http://etsy.me/KD4Dru
IPv6 Basics
Jan Schaumann <[email protected]>
B60D A9F7 0D89 544A 7995 7D25 5A5B 4375 275F 0BB5
Friday, June 1, 12
What’s the big idea?
Remember... back in February 2011:
Mommy, where do IP addresses come from?
Well,... when an LIR and an RIR love each other very much...
Internet Assigned Numbers Authority (IANA) oversees global IP address/AS number allocation,
root zone management etc.
Regional Internet Registries (RIR) manage the allocation and registration of Internet number resources within a region of the world.
RIRs assign blocks of IP addresses to the Local Internet Registries (LIR).
LIRs are either ISPs, enterprises using a lot of addresses, or academic institutions.
Here’s what’s next:
IANA Address Pool Exhaustion: 2011-02-03
APNIC reached final /8: 2011-04-15
RIPE NCC: 2012-08-08
ARIN: 2013-06-24
LACNIC: 2014-02-04
AFRINIC: 2014-11-09
https://ipv6.he.net/v4ex/sidebar/
You know what else?
1. Go out of business.
2. ???
3. Profit!
In December 2011, Borders sold a /16 for $12 per IP address.
$786,432
What’s the big idea?
Today:
ASes running IPv6: 13.7%
Top 1M sites running IPv6: 1.26%
Yahoo! users served over IPv6 on World IPv6 Day: >1.85M (0.229%)
http://bgp.he.net/ipv6-progress-report.cgi
Why don’t we just switch?
IPv6 was formalized in RFC1883 in December 1995.
http://etsy.me/KqQZcR http://etsy.me/KqRdAK
• ~0.022% of users have a “broken” configuration
• timeouts for IPv4 fallbacks worsen user experience
• consumers are not demanding IPv6 (see chicken)
June 6th 2012
This time it’s for realsies!
• Google
• Facebook
• YouTube
• Yahoo
• Bing
• AOL
• Netflix
• Etsy :-(
Let’s rewind...
http://etsy.me/KDePjL
Yeah, yeah, 32 bits, I know.
01100000000001111010101000100101
96.7.170.37
www.etsy.com
(mumble.frubmle.something.akamai.com)
Remember classful routing?
01100000 000001111010101000100101
That’s silly. Let’s CIDR this mofo!
01100000.00000111.10101010. 00100101
11111111.11111111.11111111. 00000000
/24
CIDR Cheat Sheet
A.B.C.D/N
• N = bits describing network portion
• M = 32 - N = bits describing host portion
• 2^M = number of addresses on this subnet
• 2^M - 2 = number of possible hosts
  • network address
  • broadcast address
• subnet division need not occur on dotted boundary only (divide a /24 into four /26)
The same approach works for IPv6!
IPv4
01100000000001111010101000100101
32 bit address space
=> 2^32 addresses
=> 4,294,967,296 addresses
IPv4
The archetypal prototype that escaped into production.
“It’s my fault.” - Vint Cerf
32-bit space thought sufficient for this experiment started in 1976.
Repeat after me:
There’s nothing as permanent as a temporary solution.
IPv6
00100000000000010000000011011011000000000000000000000000000000000000011110101011000000000000000000000000000000000001001100001011
128 bit address space
=> 2^128 addresses
=> 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
Hmm. That sure is a lot. But is it enough?
“if the earth were made entirely out of 1 cubic millimeter grains of sand, then you could give a unique [IPv6] address to each grain in 300 million planets the size of the earth”
IPv6 addresses
• 8 16-bit words in case-insensitive colon-hexadecimal representation:
  2001:0db8:0000:0000:07AB:0000:0000:130B
• Leading zeros in a field are optional:
  2001:db8:0:0:7AB:0:0:130B
• Successive fields of 0 are represented as ::, but only once in an address:
  2001:db8::7AB:0:0:130B    ok
  2001:db8:0:0:7AB::130B    ok
  2001:db8::7AB::130B       not ok
IPv6 address oddities
• address may include the interface name:
  fe80::e276:63ff:fe72:3900%eth0
• IPv4-mapped addresses (dual-stack only):
  0:0:0:0:0:ffff:166.84.7.99
  ::ffff:a654:763
• brackets are used to separate port from address:
  IPv4: 166.84.7.99:80
  IPv6: [2001:db8::07AB:0:0:130B]:80
IPv6 address scope
• Link-Local (fe80::e276:63ff:fe72:3900%eth0):
  • used on a single link
  • equivalent of 169.254.0.0/16
  • fe80::/64 (usually assigned via SLAAC)
• Unique Local Address (ULA):
  • equivalent of IPv4 RFC1918
  • not globally routable
  • fc00::/7
• Global (Unicast, Anycast, Multicast)
  • unicast: 2a03:2880:2110:3f01:face:b00c::
  • anycast: indistinguishable from unicast
  • multicast: FF00::/8
Of IPv6 classful routing and CIDRs
•unicast addresses starting with 000 are logically divided into two parts: a 64-bit (sub-)network prefix, and a 64-bit interface identifier
•the default subnet size is thus /64
Yes, that’s 18,446,744,073,709,551,616 addresses per subnet.
Yes, that’s 2^32 internets per subnet.
IPv6 Allocations
2001:0db8:0123:4567:89ab:cdef:1234:5678
|||| |||| |||| |||| |||| |||| |||| |||128   Single end-points and loopback
|||| |||| |||| |||| |||| |||| |||| ||124
|||| |||| |||| |||| |||| |||| |||| |120
|||| |||| |||| |||| |||| |||| |||| 116
|||| |||| |||| |||| |||| |||| |||112
|||| |||| |||| |||| |||| |||| ||108
|||| |||| |||| |||| |||| |||| |104
|||| |||| |||| |||| |||| |||| 100
|||| |||| |||| |||| |||| |||96
|||| |||| |||| |||| |||| ||92
|||| |||| |||| |||| |||| |88
|||| |||| |||| |||| |||| 84
|||| |||| |||| |||| |||80
|||| |||| |||| |||| ||76
|||| |||| |||| |||| |72
|||| |||| |||| |||| 68
|||| |||| |||| |||64   Single End-user LAN (default prefix size for SLAAC)
|||| |||| |||| ||60
|||| |||| |||| |56   Proposed minimal end sites assignment
|||| |||| |||| 52
|||| |||| |||48   Default end sites assignment
|||| |||| ||44
|||| |||| |40
|||| |||| 36
|||| |||32   Local Internet registry minimum allocations
|||| ||28   Local Internet registry medium allocations
|||| |24   Local Internet registry large allocations
|||| 20   Local Internet registry extra large allocations
|||16
||12   Regional Internet Registry allocations from IANA
IPv6 transition mechanisms
End goal: native IPv6 / dual-stack
• 6to4
• 6in4
• 6rd
• teredo
• NAT64/DNS64
• terminate at edge of network
•6to4 and 6rd
•NAT64 / DNS64
•6-to-4 load balancer
Enough already! Let’s do something!
http://test-ipv6.com/
EC2 Example
That was exciting! Let’s move on...
See, IPv6 is hilarious!
Hmmm.
Duh.
A few notes so far:
•DNS lookup of AAAA records works over IPv4
•IPv6 may be enabled
  •your interfaces may already have IPv6 addresses
•your host may not be configured for IPv6
•we need different tools for IPv4 and IPv6
Configuring IPv6
Hooray IPv6
Now let’s use it!
Booooooring!
Let’s see who’s out there...
Ah, but IPv6 has no broadcast address.
Instead, IPv6 uses multicast to all-hosts.
IPv4 has ARP...
IPv6 has the Neighbor Discovery Protocol
• NDP used for:
  • router, prefix and parameter discovery
  • address autoconfiguration (SLAAC)
  • address resolution (think ARP)
• uses ICMPv6
• operates on the Internet Layer
• BSD: ndp(8)
• Linux: ip(8), ip-neighbour(8)
ICMPv6: ECHO REQUEST / REPLY
ICMPv6: TIME EXCEEDED / DESTINATION UNREACHABLE
ICMPv6
• much like ICMP in IPv4
  • ECHO REQUEST/REPLY
  • Destination Unreachable
  • Time Exceeded
  • Packet Too Big (PMTU Discovery)
  • Neighbor Discovery Protocol
• ping6(8), traceroute6(8), ...
Sidenote: IPv6 Tunnel Traffic
TCP: Nothing to see here...
UDP: Nothing to see here...
Dual Stack Implications
Regardless of transport mechanism to DNS server:
• ask DNS for AAAA
• if AAAA exists, assume (and use) IPv6 for the connection
• only ask for A if no AAAA was found
• if A exists, use IPv4 for the connection
Address Resolution: C
• replace gethostby* with getaddrinfo(3)
  • RFC3484 section 6 rule 9 prefix-length based sorting may break DNS round-robin
  • you may get back multiple results
• replace sockaddr_in with struct sockaddr_storage
  • use ai_addrlen from the addrinfo result for length
• replace inet_ntoa(3)/inet_aton(3) with inet_ntop(3)/inet_pton(3)
• some OSes default their sockets to IPV6_V6ONLY;
  • check sysctl net.inet6.ip6.v6only

    int on = 1;    /* enable IPV6_V6ONLY on socket s */

    if (setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, (char *)&on, sizeof(on)) == -1)
        perror("setsockopt IPV6_V6ONLY");
    else
        printf("IPV6_V6ONLY set\n");

Without IPV6_V6ONLY, you will get IPv4-mapped addresses (::ffff:192.0.2.128).
Other languages mostly follow logically from C.
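The checklist above as an added C example (not from the original slides): resolve with getaddrinfo(3), keep every result in a struct sockaddr_storage together with its ai_addrlen, and print it numerically in the bracket notation. The names resolve_all, format_endpoint, struct endpoint and the numeric_only switch are assumptions of this example.

```c
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* One resolved endpoint, stored without assuming IPv4 or IPv6. */
struct endpoint {
    struct sockaddr_storage addr;
    socklen_t len;                     /* copied from ai_addrlen */
};

/* Resolve host/port into out[0..max-1]; returns the count or -1.
 * numeric_only is an option of this example: it sets AI_NUMERICHOST so
 * only address literals are accepted and no DNS query is sent. */
int resolve_all(const char *host, const char *port, int numeric_only,
                struct endpoint *out, int max)
{
    struct addrinfo hints, *res, *ai;
    int n = 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;       /* IPv4 and IPv6 alike */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = numeric_only ? AI_NUMERICHOST : 0;
    if (getaddrinfo(host, port, &hints, &res) != 0)
        return -1;
    /* Several results may come back; callers try them in order. */
    for (ai = res; ai != NULL && n < max; ai = ai->ai_next) {
        memcpy(&out[n].addr, ai->ai_addr, ai->ai_addrlen);
        out[n].len = ai->ai_addrlen;
        n++;
    }
    freeaddrinfo(res);
    return n;
}

/* Print as a.b.c.d:port or [v6]:port; returns the family or -1. */
int format_endpoint(const struct endpoint *ep, char *buf, size_t buflen)
{
    char host[80], serv[16];

    if (getnameinfo((const struct sockaddr *)&ep->addr, ep->len,
                    host, sizeof(host), serv, sizeof(serv),
                    NI_NUMERICHOST | NI_NUMERICSERV) != 0)
        return -1;
    if (ep->addr.ss_family == AF_INET6)
        snprintf(buf, buflen, "[%s]:%s", host, serv);
    else
        snprintf(buf, buflen, "%s:%s", host, serv);
    return ep->addr.ss_family;
}
```

Pass numeric_only = 0 to resolve real host names; the loop then returns every A and AAAA result in the order getaddrinfo(3) sorted them.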
Address Resolution: PHP
• use dns_get_record instead of gethostbyname
• fsockopen and friends handle IPv6
• you may need to use bracket notation:
  tcp://[2600:809:600::3f50:412]:80
Address Resolution: Python, Perl etc.
•pretty much depends on the modules used.
•some are terrible, some are great
NodeJS and all the other new hotness
•I have no idea. Sorry.
Beware of IP regexes!
In IPv4, sometimes you can get away with:
• (\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
• (([0-9]+.){3}[0-9]+)
• (25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)
In IPv6... not so much:
/^\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?\s*$/
Better:
    use Socket qw(inet_pton AF_INET AF_INET6);

    if (inet_pton(AF_INET, $ip)) {
        # AF_INET
    } elsif (inet_pton(AF_INET6, $ip)) {
        # AF_INET6
    } else {
        # not an IP address
    }
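An added C example (not from the original slides) of validating without a regex: inet_pton(3) classifies the address, the zone id and port brackets from the "oddities" slide are handled, and an IPv4-mapped address is folded back to IPv4 so that IPv4-based allow/deny rules see the same address. The function names classify_ip and parse_endpoint and that folding policy are assumptions of this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>

/* Classify a bare address with inet_pton(3) instead of a regex. Returns
 * AF_INET, AF_INET6 or 0 (not an IP address); canon gets canonical text.
 * Example policy: ::ffff:a.b.c.d is reported as AF_INET a.b.c.d. */
int classify_ip(const char *text, char *canon, size_t len)
{
    struct in_addr a4;
    struct in6_addr a6;
    char tmp[INET6_ADDRSTRLEN];
    size_t n = strcspn(text, "%");        /* zone id such as %eth0 */
    if (n >= sizeof(tmp) || (text[n] == '%' && text[n + 1] == '\0'))
        return 0;
    memcpy(tmp, text, n);
    tmp[n] = '\0';
    if (text[n] == '\0' && inet_pton(AF_INET, tmp, &a4) == 1)
        return inet_ntop(AF_INET, &a4, canon, len) ? AF_INET : 0;
    if (inet_pton(AF_INET6, tmp, &a6) != 1)
        return 0;
    if (IN6_IS_ADDR_V4MAPPED(&a6)) {
        memcpy(&a4, &a6.s6_addr[12], sizeof(a4));
        return inet_ntop(AF_INET, &a4, canon, len) ? AF_INET : 0;
    }
    return inet_ntop(AF_INET6, &a6, canon, len) ? AF_INET6 : 0;
}

/* Split "a.b.c.d:port" or "[v6]:port", the two forms shown on the page.
 * Returns the family from classify_ip() or 0; *port gets 1..65535. */
int parse_endpoint(const char *s, char *canon, size_t len, int *port)
{
    char host[INET6_ADDRSTRLEN + 32], *e;
    int br = (s[0] == '[');               /* bracketed IPv6 literal? */
    const char *end = br ? strchr(++s, ']') : strchr(s, ':');
    const char *p;
    long v;
    /* "]" must be followed by ":"; without brackets only one ":" */
    if (end == NULL || (br && end[1] != ':') ||
        (!br && strchr(end + 1, ':') != NULL))
        return 0;
    p = end + 1 + br;
    if ((size_t)(end - s) >= sizeof(host) || *p < '0' || *p > '9')
        return 0;
    memcpy(host, s, (size_t)(end - s));
    host[end - s] = '\0';
    if (br && strchr(host, ':') == NULL)  /* brackets are for IPv6 only */
        return 0;
    v = strtol(p, &e, 10);
    if (*e != '\0' || v < 1 || v > 65535)
        return 0;
    *port = (int)v;
    return classify_ip(host, canon, len);
}
```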
So... now what?
• get yourselves a few internets from your LIR (/48, /56)
• assess your infrastructure
  • routers/switches usually ok, but verify
  • verify firewalls, IDS, load balancers, other “appliances”
• choose your transition approach
  • terminate/translate as close to the edge as possible
• use a test domain
• do a short live test, then
  • see what broke
  • review data collection tools (can they cope with 128-bit addresses, new format?)
• use short TTL for DNS records
• repeat
• go live
• Profit!
Links:
http://www.worldipv6launch.org/
https://www.google.com/intl/en/ipv6/statistics/
https://en.wikipedia.org/wiki/IPv6
http://pretty-rfc.herokuapp.com/RFC2460
http://www.slideshare.net/IOSHints/getting-ready-for-world-ipv6-day-in-6-days
http://tunnelbroker.net/
http://test-ipv6.com
https://www.arin.net/policy/nrpm.html
http://ipv6friday.org
Lists:
http://lists.si6networks.com/listinfo/ipv6hackers
http://www.nanog.org/mailinglist/
http://lists.cluenet.de/mailman/listinfo/ipv6-ops