IPv6 workshop-tm-0x1f


Transcript of IPv6 workshop-tm-0x1f

Page 1: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 1

Cisco “Tech Session” Preparing for BYOD & the Internet of Everything, an IPv6 Workshop

Tim Martin

CCIE #2020

Solutions Architect

Spring 2016

Page 2: IPv6 workshop-tm-0x1f


•  BYOD and the Internet of Everything
•  IPv6 Protocol Deep Dive
•  IPv6 Design Considerations
•  IPv6 Campus Design
•  IPv6 Data Center Transitions
•  IPv6 Translation Techniques
•  IPv6 Internet Edge Design
•  Summary

Page 3: IPv6 workshop-tm-0x1f


•  Boomers are retiring, GenX is “tech savvy”, GenY is “tech dependent”

•  2016: GenY (the millennials, 18-34) become the largest workforce segment

•  43% of 18-24 year-olds say that texting is just as meaningful as a phone conversation -eMarketer

•  40% of GenY believe that blogging about workplace issues is acceptable –Iconoculture

•  24% of GenY say that technology use is what makes their generation unique -Pew Research

•  74% of GenY used a smartphone for work purposes in the last year, compared to 37 percent of Baby Boomers -CompTIA

Page 4: IPv6 workshop-tm-0x1f


Page 5: IPv6 workshop-tm-0x1f


Page 6: IPv6 workshop-tm-0x1f


[Diagram: what drives IPv6 – RF Mesh (IEEE 802.15.4), PLC (IEEE 1901.2), LTE, Bluetooth LE, 6LoWPAN, RPL; Infrastructure Evolution; Content & Applications; National IPv6 Strategies; OS Developers]

Page 7: IPv6 workshop-tm-0x1f


• Early Adopters, from ~2001-2005 (6bone)
• Chasm, Refinement from 2005-2009 (Tunneling)
• Early Majority, Launch June 2012 (Transitioning)

[Chart: adoption percentages by phase; values not recoverable from the extracted text]

Page 8: IPv6 workshop-tm-0x1f


[Diagram: 464XLAT – Handset running a Legacy Application and an Intelligent Application; CLAT translates 4→6 on the handset; the Carrier Network is IPv6 only; PLAT translates 6→4 at the Edge Services towards the IPv4 Internet, while IPv6 traffic reaches the IPv6 Internet directly]

•  Legacy applications using embedded literals in their code
•  RFC 6877 464XLAT “fixes” broken code for now

Page 9: IPv6 workshop-tm-0x1f


•  As of iOS 9, all iPhone/iPad apps will support IPv6!

•  Use the networking frameworks (iOS SDK)
•  Avoid use of IPv4-specific APIs (inet_addr)
•  Avoid hard-coded IP addresses (literals)

“If your application doesn’t work properly with IPv6, it will simply not function on those networks, those carriers and for those customers.”

- Sebastien Marineau VP Core OS

Page 10: IPv6 workshop-tm-0x1f


Page 11: IPv6 workshop-tm-0x1f


Page 12: IPv6 workshop-tm-0x1f


Page 13: IPv6 workshop-tm-0x1f


340,282,366,920,938,463,463,374,607,431,768,211,456 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand, 456

•  Lots of talk about how big it is; it’s BIG, do NOT worry about waste

•  Theoretical vs. Practical, split the 128 bits in half

•  64 bits will define the network topology, 64 bits define the host id

18,446,744,073,709,600,000 IPv6 addresses /64 (31,536,000 seconds/yr * 10,000,000 IPv6 addresses/second)

18,446,744,073,709,600,000 / 315,360,000,000,000

= 58,494 years - Ed Horley

Page 14: IPv6 workshop-tm-0x1f


IPv6 Address Family

  Unicast:   Global, Unique Local, Link Local, Special, Embedded
  Multicast: Assigned (Well Known, Temp), Solicited Node
  Anycast

*IPv6 does not use broadcast addressing

Page 15: IPv6 workshop-tm-0x1f


•  Widely used in computing and programming: Hex is a base 16 numerical system, typically expressed with a 0x prefix, e.g. 0x34
•  Every nibble is a Hex character: 4 bits have 16 combinations. Easier than high school algebra

  Converting a hex byte to decimal, column by column:

          16’s | 1’s          100’s | 10’s | 1’s
  0x34:     3  |  4    =        0   |   5  |  2     (3 × 16 + 4 = 52)
  0xac:     a  |  c    =        1   |   7  |  2     (10 × 16 + 12 = 172)

Page 16: IPv6 workshop-tm-0x1f


•  IPv6 addresses are 128 bits long (32 hex characters): 8 groups (words, quads) of 16 bits separated by colons (:)
•  Network or topology portion is the prefix; it includes the “subnet”

  2001 : 0db8 : 0100 : 1111 : 0000 : 0000 : 0000 : 0001     (each group is 16 bits)
  |<------- Network Portion -------->|<-------- Host Portion -------->|
  | Global Route Prefix  | Subnet Id |            Host Id             |

  2001:0db8:0100:1111:0000:0000:0000:0001

Page 17: IPv6 workshop-tm-0x1f


•  Leading 0’s can be omitted
•  The double colon (::) can appear only once

  Full Format:           2001:0db8:0000:0000:0000:0000:1e2a:00a4
  Abbreviated Formats:   2001:db8:0:0:0:0:1e2a:a4
                         2001:db8::1e2a:a4

Page 18: IPv6 workshop-tm-0x1f


Link-Local – Non routable, exists on a single layer 2 domain (fe80::/10)
  fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx

Unique-Local – Routable within administrative domain (fc00::/7)
  fc00:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  fd00:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx

Global – Routable across the Internet (2000::/3)
  2000:NNNN:NNNN:SSSS:HHHH:HHHH:HHHH:HHHH
  3fff:NNNN:NNNN:SSSS:HHHH:HHHH:HHHH:HHHH

Page 19: IPv6 workshop-tm-0x1f


•  Recommended Allocations
   •  Consumer, SMB: /56, /60, /64
   •  Municipal Government, Enterprise, Single AS: /40, /44, /48
   •  State Governments, Universities (LIR): /32, /36, /40
•  Addressing Plan, Site Count
•  IPv4 Allocation, Multi-homed ISP
   •  1 - 12 sites, a /44 assignment
   •  13 - 192 sites, a /40 assignment
   •  193 - 3,072 sites, a /36 assignment
   •  3,073 - 49,152 sites, a /32 assignment

[Diagram: address allocation hierarchy – IANA (2000::/3), Registries (e.g. RIPE, /12), ISP (/32), Org (/48), Level Four Entity / Subordinate; shown for both Provider Aggregatable (PA) and Provider Independent (PI) space]

Page 20: IPv6 workshop-tm-0x1f


•  IPv6 has a specific Ethernet Protocol ID
•  IPv6 relies heavily on Multicast

  IPv4 frame:  Destination Ethernet Address | Source Ethernet Address | 0x0800 | IPv4 Header and Payload
  IPv6 frame:  Destination Ethernet Address | Source Ethernet Address | 0x86DD | IPv6 Header and Payload

  IPv6 multicast MAC address:  33 33 xx xx xx xx

  First octet of a MAC address, bits 0000 00IL: I bit = Local Admin, L bit = Multicast/Broadcast
    0 = Universal/unique
    1 = Local/not unique

Page 21: IPv6 workshop-tm-0x1f


  IPv4 Header (20-60 bytes): Version | IHL | Type of Service | Total Length | Identification | Flags | Offset | Time to Live | Protocol | Header Checksum | Source Address | Destination Address | Options | Padding

  IPv6 Header (40 bytes): Version | Traffic Class | Flow Label | Payload Length | Next Header | Hop Limit | Source Address | Destination Address

•  Length is constant in IPv6
•  Fragmentation occurs in an extension header (EH 44)
•  Options occur in extension headers (EH 0, 60)
•  UDP must have a valid Checksum, unlike v4
•  Upper layer checksums use the Pseudo Header format: SRC/DST Addr + Next Header

Page 22: IPv6 workshop-tm-0x1f


• RFC 6437 – Flow label specification
• RFC 6438 – ECMP & LAG, typically 2-tuple {src, dst IP}
  – Efficiency over searching the header chain
  – Frags, ICMP & Crypto may cause problems
• RFC 7098 – Flow label for Server Load Balancing
  – Flow label is efficient, fixed position in the header
  – 2- or 3-tuple {src, dst IP, flow label}
• Setting the Flow Label
  – Set by host, must not be changed in transit
  – First hop router may set it if the host cannot

  Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)

[Diagram: L3/4 Load Balancer distributing flows to Servers]

Page 23: IPv6 workshop-tm-0x1f


•  EH are daisy chained, processed in order
•  Length is variable, must be on 8 byte boundary

  IPv6 Header → Hop-by-Hop → Destination Opt → TCP Header → Payload

  Extension Header *       Type
  Hop-by-Hop Options       0
  Destination Options      60
  Routing Header           43
  Fragment Header          44
  Authentication Header    51
  ESP Header               50
  Destination Options      60
  Mobility Header          135
  Experimental             253, 254
  No Next Header           59

BRKRST-2116

Page 24: IPv6 workshop-tm-0x1f


  Extension Header         Type
  Hop-by-Hop Options       0
  Destination Options*     60
  Routing Header           43
  Fragment Header          44
  Authentication Header    51
  ESP Header               50
  Destination Options*     60
  Mobility Header          135
  Shim6                    140
  Experimental             253, 254
  No Next Header           59

Page 25: IPv6 workshop-tm-0x1f


  Extension Header         Type   Processing
  Hop-by-Hop Options       0      Processed by every router, must appear first
  Routing Header           43     List of routers to cross
  Destination Options      60     Processed by routers listed in 43
  Fragment Header          44     Processed by destination
  Authentication Header    51     Authenticate packet after reassembly
  ESP Header               50     Cipher the content of remaining information
  Destination Options      60     Processed only by destination

•  Fragmentation EH is applied on the source
•  Destination Option is the only EH allowed to appear more than once

Page 26: IPv6 workshop-tm-0x1f


•  Forwarding nodes should not inspect EH’s (RFC 2460)
•  Discarding EH’s may cause connectivity failures
•  Firewalls, Load balancers, Packet classifiers (RFC 7045)
   Drop valid EH’s if that is part of the operator’s policy
   Routers “Should” process hop-by-hop EH’s
   Drop deprecated RH types 0, 1
•  RFC 6564 – uniform format for extension headers

Page 27: IPv6 workshop-tm-0x1f


•  Header Chains {IPv6, EH’s, Upper Layer Header}
•  ULP Present or {NH = 59} Terminates the Chain
•  IP in IP (2nd IPv6 Header) May Also Terminate
•  First Fragment {Offset = 0, M = 1}, Must Include ULP
•  ICMPv6 Type 4, Code 3: Incomplete Header Chain

  Long chain:   IPv6 (NH = 60) → DO (NH = 60) → DO (NH = 60) → DO (NH = 60) → DO (NH = 60) → DO (NH = 60) → DO (NH = 60) → DO (NH = 60) → DO (NH = 60) → …

  Fragmented:   IPv6 Header (NH = 44) → Frag (NH = 60) → DO (NH = 6, >1400B)
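The rules on pages 21 and 23 to 27 (fixed 40-byte header, 8-byte EH alignment, the chain ending at an upper-layer protocol or NH = 59, and the first fragment having to carry the upper-layer header) are exactly what a firewall or classifier has to implement to reach the transport header. The following added example is not code from the deck: it parses the fixed header, walks the chain with the per-type length rules, and reports why a chain cannot be completed. The two sample packets are constructed to mirror the two chains drawn above.

```python
# Added example (not from the Cisco deck): IPv6 fixed header and extension
# header chain walker following the rules on these slides.
import struct

# Next Header values from the slides
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AUTH, DEST_OPTS, MOBILITY, NO_NEXT = 0, 43, 44, 50, 51, 60, 135, 59
TCP, UDP, ICMPV6 = 6, 17, 58
EH_NAMES = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
            AUTH: "AH", DEST_OPTS: "Dest Opts", MOBILITY: "Mobility"}
# ESP is opaque to a middlebox, so like a real upper-layer header it ends the walk
ULP_NAMES = {TCP: "TCP", UDP: "UDP", ICMPV6: "ICMPv6", ESP: "ESP"}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header (version, TC, flow label, ...)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        raise ValueError(f"not IPv6 (version {first >> 28})")
    return {"traffic_class": (first >> 20) & 0xFF, "flow_label": first & 0xFFFFF,
            "payload_length": payload_len, "next_header": next_header,
            "hop_limit": hop_limit, "src": pkt[8:24], "dst": pkt[24:40]}


def walk_header_chain(pkt: bytes) -> dict:
    """Follow Next Header from the IPv6 header to the upper-layer protocol."""
    hdr = parse_fixed_header(pkt)
    end = min(len(pkt), 40 + hdr["payload_length"])
    chain, nh, off, first_fragment = ["IPv6"], hdr["next_header"], 40, False

    def incomplete(reason):
        return {"chain": chain, "upper_layer": None, "complete": False, "reason": reason}

    while nh in EH_NAMES:
        if off + 8 > end:
            return incomplete("extension header runs past the packet")
        next_nh = pkt[off]
        if nh == FRAGMENT:          # fixed 8 bytes; offset is the top 13 bits of bytes 2-3
            length = 8
            first_fragment = (struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3) == 0
        elif nh == AUTH:            # AH length is in 4-octet units, not counting the first 2
            length = (pkt[off + 1] + 2) * 4
        else:                       # all other EHs: 8-octet units, not counting the first 8
            length = (pkt[off + 1] + 1) * 8
        if length % 8:
            return incomplete(f"{EH_NAMES[nh]} header is not on an 8-byte boundary")
        chain.append(EH_NAMES[nh])
        nh, off = next_nh, off + length
    if off > end:
        # the chain claims more bytes than this packet carries; in a first
        # fragment that is the RFC 7112 case behind ICMPv6 type 4 code 3
        return incomplete("first fragment does not carry the upper-layer header"
                          if first_fragment else "header chain is truncated")
    if nh == NO_NEXT:
        return {"chain": chain + ["No Next Header"], "upper_layer": None, "complete": True, "reason": ""}
    return {"chain": chain + [ULP_NAMES.get(nh, f"proto {nh}")], "upper_layer": nh,
            "complete": True, "reason": ""}


# --- constructed sample packets (not captures) --------------------------------
def ipv6_packet(next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit) + src + dst + payload


def dest_opts(next_header: int, ext_len: int = 0) -> bytes:
    """Destination Options EH padded with one PadN option to (ext_len + 1) * 8 bytes."""
    pad = (ext_len + 1) * 8 - 4
    return bytes([next_header, ext_len, 1, pad]) + bytes(pad)


def fragment_header(next_header: int, offset_units: int, more: bool, ident: int = 0x1234) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), ident)


# slide's first chain: IPv6 -> 8 x Destination Options -> TCP
LONG_CHAIN = ipv6_packet(DEST_OPTS, dest_opts(DEST_OPTS) * 7 + dest_opts(TCP) + bytes(20))
# slide's second chain: a first fragment whose Destination Options EH claims >1400
# bytes, so the TCP header could only arrive in a later fragment
BAD_FIRST_FRAGMENT = ipv6_packet(FRAGMENT, fragment_header(DEST_OPTS, 0, True)
                                 + bytes([TCP, 180, 1, 4]) + bytes(4))

if __name__ == "__main__":
    print(walk_header_chain(LONG_CHAIN))
    print(walk_header_chain(BAD_FIRST_FRAGMENT))
```

A classifier that stops walking when `complete` is false has a policy decision to make: dropping such packets is what RFC 7112 permits for the fragment case, while the truncated non-fragment case is simply a malformed packet.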

Page 28: IPv6 workshop-tm-0x1f


  ICMPv6 Header:  Type | Code | Checksum | Data        (IPv6 Next Header = 58, not 1 as for ICMP)

•  Neighbor Discovery, Router Discovery, Path MTU Discovery and Multicast Listener Discovery (MLD)
•  Type – (1-127) = Error Messages, (128-255) = Informational Messages
•  Code – More Granularity within the Type
•  Checksum – computed over the entire ICMPv6 message
•  Data – Original IPv6 Header, First 8 bytes of ULP, fill to Min MTU (1280)

  Error message types:
  1  Destination Unreachable
  2  Packet Too Big
  3  Time Exceeded
  4  Parameter Problem

Page 29: IPv6 workshop-tm-0x1f


•  Type – (1-127) = Error Messages
•  Code – More Granularity within the Type
•  Checksum – Computed over the entire ICMPv6 message & pseudo header
•  Data – Original IPv6 Header, First 8 bytes of ULP, fill to Min MTU (1280)

•  Destination Unreachable, type (1)
•  Packet Too Big, type (2)
•  Time Exceeded, type (3)
•  Parameter Problem, type (4)

  IPv6 (NH = 58) → ICMPv6: Type | Code | Checksum | Data

Page 30: IPv6 workshop-tm-0x1f


•  Type – (128-255) = Informational Messages
•  Code – More Granularity within the Type
•  Checksum – Computed over the entire ICMPv6 message & pseudo header
•  Data – Message format based on each type of informational message

•  Neighbor discovery, router discovery, Type (133-137)
•  Multicast Listener Discovery (MLD), Type (130-132, 143)
•  Diagnostics using Ping or Traceroute, Type (128, 129)

  IPv6 (NH = 58) → ICMPv6: Type | Code | Checksum | Data
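Pages 21, 29 and 30 all come back to the same point: the ICMPv6 (and UDP) checksum is computed over a pseudo header that binds the source and destination addresses, the upper-layer length and the Next Header value to the message, and a zero UDP checksum is no longer legal. The following added example (not code from the deck) implements that computation, builds and verifies an ICMPv6 Echo Request and a UDP datagram, and shows the two checks a receiver applies. Addresses and payloads are constructed for the example.

```python
# Added example (not from the Cisco deck): RFC 8200 pseudo-header checksum
# for ICMPv6 and UDP, with build and verify helpers.
import struct
import ipaddress

ICMPV6, UDP = 58, 17


def checksum16(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src: str, dst: str, upper_len: int, next_header: int) -> bytes:
    """Pseudo header: src, dst, upper-layer length (32 bits), 3 zero bytes, next header."""
    return (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!IxxxB", upper_len, next_header))


def upper_layer_checksum(src: str, dst: str, next_header: int, segment: bytes) -> int:
    return checksum16(pseudo_header(src, dst, len(segment), next_header) + segment)


def build_echo_request(src: str, dst: str, ident: int, seq: int, data: bytes) -> bytes:
    """ICMPv6 type 128; the checksum is computed with the checksum field zeroed."""
    msg = struct.pack("!BBHHH", 128, 0, 0, ident, seq) + data
    csum = upper_layer_checksum(src, dst, ICMPV6, msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def icmpv6_valid(src: str, dst: str, msg: bytes) -> bool:
    """A correct message sums to zero when verified with its checksum field in place."""
    return len(msg) >= 4 and upper_layer_checksum(src, dst, ICMPV6, msg) == 0


def icmpv6_class(msg: bytes) -> str:
    """Slide rule: types 1-127 are errors, 128-255 informational."""
    return "error" if msg[0] < 128 else "informational"


def build_udp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    seg = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
    csum = upper_layer_checksum(src, dst, UDP, seg) or 0xFFFF  # a computed 0 is sent as all ones
    return seg[:6] + struct.pack("!H", csum) + seg[8:]


def udp_valid(src: str, dst: str, seg: bytes) -> bool:
    """Unlike IPv4, a zero UDP checksum is not allowed over IPv6 and the datagram is dropped."""
    if len(seg) < 8 or seg[6:8] == b"\x00\x00":
        return False
    return upper_layer_checksum(src, dst, UDP, seg) == 0


if __name__ == "__main__":
    src, dst = "2001:db8::1", "2001:db8::2"          # constructed documentation addresses
    req = build_echo_request(src, dst, 0x1234, 1, b"ping")
    print(req.hex(), icmpv6_valid(src, dst, req), icmpv6_class(req))
```

Because the addresses are part of the sum, a message whose IPv6 header was altered in transit fails verification even though the ICMPv6 bytes themselves are untouched; that is the property the pseudo header exists to provide.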

Page 31: IPv6 workshop-tm-0x1f


[Diagram: Path MTU Discovery – Source, then links with MTU 1500, MTU 1500, MTU 1400 and MTU 500 towards the Destination]

  1. Packet, MTU=1500
  2. ICMPv6 Packet Too Big, Use MTU=1400
  3. 2 Packets | EH type 44 | Payload=1380,120
  4. ICMPv6 Type 2 PTB, Use MTU=500
  5. 4 Packets | EH type 44 | Payload=480,480,480,60

Page 32: IPv6 workshop-tm-0x1f


  Similar to IPv4          New in IPv6
  Manually configured      StateLess Address AutoConfiguration (SLAAC) EUI-64
  Assigned via DHCPv6      SLAAC Privacy Extensions
                           *Secure Neighbor Discovery (SeND)

Page 33: IPv6 workshop-tm-0x1f


Building the EUI-64 interface identifier from a 48-bit MAC address:

  MAC address:              00 90 27 17 fc 0f        (OUI 00 90 27, Device Identifier 17 fc 0f)
  Insert ff fe in the middle:  00 90 27 ff fe 17 fc 0f
  Flip the U bit:           02 90 27 ff fe 17 fc 0f

  First octet bits 0000 00U0: U = 1 = Universal/unique, 0 = Local/not unique. The U bit must be flipped.
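The EUI-64 derivation above is mechanical, and its inverse is just as mechanical, which is the privacy issue the next slides address: anyone who sees the address can recover the MAC, and the MAC follows the device across every network. The following added example (not code from the deck) implements both directions and combines the identifier with a /64 prefix the way SLAAC does; the MAC and prefixes are the slide's values plus constructed ones.

```python
# Added example (not from the Cisco deck): modified EUI-64 interface
# identifiers from a MAC address, and recovering the MAC from an address.
from typing import Optional
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface identifier: insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # bit 1 of the first octet is the U/L bit (0x02); ff:fe goes between OUI and device id
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def modified_eui64_to_mac(iid: bytes) -> Optional[str]:
    """Inverse mapping; returns None if the IID does not carry the ff:fe marker."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def address_from_mac(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 IID; use 'fe80::/64' for link-local."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def embedded_mac(addr: str) -> Optional[str]:
    """What an observer learns from an EUI-64 address: the hardware MAC, the same on every network."""
    return modified_eui64_to_mac(ipaddress.IPv6Address(addr).packed[8:])


if __name__ == "__main__":
    mac = "00:90:27:17:fc:0f"                     # the slide's MAC
    print(mac_to_modified_eui64(mac).hex(":"))
    print(address_from_mac("fe80::/64", mac))
    print(address_from_mac("2001:db8:0:1234::/64", mac), "->", embedded_mac(address_from_mac("2001:db8:0:1234::/64", mac)))
```

`embedded_mac` is the defender's half of the story: run over an address inventory it tells you which hosts are still announcing their hardware address in every packet and so are trackable across networks.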

Page 34: IPv6 workshop-tm-0x1f


•  Generated on unique 802 using MD5, then stored for next iteration
•  Enabled by default in Windows, Android, iOS, Mac OS/X, Linux
•  Temporary or Ephemeral addresses for client applications (web browser)

Recommendation: Good for the mobile user, but not for your organization/corporate networks (Troubleshooting and accountability)

  2001:DB8 | 0000 | 1234 | Random Generated Interface ID
    /32      /48    /64

Page 35: IPv6 workshop-tm-0x1f


•  RID = hash (Prefix, Net_Iface, DAD_Counter, secret_key)
•  Generate IID’s that are Stable/Constant for Each Network Interface
•  IID’s Change As Hosts Move From One Network to Another

Implementation of the RID is left to the OS Vendor and MAY differ between Client and Server

  2001:DB8 | 0000 | 1234 | Random ID
    /32      /48    /64
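The hash on this slide is the RFC 7217 construction: the same interface on the same prefix always gets the same identifier, a different prefix gives an unrelated one, and a DAD collision is handled by bumping the counter rather than by revealing anything about the key. The following added example (not code from the deck) realises the slide's function as HMAC-SHA256 over the slide's inputs (RFC 7217 leaves the choice of function to the implementer and also allows a Network_ID input, omitted here), and shows the SLAAC retry loop around DAD. Key, interface name and the "in use" set are constructed for the example.

```python
# Added example (not from the Cisco deck): stable, per-prefix interface
# identifiers in the style of RFC 7217, with the DAD_Counter retry loop.
import hashlib
import hmac
import ipaddress


def stable_iid(prefix: str, net_iface: str, dad_counter: int, secret_key: bytes) -> bytes:
    """F(Prefix, Net_Iface, DAD_Counter, secret_key) from the slide, realised as HMAC-SHA256.

    Only the 64-bit prefix goes into the hash, so any host address on the same
    /64 maps to the same IID; a different /64 gives an unrelated IID.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    data = (net.network_address.packed[:8] + net_iface.encode("utf-8")
            + dad_counter.to_bytes(1, "big"))
    return hmac.new(secret_key, data, hashlib.sha256).digest()[:8]


def stable_address(prefix: str, net_iface: str, dad_counter: int, secret_key: bytes) -> str:
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = int.from_bytes(stable_iid(prefix, net_iface, dad_counter, secret_key), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def configure_with_dad(prefix: str, net_iface: str, secret_key: bytes, in_use, max_retries: int = 3):
    """SLAAC loop: if DAD finds the candidate in use, bump DAD_Counter and try again.

    `in_use` stands in for the answers DAD would get on the link.
    Returns (address, dad_counter) so the counter can be stored for next time.
    """
    for counter in range(max_retries + 1):
        candidate = stable_address(prefix, net_iface, counter, secret_key)
        if candidate not in in_use:
            return candidate, counter
    raise RuntimeError("DAD failed for every DAD_Counter value; administrative intervention required")


if __name__ == "__main__":
    key = b"constructed-secret-key-kept-on-the-host"   # constructed; a real host generates this once
    for pfx in ("2001:db8:0:1234::/64", "2001:db8:0:5678::/64"):
        print(pfx, "->", stable_address(pfx, "eth0", 0, key))
```

The secret key is what separates this from EUI-64: without it an observer cannot link the identifiers a host uses on two different networks, and a host administrator can still recognise its own machines because the mapping is reproducible.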

Page 36: IPv6 workshop-tm-0x1f


•  Source – fe80::1234, Destination – ff02::1:2
•  Client UDP 546, Server UDP 547
•  Original Multicast Encapsulated in Unicast (Relay)
•  DUID – Different from v4, used to identify clients
•  ipv6 dhcp relay destination 2001:db8::feed:1

  Client → DHCPv6 Relay → DHCPv6 Relay → DHCPv6 Server 2001:db8::feed:1

  DHCPv6 Solicit exchange:
  1. SOLICIT (any servers?)
  2. ADVERTISE (want this address?)
  3. REQUEST (I want that address)
  4. REPLY (It’s yours)

Page 37: IPv6 workshop-tm-0x1f


•  Each device has a RSA key pair
•  Ultra light check for validity

[Diagram: Cryptographically Generated Address – RSA Keys (Priv, Pub); Modifier, Public Key and Subnet Prefix form the CGA Params; SHA-1 over the CGA Params yields the Interface Identifier, which is joined to the Subnet Prefix to form the Crypto. Generated Address; SeND Messages carry the CGA Params and a Signature]

Page 38: IPv6 workshop-tm-0x1f


[Diagram: SeND router authorization between a Certificate Authority CA0 (with certificate C0), Router R and a host]

  1. Router certificate request (R → CA0)
  2. Router certificate CR (CA0 → R)
  3. Router Advertisement (R → host)
  4. Certificate Path Solicit (CPS): I trust CA0, who are you?
  5. Certificate Path Advertise (CPA): I am R, this is my certificate CR
  6. Verify CR against CA0
  7. Start using R as default gateway

•  Most OS’s do NOT support it (Vista, 2007/8, OSX, iOS, Android)

Page 39: IPv6 workshop-tm-0x1f


•  Prefix ff00::/8

  8-bit       4-bit   4-bit   112-bit
  1111 1111   0RPT    Scope   Variable format

  Flags (0RPT), first bit 0 = Reserved:
  R = 0  No embedded RP                        R = 1  Embedded RP
  P = 0  Without Prefix                        P = 1  Address based on Prefix
  T = 0  Well Known Address (IANA assigned)    T = 1  Temporary address (locally assigned)

  Scope:
  1  Node
  2  Link
  3  Realm
  4  Admin
  5  Site
  8  Organization
  E  Global

Page 40: IPv6 workshop-tm-0x1f


  Address   Scope        Meaning
  ff02::1   Link-Local   All Nodes
  ff02::2   Link-Local   All Routers
  ff02::5   Link-Local   OSPFv3 Routers
  ff02::6   Link-Local   OSPFv3 DR Routers
  ff02::9   Link-Local   RIPng
  ff02::A   Link-Local   EIGRP

•  FF02 is a permanent address and has link scope
•  Link Operations, Routing Protocols, Streaming Services

Page 41: IPv6 workshop-tm-0x1f


  IPv6 Temporary Multicast Address    ff3e:0040:2001:0db8:cafe:0001:11d7:4cd3
  Corresponding Ethernet Address      33 33 11 D7 4C D3

  IPv6 Well Known Multicast Address   ff02:0000:0000:0000:0000:0000:0000:0001
  Corresponding Ethernet Address      33 33 00 00 00 01

Every IPv6 Multicast address (layer 3) MUST map to a corresponding Ethernet address (layer 2)

Page 42: IPv6 workshop-tm-0x1f


•  MLD uses LL source addresses, Hop Limit = 1
•  MLD packets use “Router Alert” in HBH; Destination is not the router’s interface
•  3 msg types: Query, Report, Done
•  MLDv1 = (*,G) shared, MLDv2 = (S,G) source
•  MLD snooping

  MLD                IGMP                Message Type      ICMPv6 Type   Function
  MLDv1 (RFC 2710)   IGMPv2 (RFC 2236)   Listener Query    130           Used to find out if there are any multicast listeners
                                         Listener Report   131           Response to a query, joins a group
                                         Listener Done     132           Sent by node to report it has stopped listening
  MLDv2 (RFC 3810)   IGMPv3 (RFC 3376)   Listener Query    130           Used to find out if there are any multicast listeners
                                         Listener Report   143           Enhanced reporting, multiple groups and sources

Page 43: IPv6 workshop-tm-0x1f


•  Always uses Link Local (fe80::/64) as its source
•  Hop Limit must be set to 255 (Generalized TTL Security Mechanism)
•  Neighbor discovery messages
   •  Router solicitation (ICMPv6 type 133)
   •  Router advertisement (ICMPv6 type 134)
   •  Neighbor solicitation (ICMPv6 type 135)
   •  Neighbor advertisement (ICMPv6 type 136)
   •  Redirect (ICMPv6 type 137)

  IPv4                        IPv6
  ARP Request (Broadcast)     Neighbor Solicitation (Solicited Node Multicast)
  ARP Reply (Unicast)         Neighbor Advertisement (Unicast)

[Diagram: NDP over IPv6 – RA, RS, NS, NA, Redirects, NUD, DAD]

Page 44: IPv6 workshop-tm-0x1f


•  Router solicitations (RS) are sent by nodes at bootup
•  Routers forward packets as well as provide provisioning services

  RS:  ICMP Type 133, IPv6 Source fe80::a, IPv6 Destination ff02::2, Opt. 1 SLLA (Source Link Layer Address)
  RA:  ICMP Type 134, IPv6 Source fe80::2, IPv6 Destination fe80::a, Data: Options, subnet prefix, lifetime, autoconfig flag

[Diagram: host A sends an RS, the router answers with an RA]

Page 45: IPv6 workshop-tm-0x1f


•  M-Flag – Stateful DHCPv6 to acquire IPv6 address
•  O-Flag – Stateless DHCPv6 in addition to SLAAC
•  Preference Bits – Low, Med, High
•  Router Lifetime – Must be >0 for Default
•  Options – Prefix Information, Length, Flags
•  L bit – Only way a host gets an On Link Prefix
•  A bit – Set to 0 for DHCP to work properly

  RA decode:
  Type: 134 (RA)
  Code: 0
  Checksum: 0xff78 [correct]
  Cur hop limit: 64
  Flags: 0x84
    1... .... = Managed (M flag)
    .0.. .... = Not other (O flag)
    ..0. .... = Not Home (H flag)
    ...0 1... = Router pref: High
  Router lifetime (s): 1800
  Reachable time (ms): 3600000
  Retrans timer (ms): 1000
  ICMPv6 Option 3 (Prefix Info)
    Prefix length: 64
    Flags: 0x80
      1... .... = On link (L Bit)
      .1.. .... = No Auto (A Bit)
    Prefix: 2001:0db8:4646:1234::/64

Page 46: IPv6 workshop-tm-0x1f


  RA message format:
  type = 134 | code = 0 | checksum
  hop limit | M|O|H|pref | router lifetime
  reachable time
  retransmit timer
  options (variable)

•  ICMPv6 – Type, Code, Checksum, Data
•  Data – Body of the Message Type (Required)
•  Option 1 – Source MAC, Option 5 – MTU
•  Option 3 – Prefix and Host Provisioning
•  Option 25 – Recursive DNS Servers, DNS Search List

Page 47: IPv6 workshop-tm-0x1f


•  Router solicitations (RS) defined in RFC 4861: 3 RS’s separated by 4 seconds (min); they could be lost before the upstream network is detected
•  Resilient RS described in RFC 7559: keep trying, engage a backoff algorithm to reduce “noise”

  RS:  ICMP Type 133, IPv6 Source FE80::A, IPv6 Destination FF02::2

[Diagram: host A repeatedly sending RS]

Page 48: IPv6 workshop-tm-0x1f


•  RA’s sent in response to solicitation may be unicast or multicast
   Some networks benefit from periodic multicast (satellite, Lossy)
   Wifi and M2M consume battery charge
•  Optional mechanism for hosts and routers: a new flag in RA & RS is proposed

  RS:  ICMP Type 133, IPv6 Source FE80::A, IPv6 Destination FF02::2
  RA:  ICMP Type 134, IPv6 Source FE80::2, IPv6 Destination FF02::1 or unicast

[Diagram: host A sends an RS, the router answers with an RA]

Page 49: IPv6 workshop-tm-0x1f


•  Tentative – Address in verification process (DAD)
•  Preferred – Address can be used for communication
•  Valid – Address can be used, may be Preferred or Deprecated
•  Deprecated – Address can be used on existing connections
•  Invalid – Address is not available for use

[Diagram: address lifetimes – Tentative → Preferred → Deprecated → Invalid; the Preferred Lifetime covers the Preferred state, the Valid Lifetime covers Preferred and Deprecated]

TECRST-2166

Page 50: IPv6 workshop-tm-0x1f


•  Maintained for each interface connected on a host
•  Host uses the PL & DRL to work out the destination for an outbound packet
•  Then it saves the result in the DC
•  The DC resolves the destination address to the next hop address
•  Host uses neighbor discovery to get the link address and updates the NC

[Diagram: host data structures – Default Router List (DRL), Prefix List (PL), Destination Cache (DC), Neighbor Cache (NC)]

Page 51: IPv6 workshop-tm-0x1f


•  Prefix List – contains on link prefixes (L bit) and validation timers
•  Default Router List – must be a neighbor usable to the host (Pref bits)
•  Destination Cache – resolves next hop IPv6 address and May contain path MTU & RTT information; Can be updated by ICMPv6 redirect message

  Prefix List (PL)          Valid Timer
  fe80::/10                 ∞
  2001:db8:4646:34::/64     322486

  Destination Cache (DC)    Neighbor               PMTU
  fe80::34:1                fe80::34:1             1500
  2001:db8:4646:34::1       2001:db8:4646:34::1    9000
  2001:db8:4646:555::22     fe80::34:1             1500
  2001:db8:4646:717::98     fe80::34:1             1500
  2001:db8:4646:34::38      2001:db8:4646:34::38   9000

  Default Router List (DRL)   Preference
  fe80::34:1                  H
  fe80::34:11                 M
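Pages 50 and 51 describe a small algorithm: consult the Prefix List to decide whether the destination is on-link, otherwise pick the most preferred entry in the Default Router List, and cache the answer in the Destination Cache, where a Redirect or a Packet Too Big can later amend it. The following added example (not code from the deck) runs that decision over the slide's three tables and reproduces the Destination Cache rows shown above; the tables are embedded as constructed data.

```python
# Added example (not from the Cisco deck): next-hop determination from the
# Prefix List and Default Router List, cached in the Destination Cache.
import ipaddress

# host data structures, constructed from the slide's tables
PREFIX_LIST = {                        # on-link prefixes (L bit) with remaining valid time
    "fe80::/10": None,                 # None = infinite
    "2001:db8:4646:34::/64": 322486,
}
DEFAULT_ROUTER_LIST = {"fe80::34:1": "H", "fe80::34:11": "M"}
PREF_RANK = {"H": 2, "M": 1, "L": 0}
destination_cache = {}                 # destination -> {"next_hop": ..., "pmtu": ...}


def next_hop(dst: str, link_mtu: int = 1500) -> str:
    """PL + DRL decide the next hop; the answer is cached in the DC."""
    dst = str(ipaddress.IPv6Address(dst))
    if dst in destination_cache:
        return destination_cache[dst]["next_hop"]
    d = ipaddress.IPv6Address(dst)
    on_link = d.is_multicast or any(d in ipaddress.IPv6Network(p)
                                    for p, timer in PREFIX_LIST.items()
                                    if timer is None or timer > 0)
    if on_link:
        nh = dst                                       # deliver directly
    elif DEFAULT_ROUTER_LIST:
        nh = max(DEFAULT_ROUTER_LIST, key=lambda r: PREF_RANK[DEFAULT_ROUTER_LIST[r]])
    else:
        raise LookupError("destination is off-link and the DRL is empty")
    destination_cache[dst] = {"next_hop": nh, "pmtu": link_mtu}
    return nh


def apply_redirect(dst: str, new_next_hop: str) -> None:
    """An ICMPv6 Redirect (type 137) rewrites the DC entry for one destination.

    A real host first checks the Redirect came from the current first hop
    (RFC 4861 validation); that check is outside this example.
    """
    dst = str(ipaddress.IPv6Address(dst))
    next_hop(dst)                                      # make sure an entry exists
    destination_cache[dst]["next_hop"] = str(ipaddress.IPv6Address(new_next_hop))


def apply_packet_too_big(dst: str, mtu: int) -> None:
    """An ICMPv6 Packet Too Big (type 2) lowers the cached path MTU."""
    dst = str(ipaddress.IPv6Address(dst))
    next_hop(dst)
    destination_cache[dst]["pmtu"] = min(destination_cache[dst]["pmtu"], max(mtu, 1280))


if __name__ == "__main__":
    for d in ("2001:db8:4646:34::38", "2001:db8:4646:555::22", "2001:db8:4646:717::98", "fe80::34:1"):
        print(f"{d:28} -> {next_hop(d)}")
    print(destination_cache)
```

The clamp to 1280 in `apply_packet_too_big` reflects the IPv6 minimum MTU from page 28: a Packet Too Big announcing less than that is not something a host should honour literally.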

Page 52: IPv6 workshop-tm-0x1f


•  Mapping of the neighbor’s IPv6 address to its link layer address
•  Includes the status of the “R” flag in the returned NA’s
•  Must not create a new entry for a “gratuitous” NA, though such an NA can update an existing entry

  Neighbor               Link Layer           Is Router   State
  fe80::34:1             00-00-0C-83-5C-3E    1           Reachable
  2001:db8:4646:34::1    00-00-0C-83-5C-3E    0           Stale
  2001:db8:4646:34::38   04-48-9A-16-37-FB    0           Stale
  ff02::1                33-33-00-00-00-01    0           ~

Page 53: IPv6 workshop-tm-0x1f


•  Incomplete – Pending address resolution, NS message outstanding
•  Reachable – Recently used mapping, Can be refreshed by ULP
•  Stale – Not currently communicating, waiting for next queued packet
•  Delay – Using stale binding, awaiting (ULP) return traffic
•  Probe – Sending Unicast NS to node (after Delay timer, 3x1 sec)

[Diagram: Neighbor Unreachability Detection state machine – No Entry → (send packet, NS) → Incomplete → (NA) → Reachable → (time expired) → Stale → (send packet) → Delay → Probe → (NA or ULP confirmation) → Reachable]

Page 54: IPv6 workshop-tm-0x1f


•  Can be used to cycle to the next router in the DRL
•  In the case of multiple entries in the DRL, NUD should be “quick”
•  RFC 7048 adds a new definition to the state table: “Unreachable”
   Desires to make NUD more robust against network failures
   Speed into the next state, particularly if no other entry exists in the DRL
   Unreachable – Retains the link layer address and switches to Multicast for resolution

  (DRL)         Pref.
  fe80::34:1    H
  fe80::34:11   M

  Neighbor      Link Layer           R   State
  fe80::34:1    00-00-0C-83-5C-3E    1   Probe
  fe80::34:11   00-03-7A-16-37-FB    1   Stale
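The states on pages 52 to 54 form a small machine driven by four events: a packet to send, an NA arriving, a timer expiring, and a confirmation from the upper layer. The following added example (not code from the deck) implements one Neighbor Cache entry with those events, including the two rules the slides call out: an unsolicited (“gratuitous”) NA never creates an entry, and after the probes are exhausted the entry moves to the RFC 7048 Unreachable state keeping its link-layer address rather than being deleted. Addresses and MACs are the slide's.

```python
# Added example (not from the Cisco deck): one Neighbor Cache entry run
# through the NUD states named on these slides, plus RFC 7048 Unreachable.


class NeighborEntry:
    MAX_PROBES = 3            # NS attempts before giving up (the slide's "3x1 sec")

    def __init__(self, ip: str):
        self.ip, self.lladdr, self.is_router = ip, None, False
        self.state, self.probes, self.log = "NO ENTRY", 0, []

    def send_packet(self) -> str:
        """The host has a packet queued for this neighbor."""
        if self.state == "NO ENTRY":
            self.state, self.probes = "INCOMPLETE", 1
            return self._emit("multicast NS to solicited-node group")
        if self.state == "UNREACHABLE":      # RFC 7048: keep lladdr, resolve via multicast again
            self.probes = 1
            return self._emit("send with retained lladdr, multicast NS")
        if self.state == "STALE":
            self.state = "DELAY"
            return self._emit("send with stale lladdr, start DELAY timer")
        return self._emit("send")

    def receive_na(self, lladdr: str, solicited: bool, is_router: bool = False) -> str:
        if self.state == "NO ENTRY" and not solicited:
            return self._emit("gratuitous NA ignored: no existing entry")
        self.lladdr, self.is_router = lladdr, is_router
        self.state = "REACHABLE" if solicited else "STALE"
        return self._emit(f"NA -> {self.state}")

    def ulp_confirmation(self) -> str:
        """Positive reachability advice from TCP etc. refreshes the entry without an NS."""
        if self.lladdr is not None:
            self.state = "REACHABLE"
        return self._emit(f"ULP confirmation -> {self.state}")

    def timer_expired(self) -> str:
        if self.state == "REACHABLE":
            self.state = "STALE"                # reachable time (30 s on page 59) ran out
            return self._emit("reachable time expired -> STALE")
        if self.state == "DELAY":
            self.state, self.probes = "PROBE", 1
            return self._emit("DELAY expired -> PROBE, unicast NS 1")
        if self.state in ("PROBE", "INCOMPLETE", "UNREACHABLE"):
            self.probes += 1
            if self.probes > self.MAX_PROBES:
                if self.state == "INCOMPLETE":
                    self.state, self.lladdr = "NO ENTRY", None    # resolution failed
                else:
                    self.state = "UNREACHABLE"                    # lladdr retained (RFC 7048)
                return self._emit(f"probes exhausted -> {self.state}")
            return self._emit(f"{self.state}: NS {self.probes}")
        return self._emit(f"timer -> {self.state}")

    def _emit(self, action: str) -> str:
        self.log.append((self.state, action))
        return action


if __name__ == "__main__":
    e = NeighborEntry("fe80::34:1")
    e.send_packet()
    e.receive_na("00-00-0C-83-5C-3E", solicited=True, is_router=True)
    for _ in range(6):
        e.timer_expired()
        if e.state == "STALE":
            e.send_packet()
    for state, action in e.log:
        print(f"{state:12} {action}")
```

For a monitoring system the useful signal is the transition into UNREACHABLE on a DRL entry: that is the moment the host will try the next router, and on a link with one router it is the moment connectivity is actually lost.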

Page 55: IPv6 workshop-tm-0x1f


[Diagram: nodes B, A and C on one link; Node A can start using address A once DAD finds no conflict]

•  Unspecified Source (::), No Option 1 SLLA
•  Probing the Local Link to Verify Address Uniqueness
•  An NA Indicates Address in Use, Administrative Intervention Required

  NS:  ICMP Type 135, IPv6 Source UNSPEC = ::, IPv6 Dest. A’s Solicited Node Multicast ff02::1:ff00:a, Query: Anyone Using “a”?
  NA:  ICMP Type 136, IPv6 Source fe80::a, IPv6 Dest. ff02::1, Flags S = 0, O = 1

Page 56: IPv6 workshop-tm-0x1f


•  Unicast address MUST build corresponding solicited-node multicast
•  Solicited-node multicast consists of ff02::1:ff/104 {lower 24 bits from IPv6 Unicast}

  Unicast address:      fe80 0000 0000 0000 1234 5678 9abc fc0f
  Solicited-node:       ff02 0000 0000 0000 0000 0001 ffbc fc0f
  Ethernet address:     33 33 FF BC FC 0F

Every layer 3 IPv6 Multicast address MUST map to the corresponding layer 2 Multicast address
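Pages 39, 41 and 56 are three views of the same two bit-slicing operations: the solicited-node group is ff02::1:ff00:0/104 plus the low 24 bits of the unicast address, the Ethernet address is 33:33 plus the low 32 bits of the group, and the flags and scope live in the second byte of any ff00::/8 address. The following added example (not code from the deck) implements all three and then answers the practical question from page 57: which groups, and which MACs, an interface has to join for a given set of unicast addresses. The addresses are the slides' examples.

```python
# Added example (not from the Cisco deck): solicited-node groups, IPv6
# multicast to Ethernet mapping, and multicast flag/scope decoding.
import ipaddress

SCOPES = {0x1: "Node", 0x2: "Link", 0x3: "Realm", 0x4: "Admin", 0x5: "Site",
          0x8: "Organization", 0xE: "Global"}
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(unicast: str) -> str:
    """ff02::1:ff00:0/104 + the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def multicast_to_mac(group: str) -> str:
    """33:33 + the low 32 bits of the IPv6 group address."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    return "33:33:" + (int(g) & 0xFFFFFFFF).to_bytes(4, "big").hex(":")


def decode_multicast(group: str) -> dict:
    """Flags nibble 0RPT and scope nibble from the second byte of an ff00::/8 address."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    flags, scope = g.packed[1] >> 4, g.packed[1] & 0xF
    return {"R": bool(flags & 0x4), "P": bool(flags & 0x2), "T": bool(flags & 0x1),
            "well_known": not flags & 0x1,
            "scope": SCOPES.get(scope, f"unassigned ({scope:x})")}


def nd_groups_for_interface(addresses) -> dict:
    """Solicited-node groups (and MACs) an interface joins for its unicast addresses.

    Addresses that share an interface identifier share one group, which is
    the slide's note about EUI-64 link-local and global addresses.
    """
    joined = {}
    for a in addresses:
        joined.setdefault(solicited_node(a), []).append(str(ipaddress.IPv6Address(a)))
    return {grp: {"for": addrs, "mac": multicast_to_mac(grp)} for grp, addrs in joined.items()}


if __name__ == "__main__":
    print(solicited_node("fe80::1234:5678:9abc:fc0f"), multicast_to_mac("ff02::1:ffbc:fc0f"))
    print(decode_multicast("ff3e:40:2001:db8:cafe:1:11d7:4cd3"))
    print(nd_groups_for_interface(["fe80::290:27ff:fe17:fc0f", "2001:db8::290:27ff:fe17:fc0f"]))
```

Because only the low 24 bits select the group, many unicast addresses share a solicited-node group; a switch doing MLD snooping therefore forwards an NS to every host whose address ends in the same three bytes, not only to the intended target.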

Page 57: IPv6 workshop-tm-0x1f


  R1#sh ipv6 int e0
  Ethernet0 is up, line protocol is up
    IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
    Global unicast address(es):
      2001:DB8:0:1234::1, subnet is 2001:DB8:0:1234::/64
    Joined group address(es):
      FF02::1
      FF02::2
      FF02::1:FF00:1
      FF02::1:FF3A:8B18        <- Solicited-Node Multicast Address*
    MTU is 1500 bytes
    ICMP error messages limited to one every 100 milliseconds
    ICMP redirects are enabled
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds
    ND router advertisements are sent every 200 seconds

*If EUI format is used then the first solicited node mcast addr is used for both the LL & GU

Page 58: IPv6 workshop-tm-0x1f


[Diagram: hosts A and B on one link, with the default gateway (DfGW)]

  NS:  ICMP Type 135, IPv6 Source fe80::a, IPv6 Destination ff02::1:ff00:b, Hop Limit 255, Target Address 2001:db8:1:46::b, Query: What is B’s link layer address? Opt. 1 SLLA = A’s Link Layer Address
  NA:  ICMP Type 136, IPv6 Source fe80::b, IPv6 Destination fe80::a, Target Address 2001:db8:1:46::b, Option 2 TLLA = B’s Link Layer Address

*Flags: R = Router, S = Response to Solicitation, O = Override cache information

•  ARP replacement, Maps L3 to L2
•  Node B will add node A to its neighbor cache during this process w/o sending NS
•  Multicast for resolution (new), Unicast for reachability (cache)

Page 59: IPv6 workshop-tm-0x1f


Neighbors are only considered “reachable” for 30-seconds. “Stale” indicates that, we MAY need to send a NS packet.

Page 60: IPv6 workshop-tm-0x1f


[Diagram: router R2 and hosts A and B on one link]

  Packet:          IPv6 Source 2001:db8:4646:1::b, IPv6 Dest. 2001:db8:4646:1::a, ULP variable
  Redirect (137):  IPv6 Source fe80::2, IPv6 Dest. 2001:db8:4646:1::b, ICMPv6 Type 137, Target Addr. 2001:db8:4636:1::a, Opt. 2 TLLA 001C.2D3E.00AA

•  Cannot be used if destination is multicast
•  Hosts should not send redirects; Should be turned off on routed links
•  IPv6 Hosts Don’t Use Bitwise Masking, TLLA Avoids ND Round

Page 61: IPv6 workshop-tm-0x1f


•  IPv4 Compatible: 0:0:0:0:0:0:A.B.C.D/96, e.g. 0:0:0:0:0:0:192.168.30.1 = ::c0a8:1e01. Used by IPv6 aware devices, now deprecated
•  IPv4 Mapped: 0:0:0:0:0:ffff:A.B.C.D/96, e.g. 0:0:0:0:0:ffff:192.168.30.1 = ::ffff:c0a8:1e01. Used in automatic tunneling by devices with no IPv6 knowledge

[Diagram: IPv4 host, IPv6 Internet, IPv6 Network]

Page 62: IPv6 workshop-tm-0x1f


  C:\>ipconfig

  Tunnel adapter ISATAP Adapter
     Media State : Media disconnected
     Connection DNS Suffix : foo.com

  Tunnel adapter Teredo Adapter
     Media State : Media disconnected
     Connection-specific DNS Suffix :

  Tunnel adapter 6TO4 Adapter:
     Media State : Media disconnected
     Connection-specific DNS Suffix :

Can be disabled via Registry, GPO, PowerShell, etc.

•  ISATAP – Used within administrative domain (IP41): ::0:5efe:w.x.y.z/96 – Private v4, ::200:5efe:w.x.y.z/96 – Global v4
•  Teredo – Used with RFC 1918 addresses (UDP 3544): 2001:0:{srvr v4}:{flags}:{udp}:{nat v4}
•  6to4 – Used with global IPv4 addresses (IP41): 2002:w.x.y.z::

Page 63: IPv6 workshop-tm-0x1f


•  Loopback: 0:0:0:0:0:0:0:1 => ::1
•  Unspecified address: 0:0:0:0:0:0:0:0 => 0::0 => :: => ::/128
•  Documentation Prefix: 2001:0db8::/32
•  Discard Prefix: 0100::/64
•  6to4 Automatic Tunneling: 2002::/16
•  Default Route: ::/0
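Pages 18, 61, 62 and 63 together give the address ranges a host or a log parser has to tell apart, and the transition forms (IPv4-compatible, 6to4, Teredo, ISATAP) are the ones page 62 says should usually be disabled on managed hosts. The following added example (not code from the deck) classifies an address string into those categories, ordering the checks so that the more specific ranges win, and then picks out transition addresses from an inventory. It relies on the standard-library `ipaddress` module's `ipv4_mapped`, `sixtofour` and `teredo` properties; ISATAP is recognised by the 0000:5efe / 0200:5efe marker in the interface identifier, which a non-ISATAP address could in principle also carry.

```python
# Added example (not from the Cisco deck): classifying IPv6 addresses into
# the special, transition and unicast ranges listed on these slides.
import ipaddress

SPECIAL = [  # checked in order, so more specific ranges come before 2000::/3
    ("Documentation prefix", ipaddress.IPv6Network("2001:db8::/32")),
    ("Discard prefix", ipaddress.IPv6Network("100::/64")),
    ("Multicast", ipaddress.IPv6Network("ff00::/8")),
    ("Link-Local", ipaddress.IPv6Network("fe80::/10")),
    ("Unique Local", ipaddress.IPv6Network("fc00::/7")),
    ("Global Unicast", ipaddress.IPv6Network("2000::/3")),
]
ISATAP_TAGS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")   # ::0:5efe / ::200:5efe from page 62
TRANSITION_KINDS = ("IPv4-compatible", "6to4", "Teredo", "ISATAP")


def classify(text: str) -> str:
    a = ipaddress.IPv6Address(text)
    low32 = ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)
    if a.is_unspecified:
        return "Unspecified"
    if a.is_loopback:
        return "Loopback"
    if a.ipv4_mapped is not None:
        return f"IPv4-mapped {a.ipv4_mapped}"
    if a in ipaddress.IPv6Network("::/96"):
        return f"IPv4-compatible {low32} (deprecated)"
    if a.sixtofour is not None:
        return f"6to4 (IPv4 {a.sixtofour})"
    if a.teredo is not None:
        server, client = a.teredo
        return f"Teredo (server {server}, client {client})"
    if a.packed[8:12] in ISATAP_TAGS:
        return f"ISATAP (IPv4 {low32})"
    for name, net in SPECIAL:
        if a in net:
            return name
    return "Reserved / unassigned"


def transition_addresses(addresses):
    """Addresses worth a second look on hosts where tunnelling is meant to be off."""
    found = []
    for a in addresses:
        kind = classify(a)
        if kind.split(" ")[0] in TRANSITION_KINDS:
            found.append((a, kind))
    return found


if __name__ == "__main__":
    for a in ("::1", "::ffff:192.168.30.1", "::192.168.30.1", "2001:db8::1", "100::1",
              "2002:c000:204::1", "fe80::5efe:c000:204", "fe80::1", "fd12:3456::1", "2600::1"):
        print(f"{a:24} {classify(a)}")
```

The order of the checks is the whole design: 6to4 and Teredo both fall inside 2000::/3 and ::ffff:0:0/96 falls inside ::/96, so a classifier that tests the broad ranges first silently mislabels the transition addresses it was written to find.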

Page 64: IPv6 workshop-tm-0x1f


Page 65: IPv6 workshop-tm-0x1f


Windows 7, Mac OSX use pseudo random by default. iPad & iPhone generate a new temporary address per association

  C:\Documents and Settings\>netsh
  netsh>interface ipv6
  netsh interface ipv6>show address
  Querying active state...

  Interface 5: Local Area Connection

  Addr Type  DAD State  Valid Life    Pref. Life    Address
  ---------  ---------  ------------  ------------  -----------------------------
  Public     Preferred  29d23h58m25s  6d23h58m25s   2001:0db8:2301:1:202:8a49:41ad:a136
  Temporary  Preferred  6d21h48m47s   21h46m        2001:0db8:2301:1:bd86:eac2:f5f1:39c1
  Link       Preferred  infinite      infinite      fe80::202:8a49:41ad:a136

  netsh interface ipv6>show route
  Querying active state...

  Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
  -------  --------  ---  ------------------------  ---  ---------------------
  no       Autoconf  8    2001:0db8:2301:1::/64     5    Local Area Connection
  no       Autoconf  256  ::/0                      5    fe80::20d:bdff:fe87:f6f9

Page 66: IPv6 workshop-tm-0x1f


•  Scope, Preferred over Deprecated, Native over Transitional, Temporary over Public
•  Must support application override API; Choice of v6 over v4 is application dependent
•  Give IPv6 a 300ms Head Start: Lookup & Connect, Retrieve and Display

[Diagram: Application Layer over TCP/UDP over IPv6 | IPv4 over the Network Interface Card; NCSI – Network Connection Status Indicator]

  Public     Preferred   2001:0db8:2301:1:202:8a34:bead:a136
  Temporary  Preferred   2001:0db8:2301:1:bd86:ea49:41f1:39c1
  Link       Preferred   fe80::202:8a34:bead:a136

RFC 6555
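The “300ms head start” bullet is the RFC 6555 Happy Eyeballs race: start the IPv6 connection first, start IPv4 only if IPv6 has not succeeded within the head start, then take whichever completes first and cancel the other. The following added example (not code from the deck) models that race with `asyncio`; the connection attempts are simulated with timed sleeps rather than real sockets so the behaviour is reproducible offline, and the delays are constructed inputs.

```python
# Added example (not from the Cisco deck): the RFC 6555 "Happy Eyeballs"
# race with the slide's 300 ms IPv6 head start, simulated with asyncio.
import asyncio

IPV6_HEAD_START = 0.300   # seconds, the slide's figure


async def connect_attempt(family: str, delay: float, fails: bool = False) -> str:
    """Stand-in for a TCP connect: succeed after `delay` seconds, or raise."""
    await asyncio.sleep(delay)
    if fails:
        raise ConnectionError(f"{family} connect failed")
    return family


async def happy_eyeballs(v6_delay: float, v4_delay: float, v6_fails: bool = False,
                         head_start: float = IPV6_HEAD_START) -> str:
    v6 = asyncio.create_task(connect_attempt("IPv6", v6_delay, v6_fails))
    done, _ = await asyncio.wait({v6}, timeout=head_start)
    if done and v6.exception() is None:
        return v6.result()                        # IPv6 won inside its head start
    # IPv6 is slow or already failed: start IPv4 and race whatever is still running
    v4 = asyncio.create_task(connect_attempt("IPv4", v4_delay))
    pending = {t for t in (v6, v4) if not t.done()}
    while pending:
        done, pending = await asyncio.wait(pending, return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            if task.exception() is None:
                for other in pending:
                    other.cancel()                # drop the losing attempt
                return task.result()
    raise ConnectionError("both address families failed")


def connect(v6_delay: float, v4_delay: float, v6_fails: bool = False) -> str:
    """Synchronous wrapper: which family the application ends up using."""
    return asyncio.run(happy_eyeballs(v6_delay, v4_delay, v6_fails))


if __name__ == "__main__":
    print("fast IPv6:   ", connect(0.05, 0.01))
    print("slow IPv6:   ", connect(0.80, 0.05))
    print("broken IPv6: ", connect(0.05, 0.05, v6_fails=True))
```

Note what the head start buys: a working IPv6 path is preferred even when IPv4 would have connected a little faster, but a broken one (the page 8 “embedded literal” case in reverse) costs the user at most the head start before IPv4 takes over.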

Page 67: IPv6 workshop-tm-0x1f


Page 68: IPv6 workshop-tm-0x1f


✓ Create a project team, assign a PM
✓ Identify business value & impacts
✓ Assess equipment & applications for IPv6
✓ Begin training & develop training plan
✓ Develop the architectural solution
✓ Obtain a prefix and build the address plan
✓ Define an exception process for legacy systems
✓ Update the security policy
✓ Deploy IPv6 trials in the network
✓ Test and monitor your deployment

Page 69: IPv6 workshop-tm-0x1f


[Diagram: campus reference topology – Data Center, WAN and Internet blocks attached to a Core layer, with Distribution and Access layers below]

Page 70: IPv6 workshop-tm-0x1f


•  Core-to-Access – Gain experience with v6
•  Turn up your servers – Enable the experience
•  Access-to-Core – Securing and monitoring
•  Internet Edge – Business continuity

[Diagram: Servers, Branch Access, WAN, Campus Core, Access Layer, and an Internet Edge connected to two ISPs]

Page 71: IPv6 workshop-tm-0x1f


[Diagram: transition timeline 2010-2015 (IPv6 in the laboratory, World IPv6 Day, World IPv6 Launch, IPv6-Centric Networking, IPv6 at Scale) in three stages:
  Preserve – IPv4 Only access, IPv4 Core, NAT; 6 over 4 tunnels (6rd, L2TP…) to the Internet
  Prepare – Dual-Stack access, Dual Stack Core, NAT for IPv4; Internet reached natively over 4 and 6
  Prosper – IPv6 Only access, Dual Stack Core; 4 over 6 (MAP, LW46…) and 464-xlat for remaining IPv4]

Page 72: IPv6 workshop-tm-0x1f


Figure: IPv6/IPv4 dual-stack hosts in the Access Block (Access and Distribution layers) tunnelling across the Core Layer to dual-stack servers in the Data Center Block (DC Aggregation and DC Access layers).

•  Leverages existing IPv4 infrastructure
•  Allows a "slower" roll into IPv6 deployment
•  Poor scalability and overall performance, no multicast support
•  Tunneling everywhere "flattens" the network you have built

Page 73: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 73

Figure: an ISATAP IPv6 Service Block attached to the Core Layer beside the Data Center Block (servers) and the WAN/ISP Block (Internet); the Campus Block (Access, Distribution, Core layers) stays IPv4-only.

•  Provides tighter control of where IPv6 is deployed
•  Allows for reduced time to deliver IPv6 services
•  Cost of service block equipment and its reuse in the network
•  Eventually hits scalability and overall performance limits, no multicast support

Page 74: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 74

Figure: IPv6/IPv4 dual-stack hosts in the Access Block (Access and Distribution layers), dual-stack Core Layer, and dual-stack servers in the Data Center Block (DC Aggregation and DC Access layers).

•  Preferred method: versatile, scalable and highest performance
•  No dependency on IPv4, runs in parallel on dedicated HW
•  No tunneling, MTU, NAT or performance-degrading technologies
•  Does require IPv6 support on all devices

Page 75: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 75

•  Should we use both on the same link at Layer 3?

•  Separate links, possibly to collect protocol specific statistics

•  Routing protocols OSPFv3, EIGRP combined or separate?

•  Fate sharing between the data and control planes per protocol

Figure: two routers running OSPFv3 and EIGRP over IPv4 & IPv6 links towards the Internet, connecting 2001:db8:1:1::/64 with 198.51.100.0/24 and 2001:db8:6:6::/64 with 192.168.4.0/24.

Page 76: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 76

•  Topology hiding: interfaces cannot be seen by off-link devices

•  Reduces routing table prefix count, less configuration

•  Need to use ULA or GUA for generating ICMPv6 messages

•  What about DNS, traceroute, WAN connections, etc.?

•  RFC 7404 – details pros and cons

Figure: inter-router links towards the WAN/MAN and Internet addressed with link-local only (fe80::/64), ULA/GUA used elsewhere.

Page 77: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 77

•  Automatic prefix generation (RFC 4193): non-sequential /48s, M&A challenges

•  To be avoided in most cases, draft-ietf-v6ops-ula-usage-recommendations-05

•  Caution with older OSs (RFC 3484) using ULA & IPv4

•  Multiple policies to maintain (ACL, QoS, routing, etc.)

Figure: corporate backbone with ULA space fd9c:58ed:7d73::/48 alongside global 2001:db8:cafe::/48; Branch 2 uses fd9c:58ed:7d73:3000::/64 and 2001:db8:cafe:3000::/64, and reaches the Internet via the global prefix.

Page 78: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 78

•  NAT allows for client/server model, difficult to deploy peer-to-peer

•  UDP/TCP only, ALGs & protocol fixups; what about SCTP & DCCP?

•  IETF does NOT recommend the use of NAT66 with IPv6

•  NAT ≠ Firewall – RFC 4864 (Local Network Protection)

•  Wait, who did what? – RFC 6269 (Issues with IP address sharing)

Figure: Firewall+NAT between the inside network and the Internet; variants: NAT-PT, NAT66, NPTv6, NAT64

Page 79: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 79

•  PA or PI from each region you operate in

•  Coordination of advertised space within each RIR, policy will vary

•  Most run PI from primary region

Page 80: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 80

Figure: prefix lengths by role: point-to-point /127, WAN, core /64 or /127, servers /64, hosts /64, loopback /128

•  Anywhere a host exists: /64

•  Point to point: /127
–  Should not use all 0's or 1's in the host portion
–  Nodes 1 & 2 are not in the same subnet

•  Loopback or anycast: /128

•  RFC 7421 – /64 is here

•  RFC 6164 – /127 and cache exhaustion

Page 81: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 81

•  Methods: follow IPv4 (/24 only), organizational, location or function based

•  Hierarchy is key (a /48 example), a bit twiddler's dream (16-bit subnet strategy):
–  4 or 8 bits = (16 or 256) regions (states, counties, agencies, etc.)
–  4 or 8 more bits = (16 or 256) sub-levels within those regions
–  4 more bits = (16) traffic types (Admin, Guest, Telephony, Video, etc.)

•  Cisco IPv6 Addressing White Paper http://www.cisco.com/go/IPv6

•  Monotonic (1000, 2000, 3000, etc.) vs. sparse (0000, 4000, 8000, c000) allocation

Page 82: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 82

•  How about both? Reality for the foreseeable future

•  SLAAC: address tracking, RADIUS accounting, syslog, CAM table scrapes
–  Microsoft won't support RDNSS in RAs

•  DHCPv6 challenges: MAC address for reservations, inventory, tracking
–  Android doesn't support DHCPv6

•  Understand the implications of switching methods
–  Inconsistent amongst the OSs

Figure: hosts A, B and C on a link behind the default gateway (DfGW), with the DHCPv6 server reached across the Internet.

Page 83: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 83

•  Msg-type – relay-forw (12), relay-repl (13)

•  Hop-count – set to 0, +1 for every relay

•  Link-address – used by the server to identify which link the client is located on

•  Peer-address – original client or relay agent address

•  Options – must include a "Relay Message option"

•  ipv6 dhcp relay destination 2001:db8::feed:1

Figure: the client's DHCPv6 Solicit is encapsulated by the DHCPv6 Relay (Msg-type, Hop-count, Link-address, Peer-address, Options) and forwarded to the DHCPv6 Server 2001:db8::feed:1; the Link-address tells the server which link the client is on.

Page 84: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 84

•  Allow relay agents to provide the client's Link-Layer Address Option (79) in the relay header format

•  Inventory, correlation, logging, debugging, etc.

•  Legacy DHCP used the "htype" & "chaddr" fields

•  RFC 4361 attempted to "unify" this
–  DUID option is not set by the client

•  A Layer 2 adjacent DHCPv6 server doesn't require this option
–  It can access the frame header

Figure: Option (79) layout: Option code, Length, Link Layer Type, Link Layer Address (continued).
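Decoding the relay header and Option 79 just described, as an added Python example (not code from the deck): the Solicit, the client MAC and the peer address are constructed, and the link address is taken from the 2001:db8:1122:acc1::/64 prefix the deck uses later.

```python
"""Decode a DHCPv6 Relay-forward message: the 34-byte relay header, the Relay
Message option (9) and the Client Link-Layer Address option (79, RFC 6939).
Added example with a constructed packet; not code from the workshop deck."""
import ipaddress
import struct

RELAY_FORW, RELAY_REPL = 12, 13
OPTION_RELAY_MSG = 9
OPTION_CLIENT_LINKLAYER_ADDR = 79
HW_TYPE_ETHERNET = 1
RELAY_HEADER_LEN = 1 + 1 + 16 + 16          # msg-type, hop-count, link-address, peer-address


def parse_options(data: bytes) -> list:
    """Split a DHCPv6 option list into (code, value) pairs; reject truncated options."""
    options, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError(f"option {code} runs past end of packet")
        options.append((code, data[off:off + length]))
        off += length
    return options


def parse_relay_message(pkt: bytes) -> dict:
    """Return the relay header fields, the client MAC (if option 79 is present)
    and the type of the encapsulated message. Nested relays are decoded recursively."""
    if len(pkt) < RELAY_HEADER_LEN:
        raise ValueError("relay header needs 34 bytes")
    msg_type, hop_count = pkt[0], pkt[1]
    if msg_type not in (RELAY_FORW, RELAY_REPL):
        raise ValueError(f"message type {msg_type} is not relay-forw/relay-repl")
    options = parse_options(pkt[RELAY_HEADER_LEN:])
    relay_msgs = [v for c, v in options if c == OPTION_RELAY_MSG]
    if len(relay_msgs) != 1:                  # the Relay Message option is mandatory
        raise ValueError("exactly one Relay Message option required")
    inner = relay_msgs[0]
    result = {
        "msg_type": msg_type,
        "hop_count": hop_count,
        "link_address": str(ipaddress.IPv6Address(pkt[2:18])),
        "peer_address": str(ipaddress.IPv6Address(pkt[18:34])),
        "client_mac": None,
        "inner_msg_type": inner[0] if inner else None,
        "inner": None,
    }
    for code, value in options:
        if code == OPTION_CLIENT_LINKLAYER_ADDR and len(value) > 2:
            (hw_type,) = struct.unpack("!H", value[:2])
            if hw_type == HW_TYPE_ETHERNET and len(value) == 8:
                result["client_mac"] = ":".join(f"{b:02x}" for b in value[2:])
    if inner and inner[0] in (RELAY_FORW, RELAY_REPL):
        result["inner"] = parse_relay_message(inner)   # relay chain: hop-count grows by 1 per relay
    return result


def is_well_formed_relay(pkt: bytes) -> bool:
    """True when the packet parses as a relay message with a sane option list."""
    try:
        parse_relay_message(pkt)
        return True
    except ValueError:
        return False


def build_option(code: int, value: bytes) -> bytes:
    return struct.pack("!HH", code, len(value)) + value


def build_sample_relay_forw() -> bytes:
    """Constructed Relay-forward carrying a client Solicit, as the first relay on
    the 2001:db8:1122:acc1::/64 link would send it towards the DHCPv6 server."""
    client_mac = bytes.fromhex("001a2b3c4d5e")                          # made-up MAC
    solicit = bytes([1, 0x12, 0x34, 0x56])                              # SOLICIT + transaction-id
    solicit += build_option(1, b"\x00\x03\x00\x01" + client_mac)        # Client Identifier (DUID-LL)
    solicit += build_option(3, struct.pack("!III", 0xABCD, 0, 0))       # IA_NA
    header = struct.pack("!BB", RELAY_FORW, 0)                          # hop-count 0: first relay
    header += ipaddress.IPv6Address("2001:db8:1122:acc1::1").packed     # link-address
    header += ipaddress.IPv6Address("fe80::21a:2bff:fe3c:4d5e").packed  # peer-address (client LLA)
    return (header
            + build_option(OPTION_RELAY_MSG, solicit)
            + build_option(OPTION_CLIENT_LINKLAYER_ADDR,
                           struct.pack("!H", HW_TYPE_ETHERNET) + client_mac))
```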

Page 85: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 85

•  PCI DSS 3.1 removed ambiguity as it related to requiring NAT
•  Assign a /52 to the PCI servers, use a stateful inspection device to block access to it

Page 86: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 86

RFC 6879: flag day; ULA alongside PA mitigates internal downtime during the transition; DNS updates timed with TTL expiry

Network Design slide

Page 87: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 87

Page 88: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 88

•  Enable DHCPv6 via the M flag
•  Disable autoconfiguration via the A bit in option 3
•  Set Router Preference to high
•  Enable DHCPv6 relay

interface fastEthernet 0/0
 ipv6 address 2001:db8:1122:acc1::1/64
 ipv6 nd managed-config-flag
 ipv6 nd prefix default no-autoconfig
 ipv6 nd router-preference high
 ipv6 dhcp relay destination 2001:db8:add:cafe::1

Page 89: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 89

•  Can be used to cycle to the next router in the DRL
•  In the case of multiple entries in the DRL, NUD should be "quick"
•  RFC 7048 adds a new definition to the state table, "Unreachable"
–  Unreachable: retains the link-layer address and switches to multicast for resolution
–  An exponential back-off mechanism is employed to reduce noise (~60 sec)

Default Router List (DRL), learned from RAs with their reach-time and preference:
FE80::34:1   Pref. H
FE80::34:11  Pref. M

Neighbor cache (Neighbor, Link Layer, R, State):
FE80::34:1   00-00-0C-83-5C-3E  1  Probe
FE80::34:11  00-03-7A-16-37-FB  1  Stale

Page 90: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 90

HSRP for IPv6
•  Modification to NA, RA and ICMPv6 redirects
•  Virtual MAC derived from HSRP group # and virtual IPv6 LLA
(Figure: HSRP Active / HSRP Standby pair)

Neighbor Unreachability Detection
•  Rudimentary HA at the first hop, that is slow to detect failures
•  Hosts use the NUD "reachable time" to cycle to the next known default GW
(Figure: RA reach-time)

GLBP for IPv6
•  Default gateway is announced via RAs from the virtual MAC
•  Active Virtual Gateway (AVG) assigns MACs, responds to NDP and directs hosts to an Active Virtual Forwarder (AVF)
(Figure: GLBP AVG and AVFs)

VRRP for IPv6
•  Active/Standby design or load balancing via VLANs
•  Multi-vendor interoperability

Page 91: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 91

•  Many similarities with HSRP for IPv4 from a design perspective (odd/even prefix)
•  Changes occur in Neighbor Advertisement, Router Advertisement and ICMPv6 redirects
•  Virtual MAC derived from the HSRP group number and the virtual IPv6 link-local address
•  Layer 2 – 0005.73A0.0000-0F0F → 3333.0000.0066
•  Layer 3 – FE80::/64 → FF02::66
•  Layer 4 – UDP port 2029 (HSRPv6)

interface FastEthernet0/1

ipv6 address 2001:DB8:66:67::2/64

standby version 2

standby 2 ipv6 autoconfig

standby 2 timers msec 250 msec 800

standby 2 preempt

standby 2 preempt delay minimum 180

standby 2 authentication cisco

Unix host with the VIP as its gateway:
unixhost# route -A inet6 | grep ::/0 | grep eth2
::/0 fe80::5:73ff:fea0:1

(Figure: HSRP Active / HSRP Standby pair)

Page 92: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 92

•  Provides weighted or ~equal load balancing across resources
•  Modification to NA; default GW is announced via RA using the vMAC
•  AVG assigns vMACs and responds to NDP, directing hosts to the AVFs
•  Layer 2 – 0007.B4xx.xx08 → 3333.0000.0066
•  Layer 3 – FE80::/64 → FF02::0100:5E00:66
•  Layer 4 – UDP port 3222 (GLBPv6)

interface fastethernet0/0

ipv6 address 2001:db8::/64 eui-64

glbp 8 ipv6 2001:db8::D38:C677:2925:8

glbp 8 priority 110

glbp 8 preempt

glbp 8 load-balancing weighted

glbp 8 weighting 110 lower 95 upper 105

glbp 8 authentication md5 key-string 7 cisco

GLBP 8 AVF

GLBP 8 AVG AVF

Page 93: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 93

•  Sub-second failover possible, multi-vendor interoperation
•  Active/Standby design, load balancing via VLANs
•  Layer 2 – 0000.5E00.02xx → 3333.0000.0012
•  Layer 3 – FE80::/64 → FF02::12
•  Layer 4 – IP protocol 112

fhrp version vrrp v3

!

interface fastethernet0/0

ipv6 address 2001:db8::/64 eui-64

vrrp 4 address-family ipv6

vrrp 4 address fe80::1 primary

Page 94: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 94

•  IPv4 syntax has used "ip" following match/set statements
–  Example: match ip dscp, set ip dscp

•  New match criteria
–  match dscp
–  match precedence

•  New set criteria
–  set dscp
–  set precedence

•  Modification to support IPv6 and IPv4

Figure: Data, Voice, Video and Internet traffic classes

Page 95: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 95

•  Control access to hardware resources on the system
–  When TCAM is exhausted, SW switching is invoked

•  First hop security features
–  deny global-autoconf (Source guard policy)
–  ND cache limits
–  ND tracking – binding table limits

•  Platform specific issues
–  6500: "mls ipv6 acl compress address unicast"
–  Catalyst 3750/3560: "sdm prefer ..."

•  Routing table
–  How much can the TCAM hold? Typically shared between IPv4 and IPv6

6500#show mls cef maximum-routes
FIB TCAM maximum routes :
=======================
Current :
---------
 IPv4 + MPLS         - 512k (default)
 IPv6 + IP Multicast - 256k (default)

Page 96: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 96

•  SDM templates are used to configure system resources in the switch to optimize support for specific features
–  Highly dependent on how the switch is used in the network

•  Three templates available
–  Routing: maximizes system resources for unicast routing; typically required for a router or aggregator in the core
–  VLAN: disables routing, supports the maximum number of unicast MAC addresses; typically selected for a Layer 2 switch
–  Default: provides balance to all functions

•  Needed to configure IPv6 ACLs, even on a Layer 2 only switch

•  Requires a reboot

Page 97: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 97

•  Recommendation is to stick with /64 prefixes as the longest prefix that will have attached hosts

•  What about prefixes that are longer than a /64?
–  Most platforms consume 2 slots for every IPv6 route and 1 slot for IPv4

•  LPM can consume a greater amount of HW switching resources
–  Greatly limits the scalability of the platform for prefix lengths in the /64 - /127 range

•  May be appropriate based on the location of the device

•  See first point

Figure: 2001:db8:4646::/48 aggregate, 2001:db8:4646:5::/64 host subnet, 2001:db8:4646:5::aa03/127 point-to-point link

Page 98: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 98

Page 99: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 99

•  Prefix FF00::/8

Format: 1111 1111 (8 bits) | flags 0 R P T (4 bits) | scope (4 bits) | group ID, variable format (112 bits)

Flags:
–  0: reserved
–  R = 0: no embedded RP; R = 1: embedded RP
–  P = 0: without prefix; P = 1: address based on prefix
–  T = 0: well-known address (IANA assigned); T = 1: temporary address (locally assigned)

Scope:
–  1 Node
–  2 Link
–  3 Subnet
–  4 Admin
–  5 Site
–  8 Organization
–  E Global

Page 100: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 100

•  Every unicast prefix can build custom multicast addresses

•  Last 32 bits of the unicast address mapped into the Group ID (112 bits)

Format: 1111 1111 (8 bits) | flags 0011 (4 bits) | scope 1110 (4 bits) | Rsvd (8 bits) | plen (8 bits) | Unicast Prefix (64 bits) | Group ID (32 bits)

Example: plen 0x40 = 64 bits; prefix 2001:db8:cafe:1::; Group ID 11d7:4cd3
FF3E:0040:2001:DB8:CAFE:1:11D7:4CD3

Page 101: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 101

•  Static mapping of the RP into the multicast group

•  Solves MSDP and scaling issues

Format: 1111 1111 (8 bits) | flags 0111 (4 bits) | scope 1110 (4 bits) | Rsvd (4 bits) | RPid (4 bits) | plen (8 bits) | Unicast Prefix (64 bits) | Group ID (32 bits)

Example: Rsvd/RPid 0000 | 0101; prefix 2001:db8:cafe:1::; Group ID 645
FF7E:0540:2001:DB8:CAFE:1:0000:0645 (FF7E:540:2001:db8:cafe:1::645)
RP address: 2001:db8:cafe:1::5

Page 102: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 102

Address   Scope       Meaning
FF02::1   Link-Local  All Nodes
FF02::2   Link-Local  All Routers
FF02::5   Link-Local  OSPFv3 Routers
FF02::6   Link-Local  OSPFv3 DR Routers
FF02::9   Link-Local  RIPng
FF02::A   Link-Local  EIGRP

•  FF02 is a permanent address and has link scope

•  Link operations, routing protocols, streaming services

Page 103: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 103

IPv6 temporary multicast address FF3E:0040:2001:0DB8:CAFE:0001:11D7:4CD3 → corresponding Ethernet address 33:33:11:D7:4C:D3

IPv6 well-known multicast address FF02:0000:0000:0000:0000:0000:0000:0001 → corresponding Ethernet address 33:33:00:00:00:01

Every IPv6 multicast address (layer 3) MUST map to a corresponding Ethernet address (layer 2): 33:33 followed by the low-order 32 bits of the group address.
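Constructing and decoding the addresses on pages 100, 101 and 103 (prefix-based group, embedded-RP group, Ethernet mapping), as an added Python example that is not code from the deck; the values are the deck's own (2001:db8:cafe:1::/64, group 11d7:4cd3, RIID 5).

```python
"""Build and decode IPv6 multicast addresses: unicast-prefix-based groups
(RFC 3306), embedded-RP groups (RFC 3956) and the Ethernet mapping (RFC 2464).
Added example; not code from the workshop deck."""
import ipaddress

SCOPES = {1: "node", 2: "link", 3: "subnet", 4: "admin", 5: "site", 8: "organization", 0xE: "global"}
FLAG_T, FLAG_P, FLAG_R = 0b0001, 0b0010, 0b0100      # transient, prefix-based, embedded RP


def prefix_based_group(prefix: str, group_id: int, scope: int = 0xE, rp_riid=None) -> ipaddress.IPv6Address:
    """FF | flags | scope | rsvd/RIID | plen | 64-bit unicast prefix | 32-bit group ID."""
    net = ipaddress.IPv6Network(prefix)              # raises if host bits are set
    if net.prefixlen > 64:
        raise ValueError("plen must be 64 or shorter")
    if not 0 <= group_id < 1 << 32:
        raise ValueError("group ID is 32 bits")
    if scope not in SCOPES:
        raise ValueError(f"unknown scope {scope:x}")
    flags, riid = FLAG_P | FLAG_T, 0
    if rp_riid is not None:
        if not 0 < rp_riid <= 0xF:                   # RIID 0 is reserved (subnet-router anycast)
            raise ValueError("RIID is a 4-bit value, 1..15")
        flags, riid = flags | FLAG_R, rp_riid
    prefix_bits = int(net.network_address) >> 64
    value = ((0xFF << 120) | (flags << 116) | (scope << 112) | (riid << 104)
             | (net.prefixlen << 96) | (prefix_bits << 32) | group_id)
    return ipaddress.IPv6Address(value)


def decode_group(addr: str) -> dict:
    """Split a multicast address into its fields; recover prefix and RP where flagged."""
    v = int(ipaddress.IPv6Address(addr))
    if v >> 120 != 0xFF:
        raise ValueError("not a multicast address")
    flags, scope = (v >> 116) & 0xF, (v >> 112) & 0xF
    riid, plen = (v >> 104) & 0xF, (v >> 96) & 0xFF
    prefix_bits, group_id = (v >> 32) & ((1 << 64) - 1), v & 0xFFFFFFFF
    info = {"scope": SCOPES.get(scope, f"{scope:x}"), "transient": bool(flags & FLAG_T),
            "prefix_based": bool(flags & FLAG_P), "embedded_rp": bool(flags & FLAG_R),
            "group_id": group_id, "prefix": None, "rp": None}
    if flags & FLAG_P:
        if plen > 64:
            raise ValueError("plen longer than the 64-bit prefix field")
        mask = ((1 << 128) - 1) ^ ((1 << (128 - plen)) - 1)
        info["prefix"] = str(ipaddress.IPv6Network(((prefix_bits << 64) & mask, plen)))
    if flags & FLAG_R:
        # RFC 3956: the RP address is the embedded prefix with the RIID in its low 4 bits
        info["rp"] = str(ipaddress.IPv6Address((prefix_bits << 64) | riid))
    return info


def ethernet_multicast_mac(addr: str) -> str:
    """RFC 2464: 33:33 followed by the low-order 32 bits of the group address."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError("not a multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in a.packed[-4:])
```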

Page 104: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 104

•  MLD uses LL source addresses

•  MLD packets carry the "Router Alert" option in the HBH header, since the destination is not the router's interface

•  3 msg types: Query, Report, Done

•  MLDv1 = (*,G) shared, MLDv2 = (S,G) source

•  MLD snooping

MLD / IGMP message types (ICMPv6 type, function):

MLDv1 (RFC 2710) / IGMPv2 (RFC 2236)
–  Listener Query – 130 – Used to find out if there are any multicast listeners
–  Listener Report – 131 – Response to a query, joins a group
–  Listener Done – 132 – Sent by a node to report it has stopped listening

MLDv2 (RFC 3810) / IGMPv3 (RFC 3376)
–  Listener Query – 130 – Used to find out if there are any multicast listeners
–  Listener Report – 143 – Enhanced reporting, multiple groups and sources

Page 105: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 105

•  Hosts send an MLD report to alert the router they wish to join a multicast group

•  Router then joins the tree to the source or RP

MLD Report (A): ICMP type 131; IPv6 source fe80::209:5bff:fe08:a674; IPv6 destination FF38::276; hop limit 1; group address ff38::276; Hop-by-Hop header with Router Alert ("I wish to receive ff38::276")

MLD Report (B): ICMP type 131; IPv6 source fe80::250:8bff:fe55:78de; IPv6 destination FF38::276; hop limit 1; group address ff38::276; Hop-by-Hop header with Router Alert ("I wish to receive ff38::276")

Figure: hosts A (fe80::209:5bff:fe08:a674) and B (fe80::250:8bff:fe55:78de) report to the router (fe80::207:85ff:fe80:692), which joins the (S, G) tree towards the source for multicast ff38::276.

Page 106: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 106

MLD Done (A): ICMP type 132; IPv6 source fe80::209:5bff:fe08:a674; IPv6 destination FF02::2 (all routers); hop limit 1; group address ff38::276; Hop-by-Hop header with Router Alert ("I wish to leave ff38::276")

MLD Query (C): ICMP type 130; IPv6 source fe80::207:85ff:fe80:692; IPv6 destination FF38::276; hop limit 1; Hop-by-Hop header with Router Alert (group-specific query from the router)

MLD Report (B): ICMP type 131; IPv6 source fe80::250:8bff:fe55:78de; IPv6 destination FF38::276; hop limit 1; group address ff38::276; Hop-by-Hop header with Router Alert ("I am watching ff38::276")

Figure: A leaves, the router C queries the group, and B answers so the stream continues.

Page 107: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 107

MLDv2 Report (A): ICMP type 143; IPv6 source fe80::209:5bff:fe08:a674; IPv6 destination FF02::16; hop limit 1; number of records, include/exclude; group address FF38::4000:BA11; Hop-by-Hop header with Router Alert ("I wish to receive FF38::4000:BA11")

Figure: host A (fe80::209:5bff:fe08:a674) reports and the router joins the (S, G) tree towards the source for multicast FF38::4000:BA11.

Page 108: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 108

•  General Query: FF02::1, group list empty; who's listening?

•  Group Specific Query: FF38::4000:BA11; anyone still interested in this stream?

•  Group & Source Specific Query: 2001:DB8:CAFE::1, FF38::4000:BA11

•  Filter Mode, Change Record

•  Multiple routers on a link: the lowest address value assumes the Querier role

Figure: the router queries host A; source for multicast FF38::4000:BA11.

Page 109: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 109

Page 110: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 110

•  BYOD: Massive influx of consumer devices to be placed on Enterprise networks

•  Consumer devices are typically located within a single Layer 2 domain in the home

•  Users may expect to have the same type of services in the Enterprise / Campus but also across L3 boundaries

•  Device types include mobile devices (iOS, Android), printers, cameras, PCs etc.

Page 111: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 111

•  FF02::FB – Multicast DNS – mDNS (Apple Bonjour) (Chromecast)

•  FF02::2:FF/104 – Node Information Query (FreeBSD)

•  FF02::C – Simple Service Discovery Protocol – SSDP, UPnP (Microsoft)

•  FF02::1:3 – Link Local Multicast Name Resolution – LLMNR (File Sharing enabled)

Personal Computer Operating Systems: Windows, Mac OS X, Linux

Appliances & Networking: Printers, Access Points, Switches, Routers

AV Equipment: Speakers, Cameras, Displays, AV Receivers

Page 112: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 112

•  Service Discovery is your phone book: "Tell me where I can reach Mr. Printer." It doesn't necessarily mean that you can actually reach / talk to Mr. Printer

•  Access Control is like caller screening: even if a person is not listed in the phone book, you might call that person because you know the number ("I know Mr. Printer is at 1.2.3.4, let's call him even if I don't see him in the phone book")

•  Better Together: use the phone book for easy lookup (Service Discovery) and use caller screening for security (ACL / SGT / SGACL ...)

Page 113: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 113

Page 114: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 114

•  Catalyst Integrated Security Features (CISF)

•  Dug Song – dsniff

•  Port Security

Page 115: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 115

•  ARP is replaced by the Neighbor Discovery Protocol
–  Nothing authenticated
–  Static entries overwritten by dynamic ones

•  Stateless Address Autoconfiguration
–  Rogue RA (malicious or not)

•  Attack tools are real! parasite6, fake_router6, alive6, Scapy6, ...

Page 116: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 116

IPv6 First Hop Security (FHS) features:

•  IPv6 Snooping

•  RA Guard – protection against rogue or malicious RAs and MiM attacks

•  DHCPv6 Guard – protection against invalid DHCP offers, DoS attacks and MiM attacks

•  Source/Prefix Guard – protection against invalid source addresses, invalid prefixes and source address spoofing

•  Destination Guard – protection against DoS attacks, scanning and invalid destination addresses

•  RA Throttler – reduces the control traffic necessary for proper link operations, to improve performance

•  ND Multicast Suppress – facilitates scale by converting multicast traffic to unicast

The deck groups these as Core Features, Advanced Features, and Scalability & Performance.

Page 117: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 117

•  Attacker hacks any victim's DAD attempts

•  Victim will need manual intervention to configure an IP address

Figure: A sends NS (Src = UNSPEC, Dst = solicited-node multicast of A, Data = A; query: does anybody use A?); C answers with NA (Src = any of C's interface addresses, Dst = A, Option = link-layer address of C), so A's DAD fails. B is another node on the link.

Page 118: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 118

•  Admin/intern sends RAs with a false prefix
•  Enthusiast who has a tunnel broker account
•  The most frequent threat, by a non-malicious user

Figure: C sends RA (Src = C's link-local address, Dst = all-nodes, Options = prefix BAD) to A and B.

Page 119: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 119

•  Flooding RAs overwhelms the system: OS X, MSFT, iPad/iPhone, Android

Figure: C floods A and B with RAs carrying prefixes BAD1 ... BAD6.

Update: MSFT addresses "Vulnerability in IPv6 Could Allow Denial of Service" (2904659), published Tuesday, February 11, 2014

Page 120: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 120

•  Attacker spoofs a Router Advertisement with a false on-link prefix
•  MITM, splash screen, capture

Figure: B sends RA (Src = B's link-local address, Dst = all-nodes, Options = prefix BAD) to A and C.

Page 121: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 121

•  Port ACL

ipv6 access-list ACCESS_PORT
 deny icmp any any router-advertisement
interface FastEthernet0/2
 ipv6 traffic-filter ACCESS_PORT in

•  Feature based

interface FastEthernet0/2
 ipv6 nd raguard

•  Policy based

ipv6 snooping policy HOST
 security-level guard
 limit address-count 2
 device-role node
interface GigabitEthernet1/0/2
 ipv6 snooping attach-policy HOST

Figure: RAs arriving on ports with device-role HOST are dropped; RAs from the port with device-role ROUTER are accepted.

Page 122: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 122

Figure, "Hidden ULP": fragment 1 is IPv6 NH=44, fragment header NH=60, Offset = 0, M=1, carrying a destination options header of more than 1400 bytes; fragment 2 is IPv6 NH=44, fragment header NH=58, Offset = 176, M=0, carrying the ICMP RA. The upper-layer header is not in the first fragment.

Figure, "Overlapping Fragments": fragment 1 is IPv6 NH=44, fragment header NH=58, Offset = 0, M=1, carrying the ICMP RA; fragment 2 is IPv6 NH=44, fragment header NH=58, Offset = 1, M=0, overlapping the first.

Fragmentation EH (type 44) fields: Next Header, Reserved, Fragment Offset, Reserved, M flag, Identification

•  RFC 6980 (Aug 2013):
deny ipv6 fe80::/64 any fragments
deny ipv6 any any undetermined-transport

•  RFC 5722: hosts to reject IDs with overlaps

Page 123: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 123

•  RFC 7112 – ULP present in the initial fragment
•  RFC 1858 – Firewall processing of fragments

•  RFC 2460 – PTB with NH-MTU < 1280 bytes
–  Not required to reduce transmission size below 1280
–  Will include a type 44 fragmentation header

•  Atomic fragments (Offset = 0, M = 0)
–  Could trigger predictable fragment ID attacks

•  RFC 6946 – Advises how to handle atomic fragments
–  Process it in isolation, must stand on its own
–  Must not interfere with an existing set {source, destination IPs, Identification number}

•  RFC 5722 – Host-based overlap protection
–  Drop all packets with the same set {source, destination IPs, Identification number}
–  Silent drop, no ICMPv6 error message generated
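Applying the checks on pages 122 and 123 to raw packets, as an added Python example that is not from the deck: the header-chain walk flags ND inside a fragmented packet (RFC 6980), a first fragment without its upper-layer header (RFC 7112), non-initial fragments from fe80::/64 as the deny rule above does, and overlapping fragments (RFC 5722). All packets, addresses and fragment IDs are constructed.

```python
"""Fragment-policy checks for IPv6 header chains: RFC 6980 (no ND inside a
fragmented packet), RFC 7112 (upper-layer header must sit in the first
fragment) and RFC 5722 (overlapping fragments). Added example with constructed
packets; not code from the workshop deck."""
import struct
from ipaddress import IPv6Address, IPv6Network

HOP_BY_HOP, ROUTING, FRAGMENT, ICMPV6, NO_NEXT, DEST_OPTS = 0, 43, 44, 58, 59, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, DEST_OPTS}
ND_TYPES = {133, 134, 135, 136, 137}          # RS, RA, NS, NA, Redirect
LINK_LOCAL = IPv6Network("fe80::/64")


def walk_header_chain(pkt: bytes) -> dict:
    """Follow the extension-header chain of a packet or first fragment.
    'ulp' stays None when the chain is cut off before the upper-layer header."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    info = {"src": IPv6Address(pkt[8:24]), "fragmented": False, "frag_offset": 0,
            "more": False, "frag_id": None, "frag_data_off": None,
            "ulp": None, "icmp_type": None}
    nh, off = pkt[6], 40
    while True:
        if nh in EXT_HEADERS:
            if off + 2 > len(pkt):
                return info                    # chain runs off the end of this fragment
            nh, ext_len = pkt[off], pkt[off + 1]
            off += (ext_len + 1) * 8
        elif nh == FRAGMENT:
            if off + 8 > len(pkt):
                return info
            nh, _, frag_field, frag_id = struct.unpack_from("!BBHI", pkt, off)
            off += 8
            info.update(fragmented=True, frag_offset=frag_field >> 3,
                        more=bool(frag_field & 1), frag_id=frag_id, frag_data_off=off)
            if info["frag_offset"] != 0:
                return info                    # non-first fragment: no headers to read
        else:
            break
    if nh == NO_NEXT:
        info["ulp"] = nh
    elif off < len(pkt):                       # at least the first ULP byte is present
        info["ulp"] = nh
        if nh == ICMPV6:
            info["icmp_type"] = pkt[off]
    return info


def fragment_policy(pkt: bytes) -> str:
    """Return 'forward' or the reason a first-hop device would drop the packet."""
    info = walk_header_chain(pkt)
    if not info["fragmented"]:
        return "forward"
    if info["frag_offset"] == 0:
        if info["icmp_type"] in ND_TYPES:
            return "drop: ND message inside a fragmented packet (RFC 6980)"
        if info["ulp"] is None:
            return "drop: upper-layer header not in first fragment (RFC 7112)"
    elif info["src"] in LINK_LOCAL:
        return "drop: non-initial fragment from link-local source (deny ipv6 fe80::/64 any fragments)"
    return "forward"


def fragments_overlap(frags: list) -> bool:
    """RFC 5722 check for one {src, dst, id} set: any two fragments covering the same bytes."""
    ranges = []
    for pkt in frags:
        info = walk_header_chain(pkt)
        if not info["fragmented"]:
            raise ValueError("not a fragment")
        start = info["frag_offset"] * 8
        ranges.append((start, start + len(pkt) - info["frag_data_off"]))
    ranges.sort()
    return any(ranges[i][1] > ranges[i + 1][0] for i in range(len(ranges) - 1))


# Constructed sample packets (ICMPv6 checksums are left zero; they are not validated here).
def ipv6_pkt(src: str, dst: str, nh: int, payload: bytes) -> bytes:
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), nh, 255)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + payload


def frag_hdr(nh: int, offset_units: int, more: bool, ident: int) -> bytes:
    return struct.pack("!BBHI", nh, 0, (offset_units << 3) | int(more), ident)


RA_STUB = bytes([134, 0, 0, 0, 64, 0, 0x07, 0x08]) + bytes(8)               # 16-byte RA header
PAD_DESTOPTS = bytes([ICMPV6, 1, 1, 4, 0, 0, 0, 0, 1, 6]) + bytes(6)        # 16 bytes of PadN, NH=58

FRAGMENTED_RA = ipv6_pkt("fe80::1", "ff02::1", FRAGMENT, frag_hdr(ICMPV6, 0, True, 7) + RA_STUB)
HIDDEN_ULP = ipv6_pkt("fe80::1", "ff02::1", FRAGMENT, frag_hdr(DEST_OPTS, 0, True, 8) + PAD_DESTOPTS)
TAIL_FRAGMENT = ipv6_pkt("fe80::1", "ff02::1", FRAGMENT, frag_hdr(ICMPV6, 22, False, 8) + bytes(16))
ECHO_REQUEST = ipv6_pkt("2001:db8::1", "2001:db8::2", ICMPV6, bytes([128, 0, 0, 0]) + bytes(4))
OVERLAPPING_SET = [
    ipv6_pkt("2001:db8::1", "2001:db8::2", FRAGMENT, frag_hdr(ICMPV6, 0, True, 9) + bytes(16)),
    ipv6_pkt("2001:db8::1", "2001:db8::2", FRAGMENT, frag_hdr(ICMPV6, 1, False, 9) + bytes(16)),
]
```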

Page 124: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 124

Prevent rogue DHCP responses from misleading the client

Figure: the DHCP client sends a DHCP request; the legitimate DHCP server answers while a rogue node on the link also claims "I am a DHCP server".

Page 125: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 125

•  Deep control packet inspection
•  Address glean (ND, DHCP, data)
•  Address watch
•  Binding guard

Instrumental link-operation security feature that analyzes control/data switch traffic, detects IP addresses, and stores/updates them in the Binding Table to ensure rogue users cannot spoof or steal addresses.

IPv6 Binding Table (RFC 6620):
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::000A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying

The binding table feeds IPv6 Source Guard, IPv6 Destination Guard and Device Tracking.

Page 126: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 126

Mitigates address hijacking, ensures the proper prefix

Intf     IPv6    MAC   VLAN  State
g1/0/10  ::000A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
g1/0/21  ::0021  0021  200   Active

Figure: a node posing as Host A (~Host A) tries to claim Host A's address via NDP or DHCPv6; the binding table already holds Host A's entry.

Page 127: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 127

•  Mitigate prefix-scanning attacks and protect the ND cache
•  Drops packets for destinations without a binding entry

Intf     IPv6    MAC   VLAN  State
g1/0/10  ::0001  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying

Figure: pings to 2001:db8::1, 2001:db8::2, 2001:db8::3 and 2001:db8::4 arrive; each destination is looked up in the binding table. Found (2001:db8::1): forward the packet and resolve with NS. Not found: drop.

Page 128: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 128 128

•  Prevent node-to-node Layer 2 communication
–  Promiscuous (router port) talks to all other port types
–  Isolated port can only contact promiscuous port(s)
–  Community ports can contact their group and promiscuous port(s)

•  DAD ND Proxy prevents address conflicts

•  Internet Edge, Data Center: reducing attack surface and malware propagation

•  Service Provider: client/customer isolation

Figure: private VLAN with community ports, an isolated port and a promiscuous port towards the router (R).

Page 129: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 129

Page 130: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 130

§  Radio is a shared media
§  Hosts must "awaken" to see if multicast is for them
§  Only unicast frames are acknowledged and retransmitted
§  AP transmits bcast/mcast frames at the lowest possible rate to ensure reception
§  Disable legacy IEEE 802.11b data rates (1, 2, 5.5 Mbps)

Page 131: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 131

§  DAD – 1 packet per IP address configured on the network

§  RS – 1 packet per host that joins the network

§  RA – Periodic: 1 packet every X seconds; Solicited: 1 packet for every host that joins the network

§  NS – 1 packet for every new host/host pair

§  NA – 1 packet for every new host address

§  MLD – 1 packet per solicited-node multicast group

§  What about broken stuff (i.e. MLD packets sent to the Solicited Node Mcast)?

Page 132: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 132

•  Scaling the 802.11 multicast reliability issues
•  NDP process is multicast "chatty", consumes airtime
•  Controller rate limits the periodic RAs, while allowing RS to flow
•  Caching allows the Controller to "proxy" the NA, based on gleaning

Figure: client 00:24:56:75:44:33 (2001:db8:0:20::2) sends a multicast NS for 00:24:56:11:93:28 (2001:db8:0:20::4); the controller answers with a unicast NA from its cache instead of flooding the multicast NS, and periodic RAs are rate limited.

Page 133: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 133

•  Management access – Telnet/SSH/HTTP/HTTPS
•  Mobility – Auto anchor, guest access, WebAuth
•  Services – NTP, SNMP, Syslog, RADIUS, CDP, CAPWAPv6
•  UDP Lite – speeds up checksum calculation using the pseudo-header
•  WebAuth – captive portal for IPv6-only clients

Page 134: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 134

Figure: a roaming client attached to the foreign controller; the anchor controller forwards the multicast RA through the mobility tunnel and the AP delivers it as a unicast RA.

•  Roaming client must be able to receive the original router advertisement
•  Controllers must be part of the same mobility group domain
•  The anchor controller sends the RA to the foreign controller in the mobility tunnel
•  AP converts the multicast RA to an L2 unicast (MC2UC)

Page 135: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 135

•  Existing VideoStream support using MC2UC (Multicast to Unicast) for IPv4 works the same for IPv6 multicast streams

•  The multicast to unicast conversion occurs at the Access Point for efficiency and scalability

Figure: stream A arrives as IPv6 multicast over Ethernet/VLAN, is carried to the AP inside the CAPWAP multicast group (over IPv4 or IPv6), and is sent to the client as 802.11 unicast.

Page 136: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 136

Page 137: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 137

•  Enable IPv6 routing
-  "ipv6 unicast-routing"
-  "no switchport"

•  IPv6 next hop
-  Link-local addresses

•  Router ID
-  Unique 32-bit number that identifies the router
-  Happens to be written in dotted decimal notation

•  Addressing considerations
-  Structure
-  Hierarchy
-  Summarization

Figure: Management, Routing, Switching, Services

Page 138: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 138

ipv6 general-prefix foo-core 2001:0db8:4646:6000::/52
ipv6 general-prefix foo-acc 2001:0db8:4646:6acc::/56
ipv6 unicast-routing
!
interface GigabitEthernet1/0/1
 description To 6k-core-right
 ipv6 address foo-core ::3:0:0:0:d63/64
 ipv6 eigrp 10
 ipv6 hello-interval eigrp 10 1
 ipv6 hold-time eigrp 10 3
 ipv6 authentication mode eigrp 10 md5
 ipv6 authentication key-chain eigrp 10 eigrp
 ipv6 summary-address eigrp 10 2001:0db8:4646:6000::/52
!
interface GigabitEthernet1/0/2
 description To 6k-core-left
 ipv6 address foo-core ::C:0:0:0:d63/64
 ipv6 eigrp 10
 ipv6 summary-address eigrp 10 2001:0db8:4646:6000::/52
!
interface Vlan4
 description Data VLAN for Access
 ipv6 address foo-acc ::4:d63/64
 ipv6 eigrp 10
!
interface Vlan6
 description Data VLAN for Access
 ipv6 address foo-acc ::6:d63/64
 ipv6 eigrp 10
!
ipv6 router eigrp 10
 no shutdown
 router-id 10.122.10.10
 passive-interface Vlan4
 passive-interface Vlan6
 passive-interface Loopback0

Page 139: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 139

•  IGPs use link-local addresses
•  Redistribution needs GUA or ULA

•  Routing protocols may need "multi-hop"

•  Static can be tragic: no auto update

ipv6 unicast-routing
!
! direct
ipv6 route 2001:db8:2::/48 ethernet 1/0
!
! recursive
ipv6 route 2001:db8:5::/48 2001:db8:4::1

Page 140: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 140

•  RIPng – UDP 521, 15 hops
•  FE80::/64 source → FF02::9 destination

•  Distance vector, hop count (1-15)

•  Split horizon, poison reverse

•  Bueller, Bueller, anyone?

ipv6 unicast-routing
!
interface loopback 0
 ipv6 address 2001:db8:1000::1/128
 ipv6 rip CISCO enable
!
interface ethernet 0/0
 ipv6 address 2001:db8:5000:31::1/64
 ipv6 rip CISCO enable
!
ipv6 router rip CISCO

Page 141: IPv6 workshop-tm-0x1f

© 2012 Cisco and/or its affiliates. All rights reserved. 141

ipv6 unicast-routing
!
interface ethernet 0/0
 ipv6 address 2001:db8:5000:31::1/64
 ipv6 router isis CISCO
 isis circuit-type level-1
 isis ipv6 metric 10000
!
router isis CISCO
 net 49.0001.2222.2222.2222.00
 metric-style wide
 !
 address-family ipv6
  multi-topology

•  IS-IS – RFC 5308, runs over CLNS
•  IPv4 & IPv6

•  Link State
•  2 new TLVs added

•  Topology Support
   -  Single Topology
   -  Multi Topology (preferred in dual stack)
   -  Multi Instance

Page 142: IPv6 workshop-tm-0x1f

ipv6 unicast-routing
!
interface loopback0
 ipv6 address 2001:db8:1000::1/128
 ipv6 eigrp 11
!
interface ethernet 0/0
 ipv6 address 2001:db8:5000:31::1/64
 ipv6 eigrp 11
!
ipv6 router eigrp 11
 passive-interface loopback0
 eigrp router-id 10.10.10.10

•  EIGRP – IP protocol 88

•  FE80::/64 Source → FF02::A Destination

•  2 new TLVs – internal-type & external-type

•  No Split Horizon, Auto Summary Disabled

•  Stub reduces topology & queries
•  EIGRP can perform better in large scale hub and spoke environments

Page 143: IPv6 workshop-tm-0x1f

ipv6 unicast-routing
!
interface loopback0
 ipv6 address 2001:db8:1000::1/128
 ipv6 ospf 8 area 0
!
interface ethernet 0/0
 ipv6 address 2001:db8:5000:31::1/64
 ipv6 ospf 8 area 0
!
ipv6 router ospf 8
 router-id 10.10.10.10
 passive-interface loopback0

•  OSPFv3 – IP protocol 89
•  FE80::/64 Source → FF02::5, FF02::6 (DRs) Destination
•  Link-LSA (8) – link-local scope, next hop
•  Intra-Area-Prefix-LSA (9) – the router's prefixes
•  Inter-Area-Prefix-LSA (3) – between ABRs

•  Can converge quickly to a point of scale; the initial database build and discovery take some time

•  Link state protocols perform better in full mesh environments, if tuned correctly

RFC 5838 (AF), RFC 7166 (AT)

Page 144: IPv6 workshop-tm-0x1f

•  Every OSPF packet contains the standard header

•  Header size reduced from 24 to 16 bytes

•  Authentication fields have been removed

•  Instance ID – multiple processes per link
   -  Address family independence
   -  Default 0 = IPv6, 64 = IPv4

•  Router ID – 32-bit "number"
   -  Does not have to be an active address

•  Checksum – IPv6 pseudo-header format

OSPFv2 Standard Header (24 bytes): Version | Type | Packet Length | Router ID | Area ID | Checksum | Autype | Authentication (8 bytes)

OSPFv3 Standard Header (16 bytes): Version | Type | Packet Length | Router ID | Area ID | Checksum | Instance ID | 0 (reserved)

Page 145: IPv6 workshop-tm-0x1f

OSPFv2 LSA Header (20 bytes): LS age | Options | LS type | Link State ID | Advertising Router | LS sequence number | LS checksum | Length

•  All LSAs use a common 20-byte header

•  Options field has moved to the LSA body

•  Type field expanded, contains flood scope
   -  Link 0,0
   -  Area 0,1
   -  AS 1,0

•  U bit added for unknown or new LSAs

OSPFv3 LSA Header (20 bytes): LS age | LS type (16 bits: U bit, flood scope, function code) | Link State ID | Advertising Router | LS sequence number | LS checksum | Length
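As an added example (my own code, not from the workshop deck), the Python below unpacks the header layouts from the two pages above with struct: the 24-byte OSPFv2 header with its Autype/Authentication fields, the 16-byte OSPFv3 header that carries an Instance ID in their place, and the OSPFv3 LSA header, whose 16-bit LS type is split into the U bit, the two-bit flooding scope and the function code. The sample packets are constructed here; the Instance ID address-family ranges are the ones assigned by RFC 5838.

```python
import ipaddress
import struct

# Header layouts (network byte order).
OSPFV2_HEADER = struct.Struct("!BBHIIHH8s")   # 24 bytes, ends with Autype + 8-byte Authentication
OSPFV3_HEADER = struct.Struct("!BBHIIHBB")    # 16 bytes, ends with Instance ID + reserved 0
OSPFV3_LSA_HEADER = struct.Struct("!HHIIIHH")  # 20 bytes, no Options field

FLOOD_SCOPES = {0: "link", 1: "area", 2: "as", 3: "reserved"}   # S2,S1 bits of LS type
FUNCTION_CODES = {1: "Router", 2: "Network", 3: "Inter-Area-Prefix", 4: "Inter-Area-Router",
                  5: "AS-External", 7: "NSSA", 8: "Link", 9: "Intra-Area-Prefix"}


def instance_address_family(instance_id):
    """RFC 5838 Instance ID ranges: 0-31 v6 unicast, 32-63 v6 multicast, 64-95 v4 unicast, ..."""
    if instance_id <= 31:
        return "IPv6 unicast"
    if instance_id <= 63:
        return "IPv6 multicast"
    if instance_id <= 95:
        return "IPv4 unicast"
    if instance_id <= 127:
        return "IPv4 multicast"
    return "unassigned"


def parse_ospfv2_header(data):
    ver, ptype, length, rid, area, csum, autype, auth = OSPFV2_HEADER.unpack_from(data)
    if ver != 2:
        raise ValueError("not an OSPFv2 packet")
    return {"version": ver, "type": ptype, "length": length,
            "router_id": str(ipaddress.IPv4Address(rid)), "area_id": str(ipaddress.IPv4Address(area)),
            "checksum": csum, "autype": autype, "auth": auth}


def parse_ospfv3_header(data):
    ver, ptype, length, rid, area, csum, instance, reserved = OSPFV3_HEADER.unpack_from(data)
    if ver != 3:
        raise ValueError("not an OSPFv3 packet")
    # Router ID is still a 32-bit number written dotted, but no longer needs to be a real address.
    return {"version": ver, "type": ptype, "length": length,
            "router_id": str(ipaddress.IPv4Address(rid)), "area_id": str(ipaddress.IPv4Address(area)),
            "checksum": csum, "instance_id": instance,
            "address_family": instance_address_family(instance), "reserved": reserved}


def decode_ls_type(ls_type):
    """Split the OSPFv3 LS type: bit 15 = U (handle unknown LSA), bits 14-13 = scope, 12-0 = function."""
    code = ls_type & 0x1FFF
    return {"u_bit": (ls_type >> 15) & 1, "scope": FLOOD_SCOPES[(ls_type >> 13) & 0x3],
            "function_code": code, "name": FUNCTION_CODES.get(code, "unknown")}


def parse_ospfv3_lsa_header(data):
    age, ls_type, lsid, adv, seq, csum, length = OSPFV3_LSA_HEADER.unpack_from(data)
    return {"ls_age": age, "ls_type": ls_type, **decode_ls_type(ls_type), "link_state_id": lsid,
            "advertising_router": str(ipaddress.IPv4Address(adv)), "sequence": seq,
            "checksum": csum, "length": length}


# Constructed samples (router-id 10.10.10.10 as in the slide configs; checksums are dummies).
RID = int(ipaddress.IPv4Address("10.10.10.10"))
SAMPLE_V2_HELLO = OSPFV2_HEADER.pack(2, 1, 44, RID, 0, 0x1234, 0, b"\x00" * 8)
SAMPLE_V3_HELLO = OSPFV3_HEADER.pack(3, 1, 36, RID, 0, 0x1234, 0, 0)
SAMPLE_V3_LINK_LSA = OSPFV3_LSA_HEADER.pack(1, 0x0008, 4, RID, 0x80000001, 0xABCD, 44)
SAMPLE_V3_ASEXT_LSA = OSPFV3_LSA_HEADER.pack(1, 0x4005, 1, RID, 0x80000001, 0xABCD, 36)

if __name__ == "__main__":
    print(parse_ospfv2_header(SAMPLE_V2_HELLO))
    print(parse_ospfv3_header(SAMPLE_V3_HELLO))
    print(parse_ospfv3_lsa_header(SAMPLE_V3_LINK_LSA))
    print(parse_ospfv3_lsa_header(SAMPLE_V3_ASEXT_LSA))
```

The v3 parser returns no authentication fields at all: with OSPFv3 they live outside the header, in the IPsec AH or the RFC 7166 trailer covered on page 147.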

Page 146: IPv6 workshop-tm-0x1f

Page 147: IPv6 workshop-tm-0x1f

•  AH for authentication (RFC 4552)
   -  Manual key process
   -  Dynamic keying is 1-to-1
   -  OSPF design is 1-to-many
   -  ESP could be used for confidentiality
   -  Needed the security license for IPsec

•  RFC 7166 Authentication Trailers
   -  Updates RFC 6506
   -  Anti-replay
   -  HMAC-SHA-1, 256, 384, 512
   -  IOS 15.4S/M/T

key chain AUTH
 key 1
  key-string RFC
  cryptographic-algorithm hmac-sha-512
!
address-family ipv6 unicast
 authentication mode strict
 area 0 authentication key-chain AUTH
exit-address-family

Page 148: IPv6 workshop-tm-0x1f

Page 149: IPv6 workshop-tm-0x1f

•  Private Circuit – business as usual, routing protocols

•  Internet Circuit – DMVPN for scalability and resiliency

•  Local Internet "hop off" is multi-homing

[Diagram: Branch sites connected over the WAN to the Main Site; link addresses ::1 through ::5 on each segment]

Page 150: IPv6 workshop-tm-0x1f

•  Utilizes existing IPv4 transport
•  Dual stack on the PE
•  MP-BGP next hop ::ffff:192.0.2.210
•  LDP next hop 192.0.2.210
•  SAFI type 4, labeled IPv6

[Diagram: R1 (2001:db8:babe::/48) – IPv6 MP-BGP over an LDPv4 core – R4 (2001:db8:d00d::/48)]

router bgp 192
 no bgp default ipv4-unicast
 neighbor 192.0.2.3 remote-as 192
 neighbor 192.0.2.3 update-source L0
 !
 address-family ipv6
  redistribute connected
  no synchronization
  neighbor 192.0.2.3 activate
  neighbor 192.0.2.3 send-label
!
ipv6 route 2001:db8:babe::/48 2001:db8:1:1::2

Page 151: IPv6 workshop-tm-0x1f

•  6PE (RFC 4798)
   -  Utilizes existing IPv4 transport
   -  MP-BGP next hop ::ffff:A.B.C.D/96

•  6VPE (RFC 4659)
   -  Utilizes Address Family (AF) in VRF context
   -  Allows for VPN functionality

•  LDPv6 (RFC 7552)
   -  LDP session over IPv6
   -  Peer discovery
   -  TTL security

Page 152: IPv6 workshop-tm-0x1f

•  Utilizes Address Family (AF) in VRF Context
•  Allows for VPN Functionality
•  Subsequent Address Family Identifiers (SAFI)
   ‒  MP-BGP Address-family SAFI = 2 (IPv6)
   ‒  VRF Address-family SAFI = 128 (VPN)

[Diagram: R1 with 2001:db8:cafe:1::/64, 2001:db8:babe:1::/64, 2001:db8:d00d:1::/64 and R4 with 2001:db8:cafe:4::/64, 2001:db8:babe:4::/64, 2001:db8:d00d:4::/64]

vrf definition 6vpe
 rd 192:1
 route-target export 192:1
 route-target import 192:3
!
router bgp 192
 address-family vpnv6
  neighbor 192.0.2.3 activate
  neighbor 192.0.2.3 send-community both
 !
 address-family ipv6 vrf 6vpe
  redistribute connected
  no synchronization

Page 153: IPv6 workshop-tm-0x1f

•  Adding TTL security (for both IPv4 and IPv6)
•  Adding the ability to form an LDP session over IPv6, including peer discovery
•  Modifying the Forwarding Equivalence Class to support both IPv4 and IPv6
•  Modifying how the LDP Identifier is used; still 32 bit
•  Link-local addresses will NOT get labels generated or passed

[Diagram: R1 with 2001:db8:cafe:1::/64, 2001:db8:babe:1::/64, 2001:db8:d00d:1::/64 and R4 with 2001:db8:cafe:4::/64, 2001:db8:babe:4::/64, 2001:db8:d00d:4::/64]

Page 154: IPv6 workshop-tm-0x1f

•  Scaling IPsec VPNs

•  Simple GRE tunneling

•  NHRP for dynamic site discovery

[Diagram: IPv6 transport WAN with hubs HE1 and HE2 and spokes BR1-1 and BR1-2]

interface Tunnel2
 description to HUB
 no ip address
 ipv6 address 2001:DB8:CAFE:C5C0::B/127
 ipv6 mtu 1400
 no ipv6 redirects
 ipv6 nhrp authentication CISCO
 ipv6 nhrp network-id 100
 ipv6 nhrp holdtime 300
 ipv6 nhrp nhs 2001:DB8:CAFE:C5C0::A nbma 2001:DB8:CAFE:37::B multicast
 ipv6 nhrp shortcut
 ipv6 eigrp 10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint ipv6
 tunnel key 100
 tunnel protection ipsec profile SPOKE

Page 155: IPv6 workshop-tm-0x1f

•  Hub Configuration Example

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac
!
crypto ipsec profile HUB
 set transform-set HUB

interface Tunnel0
 description DMVPN Tunnel 1
 ip address 10.126.1.1 255.255.255.0
 ipv6 address 2001:DB8:CAFE:20A::1/64
 ipv6 mtu 1416
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 35
 no ipv6 next-hop-self eigrp 10
 no ipv6 split-horizon eigrp 10
 ipv6 nhrp authentication CISCO
 ipv6 nhrp map multicast dynamic
 ipv6 nhrp network-id 10
 ipv6 nhrp holdtime 600
 ipv6 nhrp redirect
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile HUB

[Diagram: Primary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 and Backup DMVPN Tunnel 2001:DB8:CAFE:20B::/64 across the WAN between hubs HE1/HE2 and spokes BR1-1/BR1-2]

Page 156: IPv6 workshop-tm-0x1f

•  Spoke Configuration Example

crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp key CISCO address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac
!
crypto ipsec profile SPOKE
 set transform-set SPOKE

interface Tunnel0
 description to HUB
 ip address 10.126.1.2 255.255.255.0
 ipv6 address 2001:DB8:CAFE:20A::2/64
 ipv6 mtu 1416
 ipv6 eigrp 10
 ipv6 hold-time eigrp 10 35
 no ipv6 next-hop-self eigrp 10
 no ipv6 split-horizon eigrp 10
 ipv6 nhrp authentication CISCO
 ipv6 nhrp map 2001:DB8:CAFE:20A::1/64 172.16.1.1
 ipv6 nhrp map multicast 172.16.1.1
 ipv6 nhrp network-id 10
 ipv6 nhrp holdtime 600
 ipv6 nhrp nhs 2001:DB8:CAFE:20A::1
 ipv6 nhrp shortcut
 tunnel source Serial1/0
 tunnel mode gre multipoint
 tunnel key 10
 tunnel protection ipsec profile SPOKE

[Diagram: Primary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 and Backup DMVPN Tunnel 2001:DB8:CAFE:20B::/64 across the WAN between hubs HE1/HE2 and spokes BR1-1/BR1-2]

Page 157: IPv6 workshop-tm-0x1f

•  Spoke Configuration Example

interface Tunnel2
 description to HUB
 no ip address
 ipv6 address 2001:DB8:CAFE:C5C0::B/127
 ipv6 mtu 1400
 no ipv6 redirects
 ipv6 nhrp authentication CISCO
 ipv6 nhrp network-id 100
 ipv6 nhrp holdtime 300
 ipv6 nhrp nhs 2001:DB8:CAFE:C5C0::A nbma 2001:DB8:CAFE:37::B multicast
 ipv6 nhrp shortcut
 ipv6 eigrp 10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint ipv6
 tunnel key 100
 tunnel protection ipsec profile SPOKE

Page 158: IPv6 workshop-tm-0x1f

[Diagram: MAP CE (IPv4 + IPv6) – Native IPv6 Infrastructure – MAP BR (IPv4 + IPv6), with ingress and egress IPv4 traffic]

•  IPv4 follows IPv6 routing within a domain (traffic destined to another subscriber does not traverse the BR)

•  All other traffic sent via anycast to any MAP BR

•  Forwarding is handled either by double translation (MAP-T) or encapsulation (MAP-E)

Page 159: IPv6 workshop-tm-0x1f

•  Segment Routing Header:
   -  Segment List describes the path of the packet: a list of segments (IPv6 addresses)
   -  Next Segment: a pointer to the segment list element identifying the next segment
   -  HMAC & Flags fields

•  The Active Segment is set as the DA of the packet, using the "Next Segment"

•  Segments are identified by IPv6 addresses, no specific signaling is needed
   -  An SR node can be a router, a server, any appliance, application, …

[Diagram: nodes A–H between source X and destination Y; the packet follows X → C → F → H → Y]
  At X (before SR):  IPv6 Hdr: DA=Y, SA=X | PAYLOAD
  X → C:             IPv6 Hdr: DA=C, SA=X | SR Hdr: SL=C,F,H,Y | PAYLOAD
  C → F:             IPv6 Hdr: DA=F, SA=X | SR Hdr: SL=C,F,H,Y | PAYLOAD
  F → H:             IPv6 Hdr: DA=H, SA=X | SR Hdr: SL=C,F,H,Y | PAYLOAD
  H → Y:             IPv6 Hdr: DA=Y, SA=X | PAYLOAD
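An added example, not part of the deck, that simulates the header walk above in Python using the RFC 8754 SRH layout. On the wire the segment list is stored in reverse order and the "Next Segment" pointer is the Segments Left index, which each segment endpoint decrements before copying the new active segment into the DA. The node addresses are constructed 2001:db8:: values standing in for the slide's letters; the HMAC and other SRH TLVs are left out.

```python
import ipaddress
import struct

# Fixed part of the SRH: Next Header, Hdr Ext Len, Routing Type, Segments Left, Last Entry, Flags, Tag
SRH_FIXED = struct.Struct("!BBBBBBH")
ROUTING_TYPE_SRH = 4    # routing header type assigned to SRv6 by RFC 8754
NO_NEXT_HEADER = 59     # constructed: the example packet carries no payload

# Constructed addresses standing in for the slide's node letters.
NODE = {"X": "2001:db8::10", "C": "2001:db8::c", "F": "2001:db8::f",
        "H": "2001:db8::48", "Y": "2001:db8::59"}


def build_srh(path, next_header=NO_NEXT_HEADER):
    """Encode an SRH for `path`, the segments in the order they must be visited."""
    n = len(path)
    if not 0 < n < 128:
        raise ValueError("segment list length out of range")
    # Segment List[0] is the LAST segment; Segment List[n-1] is the first one to visit.
    segment_list = b"".join(ipaddress.IPv6Address(s).packed for s in reversed(path))
    hdr_ext_len = 2 * n            # (8 + 16*n) / 8 - 1, in 8-octet units
    segments_left = n - 1          # points at the first segment
    last_entry = n - 1
    fixed = SRH_FIXED.pack(next_header, hdr_ext_len, ROUTING_TYPE_SRH,
                           segments_left, last_entry, 0, 0)
    return fixed + segment_list


def parse_srh(srh):
    nh, hel, rt, sl, le, flags, tag = SRH_FIXED.unpack_from(srh)
    if rt != ROUTING_TYPE_SRH:
        raise ValueError("not a segment routing header")
    segs = [ipaddress.IPv6Address(srh[8 + 16 * i: 24 + 16 * i]) for i in range(le + 1)]
    return {"next_header": nh, "hdr_ext_len": hel, "segments_left": sl,
            "last_entry": le, "flags": flags, "tag": tag, "segment_list": segs}


def encapsulate(source, path):
    """Source behaviour: DA becomes the first segment, the SRH carries the whole list."""
    srh = build_srh(path)
    first = parse_srh(srh)["segment_list"][len(path) - 1]
    return {"sa": ipaddress.IPv6Address(source), "da": first, "srh": srh}


def process_at(node, pkt):
    """Segment endpoint behaviour: a node that is the active segment advances the pointer.
    At the final segment (Segments Left == 0) the SRH is removed and the payload delivered."""
    if pkt["srh"] is None or ipaddress.IPv6Address(node) != pkt["da"]:
        return pkt                      # transit node: forward on the DA, header untouched
    hdr = parse_srh(pkt["srh"])
    if hdr["segments_left"] == 0:
        return {**pkt, "srh": None}
    sl = hdr["segments_left"] - 1
    new_srh = bytearray(pkt["srh"])
    new_srh[3] = sl                     # Segments Left is the 4th octet of the SRH
    return {**pkt, "da": hdr["segment_list"][sl], "srh": bytes(new_srh)}


def trace(source, path, hops):
    """Walk the packet through `hops`; return the DA after each hop and whether it was delivered."""
    pkt = encapsulate(source, path)
    das = [str(pkt["da"])]
    for hop in hops:
        pkt = process_at(hop, pkt)
        das.append(str(pkt["da"]))
    return das, pkt["srh"] is None


if __name__ == "__main__":
    path = [NODE[c] for c in "CFHY"]
    print(trace(NODE["X"], path, path))
```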

Page 160: IPv6 workshop-tm-0x1f

•  The notion of a "segment" is not new in IPv6
   -  Segments can be used for service chaining or forwarding

•  Segment Routing leverages the RFC 2460 Routing Header by defining a new type
   -  Improves the Routing Header
   -  Enhances the source routing model
   -  Introduces security

•  Segment Routing does NOT require a forklift upgrade of the network
   -  SR and non-SR nodes can co-exist
   -  Gradual deployment
   -  Full interoperability
   -  Backward compatibility

[Diagram: SR-IPv6 domain with nodes A–H; packet = IPv6 Hdr | SR Header, Segments: C,F,H | PAYLOAD]

Page 161: IPv6 workshop-tm-0x1f

Page 162: IPv6 workshop-tm-0x1f

•  IPv4 Only Data Center
   -  IPv6 Translation on the Front End

•  Dual Stack
   -  Both IPv4 & IPv6 Into the Data Center

•  IPv6 Only Data Center
   -  IPv4 Translation on the Front End

•  What is the Cost of Each Stage?

Page 163: IPv6 workshop-tm-0x1f

•  Legacy

•  Load Balancer inline

•  No translation in this design

•  Services are Firewalled

[Diagram: Internet → Firewall → Edge Router → Load Balancer → Switch → Web, Email, etc., IPv4 end to end]

Page 164: IPv6 workshop-tm-0x1f

•  Dual Stack Front End

•  Translation via NAT/Proxy/SLB

•  Easy to Turn Up

•  Hard to Move Forward

•  False Sense of Accomplishment

[Diagram: Internet (IPv4/IPv6) → NAT/Proxy/SLB → Firewall → Edge Router → Load Balancer → Switch → Web, Email, etc. (IPv4 only behind the front end)]

Page 165: IPv6 workshop-tm-0x1f

•  IPv4 & IPv6 Addressing on All Devices

•  Incremental Operational Cost (~20%)

•  Double Everything (ACL’s, SLA’s, etc.)

•  Two Data Planes, Two Control Planes

•  Recommended Approach

[Diagram: Internet → Firewall → Edge Router → Load Balancer → Switch → Web, Email, etc., IPv4/IPv6 end to end]

Page 166: IPv6 workshop-tm-0x1f

•  Dual Stack Front End

•  Translation via NAT/Proxy/SLB

•  Forces Developers to use IPv6

•  Reduces Operational Costs

•  Eliminates Complexity within the DC

[Diagram: IPv4/IPv6 front end with NAT/Proxy/SLB → Load Balancer → Switch → Web, Email, etc., IPv6 only inside the data center]

Page 167: IPv6 workshop-tm-0x1f

•  Inconsistent API use of IPv6 addresses
•  Data types, headers, structures, sockets, oh my

•  Home grown apps may only support IPv4
•  Pressure vendors to move to a protocol-agnostic framework

•  RFC 3493 – Open socket call, 64-bit structure aligned to HW
•  RFC 3542 – Raw socket, ping, traceroute, r commands

198.51.100.44:8080 → [2001:db8:cafe:64::26]:8080

Page 168: IPv6 workshop-tm-0x1f

•  RFC 4038 - http://tools.ietf.org/html/rfc4038
   Covers Application Aspects of IPv6 Transition

•  RFC 5014 - http://tools.ietf.org/html/rfc5014
   Covers IPv6 Socket API for Source Address Selection

•  If you have developers trying to figure out how to port their applications:
   https://www.arin.net/knowledge/preparing_apps_for_v6.pdf
   https://www.getipv6.info/display/IPv6/Porting+Applications

Page 169: IPv6 workshop-tm-0x1f

•  Large DCs with very dense host populations can cause severe performance problems on the control plane of switches due to IPv4 and IPv6 'control' traffic

•  One size will not fit all, tuning will require experimentation

•  NUD Reachable Time: ipv6 nd reachable-time time-in-milliseconds
   -  When using an FHRP, move from 30 sec (default) to 10 minutes

•  Scavenge and Refresh Timer: ipv6 nd cache expire time-in-seconds
   -  When using an FHRP, use refresh in conjunction with NA glean

•  Unsolicited NA Glean: ipv6 nd na glean
   -  Create neighbor entries from unsolicited NAs received from hosts

•  Router Advertisements: ipv6 nd ra interval
   -  IOS = 200 sec, NX-OS = 600 sec, router lifetime = 3x RA interval

Page 170: IPv6 workshop-tm-0x1f

•  Networks with dense host populations may have performance problems with the control plane (switches) due to IPv4 and IPv6 'control' traffic

•  One size will not fit all, tuning will require experimentation

•  ND cache sizing: ipv6 nd cache interface-limit size [ log rate ]
   -  Limit the number of ND cache entries
   -  Don't forget link-local addresses

•  NUD Reachable Time: ipv6 nd reachable-time time-in-milliseconds
   -  When using an FHRP, move from 30 sec (default) to 10 minutes

•  Scavenge and Refresh Timer: ipv6 nd cache expire time-in-seconds
   -  When using an FHRP, use refresh in conjunction with NA glean

•  Unsolicited NA Glean: ipv6 nd na glean
   -  Create neighbor entries from unsolicited NAs received from hosts

•  Router Advertisements: ipv6 nd ra interval
   -  IOS = 200 sec, NX-OS = 600 sec, router lifetime = 3x RA interval

Page 171: IPv6 workshop-tm-0x1f

•  Same configuration requirements and operation as with IPv4

•  Configure VRRP address to be the same as physical interface of “primary”

Page 172: IPv6 workshop-tm-0x1f

•  Tunnel protocol for Fibre Channel over an IP infrastructure
•  RFC 4404 – Entity Address Size IPv4 (4) or IPv6 (16)
•  MDS 9x00 Series
   –  out-of-order delivery, jumbo frames, traffic shaping, TCP optimization

Page 173: IPv6 workshop-tm-0x1f

•  Replication Services, Disaster Recovery
•  Shared Assets and Resources
•  Overlay Transport Virtualization (OTV)
   –  L2 technologies encapsulated in L3
   –  IPv6 within OTV over IPv4
   –  Disable Optimized Multicast Forwarding (OMF) in IGMP snooping on OTV edge devices for IPv6 Solicited Node Multicast traffic to flow

[Diagram: OTV Global Cloud]

Page 174: IPv6 workshop-tm-0x1f

•  Hosts are ready
   -  Windows: enabled by default, disabling it = no more support from Microsoft
   -  Mac OS X, iOS, Android, Linux, */BSD: enabled by default

•  File & Print
   -  No WINS or NetBIOS over IPv6
   -  SMB on TCP 445

•  SQL Server
   -  IPv6 preferred
   -  Watch for v4 socket calls

•  Server 2008/R2 needs Unified Access Server

•  Server 2012 includes UAS, NAT64/DNS64

Page 175: IPv6 workshop-tm-0x1f

•  May need radical change
   –  Disabling IPv4 forces IPv6 development

•  OpenStack
   –  Havana – limited IPv6 support, WP
   –  Icehouse – Neutron L3 extension

•  Application Centric Infrastructure (ACI)
   –  Automates network resource provisioning
   –  On demand scale of applications

Page 176: IPv6 workshop-tm-0x1f

• IPv6 enabled cloud services

Page 177: IPv6 workshop-tm-0x1f

Function: Hostname to IP Address
  IPv4 – A Record:              www.abc.test.  A     192.168.30.1
  IPv6 – AAAA Record (Quad A):  www.abc.test   AAAA  2001:db8:C18:1::2

Function: IP Address to Hostname
  IPv4 – PTR Record:  1.30.168.192.in-addr.arpa.  PTR  www.abc.test.
  IPv6 – PTR Record:  2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa  PTR  www.abc.test.

•  AAAA = easy, PTR = messy
•  Add the IPv6 address, create the AAAA record in the DNS zone
•  Repeat for every name server from sub zones to parent zone
•  Glue records: add an entry in DNS for the IPs of your domain's name servers
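An added example (my own code, not from the deck) that shows why AAAA is easy and PTR is messy: it derives the nibble-reversed ip6.arpa name for a host, the reverse zone name for a /64 delegation, and the forward, reverse and glue records for a constructed zone. The www entries reuse the slide's addresses; the ns1 host, its addresses and the "names starting with ns are name servers" convention are assumptions of this example.

```python
import ipaddress

# Constructed zone data: www is taken from the slide, ns1 is made up for the glue example.
ZONE = "abc.test."
HOSTS = {
    "www.abc.test.": ["192.168.30.1", "2001:db8:C18:1::2"],
    "ns1.abc.test.": ["192.168.30.53", "2001:db8:C18:1::53"],
}


def record_type(addr):
    return "A" if ipaddress.ip_address(addr).version == 4 else "AAAA"


def ptr_name(addr):
    """Owner name of the PTR record: octets reversed for v4, all 32 nibbles reversed for v6."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")          # keeps every leading zero
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix):
    """Name of the reverse zone that must be delegated for `prefix` (nibble/octet aligned only)."""
    net = ipaddress.ip_network(prefix)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones are cut on octet boundaries")
        octets = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa."
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones are cut on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def forward_records(hosts):
    return [f"{name} {record_type(a)} {ipaddress.ip_address(a).compressed}"
            for name, addrs in hosts.items() for a in addrs]


def reverse_records(hosts):
    return [f"{ptr_name(a)} PTR {name}" for name, addrs in hosts.items() for a in addrs]


def glue_records(hosts, zone=ZONE):
    """NS records plus the A/AAAA glue for every name server (assumed: names starting with 'ns')."""
    recs = []
    for name, addrs in hosts.items():
        if not name.startswith("ns"):
            continue
        recs.append(f"{zone} NS {name}")
        recs.extend(f"{name} {record_type(a)} {ipaddress.ip_address(a).compressed}" for a in addrs)
    return recs


if __name__ == "__main__":
    for r in forward_records(HOSTS) + reverse_records(HOSTS) + glue_records(HOSTS):
        print(r)
    print("delegate:", reverse_zone("2001:db8:c18:1::/64"))
```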

Page 178: IPv6 workshop-tm-0x1f

Page 179: IPv6 workshop-tm-0x1f

IPv6 is enabled by default and is preferred in Windows (this has been the case since Windows Vista and Server 2008)

If you are running Windows you have likely already deployed IPv6 You just didn’t know it – oops

By default Windows is dual-stacked

Windows has built in transition technologies in the operating system – but I recommend that you turn them off

Microsoft considers turning off IPv6 to be an unsupported configuration

All current software solutions from Microsoft can run on IPv6 only or dual-stack networks w/ little to no modification


Page 180: IPv6 workshop-tm-0x1f

Since Windows Vista and Server 2008 there has been a new networking stack in the Windows Operating System

[Diagram]
Older TCP/IP Networking Stack (Dual-Stack):
  Application Layer
  TCP/UDP (IPv4) | TCP/UDP (IPv6)
  IPv4 | IPv6
  Network Interface Layer

New TCP/IP Networking Stack (Dual IP Layer):
  Application Layer
  Transport Layer (TCP/UDP)
  IPv4 | IPv6
  Network Interface Layer

Yes, this is confusing as heck: the older OS versions of Windows call their IPv6 solution dual-stack. It is not the same dual-stack as when we refer in the generic way to running IPv4 and IPv6 on the same network.

Page 181: IPv6 workshop-tm-0x1f

C:\Documents and Settings\>netsh
netsh>interface ipv6
netsh interface ipv6>show address
Querying active state...

Interface 5: Local Area Connection

Addr Type  DAD State  Valid Life    Pref. Life    Address
---------  ---------  ------------  ------------  -----------------------------
Public     Preferred  29d23h58m25s  6d23h58m25s   2001:0db8:2301:1:202:8a49:41ad:a136
Temporary  Preferred  6d21h48m47s   21h46m        2001:0db8:2301:1:bd86:eac2:f5f1:39c1
Link       Preferred  infinite      infinite      fe80::202:8a49:41ad:a136

netsh interface ipv6>show route
Querying active state...

Publish  Type      Met  Prefix                    Idx  Gateway/Interface Name
-------  --------  ---  ------------------------  ---  ---------------------
no       Autoconf  8    2001:0db8:2301:1::/64     5    Local Area Connection
no       Autoconf  256  ::/0                      5    fe80::20d:bdff:fe87:f6f9

Page 182: IPv6 workshop-tm-0x1f

•  Scope, Preferred over Deprecated, Native over Transitional, Temporary over Public
•  Must support an application override API; the choice of v6 over v4 is application dependent
•  RFC 7078 defines override using a DHCPv6 option

Public     Preferred  2001:0db8:2301:1:202:8a34:bead:a136
Temporary  Preferred  2001:0db8:2301:1:bd86:ea49:41f1:39c1
Link       Preferred  fe80::202:8a34:bead:a136

IPv6 Prefix Range  Precedence  Label
::1/128            50          0
::/0               40          1
2002::/16          30          2
::/96              20          3
::ffff:0:0/96      10          4
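An added example (my own code, not from the deck) that implements the policy-table lookup behind "Native over Transitional": each candidate destination gets the precedence and label of its longest-matching prefix, IPv4 destinations being looked up as ::ffff:a.b.c.d, and candidates are then ordered by label match and precedence (Rules 5 and 6 of RFC 6724; the other rules are not implemented). The first table is the one on the slide; the second is the RFC 6724 default table, added here for comparison because it moves IPv4 above 6to4 and Teredo.

```python
import ipaddress

# Policy table as shown on the slide (the RFC 3484-era table): (prefix, precedence, label)
SLIDE_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("2002::/16", 30, 2),
    ("::/96", 20, 3),
    ("::ffff:0:0/96", 10, 4),
]

# RFC 6724 default table: IPv4 (35) now outranks 6to4 (30) and Teredo (5); ULA and site-local are demoted.
RFC6724_TABLE = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]


def as_ipv6(addr):
    """The policy table is keyed on IPv6; IPv4 candidates are represented as IPv4-mapped addresses."""
    ip = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address(f"::ffff:{ip}") if ip.version == 4 else ip


def lookup(addr, table):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    ip = as_ipv6(addr)
    best = None
    for prefix, precedence, label in table:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    if best is None:
        raise ValueError(f"no policy entry covers {addr}")
    return best[1], best[2]


def order_destinations(dests, table, source_label=None):
    """Rule 5: prefer a destination whose label equals the source's label; Rule 6: higher precedence.
    Python's sort is stable, so candidates that tie keep the resolver's order."""
    def key(dest):
        precedence, label = lookup(dest, table)
        label_mismatch = 0 if source_label is None or label == source_label else 1
        return (label_mismatch, -precedence)
    return sorted(dests, key=key)


# Constructed candidate set: a native IPv6 address, a 6to4 address and a plain IPv4 address.
DESTS = ["198.51.100.44", "2002:c633:6401::1", "2001:db8::1"]

if __name__ == "__main__":
    print("slide table:  ", order_destinations(DESTS, SLIDE_TABLE))
    print("RFC 6724:     ", order_destinations(DESTS, RFC6724_TABLE))
```

With the slide's table the 6to4 candidate still beats IPv4; under RFC 6724 a host with working IPv4 will try IPv4 before a transitional 6to4 or Teredo path, which is what "Native over Transitional" is meant to achieve.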

Page 183: IPv6 workshop-tm-0x1f

[Diagram: the DNS server holds www IN A 192.168.0.3 and www IN AAAA 2001:db8:1::1; the client has an IPv4 path to 192.168.0.3 and an IPv6 path to 2001:db8:1::1]

•  In a dual stack case, an application can:
   -  Query DNS for IPv4 and/or IPv6 records
   -  Make parallel connection requests vs. serial
   -  Winner makes the "eyes" happy

•  Give IPv6 a 300 ms head start: lookup & connect, retrieve and display

RFC 6555
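An added example, not from the deck, of the RFC 6555 race described above: the IPv6 attempt starts first and gets a 300 ms head start, the IPv4 attempt is started when that window expires (or at once if IPv6 fails fast), the first successful attempt wins and the loser is cancelled. The "connections" are simulated with asyncio.sleep so the code runs offline; the delays and the failure flags are constructed inputs.

```python
import asyncio

HEAD_START = 0.3   # 300 ms head start for IPv6, as on the slide


async def happy_eyeballs(connect_v6, connect_v4, head_start=HEAD_START):
    """Race two connect coroutines; return the result of the first that succeeds."""
    v6 = asyncio.ensure_future(connect_v6())
    done, _ = await asyncio.wait({v6}, timeout=head_start)
    if v6 in done and v6.exception() is None:
        return v6.result()          # IPv6 answered inside the head start: IPv4 never starts

    # Head start expired, or IPv6 failed fast: start IPv4 and race whatever is still pending.
    v4 = asyncio.ensure_future(connect_v4())
    racing = {t for t in (v6, v4) if not t.done()}
    while racing:
        done, racing = await asyncio.wait(racing, return_when=asyncio.FIRST_COMPLETED)
        for task in done:
            if task.exception() is None:
                for loser in racing:
                    loser.cancel()   # do not leave the slower family half-open
                return task.result()
    raise ConnectionError("both address families failed")


def fake_connect(family, delay, fail=False):
    """Constructed stand-in for a TCP connect: sleeps `delay` seconds, then succeeds or refuses."""
    async def attempt():
        await asyncio.sleep(delay)
        if fail:
            raise ConnectionRefusedError(f"{family} connection refused")
        return family
    return attempt


def demo(v6_delay, v4_delay, v6_fail=False, v4_fail=False):
    """Run one race with the given simulated connect times; returns the winning family."""
    return asyncio.run(happy_eyeballs(fake_connect("IPv6", v6_delay, v6_fail),
                                      fake_connect("IPv4", v4_delay, v4_fail)))


if __name__ == "__main__":
    print("fast v6:          ", demo(0.05, 0.01))        # IPv6 wins, IPv4 never tried
    print("slow v6:          ", demo(0.60, 0.05))        # IPv4 wins after the head start
    print("v6 refused fast:  ", demo(0.02, 0.05, v6_fail=True))
    print("v6 past head start", demo(0.35, 0.50))        # IPv6 still wins: v4 only started at 0.3 s
```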

Page 184: IPv6 workshop-tm-0x1f

•  Probes for IPv4 and IPv6 connectivity every time a network event occurs

•  Cache of already known networks, 30 days unless an interface status changes

•  Need to spoof NCSI in a lab environment

                      IPv4                                 IPv6
DNS query to          dns.msftncsi.com → 131.107.255.255   dns.msftncsi.com → fd3e:4f5a:5b81::1
HTTP GET              http://www.msftncsi.com/ncsi.txt     http://ipv6.msftncsi.com/ncsi.txt
Content of ncsi.txt   Microsoft NCSI                       Microsoft NCSI

Page 185: IPv6 workshop-tm-0x1f

2001:470:4801:a3:5c07:2212:a5dc:e68e is from DHCPv6. There are no other global IPv6 addresses on the host. Notice the last 64 bits do NOT match: the link-local address was locally generated and the global address was given via DHCPv6.

Page 186: IPv6 workshop-tm-0x1f

Because we can have ambiguity on link-local addresses, the Scope ID is used to link the neighbor table entry to a specific interface

[Diagram: fe80::cd87:5dd6:cf39:dd08 and fe80::80d4:29c9:2b3c:a0e2 on two interfaces, with scope IDs %12 and %13]

Page 187: IPv6 workshop-tm-0x1f

C:\ >ipconfig

Tunnel adapter ISATAP Adapter
   Media State : Media disconnected
   Connection DNS Suffix : foo.com

Tunnel adapter Teredo Adapter
   Media State : Media disconnected
   Connection-specific DNS Suffix :

Tunnel adapter 6TO4 Adapter:
   Media State : Media disconnected
   Connection-specific DNS Suffix :

Can be disabled via Registry, GPO, PowerShell, etc.

ISATAP – used within the administrative domain (IP protocol 41): ::0:5efe:w.x.y.z/96 – private v4, ::200:5efe:w.x.y.z/96 – global v4

Teredo – used with RFC 1918 addresses (UDP 3544): 2001:0:{srvr v4}:{flags}:{udp}:{nat v4}

6to4 – used with global IPv4 addresses (IP protocol 41): 2002:w.x.y.z:: with w.x.y.z written in hex
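An added example (my own code, not from the deck) that builds and recognises the three transition address formats listed above, plus the ::ffff:A.B.C.D IPv4-mapped form that the 6PE pages use for the MP-BGP next hop. The Teredo decoder applies the RFC 4380 obfuscation (the UDP port and the NAT's public IPv4 are stored XORed with all ones), which the slide's {udp}:{nat v4} notation leaves implicit. The sample addresses are constructed from documentation ranges; the Teredo sample is the textbook example with server 65.54.227.120.

```python
import ipaddress


def ipv4_mapped(v4):
    """::ffff:A.B.C.D, the form 6PE uses to carry an IPv4 next hop for IPv6 routes."""
    return ipaddress.IPv6Address(f"::ffff:{ipaddress.IPv4Address(v4)}")


def sixto4_prefix(v4):
    """2002:WWXX:YYZZ::/48 derived from the global IPv4 address W.X.Y.Z."""
    p = ipaddress.IPv4Address(v4).packed
    return ipaddress.IPv6Network(f"2002:{p[0]:02x}{p[1]:02x}:{p[2]:02x}{p[3]:02x}::/48")


def isatap_address(prefix, v4, global_v4):
    """prefix::0:5efe:w.x.y.z for a private v4, prefix::200:5efe:w.x.y.z for a global one
    (the 0x0200 is the universal/local bit of the interface identifier)."""
    net = ipaddress.IPv6Network(prefix)
    iid = (0x0200 if global_v4 else 0) << 48 | 0x5EFE << 32 | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def decode_teredo(addr):
    """Teredo (RFC 4380): 2001:0:{server v4}:{flags}:{port ^ 0xffff}:{client v4 ^ 0xffffffff}."""
    p = ipaddress.IPv6Address(addr).packed
    if p[:4] != bytes.fromhex("20010000"):
        raise ValueError("not a Teredo address")
    return {"server": str(ipaddress.IPv4Address(p[4:8])),
            "flags": int.from_bytes(p[8:10], "big"),
            "port": int.from_bytes(p[10:12], "big") ^ 0xFFFF,
            "client": str(ipaddress.IPv4Address(bytes(b ^ 0xFF for b in p[12:16])))}


def classify(addr):
    """Return (mechanism, embedded IPv4) for an IPv6 address; 'native' when no IPv4 is embedded."""
    ip = ipaddress.IPv6Address(addr)
    if ip.ipv4_mapped is not None:
        return "ipv4-mapped", str(ip.ipv4_mapped)
    if ip.sixtofour is not None:
        return "6to4", str(ip.sixtofour)
    if ip.teredo is not None:
        return "teredo", decode_teredo(ip)["client"]
    iid = int(ip) & ((1 << 64) - 1)
    if iid >> 32 in (0x00005EFE, 0x02005EFE):          # ISATAP interface identifier
        return "isatap", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    return "native", None


# Constructed samples
TEREDO_SAMPLE = "2001:0:4136:e378:8000:63bf:3fff:fdd2"

if __name__ == "__main__":
    print(ipv4_mapped("192.0.2.210"))
    print(sixto4_prefix("192.0.2.4"))
    print(isatap_address("2001:db8::/64", "10.1.2.3", global_v4=False))
    print(decode_teredo(TEREDO_SAMPLE))
    for a in [TEREDO_SAMPLE, "2002:c000:204::1", "::ffff:192.0.2.210", "2001:db8::5efe:a01:203", "2001:db8::1"]:
        print(a, "->", classify(a))
```

classify() is the check a defender wants on a firewall log or an address inventory: a 2002::/16, 2001::/32 or ::5efe: address means traffic that is leaving the site through a tunnel the team may not be monitoring, which is why the slide recommends turning these adapters off.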

Page 188: IPv6 workshop-tm-0x1f

RFC 4429 - http://tools.ietf.org/html/rfc4429

Was designed to make the process of DAD faster

It does this by:
•  Removing the RetransTimer delay when doing address configuration
•  Interoperability w/ hosts doing non-optimistic DAD
•  Not increasing the address collision probability
•  Improving the resolution for address collisions
•  Minimizing disruption in the case of collisions

Basically, the OS starts using the IPv6 address immediately (assumes it is good)

And the DAD process still happens to confirm that is the case

Page 189: IPv6 workshop-tm-0x1f

Don't forget to specify IPv6 subnets in Active Directory and map them to the appropriate Sites

Page 190: IPv6 workshop-tm-0x1f

When building out a server cluster in Windows Server 2012 and newer it will default to IPv6 for the cluster failover link

It will establish its failover heartbeat communications using link-local IPv6 addresses

If you need a cluster to run in a cloud service that does not support IPv6 you must convert the failover heartbeat link to IPv4

Pay attention when you P2V a cluster – it will NOT convert the failover link

Page 191: IPv6 workshop-tm-0x1f

Microsoft no longer tests software with IPv4 ONLY networks

Microsoft has standardized on dual stack support

There are only four products that have limited IPv6 support:
•  Azure – In the works but no timeline has been given
•  Forefront TMG – EOS and it won't get IPv6 support
•  Lync (update – now has IPv6 support)*
•  Windows Phone 7 (but 8 w/ updates has IPv6 support)*

http://aka.ms/ipv6compat

Page 192: IPv6 workshop-tm-0x1f

Page 193: IPv6 workshop-tm-0x1f

Since Mac OS X v10.2 (Jaguar – May 2002) Apple has had IPv6 support in some form in the OS

Older versions likely have unpredictable behavior

IPv6 support was not viable until 10.6.7 (Snow Leopard – August 2009), essentially the first "usable" and "predictable" OS version with IPv6

Relatively solid support in the Geography releases; a kernel fix finally addresses ICMPv6 rate limiting

Page 194: IPv6 workshop-tm-0x1f

DHCPv6 client support was added in 10.7 (Lion – July, 2011)

IPv6 privacy addresses are enabled by default in 10.7

SLAAC and manual address configuration are supported


Page 195: IPv6 workshop-tm-0x1f

Choose Apple menu > System Preferences, and then click Network.
If the Network preference is locked, click the lock icon and enter your admin password to make further changes.
Choose the network service you want to use with IPv6, such as Ethernet or AirPort.
Click Advanced, and then click TCP/IP.
Click the Configure IPv6 pop-up menu (typically set to Automatically) and select Manually.
Enter the IPv6 address, router address, and prefix length you received from your network administrator or Internet service provider. Your router address may be referred to as your gateway address by some ISPs.

Reference: http://support.apple.com/kb/HT4667

Page 196: IPv6 workshop-tm-0x1f

[Diagram: router advertising the prefix 2001:db8:46:1::/64 (2001:db8:46:1::) to the host]

Page 197: IPv6 workshop-tm-0x1f

tmartin# ifconfig -L en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	ether b8:e8:56:19:f3:8a
	inet6 fe80::bae8:56ff:fe19:f38a%en0 prefixlen 64 scopeid 0x4
	inet6 2001:db8:46:1:bae8:56ff:fe19:f38a prefixlen 64 autoconf pltime 267 vltime 267
	inet6 2001:db8:46:1:883e:b6a2:863:e31b prefixlen 64 autoconf temp pltime 267 vltime 267
	nd6 options=1<PERFORMNUD>

DNS server updated via option (25) from the previous RA

Preferred/Valid lifetimes updated via option (3) from the previous RA

Page 198: IPv6 workshop-tm-0x1f

tmartin$ netstat -rnf inet6
Routing tables

Internet6:
Destination                        Gateway                    Flags   Netif Expire
default                            fe80::250:f1ff:fe00:0%en0  UGc     en0
::1                                ::1                        UHL     lo0
2001:db8:46:1::/64                 link#4                     UCS     en0
2001:db8:46:1:883e:b6a2:8863:e31b  b8:e8:56:19:f3:8a          UHL     lo0
2001:db8:46:1:bae8:56ff:fe19:f38a  b8:e8:56:19:f3:8a          UHL     lo0
fe80::%lo0/64                      fe80::1%lo0                UcI     lo0
fe80::1%lo0                        link#1                     UHLI    lo0
fe80::250:f1ff:fe00:0%en0          0:50:f1:0:0:0              UHLIr   en0
fe80::bae8:56ff:fe19:f38a%en0      b8:e8:56:19:f3:8a          UHLI    lo0
ff01::%lo0/32                      ::1                        UmCI    lo0
ff01::%en0/32                      link#4                     UmCSI   en0
ff02::%lo0/32                      ::1                        UmCI    lo0
ff02::%en0/32                      link#4                     UmCI    en0

Page 199: IPv6 workshop-tm-0x1f

tmartin# ndp -a
Neighbor                           Linklayer Address  Netif Expire    St Flgs Prbs
2001:db8:46:1:654:53ff:fe12:f103   4:54:53:12:f1:3    en0   23h44m39s S
2001:db8:46:1:883e:b6a2:8863:e31b  b8:e8:56:19:f3:8a  en0   permanent R
2001:db8:46:1:bae8:56ff:fe19:f38a  b8:e8:56:19:f3:8a  en0   permanent R
localhost                          (incomplete)       lo0   permanent R
fe80::250:f1ff:fe00:0%en0          0:50:f1:0:0:0      en0   13s       R R
Homework.local                     4:54:53:12:f1:3    en0   23h44m33s S
tmartin-m-90a6.local               b8:e8:56:19:f3:8a  en0   permanent R

Page 200: IPv6 workshop-tm-0x1f

tmartin# netstat -f inet6
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address         (state)
tcp6       0      0  2001:db8:46:1:.62472   edge-star6-shv-1.https  ESTABLISHED
tcp6       0      0  2001:db8:46:1:.62469   edge-star6-shv-0.https  ESTABLISHED
tcp6       0      0  2001:db8:46:1:.62468   2001:559:0:41::1.https  ESTABLISHED
tcp6       0      0  2001:db8:46:1:.62467   2001:559:0:56::b.https  ESTABLISHED
tcp6       0      0  2001:db8:46:1:.62458   2600:1404:a::174.https  ESTABLISHED
tcp6       0      0  2001:db8:46:1:.62457   xx-fbcdn6-shv-04.https  ESTABLISHED
tcp6       0      0  2001:db8:46:1:.62456   2600:1404:a::174.https  ESTABLISHED
tcp6       0      0  2001:db8:46:1:.62442   2607:f8b0:400f:8.https  ESTABLISHED
tcp6       0      0  2001:db8:46:1:.62337   edge-star6-shv-1.https  ESTABLISHED
udp6       0      0  *.55815                *.*
udp6       0      0  *.58881                *.*
udp6       0      0  *.52460                *.*
udp6       0      0  *.64250                *.*

Page 201: IPv6 workshop-tm-0x1f

Apple utilizes mDNS (ff02::fb) for name resolution

AirPlay, AirPrint, File share and other Bonjour services by default

mDNS works for both IPv4 and IPv6

RFC 6762 - http://tools.ietf.org/html/rfc6762

Details at http://en.wikipedia.org/wiki/Multicast_DNS

Bonjour Browser is a free app, mDNS Browser is a paid app

Page 202: IPv6 workshop-tm-0x1f

tmartin# netstat -g
Link-layer Multicast Group Memberships
Group              Link-layer Address  Netif
33:33:ff:63:e3:1b  <none>              en0
33:33:0:0:0:1      <none>              en0
33:33:ff:19:f3:8a  <none>              en0
33:33:0:0:0:fb     <none>              en0

IPv6 Multicast Group Memberships
Group                  Link-layer Address  Netif
ff02::fb%lo0           <none>              lo0
ff02::2:ffb8:7d5b%lo0  <none>              lo0
ff01::1%lo0            <none>              lo0
ff02::1%lo0            <none>              lo0
ff02::1:ff00:1%lo0     <none>              lo0
ff02::1:ff63:e31b%en0  33:33:ff:63:e3:1b   en0
ff02::1%en0            33:33:0:0:0:1       en0
ff02::1:ff19:f38a%en0  33:33:ff:19:f3:8a   en0
ff02::fb%en0           33:33:0:0:0:fb      en0
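An added example (my own code, not from the deck) that ties this netstat -g output back to the ifconfig output on page 197: it derives the modified EUI-64 interface identifier from the en0 MAC (flip the universal/local bit, insert ff:fe), builds the link-local and SLAAC addresses, computes the solicited-node group ff02::1:ffXX:XXXX each unicast address requires and its 33:33 Ethernet mapping, and checks whether an address exposes the MAC. The MAC and addresses are the ones shown on the two pages; the groups are what a host must join for those addresses.

```python
import ipaddress


def eui64_interface_id(mac):
    """Modified EUI-64: OUI | ff:fe | NIC, with the universal/local bit (0x02 of octet 0) inverted."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    octets[0] ^= 0x02
    return int.from_bytes(bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:]), "big")


def slaac_address(prefix, mac):
    """Prefix + EUI-64 interface identifier, the 'autoconf' (non-temp) address in ifconfig."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local(mac):
    return slaac_address("fe80::/64", mac)


def solicited_node(addr):
    """ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def multicast_mac(group):
    """Ethernet mapping for IPv6 multicast: 33:33 followed by the low 32 bits of the group."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError("not a multicast group")
    return "33:33:" + ":".join(f"{b:02x}" for b in g.packed[12:])


def mac_exposed(addr, mac):
    """True when the interface ID of `addr` is the EUI-64 of `mac`, i.e. the address reveals the MAC."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1) == eui64_interface_id(mac)


def expected_groups(addresses):
    """Solicited-node groups and their MACs a host joins for the given unicast addresses."""
    groups = {(str(solicited_node(a)), multicast_mac(solicited_node(a))) for a in addresses}
    return sorted(groups)


# Values from the ifconfig output on page 197
MAC = "b8:e8:56:19:f3:8a"
PREFIX = "2001:db8:46:1::/64"
TEMP_ADDR = "2001:db8:46:1:883e:b6a2:863:e31b"

if __name__ == "__main__":
    auto = slaac_address(PREFIX, MAC)
    print("link-local:", link_local(MAC), " autoconf:", auto)
    print("MAC exposed by autoconf address:", mac_exposed(auto, MAC))
    print("MAC exposed by temporary address:", mac_exposed(TEMP_ADDR, MAC))
    for group, mac in expected_groups([str(auto), str(link_local(MAC)), TEMP_ADDR]):
        print(group, mac)
```

The EUI-64 address and the link-local address share the low 24 bits, so they map to a single solicited-node group (ff02::1:ff19:f38a, 33:33:ff:19:f3:8a); the temporary address adds a second one (ff02::1:ff63:e31b), which is exactly the pair of ff-groups in the en0 membership list above.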


Page 203: IPv6 workshop-tm-0x1f

•  Provides cloud based file and screen sharing services
•  IPv6 must be enabled; a ULA (0xFD) is configured with an EUI-64 host id
•  Dynamic DNS Service Discovery, NAT traversal using Port Map Protocol
•  IPsec for integrity, Kerberos for authentication
•  RFC 6281

Encapsulation: IPv4 Header | UDP Header | ESP Header | IPv6 Header

Page 204: IPv6 workshop-tm-0x1f

Apple applications use multiple methods:
   getaddrinfo (Chrome, ~Firefox)
   CFSocketStream (Safari)

OS X often ends up looking at the RTT of cached destinations and uses that table to make the connection call, which can have varied results

It is possible that the legacy protocol is chosen when IPv6 is working, approximately 50% of the time, largely because there is no head start, hampering the experience

Page 205: IPv6 workshop-tm-0x1f

Page 206: IPv6 workshop-tm-0x1f

•  Linux has had IPv6 support since kernel version 2.6.12 (2005); older versions will likely behave unpredictably

•  DHCPv6 client support is mixed across versions – mileage will vary

Edit /etc/dhcp/dhclient.conf to modify the behavior or turn off the DHCPv6 client

•  IPv6 temporary addresses are enabled by default on Ubuntu server and client in 12.04 and 14.04 LTS

Page 207: IPv6 workshop-tm-0x1f

Ubuntu – check for an IPv6 address:
  ip -6 addr show dev eth0
  cat /proc/net/if_inet6

Ubuntu – check for IPv6 temporary addresses:
  sudo sysctl -a | grep tempaddr

Ubuntu – check for your IPv6 address:
  ifconfig eth0 | grep "inet6 addr:"

Ubuntu – check for IPv6 neighbors:
  ip -6 neigh show

Page 208: IPv6 workshop-tm-0x1f

Linux still just uses route to manage everything:
  route -A inet6 -n
(the iproute2 equivalent is "ip -6 route show")

Linux will use the router's link-local IPv6 address as the next hop with both SLAAC and DHCPv6

If you set things up manually, double check your default gateway

Page 209: IPv6 workshop-tm-0x1f

Edit the /etc/sysctl.conf file to change host behavior:
  # turn on IPv6 forwarding (not routing per se)
  net.ipv6.conf.all.forwarding=1
  # turn off auto configuration (SLAAC)
  net.ipv6.conf.all.autoconf=0
  # turn off RA learning – not recommended on a client
  net.ipv6.conf.all.accept_ra=0

For manual configuration use the above settings. Note that once forwarding=1 is set, the kernel ignores RAs unless accept_ra=2 (accept RAs even when forwarding); a host that forwards but still needs a learned default route must set 2, not 1.

The default /etc/sysctl.conf file will do the right IPv6 behavior for a client

Page 210: IPv6 workshop-tm-0x1f

Ubuntu – turning off privacy addressing:
  # Disable IPv6 Privacy Extensions
  net.ipv6.conf.all.use_tempaddr = 0
  net.ipv6.conf.default.use_tempaddr = 0

Turning it back on:
  # Enable IPv6 Privacy Extensions
  net.ipv6.conf.all.use_tempaddr = 2
  net.ipv6.conf.default.use_tempaddr = 2

(0 = no temporary addresses; 1 = generate them but prefer the public address; 2 = generate them and prefer them for outbound connections. "default" covers interfaces created later; "sysctl -p" applies the file without a reboot.)

Page 211: IPv6 workshop-tm-0x1f

Basic commands:
  ping6
  ifconfig
  traceroute6
  route -A inet6
  netstat -nr -A inet6
  dig @2001:470:1f05:9a4::1 www.cav6tf.org AAAA
  ssh root@fe80::<lower64>%eth0   or   ssh root@<prefix:address>

Remember to try the bracketed form, [2001:db8:cafe::1], if a command does not accept a bare IPv6 address

Howto reference:
  http://tldp.org/HOWTO/html_single/Linux+IPv6-HOWTO/
  https://wiki.kubuntu.org/IPv6

Page 212: IPv6 workshop-tm-0x1f

Ubuntu and RHEL default behaviors are similar

The Linux OS implements standard RFC 6724 address selection

It is up to applications whether they implement and use RFC 6555 (Happy Eyeballs)

Chrome and Firefox both have Happy Eyeballs support

Unlike OS X or Windows, there is no OS-level RFC 6555 support on Linux

Page 213: IPv6 workshop-tm-0x1f

Page 214: IPv6 workshop-tm-0x1f

Android has some limitations on Wi-Fi because it does not include a DHCPv6 client in the base build by default

Therefore, on Wi-Fi networks, SLAAC must be enabled for an Android handset or tablet to obtain an IPv6 address

Android supports RFC 6106 (the RDNSS option), so it can learn the IPv6 address of the DNS resolver via the RA

Android supports 464xlat allowing it to operate on an IPv6 only mobile network

Tablet and phones should have the same behavior and supported functions

Page 215: IPv6 workshop-tm-0x1f

Kindle Fire supports IPv6 because it is based on Android and has Wi-Fi IPv6 support via SLAAC

The Kindle Paperwhite and other Kindle e-readers not based on Android do not have IPv6 support

This may be due to the experimental browser support in the e-reader and not the OS, but I know of no tools to be able to test to determine if that is the case

Because some models of the Kindle Fire have a 4G cellular option, it has the same potential for 464xlat, allowing it to operate on an IPv6-only mobile network – I have not had the chance to test and validate this behavior

Page 216: IPv6 workshop-tm-0x1f

Apple iOS has a DHCPv6 client for Wi-Fi and can display IPv6 information under Settings > Wi-Fi

Unfortunately there are sometimes display issues: the full IPv6 address, and the full IPv6 addresses of the DNS resolvers, do not always display completely

iOS supports both SLAAC and DHCPv6

At this time iOS 8 does not support 464xlat

Therefore, iOS currently is not able to run on an IPv6 only mobile network

Page 217: IPv6 workshop-tm-0x1f

•  As of iOS 9, all iPhone/iPad apps must support IPv6!
•  Use the networking frameworks (for example, "NSURLSession")
•  Avoid use of IPv4-specific APIs
•  Avoid hard-coded IP addresses

“If your application doesn’t work properly with IPv6, it will simply not function on those networks, those carriers and for those customers.”

- Sebastien Marineau VP Core OS

Page 218: IPv6 workshop-tm-0x1f

Page 219: IPv6 workshop-tm-0x1f

Figure: three ways to put an IPv4-only application on the IPv6 Internet
•  Server Load Balancer: IPv6 toward the IPv6 Internet, IPv4 toward the servers (application support on the SLB)
•  Stateful NAT64: IPv6 Internet to IPv4 servers; client visibility is the concern, since the servers see the translator's addresses
•  Proxy: IPv6 to IPv4 in software (SW = poor performance)

Page 220: IPv6 workshop-tm-0x1f

•  Translation Algorithms RFC 6052 (Implementation Details)

•  Framework for Translation RFC 6144 (Implementation Scenarios)

•  Stateless NAT64 RFC 6145 (IP/ICMP Translation Algorithm) Maps the Entire IPv4 Internet into IPv6 Prefix

•  Stateful NAT64 RFC 6146 (State Table for IPv4/IPv6 Translation) Used mainly where IPv6-only clients need to access IPv4 servers

•  DNS64 RFC 6147 (IPv6 Client to IPv4 Server)

Figure: IPv4 header (Version, IHL, Type of Service, Total Length; Identification, Flags, Fragment Offset; Time to Live, Protocol, Header Checksum; Source Address; Destination Address) beside the IPv6 header (Version, Traffic Class, Flow Label; Payload Length, Next Header, Hop Limit; Source Address; Destination Address)

Page 221: IPv6 workshop-tm-0x1f

•  RFC 6144: 8 total scenarios (4, 7 and 8 are not applicable); 1, 2 and 3 involve Internet connectivity; 5 and 6 are focused on intranet connectivity

•  Stateless translation: algorithmic mapping of address information and translator configuration; initiation from IPv4 or IPv6

•  Stateful translation: uses a state table for translation, based on L3/L4 tuples; generally initiation is from IPv6

Figure (scenarios defined by RFC 6144): 1 IPv6 Network to IPv4 Internet; 2 IPv4 Internet to IPv6 Network; 3 IPv6 Internet to IPv4 Network; 5 IPv6 Network to IPv4 Network; 6 IPv4 Network to IPv6 Network

Page 222: IPv6 workshop-tm-0x1f

•  RFC 6145: 1:1 address mapping

•  IP header fields: copy ToS to/from Traffic Class; Identification, Flags and Offset to/from the Fragment extension header (EH 44); TTL to/from Hop Limit, decremented; Protocol to/from Next Header; checksum computed when translating IPv6 to IPv4

•  ICMP header fields: type translated (IPv4 8, 0 to IPv6 128, 129); pseudo-header checksum computed for IPv6 (UDP as well)

Ideal for an IPv6-only data center

Figure (stateless translation covers RFC 6144 scenarios 1, 2, 5 and 6): IPv4 Internet to/from IPv6 Network; IPv6 Network to/from IPv4 Network

Page 223: IPv6 workshop-tm-0x1f

•  RFC 6146: overload (many-to-one) address mapping

•  TCP/UDP/ICMP headers form the L4 portion of the state tuple; pseudo-header checksum for the IPv6 portion; no multicast, IPsec, etc.

•  MUST use DNS64 (RFC 6147), which synthesizes AAAA records from A records

•  ALGs may be required

•  MTU issues possible

Ideal for IPv6-only networks accessing IPv4

Figure (stateful translation covers RFC 6144 scenarios 1, 2*, 3, 5 and 6*): IPv6 Network to IPv4 Internet; IPv4 Internet to IPv6 Network*; IPv6 Internet to IPv4 Network; IPv6 Network to IPv4 Network; IPv4 Network to IPv6 Network*

*Use static IPv6-to-IPv4 mappings

Page 224: IPv6 workshop-tm-0x1f

Figure (DNS64 exchange): IPv6 PC 2001:db8:122:344::6 on 2001:db8:122:344::/64; DNS64/DNS46 translator with ::2 on the IPv6 side and .1 on the IPv4 side (192.0.2.0/24); IPv4 DNS server 192.168.90.101; Network-Specific Prefix 3001::/96

Step 1: the IPv6 PC queries the AAAA record for the IPv4 server
Step 2: the DNS server responds with an "empty" AAAA answer
Step 3: the translator (DNS64) sends an A query for the IPv4 server
Step 4: the DNS server responds with the A record for the IPv4 server
Step 5: DNS64 synthesizes a AAAA record from the A record by embedding the IPv4 address in 3001::/96

Page 225: IPv6 workshop-tm-0x1f

Figure (NAT64 data flow): IPv6 PC 2001:db8:122:344::6 on 2001:db8:122:344::/64; dynamic NAT64 / static NAT46 translator with ::2 on the IPv6 side and .1 on 192.0.2.0/24; IPv4 server 192.0.2.33; Network-Specific Prefix 3001::/96

-> IPv6: source 2001:db8:122:344::6, destination 3001::c000:221 (192.0.2.33 embedded in 3001::/96)
-> IPv4: source 192.0.2.1 (translator pool), destination 192.0.2.33
<- IPv4: source 192.0.2.33, destination 192.0.2.1
<- IPv6: source 3001::c000:221, destination 2001:db8:122:344::6

Page 226: IPv6 workshop-tm-0x1f

Citrix NetScaler

•  Virtual IP (VIP), SNAT pool
•  Publish the appropriate AAAA record
•  IPv6 to IPv4, similar to NAT64
•  Translation and SLB are done on the same platform
•  OS/application dictate design parameters
•  Rapid time to deploy

Figure: ISP-A and ISP-B front a dual-stack NetScaler; behind it sit WWW servers and UCS servers that are IPv4 only

Page 227: IPv6 workshop-tm-0x1f

•  Web server logging for geo-location, analytics, security, etc.

•  The source IP of client requests will be logged as the SNAT or other NAT'd address

•  A packet may go through multiple proxies: X-Forwarded-For: client, proxy1, proxy2

GET / HTTP/1.1
Host: www.foo.org
User-Agent: Mozilla Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml
Accept-Language: en-us,en
Keep-Alive: 300
X-Forwarded-For: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5
Connection: keep-alive

Figure: global IPv6 address of the client -> translation -> source NAT pool -> WWW servers
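Recovering the real client address from that header, as an added example that is not part of the workshop material: X-Forwarded-For is writable by the client, so only the entries appended by proxies we operate are believed, and the chain is walked from the right (the hop that actually connected to the server). The SNAT pool 10.10.0.0/24, the peer addresses and the header dictionary are constructed; the client address is the one in the request above.

```python
import ipaddress


def parse_xff(value):
    """Split an X-Forwarded-For value into its entries, left (client) to right (last proxy)."""
    return [e.strip().strip("[]") for e in (value or "").split(",") if e.strip()]


def client_address(peer_ip, xff_value, trusted_proxies):
    """Return the real client address behind the SNAT pool, or None.

    Every proxy in the path appends to the header, so only the entries written by
    proxies we trust mean anything. Walk from the right: skip each hop that is one
    of ours; the first hop that is not ours is the client. Everything further left
    was supplied by that untrusted party and is never believed."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    hops = parse_xff(xff_value) + [peer_ip]          # the TCP peer is the rightmost hop
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                               # junk where a proxy should be: reject
        if any(addr in net for net in trusted):
            continue
        return addr
    return None                                       # every hop is one of our own proxies


def access_log_line(peer_ip, headers, trusted_proxies, request_line="GET / HTTP/1.1"):
    """Access-log line keyed on the client, not on the SNAT address the socket shows."""
    client = client_address(peer_ip, headers.get("X-Forwarded-For"), trusted_proxies)
    shown = f"[{client}]" if client is not None and client.version == 6 else str(client)
    return f'{shown} via {peer_ip} "{request_line}"'


# Constructed: the load balancer's SNAT pool and the headers of the request above
SNAT_POOL = ["10.10.0.0/24"]
SAMPLE_HEADERS = {
    "Host": "www.foo.org",
    "X-Forwarded-For": "2001:db8:ea5e:1:49fa:b11a:aaf8:91a5",
}

if __name__ == "__main__":
    print(access_log_line("10.10.0.7", SAMPLE_HEADERS, SNAT_POOL))
```

The SNAT pool must be the only thing in the trusted set; listing a whole campus range lets any host in it spoof the logged client. When the peer is not a trusted proxy the header is ignored entirely, which is what keeps an attacker hitting the server directly from forging a geolocation or an allow-listed source.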

Page 228: IPv6 workshop-tm-0x1f

Page 229: IPv6 workshop-tm-0x1f

•  Need WCCPv2 for IPv6 support

•  Configure separate group instances for dual-stack operation

ipv6 wccp 91 redirect-list lookat6
!
interface vlan10
 ipv6 address 2001:db8:babe:10::1/64
 ipv6 wccp 91 redirect in
!
ipv6 access-list lookat6
 permit tcp 2001:db8:babe:10::/64 any eq www
 permit tcp 2001:db8:babe:10::/64 any eq 443

Figure: clients on 2001:db8:babe:10::/64 redirected toward the Internet

Page 230: IPv6 workshop-tm-0x1f

Figure: Internet edge options by enterprise size
•  Small enterprise: single link, single ISP (ISP 1), default route ::/0
•  Medium enterprise: dual links, dual provider (ISP1, ISP2), NPTv6 or LISP
•  Large enterprise: multi-homed, multi-prefix (ISP 1, ISP2, ISP3, ISP4), BGP or LISP

Page 231: IPv6 workshop-tm-0x1f

•  Do you support dual-stack peering?

•  Do you have a separate SLA for IPv6?

•  Do you support BGP peering over IPv6?

•  Do you have a FULL IPv6 route table?

•  What is the maximum prefix length?

•  What about DNS?

Hosted cloud service:
•  Maximum prefix length offered by the cloud provider?
•  Access to the provisioning and billing portal over IPv6?
•  Global IPv6 addressing for VMs in your environment?

Figure: ISP-A and ISP-B above the routing, switching and services layers

Page 232: IPv6 workshop-tm-0x1f

•  Peer over IPv6 for IPv6 prefixes

•  Solve for ingress and egress separately

•  MD5 shared secrets; IPsec (or TCP-AO, RFC 5925, where supported) could be used

•  Controlling the hop limit (GTSM): accept only packets with a hop limit of 254 or above, i.e. 255 minus the one permitted hop

•  Prefix size filtering, /32 - /48

router bgp 200
 bgp router-id 4.6.4.6
 neighbor 2001:db8:cafe:102::2 remote-as 2014
 neighbor 2001:db8:cafe:102::2 ttl-security hops 1
 neighbor 2001:db8:cafe:102::2 password cisco4646

(The neighbor still has to be activated under "address-family ipv6 unicast"; "password" configures the MD5 secret.)

Figure: ISP A and ISP B toward the Internet

Page 233: IPv6 workshop-tm-0x1f

•  Avoid over-tuning BGP: longest match, highest local-pref, shortest AS-path; peer with IPv6, "no bgp default ipv4-unicast"

•  Split your allocation: a /44 = (2) /45s; AS-path prepend to prefer one ISP over the other

•  An iBGP link between the edge routers is required to avoid a black hole: GRE, L3 VPN, MAN/WAN

•  Dynamic routing protocol or HSRP at the firewall when more than one edge router is used

•  eBGP multi-hop to the core through the firewall; increase metrics so that the DCI link is not preferred

Figure: two edge routers in AS 64498 peering with ISP A (AS 65535) and ISP B (AS 65534) toward the Internet; EIGRP 10 inside, with subnets X, Y, Z on one side and A, B, C on the other

Page 234: IPv6 workshop-tm-0x1f

•  Small to medium enterprise

•  NPTv6 (RFC 6296) rewrites the leftmost (prefix) bits of the address; inside and outside prefixes must be of equal length

•  Needs address-selection changes, via the RFC 6724 policy table (API) or the RFC 7078 DHCPv6 option, so that hosts with a site-scoped ULA will use it to connect to GUA destinations

•  No protocol "fixups" unless ALGs are supported

•  "IETF does not recommend NAT technology for IPv6"

Figure: inside prefix fd07:18:403e::/48 translated to 2001:db8:11::/48 toward ISP-A and to 2001:db8:55::/48 toward ISP-B
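The checksum-neutral rewrite that makes NPTv6 transparent to TCP and UDP, as an added example and not the workshop's code: the subnet word (bits 48-63) absorbs the one's-complement difference between the two prefixes, so the pseudo-header checksum is unchanged and the translator never touches the transport header. The prefixes are the ones in the figure above; restricting the example to /16, /32 and /48 prefixes is this example's simplification, and writing 0x0000 for a 0xFFFF result relies on the two being equal in one's-complement arithmetic.

```python
import ipaddress


def _words(addr):
    """An IPv6 address as eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def _ones_sum(words):
    """One's-complement sum with end-around carry (the arithmetic of IP checksums)."""
    total = 0
    for w in words:
        total += w
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _prefix_words(prefix):
    """The prefix as whole 16-bit words (example assumption: /16, /32 or /48 only)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 16 or net.prefixlen > 48:
        raise ValueError("this example supports /16, /32 and /48 prefixes")
    return _words(net.network_address)[: net.prefixlen // 16], net


def nptv6_adjustment(src_prefix, dst_prefix):
    """RFC 6296 section 3.4: one's-complement difference between the two prefixes."""
    src_words, src = _prefix_words(src_prefix)
    dst_words, dst = _prefix_words(dst_prefix)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("NPTv6 requires inside and outside prefixes of equal length")
    # a - b in one's complement is a + (~b)
    return _ones_sum([_ones_sum(src_words), ~_ones_sum(dst_words) & 0xFFFF])


def nptv6_translate(addr, src_prefix, dst_prefix):
    """Rewrite addr from src_prefix to dst_prefix and fold the difference into
    word 3 (bits 48-63, the subnet ID) so any checksum over the address is unchanged.
    Call it with (inside, outside) for egress and (outside, inside) for ingress."""
    words = _words(addr)
    src_words, _ = _prefix_words(src_prefix)
    dst_words, _ = _prefix_words(dst_prefix)
    if words[: len(src_words)] != src_words:
        raise ValueError(f"{addr} is not inside {src_prefix}")
    words[: len(dst_words)] = dst_words
    adjusted = _ones_sum([words[3], nptv6_adjustment(src_prefix, dst_prefix)])
    words[3] = 0 if adjusted == 0xFFFF else adjusted    # 0xFFFF and 0 are the same value
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def checksum_neutral(a, b):
    """True if the two addresses contribute the same value to a pseudo-header checksum."""
    return _ones_sum(_words(a)) % 0xFFFF == _ones_sum(_words(b)) % 0xFFFF


if __name__ == "__main__":
    inside, isp_a, isp_b = "fd07:18:403e::/48", "2001:db8:11::/48", "2001:db8:55::/48"
    host = "fd07:18:403e:1::10"
    for outside in (isp_a, isp_b):
        out = nptv6_translate(host, inside, outside)
        back = nptv6_translate(out, outside, inside)
        print(f"{host} -> {out} -> {back}  neutral={checksum_neutral(host, out)}")
```

The price of checksum neutrality is that the subnet ID seen on the outside is not the one used inside (subnet 1 leaves as subnet f95 toward ISP-A), so firewall rules and logs on the two sides of the translator must be written in their own address space; the translation is algorithmic and stateless, which is also why it gives no protection that an ACL does not already give.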

Page 235: IPv6 workshop-tm-0x1f

•  Small to medium enterprise

•  Tunneling the PA IPv6 prefix over LISP: provider-allocated /48 hosted by the PxTR provider

•  Avoids multi-prefix PA issues

•  Works even with an ISP that is IPv4 only

•  Alternatives such as SHIM6, HIP and ILNP need OS modifications and code changes

Figure: dual-stack Internet with two MR/MS + PxTR providers; the enterprise xTRs on 192.168.1.x/30 and 2001:db8:cafe:103::/64 carry 2001:db8:cafe::/48; client 172.16.99.100 on 2001:db8:ea5e:1::/64

Page 236: IPv6 workshop-tm-0x1f

•  Challenges arise: upstream address filters, asymmetric routing, default gateway and next-hop selection, provider-allocated space, primary provider and ASP stream, SOHO tunneling and VPN

•  Medium to large enterprise: provider-independent space, BGP

Figure: ISP-A and ASP-B

Page 237: IPv6 workshop-tm-0x1f

•  Potential DoS with poor IPv6 stack implementations
•  PadN in Destination Options as a covert channel: RFC 2460 requires the PadN data to be zero (0x00), and alignment never needs more than 5 bytes of it
•  IPv6 inspection: only known EHs, strict order, granular filtering
•  What constitutes an acceptable EH maximum?

Figure (packet decode): a perfectly valid IPv6 packet according to the sniffer, yet the Routing Header is out of order (the Destination Options header should be last), a header that should only appear once appears again, and the Destination Options header, which should occur at most twice, repeats
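A strict extension-header walk of the kind these bullets call for, as an added example (not the workshop's code): it reports Hop-by-Hop not first, headers repeated beyond the RFC 2460 limits, headers outside the recommended order, Routing Header type 0, PadN carrying non-zero bytes, and chains that run off the end of the packet. The packets are constructed inline with documentation addresses; the builders, the finding codes and the treatment of ESP as opaque are this example's own.

```python
import struct

IPV6_HDR_LEN = 40
HBH, TCP, UDP, RH, FRAG, ESP, AH, ICMPV6, NONEXT, DSTOPT = 0, 6, 17, 43, 44, 50, 51, 58, 59, 60
UPPER_LAYER = {TCP, UDP, ICMPV6, NONEXT}
# RFC 2460 section 4.1 recommended order; Destination Options may appear twice
# (before a Routing Header and again before the upper-layer header)
RECOMMENDED_ORDER = [HBH, DSTOPT, RH, FRAG, AH, ESP, DSTOPT]
MAX_OCCURRENCES = {HBH: 1, DSTOPT: 2, RH: 1, FRAG: 1, AH: 1, ESP: 1}


def _check_options(data, findings):
    """Walk the TLV options of a Hop-by-Hop or Destination Options header."""
    i = 0
    while i < len(data):
        opt_type = data[i]
        if opt_type == 0:                          # Pad1: a single zero byte, no length
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            findings.append("option-truncated")
            return
        opt_len, body = data[i + 1], data[i + 2:i + 2 + data[i + 1]]
        if opt_type == 1:                          # PadN: RFC 2460 says the data MUST be zero
            if any(body):
                findings.append("padn-nonzero")    # the classic covert channel
            if opt_len > 5:                        # 8-octet alignment never needs more
                findings.append("padn-oversized")
        i += 2 + opt_len


def audit_chain(pkt):
    """Walk the extension header chain of a raw IPv6 packet.

    Returns (chain, findings): chain lists the extension header numbers in the
    order seen, findings lists short codes a strict inspection policy would drop on."""
    findings = []
    if len(pkt) < IPV6_HDR_LEN or pkt[0] >> 4 != 6:
        return [], ["not-ipv6"]
    nh, off, chain, seen, cursor = pkt[6], IPV6_HDR_LEN, [], {}, 0
    while nh not in UPPER_LAYER:
        if nh not in MAX_OCCURRENCES:              # neither a known EH nor an upper layer
            findings.append(f"unknown-next-header:{nh}")
            break
        chain.append(nh)
        seen[nh] = seen.get(nh, 0) + 1
        if seen[nh] > MAX_OCCURRENCES[nh]:
            findings.append(f"too-many:{nh}")
        if nh == HBH and off != IPV6_HDR_LEN:
            findings.append("hbh-not-first")
        try:                                       # each header must sit at or after the cursor
            cursor = RECOMMENDED_ORDER.index(nh, cursor) + 1
        except ValueError:
            findings.append(f"out-of-order:{nh}")
        if nh == ESP:                              # everything after ESP is opaque to us
            break
        if off + 2 > len(pkt):
            findings.append("truncated")
            break
        next_nh = pkt[off]
        if nh == FRAG:
            hlen = 8
        elif nh == AH:
            hlen = (pkt[off + 1] + 2) * 4          # AH length is in 32-bit words minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8          # others are in 8-octet units minus 1
        if off + hlen > len(pkt):
            findings.append("truncated")
            break
        if nh in (HBH, DSTOPT):
            _check_options(pkt[off + 2:off + hlen], findings)
        elif nh == RH and pkt[off + 2] == 0:
            findings.append("rh0")                 # deprecated by RFC 5095
        nh, off = next_nh, off + hlen
    return chain, findings


# Constructed packets below, documentation addresses 2001:db8::1 -> 2001:db8::2
def ipv6_packet(first_nh, payload):
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64) + src + dst + payload


def options_header(next_nh, options=b""):
    """HBH or Destination Options header, padded to a multiple of 8 bytes with Pad1/PadN."""
    pad = (-(2 + len(options))) % 8
    if pad == 1:
        options += b"\x00"
    elif pad > 1:
        options += bytes([1, pad - 2]) + b"\x00" * (pad - 2)
    return bytes([next_nh, (2 + len(options)) // 8 - 1]) + options


def routing_header(next_nh, rtype, segments_left=1):
    """Routing header carrying one 16-byte address (24 bytes, so Hdr Ext Len = 2)."""
    return bytes([next_nh, 2, rtype, segments_left]) + b"\x00" * 4 + b"\x00" * 16


TCP_STUB = b"\x00" * 20
GOOD = ipv6_packet(HBH, options_header(DSTOPT) + options_header(RH) + routing_header(TCP, 2) + TCP_STUB)
# RH0 between two Destination Options, PadN carrying "hi", and a Hop-by-Hop that is not first
BAD = ipv6_packet(DSTOPT, options_header(RH, bytes([1, 2, 0x68, 0x69])) + routing_header(HBH, 0)
                  + options_header(UDP) + b"\x00" * 8)
THREE_DSTOPT = ipv6_packet(DSTOPT, options_header(DSTOPT) + options_header(DSTOPT) + options_header(TCP) + TCP_STUB)
```

This is the logic an "only known EHs, strict order" policy encodes; the one policy decision the code leaves open is what to do after ESP, since nothing past it can be inspected and a filter must either trust the IPsec peer or drop.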

Page 238: IPv6 workshop-tm-0x1f

•  Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt

•  Anti-spoofing (RFC 2827, BCP 38); multi-homed filtering (RFC 3704, BCP 84)

•  uRPF – Unicast Reverse Path Forwarding

Figure: Enterprise edge toward the Internet and a B2B partner

Page 239: IPv6 workshop-tm-0x1f

•  Address range: a source of 2000::/3 at minimum rather than "any"; permit assigned space

•  ICMPv6: let error types through and NDP to the device, per RFC 4890

•  Extension headers: allow fragmentation, others as needed; block HBH and RH type 0

•  IPv6 ACLs: "ipv6 traffic-filter" applies an ACL to an interface

permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any log

(The two ND permits are needed explicitly: an IOS IPv6 ACL ends with implicit permits for nd-na and nd-ns, but an explicit "deny ipv6 any any" placed before them overrides them and breaks neighbor discovery on the interface.)

Page 240: IPv6 workshop-tm-0x1f

Page 241: IPv6 workshop-tm-0x1f

•  Anycast address for client access to DHCP/DNS
•  Uses the same address in multiple locations
•  Simple, scalable and reliable solution
•  Global Unicast Address (GUA) for service uptime
•  DNS server injects a /128 via OSPF

Figure: DDI1, DDI2, DDI3 and DDI4 all answer on the anycast address 2001:db8:aa::21; the client picks DNS1, the closest metric (2001:db8:aa:: at cost 10 versus cost 20 and cost 30); Command & Control reaches each DDI server by its own GUA

Page 242: IPv6 workshop-tm-0x1f

•  Address planning

•  Introduction of extended IP services: DHCPv6, DNSv6, IPAM

•  Managing security infrastructures: firewall, IDS, AAA

•  Instrumentation: NetFlow, IP SLA, SNMP MIBs, CLI

•  Dual-stack interfaces and reporting: MRTG reporting combining v4 and v6 traffic statistics

•  Troubleshooting: IPv4-IPv6 interaction

•  Requires support in instrumentation (MIBs, NetFlow records, etc.) and in NMS tools and systems

Page 243: IPv6 workshop-tm-0x1f

policy-map COPP
 class FRAGMENTS
  drop
 class ICMPv6
  police 500000
   conform-action transmit
   exceed-action drop
   violate-action drop
!
control-plane
 service-policy input COPP

(The class-maps FRAGMENTS and ICMPv6 are defined elsewhere and not shown.)

•  Separation of data and control planes
•  Data sent to the "fast" path, switched in hardware (ASICs)
•  Control done in software on general processors
•  Drop fragments
•  Rate limit ICMPv6 (NDP)
•  Permit network operations: SNMP, SSH, NTP, RADIUS, etc., and routing protocols

Page 244: IPv6 workshop-tm-0x1f

•  Simplify operations: stop probing the wrong path with "ping"; trace the live traffic and detect the flaky link; debug ECMP networks

•  Enhance applications: always-on application visibility; the charge level of battery-operated devices (sensors) is included in the data traffic, so there is no need to drain the battery for OAM

•  Enhance visibility: derive the IPv6 traffic matrix, optimize planning, delay trend analysis

A trip-recorder for your traffic, inline at rate performance; uses the iOAM extension header

Figure: routers R1, R2, R3, R4, R5 and R6 along the traced path

Page 245: IPv6 workshop-tm-0x1f

Figure (packet capture): A record, AAAA record, ARP request, RA, DHCP reply, DNS reply

Page 246: IPv6 workshop-tm-0x1f

Mobile test tools: IPv6 toolkit, HE.net, Netalyzr, LanDroid, Netstat

Page 247: IPv6 workshop-tm-0x1f

Page 248: IPv6 workshop-tm-0x1f

•  Address spoofing (-> uRPF, ACLs) [IOS, ASA]

•  Neighbor Discovery attacks (NS, NA, RS, RA, Redirect, ...) (-> First Hop Security: RA Guard, ND Inspection, SeND, ACLs, IPv6 inspects) [Catalyst, ASA]

•  Routing Header (RH0) source-routing-like attacks (-> "no ipv6 source-route", needed before 12.4(15)T; blocked on ASA by default) [IOS, ASA]

•  Extension header (e.g. fragmentation) games (-> ACLs, e.g. "deny ipv6 any any undetermined-transport") [IOS, ASA, Catalyst]

•  DHCP attacks (-> DHCP authentication, PACL) [IOS, ASA, Catalyst]

•  Transition technology (6to4, Teredo, ISATAP, etc.) attacks (-> ACLs, disabled on the device, enable native IPv6) [IOS, ASA, IPS]

•  Smurf attack (-> uRPF) [IOS, ASA]

•  Routing protocol attacks (-> authentication) [IOS, ASA]

•  ... and more. To be continued... have fun defending them.

Page 249: IPv6 workshop-tm-0x1f

Page 250: IPv6 workshop-tm-0x1f

A Phased-Plan Approach for Successful IPv6 Adoption

IPv6 Assessment Service •  Determine how your network needs to change to support your IPv6 strategy

IPv6 Discovery Service •  Guidance in the early stages of considering a transition to IPv6

IPv6 Planning and Design Service •  Designs, transition strategy, and support to enable a smooth migration

IPv6 Implementation Service •  Validation testing and implementation consulting services

Network Optimization Service •  Absorb, manage, and scale IPv6 in your environment

Page 251: IPv6 workshop-tm-0x1f

•  Gain operational experience now

•  IPv6 is already here and running well

•  Control IPv6 traffic as you would IPv4

•  "Poke" your providers

•  Lead your OT/LOBs onto the Internet

Page 252: IPv6 workshop-tm-0x1f