You may have hoped to retire before IPv6 became a reality, but unfortunately IPv4 address exhaustion came too fast. For the rest of us, we're going to bite off a small piece of the 15-year-old IPv6 pie and talk about how to get started!
• Address format refresher
• IPv4 and IPv6 protocol comparison
• IPv6 neighbor discovery and auto-configuration
• Current migration and coexistence strategies
• ICMPv6, DHCPv6, and DNSv6
• How to get started at home
Getting Started with IPv6: A toe-dip into the volatile world of IPv6 transitions
1. Getting Started with IPv6: A toe-dip into the volatile world of IPv6 transitions. Tanner, 04.29.2011
2. Goals and Status
GOAL: Get IPv6 dual-stack running on a lab/home network and connect to the IPv6 internet.
STATUS: IPv4 Exhaustion Timeline. IPv6 Today: Google, Microsoft, Apple, Netflix, Cisco, Facebook, Gov't Agencies. Service Provider Plan. Enterprise Plan.
4. IPv6 Mechanics
Advantages: Lots of addresses. Automatic IP address configuration. Duplicate Address Detection (DAD). Only available option post-IPv4.
Disadvantages: Still disagreements on implementation / transition methods. Immature device / OS / application support. Remembering long addresses.
5. IPv6 Building Blocks
Interface Addressing: Manual, SLAAC, DHCPv6. Link Local. Routable, e.g. 2002:d82a:3bcc:deff:baca:3f97:872d:d00d/64.
DNS: Increased reliance due to lengthy addresses. AAAA ("Quad A") records.
ICMPv6: Neighbor Discovery.
Routing: EIGRPv6, OSPFv3.
6. IPv6 Addressing
2002:adb8:85a3:af90:b8b8:8a2e:1773:ff31/64: 8 x 16 bits separated by a colon (:). Prefix length in CIDR format, NOT 255.255.255.255.255.255.255.255.0.0.0.0.0.0.0.0.
Each interface has a: Link local address, Routable address.
Address assignment: [Modified] EUI-64, Auto w/ privacy extensions, Manual.
Neighbor Discovery: Heavy use of ICMP and Multicast.
14. Dual Stack Transition Plan
Make sure there are no DNS AAAA records. Alternate: Disable IPv6 on all devices.
Enable IPv6 in core, then firewall, then internet router.
Enable select DMZ servers / inside clients.
15. DNSv6 and DNS64 Name Resolution
IPv4: set type=a, www.comcast6.net, Address: 68.87.29.36
IPv6: set type=aaaa, www.comcast6.net, Address: 2001:558:1002:4:68:87:29:36
DNS64: IPv6 client makes a DNS AAAA query; the DNS64 gateway translates the IPv4 response to AAAA format.
16. DHCPv6
Client detects presence of routers on the link using Router Solicitation. Uses the link-local address as the source IP. No gateway needed; learned from RAs.
17. IPv6 Attacks
IPv6 NDP Exhaustion: Configuring /64s per subnet is akin to configuring an IPv4 /8 on a LAN. Allocate a /64, configure a /120 (breaks SLAAC).
Ping/Ping or Ping/Pong attack.
ND vulnerabilities: ICMP must be open to inside hosts.
Dual Stack Hosts: IPv6 may not be locked down.
20. IPv6 Internet Access, Step 1
Dual Stack ISP: Request dual stack support from ISP.
Or IPv6 Tunnel Broker: Sign up for a free IPv6 tunnel broker service (tunnelbroker.net from Hurricane Electric).
22. IP protocol 41 is reserved for IPv6 encapsulation. The IPv4 endpoint address will change depending on the IPv6 broker endpoint used.
23. Cisco Router Configuration (IP), Step 3
  ipv6 unicast-routing
  ipv6 cef
  interface Tu0
   description IPv6 Internet
   ipv6 enable
   ipv6 address 2001:DB8:F::2/64        ! Assigned from HE
   tunnel source F4                     ! Internet Interface
   tunnel destination 216.218.226.238   ! IPv6 Broker Endpoint
   tunnel mode ipv6ip                   ! IPv6 Encapsulated in IPv4
  interface G0
   description LAN Segment
   ipv6 address 2001:DB8:1::1/64        ! IP from /48 allocation
   ipv6 address 2001:DB8:1::/64 EUI-64
   ipv6 enable
  ipv6 route ::/0 Tu0                   ! IPv6 default route
24. Cisco Router IP Autoconfig
  IPV6-Router# show ipv6 int
  GigabitEthernet0 is up, line protocol is up
    [Hardware is PQII_PRO_UEC, address is 68EF.BD61.4D13]                <- Interface MAC
    IPv6 is enabled, link-local address is FE80::6AEF:BDFF:FE61:4D13      <- U/L bit flip, EUI-64 (FFFE) insertion
    No Virtual link-local address(es):
    Stateless address autoconfig enabled
    Global unicast address(es):
      2001:DB8:1:0:6AEF:BDFF:FE61:4D13, subnet is 2001:DB8:1::/64 [EUI/CAL/PRE]  <- Learned via ND from upstream router
        valid lifetime 2591835 preferred lifetime 604635
    Joined group address(es):
      FF02::1                                                            <- All IPv6 nodes, link local
      FF02::1:FF61:4D13                                                  <- Solicited node addr for replies
    MTU is 1500 bytes
    …
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds (using 30000)
    Default router is FE80::215:C6FF:FE53:9EC8 on GigabitEthernet0       <- Link local addr used for next hop
25. Cisco Router Security (IPv6), Step 4
Access List:
  ipv6 access-list ACL-IPV6-IN
   remark --- Block AfriNIC/APNIC
   deny ipv6 2001:4200::/23 any
   deny ipv6 2C00:0000::/12 any
   deny ipv6 2001:0200::/23 any
   deny ipv6 2001:0C00::/23 any
   deny ipv6 2001:0E00::/23 any
   deny ipv6 2001:4400::/23 any
   deny ipv6 2001:8000::/19 any
   deny ipv6 2001:A000::/20 any
   deny ipv6 2001:B000::/20 any
   deny ipv6 2400:0000::/12 any
   remark --- Allow Neighbor Discovery
   permit icmp any any nd-na
   permit icmp any any nd-ns
   remark --- Block everything else
   deny ipv6 any any log
  interface Tunnel0
   ipv6 traffic-filter ACL-IPV6-IN in
IOS Firewall (CBAC):
  ipv6 inspect alert-off
  ipv6 inspect routing-header
  ipv6 inspect max-incomplete low 100
  ipv6 inspect max-incomplete high 200
  ipv6 inspect one-minute low 100
  ipv6 inspect one-minute high 200
  ipv6 inspect udp idle-time 15
  ipv6 inspect tcp idle-time 1800
  ipv6 inspect tcp finwait-time 1
  ipv6 inspect tcp synwait-time 15
  ipv6 inspect tcp max-incomplete host 500 block-time 0
  ipv6 inspect name FW1 ftp
  ipv6 inspect name FW1 tcp
  ipv6 inspect name FW1 udp
  ipv6 inspect name FW1 icmp
  interface G0
   ipv6 inspect FW1 in
   ipv6 inspect FW1 out
26. Windows Server Configuration, Step 5a
Manually configure the server IP address. DHCPv6 scope created with local fc00 addressing (ULA) (optional). View of DNS A and AAAA record.
29. OS Support Comparison (table)
Footnotes: (1) Feature supported in IOS 12.4(24)T and later. (2) EUI-64 capability disabled by default; privacy extensions must be disabled to use. (3) Privacy extensions disabled by default.
30. Test Connectivity, Step 6
Ping Test:
  c:\> ping ipv6.google.com
  Pinging ipv6.l.google.com [2001:4860:800d::63] with 32 bytes of data:
  Reply from 2001:4860:800d::63: time=45ms
  Reply from 2001:4860:800d::63: time=42ms
Web Test
32. Platform Limitations
Does your L3 switch support hardware-based forwarding for IPv6?
33. Application Compatibility
Do log parsing applications recognize IPv6? (Syslog, etc.) IP address calculation formulas in spreadsheets. IP-enabled A/V equipment. Network Video Recording software.
34. Cisco Notes
3560/3750: sdm prefer dual-ipv4-and-ipv6 default. Others: ipv6 mld snooping. IPv6 CEF disabled by default. IPv6 will use resources from the IPv4 pool.
36. Q&A
Q: How do I specify a port in an IPv6 URL? A: http://[2001:db8::dade:55]:8080/
Q: What is the group of digits called in between each : (colon)? A: Depending on your source, they can be called "fields", "groups", "quads", "hextets", or "hexadecatet".
Editor's Notes
Watch IPv4 addresses run out: http://www.potaroo.net/tools/ipv4/index.html. IPv4 Internet: www.google.com, www.microsoft.com, www.*.com. IPv6 Internet: v6.cisco.com, ipv6.google.com
APNIC only has the remaining /8 from the trigger IANA release. They will be
Also in the Cisco world, CLI output of IPv6 features is ugly (lack of readability) compared to their IPv4 counterparts. For example: show ip interface brief vs show ipv6 interface brief; show ip eigrp neighbors vs show ipv6 eigrp neighbors.
DHCPv6: http://technet.microsoft.com/en-us/magazine/2007.03.cableguy.aspx. Options include DNS server IP, domain name, NTP server, etc. DNS (RFC 3484): A client may show preference for DNS AAAA (IPv6) records over IPv4 and thus attempt to connect to the destination server via IPv6. IPv6 makes heavy use of ICMP multicast/unicast messages and these must be allowed via ACLs.
Routable addresses can be either local (think RFC 1918 private IPs) or global (public IP address). RFC 4941: Privacy Extensions for Stateless Address Autoconfiguration in IPv6. Keep IP for 1-7 days. Q: How do L2 switches handle IPv6 addresses? A: L2 switches are only looking at the SMAC/DMAC, so IPv6 addressing is transparent to them. Exceptions to this would be a QoS or VACL/PACL applied to the interface examining L3/L4 portions of the header.
1 base-2 binary position = 2 bits (e.g., 0 or 1). 1 base-16 hex position = 4 bits (e.g., 0-9, A-F). In other words, it takes 4 binary positions (2^4) to represent 16 unique values (0-9 and A-F) per position. http://en.wikipedia.org/wiki/IPv6_subnetting_reference
See http://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xml for details on multicast address space. IPv4 has a documentation prefix as well (see RFC 5737): 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), and 203.0.113.0/24 (TEST-NET-3).
/64 prefix: 128 bits = 64 for network and 64 for host. Why prefix lengths in increments of 8? Because then your IPv6 address fits nicely within the : boundaries.
/48 = 2001:1, Format: [Global:ISP:Org:Subnet:Host:Host:Host:Host]
/56 = 2001:1:1, Format: [Global:ISP:ISP:(Org & Subnet):Host:Host:Host:Host]
/64 = 2001:1:1:1, Format: [Global:ISP:ISP:Subnet:Host:Host:Host:Host]
Some equipment may have issues assigning a mask other than /64. /64 required for automatic IP address configuration. Prefix examples: /48, /64, /120.
IPv6 NDP allows host & router/gateway discovery. Cisco and Windows-based commands shown. Stateless Address AutoConfiguration (SLAAC) uses Modified EUI-64 or Privacy Extensions (RFC 4941/Microsoft).
IPv6 Only. Dual Stack (recommended approach). Tunnel IPv4 or MPLS. See Basic Transition Mechanisms for IPv6 Hosts and Routers (RFC 4213). 6to4 Tunnels (RFC 3056): 2002:IPv4::/48 IPv6 range; route 2002::/16 to the tunnel interface.
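The 6to4 mapping above (2002:IPv4::/48) and the DNS64 synthesis on slide 15 both embed an IPv4 address inside an IPv6 address. The following added example (not from the deck) derives those addresses with the standard-library ipaddress module; the NAT64 well-known prefix 64:ff9b::/96 comes from RFC 6052 rather than the slides, and 2001:db8:64::/96 is a constructed documentation-range example of an operator-specific NAT64 prefix.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Optional

SIX_TO_FOUR = IPv6Network("2002::/16")
# RFC 6052 well-known prefix used by DNS64/NAT64 when the operator has
# not configured a prefix of their own (not taken from the slides).
NAT64_WKP = "64:ff9b::/96"


def sixtofour_prefix(ipv4: str) -> IPv6Network:
    """Return the /48 a 6to4 site derives from its public IPv4 address."""
    v4 = IPv4Address(ipv4)
    if v4.is_private:
        raise ValueError("6to4 needs a public IPv4 address")
    # 2002:aabb:ccdd::/48 -- the 32 IPv4 bits follow the 16-bit 2002 prefix.
    packed = b"\x20\x02" + v4.packed + bytes(10)
    return IPv6Network((int.from_bytes(packed, "big"), 48))


def sixtofour_embedded_ipv4(ipv6: str) -> Optional[IPv4Address]:
    """Recover the IPv4 tunnel endpoint from a 6to4 address (None if not 6to4)."""
    a = IPv6Address(ipv6)
    if a not in SIX_TO_FOUR:
        return None
    return IPv4Address(a.packed[2:6])


def dns64_synthesize(ipv4: str, prefix: str = NAT64_WKP) -> IPv6Address:
    """What a DNS64 gateway answers for an A record when no AAAA exists."""
    net = IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example only handles /96 NAT64 prefixes")
    # Upper 96 bits are the NAT64 prefix, lower 32 bits the IPv4 address.
    return IPv6Address(net.network_address.packed[:12] + IPv4Address(ipv4).packed)


def nat64_embedded_ipv4(ipv6: str, prefix: str = NAT64_WKP) -> Optional[IPv4Address]:
    """Inverse of dns64_synthesize: the IPv4 host the NAT64 gateway will reach."""
    a = IPv6Address(ipv6)
    if a not in IPv6Network(prefix):
        return None
    return IPv4Address(a.packed[12:])


if __name__ == "__main__":
    # Tunnel broker endpoint, routable 6to4 address and A record from the slides.
    print(sixtofour_prefix("216.218.226.238"))
    print(sixtofour_embedded_ipv4("2002:d82a:3bcc:deff:baca:3f97:872d:d00d"))
    print(dns64_synthesize("68.87.29.36"))
```

The deck's routable example 2002:d82a:3bcc:… is itself a 6to4 address, so the second call recovers the IPv4 relay behind it.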
NAT-PT is the only transition NAT protocol supported in most Cisco devices today, but it is generally regarded as obsolete. http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-nat_trnsln_ps6350_TSD_Products_Configuration_Guide_Chapter.html. That leaves no good options to NAT IPv4 addresses to IPv6 addresses.
The popular solution today is end-to-end dual stack configuration where an end node runs both IPv4 and IPv6. With Cisco, only the ASR 1000 series router supports NAT64 today. Juniper supports stateful NAT64 today. NAT64 gateway for Linux: http://ecdysis.viagenie.ca/
IPv6 Native Dual Stack over DOCSIS. Comcast: IPv6 Native Dual Stack for users (January 31, 2011). Content natively over both IPv6 and IPv4. Allocating 18,446,744,073,709,551,616 (18 quintillion) addresses per user (/64).
Notable Notes: If you have IPv6 and IPv4 enabled on your machine, IPv6 (and DNSv6) will be preferred. Websites already set up for IPv6:
  c:\ruby>ping www.comcast6.net
  Pinging www.comcast6.g.comcast.net [2001:558:1004:9:69:242:76:78] with 32 bytes of data:
  c:\ruby>ping ipv6.google.com
  Pinging ipv6.l.google.com [2001:4860:b006::68] with 32 bytes of data:
Not all clients support DHCPv6, opting to support SLAAC only. DHCP-PD: Allows you to delegate a prefix which may contain multiple subnets to a router that can assign subnets on LAN segments.
List of IPv6 Tunnel Brokers: http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
See RFC 2473 and RFC 3056 for IPv6 tunnel encapsulation information
IGP just uses the link-local address. No need for a global IP address on the interface. IPv6 management done by an IPv6 loopback. To verify IPv6 configuration, use: show ipv6 interface brief; show ipv6 router discovery.
EUI = Extended Unique Identifier. More details, see http://packetlife.net/blog/2008/aug/4/eui-64-ipv6/
Solicited-node address: The solicited-node address facilitates efficient querying of network nodes during address resolution. In IPv4, the ARP Request frame is sent to the MAC-level broadcast, disturbing all nodes on the network segment, including those that are not running IPv4. IPv6 uses the Neighbor Solicitation message to perform address resolution. However, instead of using the link-local scope all-nodes address as the Neighbor Solicitation message destination, which would disturb all IPv6 nodes on the local link, the solicited-node multicast address is used. The solicited-node multicast address consists of the prefix FF02::1:FF00:0/104 and the last 24 bits of the IPv6 address that is being resolved.
For example, for the node with the link-local IPv6 address of FE80::2AA:FF:FE28:9C5A, the corresponding solicited-node address is FF02::1:FF28:9C5A. To resolve the FE80::2AA:FF:FE28:9C5A address to its link layer address, a node sends a Neighbor Solicitation message to the solicited-node address of FF02::1:FF28:9C5A. The node that is using the address of FE80::2AA:FF:FE28:9C5A is listening for multicast traffic at the solicited-node address and, for interfaces that correspond to a physical network adapter, has registered the corresponding multicast address with the network adapter.
The result of using the solicited-node multicast address is that address resolution, which commonly occurs on a link, is not required to use a mechanism that disturbs all network nodes. In fact, very few nodes are disturbed during address resolution. In practice, because of the relationship between the Ethernet MAC address, the IPv6 interface ID, and the solicited-node address, the solicited-node address acts as a pseudo-unicast address for very efficient address resolution. http://technet.microsoft.com/en-us/library/cc781068%28WS.10%29.aspx
Routers join the "All Routers" multicast group FF02::2.
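The EUI-64 derivation shown on slide 24 (U/L bit flip, FFFE insertion) and the solicited-node mapping in this note are mechanical enough to reproduce. The following added example (not from the deck) implements both and checks them against the deck's own values; the /64 requirement it enforces is the reason the /120 on slide 17 breaks SLAAC.

```python
from ipaddress import IPv6Address, IPv6Network

# FF02::1:FF00:0/104 -- the first 13 bytes of every solicited-node address.
SOLICITED_NODE_PREFIX = bytes.fromhex("ff02" + "00" * 9 + "01ff")


def modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 interface ID from a 48-bit MAC (accepts : - . separators)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02                       # U/L bit flip (bit 7 of octet 0)
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]   # FFFE insertion


def slaac_address(prefix: str, mac: str) -> IPv6Address:
    """Address a SLAAC host forms from an advertised prefix and its MAC."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        # A /120 (slide 17) leaves no room for a 64-bit interface ID.
        raise ValueError("SLAAC requires a /64 prefix")
    return IPv6Address(net.network_address.packed[:8] + modified_eui64(mac))


def solicited_node(addr: str) -> IPv6Address:
    """FF02::1:FFxx:xxxx group a node joins to receive NS/DAD for this address."""
    return IPv6Address(SOLICITED_NODE_PREFIX + IPv6Address(addr).packed[13:])


def same_solicited_group(a: str, b: str) -> bool:
    """True when two addresses share a group (only the low 24 bits matter)."""
    return solicited_node(a) == solicited_node(b)


if __name__ == "__main__":
    # MAC and prefix taken from the 'show ipv6 interface' output on slide 24.
    mac = "68EF.BD61.4D13"
    ll = slaac_address("fe80::/64", mac)
    gua = slaac_address("2001:db8:1::/64", mac)
    print(ll, gua, solicited_node(str(ll)), same_solicited_group(str(ll), str(gua)))
```

Because the link-local and global addresses share the same interface ID, they map to a single solicited-node group, which is why the slide shows one FF02::1:FF61:4D13 entry.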
Firewall shown is the stateful IOS Firewall/CBAC. Zone-based firewall configuration should work as well. For a configuration example, see: https://supportforums.cisco.com/message/3194077. Items in red are implicit rules for every ACL. nd-na = neighbor discovery, neighbor advertisement (L2 resolution reply/unsolicited address announcement). nd-ns = neighbor discovery, neighbor solicitation (L2 resolution request).
IP: Consider using the last 1-2 octets of the IPv4 address in the IPv6 address to help with device recognition. DNS: When creating a DNSv6 reverse lookup zone, enter the address including prefix, e.g., fc00:a::/64. DHCP: In Windows Server 2008 R2 the DHCPv6 scope prefixes are fixed at /64.
Windows 7 supports DHCPv6 in addition to SLAAC and manual modes. The Link Local address is dynamically generated for you. To use IPv4 instead of IPv6 in prefix policies (e.g. DNS queries): http://support.microsoft.com/kb/929852
Disable Automatic Tunneling:
  netsh interface 6to4 set state state=disabled undoonstop=disabled
  netsh interface isatap set state state=disabled
  netsh interface teredo set state type=disabled
No DHCPv6 support. Either SLAAC or manual. Link local (fe80) address is assigned automatically. IPv6 ULA address is learned from the ICMP router advertisement.
SEND = Secure Neighbor Discovery.
Windows 7 can enable/disable privacy extensions by using:
  netsh interface ipv6 set global randomizeidentifiers=disabled
  netsh interface ipv6 set global randomizeidentifiers=enabled
Recommendation is to use RFC 4941 privacy extensions for external use, and EUI-64/DHCPv6 for internal.
Disable Rogue Tunnels:
  netsh interface 6to4 set state state=disabled undoonstop=disabled
  netsh interface isatap set state state=disabled
  netsh interface teredo set state type=disabled
Enable Mac OS X privacy extensions: Edit "/etc/sysctl.conf" and add net.inet6.ip6.use_tempaddr=1. Then reboot.
Enable Linux privacy extensions: Edit "/etc/sysctl.conf" and add net.ipv6.conf.all.use_tempaddr=2 and net.ipv6.conf.default.use_tempaddr=2 (the Linux sysctl keys; the net.inet6 name belongs to the BSD/Mac OS X stack). Then reboot.
Assignment of DNS via SLAAC RDNSS options.