IPv6 Fundamentals

IPv6!Fundamentals !
Mukom Akong T. (@perfexcellent)
What you should be able to do after "nishing this module !

Fundamentals of IPv6 !
! Understand IPv4 exhaustion and its implications ! Identify IPv6 addresses ! Create an IPv6 addressing plan ! Congure and verify IPv6 on a LAN
www.afrinic.net | slide 2
Module Assumptions !
! Fundamental concepts of TCP/IPv4 ! Building basic IPv4 networks. ! Using the command line interface for common routing
platforms !! Cisco IOS !! Juniper JUNOS !! Quagga
Module deliverables !
Understand IPv4 exhaustion implications

Global IPv6 address distribution
Implications of exhaustion
Identify and work with IPv6 addresses

Address structure and notation Types of IPv6 addresses
Create an IPv6 addressing plan

Subnetting Estimate space Allocation
Describe differences between IPv4 and IPv6 Key protocols Basic configuration
Understanding!IPv4!Exhaustion!Implications !
After this section, you should be able to: ! Describe the world situation with respect to v4 addresses ! Describe the implications of IPv4 exhaustion
Understanding IPv4 Exhaustion Implications !
Central IPv4 Pool as at 16.06.2010 !
www.afrinic.net | slide 6!
Central IPv4 Pool as at 31.01.2011 !
Global IPv4 Address Distribution !
Source: www.ipv4depletion.com
Projected RIR Depletion Dates !
Source: Geof Houston
Exhaustion Consequence: IPv4 addresses are now more expensive !
$7.5m for 666,624 v4 addresses

Exhaustion Consequence: demand for IPv4 addresses may increase its price !
Exhaustion Consequence: An IPv4 address black market emerges !
"! Black markets have well-known contrary consequences

Implications of Africa running out last !

"! Scenario #1: We remain complacent and the world leaves us
behind in IPv4-land !! Cost of connecting to the rest of the world increases !! We miss any market opportunities v6 adoption presents "! Scenario #2: A rush for Africas pool by other regions !! African networks deprived of critical v4 needed to facilitate transition to v6 !! We are forced to deploy greeneld IPv6 (good) !! Use of NAT increases (bad)
IPv6!Addressing!Basics !
After this section, you should be able to:
! Work comfortably with IPv6s hexadecimal notation ! Identify, write and shorten IPv6 addresses
What is IPv6? !
Understanding IPv6 Addressing !
"! Network-layer successor to IPv4
!! 128 bits long (296 times the total IPv4 address space) !! Runs on the same physical infrastructure !! The same applications can also run on IPv6 !! Incompatible with IPv4!
"! The only sustainable answer to IPv4 exhaustion
!! Enables continued growth of the Internet !! Restores end-to-end model !! Enables the Internet of Things
IPv6 addresses are written in hexadecimal !

IPv6 address = 128 bits

(1 or 0)!
IPv6 address = 32 hexits

(0 - 9, a , b , c , d , e , f)!
IPv6 address = 8 groups of 4 hexits
2001 : db8 : c001 : face : b00c : dead : babe : 1cee : f001!
"! The 8 groups of hexits are separated by colons "! Addresses are conventionally written in lower case
How IPv6 addresses are written !

Jeff L. Carrell, Implementing IPv6 , the Nuts and Bolts about It, 2011
IPv6 pre"xes !
"! IPv6 is all CIDR i.e. no subnet masks "! A prex is written as:
aaaa:bbbb:cccc:dddd:eeee:ffff/prex length "! Prex length is a decimal in the range [0 , 128] "! Examples of prex notation: !! 2001:db8::/32 --- a prex assigned to an organisation !! 2001:db8:1ce:c001::/64 --- a prex assigned to a LAN !! 2001:db8:1ce:c001::a/64 ---an address out of a /64 prex
Rules for shortening IPv6 addresses !

! Zero-suppression: omit all leading zeroes in a group of hexits
A leading zero is that which comes immediately after a colon Each group must still contain at least one hexit ! Zero-compression: substitute two or more consecutive groups of zeroes with one double colon (::) !! This should only be done once to avoid ambiguity !! If more than substitution is possible, make that which replaces the most groups !! In case of two equal possible substitutions, make the leftmost one.
!! !!
Shortening IPv6 addresses: Example !

Shortening IPv6 addresses: Example !

Incorrect IPv6 shortening example !

IPv6!Address!Types !
! Identify different types of IPv6 addresses ! Describe the structure and scopes these addresses
Types of IPv6 addresses !

Unicast addresses ! Identifies and interface of an IPv6 node ! Can be used as source and destination of a packet ! An interface can have multiple valid IPv6 addresses Multicast addresses ! Identifies a group of IPv6 addresses ! Can only be used as the destination of a transmission ! An interface can belong to multiple multicast addresses Anycast addresses ! Same address on multiple nodes ! Packet to anycast address is delivered only to nearest one ! Packets are never sourced from an anycast address
Scope: An address extent of validity !

Global Scope Link-local Scope
Link Layer!
fe80::/10 These scopes do not apply to multicast addresses and the unspecified address
Global unicast addresses !

3 bits
45 bits Global Routing Prefix
16 bits
64 bits InterfaceID
001
SubnetID
IANA>>LIR>>ISP
"! Fixed high order bits of 001 => prex of 2000::/3 "! Example: 2001:db8:dead:beef:c001:babe:0000:aaaf
Link local unicast addresses !

10 bits
54 bits 0
64 bits InterfaceID
1111 1110 10
"! First 10 bits are 1111 1110 10 thus prex fe80::/10 "! Scope is link local thus not forwarded off-link by routers "! One per interface is always automatically congured when IPv6 is enabled "! Used for
!! !! !! !!
Automatic address conguration Default gateway on hosts Routing protocol updates Neighbor discovery
The Link local address reachability problem !

fe80::212:6bff:fe3a:9e9a N2 fe80::212:6bff:fe54:f99a N1
Fe 0/1
Fe 0/0
M2 fe80::212:6bff:fe17:fc0f
M1 fe80::245:bcff:fe47:1530
If you ping fe80::212:6bff:fe54:f99a (N1), what egress interface will router R use? see solution next slide
ZoneIDs resolving Link local address ambiguity !

