IPv6 Essentials - AFCEA International
Slide 1: IPv6 Essentials: An Introduction to IPv6
Presented by: Brandon Ross, Chief Network Architect and CEO
[email protected] | +1-404-635-6667
Network Utility Force LLC | 15 Wieuca Trace Northeast, Atlanta, GA 30342 | +1-404-635-6667 | [email protected] ©2016 Company Confidential Information | Transmittal to Third Parties by Prior Permission Only

Slide 2: IPv4 and IPv6: Brief History
• Internet Protocol version 4
  – 1978: Developed for ARPANET
  – 4 billion addresses
  – Allocation based on documented need
  – Deployed globally and well entrenched
• Internet Protocol version 6
  – 1996: IPv6 design begins
  – 340 undecillion addresses
  – 1999: Completed, tested, and available
• Management and use similar to IPv4
  – Reality: the IPv4 address pool is already depleted

Slide 3: The Case for IPv6
Exponential Internet growth
  – Internet users or PCs
  – Emerging population/geopolitical needs and address space
  – PDAs, tablets, notepads, …
  – Mobile phones
  – Transportation
    • Planes, cars
  – Consumer devices
  – Billions of home and industrial appliances
Limitations of IPv4
  – IPv4 address space exhaustion
  – Exponential Internet growth
  – Requirement for security at the IP level
  – Need for simpler configuration
  – Support for real-time delivery of data

Slide 4: Interim Solutions...
• Drop address classes A, B, and C
• Assign addresses in power-of-two chunks
• Assign several Class C addresses instead of one Class B address
• Assign providers large contiguous address blocks to be used for customers
• Advertise chunks instead of individual address assignments
Conservation efforts
  – PPP / DHCP address sharing
  – CIDR (classless interdomain routing)
  – NAT (network address translation)
  – Address reclamation

Slide 5: Deployment Benefits
• Chance to eliminate some complexity in the IP header
• Improve per-hop processing
• Chance to upgrade functionality
  – Multicast, QoS, mobility
• Chance to include new features
• Binding updates

Slide 6: IPv6 Features
• Larger address space
• Simplified header format
• Stateless and stateful address configuration
• QoS:
  – Hierarchical architecture for prioritized delivery
  – Integrated Services (IntServ), Differentiated Services (DiffServ)
• Required IPSec header support
• Multicast interaction
• Support for mobility
• Extensibility

Slide 7: IPv4 vs IPv6
                     | IPv4                           | IPv6
Length in bits       | 32                             | 128
Amount of addresses  | 2^32 = 4,294,967,296           | 2^128 = 340,282,366,920,939,463,374,607,431,768,211,456
Address format       | Dotted decimal: 192.168.100.1  | Hexadecimal: fe80::cae0:ebff:fe19:7a07
Dynamic addressing   | DHCP                           | SLAAC/DHCPv6
IPSec                | Optional                       | Optional
Header length        | Variable                       | Fixed
Minimum packet size  | 576 bytes (fragmented)         | 1280 bytes
Header checksum      | Yes                            | No
Header options       | Yes                            | No (extension headers)
Flow                 | No                             | Packet flow label

Slide 8: IPv6 in a Nutshell
• More addresses
• Multiple addresses per interface
• End-to-end connectivity
• Upper protocols are unchanged
• Features
  - Improved security
  - Mobility
  - Improved Quality of Service
  - Privacy extensions for SLAAC
  - Source address selection

Slide 9: IPv6 Format and Header
Packet structure: IPv6 Header | Extension Headers | Upper-layer Protocol Data Unit
  (Extension Headers + Upper-layer PDU form the Payload; header plus payload is the IPv6 Packet)

Slide 10: Header Comparison
Removed (6): ID, flags, fragment offset, TOS, hlen, header checksum
Changed (3):
  - total length => payload length
  - protocol => next header
  - TTL => hop limit
Added (2):
  - traffic class
  - flow label
Expanded: address from 32 to 128 bits

Slide 11: Major Header Improvements
• No option field
  – Replaced by extension headers
  – Result: a fixed-length, 40-byte IP header
• No header checksum
  – Result: faster processing
• No fragmentation at intermediate nodes
  – Result: faster IP forwarding

Slide 12: Chain of Pointers from Next Header
  IPv6 Header (Next Header = 6, TCP) -> TCP Segment
  IPv6 Header (Next Header = 43, Routing) -> Routing Header (Next Header = 6, TCP) -> TCP Segment
  IPv6 Header (Next Header = 43, Routing) -> Routing Header (Next Header = 51, AH) -> Authentication Header (Next Header = 6, TCP) -> TCP Segment

Slide 13: PMTU: Minimum MTU
• MTU: the Maximum Transmission Unit, or largest size packet, that can be handled by a network
• Link MTU: a link's maximum transmission unit, i.e. the maximum IP packet size that can be transmitted over the link
  – Minimum link MTU for IPv4 is 68 octets and for IPv6 is 1280 octets
• Path MTU: the smallest MTU of all the links in a path between a source and a destination
  – When a packet exceeds the path MTU, it must either be fragmented or a smaller packet resent

Slide 14: (figure only; no text)

Slide 15: QoS Fields in the IPv6 Header
• Traffic Class: 8 bits
  – Distinguishes packets from different classes or priorities
  – Same functionality as the Type of Service field in the IPv4 header
• Flow Label: 20 bits
  – Defines the packets of the flow
  – Selected by the source, never modified in the network
  – Fragmentation or encryption is not a problem in IPv6

Slide 16: Flow Label
• Changes how flow classification is done
  – Traditionally: IP sender, IP receiver, ports, transport protocol
  – Now based only on IP header information
  – Flow label, sender address, destination address
• Packets with flow label = 0 do not belong to a flow
• Flow state expires after 120 seconds
  – Unless a longer lifetime has been defined
  – Or the flow has been refreshed explicitly

Slide 17: IPv6 Address Architecture
• 128-bit address space
  – 2^128 possible addresses
  – 3.4 x 10^38 (340 undecillion)
    • 340,282,366,920,939,463,374,607,431,768,211,456 addresses
  – 128 bits allow for a multi-level, hierarchical routing infrastructure
    • 64-bit subnet prefix
    • 64-bit interface identifier

Slide 18: Benefits of 128-bit Addresses
• Easier address management and delegation
• Easier address auto-configuration
• Deploy end-to-end IPsec
  – (NATs removed as unnecessary)

Slide 19: Hexadecimal Review
Group binary bits into groups of four; each group (nibble) is assigned a hex digit value. Digits are the same for decimal 0-9; letters A-F are used for 10-15.
  0000 = 0    1000 = 8
  0001 = 1    1001 = 9
  0010 = 2    1010 = A
  0011 = 3    1011 = B
  0100 = 4    1100 = C
  0101 = 5    1101 = D
  0110 = 6    1110 = E
  0111 = 7    1111 = F
The 16-bit binary number 1011 0100 1010 0111 converted to hex is B4A7.

Slide 20: IPv6 Address Syntax
• Binary
  0010000000000001000011011011100000000000000000000010111100111011
  0000001010101010000000001111111111111110001010001001110001011010
• Divided on 16-bit boundaries
  0010000000000001 0000110110111000 0000000000000000 0010111100111011
  0000001010101010 0000000011111111 1111111000101000 1001110001011010
• 16-bit blocks converted to hexadecimal, delimited with colons
  2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
• Suppressing leading zeroes in each block
  2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

Slide 21: Compressing Zeroes
• A single contiguous sequence of 16-bit blocks (hextets) set to 0 can be compressed to a double colon (::)
  FE80:0:0:0:2AA:FF:FE9A:4CA2 becomes FE80::2AA:FF:FE9A:4CA2
• Can't be used to include part of a hextet
  FF02:30:0:0:0:0:0:5 does not become FF02:3::5; it does become FF02:30::5

Slide 22: IPv6 Prefixes
• Express routes, address spaces or address ranges
• Always use address/prefix-length notation
  – Similar to CIDR
  Subnet prefix: 2001:DB8:0:2F3B::/64
  Route prefix: 2001:DB8:3F::/48
• /48: most common, longest routable prefix
• /64: longest usable subnet prefix
• /127: for point-to-point links
• /128: for router loopbacks

Slide 23: IPv6 Subnet Mask
• The IPv6 subnet ID is built into the address, for example:
  – First 48 bits: network prefix, used for Internet routing
  – Next 16 bits (49-64): subnet ID, used to define the subnet
  – Last 64 bits (65-128): interface ID (IID)
• Example: for a network broken into 64 subnets, the binary mask for the subnetting range is 1111110000000000 = hex value FC00
  – The full 128-bit hex mask is FFFF:FFFF:FFFF:FC00:0:0:0:0

Slide 24: Building an Address Plan
• General guidelines and considerations
  – Documentation
  – Build sequentially
  – Hierarchical addressing plans allow for aggregation
• Following the existing IPv4 plan is easy, but consider improvements
  – Allocate by organizational needs:
    • Geography, function, security zone, department...
    • Consider topology/aggregation to reflect wiring plans, supernets, large domains...

Slide 25: Example Allocation: Geography
• 9 locations
• Allocation from RIR: 2001:DB8:1234::/48
  – 2001:DB8:1234:ABCD::/52
    • Location: 4 bits = 16 locations
  – Function within location: 2001:DB8:1234:ABCD::/56
    • Function: 4 bits = 16 functions per location
  – 2001:DB8:1234:ABCD::/64
    • Host subnets: 8 bits = 256 subnets per function per location

Slide 26: New Subnetting Concepts
• Not limited to 254 hosts per subnet
• All 0's and all 1's can be used (0000, FFFF)
• No "secondary subnets" (through >1 address/interface)
• Switch-rich LANs allow larger broadcast domains with smaller collision domains
• Numerous subnets mean the IGP may carry thousands of routes; consider internal topology and aggregation to avoid future problems
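A worked implementation of the expansion, zero-compression and prefix-mask rules from slides 20 through 23, added here as an example (it is not code from the slides or from Network Utility Force). It implements the hextet rules directly and cross-checks its own compression against Python's ipaddress module.

```python
# Added example (not from the slides): expand and compress IPv6 text addresses
# by the rules on the "IPv6 Address Syntax" and "Compressing Zeroes" slides,
# and build the hex subnet mask of the "IPv6 Subnet Mask" slide from a prefix length.
import ipaddress
import re
from typing import List

HEXTET = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand(addr: str) -> List[int]:
    """Return the eight 16-bit blocks of an IPv6 address as integers.

    Accepts at most one '::' run; raises ValueError for malformed input."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        missing = 8 - len(head_parts) - len(tail_parts)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        parts = head_parts + ["0"] * missing + tail_parts
    else:
        parts = addr.split(":")
    if len(parts) != 8 or not all(HEXTET.match(p) for p in parts):
        raise ValueError(f"malformed IPv6 address: {addr}")
    return [int(p, 16) for p in parts]


def full_form(addr: str) -> str:
    """Eight 4-digit hex blocks, e.g. 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A."""
    return ":".join(f"{b:04X}" for b in expand(addr))


def compress(addr: str) -> str:
    """Suppress leading zeros and collapse the longest run of all-zero blocks.

    Only whole blocks are collapsed (FF02:30:0:0:0:0:0:5 -> FF02:30::5, never
    FF02:3::5); a single zero block is left alone, as RFC 5952 recommends."""
    blocks = expand(addr)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:                       # find the first longest run of zero blocks
        if blocks[i] == 0:
            j = i
            while j < 8 and blocks[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [f"{b:X}" for b in blocks]
    if best_len < 2:
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return f"{left}::{right}"


def prefix_mask(prefix_len: int) -> str:
    """128-bit mask for a prefix length in the slides' hex notation
    (e.g. a /54, 64 subnets of a /48, gives FFFF:FFFF:FFFF:FC00:0:0:0:0)."""
    if not 0 <= prefix_len <= 128:
        raise ValueError("prefix length must be 0..128")
    mask = ((1 << prefix_len) - 1) << (128 - prefix_len)
    blocks = [(mask >> (112 - 16 * k)) & 0xFFFF for k in range(8)]
    return ":".join(f"{b:X}" for b in blocks)


if __name__ == "__main__":
    for a in ("2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A", "FE80:0:0:0:2AA:FF:FE9A:4CA2",
              "FF02:30:0:0:0:0:0:5", "::1", "::"):
        # cross-check against the standard library's canonical form
        assert compress(a).lower() == ipaddress.IPv6Address(a).compressed
        print(f"{a:40} -> {compress(a)}")
    print(prefix_mask(54))
```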
Slide 27: IPv6 Address Types
• Unicast
  – Address of a single interface, delivery to a single interface
• Anycast
  – Address of a set of interfaces, delivery to a single interface within the set
• Multicast
  – Address of a set of interfaces, delivery to all interfaces in the set
• No more broadcast
• IPv6 nodes will have more than one IP address

Slide 28: Types of Unicast Addresses
A single, unique address identifying an IPv6 interface
• Global unicast
• Link-local
• Unique local
• Special and compatibility

Slide 29: Unicast Addresses
• Global unicast
  – IPv4 equivalent: public IPv4 address
  – Scope: entire Internet
  – Preferred
• Structure:
  001 (3 bits) | Global Routing Prefix (45 bits) | Subnet ID (16 bits) | Interface ID (64 bits)

Slide 30: Unicast Addresses
• Link-local address
  – IPv4 equivalent: APIPA IPv4 address
  – Scope: single link
  – Use: single subnet, routerless configurations and the Neighbor Discovery Process (NDP)
  – Prefix: FE80::/64
• Structure:
  1111 1110 1000 0000 ... 0000 (64 bits) | Interface ID (64 bits)

Slide 31: Zone IDs for Link-Local Addresses
• Link-local addresses are ambiguous when a node is attached to multiple links
• The zone ID identifies the specific link for a link-local address
  – Set to the interface index of the sending interface
  ping fe80::2b0:d0ff:fee9:4143%3

Slide 32: Unicast Addresses
• Unique local address (ULA)
  – Scope: global, no zone ID required
  – Private to the organization but unique across all organization sites
  – Prefix: FD00::/8
• Structure:
  1111 110 (7 bits) | L (1 bit) | Global ID (40 bits) | Subnet ID (16 bits) | Interface ID (64 bits)

Slide 33: Anycast
• Assigned to a set of interfaces, typically on more than one node, with delivery to a single interface within the set
  – Same address space as unicast
• Not associated with any prefix
• Routes are used to locate the nearest anycast group member
• Structure:
  Subnet Prefix (n bits) | 000 ... 000 (128 - n bits)

Slide 34: Multicast
• Identifier for a group of interfaces
  – Interfaces may belong to more than one multicast group
  – A group usually includes more than one node
  – Replaces broadcast, delivers to all interfaces within the group
  – May not be used as a source address
Defined multicast addresses include:
  ‒ FF02::1 Link-local scope all-nodes
  ‒ FF02::2 Link-local scope all-routers
Structure:
  1111 1111 (8 bits) | Flags (4 bits) | Scope (4 bits) | Group ID (112 bits)

Slide 35: Multicast Groups - 2
• The solicited-node multicast address is used by ICMP for neighbor discovery and duplicate address detection
• Format:
  – FF02::1:FFxx:xxxx
    • xx:xxxx is taken from the last 24 bits of a node's unicast address
A node with the IPv6 address 4025::01:800:100F:7B5B belongs to the multicast group FF02::1:FF0F:7B5B

Slide 36: Solicited-Node Address
• Used for address resolution
• For FE80::2AA:FF:FE28:9C5A, the corresponding solicited-node address is FF02::1:FF28:9C5A
  Unicast address:        Unicast prefix (64 bits) | Interface ID (64 bits)
  Solicited-node address: FF02:0:0:0:0:1:FF        | low 24 bits of the Interface ID

Slide 37: Address Type Identification
Address Type       | Binary Prefix     | IPv6 Notation
Unspecified        | 00…0 (128 bits)   | ::/128
Loopback           | 00…1              | ::1/128
Multicast          | 11111111          | FF00::/8
Link-local unicast | 1111111010        | FE80::/10
Global unicast     | (everything else) |

Slide 38: Address Type Changes
IPv4                                                     | IPv6
Internet address classes (deprecated other than D and E) | N/A
Multicast address 224.0.0.0/4                            | IPv6 multicast address FF00::/8
Broadcast addresses                                      | None
Unspecified address 0.0.0.0                              | Unspecified address ::
Loopback address 127.0.0.1                               | Loopback address ::1
Public IP address                                        | Global unicast address
Private IP address                                       | Unique-local address FD00::/8
APIPA address                                            | Link-local address FE80::/64
Dotted decimal format                                    | Colon hexadecimal format
Subnet mask or prefix length                             | Prefix length notation only

Slide 39: Interface ID
Unicast and anycast addresses:
  – Two parts
    • 64-bit network prefix used for routing
    • 64-bit interface identifier used to identify a host's network interface
  – 64 bits long
    • Often derived from EUI-64 addresses
      ‒ Can be combined with a network prefix (routing prefix and subnet ID) to determine a corresponding IPv6 address for the device
      ‒ Required to be unique within the subnet prefix

Slide 40: Interface ID - 2
• Lowest-order 64-bit field of a unicast address
  – Assigned in several different ways:
    • Auto-configured from a 64-bit EUI-64
    • Expanded from a 48-bit MAC address (e.g., Ethernet address)
    • Auto-generated pseudo-random number (privacy concerns)
    • Assigned via DHCP
    • Manually configured
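Added example (not from the slides): a classifier that applies the binary-prefix table of slide 37 (extended with the ULA prefix from slide 32), decodes the flags and scope nibbles of a multicast address from the slide 34 structure, and derives the solicited-node group of slides 35 and 36. The scope names other than link-local are taken from RFC 4291, not from the slides.

```python
# Added example (not from the slides): address-type identification, multicast
# field decoding and solicited-node group derivation for IPv6 addresses.
import ipaddress
from typing import Dict, List

# Multicast scope nibble values (RFC 4291); the slides only use link-local (2).
MCAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                5: "site-local", 8: "organization-local", 14: "global"}


def address_type(addr: str) -> str:
    """Classify by the binary prefixes of slide 37, plus ULA (FC00::/7, slide 32)."""
    n = int(ipaddress.IPv6Address(addr))
    if n == 0:
        return "unspecified"                 # ::/128
    if n == 1:
        return "loopback"                    # ::1/128
    if n >> 120 == 0xFF:                     # 11111111 -> FF00::/8
        return "multicast"
    if n >> 118 == 0b1111111010:             # FE80::/10
        return "link-local unicast"
    if n >> 121 == 0b1111110:                # FC00::/7 (FD00::/8 in practice)
        return "unique local unicast"
    return "global unicast"                  # everything else


def multicast_fields(addr: str) -> Dict[str, object]:
    """Split a multicast address into 4-bit flags, 4-bit scope and 112-bit group ID."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 120 != 0xFF:
        raise ValueError(f"{addr} is not a multicast address")
    flags = (n >> 116) & 0xF
    scope = (n >> 112) & 0xF
    return {"flags": flags,
            "transient": bool(flags & 0x1),          # T flag: not a well-known group
            "scope": MCAST_SCOPES.get(scope, f"reserved({scope})"),
            "group_id": n & ((1 << 112) - 1)}


def solicited_node(addr: str) -> str:
    """FF02::1:FFxx:xxxx, where xx:xxxx is the low 24 bits of the unicast address."""
    n = int(ipaddress.IPv6Address(addr))
    group = (0xFF02 << 112) | (1 << 32) | (0xFF << 24) | (n & 0xFFFFFF)
    return str(ipaddress.IPv6Address(group))


def nd_groups(unicast_addresses: List[str]) -> List[str]:
    """Multicast groups a node must listen on for Neighbor Discovery:
    all-nodes (FF02::1) plus one solicited-node group per unicast address."""
    groups = {"ff02::1"}
    for a in unicast_addresses:
        if address_type(a) in ("multicast", "unspecified"):
            raise ValueError(f"{a} is not a unicast address")
        groups.add(solicited_node(a))
    return sorted(groups)


if __name__ == "__main__":
    for a in ("::", "::1", "FF02::2", "fe80::2b0:d0ff:fee9:4143",
              "FD12:3456::1", "2001:DB8:0:2F3B:2AA:FF:FE28:9C5A"):
        print(f"{a:36} {address_type(a)}")
    print(solicited_node("4025::01:800:100F:7B5B"))    # slide 35 example
    print(multicast_fields("FF02::1"))
```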
Slide 41: Converting MAC to EUI-64
• Split the MAC address
  – First three octets of the MAC: Company-ID
  – Last three octets of the MAC: Node-ID
• 0xfffe is inserted between the Company-ID and the Node-ID
• The Universal/Local bit (U/L bit) is set to 1 for global scope

Slide 42: Converting MAC to EUI-64
  IEEE 802 48-bit MAC:  00 22 b0 | 75 b5 99
  IEEE 802 64-bit MAC:  00 22 b0 FF FE 75 b5 99
  IEEE EUI-64:          02 22 b0 FF FE 75 b5 99
  (first octet 0000 00X0 with X = 1; X is the universal bit)

Slide 43: ICMPv6
• Updated version of the Internet Control Message Protocol (ICMP) for IPv6
• Reports delivery or forwarding errors and provides a simple echo service for troubleshooting
• Provides a framework for:
  – Multicast Listener Discovery (MLD)
  – Neighbor Discovery (ND)
  – Mobile IPv6

Slide 44: Functions
• Router discovery
• Prefix discovery
• Autoconfiguration of address & other parameters
• Duplicate address detection (DAD)
• Neighbor unreachability detection (NUD)
• Link-layer address resolution
• First-hop redirect

Slide 45: ICMPv6 Message Format
8-byte header: each ICMP message is at least 8 bytes long
• Type (1 byte): type of ICMP message
• Code (1 byte): subtype of ICMP message
• Checksum (2 bytes): similar to the IP header checksum
  - The checksum is calculated over the entire ICMP message
• If there is no additional data, there are 4 bytes set to zero
  Type (8 bits) | Code (8 bits) | Checksum (16 bits)
  Message Body

Slide 46: Neighbor Discovery (NDP)
● Messages and processes that determine relationships between neighboring nodes
ND for routers:
  - Advertise their presence, host configuration parameters, routes and on-link preferences
  - Inform hosts of the best next-hop address for a destination
ND for nodes:
  - Address autoconfiguration of nodes
  - Find routers and DNS servers
  - Discover other nodes on the link and determine their link-layer addresses
  - Determine if a neighboring node's link-layer address has changed and if it is still reachable

Slide 47: ND Process
1. Router discovery
2. Prefix discovery
3. Parameter discovery
4. Address autoconfiguration
5. Address resolution
6. Next-hop determination
7. Neighbor unreachability detection
8. Duplicate address detection
9. Redirect function

Slide 48: ND Messages - 2
• Type 133: Router Solicitation
• Type 134: Router Advertisement
• Type 135: Neighbor Solicitation
• Type 136: Neighbor Advertisement
• Type 137: Neighbor Redirect

Slide 49: Neighbor Discovery
• ICMPv6 message structure and ICMPv6 types 133 through 137
• To ensure the traffic is local to the link, all ND messages are sent with a hop limit of 255, and received messages are dropped if their hop limit is less than 255
• ND options are formatted in Type-Length-Value (TLV) format
  Neighbor Discovery message: IPv6 Header (Next Header = 58, ICMPv6) | Neighbor Discovery Message Header | Neighbor Discovery Message Options

Slide 50: Neighbor Solicitation
• ICMPv6 message: Type 135, Code 0
• Solicits the mapping of an IPv6 address to a link-layer address
• Facilitates communication between nodes attached to the same link
  Type = 135 (8 bits) | Code = 0 (8 bits) | Checksum (16 bits)
  Reserved (32 bits)
  Target Address (128 bits)
  ICMPv6 Options

Slide 51: Neighbor Solicitation Message
• Determines the link-layer address of another node
  – The source address in a neighbor solicitation message is the IPv6 address of the node sending the neighbor solicitation message (Type 135)
• Destination address in the neighbor solicitation message
  – The solicited-node multicast address corresponding to the IPv6 address of the destination node

Slide 52: Neighbor Solicitation Message - 2
• The neighbor solicitation message also includes the link-layer address of the source node
• Also used to verify the reachability of a neighbor after the link-layer address of the neighbor is identified
• To verify the reachability of a neighbor, the destination address in the neighbor solicitation message is the unicast address of the neighbor

Slide 53: Neighbor Advertisement
• ICMPv6 messages of Type 136, Code 0
• Used to inform the mapping of an IPv6 address to a link-layer address
  Type = 136 (8 bits) | Code = 0 (8 bits) | Checksum (16 bits)
  Flags R, S, O (3 bits) | Reserved (29 bits)
  Target Address (128 bits)
  ICMPv6 Options

Slide 54: Neighbor Advertisement Message
• The destination node replies to the neighbor solicitation message on the local link
  – Neighbor advertisement message (Type 136) in the Type field of the ICMP header
• Source address in the neighbor advertisement message
  – IPv6 address of the node interface sending the neighbor advertisement message
• Destination address in the neighbor advertisement message
  – IPv6 address of the node that sent the neighbor solicitation message
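Added example for the MAC-to-EUI-64 conversion on slides 41 and 42 (this is not the slides' own code). It builds the interface ID and the link-local address from a MAC and, for the privacy concern noted on slide 40, runs the conversion in reverse over a constructed address list so an inventory tool can flag interface IDs that still embed a hardware address.

```python
# Added example (not from the slides): MAC -> EUI-64 -> link-local address,
# and the reverse check that recovers the MAC from an EUI-64 interface ID.
import ipaddress
from typing import Dict, List, Optional


def mac_to_eui64(mac: str) -> bytes:
    """00:22:b0:75:b5:99 -> 02 22 b0 ff fe 75 b5 99 (slides 41-42)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    # Company-ID (first 3 octets) | FF FE | Node-ID (last 3 octets)
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02          # flip the Universal/Local bit to 1 (universal scope)
    return bytes(eui)


def link_local_from_mac(mac: str) -> str:
    """FE80::/64 prefix + EUI-64 interface ID, in compressed notation."""
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return str(ipaddress.IPv6Address((0xFE80 << 112) | iid))


def embedded_mac(addr: str) -> Optional[str]:
    """Reverse the conversion: the MAC an EUI-64 interface ID was built from,
    or None when the IID does not carry the FF FE marker in the middle."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = [b[0] ^ 0x02, b[1], b[2], b[5], b[6], b[7]]   # undo the U/L flip
    return ":".join(f"{x:02x}" for x in octets)


def audit_interface_ids(addresses: List[str]) -> Dict[str, Optional[str]]:
    """Map each address to the hardware address it exposes, or None.
    Hosts whose SLAAC addresses still carry the MAC rather than a
    random (privacy) interface ID show up with a MAC value."""
    return {a: embedded_mac(a) for a in addresses}


if __name__ == "__main__":
    # Constructed inventory: the slide 42 MAC, the slide 31 link-local
    # address, and one address with a non-EUI-64 interface ID.
    inventory = [link_local_from_mac("00:22:b0:75:b5:99"),
                 "fe80::2b0:d0ff:fee9:4143",
                 "2001:db8::a1b2:c3d4"]
    for addr, mac in audit_interface_ids(inventory).items():
        print(f"{addr:32} {mac or 'no MAC embedded'}")
```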
Network Utility Force LLC | 15 Wieuca Trace Northeast, Atlanta, GA 30342 | +1-404-635-6667 | [email protected] ©2016 Company Confidential Information | Transmittal to Third Parties by Prior Permission Only 54 Neighbor Advertisement Message - 2 • Data portion of neighbor advertisement message includes link-layer address of the node sending the neighbor advertisement message • Neighbor advertisement messages are also sent in response to change in the link-layer address of node on local link – Destination address for the neighbor advertisement is the all-nodes multicast address Network Utility Force LLC | 15 Wieuca Trace Northeast, Atlanta, GA 30342 | +1-404-635-6667 | [email protected] ©2016 Company Confidential Information | Transmittal to Third Parties by Prior Permission Only 55 Source/Target Address Options • The Source Link-layer Address contains the link-layer address corresponding to the Source Address of the packet • The Target Link-layer address contains the link-layer address corresponding to the Target Address of the Neighbor Solicitation message Network Utility Force LLC | 15 Wieuca Trace Northeast, Atlanta, GA 30342 | +1-404-635-6667 | [email protected] ©2016 Company Confidential Information | Transmittal to Third Parties by Prior Permission Only 56 Address Resolution • An exchange of Neighbor Solicitation and Neighbor Advertisement messages to resolve the link-layer address of the next-hop address – Multicast Neighbor Solicitation message – Unicast Neighbor Advertisement message • Both hosts update their neighbor caches • Unicast traffic can now be sent Network Utility Force LLC | 15 Wieuca Trace Northeast, Atlanta, GA 30342 | +1-404-635-6667 | [email protected] ©2016 Company Confidential Information | Transmittal to Third Parties by Prior Permission Only 57 Neighbor Function Equivalents IPv4 Neighbor Function ARP Request message ARP Reply message ARP cache Router Solicitation message (optional) IPv6 Neighbor Function Neighbor Solicitation message 
Neighbor Advertisement message Neighbor cache Router Solicitation (required) Router Advertisement message Router Advertisement (optional) (required) Redirect message Redirect message Network Utility Force LLC | 15 Wieuca Trace Northeast, Atlanta, GA 30342 | +1-404-635-6667 | [email protected] ©2016 Company Confidential Information | Transmittal to Third Parties by Prior Permission Only 58 Neighbor Reachability • Host A acquires the link-layer address of neighbor Host B • Host A can use NS and NA messages to check whether Host B is reachable 1. Host A sends an NS message whose destination address is the IPv6 address of Host B 2. If Host A receives an NA message from Host B, Host A decides that Host B is reachable otherwise, Host B is unreachable Network Utility Force LLC | 15 Wieuca Trace Northeast, Atlanta, GA 30342 | +1-404-635-6667 | [email protected] ©2016 Company Confidential Information | Transmittal to Third Parties by Prior Permission Only 59 Neighbor Reachability - 2 • Values in Neighbor Cache: Show reachability state for neighboring nodes Five possible states ● Incomplete: Address resolution in progress but LinkLayer data, MAC Address has not yet been determined ● Reachable: Neighbor was reachable recently ● Stale: Neighbor is no longer known to be reachable ● Delay: Neighbor is no longer known to be reachable, but traffic has been recently delivered to the neighbor successfully; resolution delayed ● Probe: Neighbor is no longer known to be reachable; in process of verifying reachability Network Utility Force LLC | 15 Wieuca Trace Northeast, Atlanta, GA 30342 | +1-404-635-6667 | [email protected] ©2016 Company Confidential Information | Transmittal to Third Parties by Prior Permission Only 60 Duplicate Address Detection • Use of a neighbor solicitation to detect duplicate unicast address – Target Address field in Neighbor Solicitation message is set to the IPv6 solicited node multicast address of address to be tested – The Source Address is set to the 
unspecified address (::)
• For a duplicate address, the defending node replies with a Neighbor Advertisement
  – Destination Address is set to the link-local scope all-nodes multicast address (FF02::1)
  – If received, then it's a dupe!

Router Solicitation (RS)
• RS message sent by hosts at system startup
  – Immediately autoconfigure without needing to wait for the next scheduled RA message
  – Host does not have a configured unicast address
  – Source address in router solicitation messages is usually the unspecified IPv6 address (0:0:0:0:0:0:0:0)
  – ICMP packet header value: Type 133
• Router Advertisements (RA) are sent in response to router solicitation messages

Router Solicitation - 2
• Any node can send an RS to the all-routers multicast address FF02::2 on the local link
• When an RS is received, a router responds with an RA using the all-nodes multicast address FF02::1
• To avoid flooding of RS on the link, each node can send only three RS at boot time
[Figure: ICMPv6 header layout (32 bits) as shown on the slide: Type = 135, Code = 0, Checksum; Reserved; ICMPv6 Options]

Router Advertisement (RA)
• Periodically sent out each configured interface of an IPv6 router
  – ICMP packet header value: 134 in Type field
• Used to announce network configuration information to local hosts
• Advertised prefix length in RA messages must always be 64 bits for autoconfiguration
• The RA messages are sent to the all-nodes multicast address
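The two ICMPv6 messages just described, built and checked in code. This is an added example and not code from the slides or from Network Utility Force: it constructs the Neighbor Solicitation a node sends for Duplicate Address Detection (per RFC 4862 the Target Address field carries the tentative address itself, the IPv6 source is :: and the IPv6 destination is the tentative address's solicited-node multicast group), the Router Solicitation a booting host sends to FF02::2, and the ICMPv6 checksum over the IPv6 pseudo-header that any receiver must verify before acting on either. The function names and the 2001:db8:: sample address are constructed for the demonstration.

```python
"""DAD probe (Neighbor Solicitation, Type 135) and Router Solicitation (Type 133):
build, checksum and classify.  Added example, not from the original slides;
the sample addresses use the 2001:db8::/32 documentation prefix.
"""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ND_ROUTER_SOLICIT = 133            # ICMPv6 Type for a Router Solicitation
ND_NEIGHBOR_SOLICIT = 135          # ICMPv6 Type for a Neighbor Solicitation
UNSPECIFIED = ipaddress.IPv6Address("::")
ALL_ROUTERS = "ff02::2"


def solicited_node_multicast(target: str) -> str:
    """ff02::1:ffXX:XXXX where XX:XXXX are the low 24 bits of the target (RFC 4291 s2.7.1)."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """Internet checksum over the IPv6 pseudo-header (RFC 8200 s8.1) plus the ICMPv6 message.
    Recomputing it over a message whose checksum field is already filled in yields 0."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(msg), ICMPV6_NEXT_HEADER))
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _finish(src: str, dst: str, msg: bytes) -> bytes:
    """Fill the checksum field (bytes 2..3) of an ICMPv6 message built with checksum 0."""
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def build_dad_solicitation(tentative: str):
    """Return (ipv6_src, ipv6_dst, icmpv6_bytes) for a DAD probe of `tentative`.

    RFC 4862 s5.4.2: Target Address = the tentative address, IPv6 source = ::
    (the node has no usable address yet), IPv6 destination = the target's
    solicited-node group.  With an unspecified source no Source Link-layer
    Address option may be included, so the message is exactly 24 bytes.
    """
    src, dst = str(UNSPECIFIED), solicited_node_multicast(tentative)
    target = ipaddress.IPv6Address(tentative).packed
    msg = struct.pack("!BBHI", ND_NEIGHBOR_SOLICIT, 0, 0, 0) + target   # type, code, csum=0, reserved
    return src, dst, _finish(src, dst, msg)


def build_router_solicitation(src: str = "::"):
    """RS to the all-routers group; a host without an address uses source ::."""
    msg = struct.pack("!BBHI", ND_ROUTER_SOLICIT, 0, 0, 0)          # type, code, csum=0, reserved
    return src, ALL_ROUTERS, _finish(src, ALL_ROUTERS, msg)


def is_dad_probe(src: str, dst: str, msg: bytes) -> bool:
    """True only for a well-formed, checksum-valid NS with source :: that was sent
    to its target's solicited-node group.  Anything else is ordinary address
    resolution or a malformed packet.  A node already holding the target answers
    such a probe with an NA to ff02::1 (the "it's a dupe" case on the slide)."""
    if len(msg) < 24 or msg[0] != ND_NEIGHBOR_SOLICIT or msg[1] != 0:
        return False
    if icmpv6_checksum(src, dst, msg) != 0:
        return False
    target = str(ipaddress.IPv6Address(msg[8:24]))
    return (ipaddress.IPv6Address(src) == UNSPECIFIED
            and ipaddress.IPv6Address(dst) == ipaddress.IPv6Address(solicited_node_multicast(target)))


if __name__ == "__main__":
    s, d, m = build_dad_solicitation("2001:db8::1234:5678")
    print(s, "->", d, m.hex(), "DAD probe:", is_dad_probe(s, d, m))
```

The checksum verification matters on the receiving side: a defending node that answers unchecksummed or mis-addressed solicitations can be made to reply to noise, and a monitoring tool that classifies DAD traffic by type alone will miscount ordinary address resolution as duplicate detection.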
Router Advertisement - 2
Message Parameters
• IPv6 prefix
  – Default prefix length: 64 bits
  – Multiple IPv6 prefixes can be advertised per local link
  – Nodes get an IPv6 address by appending their link-layer address in EUI-64 format to the prefix = 128-bit IPv6 node address
• Default router information
  – Information about the existence and lifetime of the default router's IPv6 address
  – Default router's address = router's link-local address

Router Advertisement - 3
Message Parameters (cont'd)
• Lifetime
  – Lifetime may vary from 0 to infinite
  – Two types of lifetime value per prefix:
    • Valid Lifetime: how long a node's address remains in the valid state
    • Preferred Lifetime: how long an address configured by a node remains preferred
• Flags/options
  – Instruct nodes to use stateful or stateless configuration

Router Advertisement - 2
Configurable Parameters:
• Time interval between periodic RA messages
• "Router Lifetime" value: indicates the usefulness of the router as a default router, for use by all nodes on a given link
• Network prefixes in use on a given link
• Time interval between neighbor solicitation message retransmissions on a given link
• Amount of time a node considers a neighbor reachable, for use by all nodes on a given link
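The last two configurable parameters above (the NS retransmission interval and the time a neighbor is considered reachable) are exactly the timers that drive the five neighbor-cache states listed under Neighbor Reachability - 2. The following is an added example, not code from the slides or from Network Utility Force: a neighbor-cache entry that walks through Incomplete, Reachable, Stale, Delay and Probe the way RFC 4861 section 7.3 describes, with the timers taken as parameters so a router's advertised Reachable Time and Retrans Timer can override the RFC defaults (30 s, 1 s, 5 s delay before the first probe, 3 solicitations). The class and method names are constructed for the demonstration, and the clock is passed in by the caller so the transitions are deterministic.

```python
"""Neighbor cache entry and Neighbor Unreachability Detection state machine
(RFC 4861 s7.3).  Added example, not from the original slides.  Times are in
seconds; defaults are the RFC 4861 s10 constants a router may override in its RA."""

INCOMPLETE, REACHABLE, STALE, DELAY, PROBE, DELETED = (
    "INCOMPLETE", "REACHABLE", "STALE", "DELAY", "PROBE", "DELETED")


class NeighborEntry:
    """One neighbor-cache entry.  The caller passes `now` to every method."""

    def __init__(self, reachable_time=30.0, retrans_timer=1.0,
                 delay_first_probe=5.0, max_unicast_solicit=3, max_multicast_solicit=3):
        self.state = INCOMPLETE
        self.lladdr = None            # link-layer (MAC) address; unknown until an NA arrives
        self.deadline = None          # when the current state's timer fires
        self.solicits = 0             # NS messages sent in the current INCOMPLETE/PROBE run
        self.log = []                 # what the node would transmit, for inspection
        self.reachable_time = reachable_time
        self.retrans_timer = retrans_timer
        self.delay_first_probe = delay_first_probe
        self.max_unicast_solicit = max_unicast_solicit
        self.max_multicast_solicit = max_multicast_solicit

    def _send_solicit(self, now, multicast):
        self.solicits += 1
        self.log.append(("NS-multicast" if multicast else "NS-unicast", now))
        self.deadline = now + self.retrans_timer

    def _enter(self, state, now):
        self.state = state
        if state == REACHABLE:
            self.deadline = now + self.reachable_time
        elif state == DELAY:
            self.deadline = now + self.delay_first_probe
        elif state in (PROBE, INCOMPLETE):
            self._send_solicit(now, multicast=(state == INCOMPLETE))
        else:
            self.deadline = None      # STALE and DELETED have no timer

    def resolve(self, now):
        """Address resolution starts: multicast NS to the solicited-node group."""
        self.solicits = 0
        self._enter(INCOMPLETE, now)

    def packet_to_send(self, now):
        """Upper layer transmits to this neighbor.  Returns True if the MAC is usable.
        A STALE entry is used immediately but moves to DELAY so that, absent an
        upper-layer confirmation, unicast probing starts after delay_first_probe."""
        if self.state == STALE:
            self._enter(DELAY, now)
        return self.lladdr is not None

    def advertisement_received(self, lladdr, solicited, override, now):
        """NA processing (RFC 4861 s7.2.5); `solicited` is the S flag, `override` the O flag."""
        if self.state == INCOMPLETE:
            self.lladdr = lladdr
            self._enter(REACHABLE if solicited else STALE, now)
            return
        changed = lladdr != self.lladdr
        if changed and not override:
            if self.state == REACHABLE:   # conflicting MAC without O flag: distrust, but keep, the cached one
                self._enter(STALE, now)
            return
        if changed:
            self.lladdr = lladdr
        if solicited:
            self._enter(REACHABLE, now)
        elif changed:
            self._enter(STALE, now)

    def upper_layer_confirmation(self, now):
        """e.g. a TCP ACK for data just sent: positive reachability confirmation."""
        if self.lladdr is not None:
            self._enter(REACHABLE, now)

    def tick(self, now):
        """Run any expired timer and return the resulting state."""
        if self.deadline is None or now < self.deadline:
            return self.state
        if self.state == REACHABLE:
            self._enter(STALE, now)
        elif self.state == DELAY:
            self.solicits = 0
            self._enter(PROBE, now)
        elif self.state in (PROBE, INCOMPLETE):
            limit = self.max_unicast_solicit if self.state == PROBE else self.max_multicast_solicit
            if self.solicits >= limit:
                self.lladdr = None
                self._enter(DELETED, now)   # INCOMPLETE additionally yields ICMP Destination Unreachable
            else:
                self._send_solicit(now, multicast=(self.state == INCOMPLETE))
        return self.state
```

The O-flag branch is the security-relevant one: an unsolicited advertisement carrying a different link-layer address does not overwrite a REACHABLE entry unless the Override flag is set, which is the only protection a plain Neighbor Cache has against a spoofed NA, and it is why the later "Security Best Practices" slide asks for granular ICMPv6 filtering rather than trusting ND on untrusted links.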
Router Advertisement Message
[Figure: Router Advertisement message layout (32 bits): Type = 134, Code = 0, Checksum; Current Hop Limit, Autoconfig Flags (Flag (M), Flag (O), Reserved), Router Lifetime; Reachable Time; Retransmission Timer; ICMPv6 Options]

Router Discovery (RD)
Core function: host method to locate routers on the local network and configure a default router
• Prefix Discovery
  – Determine the network being used
  – How to differentiate between local and distant destinations, i.e. whether to attempt direct or indirect delivery of datagrams
• Parameter Discovery
  – Host learns important parameters about the local network and/or routers, such as the MTU of the local link
• Address Autoconfiguration
  – Hosts in IPv6 automatically configure themselves; this requires information normally provided by a router

Router Discovery - 2
• Nodes discover the set of routers on the local link
  – Router Advertisements
  – Router Solicitations
• IPv6 router discovery also provides:
  – Default value of the Hop Limit field
  – Use of a stateful address protocol
  – Reachability and retransmission timers
  – Network prefixes for the link
  – MTU of the local link
  – IPv6 mobility information
  – Routes

Router Discovery - 3
• IPv4: RA includes an Advertisement Lifetime field
  – Time the router is unavailable upon receiving the last Router Advertisement message
  – Worst case: Router becomes unavailable, hosts won't attempt to discover a new
default router until the RA time has elapsed
• IPv6: RA includes a Router Lifetime field
  – Indicates the length of time that the router can be considered a default router
• Neighbor Unreachability Detection
  – Detects whether the current default router has become unavailable, instead of relying on the Router Lifetime field in the RA
  – A new router is chosen immediately from the default router list

Router Discovery: Process
• IPv6 routers periodically send a Router Advertisement message on the local link advertising their existence as routers
  – Also provide configuration parameters such as default hop limit, MTU, and prefixes
• Active IPv6 hosts on the local link receive the RA messages
  – Use the contents to maintain the default router list, the prefix list, and other configuration parameters
• A host that is starting up sends a Router Solicitation message
  – To the link-local scope all-routers multicast address (FF02::2)
• On receipt of the Router Solicitation, all routers on the local link send a unicast RA message to the node that sent it
• Node receives the RA messages
  – Uses the contents to build the default router and prefix lists and set other configuration parameters

Autoconfiguration Overview
• IPv6 interfaces can automatically configure themselves
  – Even without a stateful configuration protocol such as Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
• By default, a link-local address for each interface
• By using router discovery, a host can determine
  – Additional addresses
  – Router addresses
  – Other configuration parameters
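The Router Advertisement slides above describe the message, its M and O flags, the prefix lifetimes and the Router Lifetime; what a host does with all of that is easier to see in code. The following is an added example and not code from the slides or from Network Utility Force. It serializes an RA with Source Link-layer Address, MTU and Prefix Information options, applies the validation RFC 4861 section 6.1.2 requires before a host may act on an RA (link-local source, IPv6 hop limit 255, code 0, no option with a zero length field), and maps the flags to the autoconfiguration decision: SLAAC for A-flagged /64 prefixes, DHCPv6 for addresses when M is set, DHCPv6 for other settings when M or O is set. The router MAC, the 2001:db8:1::/64 prefix and the timer values are constructed sample values.

```python
"""Build, validate and interpret an ICMPv6 Router Advertisement (Type 134) with its
Prefix Information, MTU and Source Link-layer Address options (RFC 4861 s4.2, s4.6).
Added example, not from the original slides; all sample values are constructed."""
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5
FLAG_M, FLAG_O = 0x80, 0x40          # RA flags byte: Managed, Other
FLAG_L, FLAG_A = 0x80, 0x40          # PIO flags byte: On-link, Autonomous


def build_router_advertisement(hop_limit, managed, other, router_lifetime,
                               reachable_ms, retrans_ms, prefixes, mtu=None, src_mac=None):
    """Serialize what a router multicasts to ff02::1 (checksum left 0; the sender fills it).
    `prefixes` is a list of (prefix, onlink, autonomous, valid_s, preferred_s)."""
    flags = (FLAG_M if managed else 0) | (FLAG_O if other else 0)
    msg = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                      router_lifetime, reachable_ms, retrans_ms)
    if src_mac:
        msg += struct.pack("!BB", OPT_SOURCE_LLADDR, 1) + bytes.fromhex(src_mac.replace(":", ""))
    if mtu:
        msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    for prefix, onlink, autonomous, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = (FLAG_L if onlink else 0) | (FLAG_A if autonomous else 0)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                           valid, preferred, 0) + net.network_address.packed
    return msg


def parse_router_advertisement(msg, ipv6_src, ipv6_hop_limit):
    """Validate (RFC 4861 s6.1.2) and decode an RA.  Raises ValueError for anything a
    host must silently discard: non-link-local source, hop limit != 255, bad code,
    short message, or an option whose length field is zero or runs past the end."""
    src = ipaddress.IPv6Address(ipv6_src)
    if not src.is_link_local or ipv6_hop_limit != 255:
        raise ValueError("RA must arrive from a link-local source with hop limit 255")
    if len(msg) < 16 or msg[0] != ND_ROUTER_ADVERT or msg[1] != 0:
        raise ValueError("not a well-formed Router Advertisement")
    _, _, _, cur_hop, flags, rlife, reach, retrans = struct.unpack("!BBHBBHII", msg[:16])
    ra = {"router": str(src), "default_router": str(src) if rlife else None,
          "router_lifetime": rlife, "cur_hop_limit": cur_hop,
          "managed": bool(flags & FLAG_M), "other": bool(flags & FLAG_O),
          "reachable_ms": reach, "retrans_ms": retrans,
          "mtu": None, "src_lladdr": None, "prefixes": []}
    off = 16
    while off < len(msg):
        if off + 2 > len(msg) or msg[off + 1] == 0:
            raise ValueError("malformed option (zero length or truncated)")
        otype, end = msg[off], off + msg[off + 1] * 8
        if end > len(msg):
            raise ValueError("option runs past end of message")
        body = msg[off + 2:end]
        if otype == OPT_PREFIX_INFO and len(body) == 30:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[:14])
            prefix = ipaddress.IPv6Address(body[14:30])
            # RFC 4862 s5.5.3: ignore link-local prefixes and preferred > valid
            if plen <= 128 and not prefix.is_link_local and preferred <= valid:
                ra["prefixes"].append({"prefix": f"{prefix}/{plen}", "prefix_len": plen,
                                       "onlink": bool(pflags & FLAG_L),
                                       "autonomous": bool(pflags & FLAG_A),
                                       "valid": valid, "preferred": preferred})
        elif otype == OPT_MTU and len(body) == 6:
            ra["mtu"] = struct.unpack("!HI", body)[1]
        elif otype == OPT_SOURCE_LLADDR and len(body) >= 6:
            ra["src_lladdr"] = ":".join(f"{b:02x}" for b in body[:6])
        off = end
    return ra


def autoconfiguration_plan(ra):
    """The host's decision: SLAAC for A-flagged /64 prefixes, DHCPv6 for addresses if
    M is set, DHCPv6 for other settings if M or O is set (M makes O redundant)."""
    return {
        "default_router": ra["default_router"],
        "slaac_prefixes": [p["prefix"] for p in ra["prefixes"]
                           if p["autonomous"] and p["prefix_len"] == 64],
        "onlink_prefixes": [p["prefix"] for p in ra["prefixes"] if p["onlink"]],
        "dhcpv6_for_addresses": ra["managed"],
        "dhcpv6_for_other_config": ra["managed"] or ra["other"],
    }
```

The validation step is where a host's exposure to a rogue router is decided: because RAs are accepted from any link-local source on the segment, the checks above only guarantee the advertisement came from the local link, not from the intended router, which is the gap that switch-side RA filtering (RA Guard) and the ICMPv6 filtering policy recommended later in the deck are meant to close.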
Types of Autoconfiguration
1. Stateless (SLAAC)
   – Receipt of Router Advertisement messages with one or more Prefix Information options
2. Stateful
   – Use of a stateful address configuration protocol such as DHCPv6
3. Both
   – Receipt of Router Advertisement messages and a stateful configuration protocol
For all types, a link-local address is always configured

Autoconfiguration Process
1. Configure link-local address
   – Perform duplicate address detection
2. Perform router discovery
   – Use Router Advertisements to determine
     • Configuration parameters
     • Stateless addresses and on-link prefixes
     • For stateless addresses, perform duplicate address detection
     • Whether to use stateful address configuration

Autoconfiguration Process
[Figure: address state diagram. A new address (from the link-local prefix only, or from a Router Advertisement) starts Tentative; DAD unsuccessful → Duplicate; DAD successful → Valid and Preferred; Preferred Lifetime expired → Deprecated (still Valid); Valid Lifetime expired → Invalid]

Stateless Autoconfiguration
• Uses Neighbor Discovery ICMPv6 messages
• Host asks for network parameters:
  – IPv6 prefix(es)
  – default router address(es)
  – hop limit
  – (link-local) MTU
• Routers must be manually configured
• Hosts can automatically get an IPv6 address
• Servers should be manually configured
• Hosts listen for Router
Advertisement (RA) messages, periodically transmitted by routers
• RA messages coming from the router(s) on the link identify the subnet

Stateless Autoconfiguration - 2
• Allows a host to create a global IPv6 address from:
  – Its interface identifier (EUI-64 address)
  – Link prefix (obtained via Router Advertisement)
• Hosts usually use the router sending the RA messages as the default router
• Global Address = Link Prefix combined with the EUI-64 address

Stateless Autoconfiguration - 3
• If the RA doesn't carry any prefix:
  – Hosts don't automatically configure any global IPv6 address, but may configure the default gateway address
• RA messages contain two flags indicating what type of stateful autoconfiguration (if any) should be performed

DHCPv6
• Key differences from IPv4
  – IPv6 hosts do not automatically configure a directly attached subnet route for a DHCPv6-assigned IPv6 address
    • On-Link flag in the Prefix Information option
  – There is no Router option in DHCPv6 to assign a default router
    • Default route is configured from the RA

DHCPv6
• DHCPv6 requirements
  – IPv6 must be supported on the routing path between DHCPv6 relay agents and the DHCPv6 server
  –
IPv6 routers must advertise the Managed Address Configuration (M) and Other Stateful Configuration (O) flags set to 1
    • Autonomous flag set to 0 in Prefix Information options
• DHCPv6 planning
  – Determine whether IPv6 hosts will need stateless, stateful, or both types of addresses
  – Configure a DHCPv6 relay agent for each IPv6 subnet
  – Determine the location of DHCPv6 servers

DHCPv6 - 2
• Provides stateful address configuration or stateless configuration settings for IPv6 hosts
• Managed Address Configuration (M) flag
  – When set to 1, this flag instructs the host to use a configuration protocol to obtain stateful addresses
• Other Stateful Configuration (O) flag
  – When set to 1, this flag instructs the host to use a configuration protocol to obtain other configuration settings
• Components of a DHCPv6 infrastructure
  – DHCPv6 clients
  – DHCPv6 servers
  – DHCPv6 relay agents

DHCPv6 Communication
• User Datagram Protocol (UDP) messages
  – DHCPv6 clients listen on UDP port 546
  – DHCPv6 servers and relay agents listen on UDP port 547
• Multicast addresses
  – DHCPv6 servers and relay agents listen on ff02::1:2
  – DHCPv6 clients send messages to ff02::1:2
• Relay agent forwards multicasts as unicasts to configured DHCPv6 servers

DHCPv6 Relay Agent
• Node that acts as an intermediary to deliver DHCP messages between clients and servers
  – On the same link as the client
  – Listening on multicast addresses
    • All_DHCP_Relay_Agents_and_Servers (FF02::1:2)

Stateful Message Exchange (M and O flags: 1)
1. A Solicit message sent by the client to locate the servers
2. An Advertise message sent by a server to indicate that it can provide addresses and configuration settings
3. A Request message sent by the client to request addresses and configuration settings from a specific server
4. A Reply message sent by the requested server that contains addresses and configuration settings

Stateless Message Exchange (M flag: 0, O flag: 1)
1. An Information-Request message sent by the client to request configuration settings from a server
2.
A Reply message sent by a server that contains the requested configuration settings

DNS Extensions
In Use                                    Experimental/Deprecated
AAAA record                               A6 and DNAME records
Textual representation in PTR record      Binary Labels type
IP6.arpa                                  IP6.int domain
New DNS Queries
• AAAA
  • Forward lookup (Name → IPv6 Address)
    A     192.134.0.49
    AAAA  2001:660:3006:1::1:1
• PTR
  • Reverse lookup (IPv6 Address → Name)
    Main tree: ip6.arpa

AAAA (Quad A) Record
• Similar to the 'A' Resource Record for IPv4
• Holds the IPv6 record for a host
• Entered into the zone file in standard representation
• Backward compatible with (most) non-IPv6-aware resolvers (ignored RR type)
AAAA Record Fields:
• NAME – Domain name
• TYPE – AAAA (28)
• CLASS – Internet (1)
• TTL – Time to live (in seconds)
• RDLENGTH – Length of RDATA field
• RDATA – String form of the IPv6 address

Reverse Lookup
• Reverse DNS lookups for IPv6 addresses use the ip6.arpa domain
• An IPv6 address is represented as a name in the ip6.arpa domain by a sequence of nibbles in reverse order
• Represented as hexadecimal digits, separated by dots, with the suffix .ip6.arpa
  IPv6: 4321:0:1:2:3:4:567:89AB
  B.A.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.0.0.0.1.2.3.4.ip6.arpa
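Two pieces of address arithmetic run through this part of the deck: the Stateless Autoconfiguration slides combine a /64 link prefix with an EUI-64 interface identifier, and the Reverse Lookup slide turns an address into its ip6.arpa name. The following is an added example and not code from the slides or from Network Utility Force: it derives the modified EUI-64 identifier from a MAC address, forms the link-local and global SLAAC addresses, recovers the MAC from an EUI-64-derived address (the tracking concern behind privacy extensions, which a defender can use to find hosts that are not using them), and builds the ip6.arpa name, checked against the slide's own 4321:0:1:2:3:4:567:89AB example. The MAC address and the 2001:db8:1::/64 prefix are constructed sample values.

```python
"""Modified EUI-64 interface identifiers, SLAAC address formation and ip6.arpa names.
Added example, not from the original slides; the MAC and 2001:db8:1::/64 are samples."""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 Appendix A): split the 48-bit MAC in the middle,
    insert ff:fe, and flip the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> str:
    """Prefix (a /64, as the RA slides require) + EUI-64 identifier = 128-bit address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a 64-bit prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac)))


def link_local_address(mac: str) -> str:
    """The fe80::/64 address every interface configures before anything else."""
    return slaac_address("fe80::/64", mac)


def mac_from_eui64_address(addr: str):
    """If the interface identifier is EUI-64 derived, recover the MAC; otherwise None.
    A MAC-derived suffix follows the device onto every network it joins, which is
    the tracking problem RFC 4941 privacy extensions were introduced to avoid; a
    non-None result therefore flags a host that is not using them."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in octets)


def reverse_pointer_name(addr: str) -> str:
    """ip6.arpa name: all 32 nibbles of the fully expanded address, reversed and dot-separated."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"
    print(link_local_address(mac), slaac_address("2001:db8:1::/64", mac))
    print(reverse_pointer_name("4321:0:1:2:3:4:567:89AB"))
```

The reverse name always has 32 labels because the exploded form is used; compressing "::" first is the usual mistake and yields a name with too few labels. Python's standard library exposes the same computation as `ipaddress.IPv6Address(addr).reverse_pointer`, which can be used to cross-check the function above.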
Overview
• The transition from IPv4 to IPv6 will take years
  – Some hosts will use IPv4 indefinitely
  – Migration is the long-term goal, coexistence in the interim
• Transition criteria
  – Existing IPv4 hosts can be upgraded at any time, independent of the upgrade of other hosts or routers
  – New hosts using only IPv6 can be added at any time without dependencies on other hosts or routing infrastructure
  – Existing IPv4 hosts with IPv6 installed continue to use their IPv4 address and don't need additional addresses
  – Little preparation is needed to upgrade existing IPv4 nodes to IPv6 or deploy new IPv6 nodes

Transition Mechanisms
Dual-Stack: IPv6/IPv4 co-existence on one device
  ● Ideal transition mechanism
  ● DS-ready core gives flexibility at the edge
  Technologies: Dual Stack, 6PE, 6VPE
Translation: IPv6/IPv4 translation
  ● Edge-based solution
  ● Expected to co-exist with dual-stack for some time
  Technologies: NAT64, 464XLAT
Tunnels: Initially tunnel IPv6 over IPv4, then IPv4 over IPv6
  ● Good when the core isn't IPv6 ready or when edges are built with IPv6 only
  ● Requires IPv6-capable CPEs
  Technologies: 6to4, 6rd, DS-Lite, MAP-E/MAP-T

Dual Stack
• Allows coexistence between IPv4-based nodes and IPv6-based nodes
  – Any application based on only one protocol stack may coexist and be used with other applications based on the other protocol stack
  – DS nodes may disable one IP stack and run only IPv4 or IPv6
• Nodes can support both automatic and configured tunnels
• Allows gradual transition
Dual Stack: Stack Selection
• Manual Entry
  – User can fill in the IPv6 address or IPv6 hostname of the destination to establish the session
  – Good for debugging
• Using a Name Service
  – Querying for an IPv4 address
    • A record
  – Querying for an IPv6 address
    • AAAA record
  – Querying for all types of addresses
    • First look for AAAA, then look for A record

Tunneling Configurations
• Tunneling
  – IPv6 encapsulated in IPv4 by tunnel endpoints; transparent to intermediate nodes
  – Tunneling is used by most transition mechanisms
  – Protocol 41 is used to let packets through security gateways present in the path

Protocol Translations
• May prefer to use IPv6-IPv4 protocol translation for:
  – New kinds of Internet devices (e.g., cell phones, cars, appliances)
  – Benefits of shedding the IPv4 stack (e.g., serverless autoconfig)
• Simple extension to NAT techniques, to translate header format as well as addresses
  – IPv6 nodes behind a translator get full IPv6 functionality when talking to other IPv6 nodes located anywhere
  – Get the normal (i.e., degraded) NAT functionality when talking to IPv4 devices
  – Drawback: minimal gain over the IPv4/IPv4 NAT approach

IPv6 Routing Protocols
• RIPng for IPv6 – Distance vector
• OSPF for IPv6 – Link state
•
Integrated Intermediate System-to-Intermediate System (IS-IS) for IPv6 – Link state
• BGP+ – Path vector

IPv6 Solutions and Improvements
• Scanning of gateways and hosts
  – Longer addresses make scanning more complex
• Privacy/tracking
  – Multiple addresses per interface and privacy extensions inhibit user/device tracking

IPv6 Solutions and Improvements - 2
• Performance attacks with fragmented headers
  – Multiple IPv6 fragmentation filtering capabilities
• Protocol weakness
  – Hierarchical addresses, globally aggregated; spoof m
and IPv6 Use IPsec to authenticate and provide confidentiality Document procedures for last-hop traceback Pay close attention to the security aspects of transition mechanisms. Network Utility Force LLC | 15 Wieuca Trace Northeast, Atlanta, GA 30342 | +1-404-635-6667 | [email protected] ©2016 Company Confidential Information | Transmittal to Third Parties by Prior Permission Only 100 Deployment Planning Steps • Establish an IPv6 project management team – Decide IPv6 architecture strategy – Develop IPv6 exception strategy – Assess network, including hardware, software, applications and back end operations – Develop adoption timelines, cost analysis, and a procurement plan – Obtain IPv6 prefix, develop addressing plan, develop security plan – Create detailed Phase 1 design • Test solution with applications, network mgt – Train remaining users on new Technology and the deployed Solution Network Utility Force LLC | 15 Wieuca Trace Northeast, Atlanta, GA 30342 | +1-404-635-6667 | [email protected] ©2016 Company Confidential Information | Transmittal to Third Parties by Prior Permission Only 101 Brandon Ross Chief Network Architect and CEO [email protected] | +1-404-635-6667 Network Utility Force LLC | 15 Wieuca Trace Northeast, Atlanta, GA 30342 | +1-404-635-6667 | [email protected] ©2016 Company Confidential Information | Transmittal to Third Parties by Prior Permission Only 102