5: Link-Local Addresses Rick Graziani Cabrillo College [email protected]


For more information please check out my Cisco Press book and video series:

IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6
• By Rick Graziani
• ISBN-10: 1-58714-313-5

IPv6 Fundamentals LiveLessons: A Straightforward Approach to Understanding IPv6
• By Rick Graziani
• ISBN-10: 1-58720-457-6

5.1: Purpose and Format of Link-Local Addresses

IPv6 Address Types

IPv6 Addresses
• Unicast
  • Global Unicast: 2000::/3
  • Link-Local: FE80::/10
  • Loopback: ::1/128
  • Unspecified: ::/128
  • Unique Local: FC00::/7
  • Embedded IPv4: ::/80
• Multicast
  • Assigned: FF00::/8
  • Solicited Node: FF02::1:FF00:0000/104
• Anycast

IPv6 does not have a “broadcast” address.

Link-Local Unicast Range

• Link – Network segment
• Link-local means local to that link or network.

Link-local Unicast
First 10 bits: 1111 1110 10xx xxxx | Remaining 54 bits | 64-bit Interface ID

First hextet
1111 1110 1000 0000 = FE80
1111 1110 1011 1111 = FEBF

Range of the first hextet: FE80 to FEBF

Link-Local Unicast Address

• IPv6 Source – Always a unicast
• IPv6 Destination – Unicast, multicast, or anycast.
• Unicast, including a link-local address

[Figure labels: IPv4, IPv6]

Link-Local Communications

Link-Local Unicast Address
• Used to communicate with other devices on the link.
• Are NOT routable off the link (network).
• Only have to be unique on the link.
• Not included in the IPv6 routing table.
• An IPv6 device must have at least a link-local address.

Most Networks Are Already Running IPv6

PC> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix :
   Link-local IPv6 Address . . . . : fe80::50a5:8a35:a5bb:66e1
   IPv4 Address. . . . . . . . . . : 192.168.1.101
   Subnet Mask . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . : 192.168.1.1

• IPv6 is automatically enabled with Windows, Mac and Linux operating systems.
• Can communicate with other devices on the link, including the router.

Host: “I’m not running IPv6… or am I?”

Attacker on the link: “I can now communicate with you and give you a GUA and be your default gateway using SLAAC. But I am really a bad guy and I can do a DoS or MITM attack.”

Even if IPv6 is not deployed, you must understand and secure IPv6.

People Icon: Occupations set 5 © Copyright Fredy Sujono

An Important Role in IPv6

• Used as a source IPv6 address before a device gets one dynamically (SLAAC and DHCPv6).
• Router’s link-local address is used by devices as the default gateway.
  Host: “I will use your link-local as my default gateway.”
• Routers exchange routing messages.
• Routers use the link-local address as the next-hop address in the routing table: via link-local address.

ICMPv6 Router Solicitation
From: Link-local or unspecified address
To: Multicast

ICMPv6 Router Advertisement
From: Link-local
To: Multicast

Routing Protocol Messaging
From: Link-local
To: Multicast
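The slides above note that a Router Advertisement always comes from a link-local address and that any on-link device can send one, deployed IPv6 or not. The following is an added example, not part of the original slides, of how a defender might check observed RA sources against an inventory of expected routers. The link names, the inventory and the sample records are constructed assumptions.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")

# Assumption: hypothetical inventory of the routers expected to send RAs per link.
# A link with no entry has no IPv6 router, so any RA seen there is unexpected.
EXPECTED_ROUTERS = {"vlan10": {"fe80::1"}, "vlan20": {"fe80::1"}}

# Constructed sensor records, one RA per line: "<link> <source address>".
SAMPLE_RAS = """\
vlan10 fe80::1
vlan10 fe80::a:b:c:d
vlan20 FE80::1
vlan20 2001:db8:cafe:2::99
vlan30 fe80::2
"""

def classify_ra(link, src, expected=EXPECTED_ROUTERS):
    """Return 'ok', 'invalid-source' or 'unexpected-router' for one RA."""
    ip = ipaddress.IPv6Address(src)
    if ip not in LINK_LOCAL:
        # RAs are sent from a link-local address; anything else is malformed.
        return "invalid-source"
    # Link-local addresses are unique only per link, so compare per link.
    allowed = {ipaddress.IPv6Address(a) for a in expected.get(link, ())}
    return "ok" if ip in allowed else "unexpected-router"

def suspect_ras(text, expected=EXPECTED_ROUTERS):
    """Return (link, source, verdict) for every RA that is not 'ok'."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        link, src = line.split()
        verdict = classify_ra(link, src, expected)
        if verdict != "ok":
            findings.append((link, src, verdict))
    return findings

if __name__ == "__main__":
    for finding in suspect_ras(SAMPLE_RAS):
        print(*finding)
```

A matching source address is not proof of legitimacy, because another device on the link can configure fe80::1 as well; switch-port filtering such as RA Guard (RFC 6105) covers that case.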

5.2: Automatically Created Link-Local Addresses

Link-Local Unicast Address

Link-local addresses are created:
• Automatically:
  • FE80 (usually) – First 10 bits
  • Interface ID
    • EUI-64 (Cisco routers)
    • Random 64 bits (many host operating systems)
• Static (manual) configuration – Common practice for routers.

FE80::Interface ID
First 10 bits: 1111 1110 10xx xxxx | Remaining 54 bits | 64-bit Interface ID

Automatic Link-Local Address Using EUI-64

Topology: R1 with interfaces G0/0, G0/1, S0/0/0

R1# show interface gigabitethernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is fc99.4775.c3e0 (bia fc99.4775.c3e0)
<Output Omitted>

Link-local address: FE80:: + 64-bit Interface ID
A 64-bit Interface ID is created with EUI-64 using:
• 48-bit MAC address
• Inserting 16 bits: FF-FE
• Flipping the U/L (Universal/Local) bit

Modified EUI-64 Format (Extended Unique Identifier–64)

MAC address:      FC 99 47 | 75 C3 E0
                  OUI (24 bits) | Device Identifier (24 bits)
Insert FF-FE:     FC 99 47 FF FE 75 C3 E0
U/L bit flipped:  FC = 1111 1100 becomes 1111 1110 = FE
Interface ID:     FE 99 47 FF FE 75 C3 E0

Verifying the Router’s Link-Local Address

Topology: R1 with interfaces G0/0, G0/1, S0/0/0

R1# show interface gigabitethernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is fc99.4775.c3e0 (bia fc99.4775.c3e0)
<Output Omitted>

R1#show ipv6 interface brief
GigabitEthernet0/0     [up/up]
    FE80::FE99:47FF:FE75:C3E0
    2001:DB8:CAFE:1::1
GigabitEthernet0/1     [up/up]
    FE80::FE99:47FF:FE75:C3E1
    2001:DB8:CAFE:2::1
Serial0/0/0            [up/up]
    FE80::FE99:47FF:FE75:C3E0
    2001:DB8:CAFE:3::1
R1#

• EUI-64: FF:FE = EUI-64 (most likely)
• Serial interfaces will use a MAC address of an Ethernet interface.
• “Wait! Two link-locals are the same!” Link-local addresses only have to be unique on the link.

Mystery © Copyright sato00

Verifying the PC’s Link-Local Address

PC> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix .:
   IPv6 Address. . . . . . . . . : 2001:db8:acad:1:3496:1c51:3f57:fe89
   Link-local IPv6 Address . . . : fe80::3496:1c51:3f57:fe89
   Default Gateway . . . . . . . : fe80::1

• Many operating systems will use random 64-bit Interface IDs for GUA and Link-Local IPv6 Addresses.

EUI-64 or random 64-bit value
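The EUI-64 steps in 5.2 (insert FF-FE, flip the U/L bit) and the "EUI-64 or random" question above can be checked in code. This is an added example, not part of the original slides: it builds the link-local address from a MAC and, going beyond the slides, reverses the process to recover the MAC that an EUI-64 address exposes to every device on the link. The function names are hypothetical.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")

def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Build FE80:: + modified EUI-64 Interface ID from a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the U/L bit (0x02 of the first byte) and insert FF-FE in the middle.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    # FE80 followed by 48 zero bits, then the 64-bit Interface ID.
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def mac_from_link_local(addr: str):
    """Return the MAC embedded in an EUI-64 link-local address, else None."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in LINK_LOCAL:
        raise ValueError("not a link-local address")
    iid = ip.packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # static (fe80::1) or random Interface ID
    # FF-FE present: most likely EUI-64, so undo the bit flip and drop FF-FE.
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ".".join(raw[i:i + 2].hex() for i in (0, 2, 4))

if __name__ == "__main__":
    # Addresses taken from the router and PC output on the slides.
    print(eui64_link_local("fc99.4775.c3e0"))
    for a in ("FE80::FE99:47FF:FE75:C3E0", "fe80::3496:1c51:3f57:fe89", "fe80::1"):
        print(a, "->", mac_from_link_local(a))
```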

5.3: Manually Created Link-Local Addresses

Link-Local Unicast Address

Link-local addresses are created:
• Automatically:
  • FE80 (usually) – First 10 bits
  • Interface ID
    • EUI-64 (Cisco routers)
    • Random 64 bits (many host operating systems)
• Static (manual) configuration
  • Only needed on devices where it helps the network administrator remember the address… routers, default gateways.

FE80::Interface ID
First 10 bits: 1111 1110 10xx xxxx | Remaining 54 bits | 64-bit Interface ID

Static Link-Local Addresses

Topology: R1 with G0/0 FE80::1, G0/1 FE80::1, S0/0/0 FE80::1

R1(config)#interface gigabitethernet 0/0
R1(config-if)#ipv6 address fe80::1 ?
  link-local  Use link-local address

R1(config-if)#ipv6 address fe80::1 link-local
R1(config-if)#exit
R1(config)#interface gigabitethernet 0/1
R1(config-if)#ipv6 address fe80::1 link-local
R1(config-if)#exit
R1(config)#interface serial 0/0/0
R1(config-if)#ipv6 address fe80::1 link-local
R1(config-if)#

• Link-Local Addresses have to be unique only on the link!
• Static addresses are more easily remembered and recognizable.

Link-Local Addresses: Local and Unique

Topology: R1 with G0/0 FE80::1, G0/1 FE80::1, S0/0/0 FE80::1; R2 with S0/0/0 and FE80::2, FE80::2, FE80::2

• Link-local addresses have to be unique only on the link but …
• Link-local addresses must be unique on the link!
• Hosts don’t need their link-local address statically configured – automatically created is fine.

5.4: Verifying Link-Local Addresses

Verifying Router’s Link-Local Address

R1#show ipv6 interface brief
GigabitEthernet0/0     [up/up]
    FE80::FE99:47FF:FE75:C3E0
    2001:DB8:CAFE:1::1
<output omitted>
R1#
R1# show ipv6 interface gigabitethernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::FE99:47FF:FE75:C3E0
  Global unicast address(es):
    2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
<output omitted>
R1#

Do I Need to Use the ipv6 enable Command?

Router(config)# interface gigabitethernet 0/1
Router(config-if)# ipv6 enable
Router(config-if)# end
Router# show ipv6 interface brief
GigabitEthernet0/1     [up/up]
    FE80::20C:30FF:FE10:92E1
Router#

Link-local unicast address only

• Link-local addresses are automatically created whenever a global unicast address is configured on the interface.
• The ipv6 enable command will:
  • Automatically create a link-local address when there is no global unicast address or static link-local address
  • Maintain the link-local address even when the global unicast address is removed

Pinging a Link-Local Address

Topology (figure labels): R1, R2; G0/0 FE80::1; Ser 0/0/0 :1 and Ser 0/0/0 :2; FE80::1, FE80::2; 2001:DB8:CAFE:2::/64; 2001:0DB8:ACAD:1::/64

R1# ping fe80::2
Output Interface: ser 0/0/0
% Invalid interface. Use full interface name without spaces (e.g. Serial0/1)
Output Interface: serial0/0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::2, timeout is 2 secs:
!!!!!

“FE80::2?” Must include exit-interface

IPv6 Routing Table and Link-Local Addresses

R1# show ipv6 route ospf

O   2001:DB8:CAFE:2::/64 [110/657]
     via FE80::2, Serial0/0/0
O   2001:DB8:CAFE:3::/64 [110/1304]
     via FE80::2, Serial0/0/0
O   2001:DB8:CAFE:A002::/64 [110/1294]
     via FE80::2, Serial0/0/0
R1#

Link-local addresses are used as next hop addresses

• IPv6 dynamic routing protocols like OSPFv3 and EIGRP form neighbor adjacencies and exchange messages using their link-local address as the source address.
