Date post: 24-Mar-2020
IPv6 Introduction By David Beveridge

IPv4 Usage 2010


Why hasn’t it happened yet

• Waiting for everyone else

• Content providers say there are no users

• ISPs say there’s no content

• Lack of CPE Equipment

• Users say it’s not broken so why change

• But, the writing is on the wall


IPv4 Address Depletion


IPv6 Address Types

• Unicast - a single interface, on a single node (eg normal use)

• Anycast – deliver to one of the interfaces in the set (eg load balance)

• Multicast – deliver to all interfaces in the set (eg broadcast)


Terminology

• node - a device that implements IPv6.

• router - a node that forwards IPv6 packets not explicitly addressed to itself.

• host - any node that is not a router.

• link - a communication facility or medium over which nodes can communicate at the link layer.

• neighbors - nodes attached to the same link.

• interface - a node's attachment to a link.


IPv6 – Address Format

An IPv6 address is represented as eight groups of four hexadecimal digits, each group representing 16 bits (two octets). The groups are separated by a colon (:). A typical IPv6 address follows, written in full, then with the leading zeros of each group dropped, then with the run of all-zero groups collapsed to a double colon (::):

•2001:0db8:85a3:0000:0000:8a2e:0370:7334

•2001:db8:85a3:0:0:8a2e:370:7334

•2001:db8:85a3::8a2e:370:7334

The localhost (loopback) address, 0:0:0:0:0:0:0:1, and the IPv6 unspecified address, 0:0:0:0:0:0:0:0, are reduced to ::1 and ::, respectively.

IPv4-mapped IPv6 address

::ffff:c000:280 is usually written as ::ffff:192.0.2.128


IPv6 Common Addresses

• ::/0 – The entire Internet (0.0.0.0/0)

• ::/128 – Unspecified Address (0.0.0.0)

• ::1/128 – Loopback Interface (127.0.0.1)

• ::x.x.x.x/96 – deprecated IPv4 Compatible

• ::ffff:x.x.x.x/96 – an IPv4-mapped IPv6 address

• fe80::/10 – Link-Local Addresses

• ff00::/8 – Multicast

• 2000::/3 – Global Unicast

• 2001::/32 – Used for Teredo tunneling

• 2002::/16 – Used for 6to4 addressing

• 1000::/4, 4000::/3, 6000::/3, 8000::/3, A000::/3, C000::/3, E000::/4 all currently reserved (future global unicast)


EUI-64 in IPv6

• Automatic Interface Addressing

• Implements IEEE 64-bit Extended Unique Identifier (EUI-64)

• No need for DHCP or manual configuration

• This is accomplished on Ethernet interfaces by referencing the already unique 48-bit MAC address.


EUI-64 step1

• Convert the 48-bit MAC address to 64 bits by inserting 0xFFFE between the OUI and the rest of the address

• Any EUI-64 address having 0xFFFE immediately following its OUI portion can be recognized as having been generated from an EUI-48 (or MAC) address.


EUI-64 step 2

• The second step is to invert the universal/local (U/L) flag (bit 7) in the OUI portion of the address

• The motivation for inverting the "u" bit when forming the interface identifier is to make it easy for system administrators to hand configure local scope identifiers when hardware tokens are not available. This is expected to be the case for serial links, tunnel end-points, etc. The alternative would have been for these to be of the form 0200:0:0:1, 0200:0:0:2, etc., instead of the much simpler ::1, ::2.
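The two EUI-64 steps above, and their reverse, as an added example that is not part of the original slides. It shows why an EUI-64 address carries the interface's MAC address with it: the same hardware is recognisable on every network it joins. The MAC address and prefixes are constructed sample values.

```python
import ipaddress
from typing import Optional

SAMPLE_MAC = "00:1b:63:84:45:e6"  # constructed sample value


def mac_to_interface_id(mac: str) -> bytes:
    """EUI-48 MAC -> 8-byte modified EUI-64 interface identifier."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]  # step 1: FFFE after the OUI
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]    # step 2: invert the U/L bit


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 network prefix with the interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    iid = int.from_bytes(mac_to_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, else None.

    The FFFE marker is a strong hint, not proof: a randomly chosen
    interface identifier contains it by chance once in 65536 cases.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def same_device(addr_a: str, addr_b: str) -> bool:
    """True when two addresses embed the same MAC (e.g. in logs from two sites)."""
    mac_a, mac_b = mac_from_address(addr_a), mac_from_address(addr_b)
    return mac_a is not None and mac_a == mac_b


if __name__ == "__main__":
    home = eui64_address("2001:db8:1234:1::/64", SAMPLE_MAC)
    cafe = eui64_address("2001:db8:ffff:7::/64", SAMPLE_MAC)
    print(home, cafe, mac_from_address(str(home)), same_device(str(home), str(cafe)))
```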


ICMPv6 Types

Neighbor Discovery defines five different ICMP packet types: a pair of Router Solicitation and Router Advertisement messages, a pair of Neighbor Solicitation and Neighbor Advertisement messages, and a Redirect message. The messages serve the following purposes:

•Router Solicitation: When an interface becomes enabled, hosts may send out Router Solicitations that request routers to generate Router Advertisements immediately rather than at their next scheduled time.

•Router Advertisement: Routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message. Router Advertisements contain prefixes that are used for determining whether another address shares the same link (on-link determination) and/or address configuration, a suggested hop limit value, etc.


• Neighbor Solicitation: Sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address. Neighbor Solicitations are also used for Duplicate Address Detection.

• Neighbor Advertisement: A response to a Neighbor Solicitation message. A node may also send unsolicited Neighbor Advertisements to announce a link-layer address change.

• Redirect: Used by routers to inform hosts of a better first hop for a destination.


IPv6 Network Blocks

• /64 is the standard network block

• 64 bits for the Local Part (as per EUI-64)

• 64 bits for the Network Part

• /48 is the ideal Multiple Network Block Allocation (65536 x /64s)

• At one million packets per second on an IPv6 subnet with 10,000 hosts it would take over 28 years to find the first host to infect.


Subnetting a /48

• If 2001:db8:1234::/48 is your block

• Then your /64 networks are:-

– 2001:db8:1234:1::/64

– 2001:db8:1234:2::/64

– 2001:db8:1234:3::/64 ... etc to …

– 2001:db8:1234:ffff::/64


Subnetting a /56 or /60

• Every hex digit is 4 bits, so…

• 2001:db8:1234:aa00::/56 (256 subnets)

– 2001:db8:1234:aa00::/64 to

– 2001:db8:1234:aaff::/64

• 2001:db8:1234:aaa0::/60 (16 subnets)

– 2001:db8:1234:aaa0::/64 to

– 2001:db8:1234:aaaf::/64


Service Provider Allocation

• There is enough space to allocate /16 to every organisation who has an AS (autonomous system) number currently.

• Default allocation is currently only /32 which will allow the Internet to grow to 2^16 times the size it is now. (Many ISP allocations are in their own /24, so their allocation can grow; Optus seems to be in a /20 by itself, Telstra has a full /20 allocated.)

• Every current IPv4 address user is already allocated a /48 to allow them to communicate with new IPv6-only users. (2002::/16 range)


Minimum Allocation to an ISP

• /32 is the standard allocation to small ISPs.

• This allows for 65536 customers to receive a /48 each.

• Initial allocations larger than /32 may be justified if:

– The organization provides comprehensive documentation of planned IPv6 infrastructure which would require a larger allocation; or

– The organization provides comprehensive documentation of all of the following:

• its existing IPv4 infrastructure and customer base,

• its intention to provide its existing IPv4 services via IPv6, and

• its intention to move some of its existing IPv4 customers to IPv6 within two years.


Getting IPv6 now

• Internode – ADSL Broadband Trial with IPv6 PPP & DHCP Prefix Delegation

– http://ipv6.internode.on.net/access/tunnel-broker/

• Aarnet – http://broker.aarnet.net.au

– Allocates /64 only

• Hurricane Electric – http://tunnelbroker.net

– Allocates /48

– Tunnel Broker based in USA or Hong Kong

• Automatic 6to4 Tunnel – All public IPv4 Addresses already have /48 allocated

• Microsoft Teredo Tunnel (for NAT users with private IPs) – Windows XP/2003/Vista/2008 OS


How 6to4 works

• 6to4 performs three functions:

– Assigns a block of IPv6 address space to any host or network that has a global IPv4 address.

– Encapsulates IPv6 packets inside IPv4 packets for transmission over an IPv4 network using 6in4.

– Routes traffic between 6to4 and "native" IPv6 networks.

• Uses Protocol 41 (eg: 1=ICMP, 6=TCP, 17=UDP, 47=GRE, 50=ESP, 51=AH)


• Allocated IPv6 Addresses per IPv4 Address

– 2002:CAFE:F00D::/48 allocated to 202.254.240.13

– 2002:DEAD:BEEF::/48 allocated to 222.173.190.239

– 16 bits for 65536 x ::/64 local networks

• Routing

– BGP Anycast 192.88.99.1 is the path to IPv6

– 2000::/16 is the BGP Advertisement for IPv4

• Reverse DNS

– https://6to4.nro.net


Consumer routers with 6to4 support

• Apple's Airport Extreme & Airport Express base station

• Linksys WRT610N

• Various Buffalo Technology wireless routers

• D-Link DIR-615, DIR-825 (V2 firmware; currently available for the DIR-825 Rev. B *only*!)

• AVM FRITZ!Box 7270 (experimental “Labor” version)

• Mikrotik RouterOS software and RouterBoard hardware. Requires v3 and above with the IPv6 package installed

• Fortinet's FortiGate. Also supports stateful Firewalling, Antivirus, Application-Control and Intrusion-Protection for IPv6


D-Link 825 Rev B

http://www.gizmomart.com.au/product_info.php?products_id=262411 $169.95


Windows 6to4

• Windows XP SP2 or better

– For XP, install the TCP/IP version 6 protocol in Control Panel, Add/Remove Windows Components

• Then Enter the following into a command prompt

netsh interface ipv6 6to4 set relay 192.88.99.1


MacOS X


CentOS 6to4

/etc/sysconfig/network

NETWORKING_IPV6=yes
IPV6_DEFAULTDEV="tun6to4"
IPV6FORWARDING=yes    # optional

/etc/sysconfig/network-scripts/ifcfg-ppp0

IPV6INIT=yes
IPV6TO4INIT=yes
IPV6TO4_IPV4ADDR=192.0.1.2    # only required if behind NAT
IPV6TO4_ROUTING="eth0-:cafe::0/64 eth1-:face::0/64"    # optional
IPV6_CONTROL_RADVD=yes    # optional


CentOS Router Advertisements

/etc/radvd.conf

interface eth0
{
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    prefix 0:0:0:cafe::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
        Base6to4Interface ppp0;
        AdvPreferredLifetime 120;
        AdvValidLifetime 300;
    };
};

interface eth1
{
    AdvSendAdvert on;
    MinRtrAdvInterval 30;
    MaxRtrAdvInterval 100;
    prefix 0:0:0:face::/64
    {
        AdvOnLink on;
        AdvAutonomous on;
        AdvRouterAddr off;
        Base6to4Interface ppp0;
        AdvPreferredLifetime 120;
        AdvValidLifetime 300;
    };
};


How Teredo works

• The Teredo protocol performs several functions:

– diagnoses UDP over IPv4 (UDPv4) connectivity and discovers the kind of NAT present (using a simplified replacement for the STUN protocol);

– assigns a globally-routable unique IPv6 address to each host using it;

– encapsulates IPv6 packets inside UDPv4 datagrams for transmission over an IPv4 network (this includes NAT traversal);

– routes traffic between Teredo hosts and native (or otherwise non-Teredo) IPv6 hosts.


How Teredo Works


NAT Types

• Cone NAT – Once the NAT translation table entry is in place, inbound traffic to the external address and port number from any source address and port number is allowed and translated.

• Port Restricted – A NAT in which the NAT translation table entry stores a mapping between an internal address and port number and an external address and port number, for either specific source addresses or specific source address and port numbers.

• Symmetric – When random port maps are used it’s impossible for both sides to choose matching ports.

Require Related Source IP Source Port Remote Port Remote IP

Full Cone 1:1 NAT X

Restricted Cone NAPT X X X

Port Restricted NAPT X X X X

Symmetric NAPT X X X X X


Teredo node types

• Teredo defines several different kinds of node:

– Teredo client (End User) – It is a host which has IPv4 connectivity to the Internet from behind a NAT and uses the Teredo tunneling protocol to access the IPv6 Internet. Teredo clients are assigned an IPv6 address that starts with the Teredo prefix (2001:0000::/32).

– Teredo server (NAT Setup) – It is a well-known host which is used for initial configuration of a Teredo tunnel. A Teredo server never forwards any traffic for the client (apart from IPv6 pings), and therefore has very modest bandwidth requirements (a few hundred bits per second per client at most), which allows a single server to support large numbers of clients. Additionally, a Teredo server can be implemented in a fully stateless manner, thus using the same amount of memory regardless of how many clients it supports.

– Teredo relay (Tunnel Terminator & Traffic Relay) – It serves as the remote end of a Teredo tunnel. A Teredo relay must forward all of the data on behalf of the Teredo clients it serves, with the exception of direct Teredo client to Teredo client exchanges. Therefore, a relay requires a lot of bandwidth and can only support a limited number of simultaneous clients. Each Teredo relay serves a range of IPv6 hosts (e.g. a single campus/company, an ISP or a whole operator network, or even the whole IPv6 Internet); it forwards traffic between any Teredo clients and any host within said range.

– Teredo host-specific relay (Stand alone server) – It is a Teredo relay whose range of service is limited to the very host it runs on. As such, it has no particular bandwidth or routing requirements. A computer with a host-specific relay will use Teredo to communicate with Teredo clients, but it will stick to its main IPv6 connectivity provider to reach the rest of the IPv6 Internet.


Teredo IP Address

• As an example, the IPv6 address 2001:0000:4136:e378:8000:63bf:3fff:fdd2 refers to a Teredo client:

• using Teredo server at address 65.54.227.120 (4136e378 in hexadecimal),

• located behind a cone NAT (bit 64 is set),

• using UDP mapped port 40000 on its NAT (in hexadecimal 63bf xor ffff equals 9c40, or decimal number 40000),

• whose NAT has public IPv4 address 192.0.2.45 (3ffffdd2 xor ffffffff equals c000022d, which is to say 192.0.2.45)

Bits         0 - 31     32 - 63             64 - 79   80 - 95              96 - 127
Length       32 bits    32 bits             16 bits   16 bits              32 bits
Description  Prefix     Teredo server IPv4  Flags     Obfuscated UDP port  Client public IPv4
Part         2001:0000  4136:e378           8000      63bf                 3fff:fdd2
Decoded                 65.54.227.120       cone NAT  40000                192.0.2.45
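The Teredo field layout above and the 6to4 mapping from the "How 6to4 works" slides, decoded in code. This is an added example, not part of the original slides; it goes one step beyond them by also handling IPv4-mapped addresses and by checking peer addresses against an IPv4 watchlist, so that a rule written for IPv4 still matches the same host arriving over a tunnel. The peer list and watchlist are constructed sample data.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

TEREDO_NET = ipaddress.IPv6Network("2001::/32")
SIXTOFOUR_NET = ipaddress.IPv6Network("2002::/16")
V4MAPPED_NET = ipaddress.IPv6Network("::ffff:0:0/96")


def decode_embedded_ipv4(addr: str) -> Optional[Dict[str, object]]:
    """Return the IPv4 details embedded in a Teredo, 6to4 or IPv4-mapped address."""
    ip = ipaddress.IPv6Address(addr)
    raw = ip.packed
    if ip in TEREDO_NET:
        flags = int.from_bytes(raw[8:10], "big")
        return {
            "kind": "teredo",
            "server": str(ipaddress.IPv4Address(raw[4:8])),          # bits 32-63
            "cone_nat": bool(flags & 0x8000),                        # bit 64
            "nat_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,  # bits 80-95
            "ipv4": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))),
        }
    if ip in SIXTOFOUR_NET:
        return {
            "kind": "6to4",
            "ipv4": str(ipaddress.IPv4Address(raw[2:6])),   # bits 16-47
            "subnet_id": int.from_bytes(raw[6:8], "big"),   # the 16 bits for local /64s
        }
    if ip in V4MAPPED_NET:
        return {"kind": "ipv4-mapped", "ipv4": str(ipaddress.IPv4Address(raw[12:16]))}
    return None


def sixtofour_prefix(ipv4: str) -> str:
    """The /48 that 6to4 assigns to a global IPv4 address."""
    value = (0x2002 << 112) | (int(ipaddress.IPv4Address(ipv4)) << 80)
    return str(ipaddress.IPv6Network((value, 48)))


def watchlist_hits(peers: Iterable[str],
                   watchlist: Iterable[ipaddress.IPv4Network]) -> List[Tuple[str, str, str]]:
    """(peer, kind, embedded IPv4) for each peer whose embedded IPv4 is on the watchlist.

    The embedded address is what the IPv6 address claims, so a hit is a lead
    to follow up, not proof of origin.
    """
    nets = list(watchlist)
    hits = []
    for peer in peers:
        try:
            info = decode_embedded_ipv4(peer)
        except ValueError:          # not an IPv6 address at all
            continue
        if info and any(ipaddress.IPv4Address(info["ipv4"]) in n for n in nets):
            hits.append((peer, str(info["kind"]), str(info["ipv4"])))
    return hits


# Constructed sample data: peer addresses as they might appear in a server log.
SAMPLE_PEERS = [
    "2001:0000:4136:e378:8000:63bf:3fff:fdd2",  # Teredo client from the slide
    "::ffff:192.0.2.128",                       # IPv4-mapped
    "2002:cafe:f00d:1::1",                      # 6to4
    "2001:db8:85a3::8a2e:370:7334",             # native address, nothing embedded
    "not-an-address",
]
SAMPLE_WATCHLIST = [ipaddress.IPv4Network("192.0.2.0/24")]

if __name__ == "__main__":
    for hit in watchlist_hits(SAMPLE_PEERS, SAMPLE_WATCHLIST):
        print(hit)
```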


Initial communication between Teredo clients in different sites with restricted NATs


Initial communication from an IPv6-only host to a Teredo client with a restricted NAT


Initial communication from a Teredo client to an IPv6-only host with a restricted NAT


Example Cisco PIX Config

interface Ethernet0
 nameif outside
 ipv6 address 2001:db8:c000:1051::37/64
 ipv6 enable
 ipv6 nd suppress-ra
interface Ethernet1
 nameif inside
 ipv6 address 2001:db8:c000:1052::1/64
 ipv6 enable
ipv6 unicast-routing
ipv6 route outside ::/0 2001:db8:c000:1051::1


IPv6 DNS Records

• AAAA – Forward Lookup

box6.bevhost.com IN AAAA 2607:f878:1:668::84

• PTR – Reverse Lookup

4.8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.6.6.0.1.0.0.0.8.7.8.f.7.0.6.2.ip6.arpa IN PTR box6.bevhost.com.

• Glue

For self hosted domains where supported by domain registrar (Melbourne IT only in Australia)

bevhost.com is registered with gkg.net.

yourhostname.ip6.name can be used if anyone here needs it.


Setting up Bind

/etc/named.conf

options {
    listen-on port 53 {
        127.0.0.1;
        96.9.149.84;
        96.9.149.85;
    };
    listen-on-v6 port 53 {
        ::1;
        2607:f878:1:668::84;
        2607:f878:1:668::85;
    };
};


Setting up postfix & dovecot

/etc/postfix/main.cf

inet_protocols = ipv4,ipv6

/etc/dovecot.conf

listen = *, [::]


Setting Up Apache

NameVirtualHost [2607:f878:1:668::84]:80

<VirtualHost [2607:f878:1:668::84]:80>

</VirtualHost>


cPanel Scripts

http://wiki.netniche.com.au/index.php/Cpanel_IPv6

• Creates a local part address for each web site based on an MD5 hash of the domain name


Useful PHP 5.1 features

• string inet_ntop ( string $in_addr )

– This function converts a 32-bit IPv4 or 128-bit IPv6 address (if PHP was built with IPv6 support enabled) into an address family appropriate string representation.

• string inet_pton ( string $address )

– This function converts a human readable IPv4 or IPv6 address (if PHP was built with IPv6 support enabled) into an address family appropriate 32-bit or 128-bit binary structure.

<?php
$packed = chr(127) . chr(0) . chr(0) . chr(1);
$expanded = inet_ntop($packed);

/* Outputs: 127.0.0.1 */
echo $expanded;

$packed = str_repeat(chr(0), 15) . chr(1);
$expanded = inet_ntop($packed);

/* Outputs: ::1 */
echo $expanded;
?>


Useful PHP 5.2 features

• Filter can be used to validate IP Addresses

• mixed filter_var ( mixed $variable [, int $filter = FILTER_DEFAULT [, mixed $options ]] )

<?php
$ip = '2001:db8:1234::1';

// FILTER_FLAG_IPV6 restricts the check to IPv6 addresses
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
    echo "This ($ip) IPv6 address is considered valid.";
}
?>


Migration States


Dual Stack Network

Doesn’t solve the problem, as only customers with an IPv4 address can access IPv4 content.


DS Lite style NAT464

• Requires special CPE equipment or software


Dual Stack with NAT444

Requires subscribers to have dual stack to get to both networks


Stateful NAT64

• Suitable for greenfield networks or sites

• Requires modified DNS and CGN


Stateless NAT IVI

CERNET in China has been running IPv6↔IPv4 IVI translators for a couple of years and considers the IVI path well proven for enabling v4-v6 transition compared with other coexistence techniques.


DHCPv6 Overview

• Used to configure nodes with the following:

– One or more IPv6 addresses, or

– Configuration information, or

– One or more IPv6 prefixes

– Or all of the above

• Offers similar functionality to DHCPv4 but for IPv6

• Additional mode of operation in DHCPv6

– Stateless DHCPv6 where configuration information only is exchanged

– Stateful is similar to how DHCPv4 traditionally operates

• Requires IPv6 transport

• DHCPv6 is not simply an upgrade to DHCPv4, it is a separate and distinct protocol

• Generally DHCPv4 and DHCPv6 transmit information respective to the versions of IP being used

– In some cases this information can intersect or conflict, for example:

• DNS server IP address, DNS search path


Fundamentals of DHCPv6

• DHCPv6 clients listen on port 546, servers and relays listen on port 547

• Solely layer 3 protocol unlike DHCPv4

• DHCPv6 clients and servers (relays) communicate via link-local multicast addresses

– All_DHCP_Relay_Agents_and_Servers and All_DHCP_Servers multicast addresses are used by DHCPv6

– Relays may forward DHCPv6 messages to other relays or servers using link-local multicast or global unicast IPv6 addresses

• Relay agent “chaining” through DHCPv6 message encapsulation

– Information about each relay agent between the client and server is encapsulated

• DHCPv6 employs a larger option code space

– DHCPv6 options are TLV similar to those in DHCPv4

– 16 bit option type code and length with variable length data

– Most information carried in options, instead of fixed header fields

– Vendor options also help to ensure that core DHCPv6 options are maximized and not overloaded


DHCPv6 Role of Routers

• Routers in IPv6 deployments have different roles in the network compared to routers in IPv4 deployments

• IPv6 routers advertise their availability using IPv6 Router Advertisement messages

– Unlike IPv4 deployments, where hosts are explicitly told where routers are (statically, via DHCPv4, etc.)

– Details of IPv6 router behaviour are out of scope

• IPv6 routers also transmit additional information that is relevant to the links they serve, including but not limited to the following:

– Prefix information, or information about prefixes that are in use or valid for a given link or links

– Flags that suggest how DHCPv6 should be used by nodes

• Managed bit suggests use of stateful DHCPv6

• Other bit suggests use of stateless DHCPv6

– Additionally the Autonomous bit indicates that auto-configuration should be used by nodes


Stateful DHCPv6

• Used when a DHCPv6 client wishes to be allocated an IPv6 address using DHCPv6

• Similar to DHCPv4 today, a DHCPv6 server will allocate one or more IPv6 addresses or prefixes to a DHCPv6 client

– DHCPv6 may leverage a four message exchange (SOLICIT, ADVERTISE, REQUEST, REPLY), or

– Rapid Commit may be employed which uses only two messages (SOLICIT, REPLY)

• Configuration options like DNS Server IPv6 Addresses (RFC3646) may or may not be requested and offered to the client

– Note that in DHCPv6 the option request option is more rigidly evaluated and adhered to, unlike in DHCPv4 where the parameter request list is more of a hint


Stateful DHCPv6 with Rapid Commit


Stateful DHCPv6 with Relay Agent


Stateless DHCPv6

• Assumes one or more techniques used by a node to acquire one or more IPv6 addresses

– Static assignment

– Auto-configuration

• Stateless DHCPv6 is a two message exchange (INFORMATION-REQUEST, REPLY) between a DHCPv6 client and server where configuration information only is provided (e.g. DNS server configuration where no IPv4 stack is present)


DHCPv6 Server Preference Option

• DHCPv6 server preference option indicates the preferences as configured administratively for a DHCPv6 server

– Per RFC3315 DHCPv6 clients wait a specified amount of time and gather DHCPv6 server responses to their requests

– If a DHCPv6 server response contains a preference less than 255

– No preference indicating a preference of zero

– Preference of 255 suggests that no further waiting is required, this is the highest preference

• After waiting the specified amount of time a DHCPv6 client must select the best response
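The option format from "Fundamentals of DHCPv6" (16-bit code, 16-bit length, variable data) and the preference rule above, worked through as an added example that is not part of the original slides. It parses ADVERTISE messages with length checks, picks the server a client would choose, and reports server identifiers that are not on an expected list; the packets, DUIDs and the expected-server list are constructed sample data.

```python
import struct
from typing import Iterable, List, Optional, Set, Tuple

MSG_ADVERTISE = 2     # DHCPv6 message type
OPT_SERVERID = 2      # server identifier (DUID)
OPT_PREFERENCE = 7    # one-byte preference value


class MalformedDHCPv6(ValueError):
    pass


def parse_options(buf: bytes) -> List[Tuple[int, bytes]]:
    """Split an option area into (code, data) pairs, rejecting bad lengths."""
    options, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise MalformedDHCPv6(f"truncated option header at offset {off}")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if length > len(buf) - off:
            raise MalformedDHCPv6(f"option {code} claims {length} bytes, {len(buf) - off} left")
        options.append((code, buf[off:off + length]))
        off += length
    return options


def parse_advertise(pkt: bytes) -> Tuple[str, int]:
    """Return (server DUID as hex, preference) from one ADVERTISE message."""
    if len(pkt) < 4:                       # 1-byte type + 3-byte transaction id
        raise MalformedDHCPv6("shorter than the 4-byte header")
    if pkt[0] != MSG_ADVERTISE:
        raise MalformedDHCPv6(f"message type {pkt[0]} is not ADVERTISE")
    server_id, preference = None, 0        # no preference option means zero
    for code, data in parse_options(pkt[4:]):
        if code == OPT_SERVERID:
            server_id = data.hex()
        elif code == OPT_PREFERENCE:
            if len(data) != 1:
                raise MalformedDHCPv6("preference option must carry one byte")
            preference = data[0]
    if server_id is None:
        raise MalformedDHCPv6("ADVERTISE without a server identifier")
    return server_id, preference


def select_server(advertises: Iterable[bytes], expected: Set[str]
                  ) -> Tuple[Optional[Tuple[str, int]], List[str], int]:
    """Return (chosen (server, preference), unexpected servers seen, malformed count)."""
    best, unexpected, malformed = None, [], 0
    for pkt in advertises:
        try:
            server_id, pref = parse_advertise(pkt)
        except MalformedDHCPv6:
            malformed += 1
            continue
        if server_id not in expected:
            unexpected.append(server_id)
        if best is None or pref > best[1]:
            best = (server_id, pref)
        if pref == 255:                    # highest preference: no further waiting
            break
    return best, unexpected, malformed


def option(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


def advertise(*opts: bytes) -> bytes:
    return bytes([MSG_ADVERTISE]) + b"\x12\x34\x56" + b"".join(opts)


# Constructed sample data.
DUID_A = bytes.fromhex("000300010050569a0001")
DUID_B = bytes.fromhex("000300010050569a0002")
DUID_X = bytes.fromhex("000300010050569a00ff")
EXPECTED = {DUID_A.hex(), DUID_B.hex()}
ADV_A = advertise(option(OPT_SERVERID, DUID_A))                                 # preference 0
ADV_B = advertise(option(OPT_SERVERID, DUID_B), option(OPT_PREFERENCE, b"\x64"))
ADV_X = advertise(option(OPT_SERVERID, DUID_X), option(OPT_PREFERENCE, b"\xff"))
ADV_TRUNCATED = ADV_A[:-3]                                                      # length overruns the packet

if __name__ == "__main__":
    print(select_server([ADV_A, ADV_B, ADV_TRUNCATED], EXPECTED))
    print(select_server([ADV_A, ADV_X, ADV_B], EXPECTED))
```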


DHCPv6 Reconfigure

• Unlike that of DHCPv4, DHCPv6 Reconfigure affords a secure technique for DHCPv6 servers to interact with DHCPv6 clients

• The Reconfiguration Key Authentication Protocol, as specified in RFC3315, is the mechanism used to enable this interaction securely

• DHCPv6 clients must advertise support and willingness to enable Reconfigure

– DHCPv6 server must obviously be enabled and support this behavior as well

• After successfully negotiating willingness to support Reconfigure, DHCPv6 servers can be triggered to transmit Reconfigure messages to DHCPv6 clients

– Renew, Information-Request, or Rebind can result from the transmission of a Reconfigure message

• Reconfigure Key Authentication Protocol does not imply support for DHCPv6 Authentication as specified in RFC3315


DOCSISv3.0 DHCPv6 Reconfigure

Data over cable standard Interface specification (for Cable Modems)


IPv6 is supported by

Google, YouTube, Facebook

BitTorrent

World of Warcraft, Xbox, PS3

RFC5514 – IPv6 over Social Networks (1st April 09)


Conclusions and Recommendations

• DO

– Start now

– Evaluate your networks

– Experiment & Learn

– Plan your migration

– Harden your hosts

• DON’T

– Accept Private NAT IPv4 from an ISP unless IPv6 is offered alongside.

– Purchase new equipment without IPv6 support

