SlideShare une entreprise Scribd logo

Swiss IPv6 Council: Konfusion um die Router Flags

Digicomp Academy AG
Digicomp Academy AG

Die monatlichen Anlässe in Zusammenarbeit mit dem Swiss IPv6 Council behandeln verschiedene technische Themenbereiche von IPv6. Das Referat vom 29. April 2015 widmete sich dem wiedersprüchlichen Verhalten von Betriebssystemen im SLAAC/DHCPv6-Umfeld. In einer IPv6-Umgebung können Knoten ihre IP-Konfiguration entweder stateless (SLAAC) oder stateful (DHPCv6) erhalten. Dafür gibt es in Router Advertisements (RA) drei Flags: das A-, M- und O-Flag. Die Spezifikation definiert jedoch kein klares Verhalten bei widersprüchlicher Konfiguration. Ein kürzliches IETF-Draft zeigt, dass verschiedene Betriebssysteme unterschiedlich auf diese Flags reagieren. Referent Enno Rey zeigte Resultate eines weiterführenden Tests dazu.

Internet
1  sur  62
Télécharger pour lire hors ligne
www.ernw.de OS IPv6 Behavior in Conflicting Environments Enno Rey, erey@ernw.de @Enno_Insinuator
www.ernw.de Who I Am ¬ Founder and managing director of vendor independent network consulting & security assessment company ERNW. ¬ Old-school network guy with some background in large scale operations. ¬ Involved with IPv6 since 1999 and regularly blogging at www.insinuator.net. 4/30/2015 #2
www.ernw.de Agenda ¬ Fundamentals  Quick Refresher of Basics & Specifications ¬ Results from the Lab  Some Surprises (?) ¬ Conclusions  What All this Means from an Operations Perspective 4/30/2015 #3
www.ernw.de Fundamentals What the textbook tells you 4/30/2015 #4
www.ernw.de Address Autoconfig Overview ¬ IPv6 interfaces are meant to configure themselves automatically, in terms of "basic IP parameters".  Even without DHCPv6.  In particular without DHCPv6!  Remember: IPv6 = consumer technology. ¬ Link-local addresses are always configured, for each interface. ¬ Using the router discovery process, other addresses, router addresses and other configuration parameters are selected. 4/30/2015 #5
www.ernw.de Types of Autoconfiguration ¬ Stateless  Via Router Advertisement Messages (with one or more prefix)  Can (in theory) also distribute "other parameters", see RFC 6106.  SLAAC: “stateless address autoconfiguration“ ¬ Stateful  Usage of a Stateful Address Protocol (e.g. DHCPv6). ¬ Stateless with DHCP  Use of Router Advertisement messages for allocation of prefixes  In addition, DHCP for "other parameters” (e.g. DNS Server, Domain Search List). (In all cases there is always at least one link-local address anyway!) 4/30/2015 #6
www.ernw.de Neighbor Discovery Protocol RFC 4861 ¬ Neighbor Discovery (ND) provides mechanisms for the following tasks: 1. Neighbor Discovery / Address Resolution 2. Router Discovery 3. Prefix Discovery 4. Parameter Discovery 5. Address Autoconfiguration 6. Next-Hop Determination 7. Neighbor Unreachability Detection 8. Duplicate Address Detection 9. Redirects 4/30/2015 #7
www.ernw.de Router Discovery ¬ Used to detect routers that are connected to the local network. ¬ IPv6 router discovery can also help to provide the following information:  Default value for the "Hop Limit" field  Whether any "stateful address protocol” (DHCPv6) should be used.  Settings for the “Retransmission Timer”  The network prefix for the local network  The MTU of the network  Mobile IPv6 Information  Routing Information 4/30/2015 #8
www.ernw.de Multicast Router Solicitation Message Router Alice 1. Multicast Router Solicitation Router Solicitation MAC: 00-01-02-03-04-05 IP: none MAC: 00-11-22-33-44-55 IP: FE80::211:22FF:FE33:4455 Ethernet Header • Dest.-MAC: 33-33-00-00-00-02 IPv6 Header • Source-IP::: • Dest.-IP: FF02::2 • Hop limit: 255 Router Solicitation 4/30/2015 #9
www.ernw.de Router AdvertisementMessageRouter Alice 2. Multicast Router Advertisement Router Advertisement MAC: 00-01-02-03-04-05 IP: none MAC: 00-11-22-33-44-55 IP: FE80::211:22FF:FE33:4455 Ethernet Header • Dest.-MAC: 33-33-00-00-00-01 IPv6 Header • Source-IP:FE80::211:22FF:FE33:4455 • Dest.-IP: FF02::1 • Hop limit: 255 Router Advertisement Header • Current Hop Limit, Flags, Router Lifetime, Reachable and Retransmission Timers Neighbor Discovery Options • Source Link-Layer Address • MTU • Prefix Information 4/30/2015 #10
www.ernw.de Router Advertisements, Flags (I) ¬ The “Autonomous address configuration” (A) flag. When set, this flag indicates that this prefix can be used for stateless address autoconfiguration, as specified in [RFC4862]. 4/30/2015 #11
www.ernw.de Router Advertisements, Flags (II) ¬ Routers can inform adjacent hosts (neighbors on the local link) that additional configuration parameters (like a DNS server) are available over a stateful configuration protocol (DHCPv6). ¬ In the router advertisement header two flags (M and O) can be included which can be set to inform the clients that additional configuration parameters are available. 4/30/2015 #12
www.ernw.de O-Flag ¬ 1-bit ”other configuration“ flag ¬ When set, it indicates that other configuration information is available via DHCPv6. ¬ Examples of such information are DNS- related information (DNS Server, DNS Suffix). ¬ Both flags are defined in RFC 4861 (Section 4.2). 4/30/2015 #13
www.ernw.de M-Flag ¬ 1-bit "Managed address configuration" flag. ¬ When set, it indicates that addresses are available through DHCPv6. ¬ If the M flag is set, the O flag is redundant and can be ignored because DHCPv6 will return all available configuration information. ¬ If neither M nor O flags are set, this indicates that no information is available via DHCPv6.  Rly? See below... 4/30/2015 #14
www.ernw.de And Finally There‘s RFC 6106 4/30/2015 #15
www.ernw.de DHCPv6 ¬ Specified (initially|mainly) in RFC 3315. ¬ Uses UDP Ports 546 (Clients) and 547 (Server/Relays). ¬ DHCPv6 uses multicast packets in IPv6. ¬ Clients/Server will be identified by:  DUID + IAID(s) ¬ Components of a DHCPv6 Infrastructure  DHCPv6 Clients  DHCPv6 Server  DHCPv6 Relay Agents 4/30/2015 #16
www.ernw.de DHCPv6 Message Types DHCPv6 Message Type DHCPv4 Message Type SOLICIT (1) DHCPDISCOVER ADVERTISE (2) DHCPOFFER REQUEST (3), RENEW (5), REBIND (6) DHCPREQUEST REPLY (7) DHCPACK/DHCPNAK RELEASE (8) DHCPRELEASE INFORMATION-REQUEST (11) DHCPINFORM DECLINE(9) DHCPDECLINE CONFIRM (4) - No equivalent - RECONFIGURE (10) DHCPFORCERENEW RELAY-FORW (12), RELAY REPLY (13) - No equivalent - 4/30/2015 #17
www.ernw.de DHCP Message Exchange [“M-Flag Variant”] 4/30/2015 #18
www.ernw.de Main Differences ¬ There is no “route option“ in DHCPv6 ¬ Concept of DUID ¬ The (Non-) Role of DHCPv6 in IPv6‘s “Subnet Model“ (RFC 5942) On the Protocol Level 4/30/2015 #19
www.ernw.de Differences ¬ (Informational) RFC 6434 IPv6 Node Requirements, sect. 5.9.5:  “[A]ll hosts SHOULD implement address configuration via DHCPv6.” ¬ For the record, RFC 2119 states:  “SHOULD This word[…] mean[s] that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.” Here‘s another one not to strictly blame on the protocol itself. 4/30/2015 #20
www.ernw.de DHCPv6 Support by OSs ¬ “Marking [Support for DHCPv6] declined until there is a compelling use case.  -- Lorenzo Colitti (Google) on Dec 07 2014 ¬  No DHCPv6 on Android  Except for the Fairphone. ¬ There are people who expect that Android is going to be one of the major OS for #IoT... What could possibly go wrong? Who could possibly deviate? https://code.google.com/p/android/issues /detail?id=32621 4/30/2015 #21
www.ernw.de Once upon a Time ¬ They had a certain place for DHCPv6 in mind, within the IPv6 universe. ¬ This happened to be a very different role from the (at the time developing) role of DHCP in IPv4. ¬ Tell you what: this is going to haunt you. When our ancestors did the initial specs of IPv6 4/30/2015 #22
www.ernw.de What Do You Mean? ¬ DHCPv4 was meant to be exclusive.  Either configure basic IPv4 properties manually or get the stuff from DHCPv4.  Once DHCPv4 is used, it‘s used for everything. ¬ DHCPv6 is meant to be complementary.  It can (and must) be mixed with other spicy stuff.  Add some #RFCambiguity to the mix. ¬ To fully understand what this means, let‘s step back one step and look at... Can you please elude? 4/30/2015 #23
www.ernw.de Relevant Specifications 4/30/2015 #24
www.ernw.de RFC 4861 ¬ Sect. 4.2 “If neither M nor O flags are set, this indicates that no information is available via DHCPv6.” ¬ If the M flag is set, the O flag is redundant and it can be ignored. 4/30/2015 #25
www.ernw.de Some More Quotes ¬ RFC 4862, 5.5.2 Absence of Router Advertisements  “Even if a link has no routers, the DHCPv6 service to obtain addresses may still be available, and hosts may want to use the service.” ¬ RFC 4862, 5.6 Configuration Consistency  “If the same configuration information is provided by multiple sources, the value of this information should be consistent.”  “In any case, if there is no security difference, the most recently obtained values SHOULD have precedence over information learned earlier.” Not much RFC 2119 in there, is it? 4/30/2015 #26
www.ernw.de RFC 6106 “1.2 Coexistence of RA Options and DHCP Options for DNS Configuration Two protocols exist to configure the DNS information on a host, the Router Advertisement options described in this document and the DHCPv6 options described in [RFC3646]. They can be used together. The rules governing the decision to use stateful configuration mechanisms are specified in [RFC4861]. Hosts conforming to this specification MUST extract DNS information from Router Advertisement messages, unless static DNS configuration has been specified by the user. If there is DNS information available from multiple Router Advertisements and/or from DHCP, the host MUST maintain an ordered list of this information as specified in Section 5.3.1. 4/30/2015 #27
www.ernw.de RFC 6106 In the case where the DNS options of RDNSS and DNSSL can be obtained from multiple sources, such as RA and DHCP, the IPv6 host SHOULD keep some DNS options from all sources. Unless explicitly specified for the discovery mechanism, the exact number of addresses and domain names to keep is a matter of local policy and implementation choice. However, the ability to store at least three RDNSS addresses (or DNSSL domain names) from at least two different sources is RECOMMENDED. The DNS options from Router Advertisements and DHCP SHOULD be stored into the DNS Repository and Resolver Repository so that information from DHCP appears there first and therefore takes precedence. Thus, the DNS information from DHCP takes precedence over that from RA for DNS queries. Section 5.3.1 4/30/2015 #28
www.ernw.de In Short 4/30/2015 #29 ¬ It‘s a mess! At least on the specs level.
www.ernw.de Problem Statement From a High-Level Perspective 4/30/2015 #30
www.ernw.de Problem Statement (I) ¬ IPv6 provides two mechanisms for one task, that is provisioning of IP parameters to nodes. 4/30/2015 #31
www.ernw.de Problem Statement (II) ¬ They are independent.  Well, mostly. ¬ In many environments both of them are needed, in some combination.  In particular this applies in (wrt OSs, devices) heterogeneous environments. Read: probably in pretty much all of your environments. ¬ In some environments different groups might be responsible for operating them.  Why did you add this to the “problem statement“? Well... ¬ There‘s differences as for the degree of vendor support & their strategies. There‘s two mechanisms 4/30/2015 #32
