IPv6 -- A practical guide to Implementationfacweb.cs.depaul.edu/brewster/ipv6/Full Course...
Transcript of IPv6 -- A practical guide to Implementationfacweb.cs.depaul.edu/brewster/ipv6/Full Course...
Revised 2010 August 17 Hurricane Electric
IPv6 -- A practical guide to Implementation
Owen [email protected]
2010 August 17 Hurricane Electric Page
Acknowledgements
Special thanks for: Content and graphics:
Mukom Akong Tamon (AfriNIC) Nishal Goburdhan (AfriNIC)
Research, Data, and graphics Geoff Huston (APNIC)
Inviting me to present this Srinivas Chendi (APNIC)
Attending All of you
2
2010 August 17 Hurricane Electric Page
Logistics
Location of rest rooms Please turn off your mobile phone(s) Please ask questions
Please don’t be afraid to speak up For any non-native English speakers: No matter
your English skills, I assure you they are better than my skills at your native language.
3
2010 August 17 Hurricane Electric Page
Why do we need IPv6?(1. NAT breaks IPSec)
This works fine until you want to secure the connection with IPSec
The NAT device modifies the packet header, breaking IPSec
7
Backend SQL Server
Private Network Public Network
Web Server
Client to Web Server
Web Server to SQL database
NAT Gateway
2010 August 17 Hurricane Electric Page
Why do we need IPv6?(2. NAT Complicates Communications)
Making this work (through NAT) is a nightmare.
It’s can be even worse for VOIP
8
2010 August 17 Hurricane Electric Page
Why do we need IPv6(3. NAT breaks remote management)
Branch offices behind NAT are not easily managed from remote locations
9
Kaduna Office
Bamenda Office
InternetRemote Management
Station
Tokyo Office
Adelaide Office
2010 August 17 Hurricane Electric Page
Why do we need IPv6(4. Other IPv4 Limitations) Only 3.2 billion global unicast addresses Figure at least 5 IP addresses per person World Population 6.5 Billion Also need addresses for servers, provider
infrastructure, etc. IPSec implemented as an afterthought mostly
at L4
10
2010 August 17 Hurricane Electric Page
Why do we need IPv6?(5. Other Implications of NAT) Single points of failure -- NAT Gateway keeps state Additional hardware resources to maintain state
tables/translation tables Breaks end-to-end model [p2p, voip, etc.] and hinders
incoming connections to inside hosts Significant overhead/application bloat dedicated to
working around NAT Causes problems for audit and abuse identification Complicates network troubleshooting and event
correlation
11
2010 August 17 Hurricane Electric Page
Why do we need IPv6?(6 -- The final answer) Even with NAT, we’re still rapidly running out of IPv4
addresses. IANA ran out in February. APNIC may be out as early as June. The largest three RIRs (APNIC, ARIN, RIPE NCC) will
likely be out* in less than a year, probably before the end of 2011.
* The definition of “out” is subjective and depends on the size block being requested.
12
2010 August 17 Hurricane Electric Page
Features of IPv6?
2^96 times as much address space (3.4x1038 addresses total)
No NAT IPSec built into the layer 3 protocol Path MTU discovery built in and required to work
(don’t indiscriminately block ICMP6) Multiple addresses per interface, easier and less
disruptive renumbering Very large subnets -- no more need to count
hosts13
2010 August 17 Hurricane Electric Page
Why a new protocol?
There simply aren’t enough addresses in IPv4 Restore the end-to-end model of communication enabling
significant innovation Smart grids IP Telephony & IPTV Smart devices (TVs, refrigerators, etc.) “Internet of Things” Internet access on planes, trains, and automobiles
Growing demand for addresses to reach more people While we’re at it, fix some (not all) of the issues with IPv4
14
2010 August 17 Hurricane Electric Page
Applications that require IPv6(not possible in IPv4) Green Tech - Give all energy consuming devices
an address and manage/monitor remotely Global IP Telephony - No intermediate servers Give all users the ability to host services
Video streams Personal web site or blog Host games (Console or PC games)
Natural Disaster warning systems Improved access to EMS, Medical telepresence
15
2010 August 17 Hurricane Electric Page
The choice to be made:
Which Approach will you take?
16
IPv4/IPv6 Dual Stack NowIPv4 is just fine.
We just need more NAT!!My dual stack
network is runninggreat!
2010 August 17 Hurricane Electric Page
Part 1 - Nuts and Bolts
First, we’ll teach you about all the little pieces that make IPv6 possible (basics)
Addresses Nomenclature Address Structure Address Scopes and Purposes Etc.
17
2010 August 17 Hurricane Electric Page
IPv6 -- The basics1. Address Notation 8 groups of 4 hex digits (16 bits) separated by colons (:) Rules for shortening:
Drop any leading zeroes in a group Replace ONE set of consecutive 0 groups with ::
Example: 2001:0001:0000:0000:00A1:0CC0:01AB:397A
18
2001:0001:0000:0000:00A1:0CC0:01AB:397A
2001:1:0:0:A1:CC0:1AB:397A
2001:1::A1:CC0:1AB:397A
2010 August 17 Hurricane Electric Page
IPv6 -- The Basics2. Types of IPv6 Addresses
19
Type Sub-Types Notes
Unicast
Global Unicast Currently 2000::/3
Unicast
Protocol Use Uses such as 6to4 , Teredo
Unicast Unspecified Default route or unknown address (::/0)Unicast
Loopback ::1/128
Unicast
Link Local fe80::/16 for use only on local link
Multicast Used to implement all ‘broadcast-like’ behaviorUsed to implement all ‘broadcast-like’ behavior
Anycast Globally Unique address shared by multiple hostsGlobally Unique address shared by multiple hosts
2010 August 17 Hurricane Electric Page
IPv6 -- The Basics3. Address Scopes
20
Type Notes
Global Routed throughout the entire IPv6 Internet
Link Local
•Can be used only by nodes on same link
•Never forwarded by routers•Prefix fe80::/10•IPv6 hosts automatically generate one per interface•Can also be manually configured•Requires ZoneID (%interface) for disambiguation
Unique Local
•Can be used with any site or group of sites on agreement•ULA Random (fd00::/8) High probability of uniqueness•fc00::/8 Reserved for future use (coordinated ULA?)
