Internet2 IPv6 Workshop Location Date


Internet2 IPv6 Workshop
Engineering Workshops

Acknowledgements

Larry Blunk, Joe Breen, Grover Browning, Bill Cerveny, Bruce Curtis, Dale Finkelson, Michael Lambert, Richard Machida, Bill Manning, Bill Owens, Rick Summerhill, Brent Sweeny

IPv6 Addressing

Overview of Addressing

- Historical aspects
- What are the types of IPv6 addresses?
- How are IPv6 addresses used?
- Internet2 recommendations for IPv6 addressing.

Historical Aspects of IPv6

- IPv4 address space not big enough
  - Can't get needed addresses (particularly outside the Americas)
  - Routing table issues
  - Resort to private (RFC 1918) addresses
- Competing plans to address the problem
  - Some 64-bit, some 128-bit
- Current scheme unveiled at the Toronto IETF (July 1994)

IPv4 address space not big enough

- This led to the development of NAT.
- Increased use of NAT has had an effect on the uses the Internet may be put to.
- The loss of transparency has an effect on management and use of the Internet.
- The use of NAT will lead to an increased bifurcation of the Internet: application rich vs. application poor.
- Affects our ability to manage and diagnose the network.

Types of IPv6 Addresses

Like IPv4:

- Unicast: An identifier for a single interface. A packet sent to a unicast address is delivered to the interface identified by that address.
- Multicast: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address.
- Anycast: An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the "nearest" one, according to the routing protocols' measure of distance).

Specified in the v6 address architecture, RFC 4291.

What is not in IPv6

- Broadcast: There is no broadcast in IPv6. This functionality is taken over by multicast.

How are IPv6 addresses used?

- Generally they are thought of as having two distinct components:
  - 64-bit field designated as the network portion.
  - 64-bit field designated as the host portion.

Host portion

- Generally called Interface Identifiers
- The host portion/interface id is guaranteed unique on the subnet
  - Though it could be re-used on the same interface
- Essentially these are the same as EUI-64 addresses
  - See Appendix A of RFC 4291
- These may be used with all forms of unicast addressing.

Interface Identifiers

- EUI-64 from MAC addresses: 00-02-2d-02-82-34 becomes 0202:2dff:fe02:8234
- The rules are:
  - Insert fffe after the first 3 octets
  - Last 3 octets remain the same
  - Place a 1 in the 7th leftmost bit (the universal/local bit); a 1 in that place indicates the MAC address is unique.

Interface Identifiers

- Privacy addresses: Some concern was expressed about having one's MAC address be public (it is a hardware identifier, and persistent)
- The response was to standardize privacy addresses (RFC 3041).
  - These use random 64-bit numbers instead of EUI-64.
  - May change for different connections
  - On by default in Windows; off by default in Linux (net.ipv6.conf.all.use_tempaddr), OS X and BSD (net.inet6.ip6.use_tempaddr)
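The EUI-64 rules above, worked in code. This is an added example, not part of the workshop material; it applies the RFC 4291 Appendix A procedure (the universal/local bit is inverted, which for a universally administered MAC yields the 1 the slide describes), builds the resulting link-local address, and recovers the MAC from an EUI-64-derived address to show why privacy addresses were introduced. The MAC is the slide's own sample; the 2001:db8 prefix is a constructed test value.

```python
# Added example (not from the workshop slides): modified EUI-64 interface
# identifiers per RFC 4291 Appendix A. Sample MAC 00-02-2d-02-82-34 is the
# one used on the slide; everything else here is constructed.
import ipaddress
import re


def mac_to_bytes(mac):
    """Accept 00-02-2d-02-82-34, 00:02:2d:02:82:34 or 0002.2d02.8234."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def eui64_interface_id(mac):
    """Return the 64-bit interface identifier as four colon-separated groups."""
    b = mac_to_bytes(mac)
    # Rule 1: insert ff:fe between the OUI (first 3 octets) and the last 3 octets.
    iid = bytearray(b[:3] + b"\xff\xfe" + b[3:])
    # Rule 2: invert the universal/local bit (7th bit from the left, 0x02 of
    # the first octet). A universally administered MAC has it clear, so the
    # EUI-64 ends up with a 1 there, as the slide describes.
    iid[0] ^= 0x02
    return ":".join(f"{iid[i]:02x}{iid[i + 1]:02x}" for i in range(0, 8, 2))


def link_local_from_mac(mac):
    """Link-local address = fe80::/64 + EUI-64 interface identifier."""
    return ipaddress.IPv6Address("fe80::" + eui64_interface_id(mac))


def is_eui64_derived(address):
    """Heuristic: does the interface identifier carry the ff:fe marker of an
    EUI-64 (MAC-derived, non-privacy) address?"""
    raw = ipaddress.IPv6Address(address).packed
    return raw[11:13] == b"\xff\xfe"


def mac_from_eui64_address(address):
    """Recover the MAC from an EUI-64-derived address: the hardware identifier
    is visible to every peer, which is the concern privacy addresses answer."""
    iid = bytearray(ipaddress.IPv6Address(address).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not EUI-64 derived")
    iid[0] ^= 0x02  # undo the universal/local bit inversion
    return "-".join(f"{x:02x}" for x in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00-02-2d-02-82-34"
    print(mac, "->", eui64_interface_id(mac), "->", link_local_from_mac(mac))
```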

Interface Identifiers

- IPv6 addresses of all types are assigned to interfaces, not nodes.
- An IPv6 unicast address refers to a single interface.
- Since each interface belongs to a single node, any of that node's interfaces' unicast addresses may be used as an identifier for the node.

Interface Identifiers

A host is required to recognize the following addresses as identifying itself:

- A link-local address for each interface
- Any assigned unicast and anycast addresses
- Loopback address
- All-nodes multicast addresses
- Solicited-node multicast address for each of its unicast and anycast addresses
- Multicast addresses of all other groups to which the node belongs

Interface Identifiers

A router is required to recognize:

- All addresses it must recognize as a host, plus
- The subnet-router anycast addresses for the interfaces it is configured to act as a router on
- All other anycast addresses with which the router has been configured
- All-routers multicast addresses

Representation of Addresses

- All addresses are 128 bits
- Write as a sequence of eight groups of four hex digits (16 bits each) separated by colons
  - E.g. 3ffe:3700:0200:00ff:0000:0000:0000:0001
- More on this later.

Types of Unicast Addresses

- Unspecified address
  - All zeros (::)
  - Used as source address during initialization
  - Also used in representing default
- Loopback address
  - Low-order one bit (::1)
  - Same as 127.0.0.1 in IPv4

Types of Unicast Addresses

- Link-local address
  - Unique on a subnet
  - Auto configured
  - High-order: FE80::/10
  - Low-order: interface identifier
  - Routers must not forward any packets with link-local source or destination addresses.

Types of Unicast Addresses

- Unique local addresses
  - RFC 4193, replacing site-local addresses, which were deprecated in RFC 3879
  - The structure is: fdUU:UUUU:UUUU::
  - Here fdUU:UUUU:UUUU stands for a network id that is globally unique but used locally. These are /48s.
  - Not everyone thinks ULAs are a great idea: www.nanog.org/mtg-0706/Presentations/ulananog.pdf

Types of Unicast Addresses

- Other address types have been proposed for transition purposes. We will not be using or discussing these.
- You should be aware of addresses like 2002:815d:f407::815d:f407
  - Used for 6to4 tunneling
  - These are configured on any XP machine.
  - General structure is: 2002:::

Address Deployment

- There have been many discussions of how to make use of the immense IPv6 address space. Suggestions included:
  - Provider-Independent (PI)
  - Provider-Assigned (PA)
  - Geographical
- PA addressing was specified in the RFCs. In this case it is important to understand the difference between allocation and assignment.
- PI is being used by default. Issues around multi-homing initially drove this.
- Registries are providing address space. Either /48s or /32s.

Types of Unicast Addresses

- Aggregatable global unicast address space
  - Used in production IPv6 networks
  - This is where your address space will come from
  - From the range 2000::/3
  - Some examples are 2001:468 (Internet2) and 2607:f320 (University of Nebraska)

Internet Registry Hierarchy

- Regional IR - designated by IANA (ARIN, RIPE, APNIC, AfriNIC, LACNIC)
- Local IR - ISP, or other network provider
- RIR -> LIR, LIR -> customer (or smaller provider)

  ARIN       2001:0400::/23
  Abilene    2001:0468::/32
  NYSERNet   2001:0468:0900::/40
  Columbia   2001:0468:0904::/48

Anycast Address

- Interfaces (I > 1) can have the same address.
- The low-order bits (typically 64 or more) are zero.
- A packet sent to that address will be delivered to the topologically-closest instance of the set of hosts having that address.
- Examples:
  - subnet-router anycast address (RFC 4291)
  - reserved subnet anycast address (RFC 2526)
  - 6to4 relay anycast address (RFC 3068)

Multicast Address

- From FF00::/8
- Format: 1111 1111 | flgs (4) | scope (4) | group id (112)
- Flags: 000t
  - t=0 means this is a well-known address
  - t=1 means this is a transitory address
- Low-order 112 bits are group identifier, not interface identifier
- Scope and Flags are independent of each other
  - Well-known and local is different from well-known and global

Obtaining Addresses

- If you are a gigaPoP or a direct connect, send a note to the Internet2 NOC with a request. This will set the wheels in motion.
- If you connect to a gigaPoP you should obtain your address block from that gigaPoP; talk to them first.
- Remember the minimum you should receive is a /48. More is OK if you can negotiate for a larger block.
- You could also go directly to ARIN. In that case look to get a /32.

Allocation Schemes

CIDR representation and IPv6 allocations

IPv4 Subnet Masking

- Originally the network size was based on the first few bits (classful addressing)
- Getting rid of address classes was painful! (routing protocols, stacks, applications)
- Modern IPv4 allows subnet boundaries anywhere within the address (classless addressing)
- But decimal addresses still make figuring out subnets unnecessarily difficult...

CIDR: Classless Interdomain Routing

In IPv4 you frequently see representations like:

  129.93.0.0/16
  129.93.0.0 255.255.0.0
  10.4.5.0/30

This notation should be familiar to everyone.

Reasons for CIDR

- To try to preserve the address space.
- To control the growth of the routing table.

IPv6 Notation

In IPv6 every address is written:

  IPv6 address / prefix length

For example:

  2001:0468::/35
  2001:0468::/32

At the bit level:

  0010 0000 0000 0001: 0000 0100 0110 1000::/35
  0010 0000 0000 0001: 0000 0100 0110 1000::/32

But these look the same except for the prefix length.

Representation of Addresses

- All addresses are 128 bits
- Write as a sequence of eight groups of four hex digits (16 bits each) separated by colons
- Leading zeros in a group may be omitted
- A contiguous run of all-zero groups may be replaced by ::
  - Only one such run can be replaced

Examples of Writing Addresses

Consider 3ffe:3700:0200:00ff:0000:0000:0000:0001

This can be written as 3ffe:3700:200:ff:0:0:0:1 or 3ffe:3700:200:ff::1. Both reduction methods are used here.

Examples of Writing Addresses

Now why do

  2001:0468::/35
  2001:0468::/32

or

  0010 0000 0000 0001: 0000 0100 0110 1000::/35
  0010 0000 0000 0001: 0000 0100 0110 1000::/32

look the same? It is really just a representation issue. 2001:0468::/35 is really

  0010 0000 0000 0001 : 0000 0100 0110 1000 : 000

but to represent the last three 0s we would really need to write 2001:468:0000::/35, because we have to use groups of 4 hex digits, and we can in fact eliminate 0s with ::.

Why Allocation?

- If we were doing provider based addressing:
  - To try to control the growth of the routing table in the default-free zone.
  - It is a necessary consequence of using a provider-based aggregatable address scheme.
  - It makes the address space more manageable.
- Assuming Provider Independent models are used, allocation is still needed. It's really just subnet assignment.

Allocation Example

We wish to allocate /48s out of the /35. Which are available:

  2001:0468:0000 through 2001:0468:1fff

Recall that the bit structure is:

  0010 0000 0000 0001: 0000 0100 0110 1000: 000 | 0:0000:0000:0000
  0010 0000 0000 0001: 0000 0100 0110 1000: 000 | 1:1111:1111:1111

So there are 8192 /48s in a /35.

How would allocations work?

Suppose you wish to give out /40s in the /35.

  2001:0468:000 | 0 0000 |   or 2001:0468::/40
  2001:0468:000 | 1 1111 |   or 2001:0468:1f00::/40

Thus there are 32 /40s in the /35 (5 bits worth).

If we now did /48s out of the /40s:

  2001:468:1f | 0000 0000   or 2001:468:1f00::/48
  2001:468:1f | 1111 1111   or 2001:468:1fff::/48

There are 256 /48s in each /40 (8 bits worth).
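The representation rules and the allocation arithmetic of the preceding slides, as an added example that is not part of the workshop material. It uses Python's standard ipaddress module to expand and compress addresses, to print the bit-level view that separates 2001:0468::/35 from 2001:0468::/32, and to count and enumerate /40, /41, /42 and /48 blocks inside the workshop's 2001:468::/35; the allocation_plan helper is a deliberately simple fixed-boundary carve-out for mixed sizes, not RFC 3531's method, and the block sizes passed to it are constructed.

```python
# Added example (not from the workshop slides): IPv6 representation and
# prefix allocation arithmetic with the standard ipaddress module.
import ipaddress


def representations(address):
    """(full eight-group form, shortest form) of an address."""
    addr = ipaddress.IPv6Address(address)
    return addr.exploded, addr.compressed


def prefix_bits(network, groups=3):
    """First `groups` 16-bit groups in binary, nibbles spaced, groups separated
    by ':' and a '|' after the prefix length, as on the slides."""
    net = ipaddress.IPv6Network(network)
    bits = format(int(net.network_address), "0128b")[:groups * 16]
    marked = bits[:net.prefixlen] + "|" + bits[net.prefixlen:]
    out, seen = [], 0
    for ch in marked:
        if ch in "01":
            if seen and seen % 16 == 0:
                out.append(":")
            elif seen and seen % 4 == 0:
                out.append(" ")
            seen += 1
        out.append(ch)
    return "".join(out)


def subdivide(block, new_prefix):
    """(count, first, last) of the /new_prefix networks inside block."""
    net = ipaddress.IPv6Network(block)
    if new_prefix < net.prefixlen:
        raise ValueError("new prefix must be at least as long as the block's")
    count = 1 << (new_prefix - net.prefixlen)
    first = next(net.subnets(new_prefix=new_prefix))
    size = 1 << (128 - new_prefix)
    last = ipaddress.IPv6Network((int(net.network_address) + (count - 1) * size, new_prefix))
    return count, str(first), str(last)


def allocation_plan(block, sizes):
    """Carve child blocks of the given prefix lengths out of block, largest
    first, each aligned to its own boundary (a simple fixed-boundary plan
    for mixed sizes, not RFC 3531). Returns the networks in order."""
    net = ipaddress.IPv6Network(block)
    cursor, end = int(net.network_address), int(net.broadcast_address) + 1
    plan = []
    for plen in sorted(sizes):
        size = 1 << (128 - plen)
        cursor = -(-cursor // size) * size  # align up to the child's boundary
        if cursor + size > end:
            raise ValueError(f"no room for a /{plen} in {block}")
        plan.append(str(ipaddress.IPv6Network((cursor, plen))))
        cursor += size
    return plan


if __name__ == "__main__":
    print(representations("3ffe:3700:0200:00ff:0000:0000:0000:0001"))
    print(prefix_bits("2001:468::/35"))
    print(prefix_bits("2001:468::/32"))
    for plen in (40, 41, 42, 48):
        print(plen, subdivide("2001:468::/35", plen))
    print(allocation_plan("2001:468::/35", [40, 42, 42, 40]))  # constructed sizes
```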

How would allocations work?

The same idea holds for /41s or /42s.

  2001:0468:000 | 0:0000:0 |   or 2001:0468::/41
  2001:0468:000 | 1:1111:1 |   or 2001:0468:1f80::/41

  2001:0468:000 | 0:0000:00    or 2001:0468::/42
  2001:0468:000 | 1:1111:11    or 2001:0468:1fc0::/42

Mixed Allocations

- The interesting case is how to handle mixed allocations. Some sites need a /40, others a /42. How can you handle this case?
- See RFC 3531 (Marc Blanchet), "A flexible method for managing the assignment of bits of an IPv6 address block". A perl script is included.
- http://www.ipv6book.ca/allocation.html has a working implementation of his method.

Allocation Lab

You have available a /32, say 2001:db8::/32. Design an addressing/allocation plan for the following environment:

- A campus with 200+ access closets in 150 buildings.
- Each closet is connected back to a layer 3 core.
- Multiple closets in one building are connected to each other.
- There is a separate logical infrastructure for phones.

Router Configuration

Cisco Router Configuration

- Rule #1: What would v4 do?
- Enable routing: ipv6 unicast-routing
- Configure interfaces: ipv6 address
- Configure routing protocols

Cisco Configs: LAN Interface

  interface Ethernet0/0
   ip address 192.168.1.254 255.255.255.0
   ipv6 address 2001:468:123:1::2/64

Cisco Configs: Tunnel Interface

  interface Tunnel1
   description IPv6 to Abilene
   no ip address
   no ip redirects
   no ip proxy-arp
   ipv6 address 3FFE:3700:FF:105::2/64
   tunnel source ATM2/0.1
   tunnel destination 192.168.193.14
   tunnel mode gre

Cisco Configs

- IGP: OSPFv3, IS-IS, EIGRPv6
- Static: ipv6 route

Cisco Configs

  router bgp
   address-family ipv6 unicast
   address-family ipv4 unicast
   address-family ipv4 multicast

Cisco Configs: BGP

Added to your existing IPv4 BGP config:

  router bgp 64555
   bgp router-id 192.168.2.1
   neighbor 2001:468:1::2 remote-as 11537

- router-id is only a 32-bit number, not an IPv4 address
- only has to be unique within the AS

Cisco Configs: BGP continued...

   address-family ipv6 unicast
    neighbor 2001:468:2::1 activate
    neighbor 2001:468:2::1 soft-reconfiguration in
    neighbor 2001:468:2::1 prefix-list to-Abilene-v6 out
    network 2001:468:4ff::/48
   exit-address-family

Cisco Configs: BGP continued...

  ipv6 route 2001:468:4ff::/48 Null0
  !
  ipv6 prefix-list to-Abilene-v6 seq 10 permit 2001:468:4ff::/48

Cisco Configs: OSPF interface config

  ! For each internal (intra-pod) interface - including
  ! loopback0
  interface FastEthernet0/0
   ipv6 ospf <process> area 0

process is an arbitrary number; it must be consistent on the router but can be different between routers.

OSPF router config

  ipv6 router ospf <process>
   ! For any external (inter-pod) interfaces
   passive-interface

Cisco Configs: Securing Console Access

  ipv6 access-list V6VTY
   permit 2001:468:4ff::/48 any
   . . .
  !

  line vty 0 4
   ipv6 access-class V6VTY in

JunOS config editor commands for Cisco users

- "set" command to enter configuration, e.g. set protocol bgp local-as 65500
- "edit" command to change config context. In Junos, the prompt is your context:

  [edit]% edit protocol bgp
  [edit protocol bgp]%

- "delete" command to remove lines
- "run" command to execute show commands while in configuration mode
- "commit" command to save and execute changes
- "commit check" verifies config

Juniper Router Configuration

- Rule #1: What would v4 do?
- Enable routing: already there...
- Configure interfaces: family inet6 address
- Configure routing protocols and RIBs

Juniper Configs: Interface (physical)

  interfaces {
      fe-0/1/0 {
          unit 0 {
              family inet6 {
                  address 2001:468:123::1/64;
              }
          }
      }
  }

Juniper Configs: Interface (tunnel)

  interfaces {
      gr-0/3/0 {
          unit 0 {
              tunnel {
                  source 192.168.2.2;
                  destination 192.168.45.2;
              }
              family inet6 {
                  mtu 1514; /* note Cisco vs. Juniper */
                  address 2001:468:123::1/64;
              }
          }
      }
  }

Juniper Configs: Router Advertisement (not enabled by default)

  protocols {
      router-advertisement {
          interface fe-0/3/0.0 {
              prefix 2001:468:123::/64;
          }
      }
  }

Juniper Configs: Static Routing in routing-options

  rib inet6.0 {
      static {
          route 2001:468::/32 {
              reject;
              install;
              readvertise;
          }
      }
  }
  router-id 192.168.2.1;

Juniper Configs: OSPFv3 in protocols

  protocols {
      ospf3 {
          area 0.0.0.0 {
              interface fe-0/0/1.0;
              interface lo0.0;
          }
      }
  }

Juniper Configs: BGP

  protocols {
      bgp {
          group Abilene-v6 {
              type external;
              family inet6 {
                  unicast;
              }
              export to-Abilene-v6;
              peer-as 11537;
              neighbor 2001:468:555:200::6;
          }
      }
  }

Juniper Configs: BGP continued...

  policy-options {
      policy-statement to-Abilene-v6 {
          term accept-aggregate {
              from {
                  route-filter 2001:468:4ff::/48 exact;
              }
              then accept;
          }
          term reject {
              then reject;
          }
      }
  }

Cisco Show Commands

  show bgp
  show bgp summary
  show bgp ipv6 unicast neighbor routes
  show bgp ipv6 unicast neighbor advertised
  show ipv6 route
  show ipv6 interface
  show ipv6 neighbors

Juniper Show Commands

  show bgp summary
  show route advert bgp
  show route rece bgp
  show route table inet6.0 (terse)
  show interfaces
  show ipv6 neighbors

Lab: Router Interface Setup

- Work with your fellow attendees to identify how your network block will be broken up within the lab network.
- Assign IPv6 addresses for the point-to-point links in the pod.
- Confirm that opposite ends of all links are reachable.

IGP

OSPF for IPv6: it is pretty much your father's OSPF!

OSPF for IPv6

- Published as RFC 2740 (80 pages!)
- Protocol version 3
- Link-state IGP (additive interface costs)
- Same basic structure as OSPF for IPv4
- IPv4/IPv6 OSPF run as ships in the night
- Assumption: Most campuses run OSPF as their IGP (familiarity)

Changes from OSPF for IPv4

- Protocol processing per-link, not per-subnet
  - Interfaces connect to links
  - Nodes without common subnet can talk over link
- Removal of addressing semantics
  - IP addresses only in payloads
  - 32-bit router ID
  - Protocol-independent core

Changes from OSPF for IPv4

- Addition of flooding scope
  - Link-local
  - Area
  - AS
- Support for multiple instances per link
  - Sort of like VLAN tagging but for OSPF
  - E.g., OSPF on shared DMZ

Changes from OSPF for IPv4

- Use of link-local addresses
  - Used for next hop
  - Link-local destination not forwarded
- Authentication changes
  - Remove authentication-related fields
  - Rely on AH, ESP
  - Use normal IP checksum

Changes from OSPF for IPv4

- Packet format changes
  - R-bit, V6-bit
- LSA format changes
  - Handling unknown LSA types
- Stub area support
- Identifying neighbors by router ID

Cisco Interface Config

  interface Vlan257
   ip address 128.254.1.12 255.255.255.0
   load-interval 30
   ipv6 address 2001:FFE8:1:1::C/64
   ipv6 enable
   ipv6 ospf network broadcast
   ipv6 ospf 1 area 0.0.0.0

Cisco Routing Config

  ipv6 router ospf 1
   log-adjacency-changes
   passive-interface default
   no passive-interface Vlan58
   no passive-interface Vlan257
   no passive-interface Vlan61
   no passive-interface Vlan62
   no passive-interface Vlan60
   no passive-interface Vlan63
   no passive-interface Vlan948
   redistribute connected metric-type 1

Cisco Commands

  cepheus#show ipv6 ospf neighbor
  Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
  128.254.1.17      1   FULL/BDR        00:00:33    7               Vlan257
  128.254.1.18      1   FULL/DROTHER    00:00:31    7               Vlan257

Cisco Commands

  cepheus#show ipv6 ospf database
              OSPFv3 Router with ID (128.254.58.2) (Process ID 1)

                  Router Link States (Area 0.0.0.0)
  ADV Router       Age         Seq#        Fragment ID  Link count  Bits
  128.254.1.17     1136        0x800007A9  0            1           E
  128.254.1.18     1121        0x800007A7  0            1           E
  128.254.58.2     138         0x8000054F  0            1           E

                  Net Link States (Area 0.0.0.0)
  ADV Router       Age         Seq#        Link ID    Rtr count
  128.254.58.2     138         0x8000053C  231        3

                  Link (Type-8) Link States (Area 0.0.0.0)
  ADV Router       Age         Seq#        Link ID    Interface
  128.254.1.17     1236        0x800007A2  7          Vl257

Juniper Routing Config

  protocols {
      ospf3 {
          area 0 {
              interface interface-name;
          }
      }
  }

Juniper Commands

  show ospf3 neighbor
  show ospf3 database

OSPF Lab

- Configure routing and interface addresses
- Bring up OSPFv3 on the internal campus pod networks
- Verify that the interface routes are propagated as expected
- Originate and redistribute a default route from router C
- Verify that the internal routers are seeing the proper default route

Things to watch for in the BGP lab

- You have to be able to reach the peer's address for BGP to come up: static, OSPF, connected.
- Your source-address needs to be the same as the one they're trying to reach (and vice-versa).
- Remember that you have to have your /48 in your IGP.
  - IOS: network statement and static-route-to-Null, or aggregate-address ... summary-only
  - JunOS: routing-options static
- Advertise your upstream's originating address into your IGP for your downstreams to be able to reach it, or set nexthop-self.
- iBGP members don't send iBGP-learned prefixes to other iBGP peers: they expect a full mesh. So, you should iBGP among all of A, B, and C.
- Best practice is to send only your aggregated prefix upstream.

BGP Lab

- Configure iBGP peerings between routers A, B and C, using loopback addresses
- Configure eBGP between pods, using interface addresses agreed to between each pair of pods
- Advertise your aggregate to the other pods
- Verify intra-pod and inter-pod connectivity with ping and traceroute
  - Can you see the other pods' BGP advertisements?
- Configure eBGP between router A and the external connection to the twenty-first router
- Verify receipt of BGP routes from the outside
- Verify external connectivity with ping6 and traceroute6 to ipv6.google.com
- Connect to http://www.kame.net and see the swimming turtle!

Configuring eBGP between router A and the external connection to the twenty-first router

- On the Juniper set fe-0/0/3 with the address in the pod diagram (2001:468:1100:z::1)
- Create an eBGP peer to AS 65500; the neighbor is 2001:468:1100:z::2
- Create appropriate prefix filters (advertise your /48 only to the external uplink, readvertise your neighbors to your other neighbors)

IPv6 Under the Hood

Basic Headers

(figure: IPv6 header beside IPv4 header)

Basic Headers: Fields

- Version (4 bits): only field to keep the same position and name
- Class (8 bits): was Type of Service (TOS), renamed
- Flow Label (20 bits): new field
- Payload Length (16 bits): length of data, slightly different from total length
- Next Header (8 bits): type of the next header, new idea
- Hop Limit (8 bits): was time-to-live, renamed
- Source address (128 bits)
- Destination address (128 bits)

Basic Headers: Simplifications

- Fixed length of all fields, not like old options field
  - IHL, or header length, irrelevant
- Remove Header Checksum
  - rely on checksums at other layers
- No hop-by-hop fragmentation
  - fragment offset irrelevant
  - MTU discovery
- Add extension headers
  - next header type (sort of a protocol type, or replacement for options)
- Basic principle: Routers along the way should do minimal processing

Extension Headers

Extension Header Types:

- Routing Header
- Fragmentation Header
- Hop-by-Hop Options Header
- Destination Options Header
- Authentication Header
- Encrypted Security Payload Header

Extension Headers: Routing Header

- General Routing Header
- Routing Header Type 0 (RH0) deprecated by RFC 5095

Extension Headers: Fragmentation Header

- I thought we don't fragment?
- Can fragment at the sending host
  - Path MTU discovery
  - Insert fragment headers

Extension Headers: Options headers in general

- The usual next header and length
- Any options that might be defined

Extension Headers: Destination Options Header

- Act: the action to take if the option is unknown
  - 00 Skip over
  - 01 Discard, no ICMP report
  - 10 Discard, send ICMP report even if multicast
  - 11 Discard, send ICMP report only if unicast
- C: can change in route
- Number is the option number itself

Extension Headers: Hop-by-Hop Extension Header

- The usual format of an options header
- An example is the jumbo packet
  - Payload length encoded
  - Can't be less than 65,535
  - Can't be used with fragmentation header

Extension Headers: Extension Header Order

- Hop-by-Hop Options Header
- Destination Options Header (1)
- Routing Header
- Fragment Header
- Authentication Header
- Destination Options Header (2)
- Upper Layer Header, e.g. TCP, UDP

How do we know whether or not we have an upper layer header, or an extension header? Both are combined into header types.
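The header chain of the preceding slides, as an added example that is not part of the workshop material: it walks a raw IPv6 packet's next-header chain, lists the extension headers found, checks them against the recommended order, and classifies unknown options by their "act" bits. The protocol numbers are the IANA values (0, 43, 44, 51, 59, 60, 6, 17); the sample packet, its 2001:db8 addresses and the option type 0x81 are constructed for the demonstration.

```python
# Added example (not from the workshop slides): walk an IPv6 packet's
# next-header chain and classify unknown Hop-by-Hop/Destination options.
import ipaddress
import struct

# IANA protocol numbers for the headers the slides name.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, NO_NEXT_HEADER, DEST_OPTS = 0, 43, 44, 51, 59, 60
TCP, UDP = 6, 17
EXTENSION_HEADERS = {
    HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing", FRAGMENT: "Fragment",
    AH: "Authentication", DEST_OPTS: "Destination Options",
}
# Recommended order from the slide (Destination Options may appear twice).
RECOMMENDED_ORDER = [HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, DEST_OPTS]
# Top two "act" bits of an option type, for a node that does not know the option.
UNKNOWN_OPTION_ACTION = {
    0b00: "skip over",
    0b01: "discard, no ICMP report",
    0b10: "discard, send ICMP report even if multicast",
    0b11: "discard, send ICMP report only if unicast",
}


def unknown_option_action(opt_type):
    return UNKNOWN_OPTION_ACTION[opt_type >> 6]


def parse_options(data):
    """TLV options of an options header; Pad1 (type 0) and PadN (type 1) skipped."""
    opts, i = [], 0
    while i < len(data):
        if data[i] == 0:  # Pad1 has no length byte
            i += 1
            continue
        opt_type, length = data[i], data[i + 1]
        if opt_type != 1:
            opts.append((opt_type, bytes(data[i + 2:i + 2 + length])))
        i += 2 + length
    return opts


def walk_headers(packet):
    """Return (extension headers in order, upper-layer protocol or None,
    offset of the upper-layer header, [(header, option type, action)])."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain, options = packet[6], 40, [], []
    while next_hdr in EXTENSION_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        chain.append(next_hdr)
        if next_hdr == FRAGMENT:
            hdr_len = 8  # fixed size
        elif next_hdr == AH:
            hdr_len = (packet[offset + 1] + 2) * 4  # length in 32-bit words, minus 2
        else:
            hdr_len = (packet[offset + 1] + 1) * 8  # 8-octet units, first unit excluded
            if next_hdr in (HOP_BY_HOP, DEST_OPTS):
                for opt_type, _ in parse_options(packet[offset + 2:offset + hdr_len]):
                    options.append((next_hdr, opt_type, unknown_option_action(opt_type)))
        next_hdr = packet[offset]
        offset += hdr_len
    upper = None if next_hdr == NO_NEXT_HEADER else next_hdr
    return chain, upper, offset, options


def follows_recommended_order(chain):
    """True when the chain is a subsequence of RECOMMENDED_ORDER."""
    pos = 0
    for hdr in chain:
        while pos < len(RECOMMENDED_ORDER) and RECOMMENDED_ORDER[pos] != hdr:
            pos += 1
        if pos == len(RECOMMENDED_ORDER):
            return False
        pos += 1
    return True


def options_header(next_hdr, options=b""):
    """Build a Hop-by-Hop/Destination Options header padded to 8 octets."""
    pad = (-(2 + len(options))) % 8
    if pad == 1:
        options += b"\x00"
    elif pad > 1:
        options += bytes([1, pad - 2]) + b"\x00" * (pad - 2)
    return bytes([next_hdr, (2 + len(options)) // 8 - 1]) + options


def ipv6_packet(next_hdr, payload, src="2001:db8::1", dst="2001:db8::2"):
    """Base header: version 6, zero class/flow, hop limit 64 (constructed)."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


# Constructed sample: Hop-by-Hop (unknown option 0x81, act bits 10) ->
# Fragment -> Destination Options -> UDP.
SAMPLE_PAYLOAD = (
    options_header(FRAGMENT, bytes([0x81, 2, 0xAB, 0xCD]))
    + struct.pack("!BBHI", DEST_OPTS, 0, 0, 0x1234)  # fragment header
    + options_header(UDP)
    + struct.pack("!HHHH", 1234, 5353, 8, 0)  # empty UDP datagram
)
SAMPLE_PACKET = ipv6_packet(HOP_BY_HOP, SAMPLE_PAYLOAD)
```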

Header Types

- Look in packet for next header
  - Can be an extension header
  - Can be something like ICMP, TCP, UDP, or other normal types

Header Types

  Decimal  Keyword   Header Type
  0        -         Reserved (IPv4)
  0        HBH       Hop-By-Hop options (IPv6)
  1        ICMP      Internet Control Message (IPv4)
  2        IGMP      Internet Group Management (IPv4)
  2        ICMP      Internet Control Message (IPv6)
  3        GGP       Gateway-to-Gateway Protocol
  4        IP        IP in IP (IPv4 encapsulation)
  5        ST        Stream
  6        TCP       Transmission Control
  ---      ---       ---------------------------------------
  17       UDP       User Datagram
  ---      ---       ---------------------------------------
  29       ISO-TP4   ISO Transport Protocol Class
  ---      ---       ---------------------------------------
  43       RH        Routing Header (IPv6)
  44       FH        Fragmentation Header (IPv6)
  45       IDRP      Inter-domain Routing Protocol
  ---      ---       ---------------------------------------
  51       AH        Authentication Header
  52       ESP       Encrypted Security Payload
  ---      ---       ---------------------------------------
  59       NULL      No next header (IPv6)
  ---      ---       ---------------------------------------
  80       ISO       ISO Internet Protocol (CLNP)
  ---      ---       ---------------------------------------
  88       IGRP      IGRP
  89       OSPF      OSPF
  ---      ---       ---------------------------------------
  255      -         Reserved

ICMP

- Completely changed; note the new header type
- Now includes IGMP
- Types organized as follows:

  1 - 4      Error messages
  128 - 129  Ping
  130 - 132  Group membership
  133 - 137  Neighbor discovery

General format: (figure)

ICMP

  Type  Description
  1     Destination Unreachable
  2     Packet Too Big
  3     Time Exceeded
  4     Parameter Problem
  128   Echo Request
  129   Echo Reply
  130   Group Membership Query
  131   Group Membership Report
  132   Group Membership Reduction
  133   Router Solicitation
  134   Router Advertisement
  135   Neighbor Solicitation
  136   Neighbor Advertisement
  137   Redirect

ICMP Error messages (Types 1 - 4), some examples:

- Destination unreachable
  - Code 0: No route to destination
  - Code 1: Can't get to destination for administrative reasons
  - Code 2: Beyond scope of source address
  - Code 3: Address unreachable
  - Code 4: Port unreachable
  - Code 5: Source address failed ingress/egress policy
  - Code 6: Reject route to destination
- Packet too big
  - Code 0; the parameter is set to the MTU of the next hop
  - Allows for MTU determination

General format: (figure)

ICMP Ping

- Similar to IPv4
- Echo request, set code to 0
- Echo reply sent back
- General format: (figure)

Multicast

- Multicast (and Anycast) built in from the beginning
- Scope more well-defined
  - 4-bit integer
  - Doesn't influence well-defined groups

  Value   Scope
  0       Reserved
  1       Node Local
  2       Link Local
  5       Site Local
  8       Organization Local
  E       Global
  F       Reserved
  Others  Unassigned

Multicast: A Few Well-Defined Groups

- Note all begin with ff, the multicast addresses
- Much of IGMP is from IPv4, but is in ICMP now

  Address  Group
  FF02::0  Reserved
  FF02::1  All Nodes Address
  FF02::2  All Routers Address
  FF02::4  DVMRP Routers
  FF02::5  OSPF
  FF02::6  OSPF Designated Routers
  FF02::9  RIP Routers
  FF02::D  All PIM Routers
  etc.

Summary: Changes from IPv4 to IPv6

- Expanded addressing capabilities
- Header format simplification
- Improved support for extensions and options
- Flow labeling capability
- Authentication and privacy capabilities
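The multicast address layout from the Multicast Address slide (flags, scope, 112-bit group ID) and the scope and well-known-group tables above, as an added example that is not part of the workshop material. It decodes a multicast address into those fields and also builds the solicited-node multicast address (ff02::1:ff00:0/104 plus the low 24 bits of a unicast address) that every node must recognize for each of its unicast addresses; the unicast addresses in the tests are constructed.

```python
# Added example (not from the workshop slides): decode IPv6 multicast
# addresses and derive solicited-node groups.
import ipaddress

SCOPES = {0x0: "Reserved", 0x1: "Node Local", 0x2: "Link Local", 0x5: "Site Local",
          0x8: "Organization Local", 0xE: "Global", 0xF: "Reserved"}
# Well-known link-local groups from the slide, keyed by group ID.
WELL_KNOWN_LINK_LOCAL = {0x0: "Reserved", 0x1: "All Nodes Address", 0x2: "All Routers Address",
                         0x4: "DVMRP Routers", 0x5: "OSPF", 0x6: "OSPF Designated Routers",
                         0x9: "RIP Routers", 0xD: "All PIM Routers"}
GROUP_MASK = (1 << 112) - 1
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def decode_multicast(address):
    """Split 1111 1111 | flgs (4) | scope (4) | group id (112) into fields."""
    addr = ipaddress.IPv6Address(address)
    if not addr.is_multicast:  # first octet must be 0xff
        raise ValueError(f"{address} is not a multicast address")
    raw = int(addr)
    flags = (raw >> 116) & 0xF   # bits 8-11: 000t
    scope = (raw >> 112) & 0xF   # bits 12-15
    group = raw & GROUP_MASK     # low 112 bits: group ID, not an interface ID
    well_known = None
    if flags == 0 and scope == 0x2:  # t=0 and link-local, as in the slide's table
        well_known = WELL_KNOWN_LINK_LOCAL.get(group)
    return {
        "flags": flags,
        "transient": bool(flags & 0x1),  # t=1 transitory, t=0 well-known
        "scope": scope,
        "scope_name": SCOPES.get(scope, "Unassigned"),
        "group_id": group,
        "well_known": well_known,
        "solicited_node": (raw >> 24) == (SOLICITED_NODE_BASE >> 24),
    }


def solicited_node(unicast):
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


if __name__ == "__main__":
    for a in ("ff02::1", "ff02::5", "ff15::abcd", solicited_node("2001:db8::202:2dff:fe02:8234")):
        print(a, decode_multicast(a))
```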

Neighbor Solicitation

This protocol solves a set of problems related to the interaction between nodes attached to the same link. It defines mechanisms for solving each of the following problems...

Problems Solved by Neighbor Solicitation

- Router Discovery: How hosts locate routers that reside on an attached link.
- Prefix Discovery: How hosts discover the set of address prefixes that define which destinations are on-link for an attached link. (Nodes use prefixes to distinguish destinations that reside on-link from those only reachable through a router.)
- Parameter Discovery: How a node learns such link parameters as the link MTU or such Internet parameters as the hop limit value to place in outgoing packets.

Problems Solved by Neighbor Solicitation

- Address Autoconfiguration: How nodes automatically configure an address for an interface.
- Address resolution: How nodes determine the link-layer address of an on-link destination (e.g., a neighbor) given only the destination's IP address.
- Next-hop determination: The algorithm for mapping an IP destination address into the IP address of the neighbor to which traffic for the destination should be sent. The next hop can be a router or the destination itself.

Problems Solved by Neighbor Solicitation

- Neighbor unreachability detection (NUD): How nodes determine that a neighbor is no longer reachable. For neighbors used as routers, alternate default routers can be tried. For both routers and hosts, address resolution can be performed again.
- Duplicate address detection (DAD): How a node determines that an address it wishes to use is not already in use by another node.
- Redirect: How a router informs a host of a better first-hop node to reach a particular destination.

ICMP Packet Types

Neighbor discovery defines five different ICMP packet types: a pair of router solicitation and router advertisement messages, a pair of neighbor solicitation and neighbor advertisement messages, and a redirect message. The messages serve the following purposes...

ICMP Packet Types

- Router solicitation: When an interface becomes enabled, hosts may send out router solicitations that request routers to generate router advertisements immediately rather than at their next scheduled time.
- Router advertisement (RA): Routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router solicitation message. Router advertisements contain prefixes that are used for on-link determination and/or address configuration, a suggested hop limit value, etc.

ICMP Packet Types

- Neighbor solicitation: Sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address. Neighbor solicitations are also used for duplicate address detection.
- Neighbor advertisement: A response to a neighbor solicitation message. A node may also send unsolicited neighbor advertisements to announce a link-layer address change.
- Redirect: Used by routers to inform hosts of a better first hop for a destination.

Stateless Address Autoconfiguration

Why does this matter?

- Manual configuration of individual machines before connecting them to the network should not be required.
- Address autoconfiguration assumes that each interface can provide a unique identifier for that interface (i.e., an "interface token")
- Plug-and-play communication is achieved through the use of link-local addresses
- Small sites should not need stateful servers
- A large site with multiple networks and routers should not require the presence of a stateful address configuration server.
- Address configuration should facilitate the graceful renumbering of a site's machines

Stateless Autoconfiguration

- Generate a link local address
- Verify this tentative address is OK.
  - Use a neighbor solicitation with the tentative address as the target. (ICMP type 135)
  - If the address is in use a neighbor advertisement message will be returned. (ICMP type 136)
  - If no response, assign the address to the interface. At this point the node can communicate on-link.
  - Fail and go to manual configuration or choose a different interface token.

Stateless Autoconfiguration

- Assign address to interface.
- Node joins the All Routers multicast group, FF02::2
- Sends out a router solicitation message to that group. (ICMP type 133)
- Router responds with a router advertisement. (ICMP type 134)

Stateless Autoconfiguration

- Look at the "managed address configuration" flag
  - If M = 0 proceed with stateless configuration
  - If M = 1 stop and do stateful config
- Look at the "other stateful configuration" flag
  - If O = 1 use stateful configuration for other information
  - If O = 0 finish

Router Solicitation
  Type = 133 | Code = 0 | Checksum
  Reserved
  Possible option: Source Link-Layer Address

Router Advertisement
  Type = 134 | Code = 0 | Checksum
  Cur. Hop Limit | M | O | Reserved | Router Lifetime
  Reachable Time
  Retransmission Timer
  Possible options: Source Link-Layer Address, MTU, Prefix Information

Neighbor Solicitation
  Type = 135 | Code = 0 | Checksum
  Reserved
  Target Address
  Possible option: Source Link-Layer Address

Neighbor Advertisement
  Type = 136 | Code = 0 | Checksum
  R | S | O | Reserved
  Target Address
  Possible option: Target Link-Layer Address (the advertiser's own link-layer address for the target)

Prefix Information Option
  Type | Length | Prefix Length | L | A | Reserved
  Valid Lifetime
  Preferred Lifetime
  Reserved
  Prefix

Router Advertisement Options: Prefix Information
- This should include all prefixes the router wants hosts on the link to know about.
- Flag bits:
  - On-link (L) = 1: addresses within the prefix are on-link, i.e. reachable directly without going through a router.
  - Autonomous configuration (A) = 1: hosts may use the prefix to create an address by stateless autoconfiguration.
- Valid and preferred lifetime values in router advertisements can be used for address renumbering.
- Valid Lifetime: 32-bit unsigned integer. The length of time in seconds before an address formed from the prefix is invalidated. An invalid address must not be used at all.
- Preferred Lifetime: 32-bit unsigned integer. The length of time in seconds before an address is deprecated. During an address's preferred life, new connections can be opened at will. Once it is deprecated but still valid, existing connections can continue to use it, but new connections should not be opened from it.

Stateless Autoconfig
- Routers are to send out router advertisements at regular intervals to the all-nodes address (FF02::1). This refreshes the lifetimes.
- Note that stateless autoconfiguration will only configure addresses. It will not do all the host configuration you may want to do (DNS servers, domain name, etc.).

RFC 4862 defines IPv6 Stateless Address Autoconfiguration.

Stateful Configuration
- When you do not wish to have stateless configuration done, you will need to provide a configuration server (DHCPv6, most likely) to provide configuration information to the hosts as they come up.
- RFC 3315 defines DHCPv6, updated by RFC 4361.
- Dibbler DHCPv6 implementation: http://sourceforge.net/projects/dibbler
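The RA format, the M/O flags, the prefix option lifetimes and the SLAAC steps above, as an added example written for this page (it is not part of the workshop material): it builds a Router Advertisement carrying a Prefix Information option, checksums it the way a receiving host verifies it, decodes it back, applies the deck's M/O decision, and derives the link-local and global addresses a host with a given MAC would form by modified EUI-64. The router source fe80::1, the prefix 2001:db8:1::/64 and the MAC addresses are constructed; only the Python standard library is used.

```python
"""Build and decode ICMPv6 Router Advertisements (RFC 4861) and derive the
addresses a host forms from them by stateless autoconfiguration (RFC 4862).
Example code written for this page; not part of the workshop material."""
import ipaddress
import struct

ICMPV6_RA = 134
OPT_SRC_LLADDR = 1      # Source Link-Layer Address option
OPT_PREFIX_INFO = 3     # Prefix Information option
OPT_MTU = 5             # MTU option
ALL_NODES = ipaddress.IPv6Address("ff02::1")


def icmpv6_checksum(src, dst, msg):
    """RFC 4443 checksum: one's-complement sum over the IPv6 pseudo-header
    (source, destination, upper-layer length, next header 58) and the message."""
    data = src.packed + dst.packed + struct.pack("!I3xB", len(msg), 58) + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src, prefix, valid, preferred, managed=False, other=False,
             hop_limit=64, router_lifetime=1800, onlink=True, autonomous=True,
             lladdr=None):
    """RA with one Prefix Information option (plus an optional source
    link-layer address option), checksummed as if sent from src to ff02::1."""
    src = ipaddress.IPv6Address(src)
    prefix = ipaddress.IPv6Network(prefix)
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    # Type, Code, Checksum (0 for now), Cur Hop Limit, M/O flags,
    # Router Lifetime, Reachable Time, Retrans Timer (0 = unspecified).
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, hop_limit, flags,
                      router_lifetime, 0, 0)
    pflags = (0x80 if onlink else 0) | (0x40 if autonomous else 0)
    opts = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, prefix.prefixlen, pflags,
                       valid, preferred, 0, prefix.network_address.packed)
    if lladdr is not None:
        opts += struct.pack("!BB6s", OPT_SRC_LLADDR, 1,
                            bytes.fromhex(lladdr.replace(":", "")))
    msg = hdr + opts
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, ALL_NODES, msg)) + msg[4:]


def parse_ra(src, msg, dst=ALL_NODES):
    """Validate and decode an RA; raises ValueError for anything a host must drop."""
    src = ipaddress.IPv6Address(src)
    if len(msg) < 16 or msg[0] != ICMPV6_RA or msg[1] != 0:
        raise ValueError("not a Router Advertisement")
    if not src.is_link_local:
        raise ValueError("RA source must be link-local (RFC 4861 6.1.2)")
    zeroed = msg[:2] + b"\x00\x00" + msg[4:]
    if icmpv6_checksum(src, dst, zeroed) != struct.unpack("!H", msg[2:4])[0]:
        raise ValueError("bad ICMPv6 checksum")
    hop, flags, rlife, reach, retrans = struct.unpack("!BBHII", msg[4:16])
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": rlife, "reachable_time": reach, "retrans_timer": retrans,
          "prefixes": [], "lladdr": None, "mtu": None}
    off = 16
    while off < len(msg):
        if off + 2 > len(msg) or msg[off + 1] == 0:
            raise ValueError("malformed ND option")       # zero length: must drop
        otype, olen = msg[off], msg[off + 1]
        body = msg[off + 2:off + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("ND option runs past end of message")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, pref, _res, raw = struct.unpack("!BBIII16s", body)
            if pref <= valid:       # RFC 4862 5.5.3: preferred > valid -> ignore option
                ra["prefixes"].append({
                    "prefix": str(ipaddress.IPv6Network((raw, plen), strict=False)),
                    "onlink": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                    "valid": valid, "preferred": pref})
        elif otype == OPT_SRC_LLADDR and olen == 1:
            ra["lladdr"] = ":".join("%02x" % b for b in body[:6])
        elif otype == OPT_MTU and olen == 1:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        off += olen * 8
    return ra


def host_plan(ra):
    """The deck's M/O decision: M=1 -> DHCPv6 for addresses; otherwise SLAAC,
    plus DHCPv6 for other information (DNS etc.) when O=1."""
    if ra["managed"]:
        return "dhcpv6-addresses"
    return "slaac+dhcpv6-other" if ra["other"] else "slaac-only"


def eui64_token(mac):
    """Modified EUI-64 interface identifier: flip the U/L bit, insert ff:fe."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def link_local_address(mac):
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_token(mac)))


def slaac_address(prefix, mac):
    """Global address from an A=1 /64 prefix and the interface token."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC requires a 64-bit prefix (RFC 4862 5.5.3)")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_token(mac)))


def normalize(addr):
    """Canonical text form, for comparing addresses written differently."""
    return str(ipaddress.IPv6Address(addr))
```

The checksum covers the IPv6 pseudo-header, so an RA is only verifiable together with the addresses it was sent between; that is also why a host must reject RAs whose source is not link-local before trusting anything in them.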

Cisco SLAAC/ND Options (interface subcommands under "ipv6 nd")
  advertisement-interval   Send an advertisement interval option in RAs
  dad                      Duplicate Address Detection
  managed-config-flag      Hosts should use DHCP for address configuration
  ns-interval              Set advertised NS retransmission interval
  other-config-flag        Hosts should use DHCP for non-address configuration
  prefix                   Configure IPv6 routing prefix advertisement
  ra-interval              Set IPv6 Router Advertisement interval
  ra-lifetime              Set IPv6 Router Advertisement lifetime
  reachable-time           Set advertised reachability time
  suppress-ra              Suppress IPv6 Router Advertisements

Address Configuration Lab
1. Disable IPv6 on router D interface FastEthernet 1/0 (remove the ipv6 address line).
2. Start Wireshark running on the computer.
3. Disconnect and reconnect the Ethernet cable between computer and switch.
4. Observe the neighbor discovery and attempted address configuration packets.
5. Log in to router D and restore IPv6 on the interface:
     interface f1/0
      ipv6 address 2001:468:0c0d:xxxx::/64
6. Disconnect and reconnect the Ethernet cable, and observe the address autoconfiguration process.
7. Verify the address with ifconfig.

DHCP Lite
Used in combination with stateless address configuration to provide other information (DNS resolver, domain suffix):

  ipv6 dhcp pool v6lite
   dns-server 2001:4::1
   domain-name example.com
  !
  interface FastEthernet0/1
   ipv6 address 2001:4:1::1/64
   ipv6 nd other-config-flag
   ipv6 dhcp server v6lite

Cisco DHCPv6 Configuration
  r5(config)#ipv6 dhcp ?
    database  Configure IPv6 DHCP database agents
    pool      Configure IPv6 DHCP pool

  r5(config-subif)#ipv6 dhcp ?
    client  Act as an IPv6 DHCP client
    relay   Act as an IPv6 DHCP relay agent
    server  Act as an IPv6 DHCP server

  r5(config)#ipv6 dhcp pool v6-test
  r5(config-dhcp)#?
  IPv6 DHCP configuration commands:
    default            Set a command to its defaults
    dns-server         DNS servers
    domain-name        Domain name to complete unqualified host names
    exit               Exit from DHCPv6 configuration mode
    no                 Negate a command or set its defaults
    prefix-delegation  IPv6 prefix delegation
    sip                SIP Servers options

Cisco DHCPv6 Snippets
  ipv6 dhcp pool v6-eeee
   dns-server 2001:DB8:AAAA::3
   domain-name tb.foo.net
  [snip]
  interface GigabitEthernet0/1.19
  [snip]
   ipv6 address 2001:DB8:EEEE::1/64
   ipv6 nd ra-interval 60
   ipv6 nd ra-lifetime 600
   ipv6 nd other-config-flag
   ipv6 dhcp server v6-eeee

DHCPv6 Clients
- Windows Vista: built into the OS
- Windows XP: Dibbler
- Linux: Dibbler, ISC DHCPv6
- *BSD: ISC DHCPv6
- Solaris: ISC DHCPv6
- MacOS X: none

Lab - DHCPv6
(This lab assumes the computer has a DHCPv6 client installed on it.)
1. Set the neighbor discovery "other-config" option on the router interface attached to the LAN switch, with the interface command:
     ipv6 nd other-config-flag
2. Configure DHCPv6 options for the DNS server and DNS domain on the same router as the LAN switch, with something similar to:
     ipv6 dhcp pool lab-dhcpv6
      dns-server
      domain-name v6lab.maxgigapop.net
3. Refer to the above DHCPv6 configuration with the interface command:
     ipv6 dhcp server lab-dhcpv6
4. While running Wireshark, disconnect and reconnect the Ethernet cable for the computer. (This can also be observed from the router with the appropriate debug commands.)
5. Check the computer's domain name and DNS server list to confirm that DHCPv6 worked.

DNS

DNS Issues
- BIND versions: all modern versions of BIND support AAAA records; BIND 9 can use IPv6 transport for queries.
- An IPv6 root test project is underway; see www.rs.net for details.
- ip6.int vs. ip6.arpa: ip6.arpa is in the root servers; ip6.int has been deprecated and dropped.
- Some registrars and registries are now supporting IPv6 addresses (glue) for NS records.

Basic Ideas
- DNS in IPv6 is much like DNS in IPv4.
- It is impossible to remember IPv6 addresses; DNS is the only way to remain sane.
- Keep files and delegations as simple as possible.
- Can use IPv4 or IPv6 as transport for DNS traffic. Modern versions of BIND will work; BIND 9 is stable and works with IPv6 transport.
- There is work on dynamic DNS in progress, but we don't need to worry about that for now.

Forward Lookups
- Uses AAAA records to assign IPv6 addresses to names.
- Multiple addresses are possible for any given name, for example in a multihomed situation.
- Can assign A records and AAAA records to a given name/domain. Can also assign separate domains for IPv6 and IPv4.
- Don't be afraid to experiment!

Sample Forward Lookup File
  ;; domain.edu (use your favorite naming scheme)
  $TTL 86400
  @   IN SOA ns1.domain.edu. root.domain.edu. (
          2002093000  ; serial - YYYYMMDDXX
          21600       ; refresh - 6 hours
          1200        ; retry - 20 minutes
          3600000     ; expire - long time
          86400 )     ; minimum TTL - 24 hours
  ;; Nameservers
      IN NS ns1.domain.edu.
      IN NS ns2.domain.edu.
  ;; Hosts with just A records
  host1   IN A    1.0.0.1
  ;; Hosts with both A and AAAA records
  host2   IN A    1.0.0.2
          IN AAAA 2001:468:100::2
  ;; Separate domain
  $ORIGIN ip6.domain.edu.
  host1   IN AAAA 2001:468:100::1

Reverse Lookups
- Reverses should be put in the ip6.arpa domain.
- The file uses nibble format: every hex digit of the fully expanded address, in reverse order, separated by dots. See the example on the next slide.

Sample Reverse Lookup File
  ;; 0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev (use your favorite naming scheme)
  ;; These are reverses for 2001:468:100::/64
  ;; File can be used for ip6.arpa
  $TTL 86400
  @   IN SOA ns1.domain.edu. root.domain.edu. (
          2002093000  ; serial - YYYYMMDDXX
          21600       ; refresh - 6 hours
          1200        ; retry - 20 minutes
          3600000     ; expire - long time
          86400 )     ; minimum TTL - 24 hours
  ;; Nameservers
      IN NS ns1.domain.edu.
      IN NS ns2.domain.edu.
  ; This is the reverse analog of the forward record
  ;   host1.ip6.domain.edu. IN AAAA 2001:468:100::1
  1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN PTR host1.ip6.domain.edu.
  2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN PTR host2.domain.edu.
  ;;
  ;; Can delegate to other nameservers in the usual way

Sample Configuration File
  // named.conf (use your favorite naming scheme)
  zone "domain.edu" {
      type master;
      file "master/domain.edu";
  };
  zone "0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.ip6.arpa" {
      type master;
      file "master/0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev";
  };
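The nibble-format reverse names and the forward/reverse pairing in the sample files above, as an added example written for this page (not from the deck): it derives ip6.arpa names and zone apexes, generates the PTR owner names relative to a /64 zone, refuses hosts that fall outside the zone, and, going beyond the slide's /64 case, lists the zones needed for a prefix that does not fall on a nibble boundary. The host list SAMPLE_HOSTS reuses the sample files' addresses and is constructed.

```python
"""Generate forward (AAAA) and reverse (ip6.arpa PTR) records the way the
sample zone files lay them out.  Example code written for this page; the
host list and names are constructed, not from the deck."""
import ipaddress

# Constructed sample data, matching the addresses in the sample zone files.
SAMPLE_HOSTS = {
    "host1.ip6.domain.edu.": "2001:468:100::1",
    "host2.domain.edu.": "2001:468:100::2",
}


def nibbles(address):
    """32 hex digits of the fully expanded address, most significant first."""
    return ipaddress.IPv6Address(address).exploded.replace(":", "")


def ip6_arpa_name(address):
    """Full reverse name for one address: nibbles reversed, dot-separated."""
    return ".".join(reversed(nibbles(address))) + ".ip6.arpa."


def ip6_arpa_zone(prefix):
    """Zone apex for a prefix; only defined on a 4-bit (nibble) boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("%s is not on a nibble boundary; use reverse_zones()" % net)
    n = net.prefixlen // 4
    return ".".join(reversed(nibbles(net.network_address)[:n])) + ".ip6.arpa."


def reverse_zones(prefix):
    """Zones needed to cover a prefix that is NOT on a nibble boundary, e.g. a
    /62 needs four /64 zones.  On a boundary this is just the one zone."""
    net = ipaddress.IPv6Network(prefix)
    upper = -(-net.prefixlen // 4) * 4           # next nibble boundary up
    return [ip6_arpa_zone(sub) for sub in net.subnets(new_prefix=upper)]


def ptr_records(zone_prefix, hosts):
    """(owner relative to the zone apex, target) pairs for hosts in zone_prefix."""
    net = ipaddress.IPv6Network(zone_prefix)
    apex_nibbles = net.prefixlen // 4
    out = []
    for name, addr in hosts.items():
        ip = ipaddress.IPv6Address(addr)
        if ip not in net:
            raise ValueError("%s (%s) is outside %s" % (name, addr, net))
        host_part = nibbles(ip)[apex_nibbles:]      # nibbles below the zone cut
        out.append((".".join(reversed(host_part)), name))
    return out


def aaaa_records(hosts):
    """Forward records, names fully qualified, addresses in canonical form."""
    return [(name, str(ipaddress.IPv6Address(addr))) for name, addr in hosts.items()]


def reverse_zone_text(zone_prefix, hosts):
    """Record lines for the reverse zone file (SOA and NS as on the slide)."""
    return "\n".join("%s IN PTR %s" % rec for rec in ptr_records(zone_prefix, hosts))
```

Generating both directions from one host table is the easiest way to keep forward and reverse in step; a PTR whose target has no matching AAAA is the usual sign that one side was edited by hand.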

DNS Notes
- BIND 8 can return a AAAA record using IPv4 transport. BIND 9 can use IPv6 transport.
- When the same name returns both an A and an AAAA record, the AAAA is preferred by the default address selection rules. At least one application, Safari, explicitly does not follow this behavior.

Lab - DNS IPv4/IPv6 Reachability
1. Start wireshark/tcpdump on your laptop computer.
2. Open a browser and attempt to access a destination/web page that has both A and AAAA DNS records (one such destination is ipv6.google.com).
3. Analyze the tcpdump/wireshark dump and identify how the browser and operating system behave in accessing the dual-stack host.
4. Restart wireshark/tcpdump.
5. Disable IPv6 on a network segment between your laptop and a dual-stack host with A and AAAA DNS records.
6. Open a browser and attempt to access the dual-stack host.
7. Analyze the tcpdump/wireshark dump and identify how the browser and operating system behave when the destination is unreachable via IPv6. Record and compare results with other operating systems and browsers.

Campus IPv6 Addressing, Software Versions, Topology Issues, DNS Support, Traffic

Campus Addressing
Sites that are allocated space from the Internet2 block will receive /48 assignments:
  Network address (48 bits) | subnet (16 bits) | EUI host address (64 bits)
16 bits are left for subnetting. What to do with them?

Campus Addressing
1. Sequentially, e.g. 0000, 0001, ... FFFF: 16 bits = 65536 subnets.
2. Following existing IPv4: subnets, or combinations of nets and subnets, or VLANs, etc., e.g.
     128.8.60.0/24   -> 003c
     128.8.91.0/24   -> 005b
     128.8.156.0/24  -> 009c
   But what about 156.56.60.0/24 vs. 129.79.60.0/24? Both have third octet 60 (0x3c), so the subnet ID has to combine the third octet with a per-network index, the second octet, or the first octet:
     013c or 383c or 9c3c   vs.   023c or 4f3c or 813c
3. Topological/aggregating, reflecting wiring plants, supernets, large broadcast domains, etc.:
     Main library      = 0010/60
     Floor in library  = 001a/64
     Computing center  = 0020/55
     Student servers   = 002c/64
     Medical school    = 00c0/50
     and so on...
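The second scheme above (subnet IDs derived from existing IPv4 subnets), as an added example written for this page, not from the deck: it tries the octet-based encodings the slide lists in turn, keeps the first one that produces no collisions across the whole subnet list, and falls back to the slide's sequential numbering when none does. The site prefix 2001:468:c0d::/48 and the IPv4 subnets are constructed to match the slide's numbers.

```python
"""Map existing IPv4 subnets onto the 16 subnet bits of a /48 and check the
mapping for collisions.  Example code written for this page; the site prefix
and IPv4 subnets are constructed to match the slide's numbers."""
import ipaddress

SITE = "2001:468:c0d::/48"          # constructed site /48
V4_SUBNETS = ["128.8.60.0/24", "128.8.91.0/24", "128.8.156.0/24"]

# Ways to squeeze an IPv4 subnet into 16 bits.  The first is the slide's
# "003c" style; the others disambiguate nets that share a third octet.
STYLES = {
    "third-octet": lambda o: o[2],
    "second-third": lambda o: (o[1] << 8) | o[2],
    "first-third": lambda o: (o[0] << 8) | o[2],
}


def ipv6_subnet(site, subnet_id):
    """The /64 formed by placing subnet_id into bits 48-63 of the site /48."""
    net = ipaddress.IPv6Network(site)
    if net.prefixlen != 48:
        raise ValueError("expected a /48 site prefix, got %s" % net)
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet id must fit in 16 bits")
    return str(ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64)))


def subnet_id(v4net, style):
    """16-bit subnet id for one IPv4 subnet under the given encoding style."""
    octets = ipaddress.IPv4Network(v4net).network_address.packed
    return STYLES[style](octets)


def plan(site, v4nets):
    """Try the styles in order; return the first collision-free mapping as
    (style, {ipv4 subnet: (hex id, ipv6 /64)})."""
    for style in STYLES:
        ids = {v4: subnet_id(v4, style) for v4 in v4nets}
        if len(set(ids.values())) == len(ids):
            return style, {v4: ("%04x" % sid, ipv6_subnet(site, sid))
                           for v4, sid in ids.items()}
    raise ValueError("no octet-based style is collision-free; number sequentially")


def sequential_plan(site, v4nets, start=1):
    """Fallback, the slide's option 1: hand out 0001, 0002, ... in order."""
    return {v4: ("%04x" % i, ipv6_subnet(site, i))
            for i, v4 in enumerate(v4nets, start)}
```

Whichever style is chosen, record it: the mapping only stays readable if every new IPv4 subnet is encoded the same way, and a later collision forces a style change that renumbers everything.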

New Things to Think About
- You can use all 0s and all 1s! (0000, ffff)
- You're not limited to 254 hosts per subnet!
- Switch-rich LANs allow for larger broadcast domains (with tiny collision domains), perhaps thousands of hosts per LAN.
- No secondary subnets (though more than one address per interface).
- No tiny subnets either (no /126, /127, /128): plan for what you need for backbone blocks, loopbacks, etc. (RFC 6164 has since permitted /127 on point-to-point router links; /64 remains the rule for host subnets.)
- Subnet anycast: Cisco supports it, Juniper doesn't.
- Every /64 subnet has far more than enough addresses to contain all of the computers on the planet, and with a /48 you have 65536 of those subnets. Use this power wisely!
- With so many subnets, your IGP may end up carrying thousands of routes: consider internal topology and aggregation to avoid future problems.
- Renumbering will likely be a fact of life. Although v6 may make it easier, it's still not pretty...
- Avoid using numeric addresses at all costs.
- Avoid hard-configured addresses on hosts, except for servers.
- Anticipate that changing ISPs will mean renumbering unless the site has a provider-independent address block.

Router Software Versions
- JUNOS 5.1 and up: line-rate v6 (watch for IPv6 support licensing issues).
- IOS: use Feature Navigator to find a version (generally an IP Plus release): http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
  - IOS 12.2T and 12.3(6a)(LD)
  - IOS 12.0(22)S6 and up, GSR only
  - 6500 with IOS 12.2(17a)SX
  - 7600 with SUP720 card, 12.2(17d)SXB

Routing Protocols
- iBGP and IGP (RIPng/IS-IS).
- IPv6 iBGP sessions in parallel with IPv4 (multiprotocol BGP, or MP-BGP).
- Static routing: all the obvious scaling problems, but works OK to get started, especially using a trunked v6 VLAN.
- OSPFv3 is available in IOS 12.3 and JUNOS. It runs in a ships-in-the-night mode relative to OSPFv2 for IPv4: neither knows about the other.
- For all-Cisco shops, EIGRP now supports IPv6.

DNS Issues (recap)
- All modern versions of BIND support AAAA records; BIND 9 can use IPv6 transport for queries.
- An IPv6 root test project is underway; see www.rs.net for details.
- ip6.int vs. ip6.arpa: ip6.arpa is in the roots.
- Some registrars and registries are now supporting IPv6 NS records.
- Management front-ends to BIND 9, or turnkey DNS servers, need to support AAAA records and IPv6 in general.

Future Needs
- Routers: more platform support, new features, speed, management, measurement.
- Servers: dual-stack, application support.
- Workstations: application support, address selection.
- Topology: multihoming.

Multihoming: A Discussion

Multihoming Issues
- Many sites are multihomed in the current Internet, for reliability, stability (which provider will stay in business?), competition, and AUP reasons (commodity vs. R&E).
- In IPv4 we can use provider-independent addresses, or poke holes in the aggregation.
- But IPv6 addresses are provider-assigned!

Multihoming
  ISP1 (UUNET)  2001:897::/32            ISP2 (Abilene)  2001:468::/32
         |                                      |
  2001:897:0456::/48                    2001:468:1210::/48
         \                                      /
                  University of Smallville

Problems With Multiple Addresses
- If the host or application chooses from several global addresses, that choice overrides policy, may conflict with routing intentions, and can break connectivity.
- Address selection rules are complex and controversial; see RFC 3484.
- Other informational RFCs: RFC 3582, RFC 4116, RFC 4218, RFC 4219.

Problems With PI Addressing
- Current protocols can only control routing table growth if routes are aggregated.
- Multihoming is becoming increasingly important to service providers and end-user organizations, and the number of multihomed sites is constantly increasing.
- The address space is so large that routing table growth could easily exceed the capability of the hardware and protocols.

What To Do?
- IPv6 can't be deployed on a large scale without multihoming support; nobody is disputing this.
- It seems likely that there will be short-term fixes to allow v6 deployment, and long-term solutions.
- IETF multi6 and shim6 working groups.
- Recent IAB workshop: http://www.1-4-5.net/~dmm/draft-iab-raws-report-00.txt
- Three mailing lists that are discussing IPv6 multihoming options:
    http://psg.com/lists/rrg
    https://www1.ietf.org/mailman/listinfo/ram
    https://www1.ietf.org/mailman/listinfo/architecture-discuss
- See also:
    http://www3.tools.ietf.org/group/irtf/trac/wiki/RoutingResearchGroup
    http://www.space.net/~gert/RIPE/ipv6-filters.html

Get PI Space
- The RIRs have revised their rules for allocating PI space; the key is that you must plan to assign 200 /48s within 2 years. This isn't as hard as it sounds, but it is probably something only gigaPoPs or large university systems can do (exercise in creativity).
- This breaks when commodity providers start offering IPv6 (unless the gigaPoP aggregates all the commodity providers as well as R&E).
- Also, ARIN has started providing /48s to end-user organizations, from 2620:0::/23; see http://www.arin.net/policy/nrpm.html#six58

Poke Holes
- The standard practice in IPv4 is to get addresses from one ISP and advertise that space to all of our providers, effectively making it a PI address.
- In the v6 world, most providers probably won't advertise a foreign prefix to their peers, but will carry it within their own network.
- Requires that one ISP be designated as the transit provider; the others are effectively peers.

Poke Holes
  ISP1 (Transit)  2001:897::/32          ISP2...N (Peers)  2001:468::/32
         |                                      |
  2001:897:0456::/48                    2001:897:0456::/48
         \                                      /
                  University of Smallville

Transition and Tunnels

Transition
There are really two types of cases that need to be addressed:
- Network layer: how can we get v6/v4 packets across v4/v6 networks?
- Host layer: how can a v6/v4 host access content on a v4/v6 host?

Network layer transition
- Tunnels
- Dual stack

Tunnels
- Information from one protocol is encapsulated inside the frame of another protocol. This enables the original data to be carried over a second, non-native architecture.
- 3 steps in creating a tunnel: encapsulation, decapsulation, management.
- There are at least 4 tunnel configurations: router to router, host to router, host to host, router to host.
- How the addresses are known determines the type of tunnel: configured tunnel or automatic tunnel.

Configured Tunnels
- Typically, configured tunnels connect IPv4/IPv6 dual-stack hosts or networks across IPv4-only networks to other dual-stack networks.
- Local network administrators arrange for a tunnel between IPv6 networks across IPv4-only networks.
- This was the default dual-stack architecture on Abilene until 2002; there are still some configured tunnels supported by the Abilene NOC.

Automatic IPv6-in-IPv4 Tunnels
- A dual-stack host or network automatically creates a tunnel across an IPv4-only network.
- Common tunnel types:
  - 6to4: most commonly deployed automatic tunnel format; available with Windows XP.
  - ISATAP: intranet automatic tunnel format; not designed for public networks.
  - Teredo: designed to traverse NATs.

Tunnel Security Issues
- RFC 3964, Security Considerations for 6to4: www.ietf.org/rfc/rfc3964.txt
- draft-ietf-v6ops-teredo-security-concerns-02.txt: Teredo Security Concerns

Dual Stack
- This is likely to be the predominant network-layer transition tool.
- It appears that when all the tools using tunnel mechanisms were being developed, no one thought viable dual-stack routers would show up as quickly as they in fact have.
- Most backbones could be dual-stack very easily, and will be when there is a demand.

Transition
- Tunnels will remain useful as a tool for connecting isolated hosts in home networks to v6 nets.
- Earthlink secure IPv6-in-IPv4 tunnel using open-source Linux on the Linksys 54G/GS: www.research.earthlink.net/ipv6/

Host-level Transition
- This is where transition could bog down. How do you make web and other servers transparently accessible to either v6 or v4 hosts?
- There are several approaches: dual stack, bump-in-the-stack, NAT-like devices, translators.

Translators
- The KAME-derived BSD stacks ship a tool called faithd. This is a transport-layer (TCP relay) translator.
- There are also header translators out there: SIIT

- NAT-PT (historical)
- SOCKS
- Various application-specific translators

IPv6 Security

Security Considerations
- Sit down and think: what do I do for IPv4? Go through your best security practices. Create campus/department best security practices if necessary. Check off each practice for IPv6 as well as IPv4.
- Most host OS implementations have IPv6 on by default.
- Firewalls (host or router): do they support IPv6? Are they on for IPv6 by default? Mirror your IPv4 rules for IPv6!
- Know your services! Scan all hosts and routers for IPv6 services. Nmap supports IPv6 but does NOT support subnet sweeps for IPv6: brute-forcing a /64 is infeasible (the deck's estimate is 28+ years for one subnet, and that is optimistic), so build target lists from DNS, router neighbor caches and flow records instead.
- Check the status of IPv6 support for your security tools: use NetFlow v9 for IPv6 flow support on Cisco; IDS/IPS support? Firewall support? Vulnerability scanner support? Etc.
- Don't allow mission-critical areas (human resources department, credit card department, HIPAA, FERPA, etc.) to bring up IPv6 without an audit/scan of devices by the security group.
- Watch out for router/application access control lists and the various IPv6 address types:
  - IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) can cause problems if an application uses them and your rules don't allow them.
  - IPv6 multicast groups are necessary for basic network connectivity (neighbor discovery runs over them); don't filter them blindly.
  - Routers will use link-local addresses for routing (next hops).
- Be careful with stateless autoconfig: hosts are live on the net with no administrative interaction.
- Potential for DoS attacks using RH0 (routing header type 0):
    www.secdev.org/conf/IPv6_RH_security-csw07.pdf
    www.sixxs.net/faq/connectivity/?faq=filters
  RH0 was deprecated by RFC 5095.
- Automatic IPv6 tunneling can enable hosts to be on the IPv6 network without realizing it. It can also skew traffic delay results.
- Prevent hosts on your networks from spoofing IPv6 addresses: use access lists, or, on Cisco platforms that support it, use
    ipv6 verify unicast reverse-path
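Two of the checks above, as an added example written for this page (not from the deck or any vendor): walking an IPv6 packet's extension-header chain to flag a Type 0 Routing Header the way a filter would, and applying an access list correctly to a peer that a dual-stack socket reports as an IPv4-mapped address (::ffff:a.b.c.d). The packets and the allow lists are constructed; only the Python standard library is used.

```python
"""RH0 detection by walking the IPv6 extension-header chain, and an ACL check
that sees through IPv4-mapped addresses.  Example code written for this page;
the packets and address lists are constructed."""
import ipaddress
import struct

# Extension headers that carry a Next Header field and can be chained.
EXT_HEADERS = {0: "hop-by-hop", 43: "routing", 44: "fragment", 51: "ah", 60: "dest-opts"}


def walk_headers(pkt):
    """Return (upper-layer protocol, [extension headers], payload offset).
    Routing header entries also carry their routing type and segments left."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, chain = pkt[6], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        if nh == 44:                      # fragment header is fixed size
            hlen = 8
        elif nh == 51:                    # AH length is in 4-octet units, minus 2
            hlen = (pkt[off + 1] + 2) * 4
        else:                             # others: 8-octet units after the first 8
            hlen = (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            raise ValueError("extension header runs past end of packet")
        entry = {"type": EXT_HEADERS[nh], "len": hlen}
        if nh == 43:
            entry["routing_type"] = pkt[off + 2]
            entry["segments_left"] = pkt[off + 3]
        chain.append(entry)
        nh, off = pkt[off], off + hlen
    return nh, chain, off


def has_rh0(pkt):
    """True if the packet carries a Type 0 Routing Header with segments left.
    RFC 5095 deprecates RH0; with Segments Left = 0 it is to be ignored."""
    _, chain, _ = walk_headers(pkt)
    return any(h["type"] == "routing" and h["routing_type"] == 0 and h["segments_left"] > 0
               for h in chain)


def build_packet(src, dst, payload, nh=58, rh0_hops=None):
    """IPv6 header (plus an RH0 listing rh0_hops, if given) in front of payload."""
    exts, first_nh = b"", nh
    if rh0_hops:
        addrs = b"".join(ipaddress.IPv6Address(a).packed for a in rh0_hops)
        # next header, hdr ext len (8-octet units after the first 8), routing
        # type 0, segments left, 4 reserved bytes, then the address list
        exts = struct.pack("!BBBB4x", nh, len(addrs) // 8, 0, len(rh0_hops)) + addrs
        first_nh = 43
    body = exts + payload
    hdr = struct.pack("!IHBB", 6 << 28, len(body), first_nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


def peer_allowed(peer, v4_allow, v6_allow):
    """ACL check that sees through ::ffff:a.b.c.d to the real IPv4 client."""
    ip = ipaddress.ip_address(peer)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                 # dual-stack socket delivered a v4 client
    allow = v4_allow if ip.version == 4 else v6_allow
    return any(ip in ipaddress.ip_network(n) for n in allow)
```

A filter that only inspects the fixed 40-byte header never sees the routing header at all, which is why RH0 (and fragment tricks) slip past naive IPv6 ACLs; and an application that compares the raw peer string against an IPv4 list will silently deny every mapped client unless it unwraps the address first.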

- Such filtering also goes a long way toward blocking the RH0 threats.
- IPsec is inherent to IPv6: mandatory to implement in the base specification of the time, but not mandatory to use, so it protects nothing until it is actually configured.
- IPv6 Security Threats whitepaper: www.seanconvery.com/v6-v4-threats.pdf

IPv6 Flow

IPv6 Flow Options

- NetFlow v9 (aka cflow/jflow)
- sFlow
- IPFIX

Common NetFlow versions
- NetFlow v5: fixed record format, no support for IPv6. Supported by Cisco, Juniper, Alcatel.
- NetFlow v9: variable, template-based record format, supports IPv6. Supported by Cisco and Juniper, although Juniper doesn't yet support IPv6 traffic reporting in cflowd v9.

Cisco IPv6 NetFlow v9 Configuration
General configuration:
  ipv6 flow-export version 9
  ipv6 flow-export destination <collector-address> <udp-port>
  ipv6 flow-export template refresh-rate <packets>
  ipv6 flow-export template timeout <minutes>

Interface-specific commands:
  ipv6 flow ingress
  ipv6 flow egress

CLI management commands:
  show ip cache flow
  clear ip flow stats
  (these show the IPv4 cache; the IPv6 cache is shown with "show ipv6 flow cache")

IPFIX
- IETF working group effort.
- Improves on Cisco's NetFlow v9.
- See: http://www.nanog.org/meetings/nanog41/presentations/nanog41-ipfix.pdf

sFlow
- Includes packet header information.
- Used by Extreme, Force10, Foundry.
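How NetFlow v9's template-based records carry IPv6 where the fixed v5 record cannot, as an added example written for this page (not Cisco's exporter or any collector's code): a tiny exporter builds a template FlowSet and a data FlowSet with IPv6 source/destination fields, and a collector decodes them. It shows why data that arrives before its template cannot be decoded (the reason for the template refresh-rate and timeout knobs above) and why templates are cached per exporter source ID. The exporter IDs, field list and flow values are constructed.

```python
"""Minimal NetFlow v9 (RFC 3954) exporter/collector pair with IPv6 fields.
Example code written for this page; the flow records and exporter ids are
constructed."""
import ipaddress
import struct

# Field types from RFC 3954; only the ones used here.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port",
               11: "l4_dst_port", 27: "ipv6_src_addr", 28: "ipv6_dst_addr"}
IPV6_FIELDS = (27, 28)


def encode_record(fields, values):
    """Serialise one data record according to a template's (type, length) list."""
    out = b""
    for ftype, flen in fields:
        v = values[FIELD_NAMES.get(ftype, "field_%d" % ftype)]
        if ftype in IPV6_FIELDS:
            out += ipaddress.IPv6Address(v).packed
        else:
            out += int(v).to_bytes(flen, "big")
    return out


def build_v9(source_id, templates, data, seq=1, uptime_ms=1000, unix_secs=1700000000):
    """templates: {template_id: [(type, len), ...]}; data: {template_id: [record bytes]}."""
    flowsets = b""
    if templates:
        body = b"".join(struct.pack("!HH", tid, len(f)) +
                        b"".join(struct.pack("!HH", t, l) for t, l in f)
                        for tid, f in templates.items())
        flowsets += struct.pack("!HH", 0, 4 + len(body)) + body    # FlowSet ID 0 = templates
    for tid, recs in data.items():
        body = b"".join(recs)
        pad = (-len(body)) % 4                                      # 32-bit alignment
        flowsets += struct.pack("!HH", tid, 4 + len(body) + pad) + body + b"\x00" * pad
    count = len(templates) + sum(len(r) for r in data.values())
    return struct.pack("!HHIIII", 9, count, uptime_ms, unix_secs, seq, source_id) + flowsets


class V9Collector:
    def __init__(self):
        self.templates = {}     # (source_id, template_id) -> [(type, len), ...]
        self.flows = []
        self.unresolved = 0     # data flowsets seen before their template

    def feed(self, pkt):
        """Decode one export packet; returns the header's record count."""
        version, count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError("not NetFlow v9 (version %d)" % version)
        off = 20
        while off + 4 <= len(pkt):
            fid, flen = struct.unpack("!HH", pkt[off:off + 4])
            if flen < 4 or off + flen > len(pkt):
                raise ValueError("bad FlowSet length")
            body = pkt[off + 4:off + flen]
            if fid == 0:
                self._templates(source_id, body)
            elif fid >= 256:                 # 1 = options template, ignored here
                self._data(source_id, fid, body)
            off += flen
        return count

    def _templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4])
                      for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _data(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.unresolved += 1             # cannot decode without the template
            return
        rec_len = sum(l for _, l in fields)
        if rec_len == 0:
            return
        off = 0
        while off + rec_len <= len(body):    # trailing bytes < rec_len are padding
            rec = {}
            for ftype, flen in fields:
                raw = body[off:off + flen]
                off += flen
                name = FIELD_NAMES.get(ftype, "field_%d" % ftype)
                rec[name] = (str(ipaddress.IPv6Address(raw)) if ftype in IPV6_FIELDS and flen == 16
                             else int.from_bytes(raw, "big"))
            self.flows.append(rec)
```

A real collector also expires templates that are not refreshed and must tolerate a template being redefined with different fields after an exporter reloads; the per-(source ID, template ID) cache is what keeps two routers' template 256 from being confused.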

Things to Watch For
- Simultaneous IPv6 and flow support.
- Impact of IPv6 flow on router or switch performance.
- Sampling limitations.
- Corner-case behavior: MPLS, multicast.

NetFlow Lab
1. Configure an interface on the D router to report IPv6 NetFlow v9 traffic to one of the pod laptops (or an attendee laptop).
2. Open wireshark/tcpdump.
3. Send IPv6 traffic across the interface that has IPv6 NetFlow v9 enabled.
4. Confirm that NetFlow v9 traffic is received on the laptop, and examine the NetFlow v9 packets.

IPv6 Applications

Operating Systems - Windows
- Windows XP: supported since the initial release.
  - Type "ipv6 install" on XP (no service pack); type "netsh interface ipv6 install" for SP1 or SP2, or use the control panel to add the network protocol.
  - The Advanced Networking service pack adds support for Teredo.
  - Internet Explorer and Firefox web browsers are IPv6-enabled.
  - 6to4, ISATAP and Teredo supported.
  - www.microsoft.com/ipv6/
- IPv6 is on by default in Windows Vista, and will be supported across all Microsoft products eventually.
- Active Directory DNS supports AAAA records but not IPv6 transport.
- The firewall in Windows 2003 Server with SP1 supports IPv6; the firewall in Windows XP with SP2 supports IPv6.
- ping, tracert, telnet, ftp, netstat and netsh commands all support IPv6.
- In Windows Vista, some P2P and/or collaboration tools are IPv6-only, e.g. Windows Meeting Space; see http://technet.microsoft.com/en-us/windowsvista/aa905083.aspx. If the two hosts communicating with these tools don't have native IPv6 connectivity, the IPv6 traffic will be encapsulated in tunnels.

Operating Systems - MacOS X
- IPv6 is enabled by default on all interfaces, and can be manually configured through the Network preferences panel.
- 6to4 can be configured, and will track IPv4 address changes.
- The Security panel configures both v4 and v6 firewalls (ipfw and ip6fw).
- No DHCPv6 support yet; talking about supporting RFC 5006 (IPv6 Router Advertisement Option for DNS Configuration).
- IPv6 support has been added for: AppleShare; ssh and sshd; ftp and ftpd; Safari (uses v6 for sites without v4 addresses); DNS queries; multicast DNS; many other system utilities (telnet, ping, traceroute, syslog, xinetd, etc.).
- Firefox in MacOS X disables IPv6 DNS resolution by default.

Operating Systems - Linux
- www.linux-ipv6.org: USAGI Project (WIDE)
- www.tldp.org/HOWTO/Linux+IPv6-HOWTO/
- www.deepspace6.net: "the Linux IPv6 Portal"
- Most major open source applications support IPv6.
- Red Hat / Fedora enable IPv6 by default but do NOT install ip6tables by default!
- Debian IPv6 developers list: http://lists.debian.org/debian-ipv6/

Operating Systems - UNIX
- www.kame.net: WIDE's FreeBSD IPv6 site
- wwws.sun.com/software/solaris/ipv6/: IPv6 is standard in Solaris since version 8

IPv6-ready hardware and software
- www.ipv6ready.org: focuses mostly on routers, network equipment and operating systems at present; includes participation by WIDE, the IPv6 Forum and the University of New Hampshire Interoperability Lab.
- www.ipv6-to-standard.org
- Presentations by Ron Broersma of DREN:
    http://events.internet2.edu/speakers/speakers.php?go=people&id=1141
    http://winmedia.internet2.edu/jointtechs-w07/jt-w07-day3-3.wmv

DVTS
- DVTS, Digital Video Transport System: www.sfc.wide.ad.jp/DVTS/ and www.dvts.jp
- A product of the WIDE Project, DVTS is openly available software which encapsulates DV video in IPv4 or IPv6 packets.
- Supports IPv4 and IPv6, unicast and multicast.
- Good for smoke-testing networks.

Apache v.2
- IPv6 support built in (no patches or other modifications needed).

Resources

  http://www.ipv6book.ca
  http://www.ipv6book.ca/allocation.html
  http://ipv6gate.sixxs.net
  http://www.sixxs.net
  http://www.ipv6forum.com
  http://www.ipv6tf.org
  http://go6.net
  http://www.hexago.com
  http://lists.cluenet.de/mailman/listinfo/ipv6-ops

Contacts
- Internet2 IPv6 Working Group: http://ipv6.internet2.edu/
- Internet2 Network NOC: [email protected]