www.ernw.de Problem Statement (III) ¬ Some properties and elements have been enhanced over time, e.g. RFC 6106.  Evolution is a good thing. Seriously! ¬ Still, there‘s a certain (alas, when it comes to IPv6: usual) amount of ambiguity and vagueness in the main RFCs. Let‘s look at the specs... 4/30/2015 #33
www.ernw.de Problem Statement (IV) ¬ The “cooperation“ of those two mechanisms has been discussed quite a bit, both in the specs and in “the relevant fora“. ¬ However, not so much as for scenarios where the information provided by them is conflicting. ¬ This is what this talk is about. 4/30/2015 #34
www.ernw.de Problem Statement (IV) ¬ Human error  Both on the active failure and latent failure level. ¬ Conflicting/differing vendor default settings  Network devices  CPEs!  Keep in mind: there might be any OS in customers‘ networks. ¬ Attacker injecting nasty packets  Boils down to “standard local-link sec“ discussion  I will only briefly cover this. Can this (“contradiction scenario“) happen? 4/30/2015 #35
www.ernw.de From the Lab 4/30/2015 #36
www.ernw.de Lab Setup ¬ A DHCPv6 Server (DHCP ISC Version 4.3.1) installed on CentOs 6.6 . The DHCPv6 server is configured to provide both IPv6 addresses and RDNSS information. ¬ Two (2) routers Cisco 4321 using Cisco IOS Software version 15.5(1)S. ¬ The following OS as clients:  Fedora 21, kernel version 3.18.3-201 x64  Ubuntu 14.04.1 LTS, kernel version 3.13.0-44-generic  CentOS 7, kernel version 3.10.0-123.13.2.el7  Mac OS X 10.10.2 Yosemite  Windows 7  Windows 8.1 See also: https://www.ernw.de/download/ERNW_White paper_IPv6_RAs_RDNSS_DHCPv6_Conflictin g_Parameters.pdf 4/30/2015 #37
www.ernw.de Case 1: One Router with the Management Flag not Set and a DHCPv6 Server ¬ Fedora 21, MAC OS X, CentOS 7 and Ubuntu 14.04  Get an IPv6 address and an RDNSS from the IPv6 router only. ¬ Windows 7  Get an IPv6 address from the router only, but they do not get any DNS information, neither from the router nor from the DHCPv6 server. They also do not get IPv6 address from the DHCPv6 server. ¬ Windows 8.1  Get an IPv6 address from both the IPv6 router and the DHCPv6 server, despite the fact that the Management flag (M) is not set. They get RDNSS information from the DHCPv6 only. Router: M=0, A=1, O=0 and an RDNSS is advertised. DHCPv6 server on the same link offering IPv6 addresses & RDNSS 4/30/2015 #38
www.ernw.de Case 2: One Router with Conflicting Parameters and a DHCPv6 Server ¬ Fedora 21, Centos 7 and Ubuntu 14.04  get IPv6 address using SLAAC only.  Fedora 21, Centos 7 get RDNSS from both the RAs and the DHCPv6 server. The RDNSS obtained from the router has a higher priority though.  Ubuntu 14.04 gets an RDNSS from the router, and a “domain search list” information from the DHCPv6 server – but not RDNSS information. Router: M=0, A=1, O=1, and an RDNSS is advertised. A DHCPv6 server on the same link advertising IPv6 addresses and RDNSS 4/30/2015 #39
www.ernw.de Case 2 Results cont‘d ¬ MAC OS X  gets RDNSS from both, IPv6 address using SLAAC (no IPv6 address from the DHCPv6 server) but the RDNSS obtained from the DHCPv6 server is first (it has a higher priority). However, the other obtained from the RAs is also present. ¬ Windows 7 and Windows 8.1  obtain IPv6 addresses using SLAAC and RDNSS from the DHCPv6 server. They do not get an IPv6 address from the DHCPv6 server.   compare the Windows 8.1 behaviour with the previous case. 4/30/2015 #40
www.ernw.de Additional Observations ¬ [draft-ietf-v6ops-dhcpv6-slaac-problem-03] explicitly discusses the role of state transitions. ¬ We can confirm that these lead to particularly interesting effects.   Pay special attention in times when you perform those deliberately. Be prepared for surprises... ¬ In general the order of events seems to play a role, too.  See also test cases with two routers. 4/30/2015 #41
www.ernw.de Case 4: All Flags are Set and a DHCPv6 Server is Present ¬ Fedora 21 and Centos 7:  They get IPv6 addresses both from SLAAC and DHCPv6 server.  They get RDNSS both from RAs and DHCPv6 server.  The DNS of the RAs has higher priority. ¬ Ubuntu 14.04:  It gets IPv6 addresses both using SLAAC and from the DHCPv6 server.  It gets RDNSS from RAs only.  From the DHCPv6 server it only gets “Domain Search List” information, no RDNSS. Router: M=1, A=1, O=1, and an RDNSS is advertised. A DHCPv6 server on the same link advertising IPv6 addresses and RDNSS. 4/30/2015 #42
www.ernw.de Case 4 Results cont‘d ¬ MAC OS X:  It gets IPv6 addresses both using SLAAC and from the DHCPv6 server.  It also gets RDNSS both from RAs and the DHCPv6 server.  The DNS server from DHCPv6 has higher priority. ¬ Windows 7 and Windows 8.1:  They get IPv6 addresses both from SLAAC and DHCPv6 server.  They get RDNSS only from the DHCPv6 server. 4/30/2015 #43
www.ernw.de Summary https://www.ernw.de/download/ERNW_Whitepaper_IPv6_RAs_RDNSS_DHCPv6_Conflicting_Parameters.pdf https://tools.ietf.org/html/draft-ietf-v6ops-dhcpv6-slaac-problem-03 4/30/2015 #44
www.ernw.de More Stuff from the Lab 4/30/2015 #45
www.ernw.de Case 7: Router 1 Advertising M=0, O=0 and RDNSS, and then Router 2 advertising M=1, O=1 while DHCPv6 is Present ¬ MAC OS X and Ubuntu 14.04:  Initially they get address and RDNSS from the first router.  When they receive RAs from the second router, they never get any information (IPv6 address or RDNSS) from the DHCPv6 server. Initially: One IPv6 router with the following settings: M=0, O=0, A=1 and RDNSS advertised and 15 seconds time interval of the RAs. After a while (when clients are configured by the RAs of the above router) another IPv6 router with the following: M=1, O=1, no advertised prefix information, and 30 seconds time interval of the RAs. 4/30/2015 #46
www.ernw.de Case 7 Results cont‘d ¬ Fedora 21 and Centos 7:  Initially they get IPv6 address and RDNSS from the RAs of the first router.  When they receive an RA from router 2, they also get an IPv6 address and RDNSS from the DHCPv6 server while retaining the ones (IPv6 address and RDNSS) obtained from the RAs of the first router.  The RDNSS obtained from the first router has a higher priority than the one obtained from the DHCPv6 server (probably because it was received first).  When they receive again RAs from the first router, they lose/forget the information (IPv6 address and RDNSS) obtained from the DHCPv6 server.  Troubleshooting nightmare… 4/30/2015 #47
www.ernw.de Case 7 Results cont‘d ¬ Windows 7:  Initially they get address from the first router – no RDNSS.  When they receive RAs from the second router, they never get any information (IPv6 address or RDNSS) from the DHCPv6 server. 4/30/2015 #48
www.ernw.de Case 7 Results cont‘d ¬ Windows 8.1:  Initially, they get just an IPv6 address from the first router 1 - no RDNSS information (since they do not implement RFC 6106).  When they receive RAs from the second router, then they also get an IPv6 address from the DHCPv6 server, as well as RDNSS from it. They do not lose the IPv6 address obtained by the first router using SLAAC.  When they receive another RA from the first router, they retain all the information obtained so far (there isn't any change). 4/30/2015 #49
www.ernw.de Summary 4/30/2015 #50
www.ernw.de Conclusions 4/30/2015 #51
www.ernw.de ¬ Don‘t assume a certain OS‘ IPv6 behavior just because:  “the specs say so“  “another OS does it that way“  you have a good understanding of IPv4. ¬ Sorry guys ;-) ¬ Test, test, test!  Helps to gain (even more) IPv6 knowledge anyway.  Yes, pls allocate budget for test lab. 4/30/2015 #52
www.ernw.de Keep RFC 1925 in Mind ¬ “(4) Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network.” ¬ Deploying IPv6 is not a paper exercise. You need hands-on experience! ¬ Did you note Jeff Carrell gives his cool workshops at the IPv6 Business Conference?  Mark June 17–19 2015 in your calendar! 4/30/2015 #53
www.ernw.de Operations Perspective ¬ Keep configs/properties related to IPv6 parameter provisioning in sync, at all times  IPv6 transition might be an opportunity to re-think your ops model.  Yes, we understand you‘ll be happy to survive that one mostly unscathed, hence concentrate on one task at a time. Still #justsayin ;-) 4/30/2015 #54
www.ernw.de Planning Perspective ¬ In short: it depends 😉 ¬ Seriously: it depends heavily on the client base you want to support. Here’s some thoughts:  in case there’s Android devices, your routers should advertise RDNSS info (RFC 6106), else the Android clients will have to rely on their IPv4 DNS or manual kludges. RFC 6106 is supported since Lollipop.  in case you don’t have Android devices, you might go _without_ advertising RDNSS in RAs, for the simple reason of reducing potential for errors/”unexpected behavior”.  once you go with m-flag DHCPv6 clearing the A-flag in prefix information, but leaving the L-flag set (to “circumvent RFC 5942″) is usually a good idea.  Ofc, you can‘t do this once there‘s Android devices as those won‘t generate any (non LL) address then.  we observe that most of our customers strive to go with m-flag DHCPv6. that‘s just an observation... 4/30/2015 #55 Considerations how to set up the whole SLAAC/DHCPv6 thing
www.ernw.de Troubleshooting ¬ You should know how to diagnose a node‘s exact properties on the OS level  incl. types of addresses and order of name resolution  “netsh int ipv6“ commands on Win  “ip -6 add show“ on Linux  btw: /etc/resolv.conf not relevant on Mac ¬ The truth is in the packets... For the poor sod responsible... A helpful resource: https://wikispaces.psu.edu/display/ipv6/IP v6+Rosetta+Stone 4/30/2015 #56
www.ernw.de Troubleshooting ¬ Being familiar with the following certainly helps  Flags in router advertisements  Main DHCPv6 messages  IPv6 Subnet Model (RFC 5942) and its (non-) relationship with DHCPv6 In such scenarios 4/30/2015 #57
www.ernw.de Summary ¬ There‘s a certain learning curve when it comes to IPv6. ¬ Just looking at the specs might not be sufficient. ¬ Start now ;-) 4/30/2015 #58
www.ernw.de There’s never enough time… THANK YOU… ...for yours! Slides: https://www.insinuator.net 4/30/2015 #59
www.ernw.de Save the Dates ¬ Pre-Conference Day – Wednesday,17. June 2015 IPv6 Workshop: Build it, Use it with Jeff Carrell  Hands-On ¬ IPv6 Business Conference – Thursday, 18. June 2015 ¬ Post-Conference Day – Friday, 19. June 2015 IPv6 Interactive Addressing Workshop with Practical Hands-on Labs with Jeff Carrell  Hands-On, Build your own lab and take it home! ¬ Do you want to be a sponsor? 4/30/2015 #60
www.ernw.de March, 14-18 2016 Heidelberg, Germany TROOPERS - Make the world a safer place. More info & extensive archives @ www.troopers.de Guys, we would love to see you in Heidelberg! 4/30/2015 #61
www.ernw.de Questions? ¬ You can reach us at:  erey@ernw.de, www.ernw.de ¬ Our blog:  www.insinuator.net ¬ Follow me at:  @Enno_Insinuator 4/30/2015 #62