2010 August 17 Hurricane Electric Page
IPv6 -- The basicsAnatomy of a Global Unicast address
Every end site gets a /48 Global Unicast currently being allocated from 2000::/3
Top: Provider assigned Bottom: Provider Independent
21
3 bits 9 bits 20 bits 16 bits 16 bits 64 bits
001 IANA to RIR
RIR to ISP
ISP to End Site
Net Interface ID
001 IANA to RIR RIR to End SiteRIR to End Site Net Interface ID
3 bits 9 bits 36 bits36 bits 16 bits 64 bits
2010 August 17 Hurricane Electric Page
IPv6 -- The basicsAnatomy of a Link Local address
Always fe80::/64, re-used on every link Never forwarded off-link (link scope) Must be present for interface to participate in
IPv6, Automatically configured ZoneID used to disambiguate different links
22
16 bits 48 bits 64 bits
fe80 0 Interface ID
2010 August 17 Hurricane Electric Page
IPv6 -- The BasicsResolving Link Local Scope Ambiguity with Zone ID
Recall: every link has link local address in fe80::/64So out which interface should the router send out a packet to fe80/64?ZoneIDs (or scopeIDs) disambiguate by specifying the interface to which the address belongs.Specified as [RFC4007]: address%zoneIDZoneID could be the interface number or other identifier.e.g ping fe80::245:bcff:fe47:1530%fxp0 [on a FreeBSD system]
23
fe80::212:6bff:fe54:f99a
R
N1
Fe 0/0Fe 0/1
N2
M2 M1
fe80::212:6bff:fe3a:9e9a
fe80::212:6bff:fe17:fc0f fe80::245:bcff:fe47:1530
2010 August 17 Hurricane Electric Page 24
IPv6 -- The basicsAnatomy of Unique Local Addresses [RFC4193]
Like RFC1918 but lower chance of collision Prefix fc00::/7 + “L flag” (bit 8) indicates whether prefix is locally
assigned [1] or globally assigned [0]. (Global currently deprecated) Scope is global, but, filtered by most routers and ignored by most
eBGP peers fd00::/8 Global IDs generated at random (RFC4198) Uniqueness is NOT guaranteed but highly likely
17
8 bits 40 bits 16 bits 64 bits
fdXX Global ID SubnetID Interface ID
2010 August 17 Hurricane Electric Page 25
IPv6 -- The basicsAnatomy of a 6to4 Transition Address
WWXX:YYZZ is the hex form of a public IPv4 address Used to create global prefixes and hosts for v6 capable sites on the
IPv4 internet Better in theory than practice Example address: 192.159.10.200/32 (IPv4) becomes
2002:c09f:0ac8::/48 (65,536 IPv6 subnets for every IPv4 host)
17
48 bits48 bits 16 bits 64 bits
2002WWXX:YYZZIPv4 Address
SubnetID Interface ID
2010 August 17 Hurricane Electric Page 26
IPv6 -- The basicsAnatomy of an IPv4-Mapped Transition Address
Usually represented as ::ffff:w.x.y.z where w.x.y.z is a normal address Internally represents an IPv4 node to an IPv6 node Never used on the wire Simplifies software development for dual-stack (treat all connections as
IPv6)
17
80 bits 16 bits 32 bits
0 ffff IPv4 Address
2010 August 17 Hurricane Electric Page 27
IPv6 -- The basicsISATAP Transition Addresses
64 bit prefix (fe80:: for link local, others depend on ISATAP server being used)
Patented by SRI, License free Most widespread implementation of ISATAP is Teredo Brittle and hard to troubleshoot A poor substitute for native IPv6 connectivity or better tunnel choices
17
64 bits 32 bits 32 bits
Prefix 0000:5efe Private IPv4 Address
2010 August 17 Hurricane Electric Page 28
IPv6 -- The basicsAnatomy of a Multicast Address
Flags determine whether the address is transient, based on a unicast prefix, or embeds an RP address
ff00::/8 Permanent groupIDs are independent of scope while transient groupIDs
are only relevant within their scope.
17
8 bits 4 bits 4 bits 112 bits
ff Flags Scope GroupID
2010 August 17 Hurricane Electric Page
Flag and Scope Bits in Multicast Addresses
29
The Flag FieldThe Flag Field
Bit Position Description
Bit 3 Undefined
Bit 2 (R flag) Rendezvous Point address is embedded (1) or not (0)
Bit 1 (P flag) Address is based on a unicast prefix (1) or not (0)
Bit 0 (T flag) Address is IANA defined (0) or transient (1)
The Scope FieldThe Scope FieldThe Scope Field
Binary Hex Scope
0001 1 Interface
0010 2 Link
0100 4 Admin
0101 5 Site
1000 8 Organisation
1110 E Global
Others Unassigned or Reserved
2010 August 17 Hurricane Electric Page
Some Reserved/Well Known Multicast Groups
30
Some Well-Known/Reserved Multicast GroupsSome Well-Known/Reserved Multicast GroupsSome Well-Known/Reserved Multicast Groups
Address Scope Description
FF01::1 1=Interface All nodes on the interface
FF02::1 2=Link All nodes on the link
FF01::2 1=Interface All routers on the interface
FF02::2 2=Link All routers on the link
FF05::2 5=site All routers in the site
FF02::5 2=Link All OSPFv3 routers
FF02::6 2=Link OSPFv3 designated routers
FF02::A 2=Link All EIGRPv6 routers
FF02::D 2=Link All PIM routers
FF02::1:FFXX:XXXX 2=Link Solicited-node address
2010 August 17 Hurricane Electric Page
Solicited-Node Multicast Address
Used as destination for Neighbor Solicitation Constructed from prefix ff02::1:ff00:0/104 and the last
24 bits of the IPv6 address Every node will listen to and respond to its solicited
node address ALlows link-layer address resolution to not disturb
(most) unconcerned nodes.
31
Prefix InterfaceID
FF02:1::FF00: Lower 24 bits
104 bits 24 bits
2010 August 17 Hurricane Electric Page
IPv6 - The BasicsAddress Type Rehash
32
Summary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address Types
TYPESTRUCTURESTRUCTURESTRUCTURESTRUCTURESTRUCTURESTRUCTURESTRUCTURESTRUCTURE
TYPE16 BITS 16 BITS 16 BITS 16 BITS 16 BITS 16 BITS 16 BITS 16 BITS
Global Unicast Global IDGlobal IDGlobal ID Subnet ID Interface IDInterface IDInterface IDInterface ID
ULA-Reserved fcxx 00 Subnet ID Interface IDInterface IDInterface IDInterface ID
ULA-Local fdxx 00 Subnet ID Interface IDInterface IDInterface IDInterface ID
Link-Local fe80 000 Interface IDInterface IDInterface IDInterface ID
IPv4 Mapped 00000 ffff <IPv4 Address><IPv4 Address>
6to4 2002 <IPv4 Address><IPv4 Address> Subnet ID Interface IDInterface IDInterface IDInterface ID
ISATAP <64bit v6 Prefix><64bit v6 Prefix><64bit v6 Prefix><64bit v6 Prefix> 0 5efe <IPv4 Address><IPv4 Address>
Unspecified 00000000
Loopback 0000000 1
Multicast ff<LS> Multicast GroupIDMulticast GroupIDMulticast GroupIDMulticast GroupIDMulticast GroupIDMulticast GroupIDMulticast GroupID
2010 August 17 Hurricane Electric Page
IPv6 - The BasicsAddress Type Rehash
33
Summary of IPv6 Address TypesSummary of IPv6 Address TypesSummary of IPv6 Address Types
Type Range Application
Global Unicast 2000::/3 Normal host to host communications
Link-local fe80::/10 Connected-link communications
Anycast 2000::/3 One to Any (Any=topologically closest)
Unique-local fc00::/7 Normal host to host communications within a site
IPv4-mapped Represent an IPv4 address in IPv6 format
6to4 2002::/3 Automatic transition mechanism
ISATAP Intra-site transition mechanism
Unspecified ::/0 When node doesn’t have an address
Loopback ::1/128 Used for intra-node communications
Multicast ff00::/8 One to Many
2010 August 17 Hurricane Electric Page
IPv6 -- The basicsHow Global Unicast is Allocated
34
2000::/3 0::/0 (IETF»IANA)
2610::/12(IANA»RIR)
(RIR»LIR) 261f:1::/32 (204 /32s per Pixel)
261f:1:d405::/48 (409.6 /48s per pixel)(IANA or RIR » End Site)
2010 August 17 Hurricane Electric Page 35
IPv6 -- The basicsHow Global Unicast is Allocated
30
261f:1:d405::/48 (409.6 /48s per pixel)(IANA or RIR » End Site)
261f:1:d405:e008:/48 (409.6 /64s per pixel)(IANA or RIR » End Site)
The Numbers: 8 /3s, one of which is in use 512 /12 allocations to RIRs in first /3 (6 used so far) 1,048,576 LIR /32s in each RIR /12 65,536 /48 Assignments in each /32
2010 August 17 Hurricane Electric Page
IPv6 -- The BasicsGlobal Unicast in perspective The Numbers (cont.)
The first /12 assigned to each RIR can support 68,719,476,736 /48 End Sites
There are 506 /12s remaining if that’s not enough for any particular region.
Many ISPs will require more than a /32, but, even if we figure a /28 for every ISP on average, that’s still enough addresses for 65,536 ISPs in each RIR region without exhausting their first /12. (There are currently fewer than 30,000 BGP speaking ISPs worldwide)
In short... There is more than enough address space for liberal assignments under current and any likely policy.