"! ZoneID (or scopeID)
!! Provides the extra routing information required !! Automatically assigned by the operating system !! Only locally signicant !! [Windows] ping fe80::245:bcff:fe47:1530%11 !! [Linux] ping6 fe80::245:bcff:fe47:1530%eth0
"! A full link-local address is written as : address%zoneID "! Examples of some full link-local addresses with zoneIDs:
Examples of using ZoneID !

"! Windows Host X: fe80::1ce:c01d:dead:babe%7 "! Windows Host Y: fe80::dead:beef:1ce:c01d%10 "! Ping from X -> Y is accomplished thus
!! Use the link local address of Host Y !! Append the ZoneID of Host X on the same broadcast domain !! ping fe80::dead:beef:1ce:c01d%7 [correct] !! ping : fe80::dead:beef:1ce:c01d%11 [wrong]
Unique Local Addresses !

8 bits
40 bits Global ID
16 bits
64 bits InterfaceID
SubnetID
1111 110L
"! Private address space anyone can use without going to an ISP or
RIRs "! Prex fc00::/7 and L ag indicates whether the prex is locally assigned (1) or globally assigned (0) !! For L=1, we have fd00::/8 for ULAs that anyone can assign. !! For L=0, we have fc00::/8 for ULAs that are centrally assigned. "! Scope is global but they are usually ltered by e-BGP routers
Unique Local Addresses: GlobalID Algorithm !

8 bits
40 bits Global ID
16 bits
64 bits InterfaceID
SubnetID
1111 110L
1.! Get the current time on the day in 64bit NTP format. 2.! Get the EUI-64 identier from the MAC address or other unique
identier. 3.! Concatenate (1) and (2) 4.! Compute the SHA-1 digest of (3) 5.! Use the least signicant 40 bits of (4) as your globalID
6to4 Transition Addresses !

48 bits 2002 WWXX:YYZZ
16 bits
64 bits InterfaceID
SubnetID
w.x.y.z
"! IPv4-derrived address used in the 6to4 transition mechanism "! WWXX:YYZZ is the hex form of public v4 address w.x.y.z "! Each public IPv4 address gives an entire /48 IPv6 prex
Generating the InterfaceID Last 64 bits !

"! Manually typed by an admin on an interface "! Automatically
!! The EUI-64 algorithm. !! A pseudo-random number. !! A public key (e.g. in the CGAs)
"! Reserved interfaceIDs (RFC 5433)
!! Subnet router anycast: 0000:0000:0000:0000 !! Reserved subnet anycast: fdff:ffff:ffff:ff80 - ff

EUI-64 Automatic InterfaceID Generation !

Privacy concerns with EU-64 !

"! For a given MAC address
!! The EUI-64 interfaceID is xed !! It is re-used with the prex of any network encountered !! The prex says what network a user is on !! The MAC address can be inferred from the interfaceID
"! It is possible to track a user from their interfaceID
"! Privacy addressing (RFC4941) deals with this issue
learn.afrinic.net | slide 36!
IPv4-Mapped Transition Addresses !

80 bits 0
16 bits
32 bits IPv4 Address
ffff
"! An IPv4 address represented in IPv6 format "! Form: ::ffff:w.x.y.z/96 where w.x.y.z is a normal IPv4 address. "! Internally represents a v4 node to a v6 node "! Never used as a source or destination v6 address
ISATAP transition addresses !

64 bits Prefix
32 bits 0000:5efe
32 bits Private IPv4 Address
"! An IPv6 address formed from an private IPv4 address "! Automatically generated and assigned to ISATAP tunnels "! Form: 64bitPrex:0:5efe:a.b.c.d
!! Where a.b.c.d is an RFC1918 private IPv4 address

Multicast addresses !
8 bits 4 bits 4 bits
112 bits
Scope Flags
GroupID
1111 1111
"! Used as the destination of multicast communication "! Start with bits 1111 1111 which is prex: ff00::/8 "! Bits 8 16 specify further characteristics of the address
The Flag Bits in multicast addresses !

Bit 3 2 (R flag) 1 (P flag) 0 (T flag)
Description Reserved (must be set to 0) Rendezvous Point address is embedded (1) or not (0) Address is based on a unicast prefix (1) or not (0) Address is well-known (0) or dynamically assigned (1)
The Scope Bits in multicast addresses !

Understanding IPv6 Addressing ! Binary 0001
0010 0100 0101 1000 1110 Others
Hex 0x1 0x2 0x4 0x5 0x8 0xe Interface Link Administrative Site Organisation Global
Scope
Unassigned or Reserved
Some reserved multicast groups !

Some Well-Known/Reserved Multicast Groups Address FF01::1 FF02::1 FF01::2 FF02::2 FF05::2 FF02::5 FF02::6 FF02::A FF02::D Scope 1=Interface 2=Link 1=Interface 2=Link 5=site 2=Link 2=Link 2=Link 2=Link Description All nodes on the interface All nodes on the link All routers on the interface All routers on the link All routers in the site All OSPFv3 routers OSPFv3 designated routers All EIGRPv6 routers All PIM routers Solicited-node address
FF02::1:FFXX:XXXX 2=Link
The Solicited Node multicast address !

IPv6 Essential Theory !
Prefix InterfaceID
FF02:1::FF00: 104 bits
Lower 24 bits 24 bits
"! Multicast address for all nodes with the same IPv6 address "! Constructed as follows:
!! Prex FF02::1:FF00:/104 !! Last 24 bits of the IPv6 unicast address !! See examples next slide
Solicited node multicast addresses in action !

