Understanding IPv6

Nicholas A. Hay

Monroe County ISD

nicholas.hay@monroeisd.us

Some of the session materials in the presentation were from a presentation that Merit sponsored with a presenter from NYSERNet. A thank you goes to Jeff Harrington for his presentation and materials I used for this presentation.

Why IPv6?

• Address Depletion– As of 2/2011, the IANA free pool has been depleted.– APNIC and RIPE are under emergency allocation

policies and ARIN is projected to be depleted in March 2015.

• Services Providers who run out of IPV4 addresses are planning on implementing Carrier Grade NATs (sometimes referred to as NAT444)– Services like VPNs, Remote Desktop, Skype, etc. may

stop working from home networks to campuses.– How will that impact your user community?

Why IPv6?

• Removes the need to NAT since every address is a public address.– NAT can break things, especially multimedia.

• The size of the address space is 2^128, versus 2^32 in IPv4.

• Every organization receiving IPv6 address space will have enough addresses to cover current and long term needs.

• IPv6 may be the only way to continue to provide some services.

• IPv4 will probably be phased out over the next 15 years. It is not a matter of if but when.

Why IPv6?

• IPv6 only networks on the internet are increasing.– The XBOX network is a IPv6 only network.

• Note: a lot of IP phone systems do not support IPv6.

Why move to IPv6?

• Worldwide communication. IPv6 is needed for populated areas such as China and Europe.

• IPv6 only networks will be appearing sooner than later.

• Networks have grown haphazardly and organically.– Subnets have been allocated inefficiently.– Services have grown past their intended purpose.– Cannot make changes to design now, cannot impact

services in production.

• IPv6 gives you the opportunity for a fresh look at your network design.

Why move to IPv6?

• Adoption has been slow for no particular reason.– No deadline like Y2K– No killer app– IPv6 compatibility is now a requirement for

government bids.– People are desentizied since there has been

a lot of buzz about it but people are not seeing any urgency at implementing.

Why move to IPv6 now?

• Security– Most devices are already running IPv6.– Exploits for IPv6 already exist

• Deployment– IPv6 requires planning and may take 1-2

years to implement

• Eliminate the need to NAT users and devices.

IPv4 vs IPv6 Packet Types

• Similarities– Unicast– Multicast– Anycast

• Differences– No Broadcast in IPv6.

• This feature is taken over by multicast• Helps mitigate some DDoS attacks

IPv6 Addressing Usage

• 2 distinct components– 64-bit field designated for the network portion– 64-bit field designated for the host portion

• There are a few exceptions

IPv6 Address Representation

• All addresses are 128 bits• Write as sequence of eight groups of four

hex digits (16 bits each) separated by colons

• E.g. 3ffe:3700:0200:00ff:0000:0000:0000:0001

Types of Unicast Addresses

• Unspecified address– All zeros (::)– Used as source address during initialization– Also used in representing default

• Loopback address– Low-order one bit (::1)– Same as 127.0.0.1 in IPv4

• Link-local address– Unique on a subnet– Auto configured– High-order: FE80::/10– Low-order: interface identifier– Routers must not forward any packets with link-local source or

destination addresses

Obtaining IPv6 Addresses

• Provider-Independent (PI)– You can reserve a range from ARIN and you

can move it from one ISP to another.

• Provider-Assigned (PA)– The minimum you should receive is a /48– Only usable if you have a single connection.– You get this from your ISP that is part of their

scope.

IPv6 Addresses Scope

• Sizing– http://

www.howfunky.com/2014/01/getting-your-first-ipv6-address.html

 Number of Sites    Prefix Block Size  

1  /48

2-12  /44

13-192  /40

193-3,072  /36

3,072 - 49,152  /32

Representation of IPv6 Address

• All addresses are 128 bits• Write as sequence of eight groups of four

hex digits (16 bits each) separated by colons– Leading zeros in group may be omitted– A contiguous all-zero group may be replaced

by “::”• Only one such group can be replaced

IPv6 Notation

• In IPv6 every address is written:– <ipv6-address> / <prefix length>

• For example:– 2001:0db8::/36– 2001:0db8::/32

• At the bit level:– 0010 0000 0000 0001: 0000 1101 1011 1000::/36– 0010 0000 0000 0001: 0000 1101 1011 1000::/32

• These look the same, except for the prefix length

IPv6 Addressing Example

• Consider– 3ffe:3700:0200:00ff:0000:0000:0000:0001

• This can be written as – 3ffe:3700:200:ff:0:0:0:1 or– 3ffe:3700:200:ff::1

• Both reduction methods are used here.

Assigning IPv6 Addresses

• Static– Similar to IPv6, but it is not as easy to configure or

remember as IPv6– Good for Servers and Printers.

• Stateless Address Autoconfiguration (SLAAC)– Assumes that each interface can provide a unique

identifier for that interface

• DHCPv6– Provides DNS info– Better control and tracking of IPv6 usage– Doesn’t work on Android devices. SLAAC is needed.