36
2010 August 17 Hurricane Electric Page
IPv6 -- The BasicsSimple IPv6 Header
37
0....3 4...7 8...11 12...15 16...19 20...23 24...27 28...31Version Class of TrafficClass of Traffic Flow LabelFlow LabelFlow LabelFlow LabelFlow Label
Payload LengthPayload LengthPayload LengthPayload Length Next HeaderNext Header Hop LimitHop Limit
Source AddressSource AddressSource AddressSource AddressSource AddressSource AddressSource AddressSource Address
Destination AddressDestination AddressDestination AddressDestination AddressDestination AddressDestination AddressDestination AddressDestination Address
Total length: 40 octetsTotal length: 40 octetsTotal length: 40 octetsTotal length: 40 octetsTotal length: 40 octetsTotal length: 40 octetsTotal length: 40 octetsTotal length: 40 octets
2010 August 17 Hurricane Electric Page
IPv6 -- The BasicsExtension Headers
38
Hop-by-Hop Options Header(s)
Destination Options Header(s) (Intermediate)
Routing Header(s)
Fragmentation Header
Authentication Header
Encapsulation Secure Payload Header
Destination Options Header (final)
2010 August 17 Hurricane Electric Page
IPv6 -- The BasicsPutting Headers Together
39
40404040
242424
242424
88
Version Traffic ClassTraffic Class Flow LabelFlow LabelFlow LabelFlow LabelFlow LabelPayload LengthPayload LengthPayload LengthPayload Length Next Header=43 (Routing)Next Header=43 (Routing) H. LimitH. Limit
Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Source IPv6 Address (c/o Address of Mobile Node A) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)Destination IPv6 Address (c/o Address of Mobile Node B) (128 bits)
NH=60 (Dest.)NH=60 (Dest.) HdrExtLen=2HdrExtLen=2 Rout.Type=2 Seg.Left=1Seg.Left=1Seg.Left=1Reserved (0) (32 bits)Reserved (0) (32 bits)Reserved (0) (32 bits)Reserved (0) (32 bits)Reserved (0) (32 bits)Reserved (0) (32 bits)Reserved (0) (32 bits)Reserved (0) (32 bits)
Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)Home Address of Mobile Node B (128 bits / 16 Octets)NH=44 (Fragment)NH=44 (Fragment) HdrExtLen=2HdrExtLen=2 Opt.Type=1 Opt.Len=2Opt.Len=2Opt.Len=2
0000 Opt.Type=201 Opt.Len=16Opt.Len=16Opt.Len=16Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)Home Address of Mobile Node A (128 bits / 16 Octets)
NH=6 (TCP) Rsvd. Fragment OffsetFragment OffsetFragment OffsetFragment Offset Res. MIdentificationIdentificationIdentificationIdentificationIdentificationIdentificationIdentificationIdentification
UL Header (TCP)UL Header (TCP) PayloadPayloadPayloadPayloadPayloadPayload
2010 August 17 Hurricane Electric Page
User Lab 1 -- IPv6 Newbie
Go to http://tunnelbroker.net Create an account Begin your training Take the Newbie Test
40
2010 August 17 Hurricane Electric Page
IPv6 -- Address PlanningDon’t oversimplify too much! There are lots of people saying “ISPs get
/32s, end sites get /48s.” That’s an unfortunate oversimplification. ISPs get AT LEAST a /32 and can get
whatever larger allocation they can justify. End sites should get at least a /48 and should
be given whatever larger assignment they can justify.
42
2010 August 17 Hurricane Electric Page
IPv6 -- Address PlanningMethodology Don’t start with a /32 and figure out how to
make your needs fit within it. Start by analyzing your needs and apply for a
prefix that will meet those needs. In your analysis, it’s worth while to try and
align allocation units to nibble boundaries. A nibble boundary is a single hex digit, or, a number 2^n such that n is a multiple of 4. (e.g. 16, 256, 4096, 16384, 65536...)
43
2010 August 17 Hurricane Electric Page
IPv6 Address PlanningAnalysis Start with the number of end sites served by
your largest POP. Figure a /48 for each. Round up to the a nibble boundary. (if it’s 3,000 end sites, round up to 4096, for example... a /36 per POP.
Next, calculate the number of POPs you will have. Include existing POPs and likely expansion for several years. Round that up to a nibble boundary, too. (140 POPs, round up to 256).
44
2010 August 17 Hurricane Electric Page
IPv6 Address PlanningAnalysis Now that you have an address size for each
POP (4096 = 12 bits in our example) and a number of POPs (256 = 8 bits in our example), you know that you need a total of POP*nPOPs /48s for your network (4096*256=1,048,576 or 12+8=20 bits).
48 bits - 20 bits is 28 bits, so, you actually need a /28 to properly number your network.
You probably could squeeze this into a /32, but, why complicate your life unnecessarily?
45
2010 August 17 Hurricane Electric Page
IPv6 Address PlanningApply for your addresses Now that you know what size block you need,
the next step is to contact your friendly neighborhood RIR (Regional Internet Registry) and apply.
Most RIRs provide either an email-based template or a web-based template for you to fill out to get addresses.
If you are a single-homed end-user, you usually should get your addresses from your upstream rather than an RIR.
46
2010 August 17 Hurricane Electric Page
IPv6 Address PlanningThe bad news The addressing methodology I described above
may not be consistent with RIR policy in all regions (yet)*.
This means you might have to negotiate to a smaller block.
All RIRs have an open policy process, so, you can submit a proposal to enable this kind of allocation, but, that may not help you immediately.
* Adopted 2011-3 in ARIN, mostly permitted in RIPE, not yet discussed in AfriNIC or LACNIC.
47
2010 August 17 Hurricane Electric Page
IPv6 Address PlanningThe good news Having things on nibble boundaries is
convenient, but, not necessary. ip6.arpa DNS delegations Human Factors Routing Table management Prefix lists
The techniques that follow should work either way.
48
2010 August 17 Hurricane Electric Page
IP Address PlanningCarving it up For the most part, you’ve already done this. Take the number you came up with for the
nPOPs round-up and convert that to a number of bits (256 = 8 bits in our example).
Now, take what the RIR gave you (/28 in our example) and add that number to the above number (28+8 = 36) and that’s what you need for each POP (a /36 in our example).
49
2010 August 17 Hurricane Electric Page
IPv6 Address PlanningCarving it up Now let’s give address segments to our POPs. First, let’s reserve the first /48 for our
infrastructure. Let’s use 2000:db80 - 2000:db8f as our example /28.
Since each POP gets a /36, that means we have 2 hex digits that designate a particular POP.
Unfortunately, in our example, that will be the last digit of the second group and the first digit of the third group.
50
2010 August 17 Hurricane Electric Page
IPv6 AddressingCarving it up Strategy
Sequential Allocation Advantage: Simple, easy to follow Advantage: POP Numbers correspond to addresses DisAdvantage: Complicates unexpected growth
Allocation by Bisection Advantage: Simplifies growth Advantage: Greatest probability of Aggregation Disadvantage: “Math is hard. Let’s go shopping!”
51
2010 August 17 Hurricane Electric Page
IPv6 AddressingAllocation by Bisection Bisection? What does THAT mean? Simple... It means to cut up the pieces by
taking the largest remaining piece and cutting in half until you have the number of pieces you need.
Imagine cutting up a pie into 8 pieces...
52
First, we cut it in half...Then we cut it in half againThen AgainAnd finally a fourth cut
2010 August 17 Hurricane Electric Page
IPv6 AddressingAllocation by Bisection It’s a similar process for IPv6 addresses.
Let’s start with our 2001:db80::/28 prefix. We’ve already allocated 2001:db80:0000::/48 Our available space is now 2001:db80:0001:: to
2001:db8f:ffff:ffff:ffff:ffff:ffff:ffff. Cutting that in half we get 2001:db88:0000::/36 as our first POP address.