#show ipv6 interface g0/0 GigabitEthernet0/0 is up, line protocol is up IPv6 is enabled, link-local address is FE80::CA9C:1DFF:FE6B:B6A0 No Virtual link-local address(es): Description: [Link to R1] Global unicast address(es): 2001:43F8:90:C0::2, subnet is 2001:43F8:90:C0::/64 Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:2 FF02::1:FF6B:B6A0 MTU is 1500 bytes
IPv6 Essential Theory !
IPv6 address literals in URLs !
"! Problem: The colon in v6 addresses has another meeting in urls
!! It is a core part of the http:// !! It is also used to specify the port
"! Solution: enclose the IPv6 address in square brackets
http://[2001:db8:85a3:8d3:1319:8a2e:370:7348]/ http://[2001:db8:85a3:8d3:1319:8a2e:370:7348]:80/
IPv6 literals in UNC path names !

"! Problem: The colon a illegal character in Microsoft UNC
pathnames "! The solution: !! Replace all colons in the address with a dash !! Replace any % in the zoneID with an s !! Append .ipv6-literal.net to the address
"! Example: 2001:db8:85a3:8d3:1319:8a2e:370:7348
2001-db8-85a3-8d3-1319-8a2e-370-7348.ipv6-literal.net
"! Example: fe80::1%4
fe80--1s4.ipv6-literal.net
Summary of IPv6 Address Types !

Summary of IPv6 Address Types Type Global Unicast Link-local Unique-local Unique-local IPv4-mapped 6to4 2002 ISATAP Unspecied Loopback Multicast ff<LS> 0 Multicast GroupID
Structure (16 bit boundaries) GlobalID fe80 fc00 fd00 0 0 0 <IPv4 Addr.> SubnetID <64bit v6 Prex> 0 0001 0 0 SubnetID SubnetID SubnetID InterfaceID InterfaceID InterfaceID InterfaceID ffff <IPv4 Addr.>
InterfaceID 5efe <IPv4 Addr.>
IPv6 addressing exercise !

! Display the IPv6 conguration on your laptop
IPv6!from!an!IPv4!Perspective !
! Describe the IPv6 header, noting differences from the v4 header ! Identify the IPv6 equivalents and functioning of key IPv4 protocols
The IPv6 packet structure !

IPv6 from an IPv4 Perspective !
Key characteristics of the IPv6 packet !

"! Fixed header size of 40 bytes (320 bits) "! Fragmentation not allowed by routers, only end hosts "! Minimum supported MTU is 1280 bytes "! Optional layer 3 information is put in extension headers
just before the upper-layer header
IPv6 extension headers !

"! Serve similar functionality to IPv4 Options headers "! Processed only at packet's destination, except for Hop-
by-Hop Options header "! Only appear once in a packet, except for the Destination Options header which appears twice "! A node discards the packet with a Parameter Problem message in the following circumstances "!It sees an un-recognized extension header "!A Next Header value 0 appears in a header other than the xed header
IPv6 packet without extension header !

Courtesy: cisco.com
IPv6 packet with extension headers !

Courtesy: cisco.com
List and order of IPv6 extension headers !

Order 1 2 3 4 5 6 7 8 9 Header Basic IPv6 header Hop-by-hop options Destination options Routing Fragment Authentication (AH) ESP Destination options Mobility 0 60 43 44 51 50 60 135 Examined by all hosts in path Examined only by destination node Specify the route for a datagram (mobile v6) Fragmentation parameters Verify packet authenticity Encrypted data Examined only by destination node Parameters for use with mobile IPv6 Code Description
The IPv6 header compared to IPv4 header !

0 4 8 12 16 20 24 28 32
Version
Header Length Identication TTL
TOS Flags Protocol Source Address Destination Address Options
Total Length Fragment Offset Header Checksum
Version
Trafc Class Payload Length
Flow Label Next Header Hop Limit
Source Address
Source Address
IPv6 packet header on the wire !

Packet header structure changes from IPv4 !

IPv4 header fields removed from the base IPv6 header !! Fragmentation fields [Identification, flags, fragment offset] !! Options IPv4 header fields eliminated in IPv6 !! Header checksum !! Header length Revised fields !! TTL # Hop count !! Protocol # Next header !! Precedence and ToS fields # Traffic class New fields !! Flow label
IPv4 vs IPv6 key functionality comparison !

IPv4
IPv6
Network Access Layer !! Ethernet and variants !! Ethernet and variants !! PPP for serial links !! PPP for serial links !! ATM !! ATM !! DHCP Host auto-configuration !! DHCPv6 !! Stateless Address configuration
Network to Link-layer Address Resolution !! ARP broadcasts !! NDP via ICMPv6 (NS, NA)

IPv6 FQDN to IP-address resolution !! DNS client-server !! DNS client-server !! A resource records !! AAAA resource records !! In-addr-arpa. reverse zone !! ip6.arpa reverse zone !! IGMPv1 !! IGMPv2 Host multicast group membership !! MLDv1
IPv4
Automatic default gateway configuration !! DHCP, IRDP, passive RIP !! NDP via ICMPv6 (RA)

IPv4 !! !! !! !! Static routing RIPv1, RIPv2 OSPFv2 BGP4+ IPv4 AF
IPv6 Routing protocols !! Static routing !! RIPng !! OSPFv3 !! BGP4+ IPv6 AF
Minimum MTU size !! 576 bytes !! 1280 bytes Sending packets to all hosts on subnet !! Broadcast to subnet Multicast to ALL_NODES (ff02::1) broadcast
Resolving names to IPv6 addresses !

"! Most modern DNS servers support IPv6
!! AAAA records for IPv6 to FQDN mapping !! PTR records under ip6.arpa. TLD for FQDN to IP
mapping "! DNS is transport-protocol agnostic i.e. !! A query over IPv4 could yield AAAA records !! A query over IPv6 could yield A records
Sample IPv6 resource records !