Recommandé

Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetbalamurugan N
 
NAT Traversal
NAT TraversalNAT Traversal
NAT TraversalDavide Carboni
 
IPv6 Best Practice
IPv6 Best PracticeIPv6 Best Practice
IPv6 Best Practiceflyingpotato
 
PLNOG 3: Fredy Kunzler - IPv6. Now!
PLNOG 3: Fredy Kunzler - IPv6. Now!PLNOG 3: Fredy Kunzler - IPv6. Now!
PLNOG 3: Fredy Kunzler - IPv6. Now!PROIDEA
 
How to configure static nat on cisco routers
How to configure static nat on cisco routersHow to configure static nat on cisco routers
How to configure static nat on cisco routersIT Tech
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetjulianlz
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetSwarup Hait
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6Private
 

Recommandé

Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetbalamurugan N
 
NAT Traversal
NAT TraversalNAT Traversal
NAT TraversalDavide Carboni
 
IPv6 Best Practice
IPv6 Best PracticeIPv6 Best Practice
IPv6 Best Practiceflyingpotato
 
PLNOG 3: Fredy Kunzler - IPv6. Now!
PLNOG 3: Fredy Kunzler - IPv6. Now!PLNOG 3: Fredy Kunzler - IPv6. Now!
PLNOG 3: Fredy Kunzler - IPv6. Now!PROIDEA
 
How to configure static nat on cisco routers
How to configure static nat on cisco routersHow to configure static nat on cisco routers
How to configure static nat on cisco routersIT Tech
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetjulianlz
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetSwarup Hait
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6Private
 
From NAT to NAT Traversal
From NAT to NAT TraversalFrom NAT to NAT Traversal
From NAT to NAT TraversalLi-Wei Yao
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)Martin Schütte
 
Nat
NatNat
NatElshan86
 
Things I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedThings I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedFaelix Ltd
 
IPv6 - Jozi Linux User Group Presentation
IPv6 - Jozi Linux User Group PresentationIPv6 - Jozi Linux User Group Presentation
IPv6 - Jozi Linux User Group PresentationJumping Bean
 
