IPv6 (Hard)core Networking Services
Daniel Sörlöv, Senior Consultant, Trainer & Speaker, Svensk IT Funktion AB
WSV312
History of IP
Around 1980 IP was defined
IPv6 started in the 1990s as IPNG
First IPv6 RFC published in 1995
Primary definition today is RFC 2640
IPv4 problems
Complicated headers (checksum calculations)
Limited address space
Slow option handling
No QoS, encryption, integrity
NAT
Why should we care about IPv4 exhaustion?
32 bits
4 294 967 296 addresses
256 /8 blocks
”There is still reserved space”
Current IPv4 Situation & Projections
IANA: Exhausted
APNIC: 19-apr-2011 (!)
RIPE NCC: 14-aug-2012
ARIN: 20-jun-2013
LACNIC: 29-jan-2014
AFRINIC: 05-nov-2014
Two routes to escape exhaustion
Decrease LIR allocation policy
More administrative work, complicates delegations
Use NAT, NAPT
Breaks communications (?)
Negative effect on old protocols (?)
Perceived as a security measure (?)
Solving the problem without magic tricks (NAT)
128 bits, or 340282366920938463263274607431768211456 addresses
2^64 nodes per subnet
Fixed subnet size
IPv6 Address (128 bits): Network ID (64 bits) | Interface ID (64 bits)
Perspective to that scale
Total earth surface is about 198 million sq. miles
You end up with 4.28 × 10^20 addresses per sq. inch!
Dividing the address
001 (3 bits) | routing prefix (45 bits) | subnet id (16 bits) | interface id (64 bits)
IANA -> RIR, RIR -> LIR, /48 assigned to customer
Will this be enough?
RIRs requesting new blocks every 18 months
The current block assigned by IETF will run out 2158
1/8th of the total is assigned!
More than 5/8th will still be available
000/3 and 111/3 are reserved!
Terminology
Node: equipment handling IPv6 in any way
Router: equipment doing IPv6 routing
Host: equipment that does NOT route packets
Link: a LAN or WAN network
Neighbor: a node on the same link
Packet: header + data
IPv4 to IPv6 changes
Simplified headers
Scalability
Better option handling
QoS support built in
Encryption (ESP, Encapsulating Security Payload)
Authentication (AH, Authentication Header)
Integrity (AH+ESP)
Self-configuring
IPv6 Address format
Full form: FE80:0:0:0:0290:27FF:0077:DE97
Zero group compression: FE80::0290:27FF:0077:DE97
Leading zero trimming: FE80::290:27FF:77:DE97
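The two steps on this slide, written out as code. This is an added example, not material from the deck: it expands an address to the full eight-group form, trims the leading zeros of each group, then compresses the longest run of zero groups into "::" following the RFC 5952 tie-break rules (longest run wins, the leftmost on a tie, never a single group), and cross-checks the result against Python's ipaddress module. The last function shows why this matters operationally: an allow-list or log filter that compares addresses as strings will miss "fe80::290:27ff:77:de97" when the entry was written as "FE80::0290:27FF:0077:DE97".

```python
import ipaddress


def expand(addr: str) -> str:
    """Full form: eight groups of four hex digits, no '::' and no trimmed zeros."""
    return ipaddress.IPv6Address(addr).exploded.upper()


def trim_leading_zeros(full: str) -> str:
    """Drop leading zeros inside each 16-bit group (an all-zero group becomes '0')."""
    return ":".join(group.lstrip("0") or "0" for group in full.split(":"))


def compress_zero_groups(trimmed: str) -> str:
    """Replace the longest run of consecutive zero groups with '::'.

    RFC 5952 rules: the run must be at least two groups long, the longest run
    wins, and on a tie the first (leftmost) run is the one compressed.
    """
    groups = trimmed.split(":")
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, group in enumerate(groups + ["end"]):   # sentinel closes a trailing run
        if group == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:                  # strict '>' keeps the first run on a tie
                best_start, best_len = run_start, run_len
            run_len = 0
    if best_len < 2:
        return trimmed
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def canonical(addr: str) -> str:
    """Apply the slide's steps in order: expand, trim, compress."""
    return compress_zero_groups(trim_leading_zeros(expand(addr)))


def same_address(a: str, b: str) -> bool:
    """Compare two textual addresses by value, not by spelling."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


if __name__ == "__main__":
    slide_address = "FE80:0:0:0:0290:27FF:0077:DE97"
    print("expanded  :", expand(slide_address))
    print("trimmed   :", trim_leading_zeros(expand(slide_address)))
    print("canonical :", canonical(slide_address))
    print("ipaddress :", ipaddress.IPv6Address(slide_address))
```

The canonical form produced here matches what ipaddress prints, apart from letter case; the standard library is the better choice in production, and the hand-written version is only there to make the rules visible.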
IPv6 Allocations
This is about 15% of the total address space
If you heard of ”Site Local” (FEC0), that is deprecated
Address Type          Binary Prefix   Prefix     Part of Total
Reserved by IETF      0000 0000       /8         1/256
Global Unicast        001             2000::/3   1/8
Link Local            1111 1110 10    FE80::/7   1/1024
Multicast             1111 1111       FF::/8     1/15
Unique Local Unicast  1111 1100       FC0::/7    1/1024
Source: http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.txt
Very important about FEC0
Microsoft still uses the deprecated range for DNS-servers
fec0:0:0:ffff::1
fec0:0:0:ffff::2
fec0:0:0:ffff::3
As a last resort only!
Common addresses
Loopback: 0:0:0:0:0:0:0:1 or ::1 (was 127.0.0.1)
Unspecified: 0:0:0:0:0:0:0:0 or :: (was 0.0.0.0)
Link Local Addresses
FE80 prefix
Similar to IPv4 APIPA (169.254.0.0/16)
Only for on-link communication, not routable
Used for auto configured addresses and the neighbor discovery process
Layout: 1111 1110 10 (10 bits) | 00 .. 00 (54 bits) | interface id (64 bits)
Multicast Addresses
1111 1111 (8 bits) | flags (4 bits) | scope (4 bits) | reserved (8 bits) | plen (8 bits) | net prefix (64 bits) | group prefix (32 bits)
Flags: 0 = well known address, 1 = transient address
Scope: 1 = Node Local, 2 = Link Local, 14 = Global Internet
Group ID: 1 = All nodes, 2 = All routers, 101 = all NTP servers
Global Unicast
001 (3 bits) | routing prefix (45 bits) | subnet id (16 bits) | interface id (64 bits)
Address Type       Binary Prefix   Prefix
Unspecified        000…0           ::/128
Loopback           0000…01         ::1/128
ULA                1111 110        FC00::/7
Assigned to RIRs   001             2003:/3
Global Unicast     Everything else!!
Unique Local Addresses (ULA)
1111 110 (7 bits) | L (1 bit) | global (40 bits) | subnet (16 bits) | interface id (64 bits)
L=1
FC00::/7 prefix
Local or site local communications
Most likely will be unique and not expected to be routable
Well known, somewhat like RFC 1918
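A classifier that applies the prefix tables and bit layouts from the preceding slides (global unicast, link-local, unique local, multicast, the deprecated site-local range, loopback and unspecified) and splits each address into the fields the slides draw. This is an added example, not code from the deck. The multicast scope names beyond the three the slide lists come from RFC 4291; everything else follows the slides' own layouts: 3 + 45 + 16 + 64 bits for global unicast, 7 + 1 + 40 + 16 + 64 for ULA, and the flags/scope nibbles in the second byte of a multicast address.

```python
import ipaddress

MULTICAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                    5: "site-local", 8: "organization-local", 14: "global"}


def classify(addr: str) -> dict:
    """Classify one address by prefix and split out the fields of its layout."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    info = {"address": str(a)}
    if n == 0:
        info["type"] = "unspecified"
    elif a.is_loopback:
        info["type"] = "loopback"
    elif a in ipaddress.IPv6Network("fe80::/10"):
        info["type"] = "link-local"
        info["interface_id"] = f"{n & ((1 << 64) - 1):016x}"
    elif a in ipaddress.IPv6Network("fec0::/10"):
        info["type"] = "site-local (deprecated)"
    elif a in ipaddress.IPv6Network("fc00::/7"):
        info["type"] = "unique-local"
        info["L"] = (n >> 120) & 1                         # 1 = locally assigned (FD00::/8)
        info["global_id"] = f"{(n >> 80) & ((1 << 40) - 1):010x}"
        info["subnet_id"] = (n >> 64) & 0xFFFF
    elif a.is_multicast:
        flags = (n >> 116) & 0xF                           # high nibble of the second byte
        scope = (n >> 112) & 0xF                           # low nibble of the second byte
        info["type"] = "multicast"
        info["transient"] = bool(flags & 0x1)              # T bit: 0 well-known, 1 transient
        info["scope"] = MULTICAST_SCOPES.get(scope, f"scope {scope}")
        info["group_id"] = n & ((1 << 112) - 1)
    elif a in ipaddress.IPv6Network("2000::/3"):
        info["type"] = "global-unicast"
        # 3-bit 001 + 45-bit routing prefix = the /48 handed to the customer
        info["routing_prefix"] = str(ipaddress.IPv6Network(((n >> 80) << 80, 48)))
        info["subnet_id"] = (n >> 64) & 0xFFFF
        info["interface_id"] = f"{n & ((1 << 64) - 1):016x}"
    else:
        info["type"] = "reserved/other"
    return info


if __name__ == "__main__":
    for sample in ("2001:db8:1234:5678::1", "fe80::1", "fd12:3456:789a:1::1",
                   "ff02::1", "ff05::101", "fec0:0:0:ffff::1", "::1", "::"):
        print(classify(sample))
```

Running it on the deck's own values shows, for instance, that the Microsoft DNS fallback addresses (fec0:0:0:ffff::1..3) fall into the deprecated site-local range and that ff02::1 is a well-known (non-transient) link-local scope group, which is the kind of check a firewall or log-enrichment rule can apply.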
Windows and IPv6
IPv6 is Preferred
Nameserver query
Try to reach IPv6
Try to reach IPv4
Timeout
PING & NSLOOKUP
Same tools and same syntax.
IPv6 Header Format
Ver (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)
Payload Length (16 bits) | Next Header (8 bits) | Hop Limit (8 bits)
128-bit source address
128-bit destination address
Total 40 bytes
IPv6 Header Format gains
Fixed length
Extension headers
Is not protected by checksum
Payload length and not total length
Hop-Limit introduced
Extension Headers
IPv6 Header (Next-header: Hop-by-hop)
-> Hop-by-hop Header (Next-header: Destination Options)
-> Destination Options Header (Next-header: Routing)
-> Routing Header (Next-header: Fragment)
-> Fragment Header (Next-header: AH)
-> AH (Next-header: ESP)
-> ESP Header
Extension Header Handling
Only processed by the destination node, except for the Hop-By-Hop Header
Packet voided if unrecognized headers found
Recommended ordering
Next header value 59: ”No more headers”
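A parser for the fixed header and the Next Header chain described on the last few slides, added here as an example (it is not code from the deck). It decodes the 40-byte header from a constructed packet, walks the extension headers until it reaches an upper-layer protocol or value 59, and raises on the two conditions the slide says void a packet: an unrecognized Next Header value, and a Hop-by-Hop header that is not directly after the IPv6 header. The per-header length rules (Fragment is fixed at 8 octets, AH is counted in 32-bit words, the rest in 8-octet units) are from RFC 2460/4302; the sample packets are constructed in the block.

```python
import ipaddress
import struct

EXTENSION_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
                     51: "AH", 60: "Destination Options"}
TERMINAL = {6: "TCP", 17: "UDP", 50: "ESP", 58: "ICMPv6", 59: "No Next Header"}


def parse_ipv6_header(pkt: bytes) -> dict:
    """Decode the fixed 40-byte header. There is no header checksum to verify."""
    if len(pkt) < 40:
        raise ValueError("shorter than the fixed header")
    word0, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word0 >> 28 != 6:
        raise ValueError("not IPv6")
    if len(pkt) != 40 + payload_len:
        raise ValueError("payload length does not match packet size")
    return {
        "traffic_class": (word0 >> 20) & 0xFF,
        "flow_label": word0 & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def walk_headers(pkt: bytes):
    """Follow the Next Header chain; returns (fixed header, chain, payload offset)."""
    hdr = parse_ipv6_header(pkt)
    chain, offset, nh = [], 40, hdr["next_header"]
    while nh in EXTENSION_HEADERS:
        if nh == 0 and offset != 40:
            raise ValueError("Hop-by-Hop must directly follow the IPv6 header")
        if offset + 2 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[offset], pkt[offset + 1]
        if nh == 44:
            size = 8                          # Fragment header is fixed size
        elif nh == 51:
            size = (ext_len + 2) * 4          # AH: length in 32-bit words, minus 2
        else:
            size = (ext_len + 1) * 8          # others: 8-octet units, not counting the first
        if offset + size > len(pkt):
            raise ValueError("extension header runs past end of packet")
        chain.append(EXTENSION_HEADERS[nh])
        offset += size
        nh = next_nh
    if nh not in TERMINAL:
        raise ValueError(f"unrecognized Next Header value {nh}")
    chain.append(TERMINAL[nh])
    return hdr, chain, offset


def is_well_formed(pkt: bytes) -> bool:
    try:
        walk_headers(pkt)
        return True
    except ValueError:
        return False


def build_packet(ext_headers, first_next_header: int) -> bytes:
    """Constructed sample: fe80::1 -> ff02::1, hop limit 64, given extension headers."""
    payload = b"".join(ext_headers)
    word0 = 6 << 28                           # version 6, traffic class 0, flow label 0
    fixed = struct.pack("!IHBB", word0, len(payload), first_next_header, 64)
    src = ipaddress.IPv6Address("fe80::1").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    return fixed + src + dst + payload


PADN = bytes([1, 4, 0, 0, 0, 0])              # PadN option filling the 6 spare octets
# IPv6 | Hop-by-Hop -> Dest Options -> 59 : the ordering the slide recommends
HBH_THEN_DST = build_packet([bytes([60, 0]) + PADN, bytes([59, 0]) + PADN], 0)
# IPv6 | Dest Options -> Hop-by-Hop : Hop-by-Hop out of place, must be rejected
DST_THEN_HBH = build_packet([bytes([0, 0]) + PADN, bytes([59, 0]) + PADN], 60)
# IPv6 | Hop-by-Hop -> 253 (experimental) : unrecognized, must be rejected
UNKNOWN_NEXT = build_packet([bytes([253, 0]) + PADN], 0)

if __name__ == "__main__":
    header, chain, offset = walk_headers(HBH_THEN_DST)
    print(header["src"], "->", header["dst"], chain, "payload at", offset)
    for name, pkt in (("out-of-order", DST_THEN_HBH), ("unknown", UNKNOWN_NEXT)):
        print(name, "well-formed:", is_well_formed(pkt))
```

Note that the walk stops at ESP: its Next Header field sits in the encrypted trailer, so a middlebox cannot see past it, which is also why filtering decisions on extension-header chains should be made before ESP, not after.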
Traffic Class & Flow Label
Traffic Class (8-bit)
Similar to TOS in IPv4
RFC 2460
Flow label
Real-time applications
RFC 3697 obsoleted by RFC 643
Both are still considered experimental!
Control Protocols
IPv4: ICMP, ARP etc.
IPv6: ICMPv6
ICMPv6
Type field: 0-127 is errors, 128-255 is informational
Body includes start of invoking packet
Must not be fragmented
Must not be originated in reply to ICMPv6 error or redirects
type (8 bits) | code (8 bits) | checksum (16 bits) | message
Broadcast is dead – long live multicast
Multicast replaces Broadcast
All IPv6 nodes must support multicast
You must enable IGMP snooping
”All nodes on-link” multicast group
Nodes: node-local is FF01::1, link-local is FF02::1
Routers: node-local is FF01::2, link-local is FF02::2
Solicited-node multicast groups
Nodes with similar addresses will join
Globally assigned FF02::1:FF00:0/104
Low order 24 bits of node address
Example: Node 2001:db8::2:20ef:345f:3254:d851 joins FF02::1:FF00:0:3254:d851
Neighbor Discovery (ND)
Relies on ICMPv6
Uses multicast
Requests link-layer address by using a neighbor solicitation (NS) query
Neighbor Advertisement (NA) (flag S1 = in response to NS, S2 = unsolicited NA)
Neighbor information stored in the Neighbor cache (NC) and the Destination cache (DC)
Neighbor Discovery Proxy (ND-Proxy)
Can reply to NS-queries
Must not be preferred from nodes
Flags in response: 0 = Reachable and stale, 1 = Reachable and updated
ND is the new ARP!
ARP is dependent on broadcast
Reduces network load
Improved robustness
Neighbor unreachability detection
Half-link failure detection
Notification to upper layer
Anycast
Same unicast assigned to multiple nodes
Delivered to the ”nearest” matching interface
Increases service availability and reliability
Allocated from normal unicast pool
IPv6 Node Configuration
IPv6 Address = Network ID + Interface ID
Interface ID: manual, or auto (stateful or stateless)
Network ID: manual, auto (stateful or stateless), or pre-defined well-known prefix (FE80..)
Additional parameters: routers
Interface Identifier Configuration
Manual configuration
Auto configuration (EUI-64)
Auto configuration (Randomization)
DHCPv6
Pseudo-random ID
Cryptographically generated ID
Extended Unique Identifier (EUI-64)
MAC:              22 1F 74 C5 16 51
EUI-64:           22 1F 74 FF FE C5 16 51
Modified EUI-64:  20 1F 74 FF FE C5 16 51
U/L bit inverted: 0001 0110 -> 0001 0100
Interface Auto configuration
Modified EUI-64 derived from MAC (not Windows!!)
Collisions/duplicate addresses
Duplicate MAC addresses
Duplicate Interface ID (manual configuration)
Neighbor Discovery (ND) locates the owner of an address
DAD based on ND
DAD – Duplicate Address Detection
Node X starts and will assign address Y on interface I
Interface I joins multicast groups:
FF02::1 (all hosts)
FF02::1:FF00:0:Y (solicited node multicast)
Are there any NS queries (dst FF02::1:FF00:0:Y, src ::)?
X sends NS (dst FF02::1:FF00:0:Y, src ::)
Is there an NA (flag=S0) sent to FF02::1?
Must be performed for all Unicast, but not Anycast
SLAAC – StateLess Address Auto Configuration
Link-local is already ”configured”
Well-known network id (FE80)
Interface id (MEUI-64)
DAD resolved any conflicts
Neighbor communication established
Next is to find routers, networks etc.
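The address-formation chain from the EUI-64, solicited-node, DAD and SLAAC slides, carried through in one added example (not code from the deck). It builds the Modified EUI-64 interface id from the slide's MAC 22-1F-74-C5-16-51 (insert FF FE, invert the U/L bit), prepends the well-known FE80 prefix or an RA-announced /64, derives the solicited-node group from the low-order 24 bits as the slide states, lists the groups an interface joins before DAD, and simulates the DAD outcome against a constructed list of on-link addresses. Applying the 24-bit rule to the slide's example node 2001:db8::2:20ef:345f:3254:d851 gives FF02::1:FF54:D851. The MAC and prefixes used are the slide's or constructed.

```python
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """MAC-48 -> EUI-64 (insert FF FE in the middle) -> Modified EUI-64 (invert U/L bit)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]        # 0x02 of the first octet is the U/L bit


def hex_groups(b: bytes) -> str:
    """Render bytes as colon-separated 16-bit hex groups (for display only)."""
    return ":".join(f"{b[i] << 8 | b[i + 1]:04x}" for i in range(0, len(b), 2))


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Link-local = well-known FE80::/64 network id + Modified EUI-64 interface id."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_modified_eui64(mac))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Global address from a /64 prefix (as learned from an RA) plus the same interface id."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac))


def solicited_node(addr) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx where xx:xxxx are the low-order 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def dad_groups(addr):
    """Groups an interface joins before running DAD: all-nodes and its solicited-node group."""
    return [ipaddress.IPv6Address("ff02::1"), solicited_node(addr)]


def dad_conflict(tentative, on_link_addresses) -> bool:
    """Simulated DAD. The NS (src ::, dst solicited-node group) is only seen by nodes in
    that group; one of them owning the tentative address would answer with an NA."""
    target = ipaddress.IPv6Address(tentative)
    group = solicited_node(target)
    listeners = [ipaddress.IPv6Address(a) for a in on_link_addresses
                 if solicited_node(a) == group]
    return any(a == target for a in listeners)


if __name__ == "__main__":
    mac = "22-1F-74-C5-16-51"                           # the MAC from the EUI-64 slide
    iid = mac_to_modified_eui64(mac)
    print("Modified EUI-64 :", hex_groups(iid))
    ll = link_local_from_mac(mac)
    print("link-local      :", ll)
    print("SLAAC address   :", slaac_address("2001:db8:1::/64", mac))
    print("joins           :", [str(g) for g in dad_groups(ll)])
    # constructed on-link neighbours; the first one already owns our link-local address
    print("DAD conflict    :", dad_conflict(ll, [str(ll), "fe80::1"]))
```

The interface id derived from a MAC is the same on every link the host joins, which is why the slide recommends randomized or cryptographically generated ids for privacy; the address-formation code above is what an inventory or detection tool would use to map a seen address back to a hardware address.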
Finding a router
All routers must join multicast group All Routers (FF02::2)
Clients send a Router Solicitation (RS) query
Routers send out a Router Advertisement (RA) message
Periodically
In response to RS queries
Router advertisements
M = Address via DHCPv6
O = Options via DHCPv6
type (134, 8 bits) | code (0, 8 bits) | checksum (16 bits)
ttl | M | O | reserved
router lifetime
reachable time
retransmit time
variable length options
RA-options
Prefix information
Prefix ID and its length
Lifetime for the prefix
Maximum Transmission Unit (MTU)
Link-layer address of source
DEATH BY RA
Music by Martin MinorTraffic dumps by Hasain Alshakarti
Death by RA
Do NOT route RA
Filter RA from ports that shouldn’t send them!
All clients MUST process all RA!
Secure ND
On-link only!
Do NOT route ND
Filter RA with TTL < 255
Generalized TTL Security Mechanism (GTSM, RFC 5082)
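The "Death by RA" and "Secure ND" rules, turned into a checker an administrator could run against captured Router Advertisements. This is an added example, not code or traffic dumps from the deck. It decodes an ICMPv6 RA (type 134) with the fields and options from the RA slides (M/O flags, router lifetime, prefix information, MTU, source link-layer address), then applies the three rules on the slide: hop limit must be 255 (GTSM: a packet that was ever forwarded cannot still have it), the source must be link-local, and the RA must arrive on a port where a router is allowed. The port allow-list and the sample RA are constructed; the checksum is decoded but not verified, since that needs the IPv6 pseudo-header. It also includes the type-range rule from the ICMPv6 slide.

```python
import ipaddress
import struct

# Constructed assumption: only the uplink port faces a legitimate router
ALLOWED_RA_PORTS = {"Gi1/0/48"}
RA_OPTIONS = {1: "Source Link-Layer Address", 3: "Prefix Information", 5: "MTU"}


def icmpv6_class(msg_type: int) -> str:
    """ICMPv6 types 0-127 are errors, 128-255 informational."""
    return "error" if msg_type < 128 else "informational"


def parse_ra(msg: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement and its TLV options."""
    if len(msg) < 16:
        raise ValueError("RA shorter than 16 octets")
    (msg_type, code, checksum, cur_hop_limit, flags,
     router_lifetime, reachable, retrans) = struct.unpack("!BBHBBHII", msg[:16])
    ra = {"type": msg_type, "code": code, "checksum": checksum,
          "cur_hop_limit": cur_hop_limit,
          "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": router_lifetime, "reachable_time": reachable,
          "retrans_timer": retrans, "options": []}
    offset = 16
    while offset < len(msg):
        if offset + 2 > len(msg):
            raise ValueError("truncated option")
        opt_type, opt_len = msg[offset], msg[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")        # would loop forever otherwise
        size = opt_len * 8                                 # length is in 8-octet units
        body = msg[offset + 2:offset + size]
        if len(body) != size - 2:
            raise ValueError("option runs past end of message")
        opt = {"option": RA_OPTIONS.get(opt_type, f"type {opt_type}")}
        if opt_type == 3 and size == 32:                   # Prefix Information
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            opt.update(prefix=f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                       on_link=bool(pflags & 0x80), autonomous=bool(pflags & 0x40),
                       valid_lifetime=valid, preferred_lifetime=preferred)
        elif opt_type == 5 and size == 8:                  # MTU
            opt["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif opt_type == 1:                                # Source Link-Layer Address
            opt["link_layer_address"] = body.hex(":")
        ra["options"].append(opt)
        offset += size
    return ra


def validate_ra(ingress_port: str, src: str, ipv6_hop_limit: int, msg: bytes) -> dict:
    """Apply the slide's rules: on-link only, and only from permitted router ports."""
    ra = parse_ra(msg)
    reasons = []
    if ra["type"] != 134 or ra["code"] != 0:
        reasons.append(f"not an RA: type {ra['type']} code {ra['code']}")
    if ipv6_hop_limit != 255:
        reasons.append(f"hop limit {ipv6_hop_limit} < 255: not originated on-link (GTSM)")
    if ipaddress.IPv6Address(src) not in ipaddress.IPv6Network("fe80::/10"):
        reasons.append(f"source {src} is not link-local")
    if ingress_port not in ALLOWED_RA_PORTS:
        reasons.append(f"RA arrived on non-router port {ingress_port}")
    return {"accept": not reasons, "reasons": reasons, "ra": ra}


def build_sample_ra(prefix="2001:db8:1::", plen=64, mtu=1500,
                    lladdr="00:11:22:33:44:55") -> bytes:
    """Constructed RA: M=0, O=0, lifetime 1800 s, PIO + MTU + SLLA options, checksum 0."""
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x00, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, plen, 0xC0, 2592000, 604800, 0)
    pio += ipaddress.IPv6Address(prefix).packed
    mtu_opt = struct.pack("!BBHI", 5, 1, 0, mtu)
    slla = bytes([1, 1]) + bytes.fromhex(lladdr.replace(":", ""))
    return header + pio + mtu_opt + slla


if __name__ == "__main__":
    sample = build_sample_ra()
    print(validate_ra("Gi1/0/48", "fe80::1", 255, sample))       # legitimate router
    print(validate_ra("Gi1/0/7", "fe80::abcd", 64, sample))      # rogue: wrong port, hop limit
```

The same three checks are what RA Guard on a switch enforces in hardware; the point of the slide is that every client processes every RA it receives, so the filtering has to happen before the frame reaches the client.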
Fragmentation notes
Problems with fragmentation
Inefficient use of resources
Degraded performance
Reassembly is hard
Reasons to fragment
Path MTU (PMTU) mismatch
The TCP/IP stack
Fragmentation deep-dive
“Fragmentation” by source only!
No more ”Don’t fragment” flag
Minimum MTU set to 1280 bytes
If a packet is above the MTU an ICMP error is returned
Detecting PMTU
Sending packets increasingly from 1280 bytes
When hitting the limit somewhere, store it in the DC (Destination Cache)
IPv6 & DNS
New (?) resource record type introduced
www.gurka.se IN AAAA 2001:ac8:ac2::1
Reverse records (PTR)
Arranged in ”nibbles” (4 bits in hex)
Domain namespace is ipv6.arpa.
2001:db8::20:219f:bd8c:17af is now:
f.a.7.1.c.8.d.b.f.9.2.1.0.2.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ipv6.arpa.
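The nibble-reversal from the PTR slide as code, plus the forward AAAA line. This is an added example, not from the deck. It generalizes the slide slightly: besides the full reverse name for a host address it also computes the reverse zone apex for an allocation (a /32 or /48, any nibble-aligned prefix) and the owner name relative to that zone, which is what actually goes into a zone file. Names are emitted under ip6.arpa, the reverse domain defined for IPv6 in RFC 3596, and cross-checked against the ipaddress module. Owner names and TTLs are constructed.

```python
import ipaddress


def aaaa_record(owner: str, addr: str, ttl: int = 3600) -> str:
    """Forward record line in the same presentation form as the slide's example."""
    return f"{owner} {ttl} IN AAAA {ipaddress.IPv6Address(addr)}"


def ip6_arpa_name(addr: str) -> str:
    """Reverse name: all 32 nibbles in reverse order under ip6.arpa (RFC 3596)."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix: str) -> str:
    """Zone apex holding the PTRs for a prefix; the length must be a multiple of 4 bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse zones are cut on 4-bit (nibble) boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def ptr_owner_in_zone(addr: str, prefix: str) -> str:
    """Owner name relative to reverse_zone(prefix), as written inside that zone file."""
    net = ipaddress.IPv6Network(prefix)
    if ipaddress.IPv6Address(addr) not in net:
        raise ValueError(f"{addr} is not inside {prefix}")
    zone = reverse_zone(prefix)
    full = ip6_arpa_name(addr)
    return full[: -(len(zone) + 1)]          # strip ".<zone apex>"


def ptr_record(addr: str, target: str, ttl: int = 3600) -> str:
    return f"{ip6_arpa_name(addr)} {ttl} IN PTR {target}"


if __name__ == "__main__":
    host = "2001:db8::20:219f:bd8c:17af"    # the address from the PTR slide
    print(aaaa_record("www.gurka.se.", "2001:ac8:ac2::1"))
    print(ptr_record(host, "host.example.net."))
    print("zone apex for 2001:db8::/32 :", reverse_zone("2001:db8::/32"))
    print("owner inside that zone      :", ptr_owner_in_zone(host, "2001:db8::/32"))
    print("ipaddress agrees            :",
          ip6_arpa_name(host) == ipaddress.IPv6Address(host).reverse_pointer + ".")
```

Because every nibble of the address becomes a label, a single transposed digit silently points the PTR at a different host; generating the names from the parsed address rather than by hand is the reliable way to keep forward and reverse records in step.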
LLMNR – Link-Local Multicast Name Resolution
Very similar to DNS queries and responses
Sends query on UDP port 5355 on FF02::1:3
Responses are sent by authoritative machines via unicast
Defined in RFC 4795
Separate cache, not the same as the DNS resolver or NetBT
Only for very small networks
Name resolution ordering
DNS
LLMNR (if not FQDN, IPv6 & IPv4)
NetBT (if not FQDN, IPv4)
Migration & Stacks
Dual stack mode (IPv4+IPv6)
Most workstations are in this mode
Windows prefers IPv6
Make sure you have control!!
Tunneling IPv6 over IPv4
NAT64 to translate between versions
Tunneling
6to4 (RFC 3056)
Requires public IPv4 endpoints
Teredo (RFC 4380)
NAT-T supported
Enabled by default (teredo.ipv6.microsoft.com)
ISATAP (RFC 4212)
Relies on host ISATAP
Blacklisted by default in domain
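The three tunnel mechanisms on this slide each embed IPv4 endpoint information in the IPv6 address, which is what lets an analyst spot tunneled traffic in logs and enforce the "make sure you have control" point from the Migration slide. The following is an added example, not code from the deck: it derives a 6to4 prefix from a public IPv4 address (2002:WWXX:YYZZ::/48) and decodes 6to4, Teredo (server, flags, obfuscated client port and address) and ISATAP (::0:5EFE:w.x.y.z interface id) addresses back to their IPv4 endpoints. The address formats are those of RFC 3056, RFC 4380 and RFC 5214; the sample addresses are constructed using documentation ranges.

```python
import ipaddress


def sixto4_prefix(public_v4: str) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48 for the public IPv4 address W.X.Y.Z."""
    v4 = int(ipaddress.IPv4Address(public_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def decode_tunnel_address(addr: str) -> dict:
    """Identify the tunnel mechanism an address belongs to and extract its IPv4 endpoints."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if a in ipaddress.IPv6Network("2002::/16"):
        return {"mechanism": "6to4",
                "ipv4_endpoint": str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))}
    if a in ipaddress.IPv6Network("2001::/32"):
        # prefix(32) | server IPv4(32) | flags(16) | port ^ 0xFFFF(16) | client IPv4 ^ 0xFFFFFFFF(32)
        return {"mechanism": "Teredo",
                "server": str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF)),
                "flags": (n >> 48) & 0xFFFF,
                "client_port": ((n >> 32) & 0xFFFF) ^ 0xFFFF,
                "client": str(ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF))}
    # ISATAP interface id: 0000:5EFE or 0200:5EFE (U/L bit set) followed by the IPv4 address
    if (n >> 32) & 0xFDFFFFFF == 0x00005EFE:
        return {"mechanism": "ISATAP",
                "ipv4_endpoint": str(ipaddress.IPv4Address(n & 0xFFFFFFFF))}
    return {"mechanism": None}


def tunneled(addresses):
    """Filter a list of source addresses down to those carrying a tunnel mechanism."""
    return [(a, decode_tunnel_address(a)) for a in addresses
            if decode_tunnel_address(a)["mechanism"] is not None]


if __name__ == "__main__":
    print("6to4 prefix for 192.0.2.1 :", sixto4_prefix("192.0.2.1"))
    samples = [                                   # constructed
        "2002:c000:201::1",                       # 6to4 host behind 192.0.2.1
        "2001:0:4136:e378:8000:63bf:3fff:fdd2",   # Teredo client
        "fe80::5efe:c000:207",                    # ISATAP link-local for 192.0.2.7
        "2001:db8::1",                            # native global unicast
    ]
    for a, info in tunneled(samples):
        print(a, "->", info)
```

Windows enables Teredo by default, so a dual-stack client can have a globally reachable 2001:0::/32 address without anyone having configured IPv6; matching sources against these three patterns is a cheap first check for that.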
Routing principles
No big changes in routing
First Host (128 bits)
Longest prefix (up to 64 bits)
Last resort is Default
RIPng, BGP4+, OSPFv3
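The lookup order on the Routing principles slide (host route first, then longest prefix, then default) as a small forwarding table, added as an example that is not from the deck. It also refuses to forward link-local destinations, matching the "on-link only, do NOT route ND" rule from the Secure ND slide. The prefixes and next-hop names are constructed.

```python
import ipaddress


class RouteTable:
    """Destination-based IPv6 lookup: the most specific matching prefix wins, so a
    /128 host route beats a /64, which beats the ::/0 default."""

    def __init__(self):
        self.routes = []

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.IPv6Network(prefix), next_hop))

    def lookup(self, destination: str):
        dst = ipaddress.IPv6Address(destination)
        if dst in ipaddress.IPv6Network("fe80::/10"):
            return None                               # link-local is never forwarded
        best = None
        for net, next_hop in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop)
        return best


def build_sample_table() -> RouteTable:
    """Constructed table: default, an RIR-style /32, a customer /48, a subnet and a host."""
    table = RouteTable()
    table.add("::/0", "upstream")
    table.add("2001:db8::/32", "core")
    table.add("2001:db8:1::/48", "site-a")
    table.add("2001:db8:1:5::/64", "vlan5")
    table.add("2001:db8:1:5::10/128", "host-route")
    return table


if __name__ == "__main__":
    table = build_sample_table()
    for dst in ("2001:db8:1:5::10", "2001:db8:1:5::11", "2001:db8:1:7::1",
                "2001:db8:9::1", "2a00::1", "fe80::1"):
        print(dst, "->", table.lookup(dst))
```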
Routing protocols
RIPng: still has the same problems (big networks, >15 hops); RFC 2080
BGP4+: IDRP (Inter-Domain Routing Protocol) was planned but replaced via RFC 2545 (Multiprotocol extensions for BGP4)
OSPFv3: routers still identified by 32-bit numbers, notated as ”ipv4” addresses; RFC 2740
Main advantages summarized
More efficient address space allocation
End-to-end addressing
No more fragmentation
Routers do not need to make header checksums
Multicasting instead of broadcasting
One control protocol (ICMPv6)
Auto-configuration
Modular headers
Security built-in
DHCP, DNS, IPAM, IPCONFIG
Again the same tools, only with some new menus.
Learning more!
www.tunnelbroker.net
Learning based reward system
Pretty good hands on experience
www.gogo6.com
Very good free tunneling
Forums
Reference materials
Myth: Cannot remember addresses!
Use DNS
Manual configuration gives easy addresses
Use compact notation
Example: 2001:2ac:f000::ff01 (18 chars) or 192.168.10.50 (13 chars)
Myth: I do not need it!
IPv6 is already here
Uncontrolled IPv6 is a security risk
Related Content
WCL324: IPv6 Bootcamp: Get up to speed quickly
WSV06-TLC: Windows Server 2008 Networking
Windows Server 2012 Networking @ Tuesday 12:30 PM - 3:30 PM
Windows Server 2012 Networking @ Thursday 10:30 AM - 12:30 PM
SIA, WSV, and VIR Track Resources
DOWNLOAD Windows Server 2012 Release Candidate
microsoft.com/windowsserver
#TEWSV410
DOWNLOAD Microsoft System Center 2012 Evaluation
microsoft.com/systemcenter
Hands-On Labs
Talk to our Experts at the TLC
Resources
Connect. Share. Discuss.
http://europe.msteched.com
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Resources for Developers
http://microsoft.com/msdn
Evaluations
http://europe.msteched.com/sessions
Submit your evals online
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.