IPv4 FQDN to IP Address [A record] voyager.stareet.org A 197.1.0.77
IPv6 [AAAA record] voyager.stareet.org IN AAAA 2001:0470:0000:0064:0000:0000:0000 :0002
IP Address to FQDN
[PTR record] [PTR record] 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.4.6.0.0.0 77.0.1.197.in-addr.arpa .0.0.0.0.7.4.0.1.0.0.2.ip6.arpa IN PTR PTR voyager.stareet.org voyager.stareet.org
Generating IPv6 PTR records !

! Write the IPv6 address in full reverse ! Separate each hexit by a period ! Append the ip6.arpa domain "! Example with sipcalc
The usual DNS test tools work as expected !

The!Key!IPv6!Functionality!Protocols !
! Describe the importance and functioning of IPv6 ND ! Describe how ND is used in other key functions of IPv6
IPv6 Neighbor Discovery Protocol (ND) !

The Key IPv6 Functionality Protocols !
"! Key protocol upon which most of IPv6s functionality
depends "! Used by both hosts and routers "! Consists of a set of ICMPv6 messages "! Works at network layer, thus can use IPsec "! Different message exchanges deliver various functionalities
Functions of IPv6 Neighbor Discovery (ND) !

Router discovery! Address resolution! Address resolution!
Pre"x discovery!
Next-hop determination! Neighbour unreachability detection! Duplicate address detection!

Host-Communication! Functions!
Parameter discovery! Address autocon"guration!

Host-Router Functions!
Neighbour Discovery Protocol!

5 ICMPv6 messages used by ND !

Neighbour Solicitation Neighbour Advertisement
Redirect
ND
Router Advertisement
Router Solicitation
Router Solicitations and Advertisement !

The Router Solicitation message !

Sent by IPv6 host Purpose Find out what routers are present on the link! !!IP of querying interface if one exist Src address !!Unspecied address (::) if there is no IP address yet Dst address FF02::2 (all-routers) Notes ICMP type 133, ICMP code 0
Sample RS packet capture!

The Router Advertisement message !

Sent by IPv6 router !!Advertise its presence prexes, MTU, hop limits Purpose !!Sent periodically or in response to a RS Src address Routers link local IPv6 address !!FF02::1 (all-v6-nodes) for periodic broadcasts Dst address !!v6 address of querying node if responding to a RS Notes ICMP type 134, ICMP code 0
RA Message on the Wire !

Sample RA packet capture !
Neighbour Solicitations and Advertisements !

The Neighbour Solicitation message !

Sent by IPv6 host !!Find out link layer address of another host. Purpose !!Duplicate address detection. !!Verify that a neighbour is reachable. !!IP of querying interface if one exist Src address !!Unspecied address (::) if there is no IP address yet Dst address !!Target neighbours address if known !!Solicited node multicast address of target otherwise!
Notes ICMP type 135, ICMP code 0

The Neighbour Advertisement message !

Sent by IPv6 host !!Response to a neighbour solicitation (NS) Purpose !!Periodically to update neighbors. !!Manual or auto congured address of originating Src address interface. Dst address !!IP address of the node which sent the NA. !!FF02::1 for periodic advertisements.!
Notes ICMP type 136, ICMP code 0

Capture of an NA from a router in response to a NS !
Packet capture of NA message from a host !

The Redirect message !

Sent by IPv6 router Purpose Informs a node of a better next-hop router. Src Link local address of router. address Dst IP address of requesting node.! address Notes ICMP type 137, ICMP code 0
Duplicate address detection !

N1
Tentative IP: 2001:db8::2:260:8ff:fe53:f9d8
1 src: :: 2 NA
NS
dst: FF02::1:FF53:F9D8 hop limit: 255 Target: 2001:DB8::2:260:8FF:FE53:F9D8 N3
src: 2001:DB8::2:260:8FF:FE53:F9D8 dst: FF02::1 N2 hop limit: 255 Target: 2001:DB8::2:260:8FF:FE53:F9D8
IP: 2001:db8::2:260:8ff:fe53:f9d8
Duplicate address detection!

"! DAD is performed on ALL unicast addresses "! DAD is NEVER performed for anycast addresses "! If DAD fails
!! That address cannot be assigned to the interface. !! All addresses using that InterfaceID are also not unique !! A system management error must be logged
"! Unrelated packets sent to a tentative address are discarded
How duplicate address detection works !

! Host N1 is going to assign address A on its interface I ! Interface I joins multicast groups:
!! ff02::1 -- All IPv6 nodes !! ff02::ff00:0:a solicited node multicast address for A
! N1 sends NS message to ff02::ff:0:a sourced from :: ! N1 listens for any NS messages to ff02::ff00:0:a from :: ! DAD fails under any of the following circumstances !! N1 receives an NS for a tentative address prior to sending one. !! More NSs are received than those expected based on loopback semantics
NS packet capture illustrating duplicate address detection (DAD) !
Link-layer address resolution using ND !

N1
1
NS
src: IPv6 address [N1] dst: Solicited node multicast [N2] data: Link layer address [N1] query: "what's your link layer address?"
NA
src: IPv6 address [N2] dst: IPv6 address [N1] data: Link layer address [N2]
N2
Neighbour unreachability detection !

"! Does not necessarily verify end-to-end reach-ability since a
neighbour could be a router (not the nal destination) "! How it works: !! Send a probe to desired hosts solicited node multicast address and receiving a NA or RA in response !! Receive a clue from higher level protocol that to say communication is happening e.g TCP ACK
NS packet capture for neighbour reachability veri"cation!
Basic!IPv6!Configuration !
! ! ! ! ! Congure and verify IPv6 on Windows operating systems Congure and verify IPv6 on Linux operating systems Congure and verify IPv6 on the MAC OS X operating system Congure and verify IPv6 on Cisco IOS Congure and verify IPv6 on Junos
Most Operating Systems have IPv6 enabled by default! !