I pv6 tutorial
I pv6 tutorialI pv6 tutorial
I pv6 tutorialFred Bovy
 
Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0Fred Bovy
 
IPv6 Addressing
IPv6 AddressingIPv6 Addressing
IPv6 AddressingIrsandi Hasan
 
PLNOG 13: M. Czerwonka, T. Kossut: IPv6 in mobile network
PLNOG 13: M. Czerwonka, T. Kossut: IPv6 in mobile networkPLNOG 13: M. Czerwonka, T. Kossut: IPv6 in mobile network
PLNOG 13: M. Czerwonka, T. Kossut: IPv6 in mobile networkPROIDEA
 
Nat traversal in WebRTC context
Nat traversal in WebRTC contextNat traversal in WebRTC context
Nat traversal in WebRTC contextAudioCodes
 
Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5Đồng Quốc Vương
 
IPV6 SIMPLE SECURITY CAPABILITIES
IPV6 SIMPLE SECURITY CAPABILITIESIPV6 SIMPLE SECURITY CAPABILITIES
IPV6 SIMPLE SECURITY CAPABILITIESOlle E Johansson
 
Fedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsFedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsTim Martin
 
IPv6 DHCP
IPv6 DHCPIPv6 DHCP
IPv6 DHCPIrsandi Hasan
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalMusa Stephen HONLUE
 
ICE basic
ICE basicICE basic
ICE basicVu Nguyen
 
PCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingPCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingAPNIC
 
6.Routing
6.Routing6.Routing
6.Routingphanleson
 
How to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsHow to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsToradex
 
WellGate 2644
WellGate 2644WellGate 2644
WellGate 2644Long Nguyen
 
Analyzing dhc pv6 stateful and stateless
Analyzing dhc pv6 stateful and statelessAnalyzing dhc pv6 stateful and stateless
Analyzing dhc pv6 stateful and statelessMarco Canales NAveda
 
2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-Eduardo Coelho
 

Contenu connexe

Tendances

From NAT to NAT Traversal
From NAT to NAT TraversalFrom NAT to NAT Traversal
From NAT to NAT TraversalLi-Wei Yao
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)Martin Schütte
 
Things I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedThings I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedFaelix Ltd
 
IPv6 - Jozi Linux User Group Presentation
IPv6 - Jozi Linux User Group PresentationIPv6 - Jozi Linux User Group Presentation
IPv6 - Jozi Linux User Group PresentationJumping Bean
 
I pv6 tutorial
I pv6 tutorialI pv6 tutorial
I pv6 tutorialFred Bovy
 
Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0Fred Bovy
 
PLNOG 13: M. Czerwonka, T. Kossut: IPv6 in mobile network
PLNOG 13: M. Czerwonka, T. Kossut: IPv6 in mobile networkPLNOG 13: M. Czerwonka, T. Kossut: IPv6 in mobile network
PLNOG 13: M. Czerwonka, T. Kossut: IPv6 in mobile networkPROIDEA
 
Nat traversal in WebRTC context
Nat traversal in WebRTC contextNat traversal in WebRTC context
Nat traversal in WebRTC contextAudioCodes
 
IPV6 SIMPLE SECURITY CAPABILITIES
IPV6 SIMPLE SECURITY CAPABILITIESIPV6 SIMPLE SECURITY CAPABILITIES
IPV6 SIMPLE SECURITY CAPABILITIESOlle E Johansson
 
Fedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsFedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsTim Martin
 
PCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingPCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingAPNIC
 
How to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsHow to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsToradex
 

Tendances (20)

From NAT to NAT Traversal
From NAT to NAT TraversalFrom NAT to NAT Traversal
From NAT to NAT Traversal
 
The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)The IPv6 Snort Plugin (at DeepSec 2014)
The IPv6 Snort Plugin (at DeepSec 2014)
 
Nat
NatNat
Nat
 
Things I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I startedThings I wish I had known about IPv6 before I started
Things I wish I had known about IPv6 before I started
 
IPv6 - Jozi Linux User Group Presentation
IPv6 - Jozi Linux User Group PresentationIPv6 - Jozi Linux User Group Presentation
IPv6 - Jozi Linux User Group Presentation
 
I pv6 tutorial
I pv6 tutorialI pv6 tutorial
I pv6 tutorial
 
Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0Fb i pv6-sparchimanv1.0
Fb i pv6-sparchimanv1.0
 
IPv6 Addressing
IPv6 AddressingIPv6 Addressing
IPv6 Addressing
 
PLNOG 13: M. Czerwonka, T. Kossut: IPv6 in mobile network
PLNOG 13: M. Czerwonka, T. Kossut: IPv6 in mobile networkPLNOG 13: M. Czerwonka, T. Kossut: IPv6 in mobile network
PLNOG 13: M. Czerwonka, T. Kossut: IPv6 in mobile network
 
Nat traversal in WebRTC context
Nat traversal in WebRTC contextNat traversal in WebRTC context
Nat traversal in WebRTC context
 
Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5Ccna 2 chapter 11 2014 v5
Ccna 2 chapter 11 2014 v5
 
IPV6 SIMPLE SECURITY CAPABILITIES
IPV6 SIMPLE SECURITY CAPABILITIESIPV6 SIMPLE SECURITY CAPABILITIES
IPV6 SIMPLE SECURITY CAPABILITIES
 
Fedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsFedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friends
 
IPv6 DHCP
IPv6 DHCPIPv6 DHCP
IPv6 DHCP
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_Final
 
ICE basic
ICE basicICE basic
ICE basic
 
PCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet RoutingPCTA e-Tech Show 2021: Securing Internet Routing
PCTA e-Tech Show 2021: Securing Internet Routing
 
6.Routing
6.Routing6.Routing
6.Routing
 
How to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux SystemsHow to Use GSM/3G/4G in Embedded Linux Systems
How to Use GSM/3G/4G in Embedded Linux Systems
 
WellGate 2644
WellGate 2644WellGate 2644
WellGate 2644
 

Similaire à Swiss IPv6 Council: Konfusion um die Router Flags

Analyzing dhc pv6 stateful and stateless
Analyzing dhc pv6 stateful and statelessAnalyzing dhc pv6 stateful and stateless
Analyzing dhc pv6 stateful and statelessMarco Canales NAveda
 
2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-Eduardo Coelho
 
APNIC Update
APNIC Update APNIC Update
APNIC Update APNIC
 
Ipv6 tutorial
Ipv6 tutorialIpv6 tutorial
Ipv6 tutorialsaryu2011
 
Installation Of An Iso Image Dvd
Installation Of An Iso Image DvdInstallation Of An Iso Image Dvd
Installation Of An Iso Image DvdSusan Cox
 
7 2.5 3 Lab - Identifying IPv6 Addresses.pdf
7 2.5 3 Lab - Identifying IPv6 Addresses.pdf7 2.5 3 Lab - Identifying IPv6 Addresses.pdf
7 2.5 3 Lab - Identifying IPv6 Addresses.pdfSamantha Vargas
 
Panel with IPv6 CE Vendors
Panel with IPv6 CE VendorsPanel with IPv6 CE Vendors
Panel with IPv6 CE VendorsAPNIC
 
Ipv4 over ipv6 by Jigar Tarsariya
Ipv4 over ipv6 by Jigar TarsariyaIpv4 over ipv6 by Jigar Tarsariya
Ipv4 over ipv6 by Jigar TarsariyaJigar Tarsariya
 
ARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN
 

Similaire à Swiss IPv6 Council: Konfusion um die Router Flags (20)

Analyzing dhc pv6 stateful and stateless
Analyzing dhc pv6 stateful and statelessAnalyzing dhc pv6 stateful and stateless
Analyzing dhc pv6 stateful and stateless
 
2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-2012 11-09 facex - i pv6 transition planning-
2012 11-09 facex - i pv6 transition planning-
 
APNIC Update
APNIC Update APNIC Update
APNIC Update
 
IPv6
IPv6IPv6
IPv6
 
CCNA CHAPTER 16 BY jetarvind kumar madhukar
CCNA CHAPTER 16 BY jetarvind kumar madhukarCCNA CHAPTER 16 BY jetarvind kumar madhukar
CCNA CHAPTER 16 BY jetarvind kumar madhukar
 
Ipv6 tutorial
Ipv6 tutorialIpv6 tutorial
Ipv6 tutorial
 
Ipv6 tutorial
Ipv6 tutorialIpv6 tutorial
Ipv6 tutorial
 
Installation Of An Iso Image Dvd
Installation Of An Iso Image DvdInstallation Of An Iso Image Dvd
Installation Of An Iso Image Dvd
 