That leaves the largest chunk at 2001:db88:1000:: to 2001:db8f:ffff:ffff:ffff:ffff:ffff:ffff. Cutting that in half, we get 2001:db8c:0000::/36 as our next POP
53
2010 August 17 Hurricane Electric Page
IPv6 Address PlanningAllocation by Bisection After repeating this for 19 POP allocations,
we have a table that looks like this:
54
Infrsastructure 2001:db80:0000:/48 POP1 2001:db88:0000::/36
POP12 2001:db80:8000::/36 POP13 2001:db88:8000::/36
POP8 2001:db81:0000::/36 POP9 2001:db89:0000::/36
POP4 2001:db82:0000::/36 POP5 2001:db8a:0000::/36
POP14 2001:db83:0000::/36 POP15 2001:db8b:0000::/36
POP2 2001:db84:0000::/36 POP3 2001:db8c:0000::/36
POP16 2001:db84:8000::/36 POP17 2001:db8c:8000::/36
POP10 2001:db85:0000::/36 POP11 2001:db8d:0000::/36
POP6 2001:db86:0000::/36 POP7 2001:db8e:0000::/36
POP18 2001:db87:0000::/36 POP19 2001:db8f:0000::/36
2010 August 17 Hurricane Electric Page
IPv6 Address PlanningAllocation by Bisection Notice how by doing that, most of the /36s we
created have 15 more /36s before they run into allocated space and all have at least 7.
Notice also that if any POPs get larger than we expect, we can expand them to /35s, /34s, /33s, and most all the way to a /32 without having to renumber.
By default, at /36, each pop has room for 4096 /48 customers. End sites that need more than a /48 should be extremely rare*.
55
2010 August 17 Hurricane Electric Page
IPv6 Address PlanningAllocation by Bisection* End Site means a single customer location,
not a single customer. Many customers may need more than a /48, but, with 65,536 /64 subnets available, even the largest building should be addressable within a /48.
56
2010 August 17 Hurricane Electric Page
TAKE A BREAK
It’s come time to accommodate that basic reality... Humans don’t do well sitting in one place for extended periods of time listening to the same person blather on and on no matter how interesting the topic.
EVERYONE stand up. EVERYONE leave the room for at least the
next 10 minutes. EVERYONE try to be back within 20 minutes,
please. There’s still lots to cover.57
2010 August 17 Hurricane Electric Page
Part 2 - Making it work
Now that we’ve covered the nuts and bolts, let’s talk about how they go together into subassemblies and assemblies to make a working network.
59
2010 August 17 Hurricane Electric Page
IPv6 Host Administration
Configuring IPv6 on Linux /etc/network/interfaces How to configure SLAAC How to configure a Static Address
60
2010 August 17 Hurricane Electric Page
IPv6 Host Administration
How to manually configure an interface Depends on your OS
MacOS -- System Preferences Linux
Debi-oid -- /etc[/network]/interfaces (depending on version) Red Hat-oids -- /etc/sysconfig/network-scripts/ifcfg-<iface>
Windows -- Control Panel Setting an interface up to get an address from
SLAAC Usually no configuration required Linux may require one-two line text config.
61
2010 August 17 Hurricane Electric Page
IPv6 and DNS
Forward IPv6 resolution AAAA Records
Mostly the same as A records Right Hand side is an IPv6 Address in standard
abbreviated form (e.g. 2620:0:930::200:2) 96 more bits, no magic.
Reverse IPv6 resolution PTR Records, just like IPv4
ip6.arpa instead of in-addr.arpa No abbreviating Each nibble is a zone boundary
62
2010 August 17 Hurricane Electric Page
IPv6 DNS Examples
Forward:dualhost.example.com. IN AAAA 2001:db8::5 IN A 192.9.200.5
Reverse:5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR ipv6host.example.com
or:$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.5.0.0.0.0.0.0.0.0.0.0.0 IN PTR dualhost.example.com.
Note: in-addr.arpa and ip6.arpa are separate zones maintained in separate files.
63
2010 August 17 Hurricane Electric Page
IPv6 DeploymentNative connectivity Native connectivity is, by far, the simplest and
cleanest way to deploy IPv6. Just like IPv4 (mostly) but with bigger
addresses that look different. Example:
64
DEVICE=eth0ONBOOT=yesMTU=1280IPADDR=192.159.10.2NETMASK=255.255.255.0GATEWAY=192.159.10.254
IPV6INIT=yesIPV6ADDR=2620:0:930::0200:1/64IPV6_DEFAULTGW=2620:0:930::1IPV6_AUTOCONF=no
2010 August 17 Hurricane Electric Page
IPv6 DeploymentUsing Tunnels Slightly more complicated than native
connectivity MTU problems Lower MTU reduces performance on some
platforms. (Significantly on some versions of Windows)
Harder to Configure or harder to Troubleshoot (depending on tunnel solution chosen)
65
2010 August 17 Hurricane Electric Page
IPv6 Tunneling6in4 or GRE Tunnels Require manual configuration Direct point to point tunnel
between two known (and configured) IPv4 nodes
6in4 is very similar to GRE, but, only IPv6 inside IPv4 payload, protocol 41.
GRE can support both IPv6 and IPv4 in an IPv4 payload, protocol 47.
66
Example:gr-0/0/0 { unit 2 { description "HE Tunnel Broker"; point-to-point; tunnel { source 24.4.178.41; destination 64.71.128.83; path-mtu-discovery; } family inet6 { mtu 1280; address 2001:470:1f03:9c::2/64; } }
}
2010 August 17 Hurricane Electric Page
IPv6 Tunneling6to4 Autotunneling
67
Also uses protocol 41 like 6in4 tunneling, but, uses IPv4 anycast and automatic IPv6 address construction based on IPv4 address.
Nothing to configure, per se, just turn it on. Non-deterministic. Changes can occur anywhere in the network. No control over which 6to4 gateway you use. Hard to troubleshoot Easy to deploy (when it works)
2010 August 17 Hurricane Electric Page
IPv6 tunnelingTeredo
68
Developed by Microsoft. Automatically on by default in Windows since
Vista Present in Windows since XP SP1 Works through NAT Even Microsoft calls it a “Last Resort” for
IPv6 connectivity. Unless you absolutely need it, disable it and block it at your firewall.
2010 August 17 Hurricane Electric Page
Routing LAB 1
Design the Network Plan the addressing for the lab network Assign addresses to various hosts Configure your host with the following information
IPv4 Address IPv6 Address DNS Forward Zone
Add your host to the appropriate ip6.arpa zone
69
2010 August 17 Hurricane Electric Page
AS65201 AS65202
AS65203 AS65204
Team 1Machine 1
Team 1Machine 2
Team 1Machine 3
Team 1Machine 4
Team 2Machine 1
Team 2Machine 2
Team 2Machine 3
Team 2Machine 4
Team 3Machine 1
Team 3Machine 2
Team 3Machine 3
Team 3Machine 4
Team 3Machine 1
Team 3Machine 2
Team 3Machine 3
Team 3Machine 4
IXP
Routing Lab 1 Design Criteria
70
Divide into 4 teams Each team has 4 systems See Diagram Exercise Goals:
Numbering Plan Number all interfaces Ping all adjacent machines
2010 August 17 Hurricane Electric Page
IPv6 RoutingRIPng Just like RIPv2 for IPv4 Don’t do this Same reasons as RIPv2. Don’t do this It’s just a bad idea. Really, Don’t use RIP.
71
2010 August 17 Hurricane Electric Page
IPv6 RoutingOSPF OSPF3 can handle both IPv6 and IPv4 (most
vendors) OSPF2 (common version) is only IPv4. OSPF3 available on most routers, but,
requires configuration as OSPF3, not just “OSPF”.