Basic IPv6 Con"guration !
Operating system Windows Mac OS X GNU Linux FreeBSD Cisco IOS Junos
IPv6 supported Windows XP Service Pack 2 and up 10.4 (Tiger) and up Kernel 2.6 and up FreeBSD 4.0 and up IOS 12.4; 12.3; 12.xT from 12.2T and up Junos 5.1 and up
Host Con"guration: Windows Vista/7 !

Host con"guration: Mac OS X !

Host Con"guration: Linux !

Congure IPv6 on an interface $ifcong eth0 inet6 add 2001:db8:fedc:abcd::1/64 force an interface to come up at boot-up and get address automatically. In /etc/network/interfaces auto eth0 iface eth0 inet manual up /sbin/ip -6 link set eth0 up Verify #ifcong eth0 !! #ip -6 addr show eth0 OR
Working with privacy addresses !

"! Privacy address status on various operating sytems
!! Windows Vista/7 Enabled by default !! Mac OS X Not enabled by default !! Linux - not enabled by default
"! Generally, enabling privacy addresses is not recommended
Disabling privacy addressing !

Windows Vista/7
c:\netsh interface ipv6 set privacy state=enabled|disabled c:\netsh interface ipv6 set global randomizeidentiers=enabled|disabled
Mac OS X
In /etc/sysctl.conf net.inet6.ip6.use_tempaddr=0|1 net.inet6.ip6.temppltime=XX //lifetime of temporary address
Linux
#echo "1" > /proc/sys/net/ipv6/conf/default/use_tempaddr
Con"guring basic IPv6 on Cisco IOS !

Enable IPv6 on an Interface (cong)#ipv6 enable Assign an IPv6 address with automatic interfaceID (cong)#ipv6 address Prex/prex-length eui-64 Assign a static IPv6 address (cong)#ipv6 address v6address/prex-length Enable IPv6 routing and CEF (cong)#ipv6 unicast-routing (cong)#ipv6 cef
Con"guring basic IPv6 on Junos !

Enable IPv6 on an Interface
Assign an IPv6 address with automatic interfaceID
Assign a static IPv6 address
Enable IPv6 routing and CEF
Address!Provisioning!in!IPv6 !
After this section, you should be able to: ! ! ! ! Describe the options for provisioning addresses in IPv6 Describe, and verify how SLAAC works Describe and verify how DHCPv6 works Describe how DHCPv6-PD works
Provision requirements !
IPv6 Address Provisioning !
Device! Hosts! IPv6 address! Default gateway! DNS server! CPEs! IPv6 address! Default gateway! DNS server! Prefix for LAN(s)!
Automatic IP Con"guration !
"! The Problem with Traditional DHCP
It's a link-layer protocol and thus can't be routed without use of relays on every subnet. !! Network and server staff are usually different thus close coordination is needed (plus usual OSI Layer 8 issues!!) !! Difcult to implement redundancy. !! Susceptible to rogue DHCP servers. !! If the lease database is corrupted, addresses can be given to multiple machines. "! Because there are no broadcasts in IPv6, traditional DHCP wont work. "! The options in IPv6 are: !! Stateless Auto-Conguration - new to IPv6 !! Stateful Auto-Conguration - DHCPv6
!!
Automatic IP Con"guration !
IPv6 address DNS resolvers IPv6 delegated prex
Typical conguration parameters For client WAN address Required by clients and CPEs Required by clients and CPEs Required by CPEs to automate LAN-side conguration
Automatic IPv6 Con"guration !

"! Enterprise and campus network cong requirements
!! IPv6 address for the hosts interface !! Default routers !! DNS resolvers & other options
"! Service Provider network cong requirements
!! IPv6 address for CPE WAN interface !! Default route to be used by client network !! Prex to be use for CPE LAN interface(s)
Options for Automatic Address Provisioning !

"! The problem:
SLAAC does not hand out DNS server addresses DHCPv6 does not hand out default router address CPEs need auto-delegated prex for simplicity "! Options: Stateful & stateless DHCPv6 and SLAAC+RDNSS
Stateful DHCP IPv6 Address Default routers DNS resolver Delegated prefix DHCPv6 RA DHCPv6 DHCPv6-PD Stateless DHCP RA RA DHCPv6 DHCPv6-PD SLAAC+RDNSS RA RA RA N/A
!! !! !!
Stateless Auto-Con"guration How it Works!

Network X
R1
2
[RA] 2001:db8:a::
N2
1
"! Host N2 will auto-congure an
[RS] RA?
ff02::1 ff02::1 ff02::1
M2
3
[RA] 2001:db8:d::
address for each of the advertises prexes 2001:db8:a::/64 and 2001:db8:d/64. "! Hosts will also auto-congure 2 default routers
R2 Network X

! Host generates an interfaceID and a link-local address ! Perform Duplicate Address Detection [DAD] on selected address ! Query all routers (via RS messages) for additional ! Router responds with Router Advertisement [RA] which lists
allocated prexes for the subnet and indicates if it can provide routing services to connected hosts. ! For each prex received, the host adds its 64bit interfaceID congures an address and does DAD. ! Host build a list of 'default routers' from RAs. There's no single default gateway like in IPv4.

"! The routers on the subnet are pre-congured with:
Appropriate IPv6 addresses on their interfaces. Desired prexes for use on the subnet. Someday: List of DNS servers to send to hosts [RFC6106] "! If the router advertise multiple prexes, the host(s) will autocongure an address for each of the prexes. "! If multiple routers advertise themselves as default, host typically chooses and uses one till it fails, then it uses other.
!! !! !!
Advantages of SLAAC Over Traditional DHCP !

"! No separate servers or relays needed on each subnet "! No need to involve server admins with management of IP "! "! "! "!
addresses Easy to provide redundancy by plugging in more routers since they don't keep state No risk of duplicate addresses even after a router fails Rogue routers less likely and if they do occur, their prex will just be in addition to the correct prexes Enables network re-numbering on the y
Con"guring a Cisco Router for Stateless Auto-Con"guration!