Ipv6 questions
Ipv6 questionsIpv6 questions
Ipv6 questions
 
I pv6 aag-v3_019-kr
I pv6 aag-v3_019-krI pv6 aag-v3_019-kr
I pv6 aag-v3_019-kr
 
I pv6 aag-v3_019-kr
I pv6 aag-v3_019-krI pv6 aag-v3_019-kr
I pv6 aag-v3_019-kr
 
Neutron IPv6
Neutron IPv6Neutron IPv6
Neutron IPv6
 
7 2.5 3 Lab - Identifying IPv6 Addresses.pdf
7 2.5 3 Lab - Identifying IPv6 Addresses.pdf7 2.5 3 Lab - Identifying IPv6 Addresses.pdf
7 2.5 3 Lab - Identifying IPv6 Addresses.pdf
 
Autoconfig
AutoconfigAutoconfig
Autoconfig
 
Panel with IPv6 CE Vendors
Panel with IPv6 CE VendorsPanel with IPv6 CE Vendors
Panel with IPv6 CE Vendors
 
3hows
3hows3hows
3hows
 
Ipv4 over ipv6 by Jigar Tarsariya
Ipv4 over ipv6 by Jigar TarsariyaIpv4 over ipv6 by Jigar Tarsariya
Ipv4 over ipv6 by Jigar Tarsariya
 
ARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities ReportARIN 34 IPv6 IAB/IETF Activities Report
ARIN 34 IPv6 IAB/IETF Activities Report
 
7 slaac-rick graziani
7 slaac-rick graziani7 slaac-rick graziani
7 slaac-rick graziani
 
IPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCTIPv6 Security Overview by QS Tahmeed, APNIC RCT
IPv6 Security Overview by QS Tahmeed, APNIC RCT
 

Plus de Digicomp Academy AG

Becoming Agile von Christian Botta – Personal Swiss Vortrag 2019
Becoming Agile von Christian Botta – Personal Swiss Vortrag 2019Becoming Agile von Christian Botta – Personal Swiss Vortrag 2019
Becoming Agile von Christian Botta – Personal Swiss Vortrag 2019Digicomp Academy AG
 
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...Digicomp Academy AG
 
Innovation durch kollaboration gennex 2018
Innovation durch kollaboration gennex 2018Innovation durch kollaboration gennex 2018
Innovation durch kollaboration gennex 2018Digicomp Academy AG
 
Roger basler meetup_digitale-geschaeftsmodelle-entwickeln_handout
Roger basler meetup_digitale-geschaeftsmodelle-entwickeln_handoutRoger basler meetup_digitale-geschaeftsmodelle-entwickeln_handout
Roger basler meetup_digitale-geschaeftsmodelle-entwickeln_handoutDigicomp Academy AG
 
Roger basler meetup_21082018_work-smarter-not-harder_handout
Roger basler meetup_21082018_work-smarter-not-harder_handoutRoger basler meetup_21082018_work-smarter-not-harder_handout
Roger basler meetup_21082018_work-smarter-not-harder_handoutDigicomp Academy AG
 
Xing expertendialog zu nudge unit x
Xing expertendialog zu nudge unit xXing expertendialog zu nudge unit x
Xing expertendialog zu nudge unit xDigicomp Academy AG
 
Responsive Organisation auf Basis der Holacracy – nur ein Hype oder die Zukunft?
Responsive Organisation auf Basis der Holacracy – nur ein Hype oder die Zukunft?Responsive Organisation auf Basis der Holacracy – nur ein Hype oder die Zukunft?
Responsive Organisation auf Basis der Holacracy – nur ein Hype oder die Zukunft?Digicomp Academy AG
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinDigicomp Academy AG
 
Agiles Management - Wie geht das?
Agiles Management - Wie geht das?Agiles Management - Wie geht das?
Agiles Management - Wie geht das?Digicomp Academy AG
 
Gewinnen Sie Menschen und Ziele - Referat von Andi Odermatt
Gewinnen Sie Menschen und Ziele - Referat von Andi OdermattGewinnen Sie Menschen und Ziele - Referat von Andi Odermatt
Gewinnen Sie Menschen und Ziele - Referat von Andi OdermattDigicomp Academy AG
 
Querdenken mit Kreativitätsmethoden – XING Expertendialog
Querdenken mit Kreativitätsmethoden – XING ExpertendialogQuerdenken mit Kreativitätsmethoden – XING Expertendialog
Querdenken mit Kreativitätsmethoden – XING ExpertendialogDigicomp Academy AG
 
Xing LearningZ: Digitale Geschäftsmodelle entwickeln
Xing LearningZ: Digitale Geschäftsmodelle entwickelnXing LearningZ: Digitale Geschäftsmodelle entwickeln
Xing LearningZ: Digitale Geschäftsmodelle entwickelnDigicomp Academy AG
 
Swiss IPv6 Council: The Cisco-Journey to an IPv6-only Building
Swiss IPv6 Council: The Cisco-Journey to an IPv6-only BuildingSwiss IPv6 Council: The Cisco-Journey to an IPv6-only Building
Swiss IPv6 Council: The Cisco-Journey to an IPv6-only BuildingDigicomp Academy AG
 
UX – Schlüssel zum Erfolg im Digital Business
UX – Schlüssel zum Erfolg im Digital BusinessUX – Schlüssel zum Erfolg im Digital Business
UX – Schlüssel zum Erfolg im Digital BusinessDigicomp Academy AG
 
Die IPv6 Journey der ETH Zürich
Die IPv6 Journey der ETH Zürich Die IPv6 Journey der ETH Zürich
Die IPv6 Journey der ETH Zürich Digicomp Academy AG
 
Xing LearningZ: Die 10 + 1 Trends im (E-)Commerce
Xing LearningZ: Die 10 + 1 Trends im (E-)CommerceXing LearningZ: Die 10 + 1 Trends im (E-)Commerce
Xing LearningZ: Die 10 + 1 Trends im (E-)CommerceDigicomp Academy AG
 
Zahlen Battle: klassische werbung vs.online-werbung-somexcloud
Zahlen Battle: klassische werbung vs.online-werbung-somexcloudZahlen Battle: klassische werbung vs.online-werbung-somexcloud
Zahlen Battle: klassische werbung vs.online-werbung-somexcloudDigicomp Academy AG
 
General data protection regulation-slides
General data protection regulation-slidesGeneral data protection regulation-slides
General data protection regulation-slidesDigicomp Academy AG
 

Plus de Digicomp Academy AG (20)

Becoming Agile von Christian Botta – Personal Swiss Vortrag 2019
Becoming Agile von Christian Botta – Personal Swiss Vortrag 2019Becoming Agile von Christian Botta – Personal Swiss Vortrag 2019
Becoming Agile von Christian Botta – Personal Swiss Vortrag 2019
 
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
Swiss IPv6 Council – Case Study - Deployment von IPv6 in einer Container Plat...
 
Innovation durch kollaboration gennex 2018
Innovation durch kollaboration gennex 2018Innovation durch kollaboration gennex 2018
Innovation durch kollaboration gennex 2018
 
Roger basler meetup_digitale-geschaeftsmodelle-entwickeln_handout
Roger basler meetup_digitale-geschaeftsmodelle-entwickeln_handoutRoger basler meetup_digitale-geschaeftsmodelle-entwickeln_handout
Roger basler meetup_digitale-geschaeftsmodelle-entwickeln_handout
 
Roger basler meetup_21082018_work-smarter-not-harder_handout
Roger basler meetup_21082018_work-smarter-not-harder_handoutRoger basler meetup_21082018_work-smarter-not-harder_handout
Roger basler meetup_21082018_work-smarter-not-harder_handout
 
Xing expertendialog zu nudge unit x
Xing expertendialog zu nudge unit xXing expertendialog zu nudge unit x
Xing expertendialog zu nudge unit x
 
Responsive Organisation auf Basis der Holacracy – nur ein Hype oder die Zukunft?
Responsive Organisation auf Basis der Holacracy – nur ein Hype oder die Zukunft?Responsive Organisation auf Basis der Holacracy – nur ein Hype oder die Zukunft?
Responsive Organisation auf Basis der Holacracy – nur ein Hype oder die Zukunft?
 
IPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe KleinIPv6 Security Talk mit Joe Klein
IPv6 Security Talk mit Joe Klein
 
Agiles Management - Wie geht das?
Agiles Management - Wie geht das?Agiles Management - Wie geht das?
Agiles Management - Wie geht das?
 
