Slide 1
IPv6 (Hard)core
Networking Services
Daniel Sörlöv
Senior Consultant, Trainer & Speaker
Svensk IT Funktion AB
WSV312

Slide 2
History of IP
- Around 1980 IP was defined
- IPv6 started in the 1990s as IPNG
- First IPv6 RFC published in 1995
- Primary definition today is RFC 2640

Slide 3
IPv4 problems
- Complicated headers (checksum calculations)
- Limited address space
- Slow option handling
- No QoS, Encryption, Integrity
- NAT

Slide 4
Why should we care about IPv4 exhaustion?
- 32 bits
- 4 294 967 296 addresses
- 256 /8 blocks
- ”There is still reserved space”

Slide 5
Current IPv4 Situation & Projections
- IANA: exhausted
- APNIC: 19-apr-2011 (!)
- RIPE NCC: 14-aug-2012
- ARIN: 20-jun-2013
- LACNIC: 29-jan-2014
- AFRINIC: 05-nov-2014

Slide 6
Two routes to escape exhaustion
- Decrease LIR allocation policy
  - More administrative work, complicates delegations
- Use NAT, NAPT
  - Breaks communications (?)
  - Negative effect on old protocols (?)
  - Perceived as a security measure (?)

Slide 7
Solving the problem without magic tricks (NAT)
- 128 bits, or 340282366920938463263274607431768211456 addresses
- 2^64 nodes per subnet
- Fixed subnet size
- IPv6 address (128 bits) = Network ID (64 bits) : Interface ID (64 bits)

Slide 8
Perspective to that scale
- Total earth surface is about 198 million sq. miles
- You end up with 4.28 × 10^20 addresses per sq. inch!

Slide 9
Dividing the address
- Layout: 001 (3 bits) | routing prefix (45 bits) | subnet id (16 bits) | interface id (64 bits)
- IANA -> RIR -> LIR
- /48 assigned to customer

Slide 10
Will this be enough?
- RIRs requesting new blocks every 18 months
- The current block assigned by IETF will run out 2158
- 1/8th of the total is assigned!
- More than 5/8th will still be available
- 000/3 and 111/3 are reserved!

Slide 11
Terminology
- Node: equipment handling IPv6 in any way
- Router: equipment doing IPv6 routing
- Host: equipment that does NOT route packets
- Link: a LAN or WAN network
- Neighbor: a node on the same link
- Packet: header + data

Slide 12
IPv4 to IPv6 changes
- Simplified headers
- Scalability
- Better option handling
- QoS support built in
- Encryption (ESP, Encapsulating Security Payload)
- Authentication (AH, Authentication Header)
- Integrity (AH+ESP)
- Self-configuring

Slide 13
IPv6 Address format
- Full form: FE80:0:0:0:0290:27FF:0077:DE97
- Zero group compression: FE80::0290:27FF:0077:DE97
- Leading zero trimming: FE80::290:27FF:77:DE97

Slide 14
IPv6 Allocations
- This is about 15% of the total address space
- If you heard of ”Site Local” (FEC0), that is deprecated

Address Type           Binary Prefix   Prefix     Part of Total
Reserved by IETF       0000 0000       /8         1/256
Global Unicast         001             2000::/3   1/8
Link Local             1111 1110 10    FE80::/7   1/1024
Multicast              1111 1111       FF::/8     1/15
Unique Local Unicast   1111 1100       FC0::/7    1/1024

Source: http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.txt

Slide 15
Very important about FEC0
- Microsoft still uses the deprecated range for DNS servers:
  fec0:0:0:ffff::1
  fec0:0:0:ffff::2
  fec0:0:0:ffff::3
- As a last resort only!

Slide 16
Common addresses
- Loopback: 0:0:0:0:0:0:0:1 or ::1 (was 127.0.0.1)
- Unspecified: 0:0:0:0:0:0:0:0 or :: (was 0.0.0.0)

Slide 17
Link Local Addresses
- FE80 prefix
- Similar to IPv4 APIPA (169.254.0.0/16)
- Only for on-link communication, not routable
- Used for
  - Auto configured addresses
  - Neighbor discovery process
- Layout: 1111 1110 10 (10 bits) | 00 .. 00 (54 bits) | interface id (64 bits)

Slide 18
Multicast Addresses
- Layout: 1111 1111 (8 bits) | flags (4 bits) | scope (4 bits) | reserved (8 bits) | plen (8 bits) | net prefix (64 bits) | group id (32 bits)
- Flags: 0 = well known address, 1 = transient address
- Scope: 1 = node local, 2 = link local, 14 = global internet
- Group ID: 1 = all nodes, 2 = all routers, 101 = all NTP servers

Slide 19
Global Unicast
- Layout: 001 (3 bits) | routing prefix (45 bits) | subnet id (16 bits) | interface id (64 bits)

Address Type        Binary Prefix   Prefix
Unspecified         000…0           ::/128
Loopback            0000…01         ::1/128
ULA                 1111 110        FC00::/7
Assigned to RIRs    001             2000::/3
Global Unicast      Everything else!!

Slide 20
Unique Local Addresses (ULA)
- Layout: 1111 110 (7 bits) | L (1 bit) | global (40 bits) | subnet (16 bits) | interface id (64 bits)
- L=1
- FC00::/7 prefix
- Local or site local communications
- Most likely will be unique and not expected to be routable
- Well known, somewhat like RFC 1918

Slide 21
Windows and IPv6
- IPv6 is preferred
- Nameserver query -> try to reach IPv6 -> try to reach IPv4 -> timeout

Slide 22
PING & NSLOOKUP
- Same tools and same syntax.

Slide 23
IPv6 Header Format
- Word 1 (bits 0-31): Version (bits 0-3) | Traffic Class (bits 4-11) | Flow Label (bits 12-31)
- Word 2 (bits 32-63): Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits)
- 128-bit source address
- 128-bit destination address
- Total 40 bytes

Slide 24
IPv6 Header Format gains
- Fixed length
- Extension headers
- Is not protected by checksum
- Payload length and not total length
- Hop Limit introduced

Slide 25
Extension Headers
- IPv6 Header (Next-header: Hop-by-hop)
  -> Hop-by-hop Header (Next-header: Destination Options)
  -> Destination Header (Next-header: Routing header)
  -> Routing Header (Next-header: Fragment Header)
  -> Fragment Header (Next-header: AH)
  -> AH (Next-header: ESP)
  -> ESP Header

Slide 26
Extension Header Handling
- Only processed by the destination node
- Except for Hop-By-Hop Header
- Packet voided if unrecognized headers found
- Recommended ordering
- Next header value 59: ”No more headers”

Slide 27
Traffic Class & Flow Label
- Traffic Class (8-bit)
  - Similar to TOS in IPv4
  - RFC 2460
- Flow label
  - Real-time applications
  - RFC 3697 obsoleted by RFC 643
- Both are still considered experimental!

Slide 28
Option Headers
- Hop-by-hop Options: for all nodes along the path
- Destination Options: only for the destination node
- Layout: Next-header (8 bits) | Header length (8 bits) | variable options part

Slide 29
Fragment Header
- Layout: next header (8 bits) | reserved (8 bits) | offset (13 bits) | res (2 bits) | F (1 bit) | fragment id (32 bits)

Slide 30
Control Protocols
- IPv4: ICMP, ARP etc.
- IPv6: ICMPv6

Slide 31
ICMPv6
- Type field: 0-127 is errors, 128-255 is informational
- Body includes start of invoking packet
- Must not be fragmented
- Must not be originated in reply to ICMPv6 error or redirects
- Layout: type (8 bits) | code (8 bits) | checksum (16 bits) | message

Slide 32
Broadcast is dead – long live multicast
- Multicast replaces broadcast
- All IPv6 nodes must support multicast
- You must enable IGMP snooping

Slide 33
”All nodes on-link” multicast group
- Nodes: node-local is FF01::1, link-local is FF02::1
- Routers: node-local is FF01::2, link-local is FF02::2

Slide 34
Solicited-node multicast groups
- Nodes with similar addresses will join
- Globally assigned FF02::1:FF00:0:/104
- Low order 24 bits of node address
- Example: node 2001:db8::2:20ef:345f:3254:d851 joins FF02::1:FF00:0:3254:d851

Slide 35
Neighbor Discovery (ND)
- Relies on ICMPv6
- Uses multicast
- Requests link-layer address by using neighbor solicitation (NS) query
- Neighbor Advertisement (NA) (flag S1 = in response to NS, S2 = unsolicited NA)
- Neighbor information stored in
  - Neighbor cache (NC)
  - Destination cache (DC)

Slide 36
Neighbor Discovery Proxy (ND-Proxy)
- Can reply to NS queries
- Must not be preferred from nodes
- Flags in response: 0 = reachable and stale, 1 = reachable and updated

Slide 37
ND is the new ARP!
- ARP is dependent on broadcast
- Reduces network load
- Improved robustness
- Neighbor unreachability detection
- Half-link failure detection
- Notification to upper layer

Slide 38
Anycast
- Same unicast assigned to multiple nodes
- Delivered to the ”nearest” interface matching
- Increases service availability and reliability
- Allocated from normal unicast pool

Slide 39
IPv6 Node Configuration
- IPv6 Address
  - Interface ID: manual, auto (stateful or stateless)
  - Network ID: manual, auto (stateful or stateless), pre-defined well-known prefix (FE80..)
- Additional parameters
- Routers

Slide 40
Interface Identifier Configuration
- Manual configuration
- Auto configuration (EUI-64)
- Auto configuration (randomization)
- DHCPv6
- Pseudo-random ID
- Cryptographically generated ID

Slide 41
Extended Unique Identifier (EUI-64)
- MAC:             22 1F 74 C5 16 51
- EUI-64:          22 1F 74 FF FE C5 16 51 (FF FE inserted in the middle)
- Modified EUI-64: 20 1F 74 FF FE C5 16 51 (first octet 0010 0010 -> 0010 0000, the U/L bit is inverted)

Slide 42
Interface Auto configuration
- Modified EUI-64 derived from MAC (not Windows!!)
- Collisions/duplicate addresses
  - Duplicate MAC addresses
  - Duplicate Interface ID (manual configuration)
- Neighbor Discovery (ND) locates owner to address
- DAD based on ND

Slide 43
DAD – Duplicate Address Detection
- Node X starts and will assign address Y on interface I
- Interface I joins multicast groups
  - FF02::1 (all hosts)
  - FF02::1:FF00:0:Y (solicited node multicast)
- Is there any NS query (dst FF02::1:FF00:0:Y, src ::)?
- X sends NS (dst FF02::1:FF00:0:Y, src ::)
- Is there a NA (flag=S0) sent to FF02::1?
- Must be performed for all unicast, but not anycast

Slide 44
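Added worked example (not part of the slide deck): the Modified EUI-64 derivation of slide 41, the link-local address SLAAC builds from it, the solicited-node group of slide 34 computed as RFC 4291 defines it (low-order 24 bits appended to ff02::1:ff00:0/104), and the NS probe DAD sends on slide 43. The MAC is the one from the slide; the 2001:db8 address is the slide's example.

```python
import ipaddress

def modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) from a 48-bit MAC: split the MAC
    in two, insert FF:FE in the middle, and invert the U/L bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits: %r" % mac)
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]

def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """SLAAC link-local address: well-known fe80::/64 prefix plus the Modified EUI-64 interface ID."""
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address((0xFE80 << 112) | iid)

def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group (RFC 4291 2.7.1): ff02::1:ff00:0/104 with the low-order
    24 bits of the unicast address appended; a node joins it for each unicast address it has."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def dad_probe(tentative: str) -> dict:
    """Addressing of the Neighbor Solicitation DAD sends for a tentative address: source is the
    unspecified address (the node may not use the address yet), destination is the solicited-node
    group of the tentative address, and the NS target field carries the address itself."""
    return {"src": "::", "dst": str(solicited_node(tentative)),
            "target": str(ipaddress.IPv6Address(tentative))}
```

Two unicast addresses that share their low 24 bits join the same solicited-node group, which is why the group, and not the full address, is what the NS is multicast to.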
SLAAC – StateLess Address Auto Configuration
- Link-local is already ”configured”
  - Well-known network id (FE80)
  - Interface id (MEUI-64)
  - DAD resolved any conflicts
  - Neighbor communication established
- Next is to find routers, networks etc.

Slide 45
Finding a router
- All routers must join multicast group All Routers (FF02::2)
- Clients send a Router Solicitation (RS) query
- Routers send out a Router Advertisement (RA) message
  - Periodically
  - In response to RS queries

Slide 46
Router advertisements
- M = address via DHCPv6
- O = options via DHCPv6
- Layout: type (134, 8 bits) | code (0, 8 bits) | checksum (16 bits) | ttl | M | O | res | router lifetime | reachable time | retransmit time | variable length options

Slide 47
RA options
- Prefix information
  - Prefix ID and its length
  - Lifetime for the prefix
- Maximum Transmission Unit (MTU)
- Link-layer address of source

Slide 48
DEATH BY RA
- Music by Martin Minor
- Traffic dumps by Hasain Alshakarti

Slide 49
Death by RA
- Do NOT route RA
- Filter RA from ports that shouldn’t send them!
- All clients MUST process all RA!

Slide 50
Secure ND
- On-link only!
- Do NOT route ND
- Filter RA with TTL < 255
- Generalized TTL Security Mechanism (GTSM, RFC 5082)

Slide 51
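Added example (not from the deck) tying the header slides to the Secure ND rule above: a parser for the fixed 40-byte IPv6 header that walks the Next Header chain through the extension headers of slide 25, and the GTSM-style check that drops a Router Advertisement whose Hop Limit is below 255. The sample packet is constructed inline (link-local source from slide 41, zero ICMPv6 checksum); it is not a real capture.

```python
import ipaddress
import struct

IPV6_HDR_LEN = 40   # the base header is always 40 bytes; Next Header 59 means "no more headers"
ICMPV6 = 58
EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH", 60: "Destination Options"}

def parse_ipv6(pkt: bytes) -> dict:
    """Parse the base header, then follow the Next Header chain through the extension headers."""
    if len(pkt) < IPV6_HDR_LEN:
        raise ValueError("truncated IPv6 header")
    word0, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if word0 >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if len(pkt) < IPV6_HDR_LEN + plen:   # Payload Length counts everything after the base header
        raise ValueError("payload length exceeds captured bytes")
    hdr = {"traffic_class": (word0 >> 20) & 0xFF, "flow_label": word0 & 0xFFFFF,
           "payload_length": plen, "hop_limit": hlim, "src": str(ipaddress.IPv6Address(pkt[8:24])),
           "dst": str(ipaddress.IPv6Address(pkt[24:40])), "chain": []}
    off = IPV6_HDR_LEN
    while nh in EXT_HEADERS:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == 44:            # Fragment header: fixed 8 bytes, no length field
            ext_len = 8
        elif nh == 51:          # AH: Payload Len is in 32-bit words minus 2
            ext_len = (pkt[off + 1] + 2) * 4
        else:                   # others: Hdr Ext Len in 8-byte units, not counting the first 8
            ext_len = (pkt[off + 1] + 1) * 8
        hdr["chain"].append(EXT_HEADERS[nh])
        nh, off = pkt[off], off + ext_len
    hdr["upper"], hdr["payload_offset"] = nh, off   # upper == 59: no more headers
    return hdr

def ra_hop_limit_ok(pkt: bytes) -> bool:
    """GTSM check (RFC 5082): an RA (ICMPv6 type 134) is on-link only, so Hop Limit must be 255."""
    hdr = parse_ipv6(pkt)
    if hdr["upper"] != ICMPV6 or hdr["payload_offset"] >= len(pkt):
        return True                       # not ICMPv6 (or empty payload): nothing to check here
    icmp_type = pkt[hdr["payload_offset"]]
    return icmp_type != 134 or hdr["hop_limit"] == 255

def build_sample_ra(hop_limit: int, with_hop_by_hop: bool = False) -> bytes:
    """Constructed sample (not a capture): link-local -> ff02::1 RA, optional Hop-by-Hop header."""
    ra = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)   # type, code, csum, hop, flags, lifetimes
    hbh = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0]) if with_hop_by_hop else b""  # next=58, len=0, PadN(4)
    base = struct.pack("!IHBB", 6 << 28, len(hbh + ra), 0 if with_hop_by_hop else ICMPV6, hop_limit)
    src, dst = ipaddress.IPv6Address("fe80::201f:74ff:fec5:1651").packed, ipaddress.IPv6Address("ff02::1").packed
    return base + src + dst + hbh + ra
```

A router that forwarded the RA would have decremented Hop Limit, so any RA seen with a lower value did not originate on the link and is a candidate for the filtering the slide describes.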
Fragmentation notes
- Problems with fragmentation
  - Inefficient use of resources
  - Degraded performance
  - Reassembly is hard
- Reasons to fragment
  - Path MTU (PMTU) mismatch
  - The TCP/IP stack

Slide 52
Fragmentation deep-dive
- “Fragmentation” by source only!
- No more ”Don’t fragment” flag
- Minimum MTU set to 1280 bytes
- If packet is above MTU an ICMP error is returned
- Detecting PMTU
  - Sending packets increasingly from 1280 bytes
  - When hitting limit somewhere, store into DC (Destination Cache)

Slide 53
IPv6 & DNS
- New (?) resource record type introduced: www.gurka.se IN AAAA 2001:ac8:ac2::1
- Reverse records (PTR)
  - Arranged in ”nibbles” (4 bits in hex)
  - Domain namespace is ip6.arpa.
  - 2001:db8::20:219f:bd8c:17af is now:
    f.a.7.1.c.8.d.b.f.9.1.2.0.2.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.

Slide 54
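Added example (not part of the slides): the two notation steps of slide 13 (zero-group compression and leading-zero trimming, following RFC 5952 so the output is lowercase and the longest zero run wins) and the nibble reversal of slide 53, written without the ipaddress module so each step is visible. Inputs are the addresses from those two slides.

```python
def expand(addr: str) -> list:
    """Expand textual IPv6 into its eight 16-bit groups; one '::' stands for the missing zero groups."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed: %r" % addr)
    head, sep, tail = addr.partition("::")
    groups = [int(g, 16) for g in (head.split(":") + tail.split(":")) if g]
    missing = 8 - len(groups)
    # '::' is required exactly when groups are missing; never more than 8 groups; 16-bit values only
    if any(g > 0xFFFF for g in groups) or missing < 0 or (missing > 0) != bool(sep):
        raise ValueError("malformed IPv6 address: %r" % addr)
    left = [int(g, 16) for g in head.split(":") if g]
    return left + [0] * missing + groups[len(left):]

def compress(addr: str) -> str:
    """RFC 5952 text form: lowercase hex, no leading zeros, and the longest run of two or more
    zero groups (the first one on a tie) replaced by '::'."""
    groups = expand(addr)
    best_start, best_len, run_start = 0, 0, None
    for i, g in enumerate(groups + [-1]):          # sentinel closes a run that reaches the end
        if g == 0 and run_start is None:
            run_start = i
        elif g != 0 and run_start is not None:
            if i - run_start > best_len:
                best_start, best_len = run_start, i - run_start
            run_start = None
    hexs = ["%x" % g for g in groups]              # "%x" trims leading zeros: 0077 -> 77
    if best_len < 2:                               # a lone zero group is written "0", never "::"
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])

def reverse_name(addr: str) -> str:
    """PTR owner name (RFC 3596): all 32 nibbles of the expanded address, reversed, under ip6.arpa."""
    nibbles = "".join("%04x" % g for g in expand(addr))
    return ".".join(reversed(nibbles)) + ".ip6.arpa."
```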
LLMNR – Link-Local Multicast Name Resolution
- Very similar to DNS queries and responses
- Sends query on UDP port 5355 on FF02::1:3
- Responses are sent by authoritative machines via unicast
- Defined in RFC 4795
- Separate cache, not same as DNS resolver or NetBT
- Only for very small networks

Slide 55
Name resolution ordering
- DNS
- LLMNR (if not FQDN, IPv6 & IPv4)
- NetBT (if not FQDN, IPv4)

Slide 56
Migration & Stacks
- Dual stack mode (IPv4+IPv6)
  - Most workstations are in this mode
  - Windows prefers IPv6
  - Make sure you have control!!
- Tunneling IPv6 over IPv4
- NAT64 to translate between versions

Slide 57
Tunneling
- 6to4 (RFC 3056): requires public IPv4 endpoints
- Teredo (RFC 4380): NAT-T supported, enabled by default (teredo.ipv6.microsoft.com)
- ISATAP (RFC 4212): relies on host ISATAP, blacklisted by default in domain

Slide 58
Routing principles
- No big changes in routing
- First host (128 bits)
- Longest prefix (up to 64 bits)
- Last resort is default
- RIPng, BGP4+, OSPFv3

Slide 59
Routing protocols
- RIPng: still has the same problems (big networks, >15 hops), RFC 2080
- BGP4+: IDRP (Inter-Domain Routing Protocol) was planned but replaced via RFC 2545 (Multiprotocol extensions for BGP4)
- OSPFv3: routers still identified by 32-bit numbers, notated as ”ipv4” addresses, RFC 2740

Slide 60
Main advantages summarized
- More efficient address space allocation
- End-to-end addressing
- No more fragmentation
- Routers do not need to make header checksums
- Multicasting instead of broadcasting
- One control protocol (ICMPv6)
- Auto-configuration
- Modular headers
- Security built-in

Slide 61
DHCP, DNS, IPAM, IPCONFIG
- Again the same tools, only with some new menus.

Slide 62
Learning more!
- www.tunnelbroker.net: learning based reward system, pretty good hands-on experience
- www.gogo6.com: very good free tunneling
- Forums
- Reference materials

Slide 63
Myth: Cannot remember addresses!
- Use DNS
- Manual configuration gives easy addresses
- Use compact notation
- Example: 2001:2ac:f000::ff01 (18 chars) or 192.168.10.50 (13 chars)

Slide 64
Myth: I do not need it!
- IPv6 is already here
- Uncontrolled IPv6 is a security risk