Can run OSPF2 for IPv4 and OSPF3 simultaneously on most routers
Largely like IPv4 OSPF2 configuration
72
2010 August 17 Hurricane Electric Page
IPv6 RoutingOSPFv3 differences from OSPFv2 Router and Network LSA don’t carry IP addresses, new
type 9 LSA instead. Relies on AH and ESP instead of having authentication
in OSPF protocol Advertises all prefixes on the interface LSAs now have Flooding Scope Supports multiple instances per link - only routers in the
same instance form adjacencies For all neighbor communications, all packets are
sourced from link-local addresses with the exception of virtual links.
73
2010 August 17 Hurricane Electric Page
IPv6 RoutingOSPFv3 LSA types
74
LSA Type
Common Name
DescriptionDescription Flooding Scope
1 Router LSA Describes a router’s link states and costs of its links to one area.Describes a router’s link states and costs of its links to one area. Area
2 Network LSA Generated by a DR to describe the aggregated link state and costs for all routers attached to an areaGenerated by a DR to describe the aggregated link state and costs for all routers attached to an area
Area
3 Inter-Area Prefix LSA for ABRs
Originated by ABRs to describe interarea networks to routers in other areas.Originated by ABRs to describe interarea networks to routers in other areas.
Area
4 Inter-Area Router LSA for ASBRs
Originated by ASBRs to advertise the ASBR location.Originated by ASBRs to advertise the ASBR location. Area
5 Autonomous System External LSA
Originated by an ASBR to describe networks learned from other protocols (redistributed routes).Originated by an ASBR to describe networks learned from other protocols (redistributed routes).
Autonomous System
8 Link LSA Advertises link-local address and prefix(es) of a router to all other routers on the link as well as option information. Sent only if more than one router is present on a link.
Advertises link-local address and prefix(es) of a router to all other routers on the link as well as option information. Sent only if more than one router is present on a link.
Link
9 Inter-Area Prefix LSA for ABRs
Performs one of two functionsPerforms one of two functions Area9 Inter-Area Prefix LSA for ABRs
Associates a list of IPv6 prefixes with a transit network by pointing to a Network LSAAssociates a list of IPv6 prefixes with a router by pointing to a Router LSA
Area
Still requires a 32 bit Router ID Either configure a loopback interface with an IPv4
address or Set the router-id in the appropriate configuration
block Note: router-id does not require an
IPv4 address and OSPF3 can workwithout IPv4.
Example: Juniper SRX-100
2010 August 17 Hurricane Electric Page
IPv6 RoutingOSPFv3 Configuration
75
ospf3 { export static-to-ospf; area 0.0.0.0 { interface lo0.0 { passive; } interface fe-0/0/0.0; interface gr-0/0/0.20; interface gr-0/0/0.21; }}
2010 August 17 Hurricane Electric Page
Routing Lab 2OSPF within your AS Refer back to the lab diagram Exercise Goals:
Assign routable Loopback addresses to each router
Get Quagga running Configure OSPF for all intra-AS interfaces (do not
configure OSPF for interfaces that connect to the IXP or other AS machines)
Make sure that each router in your AS can ping the loopback of every other router in your AS.
76
2010 August 17 Hurricane Electric Page
IPv6 Security -- IPSEC
What is IPSEC? IPSEC is a mechanism for protecting the
authentication and privacy of IP datagrams. Essentially acts as a tunnel in most cases. IPv4 IPSEC was backported from IPv6
development. IPv4 hacked IPSEC in as an L4 protocol with
some additional UDP/other workarounds. IPv6 IPSEC is implemented entirely in extension
headers.
77
2010 August 17 Hurricane Electric Page
Authentication and Privacy --What they mean Authentication
Who sent this? Is it exactly what the originator sent?
Privacy Only the intended recipient should be able to
know the content. Replies should only be viewable by the original
sender. Others should only see nothing (or meaningless
gibberish).
78
2010 August 17 Hurricane Electric Page
Encryption does both? -- How?
Encryption for Authentication Usually involves digitally signing a digest (hash,
checksum, or CRC) of the protected data. Signing = encrypt with local private key. Recipient then recomputes digest and compares
to decrypted signature (decrypted with remote public key). (Anyone can validate the authentication in this case, not just the recipient).
Technically this is known as “Authentication Header” or AH.
79
2010 August 17 Hurricane Electric Page
Encryption does both? -- Continued. Encrypting for Privacy
Entire payload (and possibly original headers) are encrypted.
This is done using Encapsulated Secure Payload (ESP for short).
Can use either of two forms of encryption: Symmetric (both sides have a known shared secret)
Less resource (processor) intensive algorithms Key distribution issues
Asymmetric (Public Key/Private Keys used) Simpler Key dstribution Higher resource (processor) utilization (lower performance?)
80
2010 August 17 Hurricane Electric Page
Cryptography 101
Shared Secrets -- The Challenge: You don’t yet have a secure channel. A chooses the secret and must tell B. A must tell B without C seeing/hearing. How?
Mail (postal) a CD (some risk) Sneaker-Net a USB-key (high-overhead, low frequency
of key changes, difficulty increases with distance) Telephone (risky) Other suggestions?
81
2010 August 17 Hurricane Electric Page
Why not just use Asymmetric?
Very CPU intensive Need to encrypt high-data-rate flows at wire-
speed. (many of them in some cases). Capable hardware is extremely expensive
(though GPUs may be changing this). Maintaining a Reliable Public Key
Infrastructure is non-trivial Compute time goes up exponentially with key
length.
82
2010 August 17 Hurricane Electric Page
What about the best of both worlds? Known as a Diffie-Hellman-Merkle Key Exchange
83
2010 August 17 Hurricane Electric Page
Diffie-Hellman-Merkle continued Mathematically, this is done with “multiplicative group of
integers modulo P”. Alice and Bob agree on the value of P (the public
modulus, a prime number) and g (the public “base”, an agreed finite cyclic generator). These numbers can be very large prime numbers in the case of 2048 bit keys.
Alice and Bob pick random numbers a and b, respectively.
They each send the other (A)=ga%p and (B)=gb%p. They compute s=Ba%p=Ab%p Alice and Bob now both know s. Eavesdroppers may
know g,p,A,B, but not a, b, or s.
84
2010 August 17 Hurricane Electric Page
Why does that work?
For one and only one simple reason... Factoring large numbers is hard. Determining a,b, or s from A, B, p, and g basically
requires you to determine the original prime factors a and b. (which you can validate using A and B with p and g).
So far, no real improvements over brute force trials of all primes until a and b are “discovered”.
Caveat: GPUs are making brute force faster, cheaper, easier.
85
2010 August 17 Hurricane Electric Page
Getting back to IPSEC
IPSEC already does all the math for you and implements the Diffie-Hellman-Merkle algorithm. It’s often called “Perfect Forward Secrecy” or “PFS” and is part of the Internet Key Exchange or “IKE”.
Understanding the above basics helps when it comes time to troubleshoot IKE.
86
2010 August 17 Hurricane Electric Page
IPSEC -- How it works
Can use AH, ESP, or AH+ESP. Two modes of ESP
Tunnel Mode Entire original packet is encrypted as payload of a new
ESP datagram. Usually used to connect network(s) to network(s) across
public link. Sometimes used for host to network(s) (User VPN) or
host to host (Host VPN). Transport Mode
Only the packet payload is encrypted.
87
2010 August 17 Hurricane Electric Page
IPSECESP Transport Mode In transport mode, routing remains unaltered
and only the payload is encrypted. If AH is used with ESP Transport Mode, the
packet header cannot be modified without invalidating the packet.
Strictly a Host to Host security association.
88
2010 August 17 Hurricane Electric Page
IPSECESP Tunnel Mode The entire original IP datagram is encrypted
as payload of a new datagram. Used to create VPNs for network-to-network
or host-to-network communications. Can be used for host-to-host, but Transport
mode is usually preferred and has less overhead.