Network X
R1
2
R1(cong)Interface fastethernet 0/1 R1(cong-if) ipv6 nd prex 2001:db8:a::/64
[RA] 2001:db8:a::
N2
1
[RS] RA?
ff02::1 ff02::1 ff02::1
M2
3
[RA] 2001:db8:d::
R2 Network X
R1(cong)Interface fastethernet 0/1 R1(cong-if) ipv6 nd prex 2001:db8:d::/64
Stateful Con"guration with DHCPv6 !

"! Host gets all of its cong parameters from central server
"! Central server can keep state of who has what address "! A host will use DHCPv6 instead of SLAAC if it gets an RA
message with the M ag = ON and A ag=OFF "! Multicast addresses used by DHCPv6 !! All_DHCP_Relay_Agents_and_Servers (FF02::1:2) !! All_DHCP_Servers (FF05::1:3) "! DHCP Messages: !! Clients listen on UDP port 546 !! Servers and relay agents listen on UDP port 547 "! Currently does not support a default gateway option!!
How Stateful DHCPv6 Works !

Client Router/DHCP Relay DHCP Server
[ND] RS? [ND] RA (M set)

2 4 6 8
[DHCP] Solicit [DHCP] Advertise (addr)
[DHCP] Solicit [DHCP] Advertise (addr)

5
[DHCP] Request (addr) [DHCP] Reply (addr)
[DHCP] Request (addr) [DHCP] Reply (addr) [DHCP] Conrm (addr)

9
10
11
[DHCP] Conrm (addr)
12
Stateful DHCPv6 !
Advantages: a)! Similar to DHCPv4, so will be familiar to most operators. b)! More options to control how addresses are allocated e.g. !! Restrict assignments to a small range of addresses !! Map IP addresses to specic clients. c)! Dynamic DNS (DDNS) updates from a central server is more secure than permitting individual host to update the DNS. d)! It has options to congure other services. e)! Can produce centralized accounting logs (troubleshooting and forensics). Disadvantages: a)! No DHCPv6 clients yet on some operating systems e.g, Android. b)! Conguration information for addresses and DNS resolvers must be maintained in separate locations.
Stateless DHCPv6 !
Client Router DHCP Server
[ND] RS? [ND] RA Prex: Default router: "O" ag set

2
[DHCP] Solicit Options e.g DNS server [DHCP-RELAY] Advertise DNS server address
[DHCP-RELAY] Solicit Options

5
[DHCP] Advertise DNS server address
Stateless DHCPv6 !
Advantages: !! Support for SLAAC is ubiquitous. !! Non-DHCPv6 hosts will still be able to get basic connectivity. (the DNS resolvers can be manually congured ) !! Like stateful DHCPv6, other options possible (e.g NTP etc) Disadvantages: !! Zero control over how addresses are allocated !! If using DDNS, permitting DDNS updates from all clients is insecure. !! Privacy concerns if EUI-64 method is used for interfaceID !! No centralized log for forensics
SLAAC + RDNSS !
"! SLAAC plus the Recursive DNS server option "! Advantages:
!! Single protocol (IPv6 ND) thus simpler conguration !! Support for SLAAC is ubiquitous !! RDNSS option not widely supported !! No other parameters besides DNS resolver are possible
"! Disadvantages:
DHCPv6 - PD !
CPE
1
DHCP Server
PE
Provision CPE WAN address
[DHCP] Solicit Options: IAPD
[DHCP-RELAY] Solicit Option: IAPD
[DHCP-RELAY] Advertise Delegated Prex
[DHCP] Advertise Delegated Prex
"! Used to assign a delegated prex to CPE to use on its LAN. "! The PE inserts a static route for the delegated prex in its table
Key Di#erences Between DHCPv4 & DHCPv6 !

DHCPv6 Server Software !

IPv6!Address!Planning !
After this section, you should be able to: ! ! ! ! Subnet an IPv6 prex Describe how IPv6 addresses are globally managed Estimate the IPv6 addressing needs of your network Carve out your allocated addresses and assign them
The generic IPv6 subnetting problem !

For a given IPv6 prex P and prex length L a)! List all the sub-prexes of length L therein b)! Break P into N subnets Repeat for each sub-prex as required
IPv6 subnetting !
Parent prefix
Sub-prefix #1
Sub-prefix #2
Sub-prefix #3
Sub-prefix #n
IPv4 subnetting concepts to FORGET! !
IPv6 subnetting !
! The purpose of subnetting
IPv4: conserve address space IPv6: planning and optimization for routing or security ! VLSM vs SLSM theres no point to do VLSM in IPv6 ! Subnets vs hosts number of hosts is rarely relevant in v6
!! !!
Generic IPv6 subnetting procedure !
IPv6 subnetting !
Find subnet bits (s)!
Find Subnet hexits!
Find SubnetID increment (B)!
Enumerate subnetIDs!
Step #1: Finding the subnet bits (s) !

a)! Both L and L are known
IPv6 subnetting !
s = L L1 Ex: breaking a /32 to /56s needs 56-32=24 bits b)! Only the number of desired subnets is known
logN 2 ! N thus s = log2
s
Ex: breaking a /36 into 900 networks needs

log700 2 ! 700 thus s = = 9.45 " 10bits log2
s
Step #2: Finding the number of subnet hexits !
"! The distinguishing hexits of each subnet

IPv6 subnetting !
!! Knowing number of subnet bits s !! Knowing that 1 hexit = 4 bits, then !! Number of subnet hexits = s/4 (round up)
"! Ex: Breaking 2001:db8:c000::/36 to 900 subnets
!! s = log 900 log 2 = 9.81 10 !! # subnet hexits = 10/4 = 2.5 3 !! Each of the subnets will be like: 2001:db8:cHHH::/46
Step #3: Finding the Increment or Block (B) !
"! This is difference between consecutive subnetIDs

IPv6 subnetting !
B = 216!(L'%16) "! Ex: Breaking 2001:db8:c000::/36 to 900 subnets !! s = 3 (calculated in previous slides) !! L = L + s = 36 + 10 = 46 !! Format 2001:db8:cHHH::/46 (calculated previously) 16!(46%16) 16!14 2 =2 = 2 = 4 (0x4) !! B = 2
Step #4: Enumerating the subnetIDs !