Assigning IPv6 Addresses

• Most organizations will probably need to implement SLAAC and DHCPv6

IPv6 Security Considerations

• Most of the same threats still exist– Sniffing– Rogue devices– Man-in-the-middle (MITM) attacks– Flooding

• IPsec is built-in to IPv6 spec– Could mitigate most of these threats, if used– IPv4 ESP traffic estimated as low as 0.9%– IPv6 accounts for <1% of traffic on Internet2, making

IPsec usage largely insignificant– http://www.uoregon.edu/~joe/ipv6-security/

IPv6 Security Considerations

• Most host OS implementations have IPv6 on by default– Devices can communicate using the link-local

addresses– Autoconfiguration means no administrative

involvement necessary to have “live” IPv6 hosts on your network

IPv6 DNS

• Similar to IPv4• It is impossible to remember IPv6 addresses

and DNS is the only way to remain sane.• Forward Lookups use AAAA to assign

addresses to names.• Can advertise both A and AAAA in the same

the same domain.• Host OS’s prefer IPv6 responses by default.

It will first use IPv6 before IPv4

IPv6 Planning

• IPv6 requires some thoughtful planning to help address future growth and grouping of subnets

• Perform an assessment of existing infrastructure– Get all swtiches, software versions, end of service

dates and validate if they support IPv6. Check to see what features are supported since IPv6 can mean many things.

• Access applications and validate if they are IPv6 ready.

IPv6 Planning: Subnetting

• Each “site” should receive a /48. This will leave 16 bits left for subnetting (0000 – FFFF). So what do you do with it?

• Subnets or combinations of nets & subnets, or VLANs, etc., e.g.– 192.168.129.0/24 2001:DB8:C0A8:0081::/64– 172.16.32.0/24 2001:DB8:AC10:0020::/64– 10.0.164.0/24 2001:DB8:0A00:00A4::/64

• /64 is what a subnet SHOULD BE!!!!! DON'T CHANGE IT. THIS MAY BREAK SOME SERVICES

EUI host address (64 bits)Network address (48 bits)

16 bits

IPv6 Planning: Subnetting

• A site is /48• First level subnetting (i.e. districts for

ISD’s) would be /52 top level subnets (16 subnets)

• Second level is usually /56 or /60• Third level usually /60 • /64 is the host/user level.

IPv6 Planning: Subnetting

New Subnet Concepts

• You can use “all 0s” and “all 1s”! (0000, ffff)• You’re not limited to 254 hosts per subnet!• Switch-rich LANs allow for larger broadcast domains

(with tiny collision domains), perhaps thousands of hosts/LAN…

• No “secondary subnets” (though >1 address/interface)• Every /64 subnet has far more than enough addresses to

contain all of the computers on the planet, and with a /48 you have 65536 of those subnets - use this power wisely!

IPv6 Planning

• Develop a plan once you get your address space subnets developed– Will probably run in Dual Stack mode rather than

just IPv4 or IPv6. Both will run side by side.– Get IPv6 address space– Work with ISP to advertise IPv6 range– Set up router/firewall– Configure other network switches with IPv6– Configure IPv6 on servers and other devices– Clients

IPv6 Tools

• UK CPNI Toolkit– Provides assessment tools to discover known ipv6 exploits -

icmp, na/nd, ra/rs, etc.– http://www.si6networks.com/tools/ipv6toolkit/

• THC-ipv6– Scans for IPv6 vulnerabilities– www.thc.org/thc-ipv6

• Ipv6mon– Active probes to discover IP addresses in use.– http://www.si6networks.com/tools/ipv6mon

• Chrome Plugin to detect IPv4 or IPv6 website– IPvFoo

Dual Stack

• This will be for many organizations that will allow you to run IPv4 and IPv6 together and makes migration painless since clients can use both.

Securing your Current Network

• http://blogs.cisco.com/security/securing-ipv6/

• RA (Router Advertisement) Guard– ipv6 nd suppress-ra– This will ensure that a device that is plugged

into your network can’t hijack traffic by advertising it’s route since IPv6 routes take priority over IPv4.

Sample Network Diagram

Our IPv6 Space

• We have approx. 20 districts and over 100 buildings. We are looking to tread each district as a “site” that get’s a /48.

Our IPv6 Space

• 2620:11B:1000::/48District 1– 2620:11B:1000:00::/56 Building 1 (up to 256)

• 2620:11B:1000:0000::/64 network a (up to 256) • 2620:11B:1000:0001::/64 network b

– Could do a /60 and /64 to segment network rather than /56 and /64 to further identify equipment

» Ex: one nibble could be an identifier if the network is wireless, wired, staff, students, printers, etc.

– Each /64 network can have up to 18,446,744,073,709,551,616 IP addresses!

– 2620:11B:1000:0f::/56 Building 15

• 2620:11B:1001::/48 District 2