89
2010 August 17 Hurricane Electric Page
Configuring IPSECThis shouldn’t be this hard! It isn’t so much hard as it is complex. StrongSwan Configuration Files:
strongswan.conf Daemon Parameters Library Parameters
ipsec.conf Overall IPSEC configuration
ipsec.secrets Shared Secrets RSA Private Keys
[daemon_name].conf Daemon specific configuration e.g. xl2tpd.conf for xl2tp (L2TP) daemon.
90
2010 August 17 Hurricane Electric Page
Configuring IPSECConfiguration Files (cont.) Example strongswan.conf
Specifies which plugins to load into charon daemon.
91
# /etc/strongswan.conf - strongSwan configuration file
charon { hash_and_url = yes load = curl aes des sha1 sha2 md5 pem pkcs1 gmp random nonce x509 \
revocation hmac stroke kernel-netlink socket-default updown}
2010 August 17 Hurricane Electric Page 92
Example ipsec.secrets
Local Private Key file is in moonKey.pem
Configuring IPSECConfiguration Files (cont.)
# /etc/ipsec.secrets - strongSwan IPsec secrets file
: RSA moonKey.pem
2010 August 17 Hurricane Electric Page
Configuring IPSECConfiguration Files (Cont.) Example ipsec.conf file
93
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
ca strongswan! cacert=strongswanCert.pem! certuribase=http://ip6-winnetou.strongswan.org/certs/! crluri=http://ip6-winnetou.strongswan.org/strongswan.crl! auto=add
conn %default! ikelifetime=60m! keylife=20m! rekeymargin=3m! keyingtries=1! keyexchange=ikev2! mobike=no
2010 August 17 Hurricane Electric Page 94
Configuring IPSECConfiguration Files (Cont.) Example ipsec.conf file (Cont.)
conn net-net! also=host-host! leftsubnet=2001:db8:4000::/36! rightsubnet=2001:db8:c000::/36
conn host-host! left=2001:db8:4000::1! leftcert=moonCert.pem! [email protected]! leftfirewall=yes! right=2001:db8:c000::2! [email protected]! auto=add
2010 August 17 Hurricane Electric Page
Securing OSPF3
OSPF3 does not provide for MD5 or Password authentication the way OSPF2 did.
Instead, to secure OSPF3, you must establish the neighbor relationship across an IPSEC Security Association in transport mode.
95
2010 August 17 Hurricane Electric Page
OSPF3 Security
Juniper Example:
96
security {ipsec {
security-association ospf-neighbor {mode transport;manual {
direction bidirectional {protocol ah;spi 256;authentication {
algorithm hmac-md5-96;key ascii-text “$9$<encrypted key text>”;
}}
}}
}}
2010 August 17 Hurricane Electric Page
OSPF3 Security
Juniper Example (Cont.):
Note: All neighbors on a segment must share a common SA.
97
protocols {ospf3 {
area 0.0.0.0 {interface ge-0/0/0 {
ipsec-sa ospf-neighbor;}
}}
}
2010 August 17 Hurricane Electric Page
IPv6 RoutingeBGP Nearly identical to BGP for IPv4 Different vendors have different ways of
differentiating routing tables Cisco: address-family ipv6
Misconfigurations usually silently ignore your intent Juniper: family inet6
Misconfigurations usually result in an error message
98
2010 August 17 Hurricane Electric Page
IPv6 RoutingeBGP
99
Configuration Example: Juniper SRX-100
bgp { family inet { unicast; } family inet6 { unicast; } local-as 1734; group l42 { family inet { unicast; } family inet6 { unicast; } export to-l42; peer-as 8121; neighbor 192.124.40.129; neighbor 2620:0:930:7fff::1 { family inet6 { unicast; } } }}
2010 August 17 Hurricane Electric Page
IPv6 RoutingiBGP Same set of differences as IPv4 e vs. i BGP. All border routers must peer in a mesh IGP must provide reachable routes to all
routers. Peering best between loopbacks. All the IPv4 lessons and best practices apply.
100
2010 August 17 Hurricane Electric Page
IPv6 RoutingiBGP
101
Configuration Example: Juniper SRX-100
bgp { local-as 1734; group internal { type internal; export ibgp-next-hop-self; peer-as 1734; neighbor 2620:0:930:7000::1 { family inet6 { unicast; } export v6-next-hop-self; } neighbor 192.124.40.193 { local-address 192.124.40.194; import via-cable; family inet { unicast; } } }}
2010 August 17 Hurricane Electric Page
Routing Lab 3iBGP and eBGP Exercise Goals:
Configure iBGP mesh among all intra-AS loopbacks.
When complete, have an instructor or aide validate your team’s iBGP configuration before proceeding to the next step.
Configure eBGP sessions to each ASN at the IXP. Configure eBGP session to the neighboring ASN
via the private peering link.
102
2010 August 17 Hurricane Electric Page
User Lab 2 -- IPv6 Explorer
Go to http://tunnelbroker.net Log in if you aren’t still logged in Make sure you have working IPv6
connectivity Restart your browser, go back to tunnel
broker. Click on the link to get your Explorer
certification.
103
2010 August 17 Hurricane Electric Page
IPv6 -- Much like IPv4 was supposed to be This time with enough Addresses
Basic weight comparison: If IP addresses were a unit of mass, then, if IPv4 weighed the same as 7 liters of water, IPv6 would weigh the same as the entire planet Earth.
104
2010 August 17 Hurricane Electric Page
IPv6 Transition IssuesThings that don’t route packets Software Upgrades
In-house tools Porting to IPv6 network Adding IPv6 address capability to
databases parsers data structures etc.
Vendor Provided Software Start talking to them now if you aren’t already You’re not the only one asking, no matter what they say. Call their bluff.
105
2010 August 17 Hurricane Electric Page
IPv6 Transition IssuesThings that forward packets Hardware Upgrades
Firewalls Really old routers Intrusion Detection systems Load Balancers Printers -- Probably just leave on internal IPv4. Clock sources Other infrastructure Other odd appliances
106
2010 August 17 Hurricane Electric Page
IPv6 OperationsSLAAC and the need for RA-Guard Stateless Autoconfiguration provides a very
convenient way to number hosts. Unfortunately, all routers are created equal,
including the ones created by someone else. In DHCP, a rogue server tends to break things. With RA, a rogue router can intercept traffic
without breaking anything. RA Guard blocks RA transmissions on
switchports not defined as routers.
108
2010 August 17 Hurricane Electric Page
IPv6 OperationsDHCPv6 Overview Can assign prefix lengths other than /64 Bootstrapped by RS/RA process DHCP-PD -- Potentially very useful feature for
ISPs Can provide DNS, NTP, and other server
locations (RA/SLAAC cannot, but, ND has a process for doing DNS servers).
Limited field deployment/support so far. IETF religious problem (SLAAC vs. DHCP war)
109
2010 August 17 Hurricane Electric Page
DHCPv6 Process and Options
It all begins with Router Solicitation Three ways to get an automatic address:
StateLess Address Auto-Configuration (SLAAC) Stateless DHCP (SLAAC address + DHCP “other info”) Stateful DHCP
All three methods start when the host sends a Router Solicitation Packet
110
2010 August 17 Hurricane Electric Page
DHCPv6 ProcessStep by Step
111
Step # SLAAC Statless DHCPv6
Stateful DHCPv6
1
22
3
Host sends out a Router Solicitation to the “All Routers on Link” multicast addressHost sends out a Router Solicitation to the “All Routers on Link” multicast addressHost sends out a Router Solicitation to the “All Routers on Link” multicast addressRouter(s) send back a Unicast Router AdvertisementRouter(s) send back a Unicast Router AdvertisementRouter(s) send back a Unicast Router AdvertisementM=0,O=0 M=0,O=1 M=1,O=?Host completes auto-configuration
Host requests DHCPv6 Information (if host supports DHCPv6)
Host requests DHCPv6 Information (if host supports DHCPv6)
2010 August 17 Hurricane Electric Page
DHCPv6 ProcessHost that supports SLAAC+DHCPv6
112
M0,O0 M0, O1 M1,O?