"!At this point you know the general subnet format
IPv6 subnetting !
"!Taking the subnetIDs only, these form an arithmetic
progression with following characteristics !! Common difference d = block B !! Initial term = 000 "!Any term of the progression is an = a0 + (n ! 1)d
"!Substituting for d = B and initial term = 000 "!The nth term is: an = (n ! 1)B
Step #4: Enumerating the subnetID example !

"! Ex: Breaking 2001:db8:c000::/36 to 900 subnets
IPv6 subnetting !
!! s = 3 (calculated in previous slides) !! L = L + s = 36 + 10 = 46 !! Format 2001:db8:cHHH::/46 (calculated previously) !! B = 4 (0x4) - as previously calculated !! [Decimal]: a1= 4(1-1) = 0 (0x0) !! First subnet: 2001:db8:000::/46 !! [Decimal]: a1024 = 4(1024-1) = 4(1023) = 4092 (0xFFC) !! [Hex]: a400= 4(400-1) = 4(3ff) = FFC !! Last subnet: 2001:db8:ffc::/46
"! First subnetID
"! Last subnetID
Subnetting example : problem !
IPv6 subnetting !
An ISP with operations in 10 cities just got a 2001:db8:: / 32 allocation from AfriNIC, subnet this prex accordingly
Subnetting example : analysis !

"! Number of subnets: N = 10
IPv6 Address Planning !
"! Subnet bits required (s): 2s 10 , s = 4 (round to nearest integer)
s=
log 10 1 = = 3.32 [4 approx] log 2 0.301
"! Thus, to subnet 2001:db8::/32 to cover 10 subnets,
!! Well need to use 4 bits !! Those 4 bits give us 24 = 16 subnets (weve 6 spare subnets) !! Prex length of each subnet is /36 (32 + 4 = 36) !! e.g. sipcalc 2001:db8::/32 v6split=36
"! Use the procedure discussed to enumerate the various subnets "! Verify your answer using subnet tools
Subnetting Enumerate Subnets (sipcalc) !

sipcalc 2001:db8::/32 v6split=36 | grep Network Network - 2001:0db8:0000:0000:0000:0000:0000:0000 Network - 2001:0db8:1000:0000:0000:0000:0000:0000 Network - 2001:0db8:2000:0000:0000:0000:0000:0000 Network - 2001:0db8:3000:0000:0000:0000:0000:0000 Network - 2001:0db8:4000:0000:0000:0000:0000:0000 Network - 2001:0db8:5000:0000:0000:0000:0000:0000 Network - 2001:0db8:6000:0000:0000:0000:0000:0000 Network - 2001:0db8:7000:0000:0000:0000:0000:0000 Network - 2001:0db8:8000:0000:0000:0000:0000:0000 Network - 2001:0db8:9000:0000:0000:0000:0000:0000 Network - 2001:0db8:a000:0000:0000:0000:0000:0000 Network - 2001:0db8:b000:0000:0000:0000:0000:0000 Network - 2001:0db8:c000:0000:0000:0000:0000:0000 Network - 2001:0db8:d000:0000:0000:0000:0000:0000 Network - 2001:0db8:e000:0000:0000:0000:0000:0000 Network - 2001:0db8:f000:0000:0000:0000:0000:0000 www.afrinic.net | slide 129
Global IPv6 address management hierarchy !

2000::/3 RIRpre!x::/w RIRpre !! x::/w RIRpre x::/w RIRpre !! x::/w RIRpre x::/w LIRpre!x::/x LIRpre!x::/x LIRpre !! x::/x LIRpre x::/x LIRpre !! x::/x LIRpre x::/x LIRpre!x::/x End-sitepre !! x::/y End-sitepre x::/y End-sitepre !! x::/y End-sitepre x::/y End-sitepre!x::/y End-sitepre !! x::/y End-sitepre x::/y Subnet::/z Subnet::/z Subnet::/z Subnet::/z Subnet::/z Subnet::/z Host:network:pre !! xSubnet::/64 Host:network:pre xSubnet::/64 Host:network:pre ! xSubnet::/64 Host:network:pre ! xSubnet::/64 Host:network:pre ! xSubnet::/64 Host:network:pre ! xSubnet::/64 Host:network:pre ! xSubnet::/64 12 ! w ! 24 12 !! w !! 24 12 w 24 12 ! w ! 24
12 ! w ! 24
y ! x ! 32 y ! x ! 32 yy !! xx !! 32 32 yy !! xx !! 32 32
y ! x ! 32
xx !! yy !! [48 || 52 || 56 || 60] [48 52 56 60] xx !! yy !! [48 | 52 | 56 || 60] [48 | 52 | 56 60] x ! y ! [48 | 52 | 56 | 60] x ! y ! [48 | 52 | 56 | 60]
x ! y ! [48 | 52 | 56 | 60]
[48 || 52 || 56 || 60] !! zz !! 64 [48 52 56 60] 64 [48 | 52 | 56 | 60] ! z !! 64 [48 | 52 | 56 | 60] ! z 64 [48 | 52 | 56 | 60] ! z ! 64
[48 | 52 | 56 | 60] ! z ! 64
InterfaceID InterfaceID InterfaceID InterfaceID InterfaceID InterfaceID InterfaceID
IPv6 address planning a few clari"cations !
"! /32 for LIRs is just minimum size according to most RIR policies. "! If you can show that you need more, you usually can get more!
!! Do NOT start with /32 [or /48] and try to t in. !! INSTEAD analyse your needs and apply based on them.
"! RFCs recommend /64 for all subnets (even p2p and loopbacks)
!! DO allocate a /64 for all links but, !! DO congure what makes operational sense (e.g /127 for p2p !!
and /128 for loopbacks) Do understand what will break if you use longer prexes
Some recommendations for planning !

