Transcript of Getting started with IPv6
Getting Started with IPv6
A toe-dip into the volatile world of IPv6 transitions
Tanner, 04.29.2011

Goals and Status
GOAL: Get IPv6 dual-stack running on a lab/home network and connect to the IPv6 internet.
STATUS:
• IPv4 Exhaustion Timeline
• IPv6 Today: Google, Microsoft, Apple, Netflix, Cisco, Facebook, Gov’t Agencies
• Service Provider Plan
• Enterprise Plan

IPv4 Exhaustion Schedule
2/2011: IANA allocates remaining 5 /8’s to RIRs
5/2011: RIR APNIC pool depleted (estimated)
Q4 CY2011: RIR RIPE pool depleted (estimated)
1H CY2012: RIR ARIN pool depleted (estimated)
Then… ISP unallocated pool depleted
Then… End user unallocated pool depleted
Then… ISP’s start thinking about IPv6???

IPv6 Mechanics
Advantages
• Lots of Addresses
• Automatic IP Address Configuration
• Duplicate Address Detection (DAD)
• Only available option post-IPv4
Disadvantages
• Still disagreements on implementation / transition methods
• Immature device / OS / application support
• Remembering long addresses

IPv6 Building Blocks
Interface Addressing: Manual, SLAAC, DHCPv6, Link Local
DNS: Increased reliance due to lengthy addresses; AAAA (“Quad A”) Records
Example address: 2002:D82A:3BCC:DEFF:BACA:3F97:872D:D00D/64
DHCP Type    IPv6 Address   Options
Stateless    No             Yes
Stateful     Yes            Yes
ICMPv6: Neighbor Discovery
Routing: EIGRPv6, OSPFv3

IPv6 Addressing
Routable: 2002:adb8:85a3:af90:b8b8:8a2e:1773:ff31/64
• 8 x 16-bits separated by a : (colon)
• Prefix length in CIDR format
• NOT 255.255.255.255.255.255.255.255.0.0.0.0.0.0.0.0
Each interface has a:
• Link local address
• Routable address: [Modified] EUI-64, Auto w/ privacy extensions, or Manual
Neighbor Discovery: Heavy use of ICMP and Multicast

IPv6 Subnetting
2001:0DB8:0800:3333:AAAA:BBBB:CCCC:DDDD
# of bits: 4 (one hex digit), 8 (two hex digits), 16 (one group)
CIDR boundaries marked on the address: /16, /48, /64, /120, /128
Network/Subnet portion: bits to the left of the prefix length; Host portion: bits to the right

Key Prefixes
Prefix                              Allocation             Example
2000::/3 to 3FFF                    Global Unicast         2002:AB::16/64
2001:DB8::/32 to 2001:DB8:FFFF      Documentation Prefix   2001:DB8:AA::/64
FC00::/7 to FDFF                    Unique Local Unicast   FC00:AB::7/64
FE80::/10 to FEBF                   Link Local Unicast     FE80::6AEF:BDFF:FE61:4D13
FF00::/8 to FFFF                    Multicast              FF02::1, FF02::1:FF61:4D13

Prefix Sizes
Prefix Length   # of Addresses                                         Subnets (1)   Typical Use
/48             2^80 = 1,208,925,819,614,629,174,706,176               65,536        Organization/Site allocation; Default allocation from ISP
/56             2^72 = 4,722,366,482,869,645,213,696                   256           Small Site/Residential
/64             2^64 = 18,446,744,073,709,551,616 (18.4 Quintillion)   1             All links/LAN segments; Required for SLAAC
/120            2^8 = 256                                              1             Alternate prefix for LAN segments
/126            2^2 = 4                                                1             Alternate prefix for P2P segments
(1) Assumes using the “standard” allocation of /64 for all links and segments
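
Worked example, added here and not part of the slide deck: a short Python script (standard-library ipaddress only) that computes the Prefix Sizes rows above instead of typing them in, splits an address into the network/subnet and host portions the way the Subnetting slide draws it, and reports the expanded/compressed/range facts that sipcalc in Appendix B prints. The base prefix 2001:db8::/n and the TYPICAL_USE strings are the slides' own values entered as constructed data; the function names are this example's.

```python
"""IPv6 prefix arithmetic for the Prefix Sizes and Subnetting slides.
Added example; uses only the standard-library ipaddress module."""
import ipaddress
from typing import Dict, Tuple, Union

# Typical-use column of the slide, keyed by prefix length (constructed data).
TYPICAL_USE = {
    48: "Organization/Site allocation; default allocation from ISP",
    56: "Small site / residential",
    64: "All links / LAN segments; required for SLAAC",
    120: "Alternate prefix for LAN segments",
    126: "Alternate prefix for P2P segments",
}


def prefix_summary(prefix: str) -> Dict[str, Union[str, int, bool]]:
    """sipcalc-style facts about one prefix: expanded and compressed network
    address, netmask, first/last address, address count, how many /64 links
    it can be cut into, and whether SLAAC can run on it (SLAAC needs a /64)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    host_bits = 128 - net.prefixlen
    return {
        "expanded": net.network_address.exploded,
        "compressed": net.network_address.compressed,
        "netmask": net.netmask.compressed,
        "first": net.network_address.exploded,
        # ipaddress reuses the name "broadcast_address" for the highest address;
        # IPv6 has no broadcast, this is simply the end of the range.
        "last": net.broadcast_address.exploded,
        "addresses": 2 ** host_bits,
        "link_subnets": 2 ** (64 - net.prefixlen) if net.prefixlen <= 64 else 1,
        "slaac_capable": net.prefixlen == 64,
    }


def split_address(address: str, prefixlen: int) -> Tuple[str, str]:
    """Split an address into (network/subnet hex digits, host hex digits).
    Valid for any prefix length on a nibble boundary: one hex digit is 4 bits,
    two are 8, a full colon-separated group is 16."""
    if prefixlen % 4 or not 0 <= prefixlen <= 128:
        raise ValueError("prefix length must be a multiple of 4 for a nibble split")
    digits = ipaddress.IPv6Address(address).exploded.replace(":", "")
    cut = prefixlen // 4
    return digits[:cut], digits[cut:]


def prefix_table(prefixes=(48, 56, 64, 120, 126), base: str = "2001:db8::"):
    """Rows of the Prefix Sizes table: (prefix length, addresses, /64 subnets, use)."""
    rows = []
    for plen in prefixes:
        s = prefix_summary(f"{base}/{plen}")
        rows.append((plen, s["addresses"], s["link_subnets"], TYPICAL_USE.get(plen, "")))
    return rows


if __name__ == "__main__":
    for plen, count, subnets, use in prefix_table():
        print(f"/{plen:<4} {count:>40,} {subnets:>8,}  {use}")
    net_part, host_part = split_address("2001:0DB8:0800:3333:AAAA:BBBB:CCCC:DDDD", 64)
    print(f"network/subnet portion: {net_part}  host portion: {host_part}")
    s = prefix_summary("2001:db8:1::/48")
    print(f"{s['compressed']}/48 netmask {s['netmask']} range {s['first']} - {s['last']}")
```

Running the script prints the five table rows with the same address counts the slide lists, then the /64 split of the Subnetting slide's address and the range sipcalc reports for 2001:db8:1::/48.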

Comparison Table
                        IPv4                  IPv6
L2 Address Resolution   ARP (Broadcast)       ICMP Neighbor Discovery (Multicast)
View L2 Address         show arp / arp -a     show ipv6 neighbor / netsh interface ipv6 show neighbors
Ping                    ping 1.1.1.1          ping ipv6 fec0:abcd::1 / ping -6 fec0:abcd::1
IP Assignment           DHCP or Manual        DHCPv6, SLAAC, or Manual
Gateway Assignment      DHCP or Manual        DHCPv6 or IRDP
DNS Assignment          DHCP or Manual        AAAA
DNS Record Type         A                     AAAA

Transition Technologies
• Dual stack
• NAT: NAT64 & DNS64 / NAT46 / NAT44 / NAT66 / NAT-PT / CGNAT / NAT444 / NAT464 / DS-Lite
• Tunnels: 6to4 (RFC 3056), 6in4, ISATAP (RFC 5214), GRE/IPv6 over DMVPN, 6rd, LISP
• Reverse Proxy/Load Balancers

Dual Stack Transition Plan
Stages (diagram): Current, Transitional, Transitional, Final State
• Make sure there are no DNS AAAA records. Alternate: Disable IPv6 on all devices
• Enable IPv6 in core, then firewall, then internet router
• Enable select DMZ servers / inside clients

DNSv6 and DNS64
Name Resolution
IPv4:  set type=a     www.comcast6.net   Address: 68.87.29.36
IPv6:  set type=aaaa  www.comcast6.net   Address: 2001:558:1002:4:68:87:29:36
DNS64: IPv6 client makes DNS AAAA query, DNS64 gateway translates IPv4 response to AAAA format
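
The DNS64 step just described, as an added Python example that is not part of the slides: it embeds an A record in a /96 NAT64 prefix, recovers the IPv4 address again (what the NAT64 gateway does on the way out), and applies the resolver rule that real AAAA answers are returned untouched and synthesis happens only when a name has A records but no AAAA. It assumes the RFC 6052 well-known prefix 64:ff9b::/96, which the slides do not mention (a deployment may use its own /96 instead); 68.87.29.36 and the native AAAA are the slide's www.comcast6.net values, and the record dictionaries are constructed stand-ins for upstream DNS answers.

```python
"""DNS64 synthesis with a /96 NAT64 prefix (added example, not from the slides).
Assumes the RFC 6052 well-known prefix 64:ff9b::/96 unless another /96 is given."""
import ipaddress
from typing import Dict, List

WKP = "64:ff9b::/96"   # RFC 6052 well-known prefix (assumption: site may use its own /96)


def synthesize_aaaa(ipv4: str, prefix: str = WKP) -> ipaddress.IPv6Address:
    """Place the 32-bit IPv4 address in the low 32 bits of a /96 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 96:
        raise ValueError("this helper implements only the /96 embedding")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | v4)


def extract_ipv4(address: str, prefix: str = WKP) -> ipaddress.IPv4Address:
    """Reverse of synthesize_aaaa: the IPv4 destination the NAT64 forwards to."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    a = ipaddress.IPv6Address(address)
    if a not in net:
        raise ValueError(f"{a} is not inside the NAT64 prefix {net}")
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)


def dns64_answer(records: Dict[str, List[str]], prefix: str = WKP) -> List[str]:
    """Resolver policy: if the name has AAAA records, return them as-is; if it has
    only A records, synthesize one AAAA per A.  `records` stands in for the
    upstream answers, e.g. {"A": [...], "AAAA": [...]} (constructed input)."""
    if records.get("AAAA"):
        return list(records["AAAA"])
    return [str(synthesize_aaaa(a, prefix)) for a in records.get("A", [])]


if __name__ == "__main__":
    # Constructed upstream answers for the slide's example name.
    native = {"A": ["68.87.29.36"], "AAAA": ["2001:558:1002:4:68:87:29:36"]}
    v4only = {"A": ["68.87.29.36"]}
    print("dual-stack name :", dns64_answer(native))     # native AAAA, no synthesis
    print("IPv4-only name  :", dns64_answer(v4only))     # synthesized 64:ff9b::4457:1d24
    print("NAT64 forwards to", extract_ipv4(dns64_answer(v4only)[0]))
```

Note that the slide's native AAAA 2001:558:1002:4:68:87:29:36 only looks like an embedded IPv4 address (the operator chose hextets that read as 68.87.29.36); DNS64 synthesis embeds the address as 32 bits, giving 64:ff9b::4457:1d24.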

DHCPv6
• Client detects presence of routers on the link using Router Solicitation
• Uses link-local address as the source IP
• No gateway needed. Learned from RA’s.

IPv6 Attacks
• IPv6 NDP Exhaustion: Configuring /64’s per subnet is akin to configuring an IPv4 /8 on a LAN. Allocate /64, Configure a /120 (Breaks SLAAC)
• Ping/Ping or Ping/Pong attack
• ND vulnerabilities
• ICMP must be open to inside hosts
• Dual Stack Hosts – IPv6 may not be locked down

Additional Resources
Books: Deploying IPv6 in WAN/Branch Networks (Cisco); Deploying IPv6 Networks (Cisco); Global IPv6 Strategies
ARIN IPv6 Wiki
Measuring IPv6 Adoption
www.cisco.com/go/ipv6
Cisco IOS IPv6 Configuration Guide
http://ipv6.he.net/certification/index.php
http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
http://www.potaroo.net/ispcol/2011-02/transtools-part1.html
http://www.potaroo.net/ispcol/2011-03/transtools-part2.html
http://www.openwall.com/presentations/IPv6/index.html
http://blogs.cisco.com/security/ipv6-whats-new/
http://owend.corp.he.net/ipv6/
http://www.infoblox.com/ipv6wp
http://test-ipv6.com
http://www.deepspace6.net/projects/ipv6calc.html
ipv6forum.com

APPENDIX A: Device Configuration Examples

Step 1: IPv6 Internet Access
Dual Stack ISP: Request dual stack support from ISP
or
IPv6 Tunnel Broker: Sign up for free IPv6 tunnel broker service (tunnelbroker.net from Hurricane Electric)

Step 2: Cisco Router Security (IPv4) Access List
• Encapsulated traffic must be permitted in/out physical interface.
• IP Protocol 41 is reserved for IPv6 encapsulation. IP will change depending on IPv6 broker endpoint used.
ip access-list extended ACL-OUTSIDE-IN
 remark --- Allow IPv6 Tunnel Broker
 permit icmp host 66.220.2.74 any echo
 permit 41 host 216.218.226.238 any
 permit …
 deny ip any any log
interface F4
 description Internet Interface
 ip access-group ACL-OUTSIDE-IN in

Step 3: Cisco Router Configuration (IP)
(Slide callouts are given as “!” comment lines next to the command they point at.)
ipv6 unicast-routing
ipv6 cef
interface Tu0
 description IPv6 Internet
 ipv6 enable
 ipv6 address 2001:DB8:F::2/64
 ! Assigned from HE
 tunnel source F4
 ! Internet Interface
 tunnel destination 216.218.226.238
 ! IPv6 Broker Endpoint
 tunnel mode ipv6ip
 ! IPv6 Encapsulated in IPv4
interface G0
 description LAN Segment
 ipv6 address 2001:DB8:1::1/64
 ! IP from /48 allocation
 ipv6 address 2001:DB8:1::/64 EUI-64
 ipv6 enable
ipv6 route ::/0 Tu0
! IPv6 default route

Cisco Router IP Autoconfig
IPV6-Router# sh ipv6 int
GigabitEthernet0 is up, line protocol is up
  [Hardware is PQII_PRO_UEC, address is 68EF.BD61.4D13]
  IPv6 is enabled, link-local address is FE80::6AEF:BDFF:FE61:4D13
  No Virtual link-local address(es):
  Stateless address autoconfig enabled
  Global unicast address(es):
    2001:DB8:1:0:6AEF:BDFF:FE61:4D13, subnet is 2001:DB8:1::/64 [EUI/CAL/PRE]
      valid lifetime 2591835 preferred lifetime 604635
  Joined group address(es):
    FF02::1
    FF02::1:FF61:4D13
  MTU is 1500 bytes
  …
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  Default router is FE80::215:C6FF:FE53:9EC8 on GigabitEthernet0
Callouts on the output:
• Interface MAC: address is 68EF.BD61.4D13
• EUI-64 Insertion, U/L bit flip: link-local address FE80::6AEF:BDFF:FE61:4D13
• Learned via ND from upstream router: 2001:DB8:1:0:6AEF:BDFF:FE61:4D13, subnet is 2001:DB8:1::/64
• All IPv6 nodes, link local: FF02::1
• Solicited node addr for replies: FF02::1:FF61:4D13
• Link local addr used for next hop: Default router is FE80::215:C6FF:FE53:9EC8
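
The three address transformations called out above (EUI-64 insertion, U/L bit flip, solicited-node multicast), worked in Python as an added example that is not part of the slides. It reproduces the addresses from the show output and from the Windows 7 ipconfig later in the deck (MAC 68EF.BD61.4D13 and 00-22-68-1A-E1-4C are the slides' values), and adds the reverse check an auditor wants: whether a global address still embeds the interface MAC, i.e. whether privacy extensions are off on that host. The function names are this example's own.

```python
"""Modified EUI-64, U/L bit flip and solicited-node multicast (added example)."""
import ipaddress
import re
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Accept Cisco (68EF.BD61.4D13), Windows (00-22-68-1A-E1-4C) or colon notation."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface identifier: insert FF:FE between the OUI
    and the device part, then flip the Universal/Local bit (0x02 of octet 0)."""
    m = parse_mac(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02          # U/L bit flip: 68 -> 6A, 00 -> 02
    return bytes(iid)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Join a /64 prefix with the modified EUI-64 IID.  SLAAC needs exactly 64
    host bits, which is why the slides keep LAN segments at /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_eui64(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 plus the modified EUI-64 IID, as the router's link-local above."""
    return eui64_address("fe80::/64", mac)


def solicited_node(address: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx with the low 24 bits of the unicast address.  Neighbor
    Solicitations for an address go to this group, hence one joined group per
    configured address in the show output."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def mac_from_address(address: str) -> Optional[str]:
    """Audit helper: if the IID carries the FF:FE marker, undo the U/L flip and
    return the embedded MAC; None for temporary/random IIDs.  The FF:FE test is
    a heuristic (a random IID could contain it by chance)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "68EF.BD61.4D13"                      # interface MAC from the show output
    ll = link_local_eui64(mac)
    print("link-local     :", ll)
    print("global (EUI-64):", eui64_address("2001:DB8:1::/64", mac))
    print("solicited-node :", solicited_node(str(ll)))
    print("MAC recovered  :", mac_from_address(str(ll)))
    print("temporary addr :", mac_from_address("2001:db8:1::a1fd:f339:f800:f7ff"))
```

On the Windows 7 output later in the deck the script recovers 00:22:68:1a:e1:4c from the preferred address but returns None for the temporary address, which is the difference between an EUI-64 IID and a privacy-extension IID.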

Cisco Router Security (IPv6)
ipv6 access-list ACL-IPV6-IN
 remark --- Block AfriNIC/APNIC
 deny ipv6 2001:4200::/23 any
 deny ipv6 2C00:0000::/12 any
 deny ipv6 2001:0200::/23 any
 deny ipv6 2001:0C00::/23 any
 deny ipv6 2001:0E00::/23 any
 deny ipv6 2001:4400::/23 any
 deny ipv6 2001:8000::/19 any
 deny ipv6 2001:A000::/20 any
 deny ipv6 2001:B000::/20 any
 deny ipv6 2400:0000::/12 any
 remark --- Allow Neighbor Discovery
 permit icmp any any nd-na
 permit icmp any any nd-ns
 remark --- Block everything else
 deny ipv6 any any log
interface Tunnel0
 ipv6 traffic-filter ACL-IPV6-IN in
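
To check a traffic filter like the one above without a router, here is an added Python example (not IOS code and not from the slides) that parses the slide's ACL-IPV6-IN lines and evaluates constructed packets against them first-match, as IOS does. The nd-ns/nd-na keywords map to ICMPv6 types 135/136. IOS ends every IPv6 ACL with implicit permits for those two types followed by an implicit deny; the model includes them, and shows why the slide needs its explicit ND permits: the explicit "deny ipv6 any any log" is matched first and would otherwise shadow the implicit ND permits. Only the forms used on the slide are parsed (prefix or any as source, any as destination, named ICMP types); the host keyword and port matching are not supported.

```python
"""First-match evaluation of an IOS-style IPv6 ACL (added example, not IOS code).
ACL_TEXT is the slide's ACL-IPV6-IN; the packets in __main__ and the tests are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACL_TEXT = """
ipv6 access-list ACL-IPV6-IN
 remark --- Block AfriNIC/APNIC
 deny ipv6 2001:4200::/23 any
 deny ipv6 2C00:0000::/12 any
 deny ipv6 2001:0200::/23 any
 deny ipv6 2001:0C00::/23 any
 deny ipv6 2001:0E00::/23 any
 deny ipv6 2001:4400::/23 any
 deny ipv6 2001:8000::/19 any
 deny ipv6 2001:A000::/20 any
 deny ipv6 2001:B000::/20 any
 deny ipv6 2400:0000::/12 any
 remark --- Allow Neighbor Discovery
 permit icmp any any nd-na
 permit icmp any any nd-ns
 remark --- Block everything else
 deny ipv6 any any log
"""

ICMP_NAMED_TYPES = {"nd-ns": 135, "nd-na": 136}   # IOS keyword -> ICMPv6 type
ANY = ipaddress.IPv6Network("::/0")


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "ipv6" (matches any protocol) or "icmp"
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    icmp_type: Optional[int]        # None = any ICMP type
    text: str                       # original line, for reporting


def _net(token: str) -> ipaddress.IPv6Network:
    return ANY if token == "any" else ipaddress.IPv6Network(token, strict=False)


def parse_acl(text: str) -> List[Rule]:
    """Keep permit/deny entries; skip the access-list header, remarks and blanks."""
    rules = []
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] not in ("permit", "deny"):
            continue
        action, proto, src, dst = t[0], t[1], t[2], t[3]
        icmp_type = None
        if proto == "icmp" and len(t) > 4 and t[4] in ICMP_NAMED_TYPES:
            icmp_type = ICMP_NAMED_TYPES[t[4]]
        rules.append(Rule(action, proto, _net(src), _net(dst), icmp_type, raw.strip()))
    return rules


def evaluate(rules: List[Rule], src: str, dst: str, proto: str = "tcp",
             icmp_type: Optional[int] = None) -> Tuple[str, str]:
    """Return (action, matching rule text) for the first rule that matches."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for r in rules:
        if s not in r.src or d not in r.dst:
            continue
        if r.proto == "icmp":
            if proto != "icmp":
                continue
            if r.icmp_type is not None and icmp_type != r.icmp_type:
                continue
        return r.action, r.text
    # IOS implicit tail: permit nd-na / nd-ns, then deny everything.
    if proto == "icmp" and icmp_type in ICMP_NAMED_TYPES.values():
        return "permit", "implicit ND permit"
    return "deny", "implicit deny"


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    lan = "2001:db8:1::1"
    for pkt in [dict(src="2400::1", dst=lan, proto="tcp"),
                dict(src="fe80::1", dst="ff02::1:ff00:1", proto="icmp", icmp_type=135),
                dict(src="2001:558::1", dst=lan, proto="tcp"),
                dict(src="2001:db8:f::1", dst=lan, proto="icmp", icmp_type=128)]:
        print(pkt["src"], "->", evaluate(rules, **pkt))
```

One thing the run shows: 2001:db8::/32 falls inside 2001:0C00::/23, so the deck's own documentation-prefix addresses (stand-ins for the real HE allocation) would be caught by the APNIC deny. Test a filter against the prefixes actually in use before applying it to the tunnel.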

Step 4: IOS Firewall (CBAC) Access List
ipv6 inspect alert-off
ipv6 inspect routing-header
ipv6 inspect max-incomplete low 100
ipv6 inspect max-incomplete high 200
ipv6 inspect one-minute low 100
ipv6 inspect one-minute high 200
ipv6 inspect udp idle-time 15
ipv6 inspect tcp idle-time 1800
ipv6 inspect tcp finwait-time 1
ipv6 inspect tcp synwait-time 15
ipv6 inspect tcp max-incomplete host 500 block-time 0
ipv6 inspect name FW1 ftp
ipv6 inspect name FW1 tcp
ipv6 inspect name FW1 udp
ipv6 inspect name FW1 icmp
interface G0
 ipv6 inspect FW1 in
 ipv6 inspect FW1 out

Step 5a (Optional): Windows Server Configuration
• Manually Configure Server IP Address
• DHCPv6 scope created with local fc00 addressing (ULA)
• View of DNS A and AAAA Record

Step 5b: Windows 7 Configuration
• Enable IPv6
• Disable IPv6 tunnels (6to4, isatap, teredo)
• Prefer IPv4 over IPv6 during transition (KB929852)
LAN Network Connection:
   Physical Address. . . . . . . . . : 00-22-68-1A-E1-4C
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:db8:1::222:68ff:fe1a:e14c(Preferred)
   Temporary IPv6 Address. . . . . . : 2001:db8:1::a1fd:f339:f800:f7ff(Preferred)
   Link-local IPv6 Address . . . . . : fe80::688f:1818:28fc:f11e%12(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.16.0.122(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 172.16.0.1
   DHCP Server . . . . . . . . . . . : 172.16.0.10
   DHCPv6 IAID . . . . . . . . . . . : 218112349
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-C0-65-37-00-23-54-66-DF-67
   DNS Servers . . . . . . . . . . . : 2001:db8:1::10
                                       172.16.0.10

Step 5c: Mac OS X

OS Support Comparison
Address Feature      Cisco     Win XP   Win 7/2008   Mac OS X   Linux
Manual               Yes       No       Yes          Yes        Yes
EUI-64/SLAAC         Yes       Yes      Yes (2)      Yes        Yes
Privacy Extensions   No        No       Yes          Yes (3)    Yes (3)
DHCPv6               Yes (1)   No       Yes          No         Yes
SEND                 Yes (1)   No       No           No         No
(1) Feature supported in IOS 12.4(24)T and later.
(2) EUI-64 capability disabled by default. Privacy extensions must be disabled to use.
(3) Privacy extensions disabled by default.

Step 6: Test Connectivity
Ping Test
c:\> ping ipv6.google.com
Pinging ipv6.l.google.com [2001:4860:800d::63] with 32 bytes of data:
Reply from 2001:4860:800d::63: time=45ms
Reply from 2001:4860:800d::63: time=42ms
Web Test

APPENDIX B: Restrictions, Caveats, Considerations, and Tools
Platform Limitations
• Does your L3 switch support hardware-based forwarding for IPv6?
Application Compatibility
• Do log parsing applications recognize IPv6? Syslog, etc.
• IP address calculation formulas in spreadsheets
• IP-enabled A/V equipment: Network Video Recording software
Cisco Notes
• 3560/3750: sdm prefer dual-ipv4-and-ipv6 default
• Others: ipv6 mld snooping
• IPv6 CEF disabled by default
• IPv6 will use resources from the IPv4 pool

Tools
stealthyb@nms2:~$ sudo aptitude install sipcalc
stealthyb@nms2:~$ sipcalc 2001:db8:1::/48
-[ipv6 : 2001:db8:1::/48] - 0
[IPV6 INFO]
Expanded Address        - 2001:0db8:0001:0000:0000:0000:0000:0000
Compressed address      - 2001:db8:1::
Subnet prefix (masked)  - 2001:db8:1:0:0:0:0:0/48
Address ID (masked)     - 0:0:0:0:0:0:0:0/48
Prefix address          - ffff:ffff:ffff:0:0:0:0:0
Prefix length           - 48
Address type            - Aggregatable Global Unicast Addresses
Network range           - 2001:0db8:0001:0000:0000:0000:0000:0000 -
                          2001:0db8:0001:ffff:ffff:ffff:ffff:ffff

Q&A
Q: How do I specify a port in an IPv6 URL?
A: http://[2001:db8::dade:55]:8080/
Q: What are the group of addresses called in between each : (colon)?
A: Depending on your source, they can be called “fields”, “groups”, “quads”, “hextets”, or “hexadecatet”.