Source: d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKEWN-2666.pdf

IPv6 on WiFi: You talk too much! NOT anymore. BRKEWN-2666

Andrew Yourtchenko

Technical Leader (IPv6 transition), CCIE#5323

@ayourtch

© 2014 Cisco and/or its affiliates. All rights reserved. BRKEWN-2666 Cisco Public

Abstract

IPv6 on the link is by default chattier than IPv4. This may discourage IPv6 deployment in larger WiFi installations. In this session we will take a close look at the "chatty" protocols and their interactions: MLD, ND, mDNS. We will explore how these interactions can be controlled by tuning the configurations on the gateways and WLC. We will cover the emerging best practices to achieve media usage similar to that of IPv4, as well as some troubleshooting experiences. The intended audience of this session is the specialists who deal with planning, deployment and operation of WiFi networks. This session is based on the practical experience gained by implementation and operation of large-scale networks like CiscoLive.

Prerequisites

Basic IPv6 knowledge (terminology)

Basic knowledge about Cisco WiFi/802.11

(Glossary is at the end of the slides)

What The WLAN Experts Tend To Say About IPv6…

Frankie Nord, “You talk too much”

Source: http://www.youtube.com/watch?v=bw4pnQNbBxE


Agenda

Sample WLC topology

IPv6 vs. IPv4: what’s relevant for WiFi?

Deep dive and tuning

– Router discovery & maintenance

– Address Assignment (+ first hop)

– Neighbor Resolution & Maintenance

– Neighbor discovery and MLD interaction

– Other traffic optimizations

Security considerations

Troubleshooting IPv6 on WiFi


Sample WLC topology


IPv6 vs. IPv4: What is relevant for WiFi?

ARP vs. ICMPv6

– Broadcast vs. multicast

– ARP is Layer 2 (ethertype 0x0806), ICMP is Layer 3.14159

Router Discovery

SLAAC & DHCPv6

– RAs are vital!

Multiple addresses per host

ND: Router Maintenance

[Figure: the router sends an RA every 200 sec +/- jitter; three IPv6 hosts each keep a router lifetime that counts down (Lifetime--) between RAs.]

ND: Router Maintenance

[Figure: next step of the same animation: each received RA resets the hosts' router lifetime, which then counts down (Lifetime--) again until the next RA.]

Multicast multicast mode


Multicast CAPWAP packet


PIM SSM configuration

ip pim rp-address 172.16.10.50
ip pim ssm default
interface GigabitEthernet1
 ip address 172.17.1.1 255.255.255.0
 ip pim sparse-mode
 ip igmp version 3

Output “show ip mroute” on the router

Outgoing interface flags: H - Hardware switched, A - Assert
Timers: Uptime/Expires
Interface state: Interface, Next-Hop or VCD, State/Mode

(172.17.1.20, 232.1.1.2), 00:12:36/00:02:23, flags: sTI
  Incoming interface: GigabitEthernet1, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet1.118, Forward/Sparse, 00:12:36/00:02:23

(*, 224.0.1.40), 00:24:39/00:02:53, RP 172.16.10.50, flags: SJCL
  Incoming interface: Null, RPF nbr 0.0.0.0
  Outgoing interface list:
    GigabitEthernet1, Forward/Sparse, 00:24:39/00:02:53

Multicast at a glance on the AP

APc47a.fe34.1cc9#show capwap mcast
CAPWAP MULTICAST
Multicast Group: 232.1.1.2, Source: 172.17.1.20
V1 Rpt Sent: 0; V2 Rpt Sent: 2
V3 Rpt Sent: 189; Leave Sent: 1
V1 Query Rcvd: 0; V2 Query Rcvd: 0
V3 Query Rcvd: 188; V1 Rpt Rcvd: 0
V2 Rpt Rcvd: 0; V3 Rpt Rcvd: 0
APc47a.fe34.1cc9#

Multicast-Multicast and NAT

NAT => 💔

ND: Router Discovery

[Figure: a host sends a Router Solicitation (RS) and the router answers with a Router Advertisement (RA) on a link with three IPv6 hosts.]

The Devil’s in the details…

RFC 4861, section 6.2.6, Processing Router Solicitations:

"In addition to sending periodic, unsolicited advertisements, a router sends advertisements in response to valid solicitations received on an advertising interface. A router MAY choose to unicast the response directly to the soliciting host's address (if the solicitation's source address is not the unspecified address), but the usual case is to multicast the response to the all-nodes group."

Tcpdump on a host in a large WiFi network


USB battery vendors, rejoice !


One more reason to manage the multicast RAs …

APc47a.fe34.1cc9#show capwap mcast mgid all | begin RA MGID
RA MGID Information
MGID = 8341
IPv6 mc2uc Clients = 1
MGID = 8343
IPv6 mc2uc Clients = 1
APc47a.fe34.1cc9#show capwap mcast mgid id 8343
Normal Mcast Clients:
Reliable Mcast Clients:
Client: 14cf.929d.740c --- Qos User Priority: 3 State: ADMITTED
History - Retry Pct: 0 0 0 0 Rate )500Kbps): 0 65535 65535
APc47a.fe34.1cc9#

A different approach: RA throttle

RA Throttle demo

Interaction of RA throttle and RA lifetime

[Figure: timeline of RAs versus router lifetime with RA throttling. The router keeps sending RAs, but only a few per throttle period are forwarded to the clients; the host's router lifetime counts down between the RAs it actually receives, so the gap between the last forwarded RA of period 1 and the first forwarded RA of period 2 must stay shorter than the RA lifetime. Mind the gap!]

Short lifetimes and temporary addresses

RFC4941, section 3.4:

– Period: TEMP_PREFERRED_LIFETIME - REGEN_ADVANCE - DESYNC_FACTOR

– REGEN_ADVANCE -- 5 seconds

– DESYNC_FACTOR – random (0..10 minutes)

– ‘ifconfig -L’ to see lifetimes
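The RA throttle versus RA lifetime slide and the RFC 4941 slide above are both timer arithmetic. The Python below is an added example, not from the slides: a pessimistic throttle model that forwards only the first RA of each throttle window, a check for the "gap" during which a host's default-router entry has already expired, and the temporary-address regeneration period. The 200 s RA interval, 1800 s throttle and 1800 s / 9000 s lifetimes come from the slides and the CiscoLive config; the function names, jitter and seed are my assumptions.

```python
# Added example (not from the BRKEWN-2666 slides): RA throttle vs. router lifetime,
# plus the RFC 4941 temporary-address regeneration period. All values constructed.
import random
from typing import List, Tuple


def router_ra_times(duration: int, interval: int = 200, jitter: int = 40, seed: int = 1) -> List[int]:
    """Unsolicited RAs as the router sends them: every `interval` s +/- `jitter` (seeded)."""
    rng, t, out = random.Random(seed), 0, []
    while t <= duration:
        out.append(t)
        t += interval + rng.randint(-jitter, jitter)
    return out


def throttle(ra_times: List[int], period: int) -> List[int]:
    """Pessimistic RA-throttle model: only the first RA inside each throttle window of
    `period` seconds is forwarded to the clients; later RAs in that window are dropped."""
    passed, seen_windows = [], set()
    for t in sorted(ra_times):
        window = t // period
        if window not in seen_windows:
            seen_windows.add(window)
            passed.append(t)
    return passed


def max_ra_gap(passed: List[int]) -> int:
    return max((b - a for a, b in zip(passed, passed[1:])), default=0)


def router_lost_intervals(passed: List[int], ra_lifetime: int) -> List[Tuple[int, int]]:
    """Spans in which the host's default-router entry has expired before the next
    forwarded RA arrives: the gap the "Mind the gap!" slide warns about."""
    return [(a + ra_lifetime, b) for a, b in zip(passed, passed[1:]) if b - a > ra_lifetime]


def temp_address_period(prefix_preferred: int, temp_preferred: int = 86400,
                        regen_advance: int = 5, desync_factor: int = 0) -> int:
    """Seconds between temporary-address regenerations (RFC 4941, section 3.4):
    effective preferred lifetime - REGEN_ADVANCE - DESYNC_FACTOR, where the effective
    lifetime is the smaller of the prefix's preferred lifetime and TEMP_PREFERRED_LIFETIME."""
    return min(prefix_preferred, temp_preferred) - regen_advance - desync_factor


if __name__ == "__main__":
    ras = router_ra_times(4 * 3600)            # 4 hours of RAs, roughly every 200 s
    passed = throttle(ras, period=1800)        # 30-minute throttle, as in the CiscoLive design
    print("worst gap between forwarded RAs:", max_ra_gap(passed), "s")
    print("router lost, lifetime 1800 s (IOS default):", router_lost_intervals(passed, 1800))
    print("router lost, lifetime 9000 s (CiscoLive SSID):", router_lost_intervals(passed, 9000))
    print("temp address period, prefix preferred 1800 s:", temp_address_period(1800, desync_factor=300))
```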

Short lifetimes and temporary addresses

Temporary addresses recycle quickly

Application connections break

Implementation-specific bug^H^Hehaviors


The best timer values ?

Initial staging

– Agility

– Ease of adjustments

– Quick reaction to configuration changes

– Not too short to avoid artifacts

Production

– With scaling in mind

– Resistance to temporary failures


IOS vs. NX-OS solicited RA behavior

NX-OS sends unicast solicited RA packets

Periodic RA still sent multicast as expected

Easy (Less need for RA-throttle), but may be harder to debug (ucast vs. mcast)


IPv6 host setup recap

[Figure: IPv6 host setup sequence. 1. IPv6 LL DAD NS: "Anyone with this addr?" 2. Router Solicitation. 3. RtrAdv with "M", "O" and "A" flags and router Pref. 4. With "A": IPv6 g.a. DAD NS for the SLAAC address. 5. With "O": DHCPv6 inf req, DHCPv6 reply (DNS). 6. With "M": DHCPv6 req, DHCPv6 reply (address), then IPv6 g.a. DAD NS for that address.]

DHCPv6 address assignment

Centrally controlled: easy to know which user has which address

(May be) not dependent on multicast for continuous use

Some clients do not support it (Android)

DHCPv6 multicast reply filtering

ND-based Address Assignment (SLAAC)

On/off by “A” flag in the prefix(es) within RA

Address controlled by the host

Distributed

Network cannot learn the address in advance, only upon seeing the DAD NS

Dependent on multicast to be maintained

Link-Local addresses: self-assigned

Behavior similar to SLAAC with fe80::/64 prefix

Addresses exist on any IPv6-capable interface

Service discovery protocols use link-locals

Even if you do not “run” IPv6, you probably do!

Address Glean (Binding Table)

[Figure: DHCP server, hosts H1, H2 and H3 on ports P1, P2 and P3, and the binding table learning from their traffic:]

– H1: DAD NS [IP source=UNSPEC, target=A1, SMAC=MACH1]

– H2: REQUEST [XID, SMAC=MACH2]; DHCP server: REPLY [XID, IPA21, IPA22]

– H3: data [IP source=A3, SMAC=MACH3]; NA [IP source=A3, LLA=MACH3]; DAD NS [IP source=UNSPEC, target=A3]

– Binding table owner to DHCP server: DHCP LEASEQUERY; DHCP LEASEQUERY_REPLY

Binding table:

ADR  MAC    VLAN  IF  Preference
A1   MACH1  100   P1  X
A21  MACH2  100   P2  Y
A22  MACH2  100   P2  Y
A3   MACH3  100   P3  Z

Device Tracking (Binding Table)

[Figure: hosts H1, H2 and H3 and the binding table. Address glean and device tracking probes: DAD NS [IP source=UNSPEC, target=A1], DAD NS [IP source=UNSPEC, target=A3]; the host answers with NA [target=A1, LLA=MACH1].]

– Keep track of device state

– Probe devices when becoming stale

– Remove inactive devices from the binding table

– Record binding creation/deletion/changes

Binding table:

ADR  MAC    VLAN  IF
A1   MACH1  100   P1
A21  MACH2  100   P2
A22  MACH2  100   P2
A3   MACH3  100   P3

Neighbor Binding Timer configuration: defaults


Simplified Binding table state diagram

[Figure: simplified binding table states REACHABLE, STALE and DOWN. REACHABLE to STALE: REACHABLE timer expires. STALE to REACHABLE: NS/NA exchange for the host, or DAD probe success. Any state to DOWN: link is DOWN (client disassociated).]

Binding table maintenance example

Traffic to node can trigger NUD on the node

Entry is refreshed due to NUD (NS) traffic from host

Host ND: Neighbor Maintenance with NUD

[Figure: host neighbor cache states INCOMPLETE, REACHABLE, STALE, DELAY and PROBE. REACHABLE to STALE: REACHABLE timer expires (~30 sec default). STALE to DELAY: traffic to the host. DELAY to PROBE: traffic to the host, no confirmation from ULP. PROBE to REACHABLE: received NA reply to unicast NS. INCOMPLETE to REACHABLE: received NA reply to multicast NS. Any state to REACHABLE: ULP confirms reachable.]

Increase the reachable time on the IPv6 Router

Less load on the media + first hop router packet processing

Postponing NUD = bigger neighbor table on the first hop router

NUD triggered after RAND(0.5 .. 1.5 * reachable-time)

csr1k-ayhome(config)#interface gig1.103
csr1k-ayhome(config-subif)# ipv6 nd reachable-time ?
  <0-3600000>  Reachability time in milliseconds
csr1k-ayhome(config-subif)# ipv6 nd reachable-time 600000
csr1k-ayhome(config-subif)#^Z
csr1k-ayhome#

Impact of ND reachable timers on first hop router

Long timers cause accumulation of the entries

– Hardware forwarding tables may overflow

ipv6 nd cache expire <14400?> refresh

REACHABLE expires on WLC (No 30-sec NUD)

IPv6 host stack does not trigger NUD thanks to the longer REACHABLE timer

The data traffic by itself does not alter the state of the binding table entries


Let’s initiate some ND traffic

Ping to a non-existent link-local address creates NS to resolve that address

ND traffic from hosts refreshes the entry


Neighbor maintenance & binding interactions

Discuss: What about a shorter reachable value on the host than on the WLC?
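As an added example (not from the slides), the Python below models one binding-table entry with the simplified REACHABLE / STALE / DOWN diagram and replays what the demo slides show: data alone never refreshes the entry, host NUD NS traffic does, and a stale entry gets a DAD-style probe. It also works through the question above by running a host with a 30 s reachable time and one with 600 s against a 300 s WLC entry timer. All timer values, addresses and MACs are constructed, and the WLC reachable/stale timers are modelling assumptions, not product defaults.

```python
# Added example (not from the BRKEWN-2666 slides): one binding-table entry on the WLC /
# first-hop switch, following the simplified diagram. Timer values are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

REACHABLE, STALE, DOWN, DELETED = "REACHABLE", "STALE", "DOWN", "DELETED"

@dataclass
class BindingEntry:
    addr: str
    mac: str
    reachable_lifetime: int   # seconds the entry stays REACHABLE after the last NS/NA proof
    stale_lifetime: int       # seconds a STALE entry waits for its probe to be answered
    state: str = REACHABLE
    last_proof: int = 0
    stale_since: int = 0
    log: List[Tuple[int, str, str]] = field(default_factory=list)

    def event(self, now: int, kind: str) -> str:
        """A packet from the client: 'data', 'ns', 'na' (incl. probe answers) or 'link_down'."""
        if kind == "link_down":                       # client disassociated
            self.state = DOWN
        elif kind in ("ns", "na"):                    # NS/NA exchange proves the binding
            if self.state != DELETED:
                self.state, self.last_proof = REACHABLE, now
        elif kind != "data":                          # data alone never changes the state
            raise ValueError(kind)
        self.log.append((now, kind, self.state))
        return self.state

    def tick(self, now: int) -> bool:
        """Timer-driven transitions; True when the table owner sends a DAD-style probe NS."""
        if self.state == REACHABLE and now >= self.last_proof + self.reachable_lifetime:
            self.state, self.stale_since = STALE, now
            self.log.append((now, "probe DAD NS", STALE))
            return True
        if self.state == STALE and now >= self.stale_since + self.stale_lifetime:
            self.state = DELETED                      # inactive device removed from the table
            self.log.append((now, "probe unanswered", DELETED))
        return False

def host_nud_ns_times(host_reachable_ms: int, until: int) -> List[int]:
    """Host NUD NS to the gateway; RFC 4861 uses RAND(0.5..1.5)*reachable-time, midpoint here."""
    period = host_reachable_ms // 1000
    return list(range(period, until + 1, period))

def simulate(entry: BindingEntry, events: List[Tuple[int, str]], until: int,
             client_alive: bool = True) -> str:
    """One-second discrete simulation; a live client answers every probe one second later."""
    pending: Dict[int, List[str]] = {}
    for t, kind in events:
        pending.setdefault(t, []).append(kind)
    for t in range(until + 1):
        for kind in pending.pop(t, []):
            entry.event(t, kind)
        if entry.tick(t) and client_alive:
            pending.setdefault(t + 1, []).append("na")
    return entry.state

def scenario(host_reachable_ms: int, wlc_reachable_s: int, until: int = 800,
             client_alive: bool = True) -> Tuple[str, int]:
    """Returns (final state, number of probes the WLC had to send). Constructed values."""
    entry = BindingEntry("2001:db8:a:400::1234", "0011.2233.4455", wlc_reachable_s, 60)
    events: List[Tuple[int, str]] = []
    if client_alive:                                  # data every 10 s plus host NUD traffic
        events += [(t, "data") for t in range(10, until, 10)]
        events += [(t, "ns") for t in host_nud_ns_times(host_reachable_ms, until)]
    state = simulate(entry, events, until, client_alive)
    return state, sum(1 for _, what, _ in entry.log if what == "probe DAD NS")

if __name__ == "__main__":
    print("host NUD 30 s, WLC 300 s: ", scenario(30_000, 300))       # ('REACHABLE', 0)
    print("host NUD 600 s, WLC 300 s:", scenario(600_000, 300))      # ('REACHABLE', 1)
    print("silent client:            ", scenario(600_000, 300, client_alive=False))  # ('DELETED', 1)
```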

DEMO: privacy addresses

Less Simplified Binding table state diagram

[Figure: binding table states REACHABLE, STALE and DOWN, plus UNKNOWN(*), INCOMPLETE(*), TENTATIVE(*) and VERIFY; transitions are driven by NS/NA traffic, timer expiry and a seen LLA.]

Details: RFC6620

What happens if the address is not in the table?

Address glean

– Allow traffic sourced with a known IP/SMAC

– Deny traffic sourced with an unknown IP/SMAC, and trigger the address glean process

[Figure: hosts H1, H2 and H3 on ports P1, P2 and P3. Data seen: P1: data src=A1, SMAC=MACA1; P2: data src=A21, SMAC=MACA21; P3: data src=A3, SMAC=MACA3. For P3 (A3, MACA3) the table owner verifies the binding with DAD NS [IP source=UNSPEC, target=A3], expecting NA [target=A3, LLA=MACA3], and can also issue DHCP LEASEQUERY / DHCP LEASEQUERY_REPLY.]

Binding table:

IPv6  MAC     VLAN  IF
A1    MACA1   100   P1
A21   MACA21  100   P2
A22   MACA22  100   P2
A3    MACA3   100   P3

Initiate some traffic with entry not in table

More granular for production!

Binding table prepopulated by data plane

Binding table entry verified using DAD NS exchange

L2 address resolution with IPv6

[Figure: hosts A and B and the GW on one link. A sends NS "B?" (A=me) to the solicited-node multicast address of B; B answers NA "B=me" as unicast.]

Neighbor solicitation and solicited node address


Solicited-Node Multicast Address

For each Unicast and Anycast address configured there is a corresponding solicited-node multicast (Layer 3 address)

Used in neighbor solicitation (NS) messages

Multicast address with a link-local scope

Solicited-node multicast consists of

– FF02::1:FF & {lower 24 bits from IPv6 Unicast interface ID}

Unicast address: Routing Prefix (high 64 bits) | Interface ID (64 bits)

Solicited-node multicast address: FF02:0000:0000:0000:0000:0001:FF (high 104 bits) | low 24 bits of the Interface ID

Host Joins Solicited Node Multicast Group

Different IIDs = different multicast groups

Global multicast enable/disable

Basic IPv6 support does NOT need this checkbox checked

Turning global multicast on …


MLD / IGMP packets sent per client


Many IPv6 addresses -> many solicited node multicast groups

One MLD query -> many MLD reports.
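As an added example (not from the slides), the Python below derives the solicited-node group for each address of a constructed sample client, shows why different IIDs mean different groups and therefore more MLD state per query, and models the bonus-slide filter that permits only the default router's solicited-node group (ff02::1:ff00:1 for fe80::1) and denies every other one. The 2001:db8 addresses and the function names are my assumptions.

```python
# Added example (not from the BRKEWN-2666 slides): solicited-node multicast groups per
# client address, the MLD state they imply, and the bonus-slide NS destination filter.
import ipaddress
from typing import Iterable, Set

# RFC 4291: solicited-node groups are FF02:0:0:0:0:1:FF00::/104 + low 24 bits of the address
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX where XX:XXXX are the low 24 bits of the unicast/anycast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def solicited_node_groups(addrs: Iterable[str]) -> Set[ipaddress.IPv6Address]:
    """Distinct groups the host must join; addresses that share their low 24 bits
    (e.g. link-local and SLAAC address built from the same IID) share one group."""
    return {solicited_node(a) for a in addrs}


def mld_reports_per_query(addrs: Iterable[str]) -> int:
    """One group record (one report with MLDv1) per joined solicited-node group, so the
    per-client MLD chatter grows with the number of distinct IIDs, not prefixes."""
    return len(solicited_node_groups(addrs))


def ns_destination_policy(dst: str, router_link_local: str = "fe80::1") -> str:
    """Bonus-slide filter for NS traffic: permit the solicited-node group of the default
    router, deny every other solicited-node group, leave other destinations alone."""
    group = ipaddress.IPv6Address(dst)
    if group == solicited_node(router_link_local):
        return "permit"
    if group in SOLICITED_NODE_PREFIX:
        return "deny"
    return "not-solicited-node"


# Constructed sample client: link-local + SLAAC address from the same IID, and two
# RFC 4941 temporary addresses with random IIDs (documentation prefix 2001:db8::/32).
SAMPLE_CLIENT = [
    "fe80::1a2b:3c4d:5e6f:7a8b",
    "2001:db8:a:400:1a2b:3c4d:5e6f:7a8b",
    "2001:db8:a:400:89ab:cdef:1234:5678",
    "2001:db8:a:400:123:4567:89ab:cdef",
]

if __name__ == "__main__":
    for a in SAMPLE_CLIENT:
        print(f"{a:40} -> {solicited_node(a)}")
    print("MLD reports per query:", mld_reports_per_query(SAMPLE_CLIENT))   # 3
    print("default router group:", solicited_node("fe80::1"))              # ff02::1:ff00:1
```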


MLD/IGMP query timing and timer values tuning


Turned Multicast On ? Meet mDNS !

Total Packet quantity ~ NumAdvertisers * NumListeners * k

Brute-force approach to mDNS overload: create ACL…

Brute-force approach to mDNS overload: …and apply it!

Bonjour Gateway: a kinder, gentler, flexible way

What about LLMNR?

Link-local Multicast Name Resolution

– Used to resolve the names of hosts on the local link

Defined in RFC4795

Used by Windows Vista, Windows Server 2008, Windows 7 and Windows 8

Runs over multicast UDP to port 5355

Practical experience: mostly harmless

Security considerations

Address Stealing: taken care of

See also: BRKSEC-3003

P2P blocking: good for security, bad for P2P

IPv6 “Off-link clients”: communicate via the router

IPv6 “Off-link clients”: router configuration

interface GigabitEthernet1.103
 encapsulation dot1Q 103
 ipv6 address 2001:470:73CD:DF03::1/64
 ipv6 nd reachable-time 3600000
 ipv6 nd prefix 2001:470:73CD:DF03::/64 86400 1800 off-link
 ipv6 nd ra dns server 2001:4860:4860::8888
 no ipv6 redirects

csr1k-ayhome# sh run | inc route 2001:470:73CD:DF03::/64
ipv6 route 2001:470:73CD:DF03::/64 GigabitEthernet1.103
csr1k-ayhome#

Off-link prefix effect on the client

Before:

After (need reconnect!):

Troubleshooting

Troubleshooting strategies for “No IPv6 Address”

RA received:

– Client stack issue

– Firewall on the client

– DAD failure?

Intermittent loss of RAs:

– Multicast-unicast & microbursts?

– Multicast-multicast and too much multicast traffic?

No RA received:

– Multicast on CAPWAP?

Strategies for debugging client connectivity issues

Usually falls back to IPv4 if IPv6 is a total blackhole

Determine which IPv6 source address is being used

Use tools on the clients that allow selecting the address family

Connectivity issues: verify the binding table

Client doing DAD too early, client having too many addresses too quickly

Troubleshoot “wrong address”

RA leakage?

Stack not deleting the old addresses?

Most of the time: Wireshark on the client or “near” the client

Troubleshoot in the roaming scenario

Multicontroller config needs to be in sync

Use AP groups

– Isolate a “debug” AP

– AP-group manipulations cause SSID flip, do only off-hours!

Use multi-channel sniffers

Capture CAPWAP traffic on the wire

– If not encrypted


Capture packets on iOS devices


Conclusions

You can control IPv6 chattiness quite well

Use the WLC features

Complement with IPv6 protocol tuning


IPv6 on WiFi: You talk too much?

Glossary And Bonus Slides

Glossary

RA

– Router Advertisement: periodically sent by any IPv6 router on a segment.

– Can be Periodic (default: 200s +/- jitter) and Solicited (triggered by RS)

– More info: RFC4861

RS

– Router Solicitation: a packet sent by the host to trigger Solicited RA

– More info: RFC4861

NUD

– Neighbor Unreachability Detection: part of Neighbor Discovery protocol, uses NS/NA exchange + state machine and feedback from upper layer protocols to verify the bidirectional reachability of the neighbor

– More info: RFC4861


Glossary

NA

– Neighbor Advertisement: an ICMPv6 message containing the Link Layer address for a given IPv6 address. Can be solicited by Neighbor Solicitation or sent gratuitously.

– More info: RFC4861

NS

– Neighbor Solicitation: a packet sent to the Solicited Node Multicast address derived from the target address in order to resolve the Link-Layer address corresponding to the target IPv6 address

– More info: RFC4861

DAD

– Duplicate Address Detection: a check performed by an IPv6 stack before using an IPv6 address to ensure that this address is not already used by another node on the link.

– More info: RFC4861

Blocking attempts of directed Link-Local traffic (1/2)

Set the last 3 bytes of the interface ID of the link-local address to the known value

(If you cannot do P2P blocking)

Blocking attempts of directed Link-Local traffic (2/2)

Permit solicited node multicast for the default router (this example is for fe80::1)

Deny solicited node multicast for everything else

(If you cannot do P2P blocking)

Capturing and triggering router advertisements

CiscoLive2014 wireless LAN considerations

CiscoLive 2014 dualstack SSID config (high level)

[Figure: Internet at the top; North controller with user VLAN 204 and South controller with user VLAN 4, with main and backup paths.]

Configuration design goals

Must allow any distribution of access points between the two controllers

– All access points on North, all access points on South, split between the two

L3 roaming of clients between North and South, on IPv4 and IPv6

– The client keeps its original link; the data is sent in/out via the anchor controller

Minimize the amount of chatter – save batteries

– Use RA Throttler on WLC with 30 minute timer.

Minimize the size of the neighbor caches on the devices

– Very large link, many small devices

Allow for a possible full reassociation instead of L3 roaming

– The prefix does change, but connectivity must be recovered quickly

South SVI configuration

interface Vlan4
 description !!! WIRELESS CLIENTS !!! CiscoLive2014 !!!
 .. IPv4 configuration omitted ..
 ipv6 address FE80::1 link-local
 ipv6 address 2001:4D38:A:400::1/64
 ipv6 nd reachable-time 1800000
 ipv6 nd prefix default 86400 9000 off-link no-autoconfig
 ipv6 nd prefix 2001:4D38:A:400::/64 604800 86400 off-link
 ipv6 nd prefix 2001:4D38:A:6800::/64 604800 0 off-link
 ipv6 nd router-preference High
 ipv6 nd ra lifetime 9000
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 verify unicast source reachable-via rx
 ipv6 ospf network point-to-point
 ipv6 ospf flood-reduction
 ipv6 ospf 1 area 0
end

ipv6 route 2001:4D38:A:400::/64 vlan4

North SVI configuration

interface Vlan204
 description !!! WIRELESS CLIENTS !!! CiscoLive2014 !!! DO NOT USE VLAN4 on NORTH !!!
 .. IPv4 configuration omitted ..
 ipv6 address FE80::1 link-local
 ipv6 address 2001:4D38:A:6800::1/64
 ipv6 nd reachable-time 1800000
 ipv6 nd prefix default 86400 9000 off-link no-autoconfig
 ipv6 nd prefix 2001:4D38:A:400::/64 604800 0 off-link
 ipv6 nd prefix 2001:4D38:A:6800::/64 604800 86400 off-link
 ipv6 nd router-preference High
 ipv6 nd ra lifetime 9000
 no ipv6 redirects
 no ipv6 unreachables
 ipv6 verify unicast source reachable-via rx
 ipv6 ospf network point-to-point
 ipv6 ospf flood-reduction
 ipv6 ospf 1 area 0
end

ipv6 route 2001:4D38:A:6800::/64 Vlan204