Gewinnen Sie Menschen und Ziele - Referat von Andi Odermatt
Gewinnen Sie Menschen und Ziele - Referat von Andi OdermattGewinnen Sie Menschen und Ziele - Referat von Andi Odermatt
Gewinnen Sie Menschen und Ziele - Referat von Andi Odermatt
 
Querdenken mit Kreativitätsmethoden – XING Expertendialog
Querdenken mit Kreativitätsmethoden – XING ExpertendialogQuerdenken mit Kreativitätsmethoden – XING Expertendialog
Querdenken mit Kreativitätsmethoden – XING Expertendialog
 
Xing LearningZ: Digitale Geschäftsmodelle entwickeln
Xing LearningZ: Digitale Geschäftsmodelle entwickelnXing LearningZ: Digitale Geschäftsmodelle entwickeln
Xing LearningZ: Digitale Geschäftsmodelle entwickeln
 
Swiss IPv6 Council: The Cisco-Journey to an IPv6-only Building
Swiss IPv6 Council: The Cisco-Journey to an IPv6-only BuildingSwiss IPv6 Council: The Cisco-Journey to an IPv6-only Building
Swiss IPv6 Council: The Cisco-Journey to an IPv6-only Building
 
UX – Schlüssel zum Erfolg im Digital Business
UX – Schlüssel zum Erfolg im Digital BusinessUX – Schlüssel zum Erfolg im Digital Business
UX – Schlüssel zum Erfolg im Digital Business
 
Minenfeld IPv6
Minenfeld IPv6Minenfeld IPv6
Minenfeld IPv6
 
Was ist design thinking
Was ist design thinkingWas ist design thinking
Was ist design thinking
 
Die IPv6 Journey der ETH Zürich
Die IPv6 Journey der ETH Zürich Die IPv6 Journey der ETH Zürich
Die IPv6 Journey der ETH Zürich
 
Xing LearningZ: Die 10 + 1 Trends im (E-)Commerce
Xing LearningZ: Die 10 + 1 Trends im (E-)CommerceXing LearningZ: Die 10 + 1 Trends im (E-)Commerce
Xing LearningZ: Die 10 + 1 Trends im (E-)Commerce
 
Zahlen Battle: klassische werbung vs.online-werbung-somexcloud
Zahlen Battle: klassische werbung vs.online-werbung-somexcloudZahlen Battle: klassische werbung vs.online-werbung-somexcloud
Zahlen Battle: klassische werbung vs.online-werbung-somexcloud
 
General data protection regulation-slides
General data protection regulation-slidesGeneral data protection regulation-slides
General data protection regulation-slides
 

Dernier

Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewingbigorange77
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxellan12
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneCall girls in Ahmedabad High profile
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsstephieert
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)Damian Radcliffe
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneVIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneCall girls in Ahmedabad High profile
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 

Dernier (20)

Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewing
 
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptxAWS Community DAY Albertini-Ellan Cloud Security (1).pptx
AWS Community DAY Albertini-Ellan Cloud Security (1).pptx
 
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls KolkataLow Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
Low Rate Call Girls Kolkata Avani 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
 
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service ThaneRussian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
Russian Call Girls Thane Swara 8617697112 Independent Escort Service Thane
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girlsRussian Call girls in Dubai +971563133746 Dubai Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In South Ex 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)How is AI changing journalism? (v. April 2024)
How is AI changing journalism? (v. April 2024)
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service PuneVIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
VIP Call Girls Pune Madhuri 8617697112 Independent Escort Service Pune
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 

