Post on 24-Mar-2020
IPv6 Introduction
By David Beveridge
IPv4 Usage 2010
Why hasn’t it happened yet
• Waiting for everyone else
• Content providers say there are no users
• ISPs say there’s no content
• Lack of CPE Equipment
• Users say it’s not broken so why change
• But, the writing is on the wall
IPv4 Address Depletion
IPv6 Address Types
• Unicast – a single interface, on a single node (eg normal use)
• Anycast – deliver to one of the interfaces in the set (eg load balance)
• Multicast – deliver to all interfaces in the set (eg broadcast)
Terminology
• node - a device that implements IPv6.
• router - a node that forwards IPv6 packets not explicitly addressed to itself.
• host - any node that is not a router.
• link - a communication facility or medium over which nodes can communicate at the link layer.
• neighbors - nodes attached to the same link.
• interface - a node's attachment to a link.
IPv6 – Address Format
An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits (two octets). The groups are separated by a colon (:). The same address written three ways:
• 2001:0db8:85a3:0000:0000:8a2e:0370:7334
• 2001:db8:85a3:0:0:8a2e:370:7334
• 2001:db8:85a3::8a2e:370:7334
The localhost (loopback) address, 0:0:0:0:0:0:0:1, and the IPv6 unspecified address, 0:0:0:0:0:0:0:0, are reduced to ::1 and ::, respectively.
IPv4-mapped IPv6 address
::ffff:c000:280 is usually written as ::ffff:192.0.2.128
IPv6 Common Addresses
• ::/0 – The entire Internet (0.0.0.0/0)
• ::/128 – Unspecified Address (0.0.0.0)
• ::1/128 – Loopback Interface (127.0.0.1)
• ::x.x.x.x/96 – deprecated IPv4-compatible address
• ::ffff:x.x.x.x/96 – an IPv4-mapped IPv6 address
• fe80::/10 – Link-Local Addresses
• ff00::/8 – Multicast
• 2000::/3 – Global Unicast
• 2001::/32 – Used for Teredo tunneling
• 2002::/16 – Used for 6to4 addressing
• 1000::/4, 4000::/3, 6000::/3, 8000::/3, A000::/3, C000::/3, E000::/4 – all currently reserved (future global unicast)
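The address-format and common-prefix slides above are exactly what a parser has to get right before any ACL, log search or reputation lookup can work: one address has many legal spellings, and the "class" of an address (mapped, link-local, 6to4, Teredo, global) is decided by prefix, not by how it was written. The following is an added example written for this transcript, not code from the original slides; it uses only the Python standard library `ipaddress` module and the sample addresses it builds are constructed from the documentation ranges shown above.

```python
import ipaddress

# Constructed sample inputs: documentation prefixes and well-known ranges only.
SAMPLES = [
    "2001:0db8:85a3:0000:0000:8a2e:0370:7334",
    "0:0:0:0:0:0:0:1",
    "0:0:0:0:0:0:0:0",
    "::ffff:c000:280",
    "fe80::1",
    "ff02::1",
    "2002:c000:0204::1",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",
]


def canonical(text):
    """Return (compressed, fully expanded) spellings of one IPv6 address.

    The compressed form is the RFC 5952 one: leading zeros dropped and the
    single longest run of zero groups replaced by '::'.
    """
    addr = ipaddress.IPv6Address(text)
    return str(addr), addr.exploded


def classify(text):
    """Name the class an address falls in, following the slide's list of common prefixes."""
    addr = ipaddress.IPv6Address(text)
    if addr.ipv4_mapped is not None:          # ::ffff:x.x.x.x/96
        return f"ipv4-mapped ({addr.ipv4_mapped})"
    if addr.is_unspecified:                   # ::/128
        return "unspecified"
    if addr.is_loopback:                      # ::1/128
        return "loopback"
    if addr.is_link_local:                    # fe80::/10
        return "link-local"
    if addr.is_multicast:                     # ff00::/8
        return "multicast"
    if addr.sixtofour is not None:            # 2002::/16, IPv4 embedded in bits 16-47
        return f"6to4 ({addr.sixtofour})"
    if addr.teredo is not None:               # 2001::/32
        return "teredo"
    if addr in ipaddress.IPv6Network("2000::/3"):
        return "global unicast"
    return "reserved"


def normalise_all(addresses=SAMPLES):
    """Compressed spelling and class for each input, as a log normaliser or ACL review would need."""
    return {text: (canonical(text)[0], classify(text)) for text in addresses}


if __name__ == "__main__":
    for text, (short, kind) in normalise_all().items():
        print(f"{text:40} -> {short:32} {kind}")
```

The practical point is in `canonical`: a firewall rule, log grep or blocklist that compares IPv6 addresses as strings will miss `2001:0db8:85a3:0000:0000:8a2e:0370:7334` when the rule was written as `2001:db8:85a3::8a2e:370:7334`. Parse first, then compare, and decide what to do with mapped and tunnelled addresses explicitly rather than letting them fall through as "global unicast".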
EUI-64 in IPv6
• Automatic Interface Addressing
• Implements IEEE 64-bit Extended Unique Identifier (EUI-64)
• No need for DHCP or manual configuration
• This is accomplished on Ethernet interfaces by referencing the already unique 48-bit MAC address.
EUI-64 step1
• Convert the 48-bit MAC address to 64 bits
• Any EUI-64 address having 0xFFFE immediately following its OUI portion can be recognized as having been generated from an EUI-48 (or MAC) address.
EUI-64 step 2
• The second step is to invert the universal/local (U/L) flag (bit 7) in the OUI portion of the address
• The motivation for inverting the "u" bit when forming the interface identifier is to make it easy for system administrators to hand configure local scope identifiers when hardware tokens are not available. This is expected to be the case for serial links, tunnel end-points, etc. The alternative would have been for these to be of the form 0200:0:0:1, 0200:0:0:2, etc., instead of the much simpler ::1, ::2
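The two EUI-64 steps above, carried through in code. This is an added example for this transcript, not code from the slides; it assumes a colon- or dash-separated MAC string as input and uses the documentation prefix 2001:db8:1234:1::/64 for the autoconfigured address. The third function shows the consequence that matters for defenders: an EUI-64 interface identifier lets anyone holding a log line recover the hardware address, which is why RFC 4941 privacy extensions and RFC 7217 stable opaque identifiers exist.

```python
import ipaddress


def mac_to_interface_id(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC, following the two steps above."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Step 1: split the MAC after the 24-bit OUI and insert 0xFFFE.
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Step 2: invert the universal/local bit. The slide's "bit 7" counts from the
    # left starting at 1, so it is the 0x02 bit of the first octet.
    eui64[0] ^= 0x02
    return bytes(eui64)


def slaac_address(prefix, mac):
    """Autoconfigured address: the advertised /64 prefix plus the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr):
    """Recover the MAC if the interface ID carries 0xFFFE after the OUI; None otherwise.

    This is the privacy cost of EUI-64 addressing: the same hardware address
    follows the host from network to network and is readable from any log line.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02          # undo the U/L inversion
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    addr = slaac_address("2001:db8:1234:1::/64", "00:11:22:33:44:55")
    print(addr, "->", mac_from_address(addr))
```

Inventory tools can use `mac_from_address` legitimately to tie an IPv6 address back to a switch port; the same ease of recovery is the argument for not exposing EUI-64 addresses on hosts that roam.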
ICMPv6 Types
Neighbor Discovery defines five different ICMP packet types: a pair of Router Solicitation and Router Advertisement messages, a pair of Neighbor Solicitation and Neighbor Advertisement messages, and a Redirect message. The messages serve the following purposes:
• Router Solicitation: When an interface becomes enabled, hosts may send out Router Solicitations that request routers to generate Router Advertisements immediately rather than at their next scheduled time.
• Router Advertisement: Routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message. Router Advertisements contain prefixes that are used for determining whether another address shares the same link (on-link determination) and/or address configuration, a suggested hop limit value, etc.
ICMPv6 Types
• Neighbor Solicitation: Sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address. Neighbor Solicitations are also used for Duplicate Address Detection.
• Neighbor Advertisement: A response to a Neighbor Solicitation message. A node may also send unsolicited Neighbor Advertisements to announce a link-layer address change.
• Redirect: Used by routers to inform hosts of a better first hop for a destination.
IPv6 Network Blocks
• /64 is the standard network block
• 64 bits for the Local Part (as per EUI-64)
• 64 bits for the Network Part
• /48 is the ideal Multiple Network Block Allocation (65536 x /64s)
• At one million packets per second on an IPv6 subnet with 10,000 hosts it would take over 28 years to find the first host to infect.
Subnetting a /48
• If 2001:db8:1234::/48 is your block
• Then your /64 networks are:-
– 2001:db8:1234:1::/64
– 2001:db8:1234:2::/64
– 2001:db8:1234:3::/64 ... etc to …
– 2001:db8:1234:ffff::/64
Subnetting a /56 or /60
• Every hex digit is 4 bits, so…
• 2001:db8:1234:aa00::/56 (256 subnets)
– 2001:db8:1234:aa00::/64 to
– 2001:db8:1234:aaff::/64
• 2001:db8:1234:aaa0::/60 (16 subnets)
– 2001:db8:1234:aaa0::/64 to
– 2001:db8:1234:aaaf::/64
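The /48, /56 and /60 subnetting slides above, generalised: the code below carves any allocation into /64 LANs (or another size) and can address the n-th LAN directly, which matters for a /48 where enumerating all 65536 subnets just to reach the last one is wasteful. This is an added example written for this transcript, not code from the slides; it uses the standard library `ipaddress` module and the documentation blocks shown above.

```python
import ipaddress


def enumerate_lans(block, lan_prefixlen=64):
    """Every /64 (or other size) inside an allocation, in address order."""
    net = ipaddress.IPv6Network(block)
    if lan_prefixlen < net.prefixlen:
        raise ValueError(f"/{lan_prefixlen} is larger than the block {net}")
    return [str(s) for s in net.subnets(new_prefix=lan_prefixlen)]


def nth_lan(block, n, lan_prefixlen=64):
    """Subnet number n (0-based) of the block, computed directly rather than by
    walking all 65536 /64s of a /48."""
    net = ipaddress.IPv6Network(block)
    if lan_prefixlen < net.prefixlen:
        raise ValueError(f"/{lan_prefixlen} is larger than the block {net}")
    count = 1 << (lan_prefixlen - net.prefixlen)
    if not 0 <= n < count:
        raise IndexError(f"{net} holds only {count} /{lan_prefixlen} networks")
    # Each step of n moves the subnet field by one; host bits stay zero.
    base = int(net.network_address) + (n << (128 - lan_prefixlen))
    return str(ipaddress.IPv6Network((base, lan_prefixlen)))


def allocation_summary(block, lan_prefixlen=64):
    """How many LANs a block yields and where they start and end."""
    net = ipaddress.IPv6Network(block)
    count = 1 << (lan_prefixlen - net.prefixlen)
    return {"block": str(net), "lans": count,
            "first": nth_lan(block, 0, lan_prefixlen),
            "last": nth_lan(block, count - 1, lan_prefixlen)}


if __name__ == "__main__":
    for block in ("2001:db8:1234::/48", "2001:db8:1234:aa00::/56", "2001:db8:1234:aaa0::/60"):
        print(allocation_summary(block))
```

Note that the first /64 of 2001:db8:1234::/48 is 2001:db8:1234::/64 (subnet zero), which the slide's list skips; the code numbers from zero so that subnet `ffff` is the last of exactly 65536.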
Service Provider Allocation
• There is enough space to allocate a /16 to every organisation that currently has an AS (autonomous system) number.
• Default allocation is currently only /32, which will allow the Internet to grow to 2^16 times the size it is now. (Many ISP allocations are in their own /24, so their allocation can grow; Optus seems to be in a /20 by itself, Telstra has a full /20 allocated.)
• Every current IPv4 address user already has a /48 allocated to allow them to communicate with new IPv6-only users (2002::/16 range).
Minimum Allocation to an ISP
• /32 is the standard allocation to small ISPs.
• This allows for 65536 customers to receive a /48 each.
• Initial allocations larger than /32 may be justified if:
– The organization provides comprehensive documentation of planned IPv6 infrastructure which would require a larger allocation; or
– The organization provides comprehensive documentation of all of the following:
• its existing IPv4 infrastructure and customer base,
• its intention to provide its existing IPv4 services via IPv6, and
• its intention to move some of its existing IPv4 customers to IPv6 within two years.
Getting IPv6 now
• Internode – ADSL Broadband Trial with IPv6 PPP & DHCP Prefix Delegation
– http://ipv6.internode.on.net/access/tunnel-broker/
• Aarnet – http://broker.aarnet.net.au
– Allocates /64 only
• Hurricane Electric – http://tunnelbroker.net
– Allocates /48
– Tunnel Broker based in USA or Hong Kong
• Automatic 6to4 Tunnel – All public IPv4 Addresses already have /48 allocated
• Microsoft Teredo Tunnel (for NAT users with private IPs) – Windows XP/2003/Vista/2008 OS
How 6to4 works
• 6to4 performs three functions:
– Assigns a block of IPv6 address space to any host or network that has a global IPv4 address.
– Encapsulates IPv6 packets inside IPv4 packets for transmission over an IPv4 network using 6in4.
– Routes traffic between 6to4 and "native" IPv6 networks.
• Uses Protocol 41 (eg: 1=ICMP, 6=TCP, 17=UDP, 47=GRE, 50=ESP, 51=AH)
How 6to4 works
• Allocated IPv6 Addresses per IPv4 Address
– 2002:CAFE:F00D::/48 allocated to 202.254.240.13
– 2002:DEAD:BEEF::/48 allocated to 222.173.190.239
– 16 bits for 65536 x ::/64 local networks
• Routing
– BGP Anycast 192.88.99.1 is the path to IPv6
– 2000::/16 is the BGP Advertisement for IPv4
• Reverse DNS
– https://6to4.nro.net
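The two 6to4 slides above give the rule (2002:<IPv4 in hex>::/48 per global IPv4 address) and the transport (IP protocol 41). The added example below, written for this transcript and not code from the slides, does both: it derives the /48 for the two IPv4 addresses shown, and it decodes a protocol-41 packet to apply the consistency check RFC 3964 asks of 6to4 relays, namely that a 2002: inner source must embed the outer IPv4 source. The packets are constructed inline with `build_6in4` (minimal headers, IPv4 checksum left zero); they are not captures.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41   # 6in4: IPv6 carried directly inside IPv4, as listed on the slide


def sixtofour_prefix(ipv4):
    """The /48 that 6to4 assigns to a global IPv4 address: 2002:<ipv4 as hex>::/48."""
    a = ipaddress.IPv4Address(ipv4)
    if not a.is_global:
        raise ValueError(f"{a} is not globally routable; 6to4 needs a global IPv4 address")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(a) << 80), 48))


def embedded_ipv4(addr):
    """IPv4 address embedded in a 2002::/16 address, or None for anything else."""
    return ipaddress.IPv6Address(addr).sixtofour


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, proto=IPPROTO_IPV6):
    """Constructed test packet: a minimal IPv4 header (checksum left zero) around an
    IPv6 header with no payload (next header 59, 'no next header', hop limit 64)."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64)
    inner += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, proto, 0,
                        ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner


def check_6in4(packet):
    """Decode an IPv4 packet; for protocol 41 report the inner IPv6 endpoints and
    whether a 2002: inner source embeds the outer IPv4 source (the RFC 3964 check).
    Returns None for anything that is not 6in4."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, _ = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != IPPROTO_IPV6:
        return None
    ihl = (ver_ihl & 0x0F) * 4
    inner = packet[ihl:ihl + 40]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 but no complete inner IPv6 header")
    outer_src = ipaddress.IPv4Address(src)
    inner_src = ipaddress.IPv6Address(inner[8:24])
    inner_dst = ipaddress.IPv6Address(inner[24:40])
    embedded = inner_src.sixtofour
    return {
        "outer_src": str(outer_src),
        "inner_src": str(inner_src),
        "inner_dst": str(inner_dst),
        "is_6to4": embedded is not None,
        # False means the inner 6to4 source does not belong to the outer IPv4 sender:
        # a misconfiguration, or a spoofed source that a relay should drop.
        "consistent": embedded == outer_src,
    }


if __name__ == "__main__":
    print(sixtofour_prefix("202.254.240.13"), sixtofour_prefix("222.173.190.239"))
    pkt = build_6in4("202.254.240.13", "192.88.99.1", "2002:cafe:f00d::1", "2001:db8::1")
    print(check_6in4(pkt))
```

The same decoder is what a firewall or IDS needs to look inside tunnelled traffic at all: without it, everything on protocol 41 is one opaque flow and the IPv6 policy is not applied to it.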
How 6to4 works
Consumer routers with 6to4 support
• Apple's Airport Extreme & Airport Express base station
• Linksys WRT610N
• Various Buffalo Technology wireless routers
• D-Link DIR-615, DIR-825 (V2 firmware; currently available for the DIR-825 Rev. B *only*!)
• AVM FRITZ!Box 7270 (experimental “Labor” version)
• Mikrotik RouterOS software and RouterBoard hardware. Requires v3 and above with the IPv6 package installed
• Fortinet's FortiGate. Also supports stateful Firewalling, Antivirus, Application-Control and Intrusion-Protection for IPv6
D-Link 825 Rev B
http://www.gizmomart.com.au/product_info.php?products_id=262411 $169.95
Windows 6to4
• Windows XP SP2 or better
– For XP install the TCP/IP version 6 Protocol in Control Panel, Add/Remove Windows Components
• Then enter the following into a command prompt
netsh interface ipv6 6to4 set relay 192.88.99.1
MacOS X
CentOS 6to4
/etc/sysconfig/network
NETWORKING_IPV6=yes
IPV6_DEFAULTDEV="tun6to4"
IPV6FORWARDING=yes (optional)
/etc/sysconfig/network-scripts/ifcfg-ppp0
IPV6INIT=yes
IPV6TO4INIT=yes
IPV6TO4_IPV4ADDR=192.0.1.2 (only required if behind NAT)
IPV6TO4_ROUTING="eth0-:cafe::0/64 eth1-:face::0/64" (optional)
IPV6_CONTROL_RADVD=yes (optional)
CentOS Router Advertisements
/etc/radvd.conf
interface eth0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    prefix 0:0:0:cafe::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
        Base6to4Interface ppp0;
        AdvPreferredLifetime 120;
        AdvValidLifetime 300;
    };
};
interface eth1
{
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    prefix 0:0:0:face::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
        Base6to4Interface ppp0;
        AdvPreferredLifetime 120;
        AdvValidLifetime 300;
    };
};
How Teredo works
• The Teredo protocol performs several functions:
– Diagnoses UDP over IPv4 (UDPv4) connectivity and discovers the kind of NAT present (using a simplified replacement to the STUN protocol);
– assigns a globally-routable unique IPv6 address to each host using it;
– encapsulates IPv6 packets inside UDPv4 datagrams for transmission over an IPv4 network (this includes NAT traversal);
– routes traffic between Teredo hosts and native (or otherwise non-Teredo) IPv6 hosts.
How Teredo Works
NAT Types
• Cone NAT – Once the NAT translation table entry is in place, inbound traffic to the external address and port number from any source address and port number is allowed and translated.
• Port Restricted – A NAT in which the NAT translation table entry stores a mapping between an internal address and port number and an external address and port number, for either specific source addresses or specific source address and port numbers.
• Symmetric – When random port maps are used it's impossible for both sides to choose matching ports.
Require Related Source IP Source Port Remote Port Remote IP
Full Cone 1:1 NAT X
Restricted Cone NAPT X X X
Port Restricted NAPT X X X X
Symmetric NAPT X X X X X
How Teredo Works
Teredo node types
• Teredo defines several different kinds of node:
– Teredo client (End User) – A host which has IPv4 connectivity to the internet from behind a NAT and uses the Teredo tunneling protocol to access the IPv6 Internet. Teredo clients are assigned an IPv6 address that starts with the Teredo prefix (2001:0000::/32).
– Teredo server (NAT Setup) – A well-known host which is used for initial configuration of a Teredo tunnel. A Teredo server never forwards any traffic for the client (apart from IPv6 pings), and has therefore very modest bandwidth requirements (a few hundred bits per second per client at most), which allows a single server to support large numbers of clients. Additionally, a Teredo server can be implemented in a fully stateless manner, thus using the same amount of memory regardless of how many clients it supports.
– Teredo relay (Tunnel Terminator & Traffic Relay) – The remote end of a Teredo tunnel. A Teredo relay must forward all of the data on behalf of the Teredo clients it serves, with the exception of direct Teredo client to Teredo client exchanges. Therefore, a relay requires a lot of bandwidth and can only support a limited number of simultaneous clients. Each Teredo relay serves a range of IPv6 hosts (e.g. a single campus/company, an ISP or a whole operator network, or even the whole IPv6 Internet); it forwards traffic between any Teredo clients and any host within said range.
– Teredo host-specific relay (Stand alone server) – A Teredo relay whose range of service is limited to the very host it runs on. As such, it has no particular bandwidth or routing requirements. A computer with a host-specific relay will use Teredo to communicate with Teredo clients, but it will stick to its main IPv6 connectivity provider to reach the rest of the IPv6 Internet.
Teredo IP Address
• As an example, the IPv6 address 2001:0000:4136:e378:8000:63bf:3fff:fdd2 refers to a Teredo client:
• using Teredo server at address 65.54.227.120 (4136e378 in hexadecimal),
• located behind a cone NAT (bit 64 is set),
• using UDP mapped port 40000 on its NAT (in hexadecimal 63bf xor ffff equals 9c40, or decimal number 40000),
• whose NAT has public IPv4 address 192.0.2.45 (3ffffdd2 xor ffffffff equals c000022d, which is to say 192.0.2.45).
Bits        | 0 - 31    | 32 - 63            | 64 - 79  | 80 - 95             | 96 - 127
Length      | 32 bits   | 32 bits            | 16 bits  | 16 bits             | 32 bits
Description | Prefix    | Teredo server IPv4 | Flags    | Obfuscated UDP port | Client public IPv4
Part        | 2001:0000 | 4136:e378          | 8000     | 63bf                | 3fff:fdd2
Decoded     |           | 65.54.227.120      | cone NAT | 40000               | 192.0.2.45
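The worked decoding above, as code. This is an added example for this transcript, not code from the slides; it reproduces the table's field layout for the same address and round-trips it through an encoder, then cross-checks against the standard library's own `IPv6Address.teredo` attribute. The port and client address are stored XOR-ed with all ones because Teredo is designed to cross NATs that rewrite any copy of their own public address they find in a payload; the decoder has to undo that before the values are usable.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")


def decode_teredo(addr):
    """Split a Teredo address into the fields of the table above; None if not 2001::/32."""
    a = ipaddress.IPv6Address(addr)
    if a not in TEREDO_PREFIX:
        return None
    p = a.packed
    flags = int.from_bytes(p[8:10], "big")
    return {
        "server": ipaddress.IPv4Address(p[4:8]),                        # bits 32-63, stored plainly
        "cone_nat": bool(flags & 0x8000),                                # bit 64 of the address
        "flags": flags,
        "udp_port": int.from_bytes(p[10:12], "big") ^ 0xFFFF,            # bits 80-95, XOR-obfuscated
        "client": ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16])),  # bits 96-127, XOR-obfuscated
    }


def encode_teredo(server, client, udp_port, cone=False):
    """Inverse of decode_teredo: how a client forms its address from what the server told it."""
    flags = 0x8000 if cone else 0
    packed = (TEREDO_PREFIX.network_address.packed[:4]
              + ipaddress.IPv4Address(server).packed
              + flags.to_bytes(2, "big")
              + (udp_port ^ 0xFFFF).to_bytes(2, "big")
              + bytes(b ^ 0xFF for b in ipaddress.IPv4Address(client).packed))
    return ipaddress.IPv6Address(packed)


def matches_stdlib(addr):
    """Cross-check: ipaddress.IPv6Address.teredo returns the (server, client) pair."""
    fields = decode_teredo(addr)
    if fields is None:
        return False
    return ipaddress.IPv6Address(addr).teredo == (fields["server"], fields["client"])


if __name__ == "__main__":
    print(decode_teredo("2001:0000:4136:e378:8000:63bf:3fff:fdd2"))
```

For incident response the useful output is `client` and `udp_port`: a Teredo address seen in IPv6 logs names the NAT's public IPv4 address and mapped port, which is what the IPv4-side firewall or flow logs will show for the same host.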
Initial communication between Teredo clients in different sites with restricted NATs
Initial communication from an IPv6-only host to a Teredo client with a restricted NAT
Initial communication from a Teredo client to an IPv6-only host with a restricted NAT
Example Cisco PIX Config
interface Ethernet0
    nameif outside
    ipv6 address 2001:db8:c000:1051::37/64
    ipv6 enable
    ipv6 nd suppress-ra
interface Ethernet1
    nameif inside
    ipv6 address 2001:db8:c000:1052::1/64
    ipv6 enable
ipv6 unicast-routing
ipv6 route outside ::/0 2001:db8:c000:1051::1
IPv6 DNS Records
• AAAA – Forward Lookup
box6.bevhost.com IN AAAA 2607:f878:1:668::84
• PTR – Reverse Lookup
4.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.6.0.1.0.0.0.8.7.8.f.7.0.6.2.ip6.arpa IN PTR box6.bevhost.com.
• Glue
For self-hosted domains, where supported by the domain registrar (Melbourne IT only in Australia).
bevhost.com is registered with gkg.net; yourhostname.ip6.name can be used if anyone here needs it.
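Writing the PTR owner name above by hand is error-prone (32 nibbles, reversed), so the usual approach is to generate both records from the address. The code below is an added example for this transcript, not code from the slides; it reproduces the AAAA and PTR records shown for box6.bevhost.com, derives the ip6.arpa zone name for the /64 that holds it, and writes the PTR owner relative to that zone, which is how the record would appear inside the zone file.

```python
import ipaddress


def ip6_arpa(addr):
    """Reverse-DNS owner name for one address: all 32 nibbles, reversed, dot-separated."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_zone(network):
    """Zone that holds the PTR records of a prefix; ip6.arpa delegations cut on nibble
    boundaries, so the prefix length must be a multiple of 4."""
    net = ipaddress.IPv6Network(network)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa zones are delegated on nibble (4-bit) boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_record(addr, zone, hostname):
    """One zone-file line for addr, with the owner name written relative to zone."""
    full = ip6_arpa(addr)
    suffix = "." + zone
    if not full.endswith(suffix):
        raise ValueError(f"{addr} is not inside {zone}")
    return f"{full[:-len(suffix)]} IN PTR {hostname.rstrip('.')}."


def aaaa_record(hostname, addr):
    """Matching forward record, in the compressed spelling the slide uses."""
    return f"{hostname} IN AAAA {ipaddress.IPv6Address(addr)}"


if __name__ == "__main__":
    zone = reverse_zone("2607:f878:1:668::/64")
    print(aaaa_record("box6.bevhost.com", "2607:f878:1:668::84"))
    print(zone)
    print(ptr_record("2607:f878:1:668::84", zone, "box6.bevhost.com"))
```

Generating forward and reverse from one source of truth also keeps them consistent, which matters because mail servers and some access controls reject hosts whose PTR does not resolve back to the same address.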
Setting up Bind
/etc/named.conf
options {
    listen-on port 53 {
        127.0.0.1;
        96.9.149.84;
        96.9.149.85;
    };
    listen-on-v6 port 53 {
        ::1;
        2607:f878:1:668::84;
        2607:f878:1:668::85;
    };
};
Setting up postfix & dovecot
/etc/postfix/main.cf
inet_protocols = ipv4,ipv6
/etc/dovecot.conf
listen = *, [::]
Setting Up Apache
NameVirtualHost [2607:f878:1:668::84]:80
<VirtualHost [2607:f878:1:668::84]:80>
…
</VirtualHost>
cPanel Scripts
http://wiki.netniche.com.au/index.php/Cpanel_IPv6
• Creates a local part address for each web site based on an MD5 hash of the domain name
Useful PHP 5.1 features
• string inet_ntop ( string $in_addr ) – This function converts a 32-bit IPv4, or 128-bit IPv6 address (if PHP was built with IPv6 support enabled) into an address family appropriate string representation.
• string inet_pton ( string $address ) – This function converts a human readable IPv4 or IPv6 address (if PHP was built with IPv6 support enabled) into an address family appropriate 32-bit or 128-bit binary structure.
<?php
$packed = chr(127) . chr(0) . chr(0) . chr(1);
$expanded = inet_ntop($packed);
echo $expanded; /* Outputs: 127.0.0.1 */
$packed = str_repeat(chr(0), 15) . chr(1);
$expanded = inet_ntop($packed);
echo $expanded; /* Outputs: ::1 */
?>
Useful PHP 5.2 features
• Filter can be used to validate IP Addresses
• mixed filter_var ( mixed $variable [, int $filter = FILTER_DEFAULT [, mixed $options ]] )
<?php
$ip = '2001:db8:1234::1';
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
    echo "This ($ip) IPv6 address is considered valid.";
}
?>
Migration States
Dual Stack Network
Doesn't solve the problem, as only customers with an IPv4 address can access IPv4 content
DS Lite style NAT464
• Requires special CPE equipment or software
Dual Stack with NAT444
Requires subscribers to have dual stack to get to both networks
Stateful NAT64
• Suitable for greenfield networks or sites
• Requires modified DNS and CGN
Stateless NAT IVI
CERNET in China has been running IPv6↔IPv4 IVI translators for a couple of years and considers the IVI path well proven for enabling v4-v6 transition compared with other coexistence techniques.
DHCPv6 Overview
• Used to configure nodes with the following:
– One or more IPv6 addresses, or
– Configuration information, or
– One or more IPv6 prefixes
– Or all of the above
• Offers similar functionality to DHCPv4 but for IPv6
• Additional mode of operation in DHCPv6
– Stateless DHCPv6, where configuration information only is exchanged
– Stateful is similar to how DHCPv4 traditionally operates
• Requires IPv6 transport
• DHCPv6 is not simply an upgrade to DHCPv4; it is a separate and distinct protocol
• Generally DHCPv4 and DHCPv6 transmit information respective to the versions of IP being used
– In some cases this information can intersect or conflict, for example:
• DNS server IP address, DNS search path
Fundamentals of DHCPv6
• DHCPv6 clients listen on port 546, servers and relays listen on port 547
• Solely layer 3 protocol unlike DHCPv4
• DHCPv6 clients and servers (relays) communicate via link-local multicast addresses
– All_DHCP_Relay_Agents_and_Servers and All_DHCP_Servers multicast addresses are used by DHCPv6
– Relays may forward DHCPv6 messages to other relays or servers using link-local multicast or global unicast IPv6 addresses
• Relay agent "chaining" through DHCPv6 message encapsulation
– Information about each relay agent between the client and server is encapsulated
• DHCPv6 employs a larger option code space
– DHCPv6 options are TLV similar to those in DHCPv4
– 16 bit option type code and length with variable length data
– Most information carried in options, instead of fixed header fields
– Vendor options also help to ensure that core DHCPv6 options are maximized and not overloaded
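The header and option layout described above (1-byte message type and 3-byte transaction id for client/server messages; 16-bit code, 16-bit length TLV options; relay chaining by wrapping the client's message inside a RELAY-FORW) is small enough to parse in a few dozen lines, and being able to do so is what lets a monitor on UDP 547 see who is actually soliciting, and through which relay. The code below is an added example written for this transcript, not code from the slides. Message type and option numbers are those of RFC 3315 and RFC 3646; the packet it parses is constructed inline by `sample_relayed_solicit` (documentation addresses, a made-up MAC), not a capture.

```python
import ipaddress
import struct

DHCPV6_CLIENT_PORT, DHCPV6_SERVER_PORT = 546, 547

# Message types from RFC 3315 (only the ones this example reports by name).
MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 7: "REPLY",
             10: "RECONFIGURE", 11: "INFORMATION-REQUEST",
             12: "RELAY-FORW", 13: "RELAY-REPL"}
# Option codes: RFC 3315 plus the DNS options of RFC 3646.
OPT_CLIENTID, OPT_ORO, OPT_ELAPSED, OPT_RELAY_MSG, OPT_IFACE_ID = 1, 6, 8, 9, 18
OPT_DNS_SERVERS, OPT_DOMAIN_LIST = 23, 24


def parse_options(data):
    """Walk the option area: 16-bit code, 16-bit length, then `length` bytes, repeated."""
    options, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if len(data) - off < length:
            raise ValueError(f"option {code} declares {length} bytes, {len(data) - off} remain")
        options.append((code, data[off:off + length]))
        off += length
    return options


def parse_message(packet):
    """Client/server messages carry a 1-byte type and 3-byte transaction id; relay
    messages (RELAY-FORW/RELAY-REPL) carry hop count, link-address and peer-address."""
    if len(packet) < 4:
        raise ValueError("truncated DHCPv6 header")
    msg_type = packet[0]
    if msg_type in (12, 13):
        if len(packet) < 34:
            raise ValueError("truncated relay header")
        return {"type": MSG_TYPES[msg_type],
                "hop_count": packet[1],
                "link_address": str(ipaddress.IPv6Address(packet[2:18])),
                "peer_address": str(ipaddress.IPv6Address(packet[18:34])),
                "options": parse_options(packet[34:])}
    return {"type": MSG_TYPES.get(msg_type, f"type-{msg_type}"),
            "xid": int.from_bytes(packet[1:4], "big"),
            "options": parse_options(packet[4:])}


def unwrap(packet):
    """Follow OPT_RELAY_MSG down the relay chain. Returns the parsed layers outermost
    first, so the last entry is the client's own message."""
    layers = []
    while True:
        msg = parse_message(packet)
        layers.append(msg)
        inner = [value for code, value in msg["options"] if code == OPT_RELAY_MSG]
        if not inner:
            return layers
        packet = inner[0]


def is_well_formed(packet):
    """True if every header and option length in the chain is internally consistent."""
    try:
        unwrap(packet)
    except ValueError:
        return False
    return True


def build_option(code, payload):
    return struct.pack("!HH", code, len(payload)) + payload


def sample_relayed_solicit():
    """Constructed sample, not a capture: a SOLICIT from a host with MAC 00:11:22:33:44:55
    on the documentation link 2001:db8:1234:1::/64, forwarded by one relay via eth1."""
    duid_ll = struct.pack("!HH", 3, 1) + bytes.fromhex("001122334455")   # DUID-LL, Ethernet
    solicit = bytes([1]) + (0xABCDEF).to_bytes(3, "big")                  # SOLICIT, transaction id
    solicit += build_option(OPT_CLIENTID, duid_ll)
    solicit += build_option(OPT_ORO, struct.pack("!HH", OPT_DNS_SERVERS, OPT_DOMAIN_LIST))
    solicit += build_option(OPT_ELAPSED, struct.pack("!H", 0))
    relay = bytes([12, 0])                                                 # RELAY-FORW, hop count 0
    relay += ipaddress.IPv6Address("2001:db8:1234:1::1").packed            # link-address
    relay += ipaddress.IPv6Address("fe80::211:22ff:fe33:4455").packed       # peer-address
    relay += build_option(OPT_IFACE_ID, b"eth1") + build_option(OPT_RELAY_MSG, solicit)
    return relay


if __name__ == "__main__":
    for layer in unwrap(sample_relayed_solicit()):
        print(layer["type"], [code for code, _ in layer["options"]])
```

The length checks in `parse_options` are not decoration: a relay or server that trusts a declared option length without comparing it to the bytes actually present is the classic way a malformed datagram becomes a crash or an over-read, and this is traffic that arrives unauthenticated from the local link.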
DHCPv6 Role of Routers
• Routers in IPv6 deployments have different roles in the network compared to routers in IPv4 deployments
• IPv6 routers advertise their availability using IPv6 Router Advertisement messages
– Unlike IPv4 deployments, where hosts are explicitly told where routers are (statically, via DHCPv4, etc.)
– Details of IPv6 router behaviour are out of scope
• IPv6 routers also transmit additional information that is relevant to the links they serve, including but not limited to the following:
– Prefix information, or information about prefixes that are in use or valid for a given link or links
– Flags that suggest how DHCPv6 should be used by nodes
• Managed bit suggests use of stateful DHCPv6
• Other bit suggests use of stateless DHCPv6
– Additionally the Autonomous bit indicates that auto-configuration should be used by nodes
Stateful DHCPv6
• Used when a DHCPv6 client wishes to be allocated an IPv6 address using DHCPv6
• Similar to DHCPv4 today, a DHCPv6 server will allocate one or more IPv6 addresses or prefixes to a DHCPv6 client
– DHCPv6 may leverage a four message exchange (SOLICIT, ADVERTISE, REQUEST, REPLY), or
– Rapid Commit may be employed, which uses only two messages (SOLICIT, REPLY)
• Configuration options like DNS Server IPv6 Addresses (RFC3646) may or may not be requested and offered to the client
– Note in DHCPv6 adherence to the Option Request Option is more rigidly evaluated and adhered to, unlike in DHCPv4 where the Parameter Request List is more of a hint
Stateful DHCPv6
Stateful DHCPv6 with Rapid Commit
Stateful DHCPv6 with Relay Agent
Stateless DHCPv6
• Assumes one or more techniques used by a node to acquire one or more IPv6 addresses
– Static assignment
– Auto-configuration
• Stateless DHCPv6 is a two message exchange (INFORMATION-REQUEST, REPLY) between a DHCPv6 client and server where configuration information only is provided (e.g. DNS server configuration where no IPv4 stack is present)
Stateless DHCPv6
DHCPv6 Server Preference Option
• DHCPv6 server preference option indicates the preference as configured administratively for a DHCPv6 server
– Per RFC3315 DHCPv6 clients wait a specified amount of time and gather DHCPv6 server responses to their requests
– If a DHCPv6 server response contains a preference less than 255, the client keeps waiting and collecting responses
– No preference indicates a preference of zero
– A preference of 255 indicates that no further waiting is required; this is the highest preference
• After waiting the specified amount of time a DHCPv6 client must select the best response
DHCPv6 Reconfigure
• Unlike DHCPv4, DHCPv6 Reconfigure affords a secure technique for DHCPv6 servers to interact with DHCPv6 clients
• The Reconfiguration Key Authentication Protocol, as specified in RFC3315, is the mechanism used to enable this interaction securely
• DHCPv6 clients must advertise support and willingness to enable Reconfigure
– DHCPv6 server must obviously be enabled and support this behavior as well
• After successfully negotiating willingness to support Reconfigure, DHCPv6 servers can be triggered to transmit Reconfigure messages to DHCPv6 clients
– Renew, Information-Request, or Rebind can result from the transmission of a Reconfigure message
• Reconfigure Key Authentication Protocol does not imply support for DHCPv6 Authentication as specified in RFC3315
DOCSIS 3.0 DHCPv6 Reconfigure
Data Over Cable Service Interface Specification (for cable modems)
IPv6 is supported by
Google, YouTube, Facebook
BitTorrent
World of Warcraft, Xbox, PS3
RFC5514 – IPv6 over Social Networks (1st April 09)
Conclusions and Recommendations
• DO
– Start now
– Evaluate your networks
– Experiment & Learn
– Plan your migration
– Harden your hosts
• DON’T
– Accept Private NAT IPv4 from an ISP unless IPv6 is offered alongside.
– Purchase new equipment without IPv6 support