7: SLAAC (Stateless Address Autoconfiguration)

Rick Graziani
Cabrillo College
Rick.Graziani@cabrillo.edu

For more information please check out my Cisco Press book and video series:

• IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6
  • By Rick Graziani
  • ISBN-10: 1-58714-313-5
• IPv6 Fundamentals LiveLessons: A Straightforward Approach to Understanding IPv6
  • By Rick Graziani
  • ISBN-10: 1-58720-457-6


7.1: Introduction to SLAAC and ICMPv6 ND


Dynamic IPv6 Address Allocation

• DHCPv6 and SLAAC with DHCPv6 are discussed in Lesson 8.

[Figure: global unicast address configuration. Manual: Static, Static + EUI-64, IPv6 unnumbered (similar to IPv4 unnumbered). Dynamic: SLAAC, SLAAC + DHCPv6, DHCPv6, DHCPv6-PD, labelled Stateless and Stateful.]

Dynamic IPv4 Address Allocation

• DHCP Client: “I need IPv4 addressing information from a DHCP server.”
• DHCP Server: “Here is your IPv4 address, subnet mask, default gateway and DNS server addresses.”

ICMPv6: Internet Control Message Protocol for IPv6

• Described in RFC 4443
• Much more robust than ICMP for IPv4
• Contains new functionality and improvements.
• More than just “messaging” but “how IPv6 conducts business”.
• Including ICMPv6 Neighbor Discovery (RFC 4861) – used in dynamic address allocation.
• Note: ICMPv6 is discussed in detail in Lesson 9, ICMPv6 ND in Lesson 10.

“Introducing” ICMPv6 Neighbor Discovery

ICMPv6 informational messages used by Neighbor Discovery (RFC 4861):

Router-Device Messaging
• Router Solicitation Message
• Router Advertisement Message
  • Used for dynamic address allocation.

Device-Device Messaging
• Neighbor Solicitation Message
• Neighbor Advertisement Message
  • Used for address resolution (similar to IPv4 ARP) and with DAD

• Redirect Message (Similar to ICMPv4)

It Begins with the RA Message

• An ICMPv6 Router Advertisement (RA) suggests to all IPv6 devices on the link how they will receive IPv6 address information.
• Sent periodically by an IPv6 router or…
• … when the router receives a Router Solicitation message from a host.

[Figure: host, router and DHCPv6 server]
• Host, ICMPv6 Router Solicitation: “Multicast: To all IPv6 routers, I need IPv6 address information.”
• Router, ICMPv6 Router Advertisement: “Multicast: To all IPv6 devices, let me suggest to you how to do this …”
• DHCPv6 Server: “I might not even be needed.”


It Begins with the RA Message

Router Advertisement (RA) Message
• Part of ICMPv6 (Internet Control Message Protocol for IPv6)
• RA messages are sent by an “IPv6 router”
• An IPv6 router (ipv6 unicast-routing command):
  • Forwards IPv6 packets
  • Enables IPv6 static and dynamic routing
  • Sends ICMPv6 Router Advertisements
• Note: Routers can be configured with IPv6 addresses without being an IPv6 router.

Router(config)# ipv6 unicast-routing


Router Advertisement: 3 Options

Router(config)# ipv6 unicast-routing

Option 1: SLAAC – No DHCPv6 (Default on Cisco routers)
“I’m everything you need (Prefix, Prefix-length, Default Gateway)”

Option 2: SLAAC + Stateless DHCPv6 for DNS address
“Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.” (DNS can be in RA)

Option 3: All addressing except default gateway use DHCPv6
“I can’t help you. Ask a DHCPv6 server for all your information.”

Option 1 and 2: Stateless Address Autoconfiguration
• DHCPv6 Server does not maintain state of addresses
Option 3: Stateful Address Configuration
• Address received from DHCPv6 Server

• Options 2 and 3 are discussed in Lesson 8.


RA Message Options

The type of Router Advertisement option depends on two RA flags: the Other Configuration Flag and the Managed Configuration Flag.
• Default: Both flags are set to 0 (Option 1)
  • Use me (RA) for all your addressing information, no additional information available via DHCPv6.
• Other Configuration Flag when set to “1” (Option 2)
  • Use me (RA) for your address but you need to get OTHER information from a stateless DHCPv6 server.
• Managed Configuration Flag when set to “1” (Option 3)
  • The client needs to get ALL of its MANAGED information from a stateful DHCPv6 server, except default gateway.
• Note: Two other flags include the autonomous address-configuration flag and on-link flag. (“A” Flag discussed in Lesson 8, “L” Flag beyond the scope of this video.)


RA Message Options

Option                                                        Other Configuration (“O”) Flag   Managed Configuration (“M”) Flag
Option 1: SLAAC – No DHCPv6 (Default on Cisco routers)        0                                0
Option 2: SLAAC + Stateless DHCPv6 for DNS address            1                                0
Option 3: All addressing except default gateway use DHCPv6    0                                1

• Configuring Flags discussed in Lesson 8.
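The flag table can be read straight off the wire. The following is an added example, not part of the original slides: it parses an ICMPv6 Router Advertisement using the RFC 4861 field layout, extracts the M and O flags and the Prefix Information option (with its “A” and “L” flags), and maps the flags to Option 1, 2 or 3. The function names and the sample RA (built for 2001:db8:cafe:1::/64 with the checksum left at 0) are constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX_INFO = 134, 3   # ICMPv6 type and option numbers from RFC 4861

def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement, starting at the ICMPv6 type byte."""
    if len(icmp6) < 16 or icmp6[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    flags = icmp6[5]
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": struct.unpack("!H", icmp6[6:8])[0], "prefixes": []}
    pos = 16                                   # options follow the fixed header
    while pos + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed option")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            opt = icmp6[pos:pos + 32]
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False),
                "on_link": bool(opt[3] & 0x80),      # "L" flag
                "autonomous": bool(opt[3] & 0x40),   # "A" flag
            })
        pos += opt_len
    return ra

def addressing_option(ra: dict) -> str:
    """Map the M and O flags to the three options described in the slides."""
    if ra["M"]:
        return "Option 3: stateful DHCPv6"
    if ra["O"]:
        return "Option 2: SLAAC + stateless DHCPv6"
    return "Option 1: SLAAC only"

def build_sample_ra(m: bool, o: bool) -> bytes:
    """Constructed sample RA for 2001:db8:cafe:1::/64 (checksum left at 0)."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    prefix = ipaddress.IPv6Address("2001:db8:cafe:1::").packed
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0) + prefix
    return header + option

if __name__ == "__main__":
    for m, o in [(False, False), (False, True), (True, False)]:
        ra = parse_ra(build_sample_ra(m, o))
        print(addressing_option(ra), [str(p["prefix"]) for p in ra["prefixes"]])
```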


SLAAC: Stateless Address Autoconfiguration

Router(config)# ipv6 unicast-routing

ICMPv6 Router Advertisement
• Prefix and other information

SLAAC (Stateless Address Autoconfiguration)
• Allows a device to create its own IPv6 global unicast address without the services of a DHCPv6 server.
• Prefix: From the Router Advertisement (RA).
• Interface ID:
  • EUI-64
  • Random 64-bit value

Host on 2001:DB8:CAFE:1::/64: “I know the network prefix from the RA. I just need to come up with my own Interface ID for my GUA!”


Ignoring the RA Message?

• The ICMPv6 Router Advertisement suggests to the host how to get its address automatically.
• Can a host ignore an ICMPv6 Router Advertisement?
  • Host operating systems can include the option of ignoring the Router Advertisement from the router and only using the stateful services of a DHCPv6 server (or whatever it wants to do).
  • However, hosts can’t ignore the default gateway (source of RA) unless manually configured.

[Figure: ICMPv6 Router Advertisement, sent from the router’s link-local address]


7.2: Creating the Interface ID: EUI-64 or Random Value


Obtaining an IPv6 Address Automatically

SLAAC: Stateless Address Autoconfiguration

SLAAC Option 1 – RA Message

[Figure: three numbered steps on 2001:DB8:CAFE:1::/64]

1 – RA from the router:
  To: FF02::1 (All-IPv6 devices)
  From: FE80::1 (Link-local address)
  Prefix: 2001:DB8:CAFE:1::
  Prefix-length: /64

2 – Host (MAC: 00-19-D2-8C-E0-4C):
  Prefix: 2001:DB8:CAFE:1::
  Prefix-length: /64
  Default Gateway: FE80::1
  Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID (EUI-64 process or random 64-bit value)

3 – DHCPv6 Server

Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration.


SLAAC: Interface ID

Address layout: Global Routing Prefix (/48) | 16-bit Subnet ID (/64) | 64-bit Interface ID

The Interface ID comes from either:
• EUI-64 Process
• Randomly Generated Number (Privacy Extension)

SLAAC by operating system (columns: EUI-64, Random 64-bit):
• Windows XP, Server 2003 ✔
• Windows Vista and newer ✔
• MAC OSX ✔
• Linux ✔

Default OS behavior can be changed.


SLAAC: EUI-64 Option


Modified EUI-64 Format (Extended Unique Identifier–64)

MAC address:       00 19 D2 | 8C E0 4C          OUI (24 bits) | Device Identifier (24 bits)
Insert FF-FE:      00 19 D2 FF FE 8C E0 4C
U/L bit flipped:   first byte 00 (0000 0000) becomes 02 (0000 0010)
Interface ID:      02 19 D2 FF FE 8C E0 4C

Verifying SLAAC on the PC Using EUI-64

PC> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
  IPv6 Address. . . . . . . . : 2001:db8:cafe:1:0219:d2ff:fe8c:e04c
  Link-local IPv6 Address . . : fe80::0219:d2ff:fe8c:e04c
  Default Gateway . . . . . : fe80::1

• Prefix (2001:db8:cafe:1): Router Advertisement
• Interface ID (0219:d2ff:fe8c:e04c): EUI-64

A 64-bit Interface ID and the EUI-64 process accommodate:
• The IEEE specification for a 64-bit MAC address
• 64-bit boundary processing


SLAAC: Random 64-bit Interface ID


Verifying SLAAC on the PC Using Privacy Extension

PC-Windows7> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
  IPv6 Address. . . . . . . . : 2001:db8:cafe:1:50a5:8a35:a5bb:66e1
  Link-local IPv6 Address . . : fe80::50a5:8a35:a5bb:66e1
  Default Gateway . . . . . : fe80::1

• No FF-FE in the Interface ID


SLAAC: Including the DNS Server in the RA *

[Figure: router interface G0/1 on 2001:DB8:CAFE:1::/64 sends an ICMPv6 Router Advertisement with the prefix and other information; DNS Server at 2001:DB8:CAFE:1::99]

Router(config)# ipv6 unicast-routing
Router(config)# interface gigabitethernet 0/1
Router(config-if)# ipv6 nd ra dns server 2001:db8:cafe:1::99 600

Configures a DNS server with an IPv6 address of 2001:DB8:CAFE:1::99 to be advertised in an RA with a lifetime of 600 seconds.

Ensuring Unique Unicast Addresses

• SLAAC is stateless: no entity (DHCPv6 server) maintains a state of address-to-device mappings.
• How can we guarantee the address is unique?
  • Duplicate Address Detection (DAD)
  • Once required for all unicast addresses (static or dynamic); the RFC was updated so that DAD is only recommended.
  • /64 Interface IDs!

[Figure: a host (Global Unicast - 2001:db8:cafe:1:0219:d2ff:fe8c:e04c, Link-local - fe80::50a5:8a35:a5bb:66e1) sends a Neighbor Solicitation. Neighbor Advertisement?]
• Not received = unique address
• Received = duplicate address


7.3: Configuring a Router as a SLAAC Client


Routers versus IPv6 Routers

• A router (not enabled as an IPv6 router):
  • Configure IPv6 addresses
  • Member of All-IPv6 devices multicast group
• An IPv6 router:
  • Same as a non-IPv6 router
  • Member of All-IPv6 routers multicast group
  • Sends ICMPv6 Router Advertisement messages
  • Can enable IPv6 routing protocols
  • Forward IPv6 packets (transiting the router)

Router:
  Addresses: 2001:DB8:CAFE:1::1/64, FE80::1
  Multicast groups: FF02::1 (All-IPv6 devices)

IPv6 Router:
  Router(config)# ipv6 unicast-routing
  Addresses: 2001:DB8:CAFE:1::1/64, FE80::1
  Multicast groups: FF02::1 (All-IPv6 devices), FF02::2 (All-IPv6 routers)
  ICMPv6 Router Advertisement
  Forward IPv6 Packets
  RIPng, OSPFv3, EIGRP for IPv6

Configuring the Router as a Client

[Figure: R1 (Gig 0/1) and Client (Gig 0/1) on 2001:DB8:CAFE:1::/64; R1 sends ICMPv6 Router Advertisements]

R1 (“IPv6 Router”):

R1(config)# interface gig 0/1
R1(config-if)# ipv6 address 2001:db8:cafe:1::1/64
R1(config-if)# ipv6 address fe80::1 link-local
R1(config-if)# no shutdown
R1(config-if)# exit
R1(config)# ipv6 unicast-routing

Client:

Client(config)# interface gig 0/1
Client(config-if)# ipv6 enable ! Not needed
Client(config-if)# ipv6 address autoconfig default
Client(config-if)# no shutdown

Client: Link-local address created. “Now I can accept RA messages and get a GUA automatically!”

Verifying the RA Message

R1# show ipv6 interface gigabitethernet 0/1
GigabitEthernet0/1 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::1
  Global unicast address(es):
    2001:DB8:CAFE:1::1, subnet is 2001:DB8:CAFE:1::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::FB
    FF02::1:FF00:1
  ND router advertisements are sent every 200 seconds
  Hosts use stateless autoconfig for addresses.

(Partial output)

Verifying the Client (Router) Is Using SLAAC/EUI-64

Client# show ipv6 interface brief
GigabitEthernet0/1 [up/up]
    FE80::8A5A:92FF:FE3B:29E1
    2001:DB8:CAFE:1:8A5A:92FF:FE3B:29E1
<Rest of output omitted>

Client# show interface gigabitethernet 0/1
GigabitEthernet0/1 is up, line protocol is up
  Hardware is CN Gigabit Ethernet, address is 885a.923b.29e1 (bia 885a.923b.29e1)
<Rest of output omitted>

Router versus “IPv6 Router”

Client# show ipv6 route
IPv6 Routing Table - default - 4 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
       IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
       ND - ND Default, NDp - ND Prefix, DCE - Destination, NDr - Redirect
       O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ND  ::/0 [2/0]
     via FE80::1, GigabitEthernet0/1
NDp 2001:DB8:CAFE:1::/64 [2/0]
     via GigabitEthernet0/1, directly connected
<Rest of output omitted>

(Partial output)

• ND ::/0: Default route learned via Neighbor Discovery (SLAAC)
• NDp 2001:DB8:CAFE:1::/64: Prefix learned via Neighbor Discovery (SLAAC)


7.4: IPv6 Enabled Clients and Your Network


You Are Probably Already Running IPv6

• Windows Vista or later, Mac OSX, Linux are already running IPv6.
• Potential DoS or MITM attack, even if the router is not IPv6 enabled.
• Even if the router is not IPv6 enabled, your clients most likely are!
• I can still do a DoS attack on clients or perhaps even still do a MITM attack.
• There are mitigation techniques such as RA Guard.

[Figure: a client sends an RS, “I need an IPv6 prefix”; a Rogue RA answers, “Here is an IPv6 prefix and gateway”.]
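RA Guard filters rogue RAs at the switch; the same policy can be checked passively from captured RAs. The following is an added example, not part of the original slides: it audits RA observations against an allowlist of router senders and expected prefixes, and an empty allowlist models the IPv4-only segment described above, where any RA is unexpected. The observation records, MAC addresses and the 2001:db8:bad::/64 prefix are constructed sample data; only FE80::1 and 2001:db8:cafe:1::/64 come from the slides.

```python
import ipaddress

def audit_ras(observations, trusted_routers, expected_prefixes):
    """Return (observation, reasons) for every RA that violates the link policy.

    trusted_routers: (link-local source, source MAC) pairs allowed to send RAs.
    An empty collection models an IPv4-only segment, where any RA is unexpected.
    """
    trusted = {(ipaddress.IPv6Address(ll), mac.lower()) for ll, mac in trusted_routers}
    allowed = {ipaddress.IPv6Network(p) for p in expected_prefixes}
    findings = []
    for obs in observations:
        reasons = []
        src = ipaddress.IPv6Address(obs["src"])
        if not src.is_link_local:          # RFC 4861: RAs come from link-local sources
            reasons.append("source is not a link-local address")
        if (src, obs["mac"].lower()) not in trusted:
            reasons.append("sender is not a trusted router")
        for prefix in obs["prefixes"]:
            if ipaddress.IPv6Network(prefix) not in allowed:
                reasons.append(f"unexpected prefix {prefix}")
        if reasons:
            findings.append((obs, reasons))
    return findings

# Constructed policy and observations (already parsed from captured RAs).
TRUSTED = {("fe80::1", "00:11:22:33:44:55")}
PREFIXES = ["2001:db8:cafe:1::/64"]
SAMPLE_RAS = [
    {"src": "fe80::1", "mac": "00:11:22:33:44:55", "prefixes": ["2001:db8:cafe:1::/64"]},
    {"src": "fe80::1", "mac": "66:77:88:99:aa:bb", "prefixes": ["2001:db8:cafe:1::/64"]},
    {"src": "fe80::bad:1", "mac": "66:77:88:99:aa:bb", "prefixes": ["2001:db8:bad::/64"]},
]

if __name__ == "__main__":
    for obs, reasons in audit_ras(SAMPLE_RAS, TRUSTED, PREFIXES):
        print(obs["src"], obs["mac"], "->", "; ".join(reasons))
```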


SLAAC with DHCPv6

[Figure: global unicast address configuration. Manual: Static, Static + EUI-64, IPv6 unnumbered (similar to IPv4 unnumbered). Dynamic: SLAAC, SLAAC + DHCPv6, DHCPv6, DHCPv6-PD, labelled Stateless and Stateful. Marked: Lesson 8.]