RA contains On-Link Prefixes
SLAAC SLAAC Address, DHCP other information
DHCP Address, SLAAC Address?, DHCP other information
RA does not contain On-Link Prefixes
No Automatic Global AddressNo Automatic Global Address
DHCP Address, DHCP other information
2010 August 17 Hurricane Electric Page
DHCPv6 ProcessSLAAC Only Host
113
M0,O0 M0, O1 M1,O?
RA contains On-Link Prefixes
SLAAC SLAAC Address
SLAAC Address?
RA does not contain On-Link Prefixes
No Automatic Global AddressNo Automatic Global AddressNo Automatic Global Address
2010 August 17 Hurricane Electric Page
Some caveats about RA contents Lots of knobs
It is important to understand what the nobs do before you turn them.
Example: No Advertise vs. No Autoconfig No Advertise removes the prefix from the issued RAs No Autoconfig leaves the prefix in the RA, but turns off
the A flag for that prefix which will prevent the host from using that prefix to configure a local address, but will still treat the prefix as local for Neighbor Solicitation rather than using the default router to reach hosts with that prefix.
114
2010 August 17 Hurricane Electric Page
Adding IPv6 to a Web Server
Start with a working IPv4 web server:
115
Listen 192.159.10.7:80<VirtualHost 192.159.10.7:80> Handler cgi-script .cgi .pl ServerName www.delong.com SuexecUserGroup owen nogroup Options +FollowSymLinks ServerAdmin [email protected] DocumentRoot /var/www/sites/delong.com/pages</VirtualHost>
2010 August 17 Hurricane Electric Page
Adding IPv6 to a Web Server
Add the configuration for IPv6:
Restart Apache Test!
116
Listen 192.159.10.7:80Listen [2620:0:930::400:7]:80<VirtualHost 192.159.10.7:80 [2620:0:930::400:7]:80> Handler cgi-script .cgi .pl ServerName www.delong.com SuexecUserGroup owen nogroup Options +FollowSymLinks ServerAdmin [email protected] DocumentRoot /var/www/sites/delong.com/pages</VirtualHost>
2010 August 17 Hurricane Electric Page
User Lab 3 -- IPv6 Enthusiast
Go to http://tunnelbroker.net Log in if you aren’t still logged in Get a user code If you need a domain, bring me your web server
IP address and I will create one for you. Configure your web server on your machine. Create a file named <usercode>.txt in your
document root. Test Take quiz, get Enthusiast Certification
117
2010 August 17 Hurricane Electric Page
Packet Filtersip6tables
118
ip6tables much like iptables Excerpt from my ip6tables configuration
-A RH-Firewall-1-INPUT -d 2620:0:930::200:2/128 -m state --state NEW -m tcp -p tcp --dport 3784 -j ACCEPT-A RH-Firewall-1-INPUT -d 2620:0:930::200:1/128 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT-A RH-Firewall-1-INPUT -d 2001:470:1f00:3142::200:1/128 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT-A RH-Firewall-1-INPUT -d 2620:0:930::200:2/128 -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT
2010 August 17 Hurricane Electric Page
Packet FiltersCisco ACL Cisco ACLs for IPv6 just like IPv4 (mostly):
Reflexive Temporary ACL (REFLECTOUT) OUTBOUND creates state table entries using reflect
keyword INBOUND evaluates packets against state table.
119
ipv6 access-list OUTBOUND permit tcp 2001:DB8:0300:0201::/32 any reflect REFLECTOUT permit udp 2001:DB8:0300:0201::/32 any reflect REFLECTOUT deny fec0:0:0:0201::/64 any
ipv6 access-list INBOUND evaluate REFLECTOUT
interface ethernet 0 ipv6 traffic-filter OUTBOUND out ipv6 traffic-filter INBOUND in
2010 August 17 Hurricane Electric Page
Packet FiltersJuniper Filter Very similar to Juniper IPv4 filters
120
interfaces {ge-0/0/0 {
unit 0 {family inet6 {
filter {input tcp_filter;
}}
}}
}firewall {
family inet6 {filter tcp_filter {
term 1 {from {
next-header tcp;tcp-flags syn;
}then {
count tcp_syn_pkt;log;accept;
}}
}}
}
2010 August 17 Hurricane Electric Page
Security Concerns in IPv6
Mostly the same as IPv4 Buffer Overruns Misconfigured Firewalls Errant Route Filters Social Engineering Attacks Malware/Trojans/Adware DoS
Some new attacks unique to IPv6 Neighbor Table Overflow/Scanning Extension Headers
121
2010 August 17 Hurricane Electric Page
IPv6 Unique AttacksNeighbor/Router Discovery Unlikely, but possible
Most require Link Local acces High Risk, Low Value for attacker
Mostly DoS oriented Scanning Attack -- NT Exhaustion Fake ND Responses
Possible Traffic Snooping Rogue RA
122
2010 August 17 Hurricane Electric Page
IPv6 Unique AttacksExtension Headers Primarily used to facilitate other forms of
attack In some cases, extension headers can be used to
evade attack mitigation by pushing the relevant information into the second fragment.
Very low value proposition for most attackers Some hosts have Ext. Header vulnerabilities
due to bugs in the header parsing code. Most of these have been resolved in current software.
123
2010 August 17 Hurricane Electric Page
IPv6 Security Best Practices
Some good IPv6 Security resources: http://www.sans.org/reading_room/whitepapers/
detection/complete-guide-ipv6-attack-defense_33904
http://csrc.nist.gov/publications/nistpubs/800-119/sp800-119.pdf
http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/IPv6.shtml
http://www.cisco.com/web/about/security/security_services/ciag/documents/v6-v4-threats.pdf
124
2010 August 17 Hurricane Electric Page
IPv6 Security Best Practices
IPv6 Security Toolkit Fernando Gont has released these tools:
http://twitter.com/teamcymru/status/234908090766589952
nmap 6 now supports IPv6 No host enumeration capabilities as yet.
125
2010 August 17 Hurricane Electric Page
Lazy IPv6 deployments = insecurity Many people add IPv6 to hosts without
applying the same diligence as the IPv4 configuration. If you have iptables rules, remember to add
comparable ip6tables rules. If your web server has rewrite rules for v4, make
sure they apply equally to v6. If your application has different v4 and v6 code
paths, make sure all the security patches, etc. get incorporated into the v6 code.
126
2010 August 17 Hurricane Electric Page
IPv6 SecurityExploitable Vulnerabilities From the SANS paper:
What is it about the IPv6 application vulnerability which may be exploited to gain access to the target machine? There is no difference with an IPv4 application vulnerability like stack-based buffer overflow, heap-based buffer overflow, format string vulnerability, off-by-one vulnerability, null pointer dereference, and others which may be used to execute the command remotely and to gain access to the vulnerable machine.
In other words... 96 more bits, no magic. All the same problems still have all the same solutions.
127
2010 August 17 Hurricane Electric Page
IPv6 SecurityMan in the Middle Various forms of MITM attacks possible in
IPv6 Spoofed ICMPv6 Neighbor Advertisement
Same as ARP spoofing in IPv4 Solution: Secure Neighbor Discovery (SEND)
Spoofed ICMPv6 Router Advertisement Similar to rogue DHCP server, but injects default router
only, so less visible. Solution: RA-Guard
128
2010 August 17 Hurricane Electric Page
IPv6 Smurf Attack
Similar principal to IPv4 smurf Must have local access to amplification network
(bigger challenge and easier to trace than IPv4 Smurf)
Send All-Hosts multicast packets with target as source address
129
Gargamel just turned on IPv6!!!
2010 August 17 Hurricane Electric Page
IPv6 SecurityDAD DOS DOH!
