IPv6 (Hard)core - PowerPoint Presentation

Uploaded by karlyn-bohler
Uploaded On 2016-05-02

Session WSV312 (Networking Services) by Daniel Sörlöv, Senior Consultant, Trainer & Speaker, Svensk IT Funktion AB. Document ID: 303010


Presentation Transcript

Slide 1: IPv6 (Hard)core

Networking Services

Daniel Sörlöv
Senior Consultant, Trainer & Speaker
Svensk IT Funktion AB

WSV312

Slide 2: History of IP

Around 1980 IP was defined
IPv6 started in the 1990s as IPng (IP Next Generation)
First IPv6 RFC published in 1995 (RFC 1883)
Primary definition at the time of this talk is RFC 2460 (since obsoleted by RFC 8200)

Slide 3: IPv4 problems

Complicated headers (checksum calculations)
Limited address space
Slow option handling
No QoS, encryption or integrity built in
NAT

Slide 4: Why should we care about IPv4 exhaustion?

32 bits
4 294 967 296 addresses
256 /8 blocks
"There is still reserved space"

Slide 5: Current IPv4 situation & projections

IANA: exhausted
APNIC: 19-apr-2011 (!)
RIPE NCC: 14-aug-2012
ARIN: 20-jun-2013
LACNIC: 29-jan-2014
AFRINIC: 05-nov-2014

(Dates later than the talk, which was given in 2012, are projections as of that time.)

Slide 6: Two routes to escape exhaustion

Decrease LIR allocation policy
  More administrative work, complicates delegations
Use NAT, NAPT
  Breaks communications (?)
  Negative effect on old protocols (?)
  Perceived as a security measure (?)

Slide 7: Solving the problem without magic tricks (NAT)

128 bits, or 340 282 366 920 938 463 463 374 607 431 768 211 456 addresses
2^64 nodes per subnet
Fixed subnet size

IPv6 address (128 bits):
  Network ID    64 bits
  Interface ID  64 bits

Slide 8: Perspective to that scale

Total earth surface is about 198 million sq. miles
You end up with about 4.28 x 10^20 addresses per sq. inch!

Slide 9: Dividing the address

  001             3 bits   IANA -> RIR
  routing prefix  45 bits  RIR -> LIR
  subnet id       16 bits  /48 assigned to customer
  interface id    64 bits

Slide 10: Will this be enough?

RIRs requesting new blocks every 18 months
The current block assigned by IETF (2000::/3) will run out in 2158
1/8th of the total is assigned!
More than 5/8th will still be available
000/3 and 111/3 are reserved!

Slide 11: Terminology

Node      Equipment handling IPv6 in any way
Router    Equipment doing IPv6 routing
Host      Equipment that does NOT route packets
Link      A LAN or WAN network
Neighbor  A node on the same link
Packet    Header + data

Slide 12: IPv4 to IPv6 changes

Simplified headers
Scalability
Better option handling
QoS support built in
Encryption (ESP, Encapsulating Security Payload)
Authentication (AH, Authentication Header)
Integrity (AH + ESP)
Self-configuring

Slide 13: IPv6 address format

Full form:              FE80:0000:0000:0000:0290:27FF:0077:DE97
Zero group compression: FE80::0290:27FF:0077:DE97
Leading zero trimming:  FE80::290:27FF:77:DE97
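The two rules on this slide, written out as code. This is an added example, not code from the talk: it compresses by hand following the RFC 5952 rules (trim leading zeros, replace only the longest run of two or more zero groups with "::", first run wins on a tie) and cross-checks the result against the standard library's canonical form. The sample addresses are the slide's own plus a few constructed ones.

```python
# Added example (not from the talk): the two compression rules from the slide
# implemented by hand, RFC 5952 style, and checked against the standard
# library's own canonical form.
import ipaddress


def expand(addr: str) -> str:
    """Full form: eight groups of four lowercase hex digits, no '::'."""
    # ipaddress validates group count, hex digits and that '::' appears once.
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """Compress an IPv6 address: trim leading zeros in every group and replace
    the longest run of two or more all-zero groups with '::' (first run wins
    on a tie; a single zero group is never compressed)."""
    groups = [int(g, 16) for g in expand(addr).split(":")]

    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i >= 2 and j - i > best_len:
            best_start, best_len = i, j - i
        i = j

    trimmed = [f"{g:x}" for g in groups]  # '%x' drops the leading zeros
    if best_len == 0:
        return ":".join(trimmed)
    head = ":".join(trimmed[:best_start])
    tail = ":".join(trimmed[best_start + best_len:])
    return f"{head}::{tail}"


def same_address(a: str, b: str) -> bool:
    """Different spellings denote the same address iff their full forms match."""
    return expand(a) == expand(b)


def matches_stdlib(addr: str) -> bool:
    """Cross-check: our compression must equal ipaddress' canonical form."""
    return compress(addr) == ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    for text in ("FE80:0:0:0:0290:27FF:0077:DE97", "2001:db8:0:0:1:0:0:1", "::1", "::"):
        print(f"{text:32} {expand(text)}  {compress(text)}")
```

The practical point is same_address: logs, ACLs and allow-lists that compare addresses as strings will miss matches unless both sides are normalised first, and RFC 5952 exists precisely so that tools agree on one spelling.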

Slide 14: IPv6 allocations

This is about 15% of the total address space
If you heard of "Site Local" (FEC0::/10), that is deprecated

Address Type          Binary Prefix  Prefix     Part of Total
Reserved by IETF      0000 0000      ::/8       1/256
Global Unicast        001            2000::/3   1/8
Link Local            1111 1110 10   FE80::/10  1/1024
Multicast             1111 1111      FF00::/8   1/256
Unique Local Unicast  1111 110       FC00::/7   1/128

Source: http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.txt

Slide 15: Very important about FEC0

Microsoft still uses the deprecated range for well-known DNS server addresses:
  fec0:0:0:ffff::1
  fec0:0:0:ffff::2
  fec0:0:0:ffff::3
As a last resort only!

Slide 16: Common addresses

Loopback     0:0:0:0:0:0:0:1 or ::1   (was 127.0.0.1)
Unspecified  0:0:0:0:0:0:0:0 or ::    (was 0.0.0.0)

Slide 17: Link-local addresses

FE80::/10 prefix
Similar to IPv4 APIPA (169.254.0.0/16)
Only for on-link communication, not routable
Used for
  Auto-configured addresses
  Neighbor discovery process

  1111 1110 10   10 bits
  00 00 .. 00    54 bits
  interface id   64 bits

Slide 18: Multicast addresses

  1111 1111       8 bits
  flags           4 bits
  scope           4 bits
  reserved        8 bits   (unicast-prefix-based format, RFC 3306)
  plen            8 bits
  network prefix  64 bits
  group ID        32 bits

Flags
  0: well-known (permanently assigned) address, 1: transient address
Scope
  1: interface-local (node-local), 2: link-local, 14 (E): global Internet
Group ID
  1: all nodes, 2: all routers, 101: all NTP servers

Slide 19: Global unicast

  001             3 bits
  routing prefix  45 bits
  subnet id       16 bits
  interface id    64 bits

Address Type      Binary Prefix  Prefix
Unspecified       000...0        ::/128
Loopback          000...01       ::1/128
ULA               1111 110       FC00::/7
Assigned to RIRs  001            2000::/3
Global Unicast    everything else!!

Slide 20: Unique Local Addresses (ULA)

  1111 110      7 bits
  L             1 bit    (L=1: locally assigned, i.e. FD00::/8)
  global ID     40 bits
  subnet ID     16 bits
  interface id  64 bits

FC00::/7 prefix
Local or site-local communications
Most likely unique, and not expected to be routable on the Internet
Well known, somewhat like RFC 1918

Slide 21: Windows and IPv6

IPv6 is preferred
  Name server query
  Try to reach IPv6
  Try to reach IPv4
  Timeout

Slide 22: PING & NSLOOKUP

Same tools and same syntax.

Slide 23: IPv6 header format

Bit offset  Field
0-3         Version (4 bits)
4-11        Traffic Class (8 bits)
12-31       Flow Label (20 bits)
32-47       Payload Length (16 bits)
48-55       Next Header (8 bits)
56-63       Hop Limit (8 bits)
64-191      Source address (128 bits)
192-319     Destination address (128 bits)

Total 40 bytes

Slide 24: IPv6 header format gains

Fixed length
Extension headers
Not protected by a checksum
Payload length instead of total length
Hop Limit introduced (replaces TTL)

Slide 25: Extension headers

IPv6 header             Next header: Hop-by-hop
Hop-by-hop header       Next header: Destination options
Destination header      Next header: Routing header
Routing header          Next header: Fragment header
Fragment header         Next header: AH
AH                      Next header: ESP
ESP header

Slide 26: Extension header handling

Only processed by the destination node, except for the Hop-by-Hop header
Packet discarded if an unrecognized header is found
Recommended ordering
Next header value 59: "No more headers"

Slide 27: Traffic class & flow label

Traffic Class (8 bits)
  Similar to TOS in IPv4
  RFC 2460
Flow Label
  Real-time applications
  RFC 3697 obsoleted by RFC 6437
Both are still considered experimental!

Slide 28: Option headers

Hop-by-hop Options
  For all nodes along the path
Destination Options
  Only for the destination node

  Next header     8 bits
  Header length   8 bits
  Variable options part

Slide 29: Fragment header

  next header         8 bits
  reserved            8 bits
  fragment offset     13 bits
  res                 2 bits
  M (more fragments)  1 bit
  fragment id         32 bits

Slide 30: Control protocols

IPv4: ICMP, ARP etc.
IPv6: ICMPv6

Slide 31: ICMPv6

Type field
  0-127 is errors
  128-255 is informational
Error body includes the start of the invoking packet
Must not be fragmented
Must not be originated in reply to an ICMPv6 error or redirect

  type      8 bits
  code      8 bits
  checksum  16 bits
  message body

Slide 32: Broadcast is dead - long live multicast

Multicast replaces broadcast
All IPv6 nodes must support multicast
You must enable MLD snooping on your switches (the IPv6 counterpart of IGMP snooping)

Slide 33: "All nodes on-link" multicast group

Nodes
  Node-local is FF01::1
  Link-local is FF02::1
Routers
  Node-local is FF01::2
  Link-local is FF02::2

Slide 34: Solicited-node multicast groups

Nodes with similar addresses will join the same group
Globally assigned FF02::1:FF00:0/104
The low-order 24 bits of the node address are appended
Example: node 2001:db8::2:20ef:345f:3254:d851 joins FF02::1:FF54:D851

Slide 35: Neighbor Discovery (ND)

Relies on ICMPv6
Uses multicast
Requests a link-layer address using a Neighbor Solicitation (NS) query
Neighbor Advertisement (NA)
  (S flag: S=1 in response to an NS, S=0 for an unsolicited NA)
Neighbor information stored in
  Neighbor cache (NC)
  Destination cache (DC)

Slide 36: Neighbor Discovery Proxy (ND-Proxy)

Can reply to NS queries
Must not be preferred over the real node
Override (O) flag in the response
  0 = an existing neighbor cache entry is kept (not overridden)
  1 = the neighbor cache entry is updated

Slide 37: ND is the new ARP!

ARP is dependent on broadcast
ND reduces network load
Improved robustness
Neighbor unreachability detection
Half-link failure detection
Notification to upper layers

Slide 38: Anycast

Same unicast address assigned to multiple nodes
Delivered to the "nearest" matching interface
Increases service availability and reliability
Allocated from the normal unicast pool

Slide 39: IPv6 node configuration

IPv6 address
  Interface ID
    Manual
    Auto (stateful or stateless)
  Network ID
    Manual
    Auto (stateful or stateless)
    Pre-defined well-known prefix (FE80::)
Additional parameters
  Routers

Slide 40: Interface identifier configuration

Manual configuration
Auto configuration (EUI-64)
Auto configuration (randomization, RFC 4941 privacy extensions)
DHCPv6
Pseudo-random ID
Cryptographically generated ID (CGA, RFC 3972)

Slide 41: Extended Unique Identifier (EUI-64)

MAC (48 bits):     22-1F-74-C5-16-51
EUI-64 (64 bits):  22-1F-74-FF-FE-C5-16-51   (FF-FE inserted between OUI and device part)
Modified EUI-64:   20-1F-74-FF-FE-C5-16-51   (universal/local bit inverted)

First octet: 0010 0010 (0x22) -> 0010 0000 (0x20), the U/L bit (0x02) is flipped

Slide 42: Interface auto-configuration

Modified EUI-64 derived from the MAC (not on Windows, which uses random interface IDs by default!!)
Collisions / duplicate addresses
  Duplicate MAC addresses
  Duplicate interface ID (manual configuration)
Neighbor Discovery (ND) locates the owner of an address
DAD is based on ND
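The address arithmetic from slides 18, 34, 41 and 42 in one place. This is an added example, not code from the talk: it derives the modified EUI-64 from the slide's MAC, forms the link-local address, computes the solicited-node multicast group that DAD and Neighbor Solicitation use, shows that the derivation is reversible (the privacy problem that randomised interface IDs address), and decodes the flags and scope nibbles of any multicast address. The MAC is the slide's; the other addresses are the slide's own or constructed.

```python
# Added example (not from the talk): derive the modified EUI-64 interface ID
# from a MAC, build the link-local address, and compute the solicited-node
# multicast group that DAD and Neighbor Solicitation use; also decode the
# flags/scope fields of any multicast address.
import ipaddress

SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local", 5: "site-local",
          8: "organization-local", 14: "global"}
SOLICITED_NODE_PREFIX = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]


def modified_eui64(mac: str) -> bytes:
    """Insert FF-FE in the middle of the 48-bit MAC and invert the U/L bit
    (0x02 of the first octet), giving the 64-bit interface identifier."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 with the modified EUI-64 as interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + modified_eui64(mac))


def mac_from_eui64_address(addr: str):
    """Reverse the derivation when the FF-FE marker is present. This is the
    privacy problem with EUI-64 IIDs: the hardware address is readable from
    the IPv6 address (and stays constant across networks)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = bytes([iid[0] ^ 0x02])
    return "-".join(f"{b:02X}" for b in first + iid[1:3] + iid[5:])


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX with the low-order 24 bits of the unicast address."""
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX + ipaddress.IPv6Address(addr).packed[13:])


def multicast_info(addr: str) -> dict:
    """Split ff00::/8: flags (4 bits; lowest is T = transient), scope (4 bits), group ID."""
    p = ipaddress.IPv6Address(addr).packed
    if p[0] != 0xFF:
        raise ValueError(f"{addr} is not a multicast address")
    flags, scope = p[1] >> 4, p[1] & 0x0F
    return {"transient": bool(flags & 0x1), "scope": scope,
            "scope_name": SCOPES.get(scope, "unassigned/reserved"),
            "group_id": int.from_bytes(p[2:], "big")}


if __name__ == "__main__":
    mac = "22-1F-74-C5-16-51"               # MAC from the EUI-64 slide
    ll = link_local_from_mac(mac)
    print(mac, "->", modified_eui64(mac).hex(), "->", ll, "->", solicited_node(ll))
    print(multicast_info("ff02::1"), multicast_info("ff02::1:ff54:d851"))
```

solicited_node is what a host must join before it can answer (or run DAD for) an address; on a switch with MLD snooping enabled, membership in these groups is what decides which ports ever see the NS. mac_from_eui64_address is the reason Windows defaults to random interface IDs, as slide 42 notes.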

Slide 43: DAD - Duplicate Address Detection

Node X starts and will assign address Y on interface I
Interface I joins the multicast groups
  FF02::1 (all nodes)
  Solicited-node group of Y (FF02::1:FF00:0/104 + low-order 24 bits of Y)
Are there any NS queries with dst = solicited-node group of Y and src = ::?
X sends an NS (dst = solicited-node group of Y, src = ::)
Is there an NA (S=0) sent to FF02::1?
Must be performed for all unicast addresses, but not for anycast

Slide 44: SLAAC - StateLess Address Auto Configuration

Link-local is already "configured"
  Well-known network id (FE80::/64)
  Interface id (modified EUI-64)
  DAD resolved any conflicts
  Neighbor communication established
Next is to find routers, networks etc.

Slide 45: Finding a router

All routers must join the multicast group All Routers (FF02::2)
Clients send a Router Solicitation (RS) query
Routers send out a Router Advertisement (RA) message
  Periodically
  In response to RS queries

Slide 46: Router advertisements

M = address via DHCPv6 (managed)
O = other options via DHCPv6

  type (134)          8 bits
  code (0)            8 bits
  checksum            16 bits
  cur hop limit       8 bits
  M | O | reserved    8 bits
  router lifetime     16 bits
  reachable time      32 bits
  retransmit timer    32 bits
  variable-length options

Slide 47: RA options

Prefix information
  Prefix and its length
  Lifetime for the prefix
Maximum Transmission Unit (MTU)
Link-layer address of the source

Slide 48: DEATH BY RA

Music by Martin Minor
Traffic dumps by Hasain Alshakarti

Slide 49: Death by RA

Do NOT route RAs
Filter RAs on switch ports that shouldn't send them (RA Guard, RFC 6105)!
All clients MUST process all RAs!

Slide 50: Secure ND

On-link only!
Do NOT route ND
Filter ND messages with hop limit < 255
Generalized TTL Security Mechanism (GTSM, RFC 5082)
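The RA format from slide 46, the ICMPv6 checksum from slide 31 and the two filtering rules from slides 49 and 50, put together. This is an added example, not code from the talk: it constructs a Router Advertisement with a correct ICMPv6 pseudo-header checksum, then applies the checks a host or a switch-side RA filter should make before trusting it (hop limit exactly 255 as GTSM requires, link-local source, type 134 / code 0, valid checksum) and a port-based accept/drop policy. The router address, announced prefix, lifetimes and port names are constructed.

```python
# Added example (not from the talk): construct a Router Advertisement with a
# correct ICMPv6 checksum, then apply the checks a host or an RA filter
# should make before trusting it. Addresses, prefix and port names are
# constructed for the example.
import struct
import ipaddress

ICMPV6, RA_TYPE, PREFIX_OPTION = 58, 134, 3
ALL_NODES = "ff02::1"
NOT_AN_RA = "not a Router Advertisement (type 134, code 0)"


def icmpv6_checksum(src: bytes, dst: bytes, msg: bytes) -> int:
    """One's-complement sum over the IPv6 pseudo-header (src, dst, length,
    zeros, next header = 58) followed by the ICMPv6 message."""
    data = src + dst + struct.pack("!I", len(msg)) + b"\x00\x00\x00" + bytes([ICMPV6]) + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src: str, prefix: str, plen: int = 64, cur_hop_limit: int = 64, managed: bool = False,
             other: bool = False, router_lifetime: int = 1800, hop_limit: int = 255) -> bytes:
    """IPv6 header + RA (type 134) carrying one Prefix Information option."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(ALL_NODES).packed
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    ra = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, cur_hop_limit, flags, router_lifetime, 0, 0)
    # Prefix Information: type 3, len 4 (8-octet units), prefix length, L|A flags,
    # valid lifetime, preferred lifetime, reserved, prefix
    ra += struct.pack("!BBBBIII16s", PREFIX_OPTION, 4, plen, 0xC0, 2592000, 604800, 0,
                      ipaddress.IPv6Address(prefix).packed)
    ra = ra[:2] + struct.pack("!H", icmpv6_checksum(s, d, ra)) + ra[4:]
    return struct.pack("!IHBB16s16s", 6 << 28, len(ra), ICMPV6, hop_limit, s, d) + ra


def check_ra(packet: bytes) -> list:
    """Reasons to reject the packet as an RA (empty list = accept)."""
    if len(packet) < 40:
        return ["truncated"]
    ver_tc_fl, plen, nh, hop_limit, src, dst = struct.unpack("!IHBB16s16s", packet[:40])
    if ver_tc_fl >> 28 != 6 or nh != ICMPV6:
        return ["not an ICMPv6-over-IPv6 packet"]
    msg = packet[40:40 + plen]
    if len(msg) < 16 or msg[0] != RA_TYPE or msg[1] != 0:
        return [NOT_AN_RA]
    problems = []
    if hop_limit != 255:
        # GTSM: an RA that crossed a router, or was crafted off-link, cannot arrive with 255
        problems.append(f"hop limit {hop_limit} != 255")
    if not (src[0] == 0xFE and src[1] & 0xC0 == 0x80):
        problems.append("source address is not link-local (fe80::/10)")
    expected = struct.unpack("!H", msg[2:4])[0]
    if icmpv6_checksum(src, dst, msg[:2] + b"\x00\x00" + msg[4:]) != expected:
        problems.append("bad ICMPv6 checksum")
    return problems


def ra_prefixes(packet: bytes) -> list:
    """Prefixes announced in a (validated) RA, as 'prefix/len' strings."""
    msg, out, off = packet[40:], [], 16
    while off + 2 <= len(msg):
        opt_type, opt_len = msg[off], msg[off + 1]
        if opt_len == 0:
            break  # zero-length option is malformed: stop parsing
        if opt_type == PREFIX_OPTION and opt_len == 4:
            out.append(f"{ipaddress.IPv6Address(msg[off + 16:off + 32])}/{msg[off + 2]}")
        off += opt_len * 8
    return out


def is_ra(packet: bytes) -> bool:
    return len(packet) >= 56 and packet[6] == ICMPV6 and packet[40] == RA_TYPE


def ra_guard(packet: bytes, ingress_port: str, router_ports: set) -> str:
    """Switch-side policy from the slide: RAs are accepted only from ports
    that are allowed to have a router behind them, and only if they pass
    check_ra; anything else carrying an RA is dropped."""
    if not is_ra(packet):
        return "forward"  # not an RA at all, none of this filter's business
    return "forward" if ingress_port in router_ports and not check_ra(packet) else "drop"


if __name__ == "__main__":
    good = build_ra("fe80::1", "2001:db8:1::")
    print(check_ra(good), ra_prefixes(good))
    print(check_ra(build_ra("fe80::1", "2001:db8:1::", hop_limit=64)))
```

Two caveats. The hop-limit check only proves the packet was not forwarded by a router; a rogue host on the same link sends with 255 as well, so it is the port policy, not GTSM, that stops "death by RA". And is_ra looks at byte 40 only, i.e. it assumes the ICMPv6 header directly follows the fixed header; an attacker can push the RA behind extension headers or into a second fragment to slip past such a filter, which is what RFC 7113 (RA-Guard implementation advice) is about.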

Slide 51: Fragmentation notes

Problems with fragmentation
  Inefficient use of resources
  Degraded performance
  Reassembly is hard
Reasons to fragment
  Path MTU (PMTU) mismatch
  The TCP/IP stack

Slide 52: Fragmentation deep-dive

"Fragmentation" by the source only!
No more "Don't fragment" flag
Minimum MTU set to 1280 bytes
If a packet is above the link MTU, an ICMPv6 Packet Too Big error is returned
Detecting the PMTU
  Start at the first-hop link MTU (never below 1280 bytes) and reduce on each Packet Too Big
  When the limit is found, store it in the DC (Destination Cache)

Slide 53: IPv6 & DNS

New (?) resource record type introduced
  www.gurka.se IN AAAA 2001:ac8:ac2::1
Reverse records (PTR)
  Arranged in "nibbles" (4 bits, one hex digit each)
  Domain namespace is ip6.arpa.
  2001:db8::20:219f:bd8c:17af is now:
  f.a.7.1.c.8.d.b.f.9.1.2.0.2.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
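The nibble format worked through in code. This is an added example, not code from the talk: it produces the ip6.arpa name for an address, reverses the process (rejecting names that are not full 32-nibble ip6.arpa names), gives the reverse-zone apex for a nibble-aligned prefix, and emits matching AAAA/PTR pairs. The host name and addresses are the slide's own; the zone prefix is constructed.

```python
# Added example (not from the talk): AAAA and nibble-format PTR records for
# the ip6.arpa tree, in both directions, plus the reverse-zone apex for a
# nibble-aligned prefix. Host names and addresses are the slide's own or
# constructed.
import ipaddress

REVERSE_SUFFIX = "ip6.arpa."


def ptr_name(addr: str) -> str:
    """Reverse the 32 hex nibbles of the full address and append ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + "." + REVERSE_SUFFIX


def address_from_ptr(name: str) -> ipaddress.IPv6Address:
    """Inverse of ptr_name; rejects names outside ip6.arpa or with the wrong nibble count."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] != ["ip6", "arpa"] or len(labels) != 34:
        raise ValueError(f"not a full ip6.arpa name: {name}")
    hexdigits = "".join(reversed(labels[:-2]))
    return ipaddress.IPv6Address(int(hexdigits, 16))


def reverse_zone(prefix: str) -> str:
    """Zone apex delegated for a prefix; the prefix length must be a multiple of 4."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("reverse delegation needs a nibble-aligned prefix (/4, /8, ... /64)")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + "." + REVERSE_SUFFIX


def zone_records(hosts: dict) -> list:
    """(owner, type, rdata) tuples: a forward AAAA and a reverse PTR per host."""
    records = []
    for fqdn, addr in hosts.items():
        records.append((fqdn, "AAAA", str(ipaddress.IPv6Address(addr))))
        records.append((ptr_name(addr), "PTR", fqdn))
    return records


if __name__ == "__main__":
    for owner, rtype, rdata in zone_records({"www.gurka.se.": "2001:ac8:ac2::1"}):
        print(f"{owner} IN {rtype} {rdata}")
    print(ptr_name("2001:db8::20:219f:bd8c:17af"))
```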

Slide 54: LLMNR - Link-Local Multicast Name Resolution

Very similar to DNS queries and responses
Sends the query on UDP port 5355 to FF02::1:3
Responses are sent by authoritative machines via unicast
Defined in RFC 4795
Separate cache, not the same as the DNS resolver or NetBT
Only for very small networks

Slide 55: Name resolution ordering

DNS
LLMNR (if not FQDN; IPv6 & IPv4)
NetBT (if not FQDN; IPv4)

Slide 56: Migration & stacks

Dual stack mode (IPv4 + IPv6)
  Most workstations are in this mode
  Windows prefers IPv6
  Make sure you have control!!
Tunneling IPv6 over IPv4
NAT64 to translate between versions

Slide 57: Tunneling

6to4 (RFC 3056)
  Requires public IPv4 endpoints
Teredo (RFC 4380)
  NAT traversal supported
  Enabled by default (teredo.ipv6.microsoft.com)
ISATAP (RFC 5214)
  Relies on a host named ISATAP (DNS lookup)
  Blocked by default in a domain (DNS global query block list)

Slide 58: Routing principles

No big changes in routing
First: host route (128 bits)
Then: longest prefix (up to 64 bits)
Last resort is the default route
RIPng, BGP4+, OSPFv3
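The lookup order on this slide as an algorithm. This is an added example, not code from the talk: a routing table sorted by prefix length so that a /128 host route beats its /64 subnet, the subnet beats the /48 aggregate, ::/0 is consulted last, and a destination that matches nothing (no default route) is reported as unroutable. Prefixes, next hops and interface names are constructed.

```python
# Added example (not from the talk): longest-prefix-match lookup in the order
# the slide gives: host route, longest matching prefix, then default.
# Routes, next hops and interface names are constructed.
import ipaddress


class RoutingTable:
    def __init__(self):
        self.routes = []  # (network, next_hop, interface)

    def add(self, prefix: str, next_hop: str, interface: str):
        net = ipaddress.IPv6Network(prefix, strict=False)
        self.routes.append((net, next_hop, interface))
        # Longest prefix first; ties keep insertion order (sort is stable).
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, dst: str):
        """First matching entry in longest-prefix order, or None if unroutable."""
        d = ipaddress.IPv6Address(dst)
        for net, next_hop, iface in self.routes:
            if d in net:
                return {"prefix": str(net), "next_hop": next_hop, "interface": iface}
        return None


def build_table() -> RoutingTable:
    rt = RoutingTable()
    rt.add("::/0", "fe80::1", "eth0")                  # default, last resort
    rt.add("2001:db8:1::/48", "fe80::2", "eth1")       # aggregate for a customer
    rt.add("2001:db8:1:10::/64", "on-link", "eth2")    # one subnet out of it
    rt.add("2001:db8:1:10::5/128", "fe80::5", "eth3")  # host route beats its own subnet
    rt.add("fe80::/10", "on-link", "eth0")
    return rt


if __name__ == "__main__":
    rt = build_table()
    for dst in ("2001:db8:1:10::5", "2001:db8:1:10::9", "2001:db8:1:99::1", "2001:db8:2::1"):
        print(dst, "->", rt.lookup(dst))
```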

Slide 59: Routing protocols

RIPng
  Still has the same problems (big networks, >15 hops)
  RFC 2080
BGP4+
  IDRP (Inter-Domain Routing Protocol) was planned but replaced via RFC 2545 (Multiprotocol extensions for BGP-4)
OSPFv3
  Routers still identified by 32-bit numbers, notated like "IPv4" addresses
  RFC 2740 (since obsoleted by RFC 5340)

Slide 60: Main advantages summarized

More efficient address space allocation
End-to-end addressing
No more fragmentation by routers (only by the source)
Routers do not need to compute header checksums
Multicasting instead of broadcasting
One control protocol (ICMPv6)
Auto-configuration
Modular headers
Security built in (IPsec: AH, ESP)

Slide 61: DHCP, DNS, IPAM, IPCONFIG

Again the same tools, only with some new menus.

Slide 62: Learning more!

www.tunnelbroker.net
  Learning-based reward system
  Pretty good hands-on experience
www.gogo6.com
  Very good free tunneling
  Forums
  Reference materials

Slide 63: Myth: Cannot remember addresses!

Use DNS
Manual configuration gives easy addresses
Use compact notation
Example: 2001:2ac:f000::ff01 (18 chars) or 192.168.10.50 (13 chars)

Slide 64: Myth: I do not need it!

IPv6 is already here
Uncontrolled IPv6 is a security risk

Slide 65: Related content

WCL324: IPv6 Bootcamp: Get up to speed quickly
WSV06-TLC: Windows Server 2008 Networking
Windows Server 2012 Networking @ Tuesday 12:30 PM - 3:30 PM
Windows Server 2012 Networking @ Thursday 10:30 AM - 12:30 PM

Slide 66: SIA, WSV, and VIR track resources

DOWNLOAD Windows Server 2012 Release Candidate: microsoft.com/windowsserver
#TEWSV410
DOWNLOAD Microsoft System Center 2012 Evaluation: microsoft.com/systemcenter
Hands-On Labs
Talk to our Experts at the TLC

Slide 67: Resources

Connect. Share. Discuss.
http://europe.msteched.com

Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning

TechNet
Resources for IT Professionals
http://microsoft.com/technet

Resources for Developers
http://microsoft.com/msdn

Slide 68: Evaluations

http://europe.msteched.com/sessions
Submit your evals online

Slide 69

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.