-bit field written in hexadecimal
§ A run of consecutive zero fields is represented by ::, but this can be used only once in an
address
§ 2000:1::0102:1234:4222
§ FF01:0:0:0:0:0:0:1 or FF01::1
§ 0:0:0:0:0:0:0:0 or ::
§ In a URL, the address is surrounded by [ ]
§ http://[2001:1:4::11]:8080/index.html
33. GLOBAL UNICAST ADDRESS (RFC 4291)
§ Global unicast host address:
– 2000:0001:0002:0000:0000:0005:0006:0007
– 2000:0001:0002::0005:0006:0007
§ Network Prefix:
– 2000:0001:0002::/48
– 2000:1000:0001:0010::/64
§ In the Internet 2000::/3 global unicast address:
– http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xml
– http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xml
Address layout: Global Routing Prefix (provider, 48 bits) | SLA (site, 16 bits) | Interface ID (host, 64 bits)
34. IPV6 GLOBAL UNICAST ADDRESS FORMAT (RFC 3587)
Initial format: Global Routing Prefix (provider, n bits) | Subnet ID (64 − n bits) | Interface ID (host, 64 bits)
IETF assigned 001 for Global Unicast; 2620::/12 is assigned to the American Registry for Internet Numbers (ARIN).
Split of a 2620::/12 address: 001 (3 bits) | ARIN (9 bits) | RIR or ISP (36 bits) | Subnet ID (16 bits) | Interface ID (host, 64 bits)
RFC 2374: Aggregatable Global Unicast Address Structure
Public Topology | Site Topology | Interface Identifier
FP (3 bits) | TLA ID (13 bits) | RES (8 bits) | NLA ID (24 bits) | SLA ID (16 bits) | Interface ID (64 bits)
35. AGGREGATABLE GLOBAL UNICAST ADDRESS
STRUCTURE (RFC 2374)
§ FP: Format Prefix (001)
§ TLA ID: Top-Level Aggregation Identifier
§ A default free router will have a route to each TLA ID plus the specific routes for
the TLA ID it belongs to.
§ RESERVED for future utilization
§ NLA ID: Next-Level Aggregation Identifier
§ Identify sites within an organization.
§ SLA ID: Site-Level Identifier
§ Identify the subnets within an organization
§ Same as the IPv4 Subnets
§ Supports 65.535 Subnets
§ Interface Identifier
Diagram: Public Topology | Site Topology | Interface Identifier; FP (3 bits) | TLA ID (13 bits) | RES (8 bits) | NLA ID (24 bits) | SLA ID (16 bits) | Interface ID (host, 64 bits)
36. LINK-LOCAL ADDRESS (RFC 4291)
§ Allows automatic address configuration without router
§ Equivalent in IPv4: 169.254.0.0/16 (RFC 3927)
§ FE80::/10
Format (128 bits): FE80::/10 (1111 1010 followed by zeros) | all 0s | Interface ID (64 bits)
37. SCOPED ADDRESS ARCHITECTURE (RFC 4007)
§ At the beginning the Site-Local scope was defined
§ fec0::/10
§ This was deprecated by RFC 3879
§ All addresses but the unspecified one have a scope
§ RFC 4007 defines a “Scope Zone” or Zone as a connected region with a
given scope
§ The zone is noted with the % sign
§ Example: fe80::1%5
38. UNIQUE-LOCAL ADDRESS (RFC 4193)
§ The IPv6 equivalent of RFC 1918 private addresses
§ Network Prefixes:
§ FC00::/7 Globally Managed
§ FD00::/8 Locally Managed
§ To reserve an address:
§ http://www.sixxs.net/tools/grh/ula/
Format: Prefix (1111 1100 = FC00::/7; 1111 1101 = FD00::/8) + Global ID (40 bits) = 48 bits | Subnet ID (16 bits) | Interface ID (host, 64 bits)
39. INTERFACE ID DERIVED FROM THE MAC: EUI-64
§ MAC address: 48 bits
§ X=1 Unique
§ X=0 Not Unique
Example: the MAC 00 90 59 02 E0 F9 becomes 00 90 59 FF FE 02 E0 F9 (FF FE inserted in the middle); the first octet has the form 000000X0, where X is the universal/local bit.
40. RANDOM INTERFACE ID (RFC 4941)
§ If the interface ID is derived from the MAC address, it is constant.
§ Since there is no NAT, this can be used to track a user.
§ The Privacy Extension uses a randomized ID to configure the interface ID.
41. SPECIAL ADDRESSES (RFC 4291)
§ Unspecified
§ 0:0:0:0:0:0:0:0 or ::
§ Used when the node does not have an address configured
§ Loopback
§ 0:0:0:0:0:0:0:1
§ ::1
§ Equivalent of 127.0.0.1 in IPv4
§ IPv4-Mapped
§ ::ffff:192.168.0.11
§ RFC 5156 compiles the special addresses that should not be routed
on the Internet
§ http://tools.ietf.org/html//rfc5156
42. MULTICAST (RFC 4291)
Flag – 4 bits
§ 0 if permanent
§ 1 if temporary
Scope – 4 bits
§ 1=node
§ 2=link
§ 4=admin
§ 5=site
§ 8=Organization
§ E=Global
Only the link-local scope is automatically filtered by routers. Other scopes must be enforced with access lists.
Format (128 bits): FF (8 bits) | Flag (4 bits) | Scope (4 bits) | 0 | Interface ID
43. MULTICAST ADDRESS RESERVED
§ FF01::1 Interface-local Scope All node address
§ FF01::2 Interface-local Scope All routers address
§ FF02::1 Link-local Scope All nodes address
§ FF02::2 Link-local Scope All routers address
§ FF05::1 Site-local Scope All node address
§ FF05::2 Site-local Scope all routers address
§ FF05::1:3 Site-local Scope all DHCP server
45. IPV6 ADDRESS SPACE
http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
46. IPV6 ADDRESS SUMMARY
These addresses include:
§ ::/128 Unspecified Address
§ ::1/128 Loopback Address
§ 2001::/32 Teredo prefix
§ 2001:db8::/32 reserved for training and documentation by RFC 3849
§ 2002::/16 prefix used by 6to4
Prefix – Description
::/8 – Reserved Address
2000::/3 – Internet Routed Global Unicast Address
fc00::/7 – Site Local Address (deprecated)
fe80::/10 – Link-Local Address
ff00::/8 – Multicast Address
http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
47. ADDRESSES REQUIRED FOR AN IPV6 NODE
§ A Link-local for each interface
§ Loopback
§ Assigned Unicast
§ All-nodes Multicast
§ Solicited-node multicast for each unicast
§ Multicast
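As an added example (not part of the original slides), the following Python derives the modified EUI-64 interface ID of slide 39 from a MAC, builds the link-local and global addresses, recovers the MAC again (the tracking concern of slide 40), decodes the multicast flag and scope nibbles of slide 42, and computes the solicited-node address of slide 47. The MAC 00:0B:60:B4:9C:1A is an assumption inferred from the link-local address FE80::20B:60FF:FEB4:9C1A shown in the Cisco output of slide 51.

```python
import ipaddress
from typing import Optional

# Multicast scope nibble values listed on slide 42
MCAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 appendix A): insert FF FE in the middle of the
    48-bit MAC and flip the universal/local bit (bit 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/10 followed by 54 zero bits and the 64-bit interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_eui64(mac))


def global_from_mac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfiguration: a /64 prefix learned from an RA plus the EUI-64 ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64(mac))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Reverse the derivation. Returns None when the interface ID is not
    EUI-64 shaped (e.g. a random ID from the RFC 4941 privacy extension)."""
    p = ipaddress.IPv6Address(addr).packed
    if p[11] != 0xFF or p[12] != 0xFE:
        return None
    octets = bytes([p[8] ^ 0x02]) + p[9:11] + p[13:16]
    return ":".join(f"{b:02x}" for b in octets)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx with the low 24 bits of the unicast address (RFC 4291)."""
    p = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv6Address(bytes.fromhex("ff02" + "0000" * 4 + "0001" + "ff") + p[13:])


def multicast_info(addr: str) -> dict:
    """Decode the flag and scope nibbles of an FF00::/8 address (slide 42)."""
    p = ipaddress.IPv6Address(addr).packed
    if p[0] != 0xFF:
        raise ValueError("not a multicast address")
    flags, scope = p[1] >> 4, p[1] & 0x0F
    return {"transient": bool(flags & 0x1),          # T flag: 0 permanent, 1 temporary
            "scope": MCAST_SCOPES.get(scope, f"reserved({scope:#x})")}


if __name__ == "__main__":
    mac = "00:0b:60:b4:9c:1a"   # assumed: inferred from FE80::20B:60FF:FEB4:9C1A on slide 51
    ll = link_local_from_mac(mac)
    ga = global_from_mac("2000:1::/64", mac)
    print("link-local       :", ll)
    print("global (SLAAC)   :", ga)
    print("solicited-node   :", solicited_node(ga))
    print("MAC recovered    :", mac_from_eui64(ga))
    print("slide 39 example :", mac_to_eui64("00:90:59:02:e0:f9").hex(" "))
    print("FF02::1:FFB4:9C1A:", multicast_info("ff02::1:ffb4:9c1a"))
```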
48. ADDRESSES REQUIRED FOR A ROUTER
All the addresses needed for a node plus:
§ Anycast address if a particular service needs it
§ All-Routers Multicast
§ Routing protocols specific multicast addresses
49. IPV6 IN ETHERNET
IPv6 Ethertype: 0x86DD
Frame layout: Destination Ethernet Address | Source Ethernet Address | 0x86DD | IPv6 Header and payload
51. CISCO IPV6 INTERFACE
sa13-72c(config-if)#do show ipv6 int gig0/2
GigabitEthernet0/2 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::20B:60FF:FEB4:9C1A
  No Virtual link-local address(es):
  Stateless address autoconfig enabled
  Global unicast address(es):
    2000:1::20B:60FF:FEB4:9C1A, subnet is 2000:1::/64 [EUI/CAL/PRE]
      Valid lifetime 2591911 preferred lifetime 604711
  Hosts use stateless autoconfig for addresses
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FFB4:9C1A
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 23319)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
52. ASSIGNMENT OF ADDRESSES
Hierarchy: IANA allocates to the Regional Internet Registries (ARIN, APNIC, RIPE NCC, ...); an RIR allocates either directly to an ISP/LIR (Local Internet Registry) or through a National Internet Registry (NIR); the LIR assigns addresses to End Users (EU).
Example of an assigned address: 2a01:0e35:2f26:d340:acaa:4946:9234:1379
http://www.ripe.net/ripe/docs/ripe-512
53. IPV6 ADDRESS ALLOCATION
§ IPv6 addresses are 4 times bigger than IPv4 addresses
§ They must be carefully managed so as not to explode the size of routing tables
§ Blocks of addresses are allocated by IANA or an RIR
§ To be eligible for address allocation:
§ Must be a LIR
§ Have a plan to provide addresses to customers within two years
§ Minimum allocation to a LIR is a /32
54. ADDRESSES ASSIGNMENT TO A USER
§ The assignment of addresses to end users is done by the LIR
§ RFC 3177 is obsoleted by RFC 6177
§ The standard is no longer /48 but between /48 and /64
§ For a large customer
§ /47 or larger can be assigned
§ Or multiple /48
§ /64 for a single subnet
§ /128 for a single host
§ By default the assignment is temporary
§ For multihomed users, Provider Independent (PI) addresses
§ RIPE Looking Glass:
http://stat.ripe.net/2a01:e00::/26
http://stat.ripe.net/2804:258::/32
56. PROVIDER ASSIGNED ADDRESS SPACE
§ FP: Format Prefix (001)
§ TLA ID: Top-Level Aggregation Identifier
§ RESERVED for future use
§ NLA ID: Next-Level Aggregation Identifier
§ SLA ID: Site-Level Identifier
§ Interface Identifier
Diagram: Public Topology | Site Topology | Interface Identifier; FP (3 bits) | TLA ID (13 bits) | RES (8 bits) | NLA ID (24 bits) | SLA ID (16 bits) | Interface ID (host, 64 bits)
57. MULTIHOMING
Diagram: ISP1 (2001:db8::/32) assigns 2001:db8:1::/48 to the site; ISP2 (2001:db9::/32) assigns 2001:db9:100::/48; the site uses both 2001:db8:1::/48 and 2001:db9:100::/48.
58. PROVIDER-ASSIGNED ADDRESS
§ The /48 prefix is assigned by the ISP
§ The address belongs to the ISP and should be returned at the end of the
contract.
Diagram: ISP1 (2001:db8::/32) assigns 2001:db8:1::/48 and ISP2 (2001:db9::/32) assigns 2001:db9:100::/48; both prefixes are used inside the site.
59. PROVIDER-ASSIGNED – MULTIHOMED WORKSTATIONS
§ End node now has two addresses
Diagram: ISP1 (2001:db8::/32) provides 2001:db8:1::/48 and ISP2 (2001:db9::/32) provides 2001:db9:100::/48; the workstation is configured with 2001:db8:1:99:42:345F:1:1/64 and 2001:db9:100:99:42:345F:1:1/64.
60. PROVIDER-ASSIGNED – FAULT TOLERANCE (1)
§ Better route from ISP2
§ A session is started
Diagram: the workstation holds 2001:db8:1:99:42:345F:1:1/64 (from ISP1, 2001:db8:1::/48) and 2001:db9:100:99:42:345F:1:1/64 (from ISP2, 2001:db9:100::/48); the session uses the ISP2 address.
61. PROVIDER-ASSIGNED – FAULT TOLERANCE (2)
§ The destination through ISP2 is no longer reachable
§ The session fails
Diagram: same two prefixes (ISP1 2001:db8:1::/48, ISP2 2001:db9:100::/48) and workstation addresses 2001:db8:1:99:42:345F:1:1/64 and 2001:db9:100:99:42:345F:1:1/64, with the ISP2 path down.
62. PROVIDER-ASSIGNED – FAULT TOLERANCE (3)
§ A new session must be started
Diagram: same two prefixes (ISP1 2001:db8:1::/48, ISP2 2001:db9:100::/48) and workstation addresses 2001:db8:1:99:42:345F:1:1/64 and 2001:db9:100:99:42:345F:1:1/64; the new session uses the ISP1 address.
63. PROVIDER-ASSIGNED MULTIHOMING
§ Routing based solution
§ RFC 3178
§ Need to establish tunnels with ISPs
§ Does not protect against the upstream ISP failure scenario
§ Quite complex to set up
§ Host based solution
§ Shim6: RFC 5533, RFC 5534, RFC 5535
§ http://www.shim6.org/
§ http://datatracker.ietf.org/wg/shim6/charter/
§ Many solutions proposed
§ Need to update software on the hosts
§ Stateless prefix translation (NPT6, not NAT66!)
§ RFC 6296 (Experimental)
§ http://fredbovyipv6.blogspot.com/2011/09/from-nat66-to-ipv6-to-ipv6-network.html
§ The solution should conform to RFC 3852
§ https://www.ietf.org/rfc/rfc3582.txt
65. PA MULTIHOMING: SHIM6
http://www.shim6.org/
Diagram: applications AP1, AP2 … APn run over TCP/UDP; inside the IP layer, the Shim6 layer sits between the end-point identifier seen by the upper layers and the locator used for forwarding; the two Shim6 layers exchange the Shim6 protocol.
66. PROVIDER-INDEPENDENT ADDRESS: MULTIHOMING
§ Same as IPv4
§ No more renumbering when changing ISP
Diagram: the site holds the PI prefix 2001:db8:66::/48 and announces it through both ISP1 (2001:db8:1::/48) and ISP2 (2001:db8:100::/48), so the same PI prefix is reachable behind both providers.
67. PROVIDER-INDEPENDENT VERSUS PROVIDER-ASSIGNED
§ Provider Assigned
§ It was the only solution until 2009
§ Keeps the routing table size quite low
§ Multihoming may be hard to set up
§ Provider Independent
§ Allocated by the RIR
§ Solves the multihoming problem
§ In Europe this is allocated by RIPE
§ Must be multihomed
§ Need to comply with: http://www.ripe.net/ripe/docs/ripe-452
§ No more aggregation of the routing table
68. CONCLUSION
§ No more address limitation
§ No more NAT limitation
§ Extensible with Option headers
§ Performance-oriented header, but twice as big
§ Multicast replaces the broadcast
§ Multihoming is still an open debate
70. IPV6 HEADER
Ver | Traffic Class | Flow Label
Payload Length | Next Header=Hop-By-Hop | Hop Limit
Source IPv6 Address
Destination IPv6 Address
Hop-By-Hop (Next Header=Routing Hdr)
Routing Header (Next Header=TCP)
TCP Header
71. IPV6 HEADER
Ethernet II, Src: ca:02:42:76:00:08 (ca:02:42:76:00:08), Dst: IPv6mcast_00:01:00:02 (33:33:00:01:00:02)
Destination: IPv6mcast_00:01:00:02 (33:33:00:01:00:02)
Source: ca:02:42:76:00:08 (ca:02:42:76:00:08)
Type: IPv6 (0x86dd)
Internet Protocol Version 6
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 56
Next header: UDP (0x11)
Hop limit: 255
Source: fe80::38b1:e73c:c0f0:4442 (fe80::38b1:e73c:c0f0:4442)
Destination: ff02::1:2 (ff02::1:2)
User Datagram Protocol, Src Port: dhcpv6-client (546), Dst Port: dhcpv6-server (547)
Source port: dhcpv6-client (546)
Destination port: dhcpv6-server (547)
Length: 56
Checksum: 0x86f0 [validation disabled]
72. TRAFFIC CLASS
§ One byte
§ Same as ToS+Precedence in IPv4
§ Carry the DSCP
§ Can be changed by routers (mutable)
73. FLOW LABEL (RFC3697)
§ To identify a flow of data
§ Not currently used by applications
§ Not modified by routers (immutable)
§ A flow is identified by the addresses and the flow label.
§ Not encrypted by IPSec
§ Not fragmented if fragmentation occurs
§ Not widely used because it could be abused for DoS attacks
74. IPV6 OPTION HEADER
§ IPv4 protocol field replaced by Next Header
§ Each option is formatted as a TLV (Type Length Value)
Format: Option Type (8 bits) | Option Length (8 bits) | Option data
75. HOP-BY-HOP OPTION
§ The Hop-by-Hop option header (Next Header=0) must be inspected by all nodes
§ Used by Jumbograms to reach 65,536 octets
§ RFC 2711 Router Alert, used by MLD and RSVP
§ Each router needs to check this option
§ IANA manages the list of allocated numbers
§ 0 to 35 have been allocated
§ 36 to 65535 should be rejected
§ Must be the first option header
76. ROUTING HEADER
§ Type 0: Source Routing
§ Loose Source Routing
§ Deprecated: http://www.ietf.org/rfc/rfc5095.txt
§ Type 1: Obsolete
§ Type 2: RFC3775 Used by Mobile IPv6
77. OTHER IPV6 OPTION HEADER
§ Destination Option
§ An option for the destination IPv6 address only
§ Fragment Header
§ Fragmentation is only permitted by the source
§ Routers cannot fragment packets anymore
§ Authentication Header
§ ESP Header
§ Mobility Header
85. MLD (IGMP)
§ Protocol between routers and multicast receivers
§ MLDv1 (RFC 2710)
§ Equivalent of IGMPv2 (RFC 2236)
§ Multicast Listener Query: ICMPv6 Type 130
§ Multicast Listener Report v1: ICMPv6 Type 131
§ Multicast Listener Done: ICMPv6 Type 132
§ MLDv2
§ Equivalent of IGMPv3 (RFC 3376)
§ Multicast Listener Query: ICMPv6 Type 130
§ Multicast Listener Report v2: ICMPv6 Type 143
86. ICMPV6 PROTECTION
The following messages MUST have a hop limit = 255
§ RS:133, RA:134
§ NS:135, NA:136
§ Redirect: 137
§ Inverse Neighbor Discovery Solicitation: 141
§ Inverse Neighbor Discovery Advertisement: 142
§ Certificate Path Solicitation (SEND): 148
§ Certificate Path Advertisement (SEND): 149
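As an added example that is not part of the course material, the following Python parses the fixed IPv6 header of slides 70 and 71, walks the extension header chain with the TLV option format of slides 74 and 75 (checking that Hop-by-Hop comes first), and applies the Hop Limit 255 rule of slide 86 to ND and SEND messages. The first packet is rebuilt from the Wireshark decode on slide 71 (its UDP body is zero-filled, since the slide does not show it); the MLD report and the Router Advertisement are constructed for the example.

```python
import struct
import ipaddress

# Next Header values (IANA protocol numbers) handled by the walker
HOP_BY_HOP, ROUTING, FRAGMENT, UDP, ICMPV6 = 0, 43, 44, 17, 58
# ICMPv6 types that slide 86 says MUST arrive with Hop Limit 255
ND_TYPES = {133, 134, 135, 136, 137, 141, 142, 148, 149}


def parse_tlv_options(data: bytes) -> list:
    """Decode the Type/Length/Value options of a Hop-by-Hop or Destination
    Options header; Pad1 (type 0) and PadN (type 1) are padding and skipped."""
    opts, i = [], 0
    while i < len(data):
        opt_type = data[i]
        if opt_type == 0:                     # Pad1 is a single byte, no length
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError("truncated option")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option length exceeds header")
        if opt_type != 1:
            opts.append((opt_type, value))
        i += 2 + length
    return opts


def parse_ipv6(pkt: bytes) -> dict:
    """Parse the 40-byte fixed header, then walk the Hop-by-Hop, Routing and
    Fragment extension headers until an upper-layer protocol is reached."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        raise ValueError(f"not IPv6 (version {first >> 28})")
    if len(pkt) < 40 + plen:
        raise ValueError("payload shorter than Payload Length")
    hdr = {"traffic_class": (first >> 20) & 0xFF, "flow_label": first & 0xFFFFF,
           "payload_length": plen, "hop_limit": hlim,
           "src": ipaddress.IPv6Address(pkt[8:24]), "dst": ipaddress.IPv6Address(pkt[24:40]),
           "ext_headers": [], "hbh_options": []}
    off = 40
    while nh in (HOP_BY_HOP, ROUTING, FRAGMENT):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is a fixed 8 bytes; the others carry Hdr Ext Len in 8-octet units
        ext_len = 8 if nh == FRAGMENT else (pkt[off + 1] + 1) * 8
        if nh == HOP_BY_HOP:
            if off != 40:
                raise ValueError("Hop-by-Hop must be the first extension header")
            hdr["hbh_options"] = parse_tlv_options(pkt[off + 2:off + ext_len])
        elif nh == ROUTING:
            hdr["routing_type"] = pkt[off + 2]     # type 0 is deprecated by RFC 5095
        hdr["ext_headers"].append(nh)
        nh = pkt[off]
        off += ext_len
    hdr["next_header"] = nh
    hdr["upper_offset"] = off
    return hdr


def nd_hop_limit_ok(hdr: dict, pkt: bytes):
    """None for non-ND traffic; otherwise whether the ND/SEND message carries the
    Hop Limit 255 that proves it was not forwarded by a router."""
    if hdr["next_header"] != ICMPV6 or hdr["upper_offset"] >= len(pkt):
        return None
    if pkt[hdr["upper_offset"]] not in ND_TYPES:
        return None
    return hdr["hop_limit"] == 255


def ip6(addr: str) -> bytes:
    return ipaddress.IPv6Address(addr).packed


# Rebuilt from the Wireshark decode on slide 71: TC 0xe0, flow 0, payload 56,
# next header UDP (17), hop limit 255; the UDP body is zero-filled (constructed).
DHCPV6_PKT = (bytes.fromhex("6e000000 0038 11 ff") + ip6("fe80::38b1:e73c:c0f0:4442")
              + ip6("ff02::1:2") + struct.pack("!HHHH", 546, 547, 56, 0x86F0) + bytes(48))
# Constructed MLDv1 Report carrying a Hop-by-Hop Router Alert option (RFC 2711, slide 75)
MLD_PKT = (bytes.fromhex("60000000 0020 00 01") + ip6("fe80::1") + ip6("ff02::1:ff00:1")
           + bytes.fromhex("3a00 0502 0000 0100")          # next=58, len=0, Router Alert, PadN
           + bytes.fromhex("8300 0000 0000 0000") + ip6("ff02::1:ff00:1"))
# Constructed Router Advertisement with Hop Limit 64: fails the 255 rule of slide 86
RA_PKT = (bytes.fromhex("60000000 0010 3a 40") + ip6("fe80::1") + ip6("ff02::1")
          + bytes.fromhex("8600 0000 4000 0708 00000000 00000000"))

if __name__ == "__main__":
    for name, pkt in (("DHCPv6", DHCPV6_PKT), ("MLD", MLD_PKT), ("RA", RA_PKT)):
        h = parse_ipv6(pkt)
        print(name, h["src"], "->", h["dst"], "nh", h["next_header"], "hop", h["hop_limit"],
              "hbh", h["hbh_options"], "nd-ok", nd_hop_limit_ok(h, pkt))
```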
87. ICMPV6 INFORMATION MESSAGE
§ pingv6
§ Echo Request
§ Echo Reply
sa13-72c>ping 2000:1::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2000:1::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
sa13-72c>
Apr 21 05:56:54: ICMPv6: Sent echo request, Src=2000:1::20B:60FF:FEB4:9C1A, Dst=2000:1::100
Apr 21 05:56:54: ICMPv6: Received echo reply, Src=2000:1::100, Dst=2000:1::20B:60FF:FEB4:9C1A
Apr 21 05:56:54: ICMPv6: Sent echo request, Src=2000:1::20B:60FF:FEB4:9C1A, Dst=2000:1::100
Apr 21 05:56:54: ICMPv6: Received echo reply, Src=2000:1::100, Dst=2000:1::20B:60FF:FEB4:9C1A
Apr 21 05:56:54: ICMPv6: Sent echo request, Src=2000:1::20B:60FF:FEB4:9C1A, Dst=2000:1::100
Apr 21 05:56:54: ICMPv6: Received echo reply, Src=2000:1::100, Dst=2000:1::20B:60FF:FEB4:9C1A
Apr 21 05:56:54: ICMPv6: Sent echo request, Src=2000:1::20B:60FF:FEB4:9C1A, Dst=2000:1::100
Apr 21 05:56:54: ICMPv6: Received echo reply, Src=2000:1::100, Dst=2000:1::20B:60FF:FEB4:9C1A
[SNIP]
88. ERROR MESSAGES
§ Destination Unreachable
§ Packet Too Big
§ Time Exceeded
§ Parameter Problem
89. TYPE: DESTINATION UNREACHABLE
Code – Description – Utilization
0 – No route to destination – The packet was dropped because the router did not have a route to the destination
1 – Communication administratively prohibited – The packet was filtered by a router (ACL)
3 – Unreachable address – The data link layer address cannot be resolved
4 – Port unreachable – The UDP or TCP destination port does not exist or is ignored by the host
90. TYPE: TIME EXCEEDED
Code: Hop Limit Exceeded in Transit
§ The hop limit is decremented at each hop.
§ When it reaches zero:
§ The packet is dropped
§ ICMPv6 Time Exceeded, code Hop limit exceeded in transit, is sent
to the source address of the packet
§ This mitigates the consequences of a routing loop in a network.
Code: Fragment reassembly time exceeded
§ When a station receives the first fragment of a packet, it starts a timer
§ If the timer reaches zero before the original datagram gets reassembled:
§ All fragments get dropped
§ Time Exceeded, code Fragment reassembly time exceeded, is sent
to the source of the packet
91. TYPE: PACKET TOO BIG
§ When a router must forward a datagram on a link with an MTU smaller than the packet
size
§ It drops the packet
§ It sends an ICMPv6 Packet Too Big providing the MTU of the link
§ The source must
§ Send a new and smaller packet with a length matching the available MTU
§ Or send the original datagram fragmented with a fragment size matching the
available MTU
§ The minimum MTU in IPv6 MUST be 1280 bytes
92. TYPE: PARAMETER PROBLEM
§ A pointer helps this type to find the right field or option
§ Packet with such problem MUST be discarded and an ICMPv6 Parameter
Problem SHOULD be sent
Code – Description – Utilization
0 – Erroneous header field encountered – A field in the header is wrong
1 – Unrecognized next header type encountered – The next header is not recognized
2 – Unrecognized IPv6 option encountered – The option field is not recognized
93. ALU 7750: SHOW ROUTER ICMP6
A:SR-3>show>router>auth# show router icmp6
===============================================================================
Global ICMPv6 Stats
===============================================================================
Received
Total : 14 Errors : 0
Destination Unreachable : 5 Redirects : 5
Time Exceeded : 0 Pkt Too Big : 0
Echo Request : 0 Echo Reply : 0
Router Solicits : 0 Router Advertisements : 4
Neighbor Solicits : 0 Neighbor Advertisements : 0
-------------------------------------------------------------------------------
Sent
Total : 10 Errors : 0
Router Solicits : 0 Router Advertisements : 0
Neighbor Solicits : 5 Neighbor Advertisements : 5
===============================================================================
A:SR-3>show>router>auth#
94. CONCLUSION
§ ICMPv6 is quite similar to ICMP for IPv4
§ Information message: Echo Request, Echo Reply
§ Error Messages
§ ICMPv6 is also used to transport
§ Neighbor Discovery Protocol
§ MLD for multicast
97. NEIGHBOR SOLICITATION (NS)
§ MAC Address Resolution
§ NS are sent to the neighbor's Solicited-Node Multicast Address to resolve its
MAC address based on its IPv6 address
§ Same purpose as ARP in IPv4
§ Optimized, as the NS provides the sender's MAC address
§ Neighbor Unreachability Detection
§ After “reachable time” without neighbor reachability confirmation from the
upper layer, a NS is sent to the neighbor's unicast address to check the
neighbor's reachability
§ Duplicate Address Detection
§ Before an IPv6 address can be used, DAD is performed
98. NS TO RESOLVE THE NEIGHBOR MAC ADDRESS
§ Sent to the solicited-node address, this asks for the neighbor's MAC address from its IPv6 address
99. NS PROBE TO CHECK NEIGHBOR REACHABILITY
§ Sent to the unicast address, this is a probe for reachability
100. ND – NEIGHBOR ADVERTISEMENT
§ To reply with the MAC address or to acknowledge reachability
102. NEIGHBOR UNREACHABILITY DETECTION
§ The ND protocol can detect that a neighbor is unreachable
§ This may be useful to switch to a new default router
§ Reachability is confirmed by:
§ Upper layer protocol acknowledging traffic
§ NA received in response to an NS
§ This is configured on a Cisco router with two parameters:
§ ipv6 nd ns-interval <milliseconds>
§ ipv6 nd reachable-time <milliseconds>
103. STATE MACHINE FOR REACHABILITY
NA1 – Receive a NA with Solicited=0
NA2 – Receive a NA with Solicited=1
NA3 – Receive a NA with Solicited=1 and Override=1, or Override=0 and the link-layer address identical to the one in cache
NA4 – Receive a NA with Solicited=1, Override=0 and a link-layer address different from the one in cache
NA5 – Receive a NA with Solicited=0, Override=1, and a link-layer address different from the cache
O – Receive another ND packet with a link-layer address different from the cache
S – Send a packet
T – Timeout
Te – Timeout with no more retries
U – Upper layer confirmed
Diagram (state transitions): Create Entry, Send NS → INCOMPLETE; INCOMPLETE: NA2 → REACHABLE, NA1 → STALE, T → Retry NS, Te → Report Error, Delete Entry; REACHABLE: T or O or NA4 or NA5 → STALE, NA3 or U → REACHABLE; STALE: S → DELAY, NA3 or U → REACHABLE; DELAY: T → PROBE (Send NS), NA3 or U → REACHABLE, NA5 or O → STALE; PROBE: NA3 or U → REACHABLE, NA5 or O → STALE, T → Retry NS, Te → Delete Entry.
104. NEIGHBOR STATES
§ INCOMPLETE
§ Address resolution is being performed on the entry. Specifically, a Neighbor Solicitation has been sent to the solicited-node
multicast address of the target, but the corresponding Neighbor Advertisement has not yet been received.
§ REACHABLE
§ Positive confirmation was received within the last ReachableTime milliseconds that the forward path to the neighbor was
functioning properly. While REACHABLE, no special action takes place as packets are sent.
§ STALE
§ More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was
functioning properly. While stale, no action takes place until a packet is sent. The STALE state is entered upon receiving an
unsolicited Neighbor Discovery message that updates the cached link-layer address. Receipt of such a message does not confirm
reachability, and entering the STALE state ensures reachability is verified quickly if the entry is actually being used. However,
reachability is not actually verified until the entry is actually used.
§ DELAY
§ More than ReachableTime milliseconds have elapsed since the last positive confirmation was received that the forward path was
functioning properly, and a packet was sent within the last DELAY_FIRST_PROBE_TIMEseconds. If no reachability confirmation is
received within DELAY_FIRST_PROBE_TIME seconds of entering the DELAY state, send a Neighbor Solicitation and change the
state to PROBE. The DELAY state is an optimization that gives upper-layer protocols additional time to provide reachability
confirmation in those cases where ReachableTime milliseconds have passed since the last confirmation due to lack of recent
traffic. Without this optimization, the opening of a TCP connection after a traffic lull would initiate probes even though the
subsequent three-way handshake would provide a reachability confirmation almost immediately.
§ PROBE
§ A reachability confirmation is actively sought by retransmitting Neighbor Solicitations every RetransTimer milliseconds until a
reachability confirmation is received.
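The reachability state machine of slides 103 and 104, as an added example that is not part of the original deck: a minimal model of one neighbor-cache entry driven by the legend's events (NA1-NA5, O, S, T, Te, U). Timers are modelled as explicit `timeout()` calls, the retry limits are the RFC 4861 defaults (MAX_MULTICAST_SOLICIT and MAX_UNICAST_SOLICIT, both 3), and the state names are abbreviated the way the Cisco trace on slide 105 prints them. The address and MAC in `demo_sequence()` are taken from that trace; the class and method names are this example's own.

```python
"""Neighbor Unreachability Detection (NUD) modelled as a state machine (RFC 4861)."""
from enum import Enum

MAX_MULTICAST_SOLICIT = 3   # NS transmissions allowed while INCOMPLETE (RFC 4861 default)
MAX_UNICAST_SOLICIT = 3     # NS transmissions allowed while PROBE (RFC 4861 default)


class State(Enum):
    INCOMPLETE = "INCMP"
    REACHABLE = "REACH"
    STALE = "STALE"
    DELAY = "DELAY"
    PROBE = "PROBE"
    DELETED = "DELETE"


class NeighborEntry:
    """One neighbor-cache entry; creating it sends the first multicast NS."""

    def __init__(self, ipv6):
        self.ipv6 = ipv6
        self.lladdr = None
        self.state = State.INCOMPLETE
        self.probes = 1                      # the NS sent on creation
        self.transitions = ["DELETE -> INCMP"]

    def _go(self, new):
        if new != self.state:
            self.transitions.append(f"{self.state.value} -> {new.value}")
            self.state = new

    # NA1..NA5: a Neighbor Advertisement arrived (RFC 4861 section 7.2.5)
    def receive_na(self, solicited, override, lladdr):
        if self.state == State.DELETED:
            return
        if self.state == State.INCOMPLETE:
            self.lladdr = lladdr             # NA2 (S=1) -> REACHABLE, NA1 (S=0) -> STALE
            self._go(State.REACHABLE if solicited else State.STALE)
            return
        differs = lladdr is not None and lladdr != self.lladdr
        if not override and differs:
            if self.state == State.REACHABLE:   # NA4: demote, keep the cached address
                self._go(State.STALE)
            return
        if differs:
            self.lladdr = lladdr
        if solicited:
            self._go(State.REACHABLE)        # NA3: a solicited reply confirms the path
        elif differs:
            self._go(State.STALE)            # NA5: new address, not yet verified

    # O: another ND message (NS, RS, RA) carrying a source link-layer address
    def receive_other_nd(self, lladdr):
        if self.state == State.DELETED:
            return
        if self.state == State.INCOMPLETE or lladdr != self.lladdr:
            self.lladdr = lladdr
            self._go(State.STALE)

    # S: a packet is sent to the neighbor
    def send_packet(self):
        if self.state == State.STALE:
            self._go(State.DELAY)            # let upper layers confirm before probing

    # U: an upper-layer protocol confirmed forward reachability
    def upper_layer_confirm(self):
        if self.state not in (State.INCOMPLETE, State.DELETED):
            self._go(State.REACHABLE)

    # T / Te: a timer expired; Te is the case where no retransmission is left
    def timeout(self):
        if self.state == State.REACHABLE:
            self._go(State.STALE)            # ReachableTime elapsed
        elif self.state == State.DELAY:
            self.probes = 1                  # DELAY_FIRST_PROBE_TIME elapsed: unicast NS sent
            self._go(State.PROBE)
        elif self.state in (State.INCOMPLETE, State.PROBE):
            limit = MAX_MULTICAST_SOLICIT if self.state == State.INCOMPLETE else MAX_UNICAST_SOLICIT
            if self.probes < limit:
                self.probes += 1             # T: retransmit the NS
            else:
                self._go(State.DELETED)      # Te: give up and delete the entry


def demo_sequence():
    """Resolve 2000:1::100 as in the slide 105 trace, then let the entry age out."""
    n = NeighborEntry("2000:1::100")
    n.receive_na(solicited=True, override=True, lladdr="0008.201a.7c38")  # NA2
    n.timeout()                  # ReachableTime expires: REACH -> STALE
    n.send_packet()              # traffic resumes: STALE -> DELAY
    n.timeout()                  # no upper-layer hint: DELAY -> PROBE
    for _ in range(MAX_UNICAST_SOLICIT):
        n.timeout()              # probes unanswered: entry finally deleted
    return n.transitions
```

Note that an NA with Override=0 and a different link-layer address (NA4) never overwrites the cached address: it only demotes a REACHABLE entry to STALE, so a later probe will decide which address is right.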
105. NEIGHBOR DISCOVERY TRACE ON A CISCO ROUTER
§ No packet is dropped while ND resolves the MAC address: the packet is buffered until resolution completes, and this buffering can be abused for a DoS attack
sa13-72c#ping 2000:1::100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2000:1::100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
sa13-72c#
Apr 18 08:36:03: ICMPv6-ND: DELETE -> INCMP: 2000:1::100
Apr 18 08:36:03: ICMPv6-ND: Sending NS for 2000:1::100 on GigabitEthernet0/2
Apr 18 08:36:03: ICMPv6-ND: Resolving next hop 2000:1::100 on interface GigabitEthernet0/2
Apr 18 08:36:03: ICMPv6-ND: Received NA for 2000:1::100 on GigabitEthernet0/2 from 2000:1::100
Apr 18 08:36:03: ICMPv6-ND: Neighbour 2000:1::100 on GigabitEthernet0/2 : LLA 0008.201a.7c38
Apr 18 08:36:03: ICMPv6-ND: INCMP -> REACH: 2000:1::100
Apr 18 08:36:08: ICMPv6-ND: Received NS for 2000:1::1 on GigabitEthernet0/2 from FE80::208:20FF:FE1A:7C38
Apr 18 08:36:08: ICMPv6-ND: DELETE -> INCMP: FE80::208:20FF:FE1A:7C38
Apr 18 08:36:08: ICMPv6-ND: Neighbour FE80::208:20FF:FE1A:7C38 on GigabitEthernet0/2 : LLA 0008.201a.7c38
Apr 18 08:36:08: ICMPv6-ND: INCMP -> STALE: FE80::208:20FF:FE1A:7C38
Apr 18 08:36:08: ICMPv6-ND: Sending NA for 2000:1::1 on GigabitEthernet0/2
Apr 18 08:36:08: ICMPv6-ND: STALE -> DELAY: FE80::208:20FF:FE1A:7C38
106. NEIGHBOR SOLICITATION CAPTURE
§ The Source Link-Layer Address option is included so that the target does not have to send its own request in the other direction to learn the sender's link-layer address
Internet Protocol Version 6
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 400
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source: fe80::2027:9779:3775:5cf8 (fe80::2027:9779:3775:5cf8)
Destination: fe80::38b1:e73c:c0f0:4442 (fe80::38b1:e73c:c0f0:4442)
Internet Control Message Protocol v6
Type: 135 (Neighbor solicitation)
Code: 0
Checksum: 0x64e3 [correct]
Target: fe80::38b1:e73c:c0f0:4442 (fe80::38b1:e73c:c0f0:4442)
ICMPv6 Option (Source link-layer address)
Type: Source link-layer address (1)
Length: 8
Link-layer address: ca:03:42:76:00:08
107. DUPLICATE ADDRESS DETECTION (DAD)
§ ICMP Type = 135
§ Dst = solicited-node multicast address of A
§ Data = link-layer address of A
§ Query: what is your link-layer address?
§ If no NA is received, the address can be considered unique
§ A then sends an NA to claim this address
108. DUPLICATE ADDRESS DETECTION DEBUG
§ DAD debug on a Cisco router
Apr 18 09:57:31: ICMPv6-ND: L3 came up on GigabitEthernet0/2
Apr 18 09:57:31: IPv6-Addrmgr-ND: DAD request for 2000:1::1 on GigabitEthernet0/2
Apr 18 09:57:31: ICMPv6-ND: Sending NS for 2000:1::1 on GigabitEthernet0/2
Apr 18 09:57:32: IPv6-Addrmgr-ND: DAD: 2000:1::1 is unique.
Apr 18 09:57:32: ICMPv6-ND: Sending NA for 2000:1::1 on GigabitEthernet0/2
Apr 18 09:57:32: IPv6-Address: Address 2000:1::1/64 is up on GigabitEthernet0/2
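The Neighbor Solicitation of slides 106 and 107 in code, as an added example that is not part of the original deck: it derives the solicited-node multicast group and the matching Ethernet group address for a target, builds the ICMPv6 NS (with the Source Link-Layer Address option, or without it and from `::` for a DAD probe as RFC 4862 requires), computes the checksum over the IPv6 pseudo-header, and parses the message back while rejecting a bad checksum or a zero-length option. The addresses used in the checks are the ones of the slide 106 capture and the DAD debug above; the bytes themselves are constructed here, not the captured packet, and the function names are this example's own.

```python
"""Neighbor Solicitation: solicited-node multicast, message build and parse."""
import ipaddress
import struct

ICMPV6_NS = 135
OPT_SLLA = 1
IPPROTO_ICMPV6 = 58


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX, built from the low 24 bits of the target address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | 0x1FF000000 | low24))


def multicast_mac(group):
    """Ethernet group address: 33:33 followed by the low 32 bits of the IPv6 group."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def icmpv6_checksum(src, dst, msg):
    """One's-complement sum over the IPv6 pseudo-header plus the ICMPv6 message.

    Returns 0 when msg already carries a correct checksum field."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(msg), IPPROTO_ICMPV6))
    data = pseudo + msg + (b"\x00" if len(msg) % 2 else b"")
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ns(src, target, slla=None, dst=None):
    """Return (dst, icmpv6_bytes). With src='::' the SLLA option is omitted (DAD probe)."""
    if dst is None:
        dst = solicited_node_multicast(target)   # a NUD probe may pass the unicast target instead
    msg = struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    if slla is not None and src != "::":
        mac = bytes.fromhex(slla.replace(":", "").replace(".", ""))
        msg += struct.pack("!BB", OPT_SLLA, 1) + mac      # option length is in 8-byte units
    csum = icmpv6_checksum(src, dst, msg)
    return dst, msg[:2] + struct.pack("!H", csum) + msg[4:]


def parse_ns(src, dst, msg):
    """Decode an NS; raises ValueError on a wrong type, bad checksum or malformed option."""
    typ, _code, _csum, _reserved = struct.unpack("!BBHI", msg[:8])
    if typ != ICMPV6_NS:
        raise ValueError("not a Neighbor Solicitation")
    if icmpv6_checksum(src, dst, msg) != 0:
        raise ValueError("bad ICMPv6 checksum")
    result = {"target": str(ipaddress.IPv6Address(msg[8:24])), "slla": None, "dad": src == "::"}
    off = 24
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: the packet must be discarded
        if otype == OPT_SLLA:
            result["slla"] = ":".join(f"{b:02x}" for b in msg[off + 2:off + 8])
        off += olen * 8
    return result
```

The solicited-node group computed for fe80::38b1:e73c:c0f0:4442 is ff02::1:fff0:4442, which is exactly the group that appears in the `show ipv6 interface` output of slide 136 for that link-local address.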
109. REDIRECT
§ A Redirect is sent by a router to provide a better next hop for a destination
§ It is sent when the router forwards a packet back out of the interface on which that packet was received
§ Can be abused in DoS attacks (IPv4 or IPv6)
§ Acceptance of Redirects may be disabled on most OSes (IPv4 or IPv6)
111. REDIRECT: H1 ROUTE TO H2 VIA R2
[Figure: H1 reaches H2 via R2 after the Redirect]
112. ROUTER ADVERTISEMENT (RA)
§ A Router Advertisement is sent by a router to announce its availability as a router, with its link-local IPv6 address as source
§ A Router Advertisement also provides configuration parameters to use on the link:
§ MTU
§ Availability of DHCPv6 for configuration
§ Hop Limit
§ Prefixes available on the link, and whether these prefixes can be used for autoconfiguration
§ Addresses of DNS servers
§ Router Advertisements can be sent unsolicited on a regular basis
§ Router Advertisements can be requested with a Router Solicitation
§ May be abused by an attacker (RFC6102)
113. ND – ROUTER ADVERTISEMENT (RA)
§ ICMP Type = 134
§ Src = router link-local address
§ Dst = All-nodes multicast address, FF02::1
§ Data = options, prefix, lifetime, autoconfig flag
§ Cisco router configuration:
§ ipv6 unicast-routing
114. RA FIELDS DESCRIPTION
§ Router link-local address
§ Lifetime: the time this router will be considered active. A Lifetime of zero is used by a router which cannot be used as a default router.
§ Hops: default Hop Limit to use on this link.
§ MTU: default MTU to use on this link.
§ Reachable time: used by NUD. The length of time a node considers a neighbor reachable until another reachability confirmation is received from that neighbor.
§ Retransmit time: used by address resolution and NUD. It specifies the minimum time, in milliseconds, between retransmitted Neighbor Solicitation messages.
§ AddrFlag: the Managed Address flag, used to signal the use of DHCPv6 for address and other configuration. When set, the OtherFlag is redundant.
§ OtherFlag: used to signal the use of DHCPv6 for other parameter configuration.
§ There is also a 1-bit Autonomous address-configuration flag in the Prefix option. When set, it indicates that this prefix can be used for stateless address configuration.
115. RA ON CISCO ROUTER - SHOW IPV6 ROUTERS
hote#show ipv6 routers
Router FE80::2038:148E:B9DF:FD6D on FastEthernet0/0, last update 2 min
Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
HomeAgentFlag=0, Preference=Medium
Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
Prefix 2001::/64 onlink autoconfig
Valid lifetime 2592000, preferred lifetime 604800
Note: a router which cannot be used as a default router sends RAs with Lifetime=0
116. RA CAPTURE
Internet Protocol Version 6
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 104
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source: fe80::207:cbff:fe3e:b6b3 (fe80::207:cbff:fe3e:b6b3)
Destination: ff02::1 (ff02::1)
Internet Control Message Protocol v6
Type: 134 (Router advertisement)
Code: 0
Checksum: 0xf74b [correct]
Cur hop limit: 64
Flags: 0x00
Router lifetime: 1800
Reachable time: 0
Retrans timer: 0
ICMPv6 Option (Prefix information)
Type: Prefix information (3)
Length: 32
Prefix length: 64
Flags: 0xc0
Valid lifetime: 86400
Preferred lifetime: 86400
Prefix: 2a01:e35:2f26:d340::
ICMPv6 Option (Recursive DNS Server)
Type: Recursive DNS Server (25)
Length: 40
Reserved
Lifetime: 600
Recursive DNS Servers: dns3.proxad.net (2a01:e00::2)
Recursive DNS Servers: dns2.proxad.net (2a01:e00::1)
ICMPv6 Option (MTU)
Type: MTU (5)
Length: 8
MTU: 1480
ICMPv6 Option (Source link-layer address)
Type: Source link-layer address (1)
Length: 8
Link-layer address: 00:07:cb:3e:b6:b3
[Figure callouts: source MAC address, MTU, all-nodes link-local destination address, router lifetime]
117. DNS SERVER ANNOUNCED IN RA (RFC 6106)
§ RA can include the DNS server addresses (Recursive DNS Server option)
§ MAC OS X 10.7 supports this option
§ RDNSS configuration in rtadvd.conf for the Linux rtadvd daemon:
interface eth0 {
    AdvSendAdvert on;
    prefix 2001:db8:cafe:1::/64 {
        AdvOnLink on;
        AdvAutonomous on;
    };
    rdnss 2001:db8:cafe:1::1 {
    };
}
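A decoder for the Router Advertisement of slides 114 to 117, as an added example that is not part of the original deck: it parses the RA header (Cur Hop Limit, the M and O flags, Router Lifetime, Reachable Time, Retrans Timer) and the options of the slide 116 capture (Source Link-Layer Address, Prefix Information with its L and A flags, MTU, and the RFC 6106 Recursive DNS Server option), then derives from the M/O bits the DHCPv6 mode described on slide 125. `sample_ra()` is constructed here from the values printed in that capture, not the captured bytes; its checksum field is left at zero because the IPv6 header needed to verify it is not modelled. All function names are this example's own.

```python
"""Decode an ICMPv6 Router Advertisement and its ND options."""
import ipaddress
import struct

ICMPV6_RA = 134
OPT_SLLA, OPT_PREFIX_INFO, OPT_MTU, OPT_RDNSS = 1, 3, 5, 25


def parse_ra(msg):
    typ, _code, _csum, cur_hop, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", msg[:16])
    if typ != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    ra = {"cur_hop_limit": cur_hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "reachable_time": reachable, "retrans_timer": retrans,
          "prefixes": [], "rdnss": None, "mtu": None, "slla": None}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")        # RFC 4861: discard the packet
        body = msg[off + 2:off + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("truncated ND option")
        if otype == OPT_SLLA:
            ra["slla"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFO:
            plen, pflags, valid, preferred, _res, prefix = struct.unpack("!BBIII16s", body)
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(prefix)}/{plen}",
                                   "on_link": bool(pflags & 0x80),     # L flag
                                   "autonomous": bool(pflags & 0x40),  # A flag
                                   "valid": valid, "preferred": preferred})
        elif otype == OPT_MTU:
            ra["mtu"] = struct.unpack("!2xI", body)[0]
        elif otype == OPT_RDNSS:
            rlife = struct.unpack("!2xI", body[:6])[0]
            servers = [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(6, len(body), 16)]
            ra["rdnss"] = {"lifetime": rlife, "servers": servers}
        off += olen * 8
    return ra


def dhcpv6_mode(ra):
    """What the M and O bits tell hosts to do (slide 125)."""
    if ra["managed"]:
        return "stateful DHCPv6"      # address and other parameters from DHCPv6
    if ra["other"]:
        return "stateless DHCPv6"     # SLAAC address, other parameters from DHCPv6
    return "SLAAC only"


def sample_ra():
    """RA assembled from the values of the slide 116 capture (constructed bytes)."""
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0x00, 1800, 0, 0)
    prefix = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, 64, 0xC0, 86400, 86400, 0,
                         ipaddress.IPv6Address("2a01:e35:2f26:d340::").packed)
    rdnss = (struct.pack("!BBHI", OPT_RDNSS, 5, 0, 600)
             + ipaddress.IPv6Address("2a01:e00::2").packed
             + ipaddress.IPv6Address("2a01:e00::1").packed)
    mtu = struct.pack("!BBHI", OPT_MTU, 1, 0, 1480)
    slla = struct.pack("!BB", OPT_SLLA, 1) + bytes.fromhex("0007cb3eb6b3")
    return hdr + prefix + rdnss + mtu + slla
```

The assembled message is 104 bytes long, which matches the payload length shown in the capture, and the prefix flags 0xc0 decode to L=1 and A=1, i.e. the prefix is on-link and usable for SLAAC.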
118. ALU 7750 CONFIGURATION OF THE RA
RAs must be enabled explicitly, as they are not generated by default.
CLI Syntax:
config>router# router-advertisement
    interface ip-int-name
        current-hop-limit number
        managed-configuration
        max-advertisement-interval seconds
        min-advertisement-interval seconds
        mtu mtu-bytes
        other-stateful-configuration
        prefix ipv6-prefix/prefix-length
            autonomous
            on-link
            preferred-lifetime {seconds | infinite}
            valid-lifetime {seconds | infinite}
        reachable-time milli-seconds
        retransmit-time milli-seconds
        router-lifetime seconds
        no shutdown
        use-virtual-mac
119. ALU 7750 RA CONFIGURATION
Router-advertisement
Syntax: router-advertisement
Context: config>router
Description: This command configures router advertisement properties. By default, it is disabled for all IPv6-enabled interfaces. The no form of the command disables router advertisement on all IPv6 interfaces, whereas the no interface interface-name command disables it on a specific interface.
Default: disabled
120. ALU 7750 RA CONFIGURATION
Prefix
Syntax: [no] prefix [ipv6-prefix/prefix-length]
Context: config>router>router-advert>if
Description: This command configures an IPv6 prefix in the router advertisement messages. To support multiple IPv6 prefixes, use multiple prefix statements. No prefix is advertised until explicitly configured using prefix statements.
Default: none
Parameters:
ip-prefix: the IP prefix for the prefix list entry in dotted decimal notation.
    Values: ipv4-prefix a.b.c.d (host bits must be 0); ipv4-prefix-length 0 — 32
            ipv6-prefix x:x:x:x:x:x:x:x (eight 16-bit pieces) or x:x:x:x:x:x:d.d.d.d, with x: [0 — FFFF]H and d: [0 — 255]D; ipv6-prefix-length 0 — 128
prefix-length: specifies that a route must match the most significant bits and have a prefix length.
    Values: 1 — 128
121. ND – ROUTER SOLICITATION
§ ICMP Type = 133
§ Src = :: or link-local address
§ Dst = All-routers multicast address
§ When a station boots, it must send an RS message to request router information
122. NEXT-HOP DETERMINATION
§ This differs from IPv4, as two nodes can be neighbors while having different prefixes.
§ A neighbor is considered on-link if:
§ It is covered by a prefix of the link
§ An NA has been received for this address
§ Any ND message has been received from this address
§ An RA has been received with this prefix in its prefix list
§ A Redirect message has been received with a target equal to this address
123. STATELESS ADDRESS AUTOCONFIGURATION (SLAAC)
RFC 4862, IPv6 Stateless Address Autoconfiguration
§ RS/RA to request the prefixes available to build addresses
§ DAD to test the new addresses
124. AUTOCONFIGURATION WITH DHCPV6
§ Stateful autoconfiguration with DHCPv6, RFC3315
§ DHCPv6 provides the address and other parameters (DNS, domain name, SIP…)
§ Stateless autoconfiguration with DHCPv6
§ SLAAC is used for address configuration
§ DHCPv6 for the other information (DNS, domain name)
§ Prefix Delegation
§ DHCPv6 can be used to provide a prefix which can be subnetted
§ The Service Provider uses DHCPv6 PD to allocate a block of addresses to the customer
125. STATEFUL OR STATELESS AUTOCONFIG DHCPV6
§ IPv6 routers signal how DHCPv6 is to be used by end nodes
§ The RA M bit « Managed Address Configuration » is set if DHCPv6 must be used for address configuration. If the M bit is set, the O bit is redundant, as DHCPv6 will be used to obtain the whole configuration.
§ The RA O bit « Other Stateful Configuration » is set if DHCPv6 must be used for the other configuration parameters
§ M and possibly O bits are set in the RA for DHCPv6 stateful autoconfiguration
§ M = 0 and O = 1 in the RA for DHCPv6 stateless autoconfiguration
§ DHCPv6 clients and relays use IPv6 multicast addresses
§ « ff02::1:2 » All relay agents and servers, link-local scope
§ « ff05::1:3 » All DHCPv6 servers, site-local scope
126. AUTOCONFIGURATION (STATEFUL DHCPV6)
[Figure: DHCPv6 with Rapid Commit; the address and the other parameters are configured from DHCPv6]
127. AUTOCONFIGURATION (STATELESS DHCPV6)
[Figure: DHCPv6 with Rapid Commit; address configuration from the prefix received in the RA (SLAAC), other parameters given by a DHCPv6 server]
129. MAIN ALGO OF AUTOCONFIGURATION PROCESS
[Flowchart, reconstructed from its labels:]
Start
1. Derive the link-local address FE80::[Interface ID]
2. Send an NS to the solicited-node multicast address derived from the link-local address
3. NA received? Yes: Stop. No: initialize the link-local address
4. Send an RS
5. RA received? No: use DHCPv6 and exit
6. Yes: set Hop Limit, Reachable Time, Retrans Timer and MTU
7. Prefix Information present? Yes: process the prefixes (A, see slide 134) and continue at B
8. Managed Address Configuration flag = 1? Yes: use DHCPv6
9. Other Configuration flag = 1? Yes: use DHCPv6
10. Stop
130. TENTATIVE: THE AUTOCONF PROCESS IS STARTING…
§ First step
§ Address verification with « Duplicate Address Detection (DAD) »
§ In this state the address can only receive a response to the DAD NS request
[Figure: address lifetime diagram. Tentative, then Valid (Preferred, then Deprecated), then Invalid; the Preferred Lifetime ends the Preferred period and the Valid Lifetime ends the Valid period]
131. AUTOCONFIG: PREFERRED LIFETIME
§ The address has been verified by DAD and can be used to send and receive unicast traffic.
§ The address can be used for new connections as well as by existing ones
§ The Preferred Lifetime is determined by the Preferred Lifetime field of the RA Prefix Information option, or by the preferred-lifetime of the DHCPv6 IA Address option
132. AUTOCONFIG: DEPRECATED
§ The address has been verified by DAD
§ New connections should not use this address
§ Existing communications can keep using this address
133. AUTOCONFIG: VALID LIFETIME
§ The address can be used to send and receive unicast traffic
§ The Valid state includes the Preferred and Deprecated states
§ The Valid Lifetime is determined by the Valid Lifetime field of the RA Prefix Information option, or by the valid-lifetime of the DHCPv6 IA Address option
134. RA PREFIX OPTION
ipv6 nd prefix <prefix/mask> [Valid] [Preferred] [no-advertise | off-link | no-autoconfig]
[Flowchart A (prefix processing), reconstructed from its labels: take the first Prefix Information option; check the On-Link flag, the Autonomous flag, Preferred > Valid and Valid = 0 (a prefix that fails these checks is ignored); otherwise derive the stateless address Prefix:[interface ID] and send an NS to the matching solicited-node multicast address; if an NA is received, do not initialize the stateless address, otherwise initialize it; if other prefixes remain to be processed, go to the next prefix, else continue at B]
135. AUTOCONFIG: INVALID
§ The address cannot be used to send or receive traffic
§ The address reaches the Invalid state when the Valid Lifetime has expired
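The SLAAC process of slides 129 to 135 in code, as an added example that is not part of the original deck: it builds the modified EUI-64 interface identifier from a MAC address, forms the link-local address and the stateless address Prefix:[interface ID], applies the Prefix Information checks of the slide 134 flowchart that RFC 4862 section 5.5.3 specifies (Autonomous flag, Preferred > Valid, Valid = 0, and never a link-local prefix), and reports the Tentative / Preferred / Deprecated / Invalid state for a given time since configuration. The MAC and prefix used in the checks come from the slide 116 capture and the slide 105 trace; the lifetimes are constructed, and the function names are this example's own.

```python
"""SLAAC: EUI-64 address formation, prefix checks and address lifetime states."""
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit and insert ff:fe in the middle."""
    raw = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def link_local_address(mac):
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac))


def stateless_address(prefix, mac):
    """Prefix:[interface ID]; an EUI-64 identifier only fits a /64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def prefix_usable(prefix, autonomous, valid, preferred):
    """Checks made on a Prefix Information option before it is used for autoconfiguration."""
    if not autonomous:
        return False            # A flag clear: prefix is not for stateless configuration
    if ipaddress.IPv6Network(prefix, strict=False).is_link_local:
        return False            # link-local prefixes are never used for SLAAC
    if preferred > valid or valid == 0:
        return False            # inconsistent lifetimes, or an already-expired prefix
    return True


def address_state(elapsed, preferred, valid, dad_done=True):
    """Tentative until DAD completes, then preferred -> deprecated -> invalid over time."""
    if not dad_done:
        return "tentative"
    if elapsed >= valid:
        return "invalid"        # may no longer send or receive
    if elapsed >= preferred:
        return "deprecated"     # existing connections only, no new ones
    return "preferred"


def lifecycle(prefix, mac, autonomous, valid, preferred, elapsed_samples):
    """Address an interface forms from an RA prefix, and its state at each sample time."""
    if not prefix_usable(prefix, autonomous, valid, preferred):
        return None
    addr = str(stateless_address(prefix, mac))
    return addr, [address_state(t, preferred, valid) for t in elapsed_samples]
```

The link-local address derived from 00:07:cb:3e:b6:b3 is fe80::207:cbff:fe3e:b6b3, the source of the RA on slide 116, and the one derived from 0008.201a.7c38 is fe80::208:20ff:fe1a:7c38, the neighbor of the slide 105 trace, so both captures used EUI-64 identifiers.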
136. AUTOCONFIG - SHOW IPV6 INTERFACE
hote#sh ipv6 int fa0/0
FastEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::38B1:E73C:C0F0:4442
No Virtual link-local address(es):
Global unicast address(es):
BAD:1:2:FC64:8ECC:593A:15C3:654, subnet is BAD:1:2:FC64:8ECC:593A:15C3:654/128
2001::20EC:31D3:14CB:A7A, subnet is 2001::/64
Joined group address(es):
FF02::1
FF02::1:FFC3:654
FF02::1:FFCB:A7A
FF02::1:FFF0:4442
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 37164)
Default router is FE80::2038:148E:B9DF:FD6D on FastEthernet0/0
hote#
137. RFC 2894 ROUTER RENUMBERING FOR IPV6
§ Node renumbering is performed thanks to RAs
§ The old prefix is announced with a very small or zero Preferred Lifetime, and the new prefix with a normal Preferred Lifetime
§ Hosts then have two prefixes
§ Addresses built from the old prefix are deprecated
§ New connections use the new prefix
§ After some time, all connections run on the new prefix
§ The router then announces only the new prefix
§ The old prefix becomes invalid
139. NDP PDU SUMMARY
Message | Goal | ICMP type | Sender | Target | Options
Router Solicitation (RS) | Request an immediate RA | 133 | Host | All routers | SLLA
Router Advertisement (RA) | Announce: default router, prefixes, parameters | 134 | Routers | RS sender or all hosts | SLLA, MTU, Prefix, Route, Interval, Home Agent info
Neighbor Solicitation (NS) | Request the link-layer address of the target; also used to send probes (NUD) | 135 | Hosts | Solicited-node multicast address or unicast address of the target | SLLA
Neighbor Advertisement (NA) | Answer to the NS | 136 | Hosts | Sender of the NS or all hosts | TLLA
Redirect | Information on a better next hop for a destination | 137 | Routers | Host which triggered the Redirect | TLLA, Redirected header
Inverse Neighbor Solicitation (INS) | Request an IPv6 address matching a link-layer address | 141 | Hosts | All hosts | SLLA, TLLA, MTU, Source address list
Inverse Neighbor Advertisement (INA) | Answer to the INS | 142 | Hosts | INS sender | SLLA, TLLA, Target address list, MTU
141. CONCLUSION
§ NDP is part of any IPv6 stack
§ NDP provides many services allowing address and default router
autoconfiguration
§ NDP checks the Neighbor availability
§ NDP is vulnerable to DoS attacks. See RFC3756.
143. OBJECTIVES
§ Understand DHCPv6
§ Understand the support of DNS for IPv6
§ Understand Mobile IPv6
§ Find a list of IPv6-ready network applications
§ 1949 applications supporting IPv6
§ http://www.ipv6-to-standard.org/
§ How to test your stack and ISP
§ http://test-ipv6.com/
145. STATEFUL DHCPv6 SIGNALING
§ Stateful autoconfiguration with DHCP for IPv6, RFC3315
§ IPv6 routers signal the use of DHCPv6
§ The M-bit flag « Managed Address Configuration » is set when address and network parameter configuration are available from DHCPv6
§ The O-bit flag « Other Stateful Configuration » is set when the configuration of the other parameters must be performed with DHCPv6
146. DHCP MOST IMPORTANT TERMINOLOGY
DUID = DHCP Unique IDentifier
http://tools.ietf.org/html/rfc3315#section-9
Each DHCP client or server has its DUID. It is based on the link-layer address, the vendor, the enterprise, the time… What I have seen the most for the moment is the link-layer (LL or MAC address) based DUID.
Very important, as DHCP uses multicast to communicate with ALL DHCP nodes: the DUID is used to find the right node.
IA = Identity Association
http://tools.ietf.org/html/rfc3315#section-10
Each IA must be associated with exactly one interface. An interface may have multiple prefixes but will have ONE IA. This is a logical construct that can be used for a group of interfaces which play the same role.
« Each address in an IA has a preferred lifetime and a valid lifetime, as defined in RFC 2462 [17]. The lifetimes are transmitted from the DHCP server to the client in the IA option. The lifetimes apply to the use of IPv6 addresses, as described in section 5.5.4 of RFC 2462. » From RFC 3315 Section 10.
IMPORTANT: when these timers need to be changed, it is done on the server, the source! Changing the router's timers has no effect.
147. HOW ARE ADDRESSES TRANSPORTED?
[Figure: option layouts]
IA_NA option (non-temporary addresses, with DHCPv6 timers):
    OPTION_IA_NA | option-len
    IAID
    T1
    T2
    IA_NA-options
IA_TA option (temporary addresses; no timers, they are managed by the upper layer!):
    OPTION_IA_TA | option-len
    IAID
    IA_TA-options
IA Address option (IPv6 address and timers; 0xffffffff is infinity):
    OPTION_IAADDR | option-len
    IPv6 address
    preferred-lifetime
    valid-lifetime
    IAaddr-options
148. DHCPV6 MULTICAST ADDRESSES
§ "ff02::1:2" Link-local scope. All relay agents and servers
§ "ff05::1:3" Site-local scope. All DHCPv6 servers
[Figure: exchange between a DHCPv6 client and a DHCPv6 server at fe80::1]
Client -> ff02::1:2: SOLICIT
Server (fe80::1) -> client: ADVERTISE ("Yes, I am here and I can provide you with blah blah blah!")
Client -> ff02::1:2: REQUEST ("I want to reserve 2001:db8:12:FD:45:fa:F, use domain fredbovy.com and DNS servers 2a01::1, 2a01::2")
Server (fe80::1) -> client: REPLY ("Yes, you got it! It's all for you!")
149. DHCPv6 CLIENT – SERVER
Solicit: Src = client link-local address, Dst = All_DHCP_Relay_Agents_and_Servers (FF02::1:2)
Advertise: Src = server link-local address, Dst = client link-local address
Request: Src = client link-local address, Dst = All_DHCP_Relay_Agents_and_Servers (FF02::1:2)
Reply: Src = server link-local address, Dst = client link-local address
150. DHCPv6 CLIENT – RELAY – SERVER
Client -> relay: Solicit, Src = client link-local address, Dst = All_DHCP_Relay_Agents_and_Servers (FF02::1:2)
Relay -> server: Relay-Forward (Solicit) to All_DHCP_Servers (FF05::1:3)
Server -> relay: Relay-Reply (Advertise)
Relay -> client: Advertise
Client -> relay: Request, Src = client link-local address, Dst = All_DHCP_Relay_Agents_and_Servers (FF02::1:2)
Relay -> server: Relay-Forward (Request) to All_DHCP_Servers (FF05::1:3)
Server -> relay: Relay-Reply (Reply)
Relay -> client: Reply, Dst = client link-local address
151. DHCPv6 SOLICIT (1)
Internet Protocol Version 6
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 56
Next header: UDP (0x11)
Hop limit: 255
Source: fe80::38b1:e73c:c0f0:4442 (fe80::38b1:e73c:c0f0:4442)
Destination: ff02::1:2 (ff02::1:2)
User Datagram Protocol, Src Port: dhcpv6-client (546), Dst Port: dhcpv6-server (547)
Source port: dhcpv6-client (546)
Destination port: dhcpv6-server (547)
Length: 56
Checksum: 0x86f0 [validation disabled]
[Figure callouts: link-local All Servers and Relays destination; dhcpv6-client: 546; dhcpv6-server: 547]
152. DHCPv6 SOLICIT (2)
DHCPv6 Message type: Solicit (1)
Transaction-ID: 0x00b44306
Elapsed time
option type: 8
option length: 2
elapsed-time: 0 ms
Client Identifier
option type: 1
option length: 10
DUID type: link-layer address (3)
Hardware type: Ethernet (1)
Link-layer address: ca:02:42:76:00:08
Option Request
option type: 6
option length: 4
Requested Option code: DNS recursive name server (23)
Requested Option code: Domain Search List (24)
Identity Association for Non-temporary Address
option type: 3
option length: 12
IAID: 262145
T1: 0
T2: 0
[Figure callouts: DNS server address, domain name, non-temporary address]
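A decoder for the DHCPv6 messages of slides 146, 147 and 152, as an added example that is not part of the original deck: it walks the option TLVs and decodes the Client Identifier (with its DUID-LL, the form slide 146 says is the most common), the Option Request, the Elapsed Time, and IA_NA with its IAID, T1, T2 and nested IA Address options carrying the preferred and valid lifetimes of slide 147. `sample_solicit()` and `sample_reply()` are constructed here from the values printed on slides 152 and 155; they are not the captured packets, and the function names are this example's own.

```python
"""Decode DHCPv6 messages: Solicit options and an IA_NA binding in a Reply."""
import ipaddress
import struct

SOLICIT, REPLY = 1, 7
OPT_CLIENTID, OPT_IA_NA, OPT_IAADDR, OPT_ORO, OPT_ELAPSED = 1, 3, 5, 6, 8
DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3


def parse_options(data):
    """Generic option walk: returns [(option-code, option-data), ...]."""
    opts, off = [], 0
    while off + 4 <= len(data):
        code, length = struct.unpack("!HH", data[off:off + 4])
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated DHCPv6 option")
        opts.append((code, body))
        off += 4 + length
    return opts


def parse_duid(body):
    """DUID-LLT (1), DUID-EN (2) or DUID-LL (3); 'raw' is the hex form Cisco prints."""
    duid = {"raw": body.hex().upper()}
    dtype = struct.unpack("!H", body[:2])[0]
    if dtype == DUID_LL:
        duid.update(type="DUID-LL", hw_type=struct.unpack("!H", body[2:4])[0], lladdr=body[4:].hex())
    elif dtype == DUID_LLT:
        hw, t = struct.unpack("!HI", body[2:8])
        duid.update(type="DUID-LLT", hw_type=hw, time=t, lladdr=body[8:].hex())
    elif dtype == DUID_EN:
        duid.update(type="DUID-EN", enterprise=struct.unpack("!I", body[2:6])[0])
    else:
        duid.update(type=dtype)
    return duid


def parse_ia_na(body):
    """IAID, T1, T2 and the nested IA Address options (address plus two lifetimes)."""
    iaid, t1, t2 = struct.unpack("!III", body[:12])
    ia = {"iaid": iaid, "t1": t1, "t2": t2, "addresses": []}
    for code, sub in parse_options(body[12:]):
        if code == OPT_IAADDR:
            addr, pref, valid = struct.unpack("!16sII", sub[:24])
            ia["addresses"].append({"address": str(ipaddress.IPv6Address(addr)),
                                    "preferred": pref, "valid": valid})
    return ia


def parse_dhcpv6(msg):
    out = {"msg_type": msg[0], "xid": int.from_bytes(msg[1:4], "big")}
    for code, body in parse_options(msg[4:]):
        if code == OPT_CLIENTID:
            out["client_duid"] = parse_duid(body)
        elif code == OPT_ORO:
            out["requested"] = list(struct.unpack(f"!{len(body) // 2}H", body))
        elif code == OPT_ELAPSED:
            out["elapsed_ms"] = struct.unpack("!H", body)[0] * 10   # unit is 1/100 s
        elif code == OPT_IA_NA:
            out["ia_na"] = parse_ia_na(body)
    return out


def sample_solicit():
    """Solicit with the values of the slide 152 capture (constructed bytes)."""
    hdr = bytes([SOLICIT]) + (0x00B44306).to_bytes(3, "big")
    elapsed = struct.pack("!HHH", OPT_ELAPSED, 2, 0)
    duid = struct.pack("!HH", DUID_LL, 1) + bytes.fromhex("ca0242760008")
    client_id = struct.pack("!HH", OPT_CLIENTID, len(duid)) + duid
    oro = struct.pack("!HHHH", OPT_ORO, 4, 23, 24)        # DNS servers, domain search list
    ia_na = struct.pack("!HHIII", OPT_IA_NA, 12, 0x00040001, 0, 0)
    return hdr + elapsed + client_id + oro + ia_na


def sample_reply():
    """Reply carrying the IA_NA binding printed on slide 155 (constructed bytes)."""
    hdr = bytes([REPLY]) + (0x00B44306).to_bytes(3, "big")
    iaaddr = struct.pack("!HH16sII", OPT_IAADDR, 24,
                         ipaddress.IPv6Address("dead:beef:1:2:6090:18a5:e017:de5c").packed,
                         86400, 172800)
    ia_na = struct.pack("!HHIII", OPT_IA_NA, 12 + len(iaaddr), 0x00040001, 43200, 69120) + iaaddr
    return hdr + ia_na
```

The constructed Solicit is 48 bytes, which with the 8-byte UDP header gives the UDP length of 56 shown on slide 151; the decoded DUID is 00030001CA0242760008, the value `show ipv6 dhcp bind` prints on slide 155; and the T1/T2 of 43200/69120 in the Reply are 0.5 and 0.8 of the 86400 s preferred lifetime, the values RFC 3315 recommends a server to use.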
154. DHCPV6 SERVER STATUS
R4>show ipv6 dhcp
This device's DHCPv6 unique identifier(DUID): 00030001CA0342760008
R4>show ipv6 dhcp int
FastEthernet0/0 is in server mode
Using pool: fred
Preference value: 0
Hint from client: ignored
Rapid-Commit: disabled
R4#show ipv6 dhcp pool
DHCPv6 pool: fred
Static bindings:
Binding for client BADCAF0E
IA PD: IA ID not specified
Prefix: DEAD:BEEF::/48
preferred lifetime 604800, valid lifetime 2592000
Address allocation prefix: DEAD:BEEF:1:2:3::/64 valid 172800 preferred 86400 (1 in use, 0 conflicts)
Domain name: fredbovy.com
Active clients: 1
155. DHCPV6 SERVER ALLOCATION
R4#show ipv6 dhcp bind
Client: FE80::38B1:E73C:C0F0:4442
DUID: 00030001CA0242760008
Username : unassigned
IA NA: IA ID 0x00040001, T1 43200, T2 69120
Address: DEAD:BEEF:1:2:6090:18A5:E017:DE5C
preferred lifetime 86400, valid lifetime 172800
expires at Aug 11 2010 03:23 PM (172554 seconds)
156. DHCPv6 CLIENT
hote#show ipv6 dhcp interface
FastEthernet0/0 is in client mode
Prefix State is IDLE
Address State is OPEN
Renew for address will be sent in 11:39:08
List of known servers:
Reachable via address: FE80::2027:9779:3775:5CF8
DUID: 00030001CA0342760008
Preference: 0
Configuration parameters:
IA NA: IA ID 0x00040001, T1 43200, T2 69120
Address: BAD:1:2:FC64:8ECC:593A:15C3:654/128
preferred lifetime 86400, valid lifetime 172800
expires at Aug 11 2010 02:36 PM (171549 seconds)
Domain name: fredbovy.com
Information refresh time: 0
Prefix Rapid-Commit: disabled
Address Rapid-Commit: disabled
Configuration:
interface FastEthernet0/0
ipv6 address dhcp
157. DHCPv6 OPERATION
*Aug 9 15:34:32.806: IPv6 DHCP: Received REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0
*Aug 9 15:34:32.806: IPv6 DHCP: IA_NA 00040001 contains status code NOADDRS-AVAIL
*Aug 9 15:34:32.806: IPv6 DHCP: DHCPv6 address changes state from REQUEST to SOLICIT (ADDR_NAK) on FastEthernet0/0
*Aug 9 15:34:32.806: IPv6 DHCP: Received REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0
*Aug 9 15:34:32.806: IPv6 DHCP: No matching transaction ID in REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0
*Aug 9 15:34:33.782: IPv6 DHCP: Sending SOLICIT to FF02::1:2 on FastEthernet0/0
*Aug 9 15:34:33.786: IPv6 DHCP: Received ADVERTISE from FE80::2027:9779:3775:5CF8 on FastEthernet0/0
*Aug 9 15:34:33.786: IPv6 DHCP: Adding server FE80::2027:9779:3775:5CF8
*Aug 9 15:34:33.786: IPv6 DHCP: Received ADVERTISE from FE80::2027:9779:3775:5CF8 on FastEthernet0/0
*Aug 9 15:34:34.858: IPv6 DHCP: Sending REQUEST to FF02::1:2 on FastEthernet0/0
*Aug 9 15:34:34.858: IPv6 DHCP: DHCPv6 address changes state from SOLICIT to REQUEST (ADDR_ADVERTISE_RECEIVED) on FastEthernet0/0
*Aug 9 15:34:34.858: IPv6 DHCP: Received REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0
*Aug 9 15:34:34.858: IPv6 DHCP: Processing options
*Aug 9 15:34:34.862: IPv6 DHCP: Adding address DEAD:BEEF:1:2:C541:3F5C:EA1A:BE21/128 to FastEthernet0/0
*Aug 9 15:34:34.870: IPv6 DHCP: T1 set to expire in 43200 seconds
*Aug 9 15:34:34.870: IPv6 DHCP: T2 set to expire in 69120 seconds
*Aug 9 15:34:34.870: IPv6 DHCP: Configuring domain name fredbovy.com
*Aug 9 15:34:34.870: IPv6 DHCP: DHCPv6 address changes state from REQUEST to OPEN (ADDR_REPLY_RECEIVED) on FastEthernet0/0
*Aug 9 15:34:34.870: IPv6 DHCP: Received REPLY from FE80::2027:9779:3775:5CF8 on FastEthernet0/0
*Aug 9 15:34:34.870: IPv6 DHCP: DHCPv6 address changes state from OPEN to OPEN (ADDR_REPLY_RECEIVED) on FastEthernet0/0
158. STATELESS DHCPV6
§ IPv6 routers signal how DHCPv6 is to be used
§ M bit = 0 « Managed Address Configuration »: use SLAAC for address autoconfiguration
§ O bit = 1 « Other Stateful Configuration »: use DHCPv6 for the other parameters
§ The address is configured by SLAAC
§ The other parameters are then requested from the DHCPv6 server
159. DHCP PREFIX DELEGATION
§ The DHCPv6 PD server allocates a block of addresses
§ The block received by the client is then subnetted to configure each interface
160. IDENTITY ASSOCIATION IA_PD
[Figure: option layouts]
IA_PD option:
    OPTION_IA_PD | option-length
    IAID (4 octets)
    T1
    T2
    IA_PD-options
IA_PD Prefix option:
    OPTION_IAPREFIX | option-length
    preferred-lifetime
    valid-lifetime
    prefix-length
    IPv6 prefix (16 octets)
    IAprefix-options
161. DHCP PREFIX DELEGATION
[Figure: the ISP (2001:db8::/32) runs a DHCP PD server; each DHCP PD client receives a /48 (2001:db8:1::/48, 2001:db8:2::/48) and advertises /64 subnets of it on its links with RAs (2001:db8:1:1::/64, 2001:db8:2:1::/64, 2001:db8:2:2::/64)]
162. DHCP-PD OPERATION
[Figure: a DHCP-PD server (2001:db8:678::/32) reached across the IPv6 Internet; a DHCP-PD relay (2001:341f::1:57/64, ISP prefix 2001:341f::/32) sits between the DHCPv6-PD client and the server; the client's LAN address is 2001:db8:678::1/64 and its Router Advertisement carries the prefix list 2001:db8:678::/64 with M=0, O=0 (SLAAC); the DHCPv6-PD client may use a link-local address on the p2p link]
163. 5:00AM FIRST HOME OFFICE DHCP-PD USER COMES UP!
[Figure: an FTTH home network behind AS 341F (2001:341F::/32), connected through AS 413 (2001:413::/32) and AS 610 to the IPv6 Internet; the DHCP-PD relay (2001:341f::1:57/64) sits between the home router and the DHCP-PD server of the IPv6 private network (2001:db8:678::1; labels 2001:db8:678:1::/56 and 2001:db8:658::/48, 8 bits for subnets, e.g. 2001:db8:678:10::/64, 2001:db8:678:11::/64, ...)]
Exchange shown:
1a. Solicit IA_PD (client -> relay)
1b. Relay_Forward (Solicit) (relay -> server)
2b. Advertise
Request IA_PD
3. Reply IA_PD, first block 2001:db8:678::/56
Router Advertisement on the home network (2001:db8:678::/64, host 2001:db8:678:d340:98:22ac:f9:1): Managed=0, Other=0, MTU=1500, Hop Limit=64, Retrans Timer=0 (Unsp), Reachable Time=0 (Unsp), Prefix 2001:db8:678::/56, On-Link=1, Autonomous=1, Valid=7200, Preferred=1200
164. 7:00 AM DHCP-PD FIRST OFFICE COMES UP
[Figure: same topology as slide 163 (IPv6 Internet, AS 610 2001:610::/32, AS 413 2001:413::/32, AS 341F 2001:341F::/32, FTTH; DHCPv6 relay at 2001:341f::1:57/64 using a P2P link-local address; IPv6 private network 2001:db8:658::/48 with 2001:db8:678:1::/56, 8 bits for subnets, 2001:db8:678:10::/64, 2001:db8:678:11::/64, ...; home network 2001:db8:678::/64)]
Exchange shown: SOLICIT IA_PD (DHCPv6-PD client -> relay), Relay_forward (Solicit IA_PD) (relay -> DHCP-PD server), Relay_Reply (Solicit IA_PD), Advertise IA_PD, Request IA_PD, Relay_Forward, REPLY IA_PD with the first block 2001:db8:678::/56
166. DOMAIN NAME SERVICES (DNS)
§ RFC1035, RFC1036
§ Provides name-to-address resolution
§ Provides address-to-name resolution
§ Finds the mail servers of a domain to allow e-mail routing
§ Key component of the network architecture
§ Requests and replies are encapsulated in UDP port 53 messages
§ DNS message length is limited to 512 bytes
§ DNSSEC is an effort to offer a secure DNS service
§ Node and even subnet discovery became difficult with IPv6 addresses, so DNS is likely to be used to discover targets
167. THE DNS TREE STRUCTURE
[Figure: the DNS tree. Root « . »; TLDs: arpa, edu, gov, net, com, ca, au, za; second-level domains such as in-addr and ip6 under arpa, or coca-cola, mcDo, company and google under com; third-level domains such as bill, sec and head]
168. RESOLUTION OF FRED.EXAMPLE.COM
[Figure: resolution steps]
1. DNS -> Root DNS « . »: Query = fred.example.com; answer: referral to the .com gTLD DNS
2. DNS -> TLD DNS .com.: Query = fred.example.com; answer: referral to the example.com DNS
3. DNS -> domain DNS example.com.: Query = fred.example.com; answer: authoritative answer
169. REVERSE MAPPING
§ For address-to-name resolution
§ http://www.iana.org/domains/arpa/
§ http://tools.ietf.org/html/rfc5855
[Figure: the reverse tree. Root « . » > arpa (beside edu) > in-addr (and ip6) > 0, 1, 2, ... 194, 195 > 47 > 37 > 2, giving 2.37.47.195.in-addr.arpa for the address 195.47.37.2]
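The reverse-mapping names of slide 169 in code, as an added example that is not part of the original deck: it builds the PTR owner name of an IPv4 address (octets reversed under in-addr.arpa, as in the tree above) and of an IPv6 address (the 32 nibbles reversed under ip6.arpa, the scheme slides 177 and 178 introduce), parses such a name back into an address, and gives the zone name that holds the reverse records of a delegated prefix. The IPv4 address is the one of the slide, the IPv6 addresses are documentation prefixes, and the function names are this example's own.

```python
"""PTR owner names under in-addr.arpa and ip6.arpa."""
import ipaddress


def reverse_name(addr):
    """Owner name of the PTR record for one address (absolute, with trailing dot)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")        # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def address_from_reverse_name(name):
    """Inverse of reverse_name(); rejects names that are not well-formed reverse names."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError("expected four labels under in-addr.arpa")
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError("expected 32 single-nibble labels under ip6.arpa")
        return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))
    raise ValueError("not a reverse-mapping name")


def reverse_zone(prefix):
    """Zone that holds the reverse records of a prefix; IPv6 delegations are nibble-aligned."""
    net = ipaddress.ip_network(prefix)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("in-addr.arpa delegations are octet-aligned")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegations are nibble-aligned")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."
```

Python's `ipaddress` module also exposes the owner name directly as the `reverse_pointer` attribute (without the trailing dot); the hand-written version above shows the nibble reversal that the slides describe.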
170. ROOT DNS SERVERS
§ They return the addresses of the TLD servers
§ 13 IP anycast addresses are used
§ 13 IPv4 addresses can be sent in a 512-byte (436 bytes of data) UDP message!
§ 200+ physical servers around the globe
§ Domain root-servers.net: a.root-servers.net through m.root-servers.net
§ In Europe, the RIPE instances of k.root-servers.net are located in Amsterdam, Athens, Doha, Frankfurt, London and Milan. IPv4: 193.0.14.129, IPv6: 2001:7fd::1
§ IPv6 addresses are already supported by 9 of the 13 root servers
§ The requirements for a root server are in RFC2870
§ http://www.iana.org/domains/root/
171. TOP LEVEL DOMAIN (TLD) DNS SERVERS
§ They return the address of the NS for a User domain
§ The full list is at http://www.iana.org/domains/root/db/
§ Generic Top-Level-Domains (gTLD):
§ .com
§ .edu
§ .net
§ .org
§ .mil, etc…
§ Country Code Top-Level-Domains (ccTLD):
§ .us, .ca, .fr, .uk, etc…
172. THE EXAMPLE.COM DNS SERVERS
§ Primary (Master) and Secondary (Slave) DNS servers
§ To increase performance and reliability of DNS, there is more than one DNS server for each domain.
§ The Master Zone file describing the zone is located on the Primary server
§ The Secondary servers are synchronized with the Primary, thanks to Zone Transfer
§ Caching-only servers
[Figure: a DNS Master Zone holding the Master Zone File, and several DNS Slave Zones kept in sync by Zone Transfer]
173. ZONE AND ZONE FILES: CONFIG FOR A ZONE
§ Zone files translate the domain name into operational entities
§ Zone files contain:
§ Data that describes the zone authority, known as the Start of Authority (SOA) Resource Record.
§ All the hosts within the zone:
§ A Resource Record for an IPv4 address
§ AAAA Resource Record for an IPv6 address
§ Data that describes global information for the zone: MX Resource Records for the domain's mail servers and NS Resource Records for the name servers
§ In the case of a subdomain delegation, the name servers responsible for this subdomain…
174. RECURSIVE AND ITERATIVE QUERIES
§ The simplest mode for the server is non-recursive, since it can answer queries
using only local information: the response contains an error, the answer, or a
referral to some other server "closer" to the answer.
§ All name servers must implement non-recursive queries.
§ The simplest mode for the client is recursive, since in this mode the name server
acts in the role of a resolver and returns either an error or the answer, but never
referrals.
§ This service is optional in a name server. The name server may also choose to
restrict the clients that can use recursive mode.
175. RECURSIVE QUERY
§ Not all servers support Recursive Query
§ Root and TLD servers do not support Recursive Query
[Figure: the Client Resolver sends a single recursive query to its Name Server; the Name Server queries the Root Name Server, the Authoritative Name Server for TLD com and the Authoritative Name Server for company.com in turn (steps 1 to 5), caches the result and returns the answer to the client.]
176. ITERATIVE QUERY
[Figure: query and referral exchanges, numbered 1 to 5, between the Client Resolver, its Name Server, the Root Name Server, the Authoritative Name Server for TLD com and the Authoritative Name Server for company.com; the root and TLD servers answer with a Referral, only the server for company.com returns an Authoritative answer, which the Name Server caches.]
§ All servers support Iterative Query
177. IPV6 SUPPORT IN DNS
§ RFC1886 describes how to accommodate IPv6 Addresses in DNS
§ AAAA Resource Record to store 128 bits addresses
§ IPv6 reverse mapping uses the PTR RR, at first under the domain ip6.int, since
replaced by ip6.arpa
§ A more complex solution, A6/DNAME, was also defined
§ After many discussions, A6/DNAME was moved to Experimental status
§ DNS requests must be transported in IPv6
§ DNS Root servers and Top-level domains must support IPv6
§ 9 of the 13 root-servers are IPv6 ready
§ DNS messages larger than 512 bytes must be supported (EDNS0) and not filtered by firewalls
178. AAAA AND IPV6.ARPA
§ AAAA is written like an IPv6 address. Leading zeros can be omitted
§ ipv6-host IN AAAA 2001:db8:1:2:3:4:567:89ab
§ ip6.arpa is the reverse-mapping name space for IPv6 addresses. Each level of
subdomain under ip6.arpa represents four bits of the 128-bit address. Omitting leading
zeros is not allowed, so there are always 32 hex digits and 32 levels of subdomain
below ip6.arpa in a domain name corresponding to a full IPv6 address.
§ b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
179. AAAA RESOURCE RECORD SYNTAX
name ttl class ipv6
§ ipv6-host IN AAAA 2001:db8:1:2:3:4:567:89ab
§ name: ipv6-host. The name is unqualified, causing the $ORIGIN directive value to be
substituted. You could have written this as ns1.example.com. (using the FQDN format),
which may be more understandable.
§ ttl: There is no ttl value defined for the RR, so the zone default from the $TTL directive
will be used.
§ class: IN. Defines the class to be Internet
§ ipv6: 2001:db8:1:2:3:4:567:89ab. This is a Global Unicast address.
180. ADDING AAAA TO FORWARD-MAPPING ZONES
§ A and AAAA can coexist for dual-stack hosts (the second line, starting with
whitespace, reuses the owner name of the first):
skydive IN A 192.239.120.111
        IN AAAA 2001:db8:cafe:f1::e1
§ Another option is to create one entry for each protocol
skydive IN A 192.239.120.111
skydive-v6 IN AAAA 2001:db8:cafe:f1::e1
or
skydive.v6 IN AAAA 2001:db8:cafe:f1::e1
181. ZONE FILE WITH IPV6 SUPPORT EXAMPLE (1)
; transitional IPv6/IPv4 zone file for example.com
$TTL 2d ; default TTL for zone
$ORIGIN example.com.
; Start of Authority RR defining the key characteristics of the zone (domain)
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2003080800 ; sn = serial number
        12h ; refresh
        15m ; retry = update retry
        3w ; expiry
        2h ; min = minimum
        )
; name server RRs for the domain (leading whitespace: same owner as above, the zone apex)
        IN NS ns1.example.com.
; the second name server is
; external to this zone (domain).
        IN NS ns2.example.net.
182. ZONE FILE WITH IPV6 SUPPORT EXAMPLE (2)
; mail server RRs for the zone (domain)
        3w IN MX 10 mail.example.com.
; the second mail server is
; external to the zone (domain)
        IN MX 20 mail.example.net.
; domain hosts include the NS and MX targets defined above
; plus any others required
; the following hosts are in IPv6 subnet 1
ns1 IN A 192.168.254.2
ns1 IN AAAA 2001:db8:0:1::1
mail IN A 192.168.254.4
mail IN AAAA 2001:db8:0:1::2
; these hosts are defined to be in IPv6 subnet 2
joe IN A 192.168.254.6
joe IN AAAA 2001:db8:0:2::1
www IN A 192.168.254.7
www IN AAAA 2001:db8:0:2::2
; aliases ftp (ftp server) to an external location (trailing dot: not relative to $ORIGIN)
ftp IN CNAME ftp.example.net.
183. IPV6 REVERSE-MAPPING ZONES
§ The subnet where skydive.v6.movie.edu is located, 2001:db8:cafe:f9::/64, corresponds
to the reverse-mapping zone:
§ 9.f.0.0.e.f.a.c.8.b.d.0.1.0.0.2.ip6.arpa
§ IPv6 reverse-mapping zones contain PTR records, an SOA record and one or more NS
records:
$TTL 1d
@ IN SOA terminator.movie.edu. hostmaster.movie.edu. (
        2011030800 ; Serial number
        1h ; Refresh (1 hour)
        15m ; Retry (15 minutes)
        30d ; Expire (30 days)
        10m ) ; Negative-caching TTL (10 minutes)
        IN NS terminator.movie.edu.
        IN NS wormhole.movie.edu.
3.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR skydive.v6.movie.edu.
4.d.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR super8.v6.movie.edu.
184. IPV6 PTR RESOURCE RECORD
The PTR RR is standardized in RFC 1035 and maps an IPv6 address to a particular
interface ID. Syntax is:
– name ttl class rr name
§ name: This is the subnet ID and interface ID parts of the IPv6 address written in
reverse nibble format. While this looks like a number, it is in fact treated as a name.
The name is unqualified, causing the $ORIGIN directive value to be substituted.
§ ttl: There is no ttl value defined for the RR, so the zone default from the $TTL
directive will be used.
§ class: IN defines the class to be Internet
§ name (after PTR): Defines that a query for <address> will return this name
Example:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0 IN PTR joe.example.com.
185. REVERSE IPV6 ZONE FILE FOR EXAMPLE.COM (1)
; reverse IPV6 zone file for example.com
$TTL 2d ; default TTL for zone
; $ORIGIN holds the prefix (2001:db8::/48) shared by all the addresses, in reverse nibble format
$ORIGIN 0.0.0.0.8.b.d.0.1.0.0.2.IP6.ARPA.
; Start of Authority RR defining the key characteristics of the zone (domain)
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2003080800 ; sn = serial number
        12h ; refresh = refresh
        15m ; retry = update retry
        3w ; expiry = expiry
        2h ; min = minimum
        )
; name server RRs for the domain
        IN NS ns1.example.com.
; the second name server is
; external to this zone (domain).
        IN NS ns2.example.net.
186. REVERSE IPV6 ZONE FILE FOR EXAMPLE.COM (2)
; PTR RR maps an IPv6 address to a host name
; hosts in subnet ID 1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0 IN PTR ns1.example.com.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0 IN PTR mail.example.com.
; hosts in subnet ID 2
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0 IN PTR joe.example.com.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0 IN PTR www.example.com.
name: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0
This is the subnet ID and interface ID parts of the IPv6 address 2001:db8:0:2::2
written in reverse nibble format. While this looks like a number, it is in fact treated
as a name. The name is unqualified, causing the $ORIGIN directive value to be
substituted. You could have written this as
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.IP6.ARPA.
ttl: There is no ttl value defined for the RR, so the zone default of 2d
from the $TTL directive will be used.
class: IN defines the class to be Internet
name: www.example.com. Defines that a query for 2001:db8:0:2:0:0:0:2 will return
www.example.com
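The nibble-reversal rules of slides 178, 183, 184 and 186 carried out in code, as an added example that is not part of the course material; it uses only the Python standard library and reproduces the names in the zone files above (the reverse zone for 2001:db8:cafe:f9::/64 and the relative PTR owner names under $ORIGIN 0.0.0.0.8.b.d.0.1.0.0.2.IP6.ARPA.).

```python
"""ip6.arpa reverse-mapping names: full names, zone names for a prefix,
relative PTR owner names under a $ORIGIN, and the inverse mapping."""
import ipaddress


def reverse_name(address):
    """Full reverse-mapping name: all 32 nibbles, least significant first,
    under ip6.arpa. Leading zeros are never omitted (32 labels always)."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix):
    """Name of the reverse zone covering a prefix. Only prefix lengths that are
    a multiple of 4 bits map to exactly one ip6.arpa zone."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"{prefix}: prefix length is not on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_owner(address, origin):
    """Unqualified owner name of the PTR record for `address` in a zone whose
    $ORIGIN is `origin` (case-insensitive, trailing dot optional)."""
    full = reverse_name(address)
    origin = origin.lower().rstrip(".") + "."
    if not full.endswith("." + origin):
        raise ValueError(f"{address} is not inside the zone {origin}")
    return full[: -len(origin) - 1]


def ptr_records(origin, hosts):
    """Zone-file PTR lines for the hosts of a reverse zone.
    `hosts` maps an IPv6 address to its FQDN (with trailing dot)."""
    return [f"{ptr_owner(addr, origin)} IN PTR {fqdn}" for addr, fqdn in hosts.items()]


def address_from_reverse_name(name):
    """Inverse mapping: a full 32-level ip6.arpa name back to the address."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        raise ValueError(f"{name}: not a full ip6.arpa name (32 nibbles expected)")
    return str(ipaddress.IPv6Address(int("".join(reversed(labels[:-2])), 16)))


if __name__ == "__main__":
    # Constructed input: the example.com hosts of slide 186 in subnets 1 and 2.
    origin = "0.0.0.0.8.b.d.0.1.0.0.2.IP6.ARPA."
    hosts = {"2001:db8:0:1::1": "ns1.example.com.", "2001:db8:0:1::2": "mail.example.com.",
             "2001:db8:0:2::1": "joe.example.com.", "2001:db8:0:2::2": "www.example.com."}
    print(f"$ORIGIN {origin}")
    for line in ptr_records(origin, hosts):
        print(line)
    print(reverse_zone("2001:db8:cafe:f9::/64"))
```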
187. BUILT-IN EMPTY REVERSE-MAPPING ZONES
§ These special addresses are resolved locally by BIND without forwarding any
request on the Internet.
Reverse-mapping Zone Name   Function                    IPv4 Equivalent
0...ip6.arpa                Unspecified IPv6 address    0.0.0.0
1.0...ip6.arpa              IPv6 Loopback Address       127.0.0.1
8.b.d.0.1.0.0.2.ip6.arpa    IPv6 Documentation Network  192.0.2/24
d.f.ip6.arpa                Unique Local Addresses      10/8, etc. (RFC1918)
8.e.f.ip6.arpa              Link-Local Addresses        169.254/16
9.e.f.ip6.arpa              Link-Local Addresses        169.254/16
a.e.f.ip6.arpa              Link-Local Addresses        169.254/16
b.e.f.ip6.arpa              Link-Local Addresses        169.254/16
188. DNS REQUEST TRANSPORTED IN IPV6
Internet Protocol Version 6
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 145
Next header: UDP (0x11)
Hop limit: 255
Source: fe80::61e:64ff:feec:73a9 (fe80::61e:64ff:feec:73a9)
Destination: ff02::fb (ff02::fb)
User Datagram Protocol, Src Port: mdns (5353), Dst Port: mdns (5353)
Source port: mdns (5353)
Destination port: mdns (5353)
Length: 145
Checksum: 0x5753 [validation disabled]
Domain Name System (response)
(Capture annotations: mDNSv6; the destination ff02::fb is a link-local multicast address)
189. IPV6 ADDRESSES IN DNS: AAAA RECORD
Type AAAA
Name: power-mac-g5-de-fred-bovy-6.local
Type: AAAA (IPv6 address)
.000 0000 0000 0001 = Class: IN (0x0001)
1... .... .... .... = Cache flush: True
Time to live: 2 minutes
Data length: 16
Addr: 2a01:e35:2f26:d340:61e:64ff:feec:73a9
190. DNS CAPTURE
Internet Protocol Version 6
0110 .... = Version: 6
[0110 .... = This field makes the filter "ip.version == 6" possible: 6]
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 145
Next header: UDP (0x11)
Hop limit: 255
Source: fe80::61e:64ff:feec:73a9 (fe80::61e:64ff:feec:73a9)
Destination: ff02::fb (ff02::fb)
User Datagram Protocol, Src Port: mdns (5353), Dst Port: mdns (5353)
Source port: mdns (5353)
Destination port: mdns (5353)
Length: 145
Checksum: 0x5753 [validation disabled]
Domain Name System (response)
[Request In: 788]
[Time: -404.306754000 seconds]
Transaction ID: 0x0000
Flags: 0x8400 (Standard query response, No error)
Questions: 0
Answer RRs: 1
Authority RRs: 0
Additional RRs: 3
Answers
power-mac-g5-de-fred-bovy-6.local: type A, class IN, cache flush, addr 192.168.0.15
Name: power-mac-g5-de-fred-bovy-6.local
Type: A (Host address)
.000 0000 0000 0001 = Class: IN (0x0001)
1... .... .... .... = Cache flush: True
Time to live: 2 minutes
Data length: 4
Addr: 192.168.0.15
(Capture annotations: ff02::fb is the mDNSv6 multicast address; mDNS uses port 5353)
191. DNS CAPTURE (CONT.)
Additional records
power-mac-g5-de-fred-bovy-6.local: type AAAA, class IN, cache flush, addr fe80::61e:64ff:feec:73a9
Name: power-mac-g5-de-fred-bovy-6.local
Type: AAAA (IPv6 address)
.000 0000 0000 0001 = Class: IN (0x0001)
1... .... .... .... = Cache flush: True
Time to live: 2 minutes
Data length: 16
Addr: fe80::61e:64ff:feec:73a9
power-mac-g5-de-fred-bovy-6.local: type AAAA, class IN, cache flush, addr 2a01:e35:2f26:d340:61e:64ff:feec:73a9
Name: power-mac-g5-de-fred-bovy-6.local
Type: AAAA (IPv6 address)
.000 0000 0000 0001 = Class: IN (0x0001)
1... .... .... .... = Cache flush: True
Time to live: 2 minutes
Data length: 16
Addr: 2a01:e35:2f26:d340:61e:64ff:feec:73a9
power-mac-g5-de-fred-bovy-6.local: type NSEC, class IN, cache flush, next domain name power-mac-g5-de-fred-bovy-6.local
Name: power-mac-g5-de-fred-bovy-6.local
Type: NSEC (Next secured)
.000 0000 0000 0001 = Class: IN (0x0001)
1... .... .... .... = Cache flush: True
Time to live: 2 minutes
Data length: 8
Next domain name: power-mac-g5-de-fred-bovy-6.local
RR type in bit map: A (Host address)
RR type in bit map: AAAA (IPv6 address)
192. RECURSIVE NAME SERVERS PRIMING FOR IPV6
§ Most recursive name servers perform a bootstrap process called priming to determine the
current list of root name servers, since information in the local copy of the root hints file
could be out of date.
§ To prime, a recursive name server sends a DNS query of type NS for the root (".") to one
of the root name servers listed in the local root hints file.
§ The recursive name server uses the list of root name servers in the response returned
from a live root name server for resolution purposes.
§ Priming ensures that a recursive name server always starts operation with the most up-to-date
list of root name servers.
§ The operators of nine root name servers - a, d, f, h, i, j, k, l, m - have assigned IPv6
addresses to their systems.
193. IPV6 AND EDNS0 SUPPORT
§ Including the IPv6 addresses at the root level of the DNS involves two related
actions on the part of the IANA and the DNS Root Server Operators:
§ Add Resource Records of Type AAAA to the hints file.
The IANA maintains the authoritative root hints file at ftp://ftp.internic.net/domain/.
§ Provision the 13 root name servers to return the Type AAAA records when
name server resolvers bootstrap, performing what is known as priming.
194. IPV6 AND EDNS0 SUPPORT (CONT.)
§ RFC1035 limits a DNS message over UDP to a maximum of 512 bytes:
§ 13 IPv4 anycast addresses are used to represent the 200+ servers so that the
priming response fits in a 512-byte message. The response is actually 436 bytes,
which leaves room for some options.
§ With only 5 IPv6 addresses added to the Additional Section of the DNS Type NS
response message root server operators return during the priming exchange, the size
of the response message increases from 436 bytes to 576 bytes.
§ 9 Root Servers have been assigned IPv6 addresses
§ When all 13 root name servers are assigned IPv6 addresses, the priming response
will increase in size to 811 bytes.
195. IPV6 AND EDNS0 SUPPORT (CONT.)
Conditions for the successful completion of a priming exchange:
§ Resolvers and any intermediate systems that are situated between resolvers
and root name servers must be able to process DNS messages containing Type
AAAA resource records.
§ Additionally, resolvers must use DNS Extensions (EDNS0, RFC 2671) to notify
root name servers that they are able to process DNS response messages
larger than the 512 byte maximum DNS message size specified in RFC1035.
§ Intermediate systems must be configured to forward UDP-encapsulated DNS
response messages larger than the 512 byte maximum DNS message size
specified in RFC1035 to resolvers that issued the priming request.
196. TEST THE EDNS0 SUPPORT
§ To test the action a firewall implementation takes when it receives a UDP-encapsulated
DNS response message larger than 512 bytes, a network or firewall administrator can
perform the following DNS lookup (with no query name given, dig asks for the NS records
of the root ".") using:
§ dig ns +bufsize=4096 @192.33.4.12 OR
§ dig ns +bufsize=4096 @2001:500:2D::D
§ This command should elicit a 699-byte response that contains AAAA resource
records
§ If no response is received, network and firewall administrators should first
determine if a security policy other than the vendor's default processing for
DNS messages is blocking large response messages or large UDP messages.
If no policy other than the vendor's default processing is configured, note the
implementation and version, and contact your vendor to determine if an
upgrade or hot fix is available.
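The message sizes quoted in slides 194 to 196 (436, 576, 699 and 811 bytes) follow directly from the RFC 1035 wire format with name compression. The following added example, which is not part of the course, assembles such a priming response from constructed sample addresses (not the real root-server addresses) and measures it, so an administrator can see why the 512-byte limit is crossed before running the dig test above.

```python
"""Size of the root priming response (NS query for ".") as root servers gain
AAAA records, built in DNS wire format with RFC 1035 name compression."""
import ipaddress
import struct

# Constructed sample data: the 13 root-server names with made-up addresses
# (the sizes depend only on the record types, not on the address values).
ROOT_SERVERS = [f"{c}.root-servers.net." for c in "abcdefghijklm"]
V4 = {n: f"198.51.100.{i + 1}" for i, n in enumerate(ROOT_SERVERS)}
V6 = {n: f"2001:db8::{i + 1}" for i, n in enumerate(ROOT_SERVERS)}
TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT, CLASS_IN, TTL = 1, 2, 28, 41, 1, 518400


def encode_name(name, msg, table):
    """Wire-format `name` as it will appear at offset len(msg); any suffix already
    recorded in `table` is replaced by a 2-byte pointer (RFC 1035 section 4.1.4)."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    out = b""
    while labels:
        suffix = ".".join(labels)
        if suffix in table:
            return out + struct.pack("!H", 0xC000 | table[suffix])
        table.setdefault(suffix, len(msg) + len(out))
        label = labels.pop(0).encode()
        out += bytes([len(label)]) + label
    return out + b"\x00"  # the root label ends an uncompressed name


def add_rr(msg, table, owner, rtype, rdata_fn):
    """Append one RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA. `rdata_fn` sees
    the message as it stands at RDATA's offset, so NS targets can compress."""
    msg += encode_name(owner, msg, table) + struct.pack("!HHI", rtype, CLASS_IN, TTL)
    rdata = rdata_fn(msg + b"\x00\x00")  # the 2-byte RDLENGTH precedes RDATA
    return msg + struct.pack("!H", len(rdata)) + rdata


def priming_response(servers_with_aaaa, edns0=False):
    """Response to a priming query as a root server returns it: 13 NS answers,
    13 A glue records, AAAA glue for `servers_with_aaaa` servers and, with
    `edns0`, the OPT pseudo-RR that echoes the resolver's EDNS0 request."""
    table = {}
    arcount = 13 + servers_with_aaaa + (1 if edns0 else 0)
    # Header: ID 0, flags 0x8400 (response, authoritative), QD=1, AN=13, NS=0
    msg = struct.pack("!HHHHHH", 0, 0x8400, 1, 13, 0, arcount)
    msg += encode_name(".", msg, table) + struct.pack("!HH", TYPE_NS, CLASS_IN)
    for name in ROOT_SERVERS:  # answer section
        msg = add_rr(msg, table, ".", TYPE_NS, lambda m, n=name: encode_name(n, m, table))
    for name in ROOT_SERVERS:  # additional section: A glue
        msg = add_rr(msg, table, name, TYPE_A, lambda m, n=name: ipaddress.ip_address(V4[n]).packed)
    for name in ROOT_SERVERS[:servers_with_aaaa]:  # additional section: AAAA glue
        msg = add_rr(msg, table, name, TYPE_AAAA, lambda m, n=name: ipaddress.ip_address(V6[n]).packed)
    if edns0:
        # OPT pseudo-RR (RFC 2671): owner ".", CLASS field carries the UDP payload
        # size the sender accepts, TTL field holds the extended flags, no RDATA.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return msg


def priming_sizes():
    """The cases discussed in the slides: IPv4 only, 5 AAAA, 9 AAAA with EDNS0
    (the dig test), all 13 with EDNS0. Above 512 bytes EDNS0 is required end to end."""
    return {
        "ipv4_only": len(priming_response(0)),
        "five_aaaa": len(priming_response(5)),
        "nine_aaaa_edns0": len(priming_response(9, edns0=True)),
        "all_aaaa_edns0": len(priming_response(13, edns0=True)),
    }


if __name__ == "__main__":
    for label, size in priming_sizes().items():
        print(f"{label:>16}: {size} bytes{'  (exceeds 512)' if size > 512 else ''}")
```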
197. DNSSEC
§ DNSSEC is detailed in RFC4033, RFC4034 and RFC4035. A discussion of
operational practices relating to DNSSEC can be found in RFC4641.
§ In DNSSEC, a secure response to a query is one which is
cryptographically signed and validated.
§ DNSSEC provides no protection against DoS attacks
§ DNSSEC adds new Resource Record types: Resource Record Signature
(RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS) and Next
Secure (NSEC)
§ A signed zone will contain the 4 additional security-related records
§ DNSSEC requires support for EDNS0 (RFC2671) and for the DNSSEC OK (DO)
EDNS bit (RFC 3225)
§ In DNSSEC, the Root Zone is signed
§ http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html
198. DYNAMIC DNS
§ DNS Servers can be updated dynamically
§ Addresses allocated with DHCPv6 or SLAAC automatically update the DNS
§ Dynamic Updates in the Domain Name System (DNS UPDATE)
§ http://tools.ietf.org/html/RFC2136
§ Secure Domain Name System (DNS) Dynamic Update
§ http://tools.ietf.org/html/RFC3007
§ Operational Considerations and Issues with IPv6 DNS
§ http://tools.ietf.org/html/rfc4472
199. IPV6 DEVICES MANAGEMENT
§ SNMP for IPv6
§ SNMP transported by IPv6
§ IPv6 support in the MIBs
§ The first approach was to implement separate MIBs for IPv4 and IPv6
§ RFC2465 and RFC2466, now deprecated
§ Unified MIB for IPv4 and IPv6 in RFC4293
§ TELNET, SSH for IPv6
§ FTP, TFTP for IPv6
§ SYSLOG for IPv6
§ HTTP for IPv6
§ Ping, traceroute
200. MOBILE IPV6: RFC 3775
§ The mobile node can roam from subnet to subnet, but its source address is
unchanged for the applications.
§ No session is lost
§ The network can be hidden from the correspondent node
§ This existed in IPv4 but IPv6 greatly improved it
201. MOBILE IPV6 TERMINOLOGY
Home Agent: the router which switches the traffic to the mobile node.
Mobile Node: the roaming user.
Home Address: the initial network address. All the communications of the mobile
node come from this address.
Home Link: the link where the mobile node is permanently attached.
Care-Of-Address: the temporary address on the visited network.
Correspondent Node: the node (not mobile) communicating with the mobile node.
202. MOBILE NODE ACQUIRES A COA
§ Mobile node visits a new subnet
§ It must acquire its Care of Address (CoA)
§ The Mobile Node acquires its Care of Address from SLAAC or DHCPv6
203. HOME AGENT ADDRESS DISCOVERY (ANYCAST)
§ The Home Agent (HA) may have moved
§ New HA may have been installed
§ Anycast address may be used to find the HA
204. COA BINDING AND TUNNEL CREATION
§ The Mobile Node registers its CoA with the Home Agent
§ Signaling uses a Mobility Option
§ An IPv6 in IPv6 Tunnel is set up between the MN and the HA
[Figure: the Mobile Node registers its CoA with the Home Agent (1), then the tunnel is created (2).]
205. BIDIRECTIONAL TUNNELING
§ The packets between the CN and the MN are routed via the tunnel in both directions.
§ The Home Agent intercepts the NS on the Home Link and answers in Proxy-ND.
§ Transparent for the Correspondent Node
206. BIDIRECTIONAL TUNNELING
[Figure: packet headers in bidirectional tunneling.]
MN to CN, original packet: Src @ = MN IPv6 Home @, Dst @ = CN IPv6 @
MN to CN, tunneled to the HA: Out Src = MN IPv6 CoA, Out Dst = HA IPv6 @, In Src = MN IPv6 Home @, In Dst = CN IPv6 @
CN to MN, original packet: Src @ = CN IPv6 @, Dst @ = MN IPv6 Home @
CN to MN, tunneled by the HA: Out Src = HA IPv6 @, Out Dst = MN IPv6 CoA, In Src = CN IPv6 @, In Dst = MN IPv6 Home @
207. RETURN ROUTABILITY PROCEDURE
§ Traffic is routed via the Home Agent until the Return Routability Procedure
§ CN must support Mobile IPv6
§ The CN verifies that the Mobile Node can be reached at its CoA and its Home
Address
§ The MN proves to the CN that it receives the Keygen Tokens
208. RETURN ROUTABILITY PROCEDURE
§ Verify that the MN who sends the Binding Update is the same MN who sends
the data packets.
[Figure: Mobile Node A (IPv6 Home Address, IPv6 CoA) in Visited Network A, the Home Agent, and the Correspondent Node in Local Network B, exchanging the HoTI/HoT and CoTI/CoT messages.]
HoTI: Home Test Init, CoTI: Care-of Test Init
HoT: Home Test, CoT: Care-of Test
209. MOBILITY HEADER FEATURES
Type 0, Binding Refresh Request (BRR): Binding Update sent by the MN to the HA or the CN
Type 1, Home Test Init (HoTI): Sent by the CN to the Home address of the MN to initialize the
Return Routability process. The HoTI is routed via the HA.
Type 2, Care-of Test Init (CoTI): Sent by the CN to the MN CoA to initialize the Return Routability
process.
Type 3, Home Test (HoT): HoTI response of the MN to the CN
Type 4, Care-of Test (CoT): CoTI response of the MN to the CN
Type 5, Binding Update (BU): Sent by the MN to notify the HA or the CN that it has changed its
network point of attachment and has a new CoA.
Type 6, Binding Acknowledgement (BA): Acknowledgement of the BU sent by the HA or the CN.
Type 7, Binding Error (BE): Sent by the CN or the MN to signal an error. For example, if the MN
sends a message with a Destination Option including a Home Address but the CN does not
have a CoA in its Binding Database.
210. ROUTE OPTIMIZATION SIGNALING
§ The MN registers its binding to the CN
§ This Mode must be supported by the CN
§ This can be avoided for security reasons, as the CN is now aware that the mobile
node is no longer on its Home Link.
§ By default, the signaling is not encrypted.
[Figure: the Mobile Node sends a Binding Update to the CN and receives a Binding Ack.]
211. ROUTE OPTIMIZATION (ID VERIFICATION)
§ The Mobile Node identity is verified
§ An IPSec Tunnel is established between the MN and the CN
212. DESTINATION OPTION INCLUDES THE MN SOURCE @
[Figure: packet from the Mobile Node to the CN: Src @ = MN IPv6 CoA, Dst @ = CN IPv6 @, Dst Opt = MN IPv6 Home @]
The CN replaces the MN IPv6 CoA with the IPv6 Home @ from the Destination Option:
the datagram comes from the MN
213. ROUTING OPTION INCLUDES THE MN SOURCE @
[Figure: packet from the CN to the Mobile Node: Src @ = CN IPv6 @, Dst @ = MN IPv6 CoA, Routing = MN IPv6 Home @]
The MN replaces the MN IPv6 CoA with the MN IPv6 Home @ from the Routing Option:
the datagram is sent to the MN Home @