Swiss IPv6 Council: Konfusion um die Router Flags

  • 1. www.ernw.de OS IPv6 Behavior in Conflicting Environments Enno Rey, erey@ernw.de @Enno_Insinuator
  • 2. www.ernw.de Who I Am ¬ Founder and managing director of vendor independent network consulting & security assessment company ERNW. ¬ Old-school network guy with some background in large scale operations. ¬ Involved with IPv6 since 1999 and regularly blogging at www.insinuator.net. 4/30/2015 #2
  • 3. www.ernw.de Agenda ¬ Fundamentals  Quick Refresher of Basics & Specifications ¬ Results from the Lab  Some Surprises (?) ¬ Conclusions  What All this Means from an Operations Perspective 4/30/2015 #3
  • 5. www.ernw.de Address Autoconfig Overview ¬ IPv6 interfaces are meant to configure themselves automatically, in terms of "basic IP parameters".  Even without DHCPv6.  In particular without DHCPv6!  Remember: IPv6 = consumer technology. ¬ Link-local addresses are always configured, for each interface. ¬ Using the router discovery process, other addresses, router addresses and other configuration parameters are selected. 4/30/2015 #5
  • 6. www.ernw.de Types of Autoconfiguration ¬ Stateless  Via Router Advertisement Messages (with one or more prefix)  Can (in theory) also distribute "other parameters", see RFC 6106.  SLAAC: “stateless address autoconfiguration“ ¬ Stateful  Usage of a Stateful Address Protocol (e.g. DHCPv6). ¬ Stateless with DHCP  Use of Router Advertisement messages for allocation of prefixes  In addition, DHCP for "other parameters” (e.g. DNS Server, Domain Search List). (In all cases there is always at least one link-local address anyway!) 4/30/2015 #6
  • 7. www.ernw.de Neighbor Discovery Protocol RFC 4861 ¬ Neighbor Discovery (ND) provides mechanisms for the following tasks: 1. Neighbor Discovery / Address Resolution 2. Router Discovery 3. Prefix Discovery 4. Parameter Discovery 5. Address Autoconfiguration 6. Next-Hop Determination 7. Neighbor Unreachability Detection 8. Duplicate Address Detection 9. Redirects 4/30/2015 #7
  • 8. www.ernw.de Router Discovery ¬ Used to detect routers that are connected to the local network. ¬ IPv6 router discovery can also help to provide the following information:  Default value for the "Hop Limit" field  Whether any "stateful address protocol” (DHCPv6) should be used.  Settings for the “Retransmission Timer”  The network prefix for the local network  The MTU of the network  Mobile IPv6 Information  Routing Information 4/30/2015 #8
  • 9. www.ernw.de Multicast Router Solicitation Message Router Alice 1. Multicast Router Solicitation Router Solicitation MAC: 00-01-02-03-04-05 IP: none MAC: 00-11-22-33-44-55 IP: FE80::211:22FF:FE33:4455 Ethernet Header • Dest.-MAC: 33-33-00-00-00-02 IPv6 Header • Source-IP::: • Dest.-IP: FF02::2 • Hop limit: 255 Router Solicitation 4/30/2015 #9
  • 10. www.ernw.de Router AdvertisementMessageRouter Alice 2. Multicast Router Advertisement Router Advertisement MAC: 00-01-02-03-04-05 IP: none MAC: 00-11-22-33-44-55 IP: FE80::211:22FF:FE33:4455 Ethernet Header • Dest.-MAC: 33-33-00-00-00-01 IPv6 Header • Source-IP:FE80::211:22FF:FE33:4455 • Dest.-IP: FF02::1 • Hop limit: 255 Router Advertisement Header • Current Hop Limit, Flags, Router Lifetime, Reachable and Retransmission Timers Neighbor Discovery Options • Source Link-Layer Address • MTU • Prefix Information 4/30/2015 #10
  • 11. www.ernw.de Router Advertisements, Flags (I) ¬ The “Autonomous address configuration” (A) flag. When set, this flag indicates that this prefix can be used for stateless address autoconfiguration, as specified in [RFC4862]. 4/30/2015 #11
  • 12. www.ernw.de Router Advertisements, Flags (II) ¬ Routers can inform adjacent hosts (neighbors on the local link) that additional configuration parameters (like a DNS server) are available over a stateful configuration protocol (DHCPv6). ¬ In the router advertisement header two flags (M and O) can be included which can be set to inform the clients that additional configuration parameters are available. 4/30/2015 #12
  • 13. www.ernw.de O-Flag ¬ 1-bit ”other configuration“ flag ¬ When set, it indicates that other configuration information is available via DHCPv6. ¬ Examples of such information are DNS- related information (DNS Server, DNS Suffix). ¬ Both flags are defined in RFC 4861 (Section 4.2). 4/30/2015 #13
  • 14. www.ernw.de M-Flag ¬ 1-bit "Managed address configuration" flag. ¬ When set, it indicates that addresses are available through DHCPv6. ¬ If the M flag is set, the O flag is redundant and can be ignored because DHCPv6 will return all available configuration information. ¬ If neither M nor O flags are set, this indicates that no information is available via DHCPv6.  Rly? See below... 4/30/2015 #14
  • 15. www.ernw.de And Finally There‘s RFC 6106 4/30/2015 #15
  • 16. www.ernw.de DHCPv6 ¬ Specified (initially|mainly) in RFC 3315. ¬ Uses UDP Ports 546 (Clients) and 547 (Server/Relays). ¬ DHCPv6 uses multicast packets in IPv6. ¬ Clients/Server will be identified by:  DUID + IAID(s) ¬ Components of a DHCPv6 Infrastructure  DHCPv6 Clients  DHCPv6 Server  DHCPv6 Relay Agents 4/30/2015 #16
  • 17. www.ernw.de DHCPv6 Message Types DHCPv6 Message Type DHCPv4 Message Type SOLICIT (1) DHCPDISCOVER ADVERTISE (2) DHCPOFFER REQUEST (3), RENEW (5), REBIND (6) DHCPREQUEST REPLY (7) DHCPACK/DHCPNAK RELEASE (8) DHCPRELEASE INFORMATION-REQUEST (11) DHCPINFORM DECLINE(9) DHCPDECLINE CONFIRM (4) - No equivalent - RECONFIGURE (10) DHCPFORCERENEW RELAY-FORW (12), RELAY REPLY (13) - No equivalent - 4/30/2015 #17
  • 18. www.ernw.de DHCP Message Exchange [“M-Flag Variant”] 4/30/2015 #18
  • 19. www.ernw.de Main Differences ¬ There is no “route option“ in DHCPv6 ¬ Concept of DUID ¬ The (Non-) Role of DHCPv6 in IPv6‘s “Subnet Model“ (RFC 5942) On the Protocol Level 4/30/2015 #19
  • 20. www.ernw.de Differences ¬ (Informational) RFC 6434 IPv6 Node Requirements, sect. 5.9.5:  “[A]ll hosts SHOULD implement address configuration via DHCPv6.” ¬ For the record, RFC 2119 states:  “SHOULD This word[…] mean[s] that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.” Here‘s another one not to strictly blame on the protocol itself. 4/30/2015 #20
  • 21. www.ernw.de DHCPv6 Support by OSs ¬ “Marking [Support for DHCPv6] declined until there is a compelling use case.  -- Lorenzo Colitti (Google) on Dec 07 2014 ¬  No DHCPv6 on Android  Except for the Fairphone. ¬ There are people who expect that Android is going to be one of the major OS for #IoT... What could possibly go wrong? Who could possibly deviate? https://code.google.com/p/android/issues /detail?id=32621 4/30/2015 #21
  • 22. www.ernw.de Once upon a Time ¬ They had a certain place for DHCPv6 in mind, within the IPv6 universe. ¬ This happened to be a very different role from the (at the time developing) role of DHCP in IPv4. ¬ Tell you what: this is going to haunt you. When our ancestors did the initial specs of IPv6 4/30/2015 #22
  • 23. www.ernw.de What Do You Mean? ¬ DHCPv4 was meant to be exclusive.  Either configure basic IPv4 properties manually or get the stuff from DHCPv4.  Once DHCPv4 is used, it‘s used for everything. ¬ DHCPv6 is meant to be complementary.  It can (and must) be mixed with other spicy stuff.  Add some #RFCambiguity to the mix. ¬ To fully understand what this means, let‘s step back one step and look at... Can you please elude? 4/30/2015 #23
  • 25. www.ernw.de RFC 4861 ¬ Sect. 4.2 “If neither M nor O flags are set, this indicates that no information is available via DHCPv6.” ¬ If the M flag is set, the O flag is redundant and it can be ignored. 4/30/2015 #25
  • 26. www.ernw.de Some More Quotes ¬ RFC 4862, 5.5.2 Absence of Router Advertisements  “Even if a link has no routers, the DHCPv6 service to obtain addresses may still be available, and hosts may want to use the service.” ¬ RFC 4862, 5.6 Configuration Consistency  “If the same configuration information is provided by multiple sources, the value of this information should be consistent.”  “In any case, if there is no security difference, the most recently obtained values SHOULD have precedence over information learned earlier.” Not much RFC 2119 in there, is it? 4/30/2015 #26
  • 27. www.ernw.de RFC 6106 “1.2 Coexistence of RA Options and DHCP Options for DNS Configuration Two protocols exist to configure the DNS information on a host, the Router Advertisement options described in this document and the DHCPv6 options described in [RFC3646]. They can be used together. The rules governing the decision to use stateful configuration mechanisms are specified in [RFC4861]. Hosts conforming to this specification MUST extract DNS information from Router Advertisement messages, unless static DNS configuration has been specified by the user. If there is DNS information available from multiple Router Advertisements and/or from DHCP, the host MUST maintain an ordered list of this information as specified in Section 5.3.1. 4/30/2015 #27
  • 28. www.ernw.de RFC 6106 In the case where the DNS options of RDNSS and DNSSL can be obtained from multiple sources, such as RA and DHCP, the IPv6 host SHOULD keep some DNS options from all sources. Unless explicitly specified for the discovery mechanism, the exact number of addresses and domain names to keep is a matter of local policy and implementation choice. However, the ability to store at least three RDNSS addresses (or DNSSL domain names) from at least two different sources is RECOMMENDED. The DNS options from Router Advertisements and DHCP SHOULD be stored into the DNS Repository and Resolver Repository so that information from DHCP appears there first and therefore takes precedence. Thus, the DNS information from DHCP takes precedence over that from RA for DNS queries. Section 5.3.1 4/30/2015 #28
  • 29. www.ernw.de In Short 4/30/2015 #29 ¬ It‘s a mess! At least on the specs level.
  • 30. www.ernw.de Problem Statement From a High-Level Perspective 4/30/2015 #30
  • 31. www.ernw.de Problem Statement (I) ¬ IPv6 provides two mechanisms for one task, that is provisioning of IP parameters to nodes. 4/30/2015 #31
  • 32. www.ernw.de Problem Statement (II) ¬ They are independent.  Well, mostly. ¬ In many environments both of them are needed, in some combination.  In particular this applies in (wrt OSs, devices) heterogeneous environments. Read: probably in pretty much all of your environments. ¬ In some environments different groups might be responsible for operating them.  Why did you add this to the “problem statement“? Well... ¬ There‘s differences as for the degree of vendor support & their strategies. There‘s two mechanisms 4/30/2015 #32