! Assign at least one /64 per individual network segment
! Ensure that all prexes fall on nibble boundaries ! Plan a hierarchical plan to allow for aggregation
Site: any logical L3 aggregation point (POP, building, oor, ) Region: a collection of site Autonomous System ! Assign at least one /48 per site ! Reserve one /48 per region for infrastructure needs !! Loopback addresses assign from the rst bottom of range !! Inter-device links assign a /64 but congure what makes operational sense (/126 , /127 ) ! Use same prex lengths for all prexes of the same level (SLSM)
!! !! !!
Estimating the size of your initial IPv6 request !

! For your largest SITE
! ! ! !
Estimate the number of end-networks in it now Adjust for growth in 5 years Round to nearest nibble boundary. (maxSITEsize) Estimate the number of #SITEs in your largest region (round to nibble boundary) #of end-site prexes: N = #regions x #SITEs x maxSITEsize log N Subnet bits required to give us N prexes: s = 10 log10 2 Allocation size is !! 48 s [if assigning /48s per end-site] !! 52 s [if assigning /52s per end-site]
!! !! !!
About Nibble Boundaries !

Try to align allocation units to nibble boundaries !! Round up your estimates to 2n where n is a multiple of 4 [16, 256, 4096, 65536 etc] !! Ensure your prexes fall on the following nibbles: /12, /16, /20, /24, /28, /32, /36, /40, /44, /48, /52, /56, /60, /64
Nibble boundary alignment example !

"! Consider the range of addresses for 2001:db8:3c00::/40 [rst] 2001:db8:3c00:0000:0000:0000:0000:0000 [last] 2001:db8:3cff:ffff:ffff:ffff:ffff:ffff
!! Easy see that differentiating hexits range from 0 - f

"! Consider the range of addresses for 2001:df8:3c00::/42
[rst] 2001:db8:3c00:0000:0000:0000:0000:0000 [last] 2001:db8:3c3f:ffff:ffff:ffff:ffff:ffff
!! Youll have to calculate the differentiating hexits

IPv6 Address Planning | Example !

An ISP has operations in 10 provinces. The largest province has 50 POPs, the largest of which has about 2700 clients. Estimate the IPv6 addressing needs of this ISP
Address planning example analysis and solution !

! We know
!! Number of regions: #regions = 10 [round to 16] !! Number of sites: #SITEs = 50 [round up to 256] !! maxSITEsize = 2700 [round up to 4096] !! Total number of end-network prexes required is N !! N=16 x 256 x 4096 = 16,777,216 !! Number of subnet bits required: s=log16,777,216/log2 = 24. !! 48 24 = 24 [Assuming /48s to end-sites] !! 52 24 = 28 [Assuming /52s to end-sites]
! We calculate
"! Allocation size:
"! Thus the ISP needs to request a /24 or /28 from AfriNIC.

IPv6 Fundamentals

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IPv6 Fundamentals

Uploaded by

Copyright:

Available Formats

IPv6!Fundamentals !

Mukom Akong T. (@perfexcellent)

What you should be able to do after "nishing this module !

platforms !! Cisco IOS !! Juniper JUNOS !! Quagga

Understand IPv4 exhaustion implications

Identify and work with IPv6 addresses

Create an IPv6 addressing plan

Understanding IPv4 Exhaustion Implications !

Central IPv4 Pool as at 16.06.2010 !

Understanding IPv4 Exhaustion Implications !

Central IPv4 Pool as at 31.01.2011 !

Understanding IPv4 Exhaustion Implications !

Global IPv4 Address Distribution !

Understanding IPv4 Exhaustion Implications !

Projected RIR Depletion Dates !

Source: Geof Houston

Understanding IPv4 Exhaustion Implications !

Exhaustion Consequence: IPv4 addresses are now more expensive !

$7.5m for 666,624 v4 addresses

Understanding IPv4 Exhaustion Implications !

www.afrinic.net | slide 11!

Understanding IPv4 Exhaustion Implications !

Exhaustion Consequence: An IPv4 address black market emerges !

"! Black markets have well-known contrary consequences

Understanding IPv4 Exhaustion Implications !

Implications of Africa running out last !

"! Network-layer successor to IPv4

IPv6 addresses are written in hexadecimal !

IPv6 address = 128 bits

IPv6 address = 32 hexits

IPv6 address = 8 groups of 4 hexits

2001 : db8 : c001 : face : b00c : dead : babe : 1cee : f001!

How IPv6 addresses are written !

Rules for shortening IPv6 addresses !

Shortening IPv6 addresses: Example !

Shortening IPv6 addresses: Example !

Incorrect IPv6 shortening example !

Types of IPv6 addresses !

Scope: An address extent of validity !

Global unicast addresses !

45 bits Global Routing Prefix

Link local unicast addresses !

The Link local address reachability problem !

ZoneIDs resolving Link local address ambiguity !

"! ZoneID (or scopeID)

Examples of using ZoneID !

Unique Local Addresses !

Unique Local Addresses: GlobalID Algorithm !

6to4 Transition Addresses !

Generating the InterfaceID Last 64 bits !

"! Manually typed by an admin on an interface "! Automatically

!! Subnet router anycast: 0000:0000:0000:0000 !! Reserved subnet anycast: fdff:ffff:ffff:ff80 - ff

EUI-64 Automatic InterfaceID Generation !

Privacy concerns with EU-64 !

"! For a given MAC address

"! It is possible to track a user from their interfaceID

"! Privacy addressing (RFC4941) deals with this issue

learn.afrinic.net | slide 36!

IPv4-Mapped Transition Addresses !

32 bits IPv4 Address

ISATAP transition addresses !

32 bits Private IPv4 Address

!! Where a.b.c.d is an RFC1918 private IPv4 address

The Flag Bits in multicast addresses !