130
Duplicate Address Detection A denial of service attack is possible by making all
new nodes think any address they try is a duplicate Simply reply with an ICMPv6 Neighbor
Advertisement in response to any ICMPv6 Neighbor Solicitation.
Only disables new nodes trying to join network. Requires link local access Easily identified and mitigated, minimal benefit to
attacker
2010 August 17 Hurricane Electric Page
IPv6 SecurityFragmentation Attack Stick important headers in subsequent
fragments to avoid IDS Unique to IPv6 in that IPv6 extension headers
make this easier to do.
131
2010 August 17 Hurricane Electric Page
IPv6 SecurityOther attacks
Routing Loop attack against auto-tunnels Teredo can bypass IPv4 IDS and/or Firewall
132
2010 August 17 Hurricane Electric Page
Email over IPv6
Now that we have our web server running on IPv6, our next step is to get email working.
IPv4 only sendmail.mc fragment:
Same fragment for dual-stack:
133
dnl # The following causes sendmail to listen for both protocolsdnl #DAEMON_OPTIONS(`port=smtp, Name=MTA, Family=inet6')dnldnl #dnl # If IPv6_V6ONLY doesn’t work correctly you might also need:dnl #dnl DAEMON_OPTIONS(`Name=MTA-v4, Family=inet')
dnl # IPv4 only Listener configurationDAEMON_OPTIONS(`Name=MTA-v4, Family=inet')
2010 August 17 Hurricane Electric Page
Postfix on Mac
Command Line launchctl unload /System/Library/LaunchDaemons/
org.postfix.master.plist defaults write /System/Library/LaunchDaemons/
org.postfix.master RunAtLoad -bool true defaults write /System/Library/LaunchDaemons/
org.postfix.master KeepAlive -bool true launchctl load /System/Library/LaunchDaemons/
org.postfix.master.plist; launchctl start org.postfix.master /etc/postfix/main.cf
inet_protocols = all myhostname = [yourname].training.delong.com
134
2010 August 17 Hurricane Electric Page
User Lab 4 -- Administrator
Use the same domain you used for the web site. Create a user account.
Set up your SMTP server to work with IPv6 Update sendmail.mc to listen on both protocols. “make sendmail.cf” Restart sendmail
Go back to Tunnelbroker. Generate new user code and put in email address. Receive email and put usercode from email into web
form. Take quiz
135
2010 August 17 Hurricane Electric Page
IPv6 DNS
DNS is very similar to IPv4 DNS. Forward:
IPv4: foo.com. IN A 192.0.2.123 IPv6: foo.com. IN AAAA 2001:db8::2:123
Reverse: IPv4: 123.2.0.192.in-addr.arpa. IN PTR foo.com. IPv6:3.2.1.0.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR foo.com.
(See, identical except the font size) ;-)
136
2010 August 17 Hurricane Electric Page
User lab 5 -- IPv6 Professional
This one is a gimme. Your RDNS for your mail server should already be set up.
Go to Tunnelbroker. Test the RDNS for your mail server. If it
reports a problem, come to me, we’ll look at it together.
Take the quiz.
137
2010 August 17 Hurricane Electric Page
IPv6 Glue Records
What is a glue record? DNS Hierarchy has a bootstrapping problem. If ns.he.net serves he.net, you need to have the
address of ns.he.net in order to ask ns.he.net about he.net (or ns.he.net).
Glue records are address records in the parent domain that point give “hints” to reach nameservers inside the child domain.
A records for IPv4 AAAA records for IPv6
138
2010 August 17 Hurricane Electric Page
IPv6 Glue Records
Example:
Note each of these nameservers are inside the he.net zone. All 5 require glue to be resolvable in order to query the he.net zone.
139
$ORIGIN NET.he IN NS ns1.he.net. IN NS ns2.he.net. IN NS ns3.he.net. IN NS ns4.he.net. IN NS ns5.he.net.
2010 August 17 Hurricane Electric Page
IPv6 Glue Records
IPv4 Only glue record set:
For dual-stack, we added these:
140
ns1.he.net. IN A 216.218.130.2ns2.he.net. IN A 216.218.131.2ns3.he.net. IN A 216.218.132.2ns4.he.net. IN A 216.66.1.2ns5.he.net. IN A 216.66.80.18
ns2.he.net. IN AAAA 2001:470:200::2ns3.he.net. IN AAAA 2001:470:300::2ns4.he.net. IN AAAA 2001:470:400::2 ns5.he.net. IN AAAA 2001:470:500::2
2010 August 17 Hurricane Electric Page
User lab 6 -- IPv6 Sage
This one is also a gimme as your zone should already have glue records.
Browse Tunnelbroker Test the glue records Take the quiz Don’t forget to specify your T-Shirt size
141
2010 August 17 Hurricane Electric Page
IPv6 Anycast
Two Kinds of Anycast Both essentially provide a common service from
multiple hosts. Both deliver a packet to at least one of a group of
hosts sharing a common IP address. IPv6 RFCs define certain types of subnet local
anycast addresses (prefix:fdff:ffff:ffff:ffxx where xx is in the range 80-ff)
More general anycast is implemented identical to IPv4 Anycast and is in much more common use.
143
2010 August 17 Hurricane Electric Page
IPv6 Deployment -- Next Steps This was just an introduction. Hopefully you have enough knowledge to build
an IPv6 test lab and start gaining experience. Use a tunnel at first if you need to. Don’t forget to pressure your vendors so that
they are ready when you need them to be (or only a little late) Network Equipment
144
2010 August 17 Hurricane Electric Page
IPv6 Deployment -- Next Steps part 2 Build your test lab Try it out Try different scenarios Get to know what works and doesn’t work in
your particular environment Help is available
ARIN IPv6 wiki: http://www.getipv6.info Hurricane Electric: http://www.tunnelbroker.net “Rent” me: [email protected]
145
2010 August 17 Hurricane Electric Page
Parting Thoughts: What if IP Addresses were M&Ms -- IPv4 IPv4: Standard network size: /24
Number of usable addresses: 254
Number of /24s: Aprox. 14.5 Mililon
146
One IPv4 /24 -- 254 M&Ms
Full Address Space, One M&M per/24 covers 70% of a football* field
*An American Football field
2010 August 17 Hurricane Electric Page
Parting Thoughts: IP Addresses as M&Ms -- IPv6 How many M&Ms in IPv6? Standard Network size: /64
Host addresses: 18,446,744,073,709,551,616 Number of Networks:
18,446,744,073,709,551,616 In short, Enough M&Ms to fill the great lakes
in either measure*
147
*Warning: Do not eat 18,446,744,073,709,551,616 M&Ms as adverse health consequences are likely.
2010 August 17 Hurricane Electric Page
If IP addresses were M&MsFinal thought:
They’d taste better.
148
2010 August 17 Hurricane Electric Page
OK.. The real conclusion
You’ve learned a lot about the structure of IPv6 and IPv6 addressing
You’ve learned how to plan your addressing strategy.
You’ve learned a little about deploying IPv6. Mostly, deployment is a lot like IPv4, but,
without the address scarcity.
149
2010 August 17 Hurricane Electric Page
Similarities
Same routing protocols (mostly) Same issues Same solutions (mostly) Similar security models and tactics
Note: NAT isn’t security in IPv4. Stateful ispection provides security, NAT just depends on stateful inspection.
Similar host configuration methods
150
2010 August 17 Hurricane Electric Page
Differences
Much bigger address space Restoration of the End-to-End model of
networking (Really, this is a good thing, even if you find it a little scary at first)
Stateless Autoconfiguration (Slightly) Crippled DHCP DHCP Prefix Delegation Hex Notation No more writing out netmasks (YAY!)
151
2010 August 17 Hurricane Electric Page
Q&A
Contact: Owen DeLong IPv6 Evangelist Hurricane Electric 760 Mission Court Fremont, CA 94539, USA http://he.net/ owend at he dot net +1 (408) 890 7992
?
152