INTERNET PROTOCOL V6
Ing. Ondřej Ševeček | PM Windows Server | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security |[email protected] | www.sevecek.com |
MOTIVATION
Internet Protocol v6
Motivation
The IPv4 address space is exhausted
You will not receive any new IPv4 addresses from about mid 2011
http://www.ipv6actnow.org/info/what-is-ipv4
Regional Authorities
Europe – RIPE NCC
America – ARIN
Latin America and the Caribbean – LACNIC
Asia and Pacific – APNIC
Africa – AfriNIC
Local Authorities
http://www-public.it-sudparis.eu/~maigron/RIR_Stats/RIPE_Allocations/IPv4/Alpha/CZ.html
Reason
IPv4 Address is only 4 Bytes
256^4 = 4 294 967 296
Not only is it not enough for all people
let alone sensor networks etc.
It is highly fragmented
IPv4 Space Fragmentation
An ISP receives, for example, the 136.85.117.x/24 subnet to distribute to its clients
136.85.117.0 is the network address
cannot be used
136.85.117.255 is the broadcast address
cannot be used
If they distribute single addresses, they have 254 available for use
IPv4 Space Fragmentation
If they decide to subnet and distribute two subnets, 136.85.117.0/25 and 136.85.117.128/25:
Network addresses that cannot be used: 136.85.117.0, 136.85.117.128
Broadcast addresses that cannot be used: 136.85.117.127, 136.85.117.255
The result is only 252 usable addresses
IPv4 Address Space Fragmentation
Number of customers on a /24   Addresses each customer receives   Number of useful addresses
1                              254                                254
2                              126                                252
4                              62                                 248
8                              30                                 240
16                             14                                 224
32                             6                                  192
64                             2                                  128
INTRODUCTION TO IPV6
Internet Protocol v6
IPv6 Addresses
16 Bytes = 128 bit
256^16 = 3.40 x 10^38
more than there are atoms in the whole universe
Example IP address
2001:0DB8:0000:0000:02AA:00FF:C0A8:640A/32
The netmask is specified as a number of bits only
Format
Assigned to the end user      Allocation is up to you
2001:0DB8:0000:0000           02AA:00FF:C0A8:640A
64 bit                        64 bit
18 446 744 073 709 551 616    18 446 744 073 709 551 616
Format
Removing unnecessary zeros and rewriting the last 4 bytes in decimal
2001:0DB8:0000:0000:02AA:00FF:C0A8:640A
2001:DB8:0:0:2AA:FF:C0A8:640A
2001:DB8::2AA:FF:C0A8:640A
2001:DB8::2AA:FF:192.168.100.10
The last 4 bytes have no real IPv4 meaning, it is just a transcription
ping fe80:0:000:00:4907:caee:180.34.148.78
ping fe80:0::4907:caee:b422:944e
Special Addresses
Address                  What Does It Mean                                                                          IPv4 Equivalent
::/128                   Nothing, not configured                                                                    0.0.0.0
::1/128                  Loopback                                                                                   127.x.x.x/8
::FFFF:IP.IP.IP.IP/96    IPv4 mapped, example ::FFFF:192.168.0.35; ping ::FFFF:10.10.0.11 goes over IPv4, a real technical effect
FE80::/10                Link Local Address, automatically generated                                                169.254.x.x/16
FC00::/7                 Unique Local Address, private address, not publicly routable                               10.x.x.x/8, 172.16.x.x .. 172.31.x.x/16, 192.168.x.x/24
Special Addresses
Link Local Address FE80::/10 covers FE8..., FE9..., FEA..., FEB..., FEC..., FED...
Unique Local Address FC00::/7 covers FC..., FD...
Special Addresses
Address            What Does It Mean                      IPv4 Equivalent
2001:0000::/32     Teredo, IPv4 over IPv6 tunneling
2001:0002::/48     Benchmarking, used in documentation
2001:0010::/28     Orchid, fixed term experiments
2001:DB8::/32      Documentation
2002::/16          6to4
2000::/3           Global Unicast
FF00::/8           Multicast                              224.x.x.x/4
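An added example, not from the deck: Python that expands and compresses the textual forms shown on the Format slides, writes the last 4 bytes as a dotted IPv4 quad (a pure transcription, as the deck notes), and classifies an address against the prefixes in the Special Addresses tables. The prefix table is copied from the slides; the functions and sample inputs are constructed.

```python
def expand(addr):
    """Turn any textual IPv6 form ('::', leading zeros, trailing dotted IPv4 quad) into eight group values."""
    if "." in addr:  # transcribe the dotted quad of the last 4 bytes into two hex groups
        head, _, quad = addr.rpartition(":")
        b = [int(x) for x in quad.split(".")]
        if len(b) != 4 or not all(0 <= v <= 255 for v in b):
            raise ValueError("bad embedded IPv4 quad: " + quad)
        hi, lo = (b[0] << 8) | b[1], (b[2] << 8) | b[3]
        addr = f"{head}:{hi:x}:{lo:x}"
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed: " + addr)
    if "::" in addr:  # '::' stands for as many zero groups as are missing
        left, right = addr.split("::")
        lg = left.split(":") if left else []
        rg = right.split(":") if right else []
        groups = lg + ["0"] * (8 - len(lg) - len(rg)) + rg
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError("need exactly eight 16-bit groups: " + addr)
    return [int(g, 16) for g in groups]

def compress(groups):
    """RFC 5952 short form: lowercase, no leading zeros, longest run (leftmost on a tie) of 2+ zero groups as '::'."""
    best, run = (0, 0), None  # (start, length) of the best zero run; start of the current run
    for i, g in enumerate(groups + [1]):  # the sentinel closes a trailing run
        if g == 0 and run is None:
            run = i
        elif g != 0 and run is not None:
            if i - run > best[1]:
                best = (run, i - run)
            run = None
    hexs = [f"{g:x}" for g in groups]
    if best[1] < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best[0]]) + "::" + ":".join(hexs[best[0] + best[1]:])

def with_ipv4_suffix(groups):
    """Write the last 4 bytes in dotted decimal; the deck's point is that this is only a transcription."""
    head = compress(groups[:6] + [0xFFFF, 0xFFFF])[:-10] or ":"  # drop the ':ffff:ffff' placeholder
    return head + ":" + ".".join(str(b) for g in groups[6:] for b in (g >> 8, g & 0xFF))

SPECIAL = [  # (prefix, bits, meaning) from the deck's Special Addresses tables, most specific first
    ("::", 128, "unspecified"), ("::1", 128, "loopback"), ("::ffff:0:0", 96, "IPv4 mapped"),
    ("2001:db8::", 32, "documentation"), ("2001:2::", 48, "benchmarking"),
    ("2001:10::", 28, "ORCHID"), ("2001::", 32, "Teredo"), ("2002::", 16, "6to4"),
    ("fe80::", 10, "link local"), ("fc00::", 7, "unique local"),
    ("ff00::", 8, "multicast"), ("2000::", 3, "global unicast"),
]

def classify(addr):
    """First match in SPECIAL (ordered most specific first); 'other' if nothing matches."""
    value = int("".join(f"{g:04x}" for g in expand(addr)), 16)
    for prefix, bits, meaning in SPECIAL:
        mask = ((1 << bits) - 1) << (128 - bits)
        if value & mask == int("".join(f"{g:04x}" for g in expand(prefix)), 16) & mask:
            return meaning
    return "other"
```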
PLATFORM SUPPORT
Internet Protocol v6
Platform Support
Windows XP, Windows 2003
optionally installable
Windows Vista, Windows 2008 and newer
by default present
primary use
Windows Mobile 6.0 and newer
by default present
primary use
Default IPCONFIG on Vista+ versus 2003/XP
DNS client on Vista+ versus 2003/XP
Installing IPv6 on Windows XP
Uff, installation does not require installation media
Cannot be configured from the GUI
Use NETSH instead
NETSH
NETSH INTERFACE IPV6 INSTALL
NETSH INTERFACE IPV6 SET ADDRESS
NETSH INTERFACE IPV6 DELETE DNSSERVERS ALL
NETSH INTERFACE IPV6 SET DNSSERVER ... PRIMARY
NETSH INTERFACE IPV6 ADD DNSSERVER ...
Legacy Client Applications
Windows XP/2003 client application supporting IPv6   Note
DNS client                                            AAAA is only a secondary address returned, and only if IPv6 is installed; by default the DNS client does not try to resolve AAAA records
Internet Explorer 5.0
Windows Explorer (shared files)                       FTP or WebDAV access not supported
SMB client (shared files)
Active Directory and Kerberos client
Windows Firewall                                      rules cannot distinguish between IPv4 and IPv6 and you cannot specify IPv6 remote address ranges
Office 2007
Legacy Server Applications
Windows Server 2003 IPv6-enabled service   Note
DNS Server                                  supports forward AAAA queries; supports AAAA records in its database; works/listens on IPv4 only by default, to listen on IPv6 as well you must enable: dnscmd /config /EnableIPv6 1
Active Directory
IIS 6.0                                     HTTP only. No support for FTP, SMTP or POP3 on IPv6 bindings. No GUI support, use ADSUTIL.VBS
Routing and Remote Access                   IPv6 routing only. Transition technologies 6to4, Teredo, ISATAP. No VPN client or IPv6 over PPP support
DNS server on Windows 2003 and reverse DNS zones :-)
Server Applications
Server application                                   IPv6 support
Lync 2010                                            no support
Threat Management Gateway 2010                       only as an IPv6 endpoint: Direct Access server (endpoint); no HTTP/S proxy; no IPv6 address in firewall rules
ISA Server 2006                                      no support
Exchange 2007                                        full support only on Windows 2008
SQL Server 2006                                      full support
SharePoint Server 2007, SharePoint Services 3.0      full support
Disabling IPv6 Correctly
Disabling IPv6 Tunnel Interfaces
netsh interface isatap set state disabled
netsh interface teredo set state disabled
netsh interface 6to4 set state disabled
netsh interface httpstunnel reset
Group Policy registry configuration
Never Uncheck the Protocol
Unless you know what you are doing
Threat Management Gateway 2010
Routing and Remote Access on Windows 2008
Disable Firewall Rules
BASIC LINK-LOCAL OPERATION
Internet Protocol v6
Vista+ Basic IP Configuration
Automatic link-local address FE80:: and automatic DNS server link-local addresses improve IPv6 transition for non-configured machines
You can configure these addresses manually on a DNS server in the same VLAN: FEC0:0:0:FFFF::1/128, FEC0:0:0:FFFF::2/128, FEC0:0:0:FFFF::3/128
Windows 2008+ DC
Windows XP Basic IP Configuration
IP Address Generated Automatically
Windows XP uses the MAC address
Windows Vista+ hashes the MAC address
and checks uniqueness on its segment
Random, unique but permanent
In this case it is a Link Local Address, which is non-routable
you cannot ping any computer behind a router with such an address
Not registered in DNS
Some options
Disable EUI-64 randomization
NETSH INTERFACE IPV6 SET GLOBAL RANDOMIZEIDENTIFIERS=disabled
Enable temporary interfaces
NETSH INTERFACE IPV6 SET PRIVACY STATE=enabled
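An added example, not from the deck: the modified EUI-64 construction that derives the permanent link-local interface identifier from a MAC address, which is what the slide describes for Windows XP (and what RANDOMIZEIDENTIFIERS=disabled restores on Vista+), together with the reverse check that shows why a hashed or randomized identifier does not reveal the MAC. The MAC 00-1F-29-B4-0B-24 is the one from the Ethernet/WiFi slide; the function names are constructed.

```python
import ipaddress

def eui64_interface_id(mac):
    """Modified EUI-64: split the 48-bit MAC in half, insert FF:FE in the middle
    and flip the universal/local bit (bit 1 of the first byte)."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address has 6 bytes: " + mac)
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)

def link_local_from_mac(mac):
    """The permanent FE80:: address derived from the NIC's MAC; the interface ID
    follows the FE80::/64 prefix, so the MAC is readable from the address."""
    prefix = bytes.fromhex("fe80") + bytes(6)
    return ipaddress.IPv6Address(prefix + eui64_interface_id(mac))

def mac_from_link_local(addr):
    """Reverse the construction; None when the interface ID was not built from a MAC
    (no FF:FE in the middle), which is what a hashed/randomized Vista+ ID looks like."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return "-".join(f"{b:02X}" for b in iid[:3] + iid[5:])
```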
Displaying address types: netsh interface ipv6 show address
Pinging
Primary Use on Vista+
LLMNR (Link Local Multicast Name Resolution)
Force IPv4 Name Resolution
Primary Use on Vista+
Or Use IPv6 Address Directly
Other clients
Comparing IPv4 and IPv6 Traffic
Comparing IPv4 and IPv6 Ping
Comparing IPv4 and IPv6 TCP
Static IPv6 settings
Static IPv6 settings using IPv4
What would be the source address of outgoing packets? The numerically lowest address in the same subnet, if not going over the gateway
PHYSICAL ADDRESS RESOLUTION
Internet Protocol v6
Ethernet/WiFi MAC Address
6 Bytes
still the same as with IPv4
normal switches used as ever
Example
00-1F-29-B4-0B-24
The first 3 bytes identify the vendor (Broadcom)
Google: IEEE OUI
IPv4 to MAC Address Resolution
ARP Protocol
Address Resolution Protocol
Broadcast: "hey everybody, who has this IP address?"
all switches need to flood it to all ports
every machine must handle the packet in its operating system TCP/IP stack
Anonymous
Cached in memory for 1 minute
ARP Protocol Query (IPv4)
ARP Cache Entries (IPv4)
IPv6 to MAC Address Resolution
ICMPv6 Neighbor Solicitation
response in ICMPv6 Neighbor Advertisement
Multicast
destination MAC address limits the number of hosts which receive the multicast
switches can limit the scope of flooding
Cached in memory for 1 minute
Anonymous
ICMPv6 Neighbor Solicitation
Neighbor Cache (IPv6): netsh interface ipv6 show neighbors NicName
Interface IDs
Link Local Address is non-routable
Multihomed computers require the interface ID to be specified
Interface IDs and Multi-homing (diagram): a multihomed machine with FE80::35%1 and FE80::72%2 on two switches, other machines FE80::56, FE80::69 and FE80::21; "Ping FE80::69" versus "Ping FE80::69%2"
Interface IDs Used in Ping
MULTICAST
Internet Protocol v6
Multicast vs. Broadcast
Broadcast
MAC = FF:FF:FF:FF:FF:FF
the switch floods all interfaces
Multicast
MAC 01:... – 03:... or 33:33:00:...
the switch floods all interfaces, or uses IGMP snooping
IGMP Group/Listener Report
IGMP snooping (diagrams): PCs and a switch, an IGMP report for the multicast MAC 01::05, and the switch forwarding 01::05 traffic with and without IGMP snooping
IPv6 Multicast Group Reporting
Multicast Listener Report
once when the service joins the group
once every 10 minutes
on every status change
Multicast Listener Query
issued periodically by routers to ask for reports
LINK LOCAL MULTICAST NAME RESOLUTION
Internet Protocol v6
Name Resolution (Vista+)
HOSTS (IPv6)
DNS AAAA (IPv6)
HOSTS (IPv4)
DNS A (IPv4)
LLMNR (IPv6 multicast)
NetBIOS (IPv4 broadcast)
Link Local Multicast Name Resolution
Supported with Vista+
Similar to NetBIOS name resolution
Anonymous
Uses multicasting instead of broadcasting
does not overload clients which do not support it
switches can support multicast by listening to IGMP
Default Use of LLMNR
Link Local Multicast Name Resolution
Link Local Multicast Name Resolution (diagrams): an XP machine (LLMNR disabled) and Vista+ machines (LLMNR enabled) on one switch, with IGMP reports and LLMNR queries
LLMNR Packets - Query
LLMNR Packets - Response
Disable LLMNR
STATIC IP ADDRESS CONFIGURATION
Internet Protocol v6
Routable IP Addresses
Necessary to be able to reach other subnets
Can be configured manually on each host
Or distributed from DHCP or routers
DHCPv6
Router Solicitation (router discovery)
Static Address Configuration
Static Address and DNS Registration
Static Address and Reverse DNS
Reverse DNS zones: ip6.arpa instead of in-addr.arpa
DNS Resolution is Primary Method
Querying DNS for IPv6
DYNAMIC ADDRESS CONFIGURATION
Internet Protocol v6
DHCPv6
Dynamic Host Configuration Protocol v6
similar to DHCPv4
uses multicasting
Distributes subnet prefix to clients
Anonymous
Reservations use MAC addresses again
DHCP Operation (Stateful)
Client (identified by MAC) to DHCPv6 server: multicast SOLICIT
DHCPv6 server to client: unicast ADVERTISE
Client to DHCPv6 server: multicast REQUEST
DHCPv6 server to client: unicast REPLY
DHCP Operation (Stateless)
Client already has a link-local address
Client to DHCPv6 server: multicast REQUEST
DHCPv6 server to client: unicast REPLY with options only
DHCP Solicit (~ v4 Discover)
DHCP Configuration
DHCP preference to speed up configuration
DHCP Notes
IPCONFIG /RELEASE6
IPCONFIG /RENEW6
Preference
the client waits for all DHCP servers to respond
configure 255 to speed up the use of the primary DHCP server (1 second delay)
No DHCPv6 router option
as of 06/2011 a draft only
Router Discovery
Routers are found by multicasting ICMPv6 Router Solicitation
Routing must be enabled either with NETSH or with RRAS
Anonymous
Router Solicitation
Router Advertisement
Router Configuration
Router advertisements: the default route must be published in order to configure the default gateway on clients
Published Routes
Client with Static Configuration
Client with static/DHCP/router advertised configuration: no IP addresses from the router
Resulting Address Types
Resulting routes on the client
Client with static/DHCP/router advertised configuration: IP addresses from the router
Resulting address types
Combining Router and DHCP
Two flags are sent out by routers
M flag = 1 – managed configuration
DHCPv6 is used for address configuration
O flag = 1 – other configuration
DHCPv6 is used to configure other options
NETSH INTERFACE IPv6 SET INTERFACE managedaddress=disable otherstateful=enabled
WINDOWS FIREWALL
Internet Protocol v6
Windows XP/2003
IPv6 inspection
No IPv6 address configuration
exceptions apply to both IPv4/IPv6
Windows Vista/2008 and newer
Full support
No IPv6 “checkbox”
must specify remote/local IP address manually
Inbound/outbound rules
Block rules
can disable IPv6/IPv4 traffic
TRANSITIONING AND TUNNELING
Internet Protocol v6
Transition technologies
Technology   Supported           Notes
6to4         Windows XP/2003     IP protocol 41
Teredo       Windows XP/2003     UDP 3544 inbound/outbound
ISATAP       Windows XP/2003     IP protocol 41
IP-HTTPS     Windows 7/2008 R2   HTTPS TCP 443
ISATAP (diagram): IPv6 hosts reaching an ISATAP router (R) across the IPv4 network
Teredo, 6to4 and IP-HTTPS (diagram): an IPv6 LAN and an IPv4 LAN connected through routers (R) over IPv4 to a client
Public Gateways
6to4
http://bgpmon.net/6to4.php
6to4.ipv6.microsoft.com
ipv6-lab-gw.cisco.com
Teredo
http://bgpmon.net/teredo.php
teredo.ipv6.microsoft.com
teredo.nic.cz
IP-HTTPS configuration
NETSH only
Group Policy for server addresses
Server computer HTTPS certificate, client computer HTTPS certificate
Windows 2012+, Windows 8+ can authenticate with Kerberos using Kerberos Proxy service
IP-HTTPS on SRV1 and on JudithPC: disable all other IPv6 over IPv4 tunnels
netsh interface isatap set state disabled
netsh interface teredo set state disabled
netsh interface 6to4 set state disabled
IP-HTTPS on R1: ipv6.gopas.cz is the name for outside access to the R1 public IP
IP-HTTPS on R1: NAT forward 80 and 443 to SRV1
IP-HTTPS
IP-HTTPS on SRV1: obtain the server certificate and test HTTPS from JudithPC in London
IP-HTTPS on SRV1: temporarily test-bind the server HTTPS certificate on the portal web site
IP-HTTPS on JudithPC: obtain and verify the client computer authentication certificate
IP-HTTPS on JudithPC: verify that https://ipv6.gopas.cz works to the test web server from London; save the certificate into a file
IP-HTTPS on JudithPC: verify the CRL of the server HTTPS certificate: certutil -urlfetch -verify
IP-HTTPS on SRV1: unbind the temporary test binding from the web server again; on an IP-HTTPS gateway you will not have IIS in production
IP-HTTPS on SRV1: verify that there is really no HTTPS :443 binding anymore: netsh http show sslcert
IP-HTTPS on SRV1: create the virtual IPHTTPS server interface
netsh interface httpstunnel show interface
netsh interface httpstunnel add interface Server https://ipv6.gopas.cz:443/IPHTTPS State=Enabled AuthMode=Certificates
netsh interface ipv6 set address IPHTTPSInterface 8000::1
netsh interface ipv6 set interface IPHTTPSInterface Forwarding=enable Advertise=enable
netsh interface ipv6 set route 8000::/64 IPHTTPSInterface Publish=yes
netsh interface ipv6 set route ::/0 Prague Publish=yes
POWERSHELL: dir cert:\LocalMachine\My
netsh http add sslcert ipport=0.0.0.0:443 CertHash=D97A04158FE01954F2598E08089E1741B6FD6463 appid={5d8e2743-ef20-4d38-8751-7e400f200e65} ClientCertNegotiation=Enable DSMapperUsage=Enable
IP-HTTPS on SRV1: verify the IP config of the IPHTTPSInterface: ipconfig /all; netsh interface httpstunnel show interface
IP-HTTPS on SRV1: verify the IPv6 routing table: netsh interface ipv6 show route
IP-HTTPS on SRV1: verify the HTTPS binding for the IPHTTPS listener
IP-HTTPS on SRV1: restart the IP Helper service (IPHLPSVC) just to be sure
IP-HTTPS on JudithPC: verify HTTPS "connectivity" from London with a browser
IP-HTTPS on JudithPC: define the IPHTTPSInterface virtual tunnel NIC on the client; leave the default state to connect only if necessary
netsh interface httpstunnel add interface Client https://ipv6.gopas.cz/IPHTTPS State=default AuthMode=Certificates
IP-HTTPS on JudithPC: verify the interface state: ipconfig /all; netsh interface httpstunnel show interface; if necessary, restart IPHLPSVC to reconnect
IP-HTTPS on SRV1: verify the logon events of the JudithPC$ workstation account: Event 4624, Logon type 3, Logon process Schannel
IP-HTTPS on DC1: verify the account logon events of the client workstation computer account: Event 4774, Authentication package: Schannel
IP-HTTPS on SRV1 and R1: enable forwarding and advertising on the internal Prague NIC of SRV1; add a static route on R1
IP-HTTPS on DC1: possibly configure the IP-HTTPS gateway centrally through Group Policy (GPO)
INTERNET EVOLUTION
Internet Protocol v6
Querying for IPv6: DNS Resolution
IPv6 Internet Evolution (sequence of diagrams, google.com): an IPv4 LAN and an IPv6 LAN connected through routers (R) to google.com; slide by slide the links along the path change from IPv4-only to IPv6-only
Application Support for IPv6 (11/2010)
Application                     IPv6 support
Internet Explorer
Exchange Server 2007            must be running on Windows 2008 only
Windows 2003 DNS                quite unpleasant reverse zones user experience
Windows 2003 Active Directory
SQL Server 2005                 serverName=fc05::7\InstanceA
Windows 2008                    full
COMMON PROBLEMS (11/2010)
Internet Protocol v6
Single Checkbox Registers Both
DNS Problems
DNS dynamic update registers only AAAA records
PTR can be registered by DHCP (insecure)
or manually
CNAME translates to both IPv4 and IPv6 names
DNS Problems
No IPv6 root hints are defined by default:
A = 2001:503:ba3e::2:30
B = 2001:478:65::53
F = 2001:500:2f::f
H = 2001:500:1::803f:235
I = 2001:7fe::53
J = 2001:503:c27::2:30
K = 2001:7fd::1
L = 2001:500:3::42
M = 2001:dc3::35
Others
IE security zones
sites cannot use a wildcard (such as [fc00:5::*])
Windows Firewall
does not offer TCPv6 vs. TCPv4 protocols
cannot distinguish
SQL Server 2008 R2
Listen All cannot disable IPv4
if IPv6 only interface IP is configured, no SPN is registered for the port
Others
TMG 2010 does not support IPv6 at all
only IPv6 source/target
no pass-through, no proxy
create A record for wpad
cannot configure IPv6 elements (only AnywhereIPv6)
must be installed with specific switches
Lync 2010 does not support IPv6
What works? (tested by me)
AD/LDAP/Kerberos, DNS, AD CS, Group Policy, SMB/NTLM, WMI, DCOM, NTP, Exchange 2007/2010, Outlook 2007/2010, SQL Server 2008/R2, SharePoint 2010
Windows Server 2008/R2, Windows Vista
IE 7+, Telnet, Ping, Explorer, MMC
HOSTS file
THANK YOU!