
IPv6 (Hard)core Networking Services

Daniel Sörlöv
Senior Consultant, Trainer & Speaker
Svensk IT Funktion AB

WSV312

History of IP

Around 1980 IP was defined
IPv6 started in the 1990s as IPNG
First IPv6 RFC published in 1995
Primary definition today is RFC 2640

IPv4 problems

Complicated headers (checksum calculations)
Limited address space
Slow option handling
No QoS, encryption or integrity
NAT

Why should we care about IPv4 exhaustion?

32 bits
4 294 967 296 addresses
256 /8 blocks

”There is still reserved space”

Current IPv4 Situation & Projections

IANA: Exhausted

APNIC: 19-apr-2011 (!)
RIPE NCC: 14-aug-2012
ARIN: 20-jun-2013
LACNIC: 29-jan-2014
AFRINIC: 05-nov-2014

Two routes to escape exhaustion

Decrease LIR allocation policy
More administrative work, complicates delegations

Use NAT, NAPT
Breaks communications (?)
Negative effect on old protocols (?)
Perceived as a security measure (?)

Solving the problem without magic tricks (NAT)

128 bits, or 340282366920938463263274607431768211456 addresses
2^64 nodes per subnet
Fixed subnet size

IPv6 Address (128 bits):

Network ID (64 bits) | Interface ID (64 bits)

Perspective to that scale

Total earth surface is about 198 million sq. miles

You end up with 4.28 × 10^20 addresses per sq. inch!

Dividing the address

001 (3 bits) | routing prefix (45 bits) | subnet id (16 bits) | interface id (64 bits)

IANA -> RIR
RIR -> LIR
/48 assigned to customer

Will this be enough?

RIRs requesting new blocks every 18 months

The current block assigned by IETF will run out 2158

1/8th of the total is assigned!

More than 5/8th will still be available
000/3 and 111/3 are reserved!

Terminology

Node: equipment handling IPv6 in any way
Router: equipment doing IPv6 routing
Host: equipment that does NOT route packets
Link: a LAN or WAN network
Neighbor: a node on the same link
Packet: header + data

IPv4 to IPv6 changes

Simplified headers
Scalability
Better option handling
QoS support built in
Encryption (ESP, Encapsulating Security Payload)
Authentication (AH, Authentication Header)
Integrity (AH+ESP)
Self-configuring

IPv6 Address format

FE80:0:0:0:0290:27FF:0077:DE97

Zero group compression:
FE80::0290:27FF:0077:DE97

Leading zero trimming:
FE80::290:27FF:77:DE97
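As an added example (not from the slides), the two steps above implemented by hand in Python: expand any textual address into its eight 16-bit groups, then emit the canonical form of RFC 5952 (leading zeros trimmed, the longest run of zero groups collapsed to "::", the leftmost run winning a tie, lowercase hex). The result is cross-checked against the standard library's ipaddress module, which implements the same rules; the sample addresses are the slide's own plus a few constructed ones.

```python
import ipaddress


def expand(addr: str) -> list:
    """Parse a textual IPv6 address into its eight 16-bit groups, undoing '::'."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    head, sep, tail = addr.partition("::")
    left = [int(g, 16) for g in head.split(":")] if head else []
    right = [int(g, 16) for g in tail.split(":")] if tail else []
    missing = 8 - len(left) - len(right)
    if (sep and missing < 1) or (not sep and missing != 0):
        raise ValueError(f"wrong number of groups in {addr!r}")
    if any(not 0 <= g <= 0xFFFF for g in left + right):
        raise ValueError(f"group out of range in {addr!r}")
    return left + [0] * missing + right


def compress(groups: list) -> str:
    """Render groups as canonical text: trim leading zeros, '::' for the longest zero run."""
    best_start, best_len, run_start, run_len = -1, 0, -1, 0
    for i, g in enumerate(groups + [-1]):          # sentinel closes a trailing run
        if g == 0:
            run_start, run_len = (i, 1) if run_len == 0 else (run_start, run_len + 1)
        else:
            if run_len > best_len:                  # strictly greater: leftmost run wins a tie
                best_start, best_len = run_start, run_len
            run_len = 0
    hexes = [f"{g:x}" for g in groups]             # f"{0x0290:x}" -> "290": leading zeros gone
    if best_len < 2:                                # a single zero group is never shortened
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def canonical(addr: str) -> str:
    """Both slide steps in one call: compress(expand(addr))."""
    return compress(expand(addr))


def agrees_with_stdlib(addr: str) -> bool:
    """Cross-check our canonical form against ipaddress (which implements RFC 5952)."""
    return canonical(addr) == ipaddress.IPv6Address(addr).compressed


if __name__ == "__main__":
    samples = ("FE80:0:0:0:0290:27FF:0077:DE97", "2001:db8:0:0:1:0:0:1",
               "0:0:0:0:0:0:0:1", "::", "2001:db8:0:1:2:3:4:5")        # constructed inputs
    for a in samples:
        print(f"{a:35} -> {canonical(a):25} stdlib agrees: {agrees_with_stdlib(a)}")
```

The slide writes hex in uppercase; RFC 5952 mandates lowercase in the canonical form, which matters when addresses are compared as strings in logs, allow-lists or SIEM rules. Normalising both sides with a function like canonical() before comparing avoids false mismatches.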

IPv6 Allocations

This is about 15% of the total address space
If you heard of ”Site Local” (FEC0), that is deprecated

Address Type           Binary Prefix   Prefix     Part of Total
Reserved by IETF       0000 0000       /8         1/256
Global Unicast         001             2000::/3   1/8
Link Local             1111 1110 10    FE80::/7   1/1024
Multicast              1111 1111       FF::/8     1/15
Unique Local Unicast   1111 1100       FC0::/7    1/1024

Source: http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.txt

Very important about FEC0

Microsoft still uses the deprecated range for DNS servers:

fec0:0:0:ffff::1
fec0:0:0:ffff::2
fec0:0:0:ffff::3

As a last resort only!

Common addresses

Loopback: 0:0:0:0:0:0:0:1 or ::1 (was 127.0.0.1)

Unspecified: 0:0:0:0:0:0:0:0 or :: (was 0.0.0.0)

Link Local Addresses

FE80 prefix
Similar to IPv4 APIPA (169.254.0.0/16)
Only for on-link communication, not routable
Used for:
Auto configured addresses
Neighbor discovery process

1111 1110 10 (10 bits) | 00 00 .. 00 (54 bits) | Interface id (64 bits)

Multicast Addresses

1111 1111 (8 bits) | flags (4 bits) | scope (4 bits) | reserved (8 bits) | plen (8 bits) | net prefix (64 bits) | group prefix (32 bits)

Flags: 0 = well known address, 1 = transient address

Scope: 1 = Node Local, 2 = Link Local, 14 = Global Internet

Group ID: 1 = All nodes, 2 = All routers, 101 = all NTP servers

Global Unicast

001 (3 bits) | routing prefix (45 bits) | subnet id (16 bits) | interface id (64 bits)

Address Type        Binary Prefix   Prefix
Unspecified         000…0           ::/128
Loopback            0000…01         ::1/128
ULA                 1111 110        FC00::/7
Assigned to RIRs    001             2003:/3
Global Unicast      Everything else!!

Unique Local Addresses (ULA)

1111 110 (7 bits) | L (1 bit) | global (40 bits) | subnet (16 bits) | interface id (64 bits)

L=1
FC00::/7 prefix
Local or site local communications
Most likely will be unique and not expected to be routable
Well known, somewhat like RFC 1918

Windows and IPv6

IPv6 is Preferred

Nameserver query
Try to reach IPv6
Try to reach IPv4
Timeout

PING & NSLOOKUP

Same tools and same syntax.

IPv6 Header Format

Ver (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)
Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits)
128-bit source address
128-bit destination address

Total 40 bytes

IPv6 Header Format gains

Fixed length
Extension headers
Is not protected by checksum
Payload length and not total length
Hop-Limit introduced

Extension Headers

IPv6 Header (Next-header: Hop-by-hop)
-> Hop-by-hop Header (Next-header: Destination)
-> Destination Options Header (Next-header: Routing)
-> Routing Header (Next-header: Fragment)
-> Fragment Header (Next-header: AH)
-> AH (Next-header: ESP)
-> ESP Header

Extension Header Handling

Only processed by the destination node
Except for Hop-By-Hop Header

Packet voided if unrecognized headers found
Recommended ordering

Next header value 59: ”No more headers”
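As an added example (not from the slides), a small Python decoder for the fixed 40-byte header and the Next Header chain described above. It walks the variable-length headers (hop-by-hop, routing, destination options; length in 8-byte units not counting the first 8), the fixed 8-byte fragment header and AH (length in 4-byte units minus 2), stops at ESP because the rest is encrypted, honours 59 as "no more headers", rejects a hop-by-hop header that is not first, and raises on an unrecognized value, which is the "packet voided" behaviour the slide names. The sample packet is constructed inline; its addresses and flow label are made up.

```python
import struct
import ipaddress

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 50, 51, 60, 59
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
EXT_NAMES = {HOP_BY_HOP: "hop-by-hop", ROUTING: "routing", FRAGMENT: "fragment",
             AH: "AH", DEST_OPTS: "destination-options"}


def parse_ipv6(packet: bytes) -> dict:
    """Decode the 40-byte fixed header and walk the Next Header chain to the upper layer."""
    if len(packet) < 40:
        raise ValueError("truncated: the IPv6 fixed header is 40 bytes")
    first, payload_len, nh, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first >> 28 != 6:
        raise ValueError(f"not IPv6: version {first >> 28}")
    end = 40 + payload_len
    if end > len(packet):
        raise ValueError("payload length exceeds captured bytes")
    info = {
        "traffic_class": (first >> 20) & 0xFF,
        "flow_label": first & 0xFFFFF,
        "payload_length": payload_len,          # payload only, not total length
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "chain": [], "upper": None, "upper_offset": None,
    }
    off = 40
    while True:
        if nh == NO_NEXT_HEADER:
            break
        if nh in UPPER_LAYER:
            info["upper"], info["upper_offset"] = UPPER_LAYER[nh], off
            break
        if nh == ESP:                           # payload is encrypted; the chain ends here
            info["chain"].append("ESP")
            break
        if nh not in EXT_NAMES:                 # slide: packet voided if header unrecognized
            raise ValueError(f"unrecognized Next Header value {nh} at offset {off}")
        if nh == HOP_BY_HOP and off != 40:     # must directly follow the fixed header
            raise ValueError("hop-by-hop header not first")
        if off + 8 > end:
            raise ValueError("extension header truncated")
        next_nh = packet[off]
        if nh == FRAGMENT:                      # fixed 8 bytes: next, reserved, offset/M, id
            _, _, frag_field, ident = struct.unpack("!BBHI", packet[off:off + 8])
            info["fragment"] = {"offset": frag_field >> 3, "more": bool(frag_field & 1), "id": ident}
            size = 8
        elif nh == AH:                          # length in 4-byte units, minus 2
            size = (packet[off + 1] + 2) * 4
        else:                                   # length in 8-byte units, not counting the first 8
            size = (packet[off + 1] + 1) * 8
        if off + size > end:
            raise ValueError(f"{EXT_NAMES[nh]} header runs past the payload")
        info["chain"].append(EXT_NAMES[nh])
        off, nh = off + size, next_nh
    return info


def build_demo_packet() -> bytes:
    """Constructed sample: hop-by-hop -> destination options -> fragment -> ICMPv6 echo."""
    padn = b"\x01\x04\x00\x00\x00\x00"                       # PadN option filling 6 bytes
    hop_by_hop = bytes([DEST_OPTS, 0]) + padn                # next = 60, hdr ext len 0 (8 bytes)
    dest_opts = bytes([FRAGMENT, 0]) + padn                  # next = 44
    fragment = struct.pack("!BBHI", 58, 0, 0, 0x1234)        # next = 58, offset 0, M = 0, id
    icmpv6 = bytes([128, 0, 0, 0]) + b"\x00\x01\x00\x01"     # echo request, checksum left unset
    payload = hop_by_hop + dest_opts + fragment + icmpv6
    first = (6 << 28) | (0 << 20) | 0xABCDE                  # version 6, TC 0, made-up flow label
    fixed = struct.pack("!IHBB", first, len(payload), HOP_BY_HOP, 64)
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return fixed + src + dst + payload


if __name__ == "__main__":
    for key, value in parse_ipv6(build_demo_packet()).items():
        print(f"{key:15} {value}")
```

The chain walk is the part a firewall or IDS must get right: an upper-layer port filter that only looks at byte 40 of the packet misses any packet whose transport header is pushed back by extension headers, so a filter should locate the transport header the way parse_ipv6 does rather than assume a fixed offset.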

Traffic Class & Flow Label

Traffic Class (8-bit)
Similar to TOS in IPv4
RFC 2460

Flow label
Real-time applications
RFC 3697 obsoleted by RFC 643

Both are still considered experimental!

Control Protocols

IPv4: ICMP, ARP etc.

IPv6: ICMPv6

ICMPv6

Type field: 0-127 is errors, 128-255 is informational

Body includes start of invoking packet
Must not be fragmented
Must not be originated in reply to ICMPv6 error or redirects

type (8 bits) | code (8 bits) | checksum (16 bits) | message

Broadcast is dead – long live multicast

Multicast replaces Broadcast
All IPv6 nodes must support multicast
You must enable IGMP snooping

”All nodes on-link” multicast group

Nodes: node-local is FF01::1, link-local is FF02::1

Routers: node-local is FF01::2, link-local is FF02::2

Solicited-node multicast groups

Nodes with similar addresses will join
Globally assigned FF02::1:FF00:0:/104
Low order 24 bits of node address

Example:
Node 2001:db8::2:20ef:345f:3254:d851
Joins FF02::1:FF00:0:3254:d851

Neighbor Discovery (ND)

Relies on ICMPv6
Uses multicast

Requests link-layer address by using a neighbor solicitation (NS) query

Neighbor Advertisement (NA) (flag S1 = in response to NS, S2 = unsolicited NA)

Neighbor information stored in:
Neighbor cache (NC)
Destination cache (DC)

Neighbor Discovery Proxy (ND-Proxy)

Can reply to NS queries

Must not be preferred from nodes

Flags in response: 0 = Reachable and stale, 1 = Reachable and updated

ND is the new ARP!

ARP is dependent on broadcast
Reduces network load
Improved robustness

Neighbor unreachability detection
Half-link failure detection
Notification to upper layer

Anycast

Same unicast assigned to multiple nodes
Delivered to the ”nearest” matching interface
Increases service availability and reliability
Allocated from normal unicast pool

IPv6 Node Configuration

IPv6 Address:

Interface ID
Manual
Auto (stateful or stateless)

Network ID
Manual
Auto (stateful or stateless)
Pre-defined well-known prefix (FE80..)

Additional parameters
Routers

Interface Identifier Configuration

Manual configuration
Auto configuration (EUI-64)
Auto configuration (Randomization)
DHCPv6

Pseudo-random ID
Cryptographically generated ID

Extended Unique Identifier (EUI-64)

MAC:      22 1F 74 C5 16 51
EUI-64:   22 1F 74 FF FE C5 16 51
MEUI-64:  20 1F 74 FF FE C5 16 51

0001 0110
0001 0100

Interface Auto configuration

Modified EUI-64 derived from MAC (not Windows!!)
Collisions/duplicate addresses

Duplicate MAC addresses
Duplicate Interface ID (manual configuration)

Neighbor Discovery (ND) locates owner of address
DAD based on ND

DAD – Duplicate Address Detection

Node X starts and will assign address Y on interface I
Interface I joins multicast groups:
FF02::1 (all hosts)
FF02::1:FF00:0:Y (solicited node multicast)

Is there any NS query (dst FF02::1:FF00:0:Y, src ::)?
X sends NS (dst FF02::1:FF00:0:Y, src ::)
Is there a NA (flag=S0) sent to FF02::1?

Must be performed for all Unicast, but not Anycast

SLAAC – StateLess Address Auto Configuration

Link-local is already ”configured”:
Well-known network id (FE80)
Interface id (MEUI-64)
DAD resolved any conflicts

Neighbor communication established
Next is to find routers, networks etc.
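As an added example (not from the slides), the whole SLAAC link-local chain from the EUI-64, DAD and solicited-node slides carried through in Python: the MAC from the EUI-64 slide (22:1F:74:C5:16:51) becomes a Modified EUI-64 interface identifier, that identifier is appended to the FE80::/64 prefix, the DAD probe is described (unspecified source, solicited-node destination, tentative address as target), and the solicited-node group is derived by the low-order-24-bit rule the solicited-node slide states (RFC 4291 section 2.7.1). The reverse mapping, recovering a MAC from an EUI-64-derived address, is included because an analyst reading logs uses it to tie an address back to hardware.

```python
import ipaddress
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit Modified EUI-64 interface identifier (RFC 4291, Appendix A):
    insert FF:FE between the OUI and the device part, then flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address has exactly 6 octets")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]          # 0x22 -> 0x20 in the slide's example


def mac_from_interface_id(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived address, or None if the IID was not built that way."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return octets.hex(":")


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """SLAAC link-local address: well-known FE80::/64 prefix + Modified EUI-64."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_modified_eui64(mac))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx carrying the low-order 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def dad_probe(addr: str) -> dict:
    """The Neighbor Solicitation a node sends to test a tentative address:
    unspecified source, solicited-node multicast destination, the address itself as target."""
    tentative = ipaddress.IPv6Address(addr)
    return {"src": "::", "dst": str(solicited_node(addr)), "target": str(tentative)}


if __name__ == "__main__":
    mac = "22:1F:74:C5:16:51"                   # the MAC from the EUI-64 slide
    ll = link_local_from_mac(mac)
    print("MEUI-64    :", mac_to_modified_eui64(mac).hex(" "))
    print("link-local :", ll, "-> MAC", mac_from_interface_id(str(ll)))
    print("DAD probe  :", dad_probe(str(ll)))
    print("solicited  :", solicited_node("2001:db8::2:20ef:345f:3254:d851"))
```

Because the interface identifier is derived from the MAC, the same host is recognisable by the same 64 low-order bits on every network it visits, which is the privacy reason the slides list randomized and cryptographically generated identifiers as alternatives (and why Windows does not use EUI-64 by default).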

Finding a router

All routers must join multicast group All Routers (FF02::2)

Clients send a Router Solicitation (RS) query

Routers send out a Router Advertisement (RA) message

Periodically
In response to RS queries

Router advertisements

M = Address via DHCPv6
O = Options via DHCPv6

type (134) (8 bits) | code (0) (8 bits) | checksum (16 bits)
ttl | M | O | res | router lifetime
reachable time
retransmit time
variable length options

RA-options

Prefix information
Prefix ID and its length
Lifetime for the prefix

Maximum Transmission Unit (MTU)
Link-layer address of source

DEATH BY RA

Music by Martin Minor
Traffic dumps by Hasain Alshakarti

Death by RA

Do NOT route RA

Filter RA from ports that shouldn’t send them!

All clients MUST process all RA!

Secure ND

On-link only!

Do NOT route ND

Filter RA with TTL < 255

Generalized TTL Security Mechanism (GTSM, RFC 5082)
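As an added example (not from the slides), a Python check that applies the Secure ND rules above to a Router Advertisement before trusting it: the IPv6 hop limit must still be 255 (GTSM: a packet that crossed a router has been decremented, so it cannot be on-link), the source must be a link-local address, and the ICMPv6 checksum over the pseudo-header must verify. It then decodes the M/O flags and the RA options from the RA-options slide (source link-layer address, MTU, prefix information). The RA packets are constructed inline with made-up values; the checksum helper follows RFC 4443's pseudo-header definition.

```python
import struct
import ipaddress

ICMPV6, ROUTER_ADVERTISEMENT = 58, 134
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src, dst, msg: bytes) -> int:
    """Checksum over the IPv6 pseudo-header (src, dst, length, next header 58) plus the message."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(msg), ICMPV6)
    return (~ones_complement_sum(pseudo + msg)) & 0xFFFF


def check_ra(packet: bytes) -> dict:
    """Validate an RA the way a host or a first-hop filter should, then decode it."""
    result = {"accept": True, "reasons": [], "options": {}}

    def reject(why):
        result["accept"] = False
        result["reasons"].append(why)

    if len(packet) < 40:
        reject("truncated packet")
        return result
    first, payload_len, nh, hop_limit = struct.unpack("!IHBB", packet[:8])
    src, dst = ipaddress.IPv6Address(packet[8:24]), ipaddress.IPv6Address(packet[24:40])
    msg = packet[40:40 + payload_len]
    if first >> 28 != 6 or nh != ICMPV6 or len(msg) < 16 or msg[0] != ROUTER_ADVERTISEMENT:
        reject("not a Router Advertisement")
        return result
    if hop_limit != 255:                       # GTSM: anything routed has been decremented
        reject(f"hop limit {hop_limit} != 255, so not from on-link")
    if not src.is_link_local:                  # RFC 4861 6.1.2: RA source must be link-local
        reject(f"source {src} is not link-local")
    if msg[1] != 0:
        reject("ICMPv6 code must be 0")
    if icmpv6_checksum(src, dst, msg) != 0:    # a message with a valid checksum sums to zero
        reject("bad ICMPv6 checksum")
    cur_hop, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", msg[4:16])
    result.update(managed=bool(flags & 0x80), other_config=bool(flags & 0x40),
                  router_lifetime=lifetime, reachable_ms=reachable, retrans_ms=retrans)
    off = 16
    while off + 2 <= len(msg):                 # options are type, length (8-byte units), body
        opt_type, opt_len = msg[off], msg[off + 1]
        if opt_len == 0 or off + opt_len * 8 > len(msg):
            reject("malformed option length")
            break
        body = msg[off:off + opt_len * 8]
        if opt_type == OPT_SOURCE_LLADDR:
            result["options"]["source_lladdr"] = body[2:8].hex(":")
        elif opt_type == OPT_MTU:
            result["options"]["mtu"] = struct.unpack("!I", body[4:8])[0]
        elif opt_type == OPT_PREFIX_INFO:
            result["options"]["prefix"] = f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}"
            result["options"]["autonomous"] = bool(body[3] & 0x40)   # A flag: usable for SLAAC
        off += opt_len * 8
    return result


def build_ra(src: str, hop_limit: int, managed=False, other=True) -> bytes:
    """Constructed RA (all values made up): lifetime 1800 s, MTU 1500, one /64 prefix."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address("ff02::1")
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    msg = struct.pack("!BBHBBHII", ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    msg += bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex("221f74c51651")
    msg += struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
    msg += ipaddress.IPv6Address("2001:db8:1::").packed
    msg = msg[:2] + struct.pack("!H", icmpv6_checksum(s, d, msg)) + msg[4:]
    return struct.pack("!IHBB", 6 << 28, len(msg), ICMPV6, hop_limit) + s.packed + d.packed + msg


if __name__ == "__main__":
    print(check_ra(build_ra("fe80::201f:74ff:fec5:1651", 255)))
    print(check_ra(build_ra("fe80::201f:74ff:fec5:1651", 64)))    # dropped by the GTSM rule
```

The hop-limit and link-local checks are exactly what the "Do NOT route RA" and "Filter RA with TTL < 255" bullets ask of the network; a host stack enforces them too, so a misconfigured device that forwards RAs between VLANs is caught at both ends. The checksum check matters for a monitoring tool, which otherwise reports a corrupted capture as a rogue router.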

Fragmentation notes

Problems with fragmentation:
Inefficient use of resources
Degraded performance
Reassembly is hard

Reasons to fragment:
Path MTU (PMTU) mismatch
The TCP/IP stack

Fragmentation deep-dive

”Fragmentation” by source only!
No more ”Don’t fragment” flag
Minimum MTU set to 1280 bytes
If a packet is above the MTU, an ICMP error is returned

Detecting PMTU:
Sending packets increasingly from 1280 bytes
When hitting a limit somewhere, store it in the DC (Destination Cache)

IPv6 & DNS

New (?) resource record type introduced:
www.gurka.se IN AAAA 2001:ac8:ac2::1

Reverse records (PTR)
Arranged in ”nibbles” (4 bits in hex)
Domain namespace is ipv6.arpa.
2001:db8::20:219f:bd8c:17af is now:

f.a.7.1.c.8.d.b.f.9.2.1.0.2.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ipv6.arpa.
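As an added example (not from the slides), the nibble format carried out in Python for the slide's address, following RFC 3596 (the reverse tree lives under ip6.arpa and every one of the 32 hex digits of the fully expanded address becomes one label, least significant first). It also derives the zone apex for delegating a prefix, parses an owner name back into an address, and emits PTR lines relative to a zone; the zone and host names are constructed from the slide's documentation-prefix examples.

```python
import ipaddress


def reverse_name(addr: str) -> str:
    """PTR owner name: 32 nibbles of the expanded address, least significant first, under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")   # 32 lowercase hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix: str) -> str:
    """Zone apex for delegating a prefix; the length must fall on a nibble (4-bit) boundary."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for a clean nibble delegation")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def address_from_reverse(name: str) -> str:
    """Parse a PTR owner name back into the address it stands for."""
    suffix = ".ip6.arpa."
    if not name.lower().endswith(suffix):
        raise ValueError("not an ip6.arpa name")
    labels = name[: -len(suffix)].lower().split(".")
    if len(labels) != 32 or any(len(l) != 1 or l not in "0123456789abcdef" for l in labels):
        raise ValueError("expected exactly 32 single hex-digit labels")
    hexstr = "".join(reversed(labels))
    return str(ipaddress.IPv6Address(":".join(hexstr[i:i + 4] for i in range(0, 32, 4))))


def zone_records(zone: str, hosts: dict) -> list:
    """PTR records relative to a reverse zone, for a {fqdn: address} mapping."""
    lines = []
    for fqdn, addr in hosts.items():
        owner = reverse_name(addr)
        if not owner.endswith("." + zone):
            raise ValueError(f"{addr} is not inside the zone {zone}")
        lines.append(f"{owner[: -len(zone) - 1]} IN PTR {fqdn}")
    return lines


if __name__ == "__main__":
    print(reverse_name("2001:db8::20:219f:bd8c:17af"))        # the slide's address
    zone = reverse_zone("2001:db8::/48")                        # constructed /48 delegation
    print(zone)
    for line in zone_records(zone, {"www.gurka.se.": "2001:db8::1"}):   # constructed host
        print(line)
```

Writing these names by hand is error-prone precisely because of the zero runs: the expanded form of the address has ten consecutive zero nibbles in the middle, and a single miscounted label silently points the PTR at a different address. Generating reverse zones from the forward data, as zone_records does, removes that class of mistake.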

LLMNR – Link-Local Multicast Name Resolution

Very similar to DNS queries and responses
Sends query on UDP port 5355 to FF02::1:3
Responses are sent by authoritative machines via unicast
Defined in RFC 4795
Separate cache, not the same as the DNS resolver or NetBT
Only for very small networks

Name resolution ordering

DNS
LLMNR (if not FQDN, IPv6 & IPv4)
NetBT (if not FQDN, IPv4)

Migration & Stacks

Dual stack mode (IPv4+IPv6)
Most workstations are in this mode

Windows prefers IPv6

Make sure you have control!!
Tunneling IPv6 over IPv4
NAT64 to translate between versions

Tunneling

6to4 (RFC 3056)
Requires public IPv4 endpoints

Teredo (RFC 4380)
NAT-T supported
Enabled by default (teredo.ipv6.microsoft.com)

ISATAP (RFC 4212)
Relies on host ISATAP
Blacklisted by default in domain
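As an added example (not from the slides), a Python classifier for the three tunnel mechanisms above, written for the "make sure you have control" point: an address seen in a log or a capture is recognised as 6to4 (2002:WWXX:YYZZ::/48 carries the public IPv4 address), Teredo (2001:0::/32, then the server's IPv4, a flags word, and the client's NAT-mapped port and IPv4 stored inverted, per RFC 4380) or ISATAP (interface identifier ::0:5efe:a.b.c.d or ::200:5efe:a.b.c.d), and the embedded IPv4 data is pulled out. All sample addresses are constructed from documentation ranges; the 6to4 and Teredo results are cross-checked against the standard library's own decoders.

```python
import ipaddress


def decode_transition(addr: str) -> dict:
    """Classify an address as 6to4, Teredo, ISATAP or native and extract the embedded IPv4 data."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if a in ipaddress.IPv6Network("2002::/16"):                      # 6to4: 2002:WWXX:YYZZ::/48
        return {"kind": "6to4", "ipv4": str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))}
    if a in ipaddress.IPv6Network("2001::/32"):                      # Teredo (RFC 4380)
        server = (n >> 64) & 0xFFFFFFFF
        flags = (n >> 48) & 0xFFFF
        port = ((n >> 32) & 0xFFFF) ^ 0xFFFF                          # stored bit-inverted
        client = (n & 0xFFFFFFFF) ^ 0xFFFFFFFF                        # stored bit-inverted
        return {"kind": "teredo", "server": str(ipaddress.IPv4Address(server)),
                "cone_nat": bool(flags & 0x8000),
                "client": str(ipaddress.IPv4Address(client)), "client_port": port}
    iid = n & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) in (0x00005EFE, 0x02005EFE):                       # ISATAP IID ::[02]00:5efe:a.b.c.d
        return {"kind": "isatap", "ipv4": str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))}
    return {"kind": "native"}


def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The /48 a 6to4 site derives from its public IPv4 address."""
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(ipaddress.IPv4Address(ipv4)) << 80), 48))


def teredo_address(server: str, client: str, client_port: int, cone_nat: bool) -> ipaddress.IPv6Address:
    """Assemble a Teredo address the way a client does from the server's reply."""
    n = ((0x20010000 << 96) | (int(ipaddress.IPv4Address(server)) << 64)
         | ((0x8000 if cone_nat else 0) << 48) | ((client_port ^ 0xFFFF) << 32)
         | (int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF))
    return ipaddress.IPv6Address(n)


def agrees_with_stdlib(addr: str) -> bool:
    """ipaddress knows 6to4 and Teredo too; use it to confirm our field extraction."""
    a, d = ipaddress.IPv6Address(addr), decode_transition(addr)
    if d["kind"] == "6to4":
        return str(a.sixtofour) == d["ipv4"]
    if d["kind"] == "teredo":
        return (str(a.teredo[0]), str(a.teredo[1])) == (d["server"], d["client"])
    return a.sixtofour is None and a.teredo is None


if __name__ == "__main__":
    samples = ("2002:c000:201::1",                              # 6to4 for 192.0.2.1
               str(teredo_address("192.0.2.45", "198.51.100.7", 40000, True)),
               "fe80::5efe:c000:209",                           # ISATAP for 192.0.2.9
               "2001:db8::1")                                   # plain global unicast
    for s in samples:
        print(f"{s:40} {decode_transition(s)}  stdlib agrees: {agrees_with_stdlib(s)}")
```

Seeing a 2002::/16 or 2001:0::/32 source in an internal log means a host built its own IPv6 path across the IPv4 network, bypassing whatever the IPv4 perimeter enforces; the decoded server and client fields tell you which relay it used and which internal NAT mapping carried it.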

Routing principles

No big changes in routing
First Host (128 bits)
Longest prefix (up to 64 bits)
Last resort is Default

RIPng, BGP4+, OSPFv3

Routing protocols

RIPng
Still has the same problems (big networks, >15 hops)
RFC 2080

BGP4+
IDRP (Inter-Domain Routing Protocol) was planned but replaced via RFC 2545 (Multiprotocol extensions for BGP4)

OSPFv3
Routers still identified by 32-bit numbers, notated as ”ipv4” addresses
RFC 2740

Main advantages summarized

More efficient address space allocation
End-to-end addressing
No more fragmentation
Routers do not need to make header checksums
Multicasting instead of broadcasting
One control protocol (ICMPv6)
Auto-configuration
Modular headers
Security built-in

DHCP, DNS, IPAM, IPCONFIG

Again the same tools, only with some new menus.

Learning more!

www.tunnelbroker.net
Learning based reward system
Pretty good hands on experience

www.gogo6.com
Very good free tunneling
Forums
Reference materials

Myth: Cannot remember addresses!

Use DNS
Manual configuration gives easy addresses
Use compact notation

Example: 2001:2ac:f000::ff01 (18 chars) or 192.168.10.50 (13 chars)

Myth: I do not need it!

IPv6 is already here
Uncontrolled IPv6 is a security risk

Related Content

WCL324: IPv6 Bootcamp: Get up to speed quickly

WSV06-TLC: Windows Server 2008 Networking

Windows Server 2012 Networking @ Tuesday 12:30 PM - 3:30 PM

Windows Server 2012 Networking @ Thursday 10:30 AM - 12:30 PM

SIA, WSV, and VIR Track Resources

DOWNLOAD Windows Server 2012 Release Candidate

microsoft.com/windowsserver

#TEWSV410

DOWNLOAD Microsoft System Center 2012 Evaluation

microsoft.com/systemcenter

Hands-On Labs

Talk to our Experts at the TLC

Resources

Connect. Share. Discuss.

http://europe.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn

Evaluations

http://europe.msteched.com/sessions

Submit your evals online

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.