Getting started with IPv6



You may have hoped to retire before IPv6 became a reality, but unfortunately IPv4 address exhaustion came too fast. For the rest of us, we’re going to bite off a small piece of the 15-year-old IPv6 pie and talk about how to get started!

• Address format refresher
• IPv4 and IPv6 protocol comparison
• IPv6 neighbor discovery and auto-configuration
• Current migration and coexistence strategies
• ICMPv6, DHCPv6, and DNSv6
• How to get started at home

Published in: Technology
  • Watch IPv4 Addresses run out (*.com) / IPv6
  • APNIC only has the remaining /8 from the trigger IANA release. They will be
  • Also in the Cisco world, CLI output of IPv6 features is ugly (lack of readability) compared to the IPv4 counterparts. For example:
      show ip interface brief vs. show ipv6 interface brief
      show ip eigrp neighbors vs. show ipv6 eigrp neighbors
  • DHCPv6 options include DNS server IP, domain name, NTP server, etc.
    DNS (RFC3484): A client may show preference for DNS AAAA (IPv6) records over IPv4 and thus attempt to connect to the destination server via IPv6.
    IPv6 makes heavy use of ICMP multicast/unicast messages, which must be allowed via ACLs.
  • Routable addresses can be either local (think RFC1918 private IPs) or global (public IP address).
    RFC4941: Privacy Extensions for Stateless Address Autoconfiguration in IPv6. Keep the IP for 1-7 days.
    Q: How do L2 switches handle IPv6 addresses?
    A: L2 switches only look at the SMAC/DMAC, so IPv6 addressing is transparent to them. Exceptions would be a QoS policy or VACL/PACL applied to the interface that examines the L3/L4 portions of the header.
  • 1 base-2 binary position = 1 bit (2 values: 0 or 1). 1 base-16 hex position = 4 bits (16 values: 0-9, A-F). In other words, it takes 4 binary positions (2^4) to represent the 16 unique values (0-9 and A-F) of one hex position.
  • See for details on multicast address space. IPv4 has a documentation prefix as well (see RFC5737): (TEST-NET-1), (TEST-NET-2), and (TEST-NET-3).
  • /64 prefix: 128 bits = 64 for network and 64 for host.
    Why prefix lengths in increments of 8? Because then your IPv6 address fits nicely within the colon boundaries:
      /48 = 2001:1       Format: [Global:ISP:Org:Subnet:Host:Host:Host:Host]
      /56 = 2001:1:1     Format: [Global:ISP:ISP:(Org & Subnet):Host:Host:Host:Host]
      /64 = 2001:1:1:1   Format: [Global:ISP:ISP:Subnet:Host:Host:Host:Host]
    Some equipment may have issues assigning a mask other than /64. A /64 is required for automatic IP address configuration.
    Prefix examples: /48, /64, /120
  • IPv6 NDP allows host and router/gateway discovery. Cisco and Windows-based commands shown.
    Stateless Address AutoConfiguration (SLAAC) uses Modified EUI-64 or Privacy Extensions (RFC4941/Microsoft).
  • IPv6 Only / Dual Stack (recommended approach) / Tunnel IPv4 or MPLS.
    See Basic Transition Mechanisms for IPv6 Hosts and Routers (RFC4213).
    6to4 Tunnels (RFC 3056): 2002:IPv4::/48 IPv6 range; route 2002::/16 to the tunnel interface.
  • NAT-PT is the only transition NAT protocol supported in most Cisco devices today, but it is generally regarded as obsolete. This leaves no good options to NAT IPv4 addresses to IPv6 addresses.
  • The popular solution today is end-to-end dual stack configuration where an end node runs both IPv4 and IPv6.
    With Cisco, only the ASR 1000 series router supports NAT64 today. Juniper supports stateful NAT64 today. NAT64 gateway for Linux.
  • IPv6 Native Dual Stack over DOCSIS. Comcast: IPv6 Native Dual Stack for users (January 31, 2011). Content natively over both IPv6 and IPv4. Allocating 18,446,744,073,709,551,616 (18 quintillion) addresses per user (/64).
  • Notable Notes: If you have IPv6 and IPv4 enabled on your machine, IPv6 (and DNSv6) will be preferred.
    Websites already set up for IPv6:
      c:\ruby>ping www.comcast6.net
      Pinging [2001:558:1004:9:69:242:76:78] with 32 bytes of data:
      c:\ruby>ping [2001:4860:b006::68] with 32 bytes of data:
  • Not all clients support DHCPv6, opting to support SLAAC only.
    DHCP-PD: Allows you to delegate a prefix which may contain multiple subnets to a router that can assign subnets on LAN segments.
  • List of IPv6 Tunnel Brokers:
  • See RFC 2473 and RFC 3056 for IPv6 tunnel encapsulation information.
  • IGP just uses the link local address; no need for a global IP address on the interface. IPv6 management is done via an IPv6 loopback.
    To verify IPv6 configuration, use:
      show ipv6 interface brief
      show ipv6 router discovery
  • EUI = Extended Unique Identifier. More details, see address.
    The solicited-node address facilitates efficient querying of network nodes during address resolution. In IPv4, the ARP Request frame is sent to the MAC-level broadcast, disturbing all nodes on the network segment, including those that are not running IPv4. IPv6 uses the Neighbor Solicitation message to perform address resolution. However, instead of using the link-local scope all-nodes address as the Neighbor Solicitation message destination, which would disturb all IPv6 nodes on the local link, the solicited-node multicast address is used. The solicited-node multicast address consists of the prefix FF02::1:FF00:0/104 and the last 24 bits of the IPv6 address that is being resolved.
    For example, for the node with the link-local IPv6 address FE80::2AA:FF:FE28:9C5A, the corresponding solicited-node address is FF02::1:FF28:9C5A. To resolve the FE80::2AA:FF:FE28:9C5A address to its link layer address, a node sends a Neighbor Solicitation message to the solicited-node address FF02::1:FF28:9C5A. The node that is using the address FE80::2AA:FF:FE28:9C5A is listening for multicast traffic at the solicited-node address and, for interfaces that correspond to a physical network adapter, has registered the corresponding multicast address with the network adapter.
    The result of using the solicited-node multicast address is that address resolution, which commonly occurs on a link, is not required to use a mechanism that disturbs all network nodes. In fact, very few nodes are disturbed during address resolution. In practice, because of the relationship between the Ethernet MAC address, the IPv6 interface ID, and the solicited-node address, the solicited-node address acts as a pseudo-unicast address for very efficient address resolution.
    Routers join the “All Routers” multicast group FF02::2.
  • Firewall shown is the stateful IOS Firewall/CBAC. Zone-based firewall configuration should work as well. For a configuration example, see:
    The lines shown in red on the slide are implicit rules for every IPv6 ACL:
      nd-na = neighbor discovery, neighbor advertisement (L2 resolution reply / unsolicited address announcement)
      nd-ns = neighbor discovery, neighbor solicitation (L2 resolution request)
  • IP: Consider using the last 1-2 octets of the IPv4 address in the IPv6 address to help with device recognition.
    DNS: When creating a DNSv6 reverse lookup zone, enter the address including prefix, e.g., fc00:a::/64.
    DHCP: In Windows Server 2008 R2 the DHCPv6 scope prefixes are fixed at /64.
  • Windows 7 supports DHCPv6 in addition to SLAAC and manual modes. The link local address is dynamically generated for you.
    To use IPv4 instead of IPv6 in prefix policies (e.g. DNS queries):
    Automatic Tunneling:
      netsh interface 6to4 set state state=disabled undoonstop=disabled
      netsh interface isatap set state state=disabled
      netsh interface teredo set state type=disabled
  • No DHCPv6 support; either SLAAC or manual.
    Link local (fe80) address is assigned automatically.
    IPv6 ULA address is learned from the ICMP router advertisement.
  • SEND = Secure Neighbor Discovery.
    Windows 7 can enable/disable privacy extensions by using:
      netsh interface ipv6 set global randomizeidentifiers=disabled
      netsh interface ipv6 set global randomizeidentifiers=enabled
    Recommendation is to use RFC4941 privacy extensions for external use, and EUI-64/DHCPv6 for internal.
    Disable Rogue Tunnels:
      netsh interface 6to4 set state state=disabled undoonstop=disabled
      netsh interface isatap set state state=disabled
      netsh interface teredo set state type=disabled
    Enable Mac OS X privacy extensions: Edit "/etc/sysctl.conf" and add net.inet6.ip6.use_tempaddr=1. Then reboot.
    Enable Linux privacy extensions: Edit "/etc/sysctl.conf" and add net.ipv6.conf.all.use_tempaddr=2 (the Linux sysctl key; the net.inet6.ip6.* name above is the BSD/Mac OS X one). Then reboot.
    Assignment of DNS via SLAAC RDNSS options.
  • Defined in RFC4291
  • Getting started with IPv6

    1. A toe-dip into the volatile world of IPv6 transitions
       Getting Started with IPv6
       Tanner
       04.29.2011
    2. Goals and Status
       GOAL: Get IPv6 dual-stack running on a lab/home network and connect to the IPv6 internet.
       STATUS: IPv4 Exhaustion Timeline; IPv6 Today (Google, Microsoft, Apple, Netflix, Cisco, Facebook, Gov’t Agencies); Service Provider Plan; Enterprise Plan
    3. IPv4 Exhaustion Schedule (chart)
    4. IPv6 Mechanics
       Advantages: Lots of Addresses; Automatic IP Address Configuration; Duplicate Address Detection (DAD); Only available option post-IPv4
       Disadvantages: Still disagreements on implementation / transition methods; Immature device / OS / application support; Remembering long addresses
    5. IPv6 Building Blocks
       Interface Addressing: Manual, SLAAC, DHCPv6
       Link Local; Routable (e.g., 2002:d82a:3bcc:deff:baca:3f97:872d:d00d/64)
       DNS: Increased reliance due to lengthy addresses; AAAA (“Quad A”) Records
       ICMPv6: Neighbor Discovery
       Routing: EIGRPv6, OSPFv3
    6. IPv6 Addressing
       2002:adb8:85a3:af90:b8b8:8a2e:1773:ff31/64
       8 x 16 bits separated by a : (colon); prefix length in CIDR format, NOT a 255.x.x.x-style mask
       Each interface has a link local address and a routable address
       Routable address assignment: [Modified] EUI-64; Auto w/ privacy extensions; Manual
       Neighbor Discovery: heavy use of ICMP and Multicast
    7. IPv6 Subnetting (diagram)
       Example address 2001:0DB8:0800:3333:AAAA:BBBB:CCCC:DDDD with CIDR prefix lengths /16, /48, /64, /120 and /128 marking the split between the network/subnet portion and the host portion (bit counts shown: 16, 4, 8)
    8. Key Prefixes (table)
    9. Prefix Sizes (table)
       1 Assumes using the “standard” allocation of /64 for all links and segments
   10. Comparison Table (table)
   11. Transition Technologies
       Dual stack
       NAT: NAT64 & DNS64 / NAT46 / NAT44 / NAT66 / NAT-PT / CGNAT / NAT444 / NAT464 / DS-Lite
       Tunnels: 6to4 (RFC 3056); 6in4; ISATAP (RFC 5214); GRE/IPv6 over DMVPN; 6rd; LISP
       Reverse Proxy/Load Balancers
   12. Current / Final State (diagram)
   13. Transitional (diagram)
   14. Dual Stack Transition Plan
       Make sure there are no DNS AAAA records (alternate: disable IPv6 on all devices)
       Enable IPv6 in core, then firewall, then internet router
       Enable select DMZ servers / inside clients
   15. DNSv6 and DNS64
       Name Resolution
         IPv4: set type=a, Address:
         IPv6: set type=aaaa, Address: 2001:558:1002:4:68:87:29:36
       DNS64: IPv6 client makes DNS AAAA query, DNS64 gateway translates IPv4 response to AAAA format
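The DNS64 behaviour on the slide above (an IPv6-only client asks for AAAA, the DNS64 resolver synthesizes an answer from the A record when no native AAAA exists) can be reproduced offline. The following Python is an added example, not part of the original presentation or any vendor's DNS64 implementation; it assumes the RFC 6052 well-known prefix 64:ff9b::/96 (the slides name no prefix) and uses a constructed zone with documentation-range addresses in place of real DNS answers.

```python
import ipaddress

# Assumption: the RFC 6052 well-known NAT64/DNS64 prefix. Operators may run their
# own /96 instead; the page itself does not name one.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """The reverse mapping a NAT64 gateway performs; None if the address is not synthesized."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


# Constructed zone data standing in for real DNS responses (RFC 5737 / RFC 3849 ranges).
ZONE = {
    "dual.example.":   {"A": ["192.0.2.20"], "AAAA": ["2001:db8:1::20"]},
    "v4only.example.": {"A": ["192.0.2.10"], "AAAA": []},
    "v6only.example.": {"A": [],             "AAAA": ["2001:db8:1::30"]},
}


def dns64_answer(name: str, zone: dict = ZONE,
                 prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> list:
    """What a DNS64 resolver hands an IPv6-only client for an AAAA query.

    Native AAAA records are returned unchanged; DNS64 only synthesizes when the
    name has A records but no AAAA records. A name with neither yields no answer.
    """
    rr = zone.get(name)
    if rr is None:
        return []
    if rr["AAAA"]:
        return list(rr["AAAA"])
    return [synthesize_aaaa(a, prefix) for a in rr["A"]]


if __name__ == "__main__":
    for qname in ZONE:
        print(f"{qname:18} AAAA -> {dns64_answer(qname)}")
    # Which synthesized answers point back at IPv4-only servers via NAT64?
    for addr in dns64_answer("v4only.example."):
        print(f"{addr} is NAT64 for {extract_ipv4(addr)}")
```

Note the ordering in `dns64_answer`: a resolver that synthesized even when a native AAAA existed would silently route dual-stack traffic through the NAT64 gateway, which is the failure mode to watch for when a firewall permits the 64:ff9b::/96 range.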
   16. Client detects presence of routers on the link using Router Solicitation
       Uses link-local address as the source IP
       No gateway needed; learned from RAs.
       DHCPv6
   17. IPv6 Attacks
       IPv6 NDP Exhaustion: Configuring /64s per subnet is akin to configuring an IPv4 /8 on a LAN. Allocate a /64, configure a /120 (breaks SLAAC).
       Ping/Ping or Ping/Pong attack
       ND vulnerabilities
       ICMP must be open to inside hosts
       Dual Stack Hosts: IPv6 may not be locked down
   18. Additional Resources
       Books: Deploying IPv6 in WAN/Branch Networks; Cisco Deploying IPv6 Networks; Cisco Global IPv6 Strategies
       ARIN IPv6 Wiki
       Measuring IPv6 Adoption
       Cisco IOS IPv6 Configuration Guide
   19. APPENDIX A: Device Configuration Examples
   20. Step 1: IPv6 Internet Access
       Dual Stack ISP: Request dual stack support from ISP
       or
       IPv6 Tunnel Broker: Sign up for free IPv6 tunnel broker service (from Hurricane Electric)
   21. Step 2: Cisco Router Security (IPv4)
       Access List
         ip access-list extended ACL-OUTSIDE-IN
          remark --- Allow IPv6 Tunnel Broker
          permit icmp host any echo
          permit 41 host any
          permit …
          deny ip any any log
         interface F4
          description Internet Interface
          ip access-group ACL-OUTSIDE-IN in
       Encapsulated traffic must be permitted in/out of the physical interface.
   22. IP Protocol 41 is reserved for IPv6 encapsulation. The IP will change depending on the IPv6 broker endpoint used.
   23. Step 3: Cisco Router Configuration (IP)
         ipv6 unicast-routing
         ipv6 cef
         interface Tu0
          description IPv6 Internet
          ipv6 enable
          ipv6 address 2001:DB8:F::2/64      ! Assigned from HE
          tunnel source F4                   ! Internet Interface
          tunnel destination                 ! IPv6 Broker Endpoint
          tunnel mode ipv6ip                 ! IPv6 Encapsulated in IPv4
         interface G0
          description LAN Segment
          ipv6 address 2001:DB8:1::1/64      ! IP from /48 allocation
          ipv6 address 2001:DB8:1::/64 EUI-64
          ipv6 enable
         ipv6 route ::/0 Tu0                 ! IPv6 default route
   24. Cisco Router IP Autoconfig
         IPV6-Router# sh ipv6 int
         GigabitEthernet0 is up, line protocol is up
          [Hardware is PQII_PRO_UEC, address is 68EF.BD61.4D13]                  (Interface MAC)
          IPv6 is enabled, link-local address is FE80::6AEF:BDFF:FE61:4D13      (EUI-64 insertion, U/L bit flip)
          No Virtual link-local address(es):
          Stateless address autoconfig enabled
          Global unicast address(es):
           2001:DB8:1:0:6AEF:BDFF:FE61:4D13, subnet is 2001:DB8:1::/64 [EUI/CAL/PRE]   (Learned via ND from upstream router)
           valid lifetime 2591835 preferred lifetime 604635
          Joined group address(es):
           FF02::1                (All IPv6 nodes, link local)
           FF02::1:FF61:4D13      (Solicited node addr for replies)
          MTU is 1500 bytes
          …
          ND DAD is enabled, number of DAD attempts: 1
          ND reachable time is 30000 milliseconds (using 30000)
          Default router is FE80::215:C6FF:FE53:9EC8 on GigabitEthernet0      (Link local addr used for next hop)
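The three addresses the router derives above (link-local, global via SLAAC, and the solicited-node group it joins) all come from the interface MAC 68EF.BD61.4D13 by the Modified EUI-64 rule and the FF02::1:FF00:0/104 solicited-node construction described in the speaker notes. The following Python is an added example, not code from the presentation or from Cisco; it reproduces those derivations and adds the reverse check a defender wants, recovering the MAC from any EUI-64-derived address (which is exactly what RFC 4941 temporary addresses exist to prevent). Sample values are the ones printed on this slide and on the Windows 7 slide; the function names are my own.

```python
import ipaddress


def modified_eui64(mac: str) -> int:
    """Derive the 64-bit Modified EUI-64 interface ID from a 48-bit MAC.

    RFC 4291 Appendix A: insert FF:FE between the OUI half and the NIC half
    of the MAC, then flip the universal/local (U/L) bit, bit 0x02 of the first
    octet. Accepts Cisco (68EF.BD61.4D13), colon and dash notations.
    """
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytes.fromhex(digits)
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02                      # U/L bit flip: 68 -> 6A in the slide's example
    return int.from_bytes(eui64, "big")


def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix (from an RA) with the EUI-64 interface ID, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:               # SLAAC with EUI-64 only works on a /64
        raise ValueError(f"EUI-64 SLAAC needs a /64 prefix, got /{net.prefixlen}")
    return str(ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac)))


def link_local_address(mac: str) -> str:
    """The fe80::/64 address every interface derives for itself."""
    return slaac_address("fe80::/64", mac)


def solicited_node(address: str) -> str:
    """FF02::1:FF00:0/104 plus the low 24 bits of the address being resolved."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def mac_from_address(address: str):
    """Recover the MAC if the interface ID is Modified EUI-64, else None.

    A None result for a global address means the host is using a random or
    temporary (RFC 4941) identifier and is not exposing its hardware address.
    """
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    mac = "68EF.BD61.4D13"                # interface MAC from the show ipv6 interface output
    glob = slaac_address("2001:db8:1::/64", mac)
    print("link-local    :", link_local_address(mac))
    print("global (SLAAC):", glob)
    print("solicited-node:", solicited_node(glob))
    # Windows 7 slide: the first address is EUI-64 derived, the temporary one is not
    print(mac_from_address("2001:db8:1::222:68ff:fe1a:e14c"))
    print(mac_from_address("2001:db8:1::a1fd:f339:f800:f7ff"))
```

Run over an address inventory, `mac_from_address` separates hosts whose global addresses leak their MAC from those already using privacy extensions, which is the practical check behind the notes' recommendation of RFC 4941 for externally visible addresses.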
   25. Step 4: Cisco Router Security (IPv6)
       Access List
         ipv6 access-list ACL-IPV6-IN
          remark --- Block AfriNIC/APNIC
          deny ipv6 2001:4200::/23 any
          deny ipv6 2C00:0000::/12 any
          deny ipv6 2001:0200::/23 any
          deny ipv6 2001:0C00::/23 any
          deny ipv6 2001:0E00::/23 any
          deny ipv6 2001:4400::/23 any
          deny ipv6 2001:8000::/19 any
          deny ipv6 2001:A000::/20 any
          deny ipv6 2001:B000::/20 any
          deny ipv6 2400:0000::/12 any
          remark --- Allow Neighbor Discovery
          permit icmp any any nd-na
          permit icmp any any nd-ns
          remark --- Block everything else
          deny ipv6 any any log
         interface Tunnel0
          ipv6 traffic-filter ACL-IPV6-IN in
       IOS Firewall (CBAC)
         ipv6 inspect alert-off
         ipv6 inspect routing-header
         ipv6 inspect max-incomplete low 100
         ipv6 inspect max-incomplete high 200
         ipv6 inspect one-minute low 100
         ipv6 inspect one-minute high 200
         ipv6 inspect udp idle-time 15
         ipv6 inspect tcp idle-time 1800
         ipv6 inspect tcp finwait-time 1
         ipv6 inspect tcp synwait-time 15
         ipv6 inspect tcp max-incomplete host 500 block-time 0
         ipv6 inspect name FW1 ftp
         ipv6 inspect name FW1 tcp
         ipv6 inspect name FW1 udp
         ipv6 inspect name FW1 icmp
         interface G0
          ipv6 inspect FW1 in
          ipv6 inspect FW1 out
   26. Step 5a: Windows Server Configuration
       Manually configure server IP address
       DHCPv6 scope created with local fc00 addressing (ULA) (optional)
       View of DNS A and AAAA record
   27. Step 5b: Windows 7 Configuration
       Enable IPv6
       Disable IPv6 tunnels (6to4, isatap, teredo)
       Prefer IPv4 over IPv6 during transition (KB929852)
       LAN Network Connection:
          Physical Address. . . . . . . . . : 00-22-68-1A-E1-4C
          DHCP Enabled. . . . . . . . . . . : Yes
          Autoconfiguration Enabled . . . . : Yes
          IPv6 Address. . . . . . . . . . . : 2001:db8:1::222:68ff:fe1a:e14c(Preferred)
          Temporary IPv6 Address. . . . . . : 2001:db8:1::a1fd:f339:f800:f7ff(Preferred)
          Link-local IPv6 Address . . . . . : fe80::688f:1818:28fc:f11e%12(Preferred)
          IPv4 Address. . . . . . . . . . . :
          Subnet Mask . . . . . . . . . . . :
          Default Gateway . . . . . . . . . :
          DHCP Server . . . . . . . . . . . :
          DHCPv6 IAID . . . . . . . . . . . : 218112349
          DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-C0-65-37-00-23-54-66-DF-67
          DNS Servers . . . . . . . . . . . : 2001:db8:1::10
   28. Step 5c: Mac OS X
   29. OS Support Comparison (table)
       1 Feature supported in IOS 12.4(24)T and later.
       2 EUI-64 capability disabled by default. Privacy extensions must be disabled to use.
       3 Privacy extensions disabled by default.
   30. Step 6: Test Connectivity
       Ping Test
         c:> ping
         Pinging [2001:4860:800d::63] with 32 bytes of data:

         Reply from 2001:4860:800d::63: time=45ms
         Reply from 2001:4860:800d::63: time=42ms
       Web Test
   31. APPENDIX B: Restrictions, Caveats, Considerations, and Tools
   32. Platform Limitations
       Does your L3 switch support hardware-based forwarding for IPv6?
   33. Application Compatibility
       Do log parsing applications recognize IPv6? (Syslog, etc.)
       IP address calculation formulas in spreadsheets
       IP-enabled A/V equipment
       Network Video Recording software
   34. Cisco Notes
       3560/3750: sdm prefer dual-ipv4-and-ipv6 default
       Others: ipv6 mld snooping
       IPv6 CEF disabled by default
       IPv6 will use resources from the IPv4 pool
   35. Tools
         stealthyb@nms2:~$ sudo aptitude install sipcalc
         stealthyb@nms2:~$ sipcalc 2001:db8:1::/48
         -[ipv6 : 2001:db8:1::/48] - 0

         [IPV6 INFO]
         Expanded Address        - 2001:0db8:0001:0000:0000:0000:0000:0000
         Compressed address      - 2001:db8:1::
         Subnet prefix (masked)  - 2001:db8:1:0:0:0:0:0/48
         Address ID (masked)     - 0:0:0:0:0:0:0:0/48
         Prefix address          - ffff:ffff:ffff:0:0:0:0:0
         Prefix length           - 48
         Address type            - Aggregatable Global Unicast Addresses
         Network range           - 2001:0db8:0001:0000:0000:0000:0000:0000 -
                                   2001:0db8:0001:ffff:ffff:ffff:ffff:ffff
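The sipcalc output above, the /48, /56 and /64 layouts in the speaker notes, and the "allocate a /64, configure a /120" point on the IPv6 Attacks slide all reduce to the same prefix arithmetic. The following Python is an added example, not part of the presentation or of sipcalc; it computes the same fields sipcalc prints for 2001:db8:1::/48 with the standard library `ipaddress` module and adds the subnet-count and SLAAC-capability checks a planner needs. Function names are my own; the prefixes are the documentation values from the slides.

```python
import ipaddress
from itertools import islice


def prefix_report(cidr: str) -> dict:
    """Summarize a prefix the way sipcalc does: forms, mask, range, size, SLAAC suitability."""
    net = ipaddress.IPv6Network(cidr, strict=False)   # strict=False: host bits in input are masked
    return {
        "expanded": net.network_address.exploded,
        "compressed": str(net.network_address),
        "prefix_length": net.prefixlen,
        "netmask": str(net.netmask),
        "first": net.network_address.exploded,
        # ipaddress names the last address broadcast_address even though IPv6 has no broadcast
        "last": net.broadcast_address.exploded,
        "addresses": net.num_addresses,
        "host_bits": 128 - net.prefixlen,
        # SLAAC (EUI-64 or RFC 4941 identifiers) requires exactly 64 host bits;
        # a /120 on a LAN blocks it, which is why that choice is a trade-off.
        "slaac_capable": net.prefixlen == 64,
    }


def subnet_count(parent: str, child_len: int) -> int:
    """How many /child_len subnets fit in the parent prefix (e.g. /64s in a /48)."""
    net = ipaddress.IPv6Network(parent, strict=False)
    if not net.prefixlen <= child_len <= 128:
        raise ValueError(f"child length /{child_len} does not fit inside /{net.prefixlen}")
    return 1 << (child_len - net.prefixlen)


def first_subnets(parent: str, child_len: int, count: int) -> list:
    """The first `count` child subnets, without materializing all 2^(child-parent) of them."""
    net = ipaddress.IPv6Network(parent, strict=False)
    return [str(s) for s in islice(net.subnets(new_prefix=child_len), count)]


def belongs_to(address: str, prefix: str) -> bool:
    """Membership test, e.g. does a logged source fall inside an allocation or an ACL range."""
    return ipaddress.IPv6Address(address) in ipaddress.IPv6Network(prefix, strict=False)


if __name__ == "__main__":
    for key, value in prefix_report("2001:db8:1::/48").items():
        print(f"{key:14} {value}")
    print("/64s in the /48:", subnet_count("2001:db8:1::/48", 64))
    print("first three    :", first_subnets("2001:db8:1::/48", 64, 3))
    print("/120 addresses :", prefix_report("2001:db8:1::/120")["addresses"])
    print("in allocation? :", belongs_to("2001:db8:1:0:6aef:bdff:fe61:4d13", "2001:db8:1::/48"))
```

`num_addresses` for a /64 returns the 18,446,744,073,709,551,616 figure quoted on the Comcast note, and `subnet_count("…/48", 64)` gives the 65,536 LAN segments a /48 site allocation provides; the same functions answer how many /56 customer blocks a provider /48 yields.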
   36. Q&A
       Q: How do I specify a port in an IPv6 URL?
       A: http://[2001:db8::dade:55]:8080/
       Q: What are the groups of digits called in between each : (colon)?
       A: Depending on your source, they can be called “fields”, “groups”, “quads”, “hextets”, or “hexadecatets”.