  • 33. www.ernw.de Problem Statement (III) ¬ Some properties and elements have been enhanced over time, e.g. RFC 6106.  Evolution is a good thing. Seriously! ¬ Still, there‘s a certain (alas, when it comes to IPv6: usual) amount of ambiguity and vagueness in the main RFCs. Let‘s look at the specs... 4/30/2015 #33
  • 34. www.ernw.de Problem Statement (IV) ¬ The “cooperation“ of those two mechanisms has been discussed quite a bit, both in the specs and in “the relevant fora“. ¬ However, not so much as for scenarios where the information provided by them is conflicting. ¬ This is what this talk is about. 4/30/2015 #34
  • 35. www.ernw.de Problem Statement (IV) ¬ Human error  Both on the active failure and latent failure level. ¬ Conflicting/differing vendor default settings  Network devices  CPEs!  Keep in mind: there might be any OS in customers‘ networks. ¬ Attacker injecting nasty packets  Boils down to “standard local-link sec“ discussion  I will only briefly cover this. Can this (“contradiction scenario“) happen? 4/30/2015 #35
  • 37. www.ernw.de Lab Setup ¬ A DHCPv6 Server (DHCP ISC Version 4.3.1) installed on CentOs 6.6 . The DHCPv6 server is configured to provide both IPv6 addresses and RDNSS information. ¬ Two (2) routers Cisco 4321 using Cisco IOS Software version 15.5(1)S. ¬ The following OS as clients:  Fedora 21, kernel version 3.18.3-201 x64  Ubuntu 14.04.1 LTS, kernel version 3.13.0-44-generic  CentOS 7, kernel version 3.10.0-123.13.2.el7  Mac OS X 10.10.2 Yosemite  Windows 7  Windows 8.1 See also: https://www.ernw.de/download/ERNW_White paper_IPv6_RAs_RDNSS_DHCPv6_Conflictin g_Parameters.pdf 4/30/2015 #37
  • 38. www.ernw.de Case 1: One Router with the Management Flag not Set and a DHCPv6 Server ¬ Fedora 21, MAC OS X, CentOS 7 and Ubuntu 14.04  Get an IPv6 address and an RDNSS from the IPv6 router only. ¬ Windows 7  Get an IPv6 address from the router only, but they do not get any DNS information, neither from the router nor from the DHCPv6 server. They also do not get IPv6 address from the DHCPv6 server. ¬ Windows 8.1  Get an IPv6 address from both the IPv6 router and the DHCPv6 server, despite the fact that the Management flag (M) is not set. They get RDNSS information from the DHCPv6 only. Router: M=0, A=1, O=0 and an RDNSS is advertised. DHCPv6 server on the same link offering IPv6 addresses & RDNSS 4/30/2015 #38
  • 39. www.ernw.de Case 2: One Router with Conflicting Parameters and a DHCPv6 Server ¬ Fedora 21, Centos 7 and Ubuntu 14.04  get IPv6 address using SLAAC only.  Fedora 21, Centos 7 get RDNSS from both the RAs and the DHCPv6 server. The RDNSS obtained from the router has a higher priority though.  Ubuntu 14.04 gets an RDNSS from the router, and a “domain search list” information from the DHCPv6 server – but not RDNSS information. Router: M=0, A=1, O=1, and an RDNSS is advertised. A DHCPv6 server on the same link advertising IPv6 addresses and RDNSS 4/30/2015 #39
  • 40. www.ernw.de Case 2 Results cont‘d ¬ MAC OS X  gets RDNSS from both, IPv6 address using SLAAC (no IPv6 address from the DHCPv6 server) but the RDNSS obtained from the DHCPv6 server is first (it has a higher priority). However, the other obtained from the RAs is also present. ¬ Windows 7 and Windows 8.1  obtain IPv6 addresses using SLAAC and RDNSS from the DHCPv6 server. They do not get an IPv6 address from the DHCPv6 server.   compare the Windows 8.1 behaviour with the previous case. 4/30/2015 #40
  • 41. www.ernw.de Additional Observations ¬ [draft-ietf-v6ops-dhcpv6-slaac-problem-03] explicitly discusses the role of state transitions. ¬ We can confirm that these lead to particularly interesting effects.   Pay special attention in times when you perform those deliberately. Be prepared for surprises... ¬ In general the order of events seems to play a role, too.  See also test cases with two routers. 4/30/2015 #41
  • 42. www.ernw.de Case 4: All Flags are Set and a DHCPv6 Server is Present ¬ Fedora 21 and Centos 7:  They get IPv6 addresses both from SLAAC and DHCPv6 server.  They get RDNSS both from RAs and DHCPv6 server.  The DNS of the RAs has higher priority. ¬ Ubuntu 14.04:  It gets IPv6 addresses both using SLAAC and from the DHCPv6 server.  It gets RDNSS from RAs only.  From the DHCPv6 server it only gets “Domain Search List” information, no RDNSS. Router: M=1, A=1, O=1, and an RDNSS is advertised. A DHCPv6 server on the same link advertising IPv6 addresses and RDNSS. 4/30/2015 #42
  • 43. www.ernw.de Case 4 Results cont‘d ¬ MAC OS X:  It gets IPv6 addresses both using SLAAC and from the DHCPv6 server.  It also gets RDNSS both from RAs and the DHCPv6 server.  The DNS server from DHCPv6 has higher priority. ¬ Windows 7 and Windows 8.1:  They get IPv6 addresses both from SLAAC and DHCPv6 server.  They get RDNSS only from the DHCPv6 server. 4/30/2015 #43
  • 45. www.ernw.de More Stuff from the Lab 4/30/2015 #45
  • 46. www.ernw.de Case 7: Router 1 Advertising M=0, O=0 and RDNSS, and then Router 2 advertising M=1, O=1 while DHCPv6 is Present ¬ MAC OS X and Ubuntu 14.04:  Initially they get address and RDNSS from the first router.  When they receive RAs from the second router, they never get any information (IPv6 address or RDNSS) from the DHCPv6 server. Initially: One IPv6 router with the following settings: M=0, O=0, A=1 and RDNSS advertised and 15 seconds time interval of the RAs. After a while (when clients are configured by the RAs of the above router) another IPv6 router with the following: M=1, O=1, no advertised prefix information, and 30 seconds time interval of the RAs. 4/30/2015 #46
  • 47. www.ernw.de Case 7 Results cont‘d ¬ Fedora 21 and Centos 7:  Initially they get IPv6 address and RDNSS from the RAs of the first router.  When they receive an RA from router 2, they also get an IPv6 address and RDNSS from the DHCPv6 server while retaining the ones (IPv6 address and RDNSS) obtained from the RAs of the first router.  The RDNSS obtained from the first router has a higher priority than the one obtained from the DHCPv6 server (probably because it was received first).  When they receive again RAs from the first router, they lose/forget the information (IPv6 address and RDNSS) obtained from the DHCPv6 server.  Troubleshooting nightmare… 4/30/2015 #47
  • 48. www.ernw.de Case 7 Results cont‘d ¬ Windows 7:  Initially they get address from the first router – no RDNSS.  When they receive RAs from the second router, they never get any information (IPv6 address or RDNSS) from the DHCPv6 server. 4/30/2015 #48
  • 49. www.ernw.de Case 7 Results cont‘d ¬ Windows 8.1:  Initially, they get just an IPv6 address from the first router 1 - no RDNSS information (since they do not implement RFC 6106).  When they receive RAs from the second router, then they also get an IPv6 address from the DHCPv6 server, as well as RDNSS from it. They do not lose the IPv6 address obtained by the first router using SLAAC.  When they receive another RA from the first router, they retain all the information obtained so far (there isn't any change). 4/30/2015 #49
  • 52. www.ernw.de ¬ Don‘t assume a certain OS‘ IPv6 behavior just because:  “the specs say so“  “another OS does it that way“  you have a good understanding of IPv4. ¬ Sorry guys ;-) ¬ Test, test, test!  Helps to gain (even more) IPv6 knowledge anyway.  Yes, pls allocate budget for test lab. 4/30/2015 #52
  • 53. www.ernw.de Keep RFC 1925 in Mind ¬ “(4) Some things in life can never be fully appreciated nor understood unless experienced firsthand. Some things in networking can never be fully understood by someone who neither builds commercial networking equipment nor runs an operational network.” ¬ Deploying IPv6 is not a paper exercise. You need hands-on experience! ¬ Did you note Jeff Carrell gives his cool workshops at the IPv6 Business Conference?  Mark June 17–19 2015 in your calendar! 4/30/2015 #53
  • 54. www.ernw.de Operations Perspective ¬ Keep configs/properties related to IPv6 parameter provisioning in sync, at all times  IPv6 transition might be an opportunity to re-think your ops model.  Yes, we understand you‘ll be happy to survive that one mostly unscathed, hence concentrate on one task at a time. Still #justsayin ;-) 4/30/2015 #54
  • 55. www.ernw.de Planning Perspective ¬ In short: it depends 😉 ¬ Seriously: it depends heavily on the client base you want to support. Here’s some thoughts:  in case there’s Android devices, your routers should advertise RDNSS info (RFC 6106), else the Android clients will have to rely on their IPv4 DNS or manual kludges. RFC 6106 is supported since Lollipop.  in case you don’t have Android devices, you might go _without_ advertising RDNSS in RAs, for the simple reason of reducing potential for errors/”unexpected behavior”.  once you go with m-flag DHCPv6 clearing the A-flag in prefix information, but leaving the L-flag set (to “circumvent RFC 5942″) is usually a good idea.  Ofc, you can‘t do this once there‘s Android devices as those won‘t generate any (non LL) address then.  we observe that most of our customers strive to go with m-flag DHCPv6. that‘s just an observation... 4/30/2015 #55 Considerations how to set up the whole SLAAC/DHCPv6 thing
  • 56. www.ernw.de Troubleshooting ¬ You should know how to diagnose a node‘s exact properties on the OS level  incl. types of addresses and order of name resolution  “netsh int ipv6“ commands on Win  “ip -6 add show“ on Linux  btw: /etc/resolv.conf not relevant on Mac ¬ The truth is in the packets... For the poor sod responsible... A helpful resource: https://wikispaces.psu.edu/display/ipv6/IP v6+Rosetta+Stone 4/30/2015 #56
  • 57. www.ernw.de Troubleshooting ¬ Being familiar with the following certainly helps  Flags in router advertisements  Main DHCPv6 messages  IPv6 Subnet Model (RFC 5942) and its (non-) relationship with DHCPv6 In such scenarios 4/30/2015 #57
  • 58. www.ernw.de Summary ¬ There‘s a certain learning curve when it comes to IPv6. ¬ Just looking at the specs might not be sufficient. ¬ Start now ;-) 4/30/2015 #58
  • 59. www.ernw.de There’s never enough time… THANK YOU… ...for yours! Slides: https://www.insinuator.net 4/30/2015 #59
  • 60. www.ernw.de Save the Dates ¬ Pre-Conference Day – Wednesday,17. June 2015 IPv6 Workshop: Build it, Use it with Jeff Carrell  Hands-On ¬ IPv6 Business Conference – Thursday, 18. June 2015 ¬ Post-Conference Day – Friday, 19. June 2015 IPv6 Interactive Addressing Workshop with Practical Hands-on Labs with Jeff Carrell  Hands-On, Build your own lab and take it home! ¬ Do you want to be a sponsor? 4/30/2015 #60
  • 61. www.ernw.de March, 14-18 2016 Heidelberg, Germany TROOPERS - Make the world a safer place. More info & extensive archives @ www.troopers.de Guys, we would love to see you in Heidelberg! 4/30/2015 #61
  • 62. www.ernw.de Questions? ¬ You can reach us at:  erey@ernw.de, www.ernw.de ¬ Our blog:  www.insinuator.net ¬ Follow me at:  @Enno_Insinuator 4/30/2015 #62