Getting Started with IPv6: A toe-dip into the volatile world of IPv6 transitions
Tanner, 04.29.2011

Goals and Status
GOAL: Get IPv6 dual-stack running on a lab/home network and connect to the IPv6 internet.
STATUS:
  • IPv4 Exhaustion Timeline
  • IPv6 Today: Google, Microsoft, Apple, Netflix, Cisco, Facebook, Gov’t Agencies
  • Service Provider Plan
  • Enterprise Plan

IPv4 Exhaustion Schedule
IPv6 Mechanics
Advantages
  • Lots of Addresses
  • Automatic IP Address Configuration
  • Duplicate Address Detection (DAD)
  • Only available option post-IPv4
Disadvantages
  • Still disagreements on implementation / transition methods
  • Immature device / OS / application support
  • Remembering long addresses

IPv6 Building Blocks
  • Interface Addressing: Manual, SLAAC, DHCPv6
      Link Local
      Routable: 2002:d82a:3bcc:deff:baca:3f97:872d:d00d/64
  • DNS: Increased reliance due to lengthy addresses; AAAA (“Quad A”) Records
  • ICMPv6: Neighbor Discovery
  • Routing: EIGRPv6, OSPFv3

IPv6 Addressing
2002:adb8:85a3:af90:b8b8:8a2e:1773:ff31/64
  • 8 x 16-bits separated by a : (colon)
  • Prefix length in CIDR format, NOT 255.255.255.255.255.255.255.255.0.0.0.0.0.0.0.0
  • Each interface has a:
      Link local address
      Routable address: [Modified] EUI-64, Auto w/privacy extensions, Manual
  • Neighbor Discovery: Heavy use of ICMP and Multicast

IPv6 Subnetting
[Figure: 2001:0DB8:0800:3333:AAAA:BBBB:CCCC:DDDD divided into Network/Subnet portion and Host portion, with the # of bits (16, 4, 8) and CIDR boundaries /16, /48, /64, /120, /128]

Key Prefixes
Prefix Sizes
1 Assumes using the “standard” allocation of /64 for all links and segments
Comparison Table
Transition Technologies
  • Dual stack
  • NAT: NAT64 & DNS64 / NAT46 / NAT44 / NAT66 / NAT-PT / CGNAT / NAT444 / NAT464 / DS-Lite
  • Tunnels: 6to4 (RFC 3056), 6in4, ISATAP (RFC 5214), GRE/IPv6 over DMVPN, 6rd, LISP
  • Reverse Proxy/Load Balancers

Current Final State
Transitional Transitional
Dual Stack Transition Plan
  • Make sure there are no DNS AAAA records
      Alternate: Disable IPv6 on all devices
  • Enable IPv6 in core, then firewall, then internet router
  • Enable select DMZ servers / inside clients

DNSv6 and DNS64 Name Resolution
IPv4
  set type=a
  www.comcast6.net
  Address:  68.87.29.36
IPv6
  set type=aaaa
  www.comcast6.net
  Address:  2001:558:1002:4:68:87:29:36
DNS64
  IPv6 client makes DNS AAAA query, DNS64 gateway translates IPv4 response to AAAA format

DHCPv6
  • Client detects presence of routers on the link using Router Solicitation
  • Uses link-local address as the source IP
  • No gateway needed. Learned from RA’s.

IPv6 Attacks
  • IPv6 NDP Exhaustion
      Configuring /64’s per subnet is akin to configuring an IPv4 /8 on a LAN
      Allocate /64, Configure a /120
      Breaks SLAAC
  • Ping/Ping or Ping/Pong attack
  • ND vulnerabilities
      ICMP must be open to inside hosts
  • Dual Stack Hosts – IPv6 may not be locked down

Additional Resources
Books
  • Deploying IPv6 in WAN/Branch Networks
  • Cisco Deploying IPv6 Networks
  • Cisco Global IPv6 Strategies
  • ARIN IPv6 Wiki
  • Measuring IPv6 Adoption
  • www.cisco.com/go/ipv6
  • Cisco IOS IPv6 Configuration Guide
  • http://ipv6.he.net/certification/index.php
  • http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
  • http://www.potaroo.net/ispcol/2011-02/transtools-part1.html
  • http://www.potaroo.net/ispcol/2011-03/transtools-part2.html
  • http://www.openwall.com/presentations/IPv6/index.html
  • http://blogs.cisco.com/security/ipv6-whats-new/
  • http://owend.corp.he.net/ipv6/
  • http://www.infoblox.com/ipv6wp
  • http://test-ipv6.com
  • http://www.deepspace6.net/projects/ipv6calc.html
  • ipv6forum.com

APPENDIX A Device Configuration Examples
IPv6 Internet Access (Step 1)
  • Dual Stack ISP: Request dual stack support from ISP
  or
  • IPv6 Tunnel Broker: Sign up for free IPv6 tunnel broker service (tunnelbroker.net from Hurricane Electric)

Cisco Router Security (IPv4) (Step 2)
Access List

ip access-list extended ACL-OUTSIDE-IN
 remark --- Allow IPv6 Tunnel Broker
 permit icmp host 66.220.2.74 any echo
 permit 41 host 216.218.226.238 any
 permit …
 deny ip any any log
interface F4
 description Internet Interface
 ip access-group ACL-OUTSIDE-IN in

  • IP Protocol 41 is reserved for IPv6 encapsulation
  • IP will change depending on IPv6 broker endpoint used

Cisco Router Configuration (IP) (Step 3)

ipv6 unicast-routing
ipv6 cef
interface Tu0
 description IPv6 Internet
 ipv6 enable
 ! Assigned from HE
 ipv6 address 2001:DB8:F::2/64
 ! Internet Interface
 tunnel source F4
 ! IPv6 Broker Endpoint
 tunnel destination 216.218.226.238
 ! IPv6 Encapsulated in IPv4
 tunnel mode ipv6ip
interface G0
 description LAN Segment
 ! IP from /48 allocation
 ipv6 address 2001:DB8:1::1/64
 ipv6 address 2001:DB8:1::/64 EUI-64
 ipv6 enable
! IPv6 default route
ipv6 route ::/0 Tu0

Cisco Router IP Autoconfig

IPV6-Router# sh ipv6 int
GigabitEthernet0 is up, line protocol is up
  [Hardware is PQII_PRO_UEC, address is 68EF.BD61.4D13]
  IPv6 is enabled, link-local address is FE80::6AEF:BDFF:FE61:4D13
  No Virtual link-local address(es):
  Stateless address autoconfig enabled
  Global unicast address(es):
    2001:DB8:1:0:6AEF:BDFF:FE61:4D13, subnet is 2001:DB8:1::/64 [EUI/CAL/PRE]
      valid lifetime 2591835 preferred lifetime 604635
  Joined group address(es):
    FF02::1
    FF02::1:FF61:4D13
  MTU is 1500 bytes
  …
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  Default router is FE80::215:C6FF:FE53:9EC8 on GigabitEthernet0

Callouts:
  • Interface MAC
  • EUI-64 Insertion
  • U/L bit flip
  • Learned via ND from upstream router
  • All IPv6 nodes, link local
  • Solicited node addr for replies
  • Link local addr used for next hop

Cisco Router Security (IPv6) (Step 4)

Access List

ipv6 access-list ACL-IPV6-IN
 remark --- Block AfriNIC/APNIC
 deny ipv6 2001:4200::/23 any
 deny ipv6 2C00:0000::/12 any
 deny ipv6 2001:0200::/23 any
 deny ipv6 2001:0C00::/23 any
 deny ipv6 2001:0E00::/23 any
 deny ipv6 2001:4400::/23 any
 deny ipv6 2001:8000::/19 any
 deny ipv6 2001:A000::/20 any
 deny ipv6 2001:B000::/20 any
 deny ipv6 2400:0000::/12 any
 remark --- Allow Neighbor Discovery
 permit icmp any any nd-na
 permit icmp any any nd-ns
 remark --- Block everything else
 deny ipv6 any any log
interface Tunnel0
 ipv6 traffic-filter ACL-IPV6-IN in

IOS Firewall (CBAC)

ipv6 inspect alert-off
ipv6 inspect routing-header
ipv6 inspect max-incomplete low 100
ipv6 inspect max-incomplete high 200
ipv6 inspect one-minute low 100
ipv6 inspect one-minute high 200
ipv6 inspect udp idle-time 15
ipv6 inspect tcp idle-time 1800
ipv6 inspect tcp finwait-time 1
ipv6 inspect tcp synwait-time 15
ipv6 inspect tcp max-incomplete host 500 block-time 0
ipv6 inspect name FW1 ftp
ipv6 inspect name FW1 tcp
ipv6 inspect name FW1 udp
ipv6 inspect name FW1 icmp
interface G0
 ipv6 inspect FW1 in
 ipv6 inspect FW1 out

Windows Server Configuration (Step 5a)
  • Manually Configure Server IP Address
  • DHCPv6 scope created with local fc00 addressing (ULA) (Optional)
  • View of DNS A and AAAA Record

Windows 7 Configuration (Step 5b)
  • Enable IPv6
  • Disable IPv6 tunnels (6to4, isatap, teredo)
  • Prefer IPv4 over IPv6 during transition (KB929852)

LAN Network Connection:
   Physical Address. . . . . . . . . : 00-22-68-1A-E1-4C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:db8:1::222:68ff:fe1a:e14c(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:db8:1::a1fd:f339:f800:f7ff(Preferred)
   Link-local IPv6 Address . . . . . : fe80::688f:1818:28fc:f11e%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.16.0.122(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.0.1
   DHCP Server . . . . . . . . . . . : 172.16.0.10
   DHCPv6 IAID . . . . . . . . . . . : 218112349
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-C0-65-37-00-23-54-66-DF-67
   DNS Servers . . . . . . . . . . . : 2001:db8:1::10
                                       172.16.0.10

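The EUI-64 insertion and U/L bit flip called out in the router output, and the three IPv6 address types in the Windows 7 ipconfig output, worked through in Python. This is an added example, not part of the original slides; the function names are illustrative, and the MACs and addresses are the ones shown on the slides.

```python
"""Modified EUI-64 interface identifiers: derive them from a MAC and spot them
in observed addresses. Added illustration; function names are hypothetical."""
import ipaddress
from typing import Dict, List, Optional

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address = interface identifier


def _mac_bytes(mac: str) -> bytearray:
    """Accept 68EF.BD61.4D13, 00-22-68-1A-E1-4C or 00:22:68:1a:e1:4c."""
    digits = "".join(ch for ch in mac if ch not in ".-:")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytearray.fromhex(digits)  # raises ValueError on non-hex input


def eui64_interface_id(mac: str) -> int:
    """Insert FF:FE between the OUI and NIC halves, then flip the U/L bit."""
    b = _mac_bytes(mac)
    b[0] ^= 0x02  # U/L bit: 0x68 -> 0x6A, 0x00 -> 0x02
    return int.from_bytes(bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:]), "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host forms from a /64 prefix when it uses EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface ID needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def solicited_node(addr: ipaddress.IPv6Address) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX group built from the low 24 bits of the address."""
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | (int(addr) & 0xFFFFFF))


def embedded_mac(address: str) -> Optional[str]:
    """Return the MAC an address exposes if its interface ID has the EUI-64
    shape (FF:FE in the middle), else None. This is a heuristic: a random
    interface ID matches by chance about once in 65536."""
    addr = ipaddress.IPv6Address(address.split("%")[0].split("/")[0])
    iid = (int(addr) & IID_MASK).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the U/L bit flip
    return "-".join(f"{octet:02X}" for octet in mac)


# Addresses copied from the router and Windows 7 outputs on the slides.
OBSERVED = [
    "FE80::6AEF:BDFF:FE61:4D13",        # router link-local
    "2001:DB8:1:0:6AEF:BDFF:FE61:4D13",  # router global unicast
    "FE80::215:C6FF:FE53:9EC8",         # router's default router
    "2001:db8:1::222:68ff:fe1a:e14c",   # Windows 7 "IPv6 Address"
    "2001:db8:1::a1fd:f339:f800:f7ff",  # Windows 7 temporary address
    "fe80::688f:1818:28fc:f11e%12",     # Windows 7 link-local
]


def audit(addresses: List[str]) -> Dict[str, Optional[str]]:
    """Map each address to the hardware address it reveals, or None."""
    return {a: embedded_mac(a) for a in addresses}


if __name__ == "__main__":
    print(slaac_address("fe80::/64", "68EF.BD61.4D13"))
    print(solicited_node(slaac_address("2001:db8:1::/64", "68EF.BD61.4D13")))
    for address, mac in audit(OBSERVED).items():
        print(f"{address:36} {mac or 'no EUI-64 pattern'}")
```

Run over the slide values, the Windows 7 temporary and link-local addresses expose no hardware address, while the router addresses and the Windows 7 "IPv6 Address" each map back to an interface MAC.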
Mac OS X Step 5c
OS Support Comparison
1 Feature supported in IOS 12.4(24)T and later.
2 EUI-64 capability disabled by default. Privacy extensions must be disabled to use.
3 Privacy extensions disabled by default.

Test Connectivity (Step 6)
Ping Test

c:\> ping ipv6.google.com
Pinging ipv6.l.google.com [2001:4860:800d::63] with 32 bytes of data:
  Reply from 2001:4860:800d::63: time=45ms
  Reply from 2001:4860:800d::63: time=42ms

Web Test

APPENDIX B Restrictions, Caveats, Considerations, and Tools
Platform Limitations
  • Does your L3 switch support hardware-based forwarding for IPv6?

Application Compatibility
  • Do log parsing applications recognize IPv6? Syslog, etc.
  • IP address calculation formulas in spreadsheets
  • IP-enabled A/V equipment
  • Network Video Recording software

Cisco Notes
  • 3560/3750: sdm prefer dual-ipv4-and-ipv6 default
  • Others: ipv6 mld snooping
  • IPv6 CEF disabled by default
  • IPv6 will use resources from the IPv4 pool

Tools

stealthyb@nms2:~$ sudo aptitude install sipcalc
stealthyb@nms2:~$ sipcalc 2001:db8:1::/48
-[ipv6 : 2001:db8:1::/48] - 0

[IPV6 INFO]
Expanded Address        - 2001:0db8:0001:0000:0000:0000:0000:0000
Compressed address      - 2001:db8:1::
Subnet prefix (masked)  - 2001:db8:1:0:0:0:0:0/48
Address ID (masked)     - 0:0:0:0:0:0:0:0/48
Prefix address          - ffff:ffff:ffff:0:0:0:0:0
Prefix length           - 48
Address type            - Aggregatable Global Unicast Addresses
Network range           - 2001:0db8:0001:0000:0000:0000:0000:0000 -
                          2001:0db8:0001:ffff:ffff:ffff:ffff:ffff

Getting Started with IPv6: A toe-dip into the volatile world of IPv6 transitions

  • 1. A toe-dip into the volatile world of IPv6 transitions Getting Started with IPv6 Tanner 04.29.2011
  • 2. Goals and Status GOAL Get IPv6 dual-stack running on a lab/home network and connect to the IPv6 internet. STATUS IPv4 Exhaustion Timeline IPv6 Today Google, Microsoft, Apple, Netflix, Cisco, Facebook, Gov’t Agencies Service Provider Plan Enterprise Plan
  • 4. Advantages Lots of Addresses Automatic IP Address Configuration Duplicate Address Detection (DAD) Only available option post-IPv4 Still disagreements on implementation / transition methods Immature device / OS / application support Remembering long addresses IPv6 Mechanics Disadvantages
  • 5. Interface Addressing Manual SLAAC DHCPv6 Link Local DNS Increased reliance due to lengthy addresses AAAA (“Quad A”) Records IPv6 Building Blocks Routable 2002:d82a:3bcc:deff:baca:3f97:872d:d00d/64 ICMPv6 Neighbor Discovery Routing EIGRPv6, OSPFv3
  • 6. IPv6 Addressing 2002:adb8:85a3:af90:b8b8:8a2e:1773:ff31/64 8 x 16-bits separated by a :(colon) Prefix length in CIDR format NOT255.255.255.255.255.255.255.255.0.0.0.0.0.0.0.0 Each interface has a: Link local address Routable address [Modified] EUI-64 Auto w/privacy extensions Manual Neighbor Discovery Heavy use of ICMP and Multicast
  • 7. IPv6 Subnetting # of bits Host portion 16 4 8 2001:0DB8:0800:3333:AAAA:BBBB:CCCC:DDDD /16 Network/Subnet portion /48 /64 /120 /128 CIDR
  • 9. Prefix Sizes 1Assumes using the “standard” allocation of /64 for all links and segments
  • 11. Transition Technologies. Dual stack. NAT: NAT64 & DNS64 / NAT46 / NAT44 / NAT66 / NAT-PT / CGNAT / NAT444 / NAT464 / DS-Lite. Tunnels: 6to4 (RFC 3056), 6in4, ISATAP (RFC 5214), GRE/IPv6 over DMVPN, 6rd, LISP. Reverse Proxy/Load Balancers.
  • 14. Dual Stack Transition Plan. Make sure there are no DNS AAAA records (Alternate: Disable IPv6 on all devices). Enable IPv6 in core, then firewall, then internet router. Enable select DMZ servers / inside clients.
  • 15. DNSv6 and DNS64 Name Resolution. IPv4: set type=a, www.comcast6.net, Address: 68.87.29.36. IPv6: set type=aaaa, www.comcast6.net, Address: 2001:558:1002:4:68:87:29:36. DNS64: IPv6 client makes DNS AAAA query, DNS64 gateway translates IPv4 response to AAAA format.
  • 16. DHCPv6. Client detects presence of routers on the link using Router Solicitation. Uses link-local address as the source IP. No gateway needed; learned from RAs.
  • 17. IPv6 Attacks. IPv6 NDP Exhaustion: Configuring /64’s per subnet is akin to configuring an IPv4 /8 on a LAN. Allocate /64, configure a /120 (breaks SLAAC). Ping/Ping or Ping/Pong attack. ND vulnerabilities. ICMP must be open to inside hosts. Dual Stack Hosts: IPv6 may not be locked down.
  • 18. Additional Resources Books Deploying IPv6 in WAN/Branch Networks Cisco Deploying IPv6 Networks Cisco Global IPv6 Strategies ARIN IPv6 Wiki Measuring IPv6 Adoption www.cisco.com/go/ipv6 Cisco IOS IPv6 Configuration Guide http://ipv6.he.net/certification/index.php http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml http://www.potaroo.net/ispcol/2011-02/transtools-part1.html http://www.potaroo.net/ispcol/2011-03/transtools-part2.html http://www.openwall.com/presentations/IPv6/index.html http://blogs.cisco.com/security/ipv6-whats-new/ http://owend.corp.he.net/ipv6/ http://www.infoblox.com/ipv6wp http://test-ipv6.com http://www.deepspace6.net/projects/ipv6calc.html ipv6forum.com
  • 19. APPENDIX A Device Configuration Examples
  • 20. IPv6 Internet Access, Step 1. Dual Stack ISP: Request dual stack support from ISP. Or IPv6 Tunnel Broker: Sign up for free IPv6 tunnel broker service (tunnelbroker.net from Hurricane Electric).
  • 22. IP Protocol 41 is reserved for IPv6 encapsulation. IP will change depending on IPv6 broker endpoint used.
  • 23. Cisco Router Configuration (IP), Step 3
      ipv6 unicast-routing
      ipv6 cef
      interface Tu0
       description IPv6 Internet
       ipv6 enable
       ! Assigned from HE
       ipv6 address 2001:DB8:F::2/64
       ! Internet Interface
       tunnel source F4
       ! IPv6 Broker Endpoint
       tunnel destination 216.218.226.238
       ! IPv6 Encapsulated in IPv4
       tunnel mode ipv6ip
      interface G0
       description LAN Segment
       ! IP from /48 allocation
       ipv6 address 2001:DB8:1::1/64
       ipv6 address 2001:DB8:1::/64 EUI-64
       ipv6 enable
      ! IPv6 default route
      ipv6 route ::/0 Tu0
  • 24. Cisco Router IP Autoconfig
      IPV6-Router# sh ipv6 int
      GigabitEthernet0 is up, line protocol is up [Hardware is PQII_PRO_UEC, address is 68EF.BD61.4D13]
        IPv6 is enabled, link-local address is FE80::6AEF:BDFF:FE61:4D13
        No Virtual link-local address(es):
        Stateless address autoconfig enabled
        Global unicast address(es):
          2001:DB8:1:0:6AEF:BDFF:FE61:4D13, subnet is 2001:DB8:1::/64 [EUI/CAL/PRE]
            valid lifetime 2591835 preferred lifetime 604635
        Joined group address(es):
          FF02::1
          FF02::1:FF61:4D13
        MTU is 1500 bytes
        …
        ND DAD is enabled, number of DAD attempts: 1
        ND reachable time is 30000 milliseconds (using 30000)
        Default router is FE80::215:C6FF:FE53:9EC8 on GigabitEthernet0
    Slide callouts: Interface MAC; EUI-64 Insertion; U/L bit flip; Learned via ND from upstream router; All IPv6 nodes, link local; Solicited node addr for replies; Link local addr used for next hop.
  • 25. Cisco Router Security (IPv6), Step 4
    Access List:
      ipv6 access-list ACL-IPV6-IN
       remark --- Block AfriNIC/APNIC
       deny ipv6 2001:4200::/23 any
       deny ipv6 2C00:0000::/12 any
       deny ipv6 2001:0200::/23 any
       deny ipv6 2001:0C00::/23 any
       deny ipv6 2001:0E00::/23 any
       deny ipv6 2001:4400::/23 any
       deny ipv6 2001:8000::/19 any
       deny ipv6 2001:A000::/20 any
       deny ipv6 2001:B000::/20 any
       deny ipv6 2400:0000::/12 any
       remark --- Allow Neighbor Discovery
       permit icmp any any nd-na
       permit icmp any any nd-ns
       remark --- Block everything else
       deny ipv6 any any log
      interface Tunnel0
       ipv6 traffic-filter ACL-IPV6-IN in
    IOS Firewall (CBAC):
      ipv6 inspect alert-off
      ipv6 inspect routing-header
      ipv6 inspect max-incomplete low 100
      ipv6 inspect max-incomplete high 200
      ipv6 inspect one-minute low 100
      ipv6 inspect one-minute high 200
      ipv6 inspect udp idle-time 15
      ipv6 inspect tcp idle-time 1800
      ipv6 inspect tcp finwait-time 1
      ipv6 inspect tcp synwait-time 15
      ipv6 inspect tcp max-incomplete host 500 block-time 0
      ipv6 inspect name FW1 ftp
      ipv6 inspect name FW1 tcp
      ipv6 inspect name FW1 udp
      ipv6 inspect name FW1 icmp
      interface G0
       ipv6 inspect FW1 in
       ipv6 inspect FW1 out
  • 26. Windows Server Configuration, Step 5a: Manually Configure Server IP Address; DHCPv6 scope created with local fc00 addressing (ULA) (Optional); View of DNS A and AAAA Record.
  • 27. Windows 7 Configuration, Step 5b. Enable IPv6. Disable IPv6 tunnels (6to4, isatap, teredo). Prefer IPv4 over IPv6 during transition (KB929852).
      LAN Network Connection:
         Physical Address. . . . . . . . . : 00-22-68-1A-E1-4C
         DHCP Enabled. . . . . . . . . . . : Yes
         Autoconfiguration Enabled . . . . : Yes
         IPv6 Address. . . . . . . . . . . : 2001:db8:1::222:68ff:fe1a:e14c(Preferred)
         Temporary IPv6 Address. . . . . . : 2001:db8:1::a1fd:f339:f800:f7ff(Preferred)
         Link-local IPv6 Address . . . . . : fe80::688f:1818:28fc:f11e%12(Preferred)
         IPv4 Address. . . . . . . . . . . : 172.16.0.122(Preferred)
         Subnet Mask . . . . . . . . . . . : 255.255.255.0
         Default Gateway . . . . . . . . . : 172.16.0.1
         DHCP Server . . . . . . . . . . . : 172.16.0.10
         DHCPv6 IAID . . . . . . . . . . . : 218112349
         DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-C0-65-37-00-23-54-66-DF-67
         DNS Servers . . . . . . . . . . . : 2001:db8:1::10
                                             172.16.0.10
  • 28. Mac OS X Step 5c
  • 29. OS Support Comparison. Footnotes: (1) Feature supported in IOS 12.4(24)T and later. (2) EUI-64 capability disabled by default. Privacy extensions must be disabled to use. (3) Privacy extensions disabled by default.
  • 30. Test Connectivity, Step 6. Ping Test:
      c:\> ping ipv6.google.com
      Pinging ipv6.l.google.com [2001:4860:800d::63] with 32 bytes of data:
      Reply from 2001:4860:800d::63: time=45ms
      Reply from 2001:4860:800d::63: time=42ms
    Web Test
  • 31. APPENDIX B Restrictions, Caveats, Considerations, and Tools
  • 32. Platform Limitations. Does your L3 switch support hardware-based forwarding for IPv6?
  • 33. Application Compatibility. Do log parsing applications recognize IPv6? Syslog, etc. IP address calculation formulas in spreadsheets. IP-enabled A/V equipment. Network Video Recording software.
  • 34. Cisco Notes. 3560/3750: sdm prefer dual-ipv4-and-ipv6 default. Others: ipv6 mld snooping. IPv6 CEF disabled by default. IPv6 will use resources from the IPv4 pool.
  • 35. Tools
      stealthyb@nms2:~$ sudo aptitude install sipcalc
      stealthyb@nms2:~$ sipcalc 2001:db8:1::/48
      -[ipv6 : 2001:db8:1::/48] - 0
      [IPV6 INFO]
      Expanded Address - 2001:0db8:0001:0000:0000:0000:0000:0000
      Compressed address - 2001:db8:1::
      Subnet prefix (masked) - 2001:db8:1:0:0:0:0:0/48
      Address ID (masked) - 0:0:0:0:0:0:0:0/48
      Prefix address - ffff:ffff:ffff:0:0:0:0:0
      Prefix length - 48
      Address type - Aggregatable Global Unicast Addresses
      Network range - 2001:0db8:0001:0000:0000:0000:0000:0000 - 2001:0db8:0001:ffff:ffff:ffff:ffff:ffff
  • 36. Q&A. Q: How do I specify a port in an IPv6 URL? A: http://[2001:db8::dade:55]:8080/ Q: What are the group of addresses called in between each : (colon)? A: Depending on your source, they can be called “fields”, “groups”, “quads”, “hextets”, or “hexadecatet”.
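
Slides 11 and 27 name 6to4, ISATAP and Teredo as transition tunnels to disable on clients, and slide 33 asks whether log tooling recognizes IPv6. The Python below is an added example, not part of the original deck: it classifies IPv6 addresses found in log lines and recovers the IPv4 address embedded in tunnel addresses. The function names and the log format are assumptions and the log lines are constructed; the 6to4 address is the one from slide 5.

```python
import ipaddress
import re

SIXTOFOUR = ipaddress.ip_network("2002::/16")   # 6to4, RFC 3056
TEREDO = ipaddress.ip_network("2001::/32")      # Teredo, RFC 4380
ISATAP_IIDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")  # ISATAP, RFC 5214


def classify(text):
    """Return (kind, embedded IPv4 or None) for one IPv6 address string."""
    addr = ipaddress.IPv6Address(text.split("%")[0])  # drop a zone id such as %12
    raw = addr.packed
    if addr in SIXTOFOUR:
        return "6to4", ipaddress.IPv4Address(raw[2:6])
    if addr in TEREDO:
        # Teredo stores the client's IPv4 address bit-inverted in the last 32 bits.
        return "teredo", ipaddress.IPv4Address(bytes(b ^ 0xFF for b in raw[12:16]))
    if raw[8:12] in ISATAP_IIDS:
        return "isatap", ipaddress.IPv4Address(raw[12:16])
    if addr.is_link_local:
        return "link-local", None
    return "native", None


def find_tunnel_addresses(lines):
    """Scan log lines; return [(kind, IPv6 text, embedded IPv4 text), ...]."""
    hits = []
    for line in lines:
        for token in re.split(r"[\s=\[\],]+", line):
            try:
                kind, v4 = classify(token)
            except ValueError:      # token is not an IPv6 address
                continue
            if v4 is not None:
                hits.append((kind, token, str(v4)))
    return hits


# Constructed sample log lines (the format is hypothetical).
SAMPLE_LOG = [
    "12:00:01 permit src=2001:db8:1::222:68ff:fe1a:e14c dst=2001:db8:1::10",
    "12:00:02 permit src=2002:d82a:3bcc:deff:baca:3f97:872d:d00d dst=2001:db8:1::10",
    "12:00:03 permit src=2001:0:4136:e378:8000:63bf:3fff:fdd2 dst=2001:db8:1::10",
    "12:00:04 permit src=fe80::5efe:c000:20a dst=ff02::2",
    "12:00:05 permit src=fe80::688f:1818:28fc:f11e%12 dst=ff02::1:ff00:10",
]

if __name__ == "__main__":
    for kind, v6, v4 in find_tunnel_addresses(SAMPLE_LOG):
        print(f"{kind:7} {v6} carries IPv4 {v4}")
```

On a network where the tunnels were supposed to be disabled, any hit from this scan points at a host that is still reaching IPv6 through a path the IPv4 firewall policy may not cover.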

Editor's Notes

  1. Watch IPv4 Addresses run out: http://www.potaroo.net/tools/ipv4/index.html IPv4 Internet: www.google.com, www.microsoft.com, www.*.com. IPv6 Internet: v6.cisco.com, ipv6.google.com.
  2. APNIC only has the remaining /8 from the trigger IANA release. They will be
  3. Also in the Cisco world, CLI output of IPv6 features is ugly (lacks readability) compared to the IPv4 counterparts. For example: show ip interface brief vs show ipv6 interface brief; show ip eigrp neighbors vs show ipv6 eigrp neighbors.
  4. DHCPv6: http://technet.microsoft.com/en-us/magazine/2007.03.cableguy.aspx Options include DNS server IP, domain name, NTP server, etc. DNS (RFC3484): A client may show preference for DNS AAAA (IPv6) records over IPv4 and thus attempt to connect to the destination server via IPv6. IPv6 makes heavy use of ICMP multicast/unicast messages, which must be allowed via ACLs.
  5. Routable addresses can be either local (think RFC1918 private IP’s) or global (public IP address). RFC4941: Privacy Extensions for Stateless Address Autoconfiguration in IPv6. Keep IP for 1-7 days. Q: How do L2 switches handle IPv6 addresses? A: L2 switches are only looking at the SMAC/DMAC so IPv6 addressing is transparent to them. Exceptions to this would be a QoS or VACL/PACL applied to the interface examining L3/L4 portions of the header.
  6. 1 base-2 binary position = 2 bits (e.g., 0 or 1). 1 base-16 hex position = 4 bits (e.g., 0-9, A-F). In other words, it takes 4 binary positions (2^4) to represent 16 unique values (0-9 and A-F) per position. http://en.wikipedia.org/wiki/IPv6_subnetting_reference
  7. See http://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xml for details on multicast address space. IPv4 has a documentation prefix as well (see RFC5737): 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), and 203.0.113.0/24 (TEST-NET-3).
  8. /64 prefix: 128 bits = 64 for network and 64 for host. Why prefix lengths in increments of 8? Because then your IPv6 address fits nicely within the : boundaries. /48 = 2001:1 Format: [Global:ISP:Org:Subnet:Host:Host:Host:Host]. /56 = 2001:1:1 Format: [Global:ISP:ISP:(Org & Subnet):Host:Host:Host:Host]. /64 = 2001:1:1:1 Format: [Global:ISP:ISP:Subnet:Host:Host:Host:Host]. Some equipment may have issues assigning a mask other than /64. /64 required for automatic IP address configuration. Prefix examples: /48, /64, /120.
  9. IPv6 NDP allows host & router/gateway discovery. Cisco and Windows-based commands shown. Stateless Address AutoConfiguration (SLAAC) uses Modified EUI-64 or Privacy Extensions (RFC4941/Microsoft).
  10. IPv6 Only. Dual Stack: Recommended approach. Tunnel: IPv4 or MPLS. See Basic Transition Mechanisms for IPv6 Hosts and Routers (RFC4213). 6to4 Tunnels (RFC 3056): 2002:IPv4::/48 IPv6 Range. Route 2002::/16 to tunnel interface.
  11. NAT-PT is the only transition NAT protocol supported in most Cisco devices today, but it is generally regarded as obsolete. http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-nat_trnsln_ps6350_TSD_Products_Configuration_Guide_Chapter.html That leaves no good options to NAT IPv4 addresses to IPv6 addresses.
  12. The popular solution today is end-to-end dual stack configuration where an end node runs both IPv4 and IPv6. With Cisco, only the ASR 1000 series router supports NAT64 today. Juniper supports stateful NAT64 today. NAT64 gateway for Linux: http://ecdysis.viagenie.ca/
  13. IPv6 Native Dual Stack Over DOCSIS. Comcast: IPv6 Native Dual Stack for users (January 31, 2011). Content natively over both IPv6 and IPv4. Allocating 18,446,744,073,709,551,616 (18 quintillion) per user (/64).
  14. Notable Notes: If you have IPv6 and IPv4 enabled on your machine, IPv6 (and DNSv6) will be preferred. Websites already set up for IPv6:
      c:\ruby>ping www.comcast6.net
      Pinging www.comcast6.g.comcast.net [2001:558:1004:9:69:242:76:78] with 32 bytes of data:
      c:\ruby>ping ipv6.google.com
      Pinging ipv6.l.google.com [2001:4860:b006::68] with 32 bytes of data:
  15. Not all clients support DHCPv6, opting to support SLAAC only. DHCP-PD: Allows you to delegate a prefix which may contain multiple subnets to a router that can assign subnets on LAN segments.
  16. http://inconcepts.biz/~jsw/IPv6_NDP_Exhaustion.pdf https://wikispaces.psu.edu/download/attachments/15162205/Cisco+IPv6+security+slide.pdf?version=1&modificationDate=1251830658000
  17. List of IPv6 Tunnel Brokers: http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
  18. See RFC 2473 and RFC 3056 for IPv6 tunnel encapsulation information
  19. IGP just uses link local address. No need for global IP address on interface. IPv6 management done by an IPv6 loopback. To verify IPv6 configuration, use:
      show ipv6 interface brief
      show ipv6 router discovery
  20. EUI = Extended Unique Identifier. For more details, see http://packetlife.net/blog/2008/aug/4/eui-64-ipv6/ Solicited-node address: The solicited-node address facilitates efficient querying of network nodes during address resolution. In IPv4, the ARP Request frame is sent to the MAC-level broadcast, disturbing all nodes on the network segment, including those that are not running IPv4. IPv6 uses the Neighbor Solicitation message to perform address resolution. However, instead of using the local-link scope all-nodes address as the Neighbor Solicitation message destination, which would disturb all IPv6 nodes on the local link, the solicited-node multicast address is used. The solicited-node multicast address consists of the prefix FF02::1:FF00:0/104 and the last 24 bits of the IPv6 address that is being resolved. For example, for the node with the link-local IPv6 address of FE80::2AA:FF:FE28:9C5A, the corresponding solicited-node address is FF02::1:FF28:9C5A. To resolve the FE80::2AA:FF:FE28:9C5A address to its link layer address, a node sends a Neighbor Solicitation message to the solicited-node address of FF02::1:FF28:9C5A. The node that is using the address of FE80::2AA:FF:FE28:9C5A is listening for multicast traffic at the solicited-node address and, for interfaces that correspond to a physical network adapter, has registered the corresponding multicast address with the network adapter. The result of using the solicited-node multicast address is that address resolution, which commonly occurs on a link, is not required to use a mechanism that disturbs all network nodes. In fact, very few nodes are disturbed during address resolution. In practice, because of the relationship between the Ethernet MAC address, the IPv6 interface ID, and the solicited-node address, the solicited-node address acts as a pseudo-unicast address for very efficient address resolution. http://technet.microsoft.com/en-us/library/cc781068%28WS.10%29.aspx Routers join the “All Routers” multicast group FF02::2.
  21. Firewall shown is the stateful IOS Firewall/CBAC. Zone-based firewall configuration should work as well. For configuration example, see: https://supportforums.cisco.com/message/3194077 Items in red are implicit rules for every ACL. nd-na = neighbor discovery, neighbor advertisement (L2 resolution reply/unsolicited addr announcement). nd-ns = neighbor discovery, neighbor solicitation (L2 resolution request).
  22. IP: Consider using the last 1-2 octets of the IPv4 address in the IPv6 address to help with device recognition. DNS: When creating a DNSv6 reverse lookup zone, enter the address including prefix, e.g., fc00:a::/64. DHCP: In Windows Server 2008 R2 the DHCPv6 scope prefixes are fixed at /64.
  23. Windows 7 supports DHCPv6 in addition to SLAAC and manual modes. The Link Local address is dynamically generated for you. To use IPv4 instead of IPv6 in prefix policies (e.g. DNS queries): http://support.microsoft.com/kb/929852 Disable Automatic Tunneling:
      netsh interface 6to4 set state state=disabled undoonstop=disabled
      netsh interface isatap set state state=disabled
      netsh interface teredo set state type=disabled
  24. No DHCPv6 Support. Either SLAAC or Manual. Link local (fe80) address is assigned automatically. IPv6 ULA address is learned from the ICMP router advertisement.
  25. SEND = Secure Neighbor Discovery. Windows 7 can enable/disable privacy extensions by using:
      netsh interface ipv6 set global randomizeidentifiers=disabled
      netsh interface ipv6 set global randomizeidentifiers=enabled
    Recommendation is to use RFC4941 privacy extensions for external use, and EUI-64/DHCPv6 for internal. Disable Rogue Tunnels:
      netsh interface 6to4 set state state=disabled undoonstop=disabled
      netsh interface isatap set state state=disabled
      netsh interface teredo set state type=disabled
    Enable Mac OS X privacy extensions: Edit "/etc/sysctl.conf" and add net.inet6.ip6.use_tempaddr=1. Then reboot. Enable Linux privacy extensions: Edit "/etc/sysctl.conf" and add net.ipv6.conf.all.use_tempaddr=2 and net.ipv6.conf.default.use_tempaddr=2 (Linux does not use the BSD-style net.inet6 key). Then reboot. Assignment of DNS via SLAAC RDNSS options.
  26. Defined in RFC4291