IPv6 Tutorial
http://www.usipv6.com
12/8/03
2
Instructors
Michael P. Brig, Senior Network Engineer. Email: [email protected]. Phone: 703-882-2435
Brian McGehee, Native6, Inc. Email: [email protected]. Phone: 206-682-0275
3
Hotel
4
Agenda
1. Developing IPv6: 08:30-10:15 (break 10:15-10:30)
2. Exploring IPv6: 10:30-12:00 (lunch 12:00-13:00)
3. Integrating IPv6: 13:00-14:30 (break 14:30-14:45)
4. Advanced IPv6 Topics: 14:45-16:00 (break 16:00-16:10)
5. Deploying IPv6: 16:10-17:00
5
1. Developing IPv6
• Background
• IPng requirements and competition
• Rationale for a new IP
6
Background
[Figure: timeline 1977-2003. Protocols: NCP, then IPv4, with CLNS (GOSIP) as a competitor and IPv6 emerging. Stewardship: DoD, then Commerce Dept, then ICANN. Killer Application 1: Email. Killer Application 2: Web. Apps with potential: File Xfer, Chat, VOIP, Video, Gaming, Messaging. Address-conservation measures along the way: Subnetting (RFC 950), NAT (RFC 1631), CIDR and DHCP (RFC 1519, 1531), with the resulting loss of the E2E Architecture.]
7
Registered IPv4 Address Allocation History
[Chart: share of the registered IPv4 address space allocated, 0% to 100%, plotted by year from 1980 to 2010.]
8
IPv4 Issues compound the Digital Divide
[Figure: the Public IPv4 Internet, where hosts are both Server & Client, with NATs in front of Private Intranets whose DHCP-addressed hosts are Client only.]
9
Restoring the E2E Architecture
[Figure: NAT/PAT breaks peer-to-peer on the IPv4 Internet; the IPv6 Internet restores direct host-to-host reachability.]
• Restores the “Promise” of Multimedia Collaboration
– IP Telephony for Enterprise, Mobile, and Residential
– IP Video Conferencing
– Instant Messaging
– Distributed Gaming
• “Always On” for everyone – no need to ration with IPv6.
10
IPv6 Narrows the Digital Divide
[Figure: the Public IPv6 Internet, where every host is both Server & Client.]
11
IPv4 BGP Routing System
12
Triggers for IPng
• Class B address space exhaustion.
• IPv4 address space exhaustion in general.
• Routing table growth.
13
Technical Criteria for Choosing IPng
• Complete specification
• Architectural simplicity
• Scale
• Topological flexibility
• Performance
• Robust service
• Transition
• Media independence
• Datagram service
• Configuration ease
• Security
• Unique names
• Access to standards
• Multicast support
• Extensibility
• Service classes
• Mobility
• Control protocol
• Tunneling support
14
IPng Process and Competition
• RFC 1550: IP: Next Generation (IPng) White Paper Solicitation
• RFC 1726: Technical Criteria for Choosing IP The Next Generation (IPng)
• RFC 1752: The Recommendation for the IP Next Generation Protocol
• RFC 1883: Internet Protocol, Version 6 (IPv6) Specification
• RFC 2460: Internet Protocol, Version 6 (IPv6) Specification (supersedes RFC 1883)
[Figure: timeline 1992-1998 of the IPng candidates and their convergence: Nimrod, CNAT, IPEncaps, Simple CLNP, TUBA (IPv9), IPAE, SIP (IPv6), PIP (IPv8), TP/IX (IPv7), SIPP and CATNIP, with RFC 1550, RFC 1726, RFC 1752, RFC 1883 and RFC 2460 marked along the axis. IPv5 = the ST protocol.]
15
Rationale for a new IP
The Internet must keep growing!
• Billions of new users (Japan, China, India, …)
• Multiple devices per user.
• Billions of new devices (mobile phones, cars, appliances, etc.)
• Always-on access (cable, xDSL, ethernet-to-the-home, etc.)
• Many applications are difficult, expensive, or impossible to operate through NATs.
• IPv6 is needed for the long-term health and viability of the Internet: routing, multihoming, mobility.
16
Expect many years with IPv4/v6
[Figure: timeline FY01-FY10. IPv4: Mandatory Standard throughout. IPv6: Emerging Standard in the early years, then Mandatory Standard.]
17
2. Exploring IPv6
• The IPv6 spec and related RFCs
• Header format and optimizations
• ICMPv6
• Auto-configuration
• IPv6 address architecture and formats
• Routing Protocols
18
Impacts to the TCP/IP Model
[Figure: TCP/IP model. Application: FTP, HTTP, SMTP, NFS, DNS. Transport: TCP, UDP. Network: IPv6 & ICMPv6 (the Core Specification). Physical: ISDN, ATM, SDH, Eth., WDM.]
19
The IPv6 spec and related RFCs
• IETF Draft Standards
– RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
– RFC 2461: Neighbor Discovery for IP Version 6 (IPv6)
– RFC 2462: IPv6 Stateless Address Autoconfiguration
– RFC 2463: ICMPv6 Specification
• IETF Proposed Standards
– RFC 1981: Path MTU Discovery for IP version 6
– RFC 2028: RIPng for IPv6
– RFC 2401: Security Architecture for the Internet Protocol
– RFC 2428: FTP Extensions for IPv6 and NATs
– RFC 2452: IP Version 6 Management Information Base for the Transmission Control Protocol
– RFC 2454: IP Version 6 Management Information Base for the User Datagram Protocol
– RFC 2564: Transmission of IPv6 Packets over Ethernet Networks
– RFC 2565: Management Information Base for IP Version 6: Textual Conventions and General Group
– RFC 2566: Management Information Base for IP Version 6: ICMPv6 Group
– RFC 2567: Transmission of IPv6 Packets over FDDI Networks
– RFC 2470: Transmission of IPv6 Packets over Token Ring Networks
– RFC 2472: IP Version 6 over PPP
– RFC 2473: Generic Packet Tunneling in IPv6 Specification
– RFC 2491: IPv6 over Non-Broadcast Multiple Access (NBMA) networks
– RFC 2495: IPv6 over ATM Networks
– RFC 2547: Transmission of IPv6 Packets over ARCnet Networks
– RFC 2626: Reserved IPv6 Subnet Anycast Addresses
– RFC 2529: Transmission of IPv6 over IPv4 Domains without Explicit Tunnels
– RFC 2545: Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing
20
The IPv6 spec and related RFCs
• IETF Proposed Standards (Continued)
– RFC 2590: Transmission of IPv6 Packets over Frame Relay Networks Specification
– RFC 2675: IPv6 Jumbograms
– RFC 2710: Multicast Listener Discovery (MLD) for IPv6
– RFC 2711: IPv6 Router Alert Option
– RFC 2734: Format for Literal IPv6 Addresses in URL's
– RFC 2740: OSPF for IPv6
– RFC 2893: Transition Mechanisms for IPv6 Hosts and Routers
– RFC 2894: Router Renumbering for IPv6
– RFC 3021: Privacy Extensions for Stateless Address Autoconfiguration in IPv6
– RFC 3056: Connection of IPv6 Domains via IPv4 Clouds
– RFC 3111: Service Location Protocol Modifications for IPv6
– RFC 3122: Extensions to IPv6 Neighbor Discovery for Inverse Discovery Specification
– RFC 3146: Transmission of IPv6 Packets over IEEE 1394 Networks
– RFC 3162: RADIUS and IPv6
– RFC 3175: Aggregation of RSVP for IPv4 and IPv6 Reservations
– RFC 3226: DNSSEC and IPv6 A6 aware server/resolver message size requirements
– RFC 3266: Support for IPv6 in Session Description Protocol (SDP)
– RFC 3306: Unicast-Prefix-based IPv6 Multicast Addresses
– RFC 3307: Allocation Guidelines for IPv6 Multicast Addresses
– RFC 3315: Dynamic Host Configuration Protocol for IPv6
– RFC 3484: Default Address Selection for Internet Protocol version 6 (IPv6)
– RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
– RFC 3595: Textual Conventions for IPv6 Flow Label
• IETF Experimental RFCs
– RFC 2874: DNS Extensions to Support IPv6 Address Aggregation and Renumbering
– RFC 2471: IPv6 Testing Address Allocation
– RFC 1888: OSI NSAPs and IPv6
• Many many Internet Drafts and Informational RFCs
21
IPv4 Header
Header layout (32-bit words):
ver | IHL | TOS | Length
ID | Flgs | Frag Offset
TTL | Protocol | HDR Checksum
Source Address
Destination Address
Options | Padding
• Version – Indicates the format of the IP header. This field = 4 for IPv4.
• Internet Header Length – The length of the internet header in 32-bit words, and thus points to the beginning of data.
• Type of Service – An indication of the abstract parameters of the quality of service desired for the packet.
• Length – The total length of the datagram, measured in octets, including internet header and data.
• Identification – A value assigned by the sender to aid in reassembling the fragments of a datagram.
• Flags – Various control flags.
• Frag Offset – Field indicating where in the datagram this fragment belongs. It is measured in units of 64 bits.
• Time to Live – Field indicating the maximum time the datagram is allowed to remain in the internet system.
• Protocol – Field indicating the next level protocol used in the data portion of the internet datagram.
• HDR Checksum – A checksum on the header only. Since some header fields are modified (e.g., time to live), this is recomputed and verified at each point that the internet header is processed.
• Source Address – 32-bit IPv4 source address.
• Destination Address – 32-bit IPv4 destination address.
• Options – A variable length grouping of zero or more option values.
• Padding – This variable length field ensures the internet header ends on a 32-bit boundary. The padding is zero.
22
IPv6 Header Streamlining
[Figure: IPv4 header (ver | IHL | TOS | Length; Identification | Flgs | Fragment Offset; TTL | Protocol | Header Checksum; Source Address; Destination Address; Options | Padding) beside the IPv6 header (ver | Traffic Class | Flow Label; Payload Length | Next Header | Hop Limit; Source Address; Destination Address), both drawn 32 bits wide and colour-coded as fields retained/renamed from IPv4, fields deleted from IPv4, and new fields in IPv6.]
23
IPv6 Header
Header layout (32-bit words):
ver | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address
• Version – 4-bit Internet Protocol version number = 6.
• Traffic Class – 8-bit traffic class field.
• Flow Label – 20-bit flow label.
• Payload Length – 16-bit unsigned integer. Length of the IPv6 payload, i.e., the rest of the packet following the IPv6 header, in octets.
• Next Header – 8-bit selector. Identifies the type of header immediately following the IPv6 header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].
• Hop Limit - 8-bit unsigned integer. Decremented by 1 by each node that forwards the packet. The packet is discarded if Hop Limit is decremented to zero.
• Source Address – 128-bit address of the originator of the packet.
• Destination Address – 128-bit address of the intended recipient of the packet (possibly not the ultimate recipient, if a Routing header is present).
24
Summary of Optimizations
• No hop-by-hop IP layer checksum.
• No broadcast… only multicast.
• No packet fragmentation.
• 64-bit alignment vs 32-bit alignment with IPv4.
• IPv6 minimum MTU of 1280 bytes up from 576 bytes with IPv4.
• No header options… just chains of structured header extensions.
25
Extension Headers
Base IPv6 Header (40 bytes), followed by any number of extension headers, each laid out as:
Next Header | Extension Header Length | Extension Header Data
• Processed only by node identified in IPv6 destination address field. Only exception is the Hop-by-Hop Options header
• Much lower overhead than IPv4 options
• Eliminated IPv4’s 40-octet limit on options.
– in IPv6, limit is total packet size, or Path MTU in some cases
26
Authentication Header (AH)
AH layout (32-bit words): Next Header | Payload Len | RESERVED; Security Parameter Index (SPI); Sequence Number Field; Authentication Data (variable)
• AH provides connectionless integrity and data origin authentication for IP datagrams, and protection against replays.
• AH may be applied alone, in combination with the IP Encapsulating Security Payload, or in a nested fashion through the use of tunnel mode.
• Defined in IETF “Proposed Standard” RFC 2402
• A next header value of 51 indicates the next extension header is the AH.
27
Destination Options Header
DOH layout (32-bit words): Next Header | HDR Ext Len | Options
• DOH carries optional information that need be examined only by a packet's destination node(s).
• Defined in IETF “Draft Standard” RFC 2460
• A next header value of 60 indicates the next extension header is the DOH.
28
Encapsulating Security Payload (ESP) Header
ESP layout (32-bit words): Security Parameter Index (SPI); Sequence Number Field; Payload Data (variable); Padding (0-255 bytes) | Pad Length | Next Header; Authentication Data (variable)
• ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality.
• ESP may be applied alone, in combination with the Authentication Header, or in a nested fashion, e.g., through the use of tunnel mode.
• Defined in IETF “Proposed Standard” RFC 2406
• A next header value of 50 indicates the next extension header is the ESP extension header.
29
Fragment Header
FH layout (32-bit words): Next Header | RESERVED | Fragment Offset | RES | M; Identification
• The FH is used by an IPv6 source to send a packet larger than would fit in the path MTU to its destination.
• Unlike IPv4, fragmentation in IPv6 is performed only by source nodes, not by routers along a packet's delivery path.
• Defined in IETF “Draft Standard” RFC 2460.
• A next header value of 44 indicates the next extension header is the FH.
30
Hop-by-Hop Options Header
HH layout (32-bit words): Next Header | HDR Ext Len | Options
• The HH is used to carry optional information that must be examined by every node along a packet's delivery path.
• Defined in IETF “Draft Standard” RFC 2460
• A next header value of 0 indicates the next extension header is the HH.
31
Routing Header
RH layout (32-bit words): Next Header | HDR Ext Len | Routing Type | Segments Left; Type Specific Data
• The RH is used by an IPv6 source to list one or more intermediate nodes to be "visited" on the way to a packet's destination.
• Defined in IETF “Draft Standard” RFC 2460
• A next header value of 43 indicates the next extension header is the RH.
32
Order of Extension Headers
• Header extensions should appear in the following order after the base IPv6 header:
– Hop-by-Hop Options header
– Destination Options header (*1)
– Routing header
– Fragment header
– Authentication header (RFC 1826)
– Encapsulating Security Payload header (RFC 1827) (*2)
– Destination Options header (*3)
– Upper-layer header
*1 for options to be processed by the first destination that appears in the IPv6 Destination Address field plus subsequent destinations listed in the Routing header.
*2 additional recommendations regarding the relative order of the Authentication and Encapsulating Security Payload headers are given in [RFC-2406].
*3 for options to be processed only by the final destination of the packet.
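A defender-side parser for the header chain described on the preceding slides, added here as an example and not part of the tutorial: it follows the Next Header values quoted above, applies the different length rules of the Fragment and AH headers, stops at a non-first fragment instead of guessing at the upper-layer header, and checks the observed order against the RFC 2460 recommendation. The sample packets, link-local addresses and fragment identification are constructed.

```python
import struct

# Next Header values quoted on the extension-header slides (RFC 2460, RFC 2402, RFC 2406, RFC 2463).
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DEST_OPTS = 0, 43, 44, 50, 51, 58, 60
TCP, UDP = 6, 17
# Headers whose length a middlebox can parse to reach the next one (ESP hides what follows it).
EXTENSION_HEADERS = {HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH}
# Recommended order from the slide above; Destination Options may legitimately appear twice.
RFC2460_ORDER = [HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP, DEST_OPTS]

def walk_header_chain(packet: bytes):
    """Follow the Next Header chain of one IPv6 packet.

    Returns (chain, upper_layer, offset): chain lists (next_header_value, offset) for
    each extension header seen; upper_layer is the first non-extension Next Header
    value (TCP, UDP, ICMPv6, ESP, ...) or None when a non-first fragment hides it;
    offset is where that header starts. Raises ValueError on a malformed chain.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack_from("!H", packet, 4)[0]
    if 40 + payload_len > len(packet):
        raise ValueError("truncated: Payload Length exceeds captured bytes")
    nh, offset, chain, seen = packet[6], 40, [], {}
    while nh in EXTENSION_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if nh == HOP_BY_HOP and offset != 40:
            raise ValueError("Hop-by-Hop Options header must immediately follow the base header")
        seen[nh] = seen.get(nh, 0) + 1
        if seen[nh] > (2 if nh == DEST_OPTS else 1):
            raise ValueError("extension header %d repeated" % nh)
        chain.append((nh, offset))
        next_nh, hdr_ext_len = packet[offset], packet[offset + 1]
        if nh == FRAGMENT:
            hdr_len = 8                      # fixed: Next Header, RES, Offset/RES/M, Identification
            off_flags = struct.unpack_from("!H", packet, offset + 2)[0]
            if off_flags >> 3 != 0:          # Fragment Offset is in 8-octet units
                # Non-first fragment: the upper-layer header travelled in another packet.
                return chain, None, offset + hdr_len
        elif nh == AH:
            hdr_len = (hdr_ext_len + 2) * 4  # AH Payload Len counts 32-bit words minus 2 (RFC 2402)
        else:
            hdr_len = (hdr_ext_len + 1) * 8  # Hdr Ext Len counts 8-octet units after the first 8
        if offset + hdr_len > len(packet):
            raise ValueError("extension header runs past end of packet")
        nh, offset = next_nh, offset + hdr_len
    return chain, nh, offset

def follows_rfc2460_order(chain) -> bool:
    """True when the observed header sequence is a subsequence of RFC2460_ORDER."""
    pos = 0
    for nh, _ in chain:
        while pos < len(RFC2460_ORDER) and RFC2460_ORDER[pos] != nh:
            pos += 1
        if pos == len(RFC2460_ORDER):
            return False
        pos += 1
    return True

def rejects(packet: bytes) -> bool:
    """True if walk_header_chain refuses the packet as malformed."""
    try:
        walk_header_chain(packet)
        return False
    except ValueError:
        return True

# --- constructed sample packets, not captures ----------------------------------------
SRC = bytes.fromhex("fe80000000000000000000000000000a")   # fe80::a
DST = bytes.fromhex("fe80000000000000000000000000000b")   # fe80::b

def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    """Base header: ver 6, Traffic Class 0, Flow Label 0, Payload Length, Next Header, Hop Limit 64."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + SRC + DST + payload

def pad_options_header(next_header: int) -> bytes:
    """Minimal 8-octet Hop-by-Hop or Destination Options header carrying one PadN(4) option."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])

def fragment_header(next_header: int, offset_units: int, more: bool) -> bytes:
    return struct.pack("!BBHI", next_header, 0, (offset_units << 3) | int(more), 0x12345678)

TCP_STUB = bytes(20)   # stand-in for a TCP header; its contents do not matter here
# Well formed: Hop-by-Hop -> Destination Options -> Fragment (first fragment, M=1) -> TCP
SAMPLE_FIRST_FRAGMENT = ipv6_packet(HOP_BY_HOP, pad_options_header(DEST_OPTS)
                                    + pad_options_header(FRAGMENT)
                                    + fragment_header(TCP, 0, True) + TCP_STUB)
# Later fragment of the same datagram: the TCP header is absent, so upper_layer is None
SAMPLE_LATER_FRAGMENT = ipv6_packet(FRAGMENT, fragment_header(TCP, 1, False) + bytes(8))
# Malformed: Hop-by-Hop Options placed after Destination Options
SAMPLE_HBH_NOT_FIRST = ipv6_packet(DEST_OPTS, pad_options_header(HOP_BY_HOP)
                                   + pad_options_header(TCP) + TCP_STUB)

if __name__ == "__main__":
    for name, pkt in (("first fragment", SAMPLE_FIRST_FRAGMENT), ("later fragment", SAMPLE_LATER_FRAGMENT)):
        chain, upper, off = walk_header_chain(pkt)
        print(name, chain, "upper-layer", upper, "at", off, "ordered", follows_rfc2460_order(chain))
    print("hop-by-hop not first rejected:", rejects(SAMPLE_HBH_NOT_FIRST))
```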
33
Internet Control MessageProtocol v6 (ICMPv6)
ICMPv6 packet: IPv6 base header, then ICMPv6 Type | ICMPv6 Code | Checksum, then ICMPv6 Data
• ICMPv6 is used to report errors encountered in processing packets, and to perform other internet-layer functions, such as diagnostics.
• Two kinds of messages
– Error
– Informational
• Next header value of 58
34
ICMP Messages
Description: ICMP Type (RFC 792) / ICMPv6 Type (RFC 2463, 2461)
Destination unreachable: 3 / 1
Source Quench: 4 / –
Packet too big: – / 2
Time Exceeded: 11 / 3
Parameter Problem: 12 / 4
Time stamp: 13 / –
Timestamp Reply: 14 / –
Information Request: 15 / –
Information Reply: 16 / –
Echo Request: 8 / 128
Echo Reply: 0 / 129
Router Advertisement: – / 134
Neighbor Solicitation: – / 135
Neighbor Advertisement: – / 136
Router Redirect: 5 / 137
ICMP messages common to both IPv4 and IPv6: Destination unreachable, Time Exceeded, Parameter Problem, Echo Request, Echo Reply, Router Redirect.
ICMP messages specific to IPv4: Source Quench, Time stamp, Timestamp Reply, Information Request, Information Reply.
ICMP messages specific to IPv6: Packet too big, Router Advertisement, Neighbor Solicitation, Neighbor Advertisement.
35
Router Advertisement
RA: ICMP Type = 134; Src = Router Link-local Address; Dst = All-nodes multicast address (FF02::1); Data = options, prefix, lifetime, autoconfig flag
• Routers send periodic Router Advertisements (RA) to the all-nodes multicast address.
• Hosts may also request with a router solicitation message.
36
Path MTU Discovery
[Figure: Source to Destination across links with MTUs of 1500, 1500, 1400 and 1300. Source sends a packet with MTU = 1500; ICMP error: packet too big, use MTU = 1400. Source sends a packet with MTU = 1400; ICMP error: packet too big, use MTU = 1300. Source sends a packet with MTU = 1300; packet received. Path MTU = 1300.]
37
Neighbor Discovery
Exchange between hosts A and B:
ICMP type = 135 NS: Src = A; Dst = Solicited-node multicast of B; Data = link-layer address of A; Query = what is your link level address?
ICMP type = 136 NA: Src = B; Dst = A; Data = link-layer address of B
A and B can now exchange packets on this link.
• Solicited Node Multicast is prefix ff02:0:0:0:0:1:ff00::/104 + the low-order 24 bits of the IPv6 address.
• All hosts listen to their SNM Address.
38
Duplicate Address Detection
Host A on a link with host B:
ICMP type = 135 NS: Src = ::; Dst = Solicited-node multicast of A; Data = link-layer address of A; Query = what is your link local address?
• Duplicate Address Detection (DAD) uses neighbor solicitation to verify the uniqueness of an IPv6 address before an interface configures an address.
• All addresses are verified before use.
39
Router Redirect
[Figure: hosts A and B with routers R1 and R2 on the link. A sends a packet with Src = A, Dst IP = 3FFE:B00:C18:2::1 (network 3FFE:B00:C18:2::/64), Dst Ethernet = R2 (default router). R2 answers with a Redirect: Src = R2; Dst = A; Data = good router = R1.]
• Redirect is used by a router to signal the re-route of a packet to a better router.
40
Host Auto-Configuration
[Figure: the RA indicates the Site/Subnet PREFIX; each host forms its addresses as Site/Subnet PREFIX + MAC ADDRESS. Address scopes shown: Link-Local, Site-Local, Global.]
• IETF “Draft Standard” RFC2462
– Host autonomously configures its own Link-Local address.
– Router solicitation is sent by host requesting RA for configuring the global address of its interface.
– Host performs Duplicate Address Detection (DAD).
• Host Renumbering
– Host renumbering is done by modifying the RA to announce the old prefix with a shorter lifetime than the new prefix.
41
IPv6 Address Representations
• Preferred Form
• Compressed Form
• Mixed Forms
42
Preferred Form
x:x:x:x:x:x:x:x
• 'x's are the hexadecimal values of the eight 16-bit pieces of the address.
• It is not necessary to place leading zeros in a field.
• Examples:
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
1080:0:0:0:8:800:200C:417A
43
Compressed Form
x:x::x:x
• The use of "::" indicates one or more groups of 16 bits of zeros.
• The "::" can only appear once in an address.
• Examples:
1080:0:0:0:8:800:200C:417A = 1080::8:800:200C:417A
0:0:0:0:0:0:0:1 = ::1
44
Mixed Form
x:x:x:x:x:x:d.d.d.d
• ‘x’s are the hexadecimal values of the six high-order 16-bit pieces of the address.
• ‘d’s are the decimal values of the four low-order 8-bit pieces of the address (standard IPv4 representation).
• Examples:
0:0:0:0:0:0:13.1.68.3
0:0:0:0:0:FFFF:129.144.52.38
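The three textual forms from the last three slides carried out in code, as an added example that is not from the tutorial: a parser that accepts preferred, compressed and mixed notation under the rules stated above (single "::", one to four hex digits per group, dotted quad for the low-order 32 bits) and yields the 16-byte address, with the reverse mappings back to compressed and mixed text. Uppercase hex output follows the slide examples.

```python
import string

def _group(text: str) -> int:
    """One 16-bit piece: one to four hex digits, leading zeros optional."""
    if not (1 <= len(text) <= 4) or any(c not in string.hexdigits for c in text):
        raise ValueError("bad 16-bit group %r" % text)
    return int(text, 16)

def parse_ipv6(text: str) -> bytes:
    """Parse the preferred (x:x:x:x:x:x:x:x), compressed (::) or mixed (x:x:x:x:x:x:d.d.d.d) form."""
    if text.count("::") > 1:
        raise ValueError('"::" may appear only once')
    if "." in text:
        # Mixed form: the dotted quad stands for the two low-order 16-bit groups.
        idx = text.rindex(":")
        octets = [int(o) for o in text[idx + 1:].split(".")]
        if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            raise ValueError("bad embedded IPv4 address")
        text = text[:idx + 1] + "%x:%x" % ((octets[0] << 8) | octets[1], (octets[2] << 8) | octets[3])
    if "::" in text:
        left, right = text.split("::")
        lgroups = [_group(g) for g in left.split(":")] if left else []
        rgroups = [_group(g) for g in right.split(":")] if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError('"::" must stand for at least one group of zeros')
        groups = lgroups + [0] * missing + rgroups
    else:
        groups = [_group(g) for g in text.split(":")]
        if len(groups) != 8:
            raise ValueError("preferred form needs eight groups")
    return b"".join(g.to_bytes(2, "big") for g in groups)

def compress(addr: bytes) -> str:
    """Compressed form: the longest run of zero groups (the first one on ties) becomes "::"."""
    groups = [int.from_bytes(addr[i:i + 2], "big") for i in range(0, 16, 2)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    hexg = ["%X" % g for g in groups]
    if best_len == 0:
        return ":".join(hexg)
    return ":".join(hexg[:best_start]) + "::" + ":".join(hexg[best_start + best_len:])

def mixed_form(addr: bytes) -> str:
    """Mixed form: six hex groups, then the low-order 32 bits as dotted decimal."""
    groups = [int.from_bytes(addr[i:i + 2], "big") for i in range(0, 12, 2)]
    return ":".join("%X" % g for g in groups) + ":" + ".".join(str(b) for b in addr[12:])

def is_valid_ipv6(text: str) -> bool:
    """Validation front end, e.g. for input received from an untrusted client."""
    try:
        parse_ipv6(text)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for example in ("FEDC:BA98:7654:3210:FEDC:BA98:7654:3210", "1080:0:0:0:8:800:200C:417A",
                    "0:0:0:0:0:0:0:1", "0:0:0:0:0:0:13.1.68.3", "0:0:0:0:0:FFFF:129.144.52.38"):
        packed = parse_ipv6(example)
        print(example, "->", packed.hex(), "->", compress(packed), "/", mixed_form(packed))
    print("1::2::3 valid?", is_valid_ipv6("1::2::3"))
```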
45
IPv6 Address Types
• Unicast (One to One)
• Multicast (One to Many)
• Anycast (One to Nearest)
46
Unicast Addresses
• IPv6 unicast addresses identify interfaces and sub-interfaces.
• An interface may be assigned one or more IPv6 unicast addresses. This is also true for IPv6 multicast and anycast addresses.
• An IPv6 unicast address on any interface of a node may be used to identify that node.
47
Unspecified andLoopback Addresses
• Unspecified Address 00…00 (::)
– Indicates the absence of a permanent IPv6 address; therefore, must never be permanently assigned to any interface of a host.
– Typically used during the initialization phase of auto-configuration.
The unspecified address must not be used as the destination address of IPv6 packets or in IPv6 Routing Headers. An IPv6 packet with an unspecified source address must never be forwarded by an IPv6 router.
• Loopback Address 00…01 (::1)
– Used by a host to send an IPv6 packet to itself.
– Is considered a “logical” interface; therefore, must never be assigned to any physical interface or sub-interface.
The loopback address must not be used as the source address in IPv6 packets that are sent outside of a single host. An IPv6 packet with a destination address of loopback must never be sent outside of a single host and must never be forwarded by an IPv6 router. A packet received on an interface with destination address of loopback must be dropped.
48
Link-Local andSite-Local Addresses
• Link-Local IPv6 Addresses (FE80…)
– Used for automatic address configuration, neighbor discovery, or when no routers are present.
– Routers must not forward any packets with link-local source or destination addresses to other links.
Link-local format: 1111111010 (10 bits) | 0 (54 bits) | interface ID (64 bits)
• Site-Local IPv6 Addresses (FEC0…)
– Used for addressing inside of a site without the need for a global prefix. Although a subnet ID may be up to 54 bits long, it is expected that globally-connected sites will use the same 16-bit subnet IDs for site-local and global prefixes.
– Routers must not forward any packets with site-local source or destination addresses outside of the site.
Site-local format: 1111111011 (10 bits) | subnet ID (54 bits) | interface ID (64 bits)
49
Global Unicast Addresses
• Global Unicast Addresses
– The global routing prefix is a (typically hierarchically-structured) value assigned to a site.
– The subnet ID is an identifier of a link within the site.
– Global unicast addresses starting with binary 000 have no constraint on the size or structure of the interface ID field. Those not starting with binary 000 have a 64-bit interface ID field which is constructed in modified EUI-64 format.
Global unicast format: Global Routing Prefix (n bits) | subnet ID (m bits) | interface ID (128–m–n bits)
50
IPv4 Addr within IPv6 Addr
• IPv4-compatible IPv6 Addresses
– A coexistence mechanism for hosts and routers to dynamically tunnel IPv6 packets over IPv4 routing infrastructure.
– The IPv4 address must be globally unique.
• IPv4-mapped IPv6 Addresses
– This address type is used to represent the address of an IPv4 node as an IPv6 address.
– The IPv4 address must be globally unique.
IPv4-compatible format: 0 (80 bits) | 0000 (16 bits) | IPv4 Address (32 bits)
IPv4-mapped format: 0 (80 bits) | FFFF (16 bits) | IPv4 Address (32 bits)
51
Interface IDs
• Administratively assigned
• Randomly assigned
• Auto-Configured
52
IEEE 802 Addresses
24 bits 24 bits
ccccccug cccccccc cccccccc xxxxxxxx xxxxxxxx xxxxxxxx
• The first 24 bits is the IEEE assigned manufacturer ID.
• The last 24 bits is the Board ID assigned by the manufacturer.
• Universal/Local bit (U/L)
– Determines if the address is globally or locally administered. When set to 0, the IEEE designates a unique company ID. When set to 1, the address is assigned by local administration.
• Individual/Group (I/G)
– Determines if the address is a unicast or multicast address. When set to 0, it is a unicast address. When set to 1, it is a multicast address.
53
Modified EUI-64 Identifier
IEEE 802 address (24-bit manufacturer ID + 24-bit board ID): ccccccug cccccccc cccccccc xxxxxxxx xxxxxxxx xxxxxxxx
Step 1. Insert FFFE between the two halves to form the 64-bit EUI-64 address: ccccccug cccccccc cccccccc 11111111 11111110 xxxxxxxx xxxxxxxx xxxxxxxx
Step 2. Complement the U/L bit to form the IPv6 Interface ID.
54
IPv6 Anycast Addresses
• A packet sent to an anycast address is routed to the "nearest" interface having that address.
• Assigned from the unicast address space.
• Subnet Router anycast address (the only one currently required)
• There is little operational experience with anycast addresses
– An anycast address must not be used as the source address of an IPv6 packet.
– An anycast address must not be assigned to an IPv6 host, that is, it may be assigned to an IPv6 router only.
Subnet Router anycast format: subnet prefix (n bits) | 00000000000000000000 (128-n bits)
55
Multicast IPv6 Addresses
Multicast format: 11111111 (8 bits) | flgs (4 bits) | scop (4 bits) | Group ID (112 bits)
• An identifier for a group of interfaces (typically on different nodes).
• An interface may belong to any number of multicast groups.
• Flags [000T]
– The high-order 3 flags are reserved, and must currently be initialized to 0s.
– T = 0; a permanently-assigned multicast address assigned by IANA.
– T = 1; indicates a transient multicast address.
• Scope – [xxxx]
– 0 reserved
– 1 interface-local scope
– 2 link-local scope
– 3 reserved
– 4 admin-local scope
– 5 site-local scope
– 6 (unassigned)
– 7 (unassigned)
– 8 organization-local scope
– 9 (unassigned)
– A (unassigned)
– B (unassigned)
– C (unassigned)
– D (unassigned)
– E global scope
– F reserved
– "unassigned" scopes are available for administrators to define additional multicast regions.
56
Reserved Multicast Addresses
Address / Meaning / Scope
FF01::1 All Nodes Node-local (loopback)
FF02::1 All Nodes Link-local
FF01::2 All Routers Node-local
FF02::2 All Routers Link-local
FF05::2 All Routers Site-local
FF02::1:FFXX:XXXX Solicited-Node Link-local
• These multicast addresses are reserved and shall never be assigned to any multicast group.
– FF00:0:0:0:0:0:0:0 through FF0F:0:0:0:0:0:0:0
57
A Host Must Recognize
• Link-Local Addresses for each of the host's interfaces.
• Any additional Unicast and Anycast Addresses that have been configured for the host's interfaces (manually or automatically).
• The loopback address.
• The All-Nodes Multicast Addresses.
• The Solicited-Node Multicast Address for each of the host's unicast and anycast addresses.
• Multicast Addresses of all other groups to which the host belongs.
58
A Router Must Recognize
• All addresses that a host is required to recognize, plus:
• The Subnet-Router Anycast Addresses for all interfaces for which it is configured to act as a router.
• All other Anycast Addresses with which the router has been configured.
• The All-Routers Multicast Addresses.
59
Routing Protocols
• As with IPv4, IPv6 has 2 families of routing protocols: IGP and EGP.
• IPv6 still uses the longest-prefix match routing algorithm.
• EGP: MP-BGP4
• IGP
– RIPng
– OSPFv3
– Integrated IS-IS
60
MP-BGP4
• IETF “Proposed Standard” RFC 2858 defines BGP4 extensions to enable it to carry routing information for multiple Network Layer protocols (e.g., IPv6, IPX, etc...).
• IETF “Proposed Standard” RFC 2545 defines MP-BGP4 extension attributes for IPv6 Inter-domain Routing.
• MP-BGP4 routes are configurable.
– IPv4 routes only.
– IPv6 routes only.
– Both IPv4 and IPv6 routes.
• MP-BGP4 transport is configurable over IPv4 or IPv6
61
RIPng
• IETF “Proposed Standard” RFC 2080 describes the minimum changes to the Routing Information Protocol (RIP), as specified in RFC 1058 and RFC 1723, necessary for operation with IPv6.
• Based on RIPv2 with IPv6 specific updates
– IPv6 prefix, next-hop IPv6 address
– Uses the multicast group FF02::9, the all-rip-routers multicast group, as the destination address for RIP updates.
– Uses IPv6 for transport
• RIPng routes are IPv6 only.
• RIPng transport is over IPv6 only.
62
OSPFv3
• IETF “Proposed Standard” RFC 2740 describes the modifications to OSPF to support IPv6.
• Based on OSPFv2 with IPv6 updates
• OSPFv3 routes are IPv6 only.
• OSPFv3 transport is over IPv6 only.
63
Integrated ISIS
• IETF Internet Draft-ietf-isis-ipv6-05 describes the changes to ISIS necessary for operation with IPv6.
• Integrated ISIS routes are configurable.
– IPv4 routes only.
– IPv6 routes only.
– OSI routes only.
– IPv4, IPv6, and OSI routes or combinations.
• Integrated ISIS transport is configurable over IPv4, IPv6, or OSI.
64
3. Integrating IPv6
• DNS
• Applications
• Coexistence mechanisms
65
Domain Name System (DNS)
• DNS is critical to the success of the IPv6 transition!
• IETF “Draft Standard” RFC 3596
– New AAAA resource record for IPv6
– Common forward DNS lookup tree for IPv4 and IPv6. Roots of the forward tree may or may not be the same.
– A resource record retained for IPv4
– Reverse lookup tree in-addr.arpa retained for IPv4.
• IETF “Best Current Practice” RFC 3152
– New reverse lookup tree ip6.arpa for IPv6.
• IETF “Experimental” RFC 2874 (Deprecated)
– A6 resource records.
66
Domain Name System (DNS)
• Most DNS Server implementations, such as BIND, have support for IPv6 resource records and can respond to forward and reverse DNS queries over IPv6.
• Many DNS Client implementations can perform forward and reverse IPv6 queries and transport these queries over IPv6.
67
Applications
[Figure: dual stack node. An “Old” Application and a “New” Application sit over TCP and UDP, over IPv4 and IPv6 side by side, over the Data Link (Ethernet), with Ethertypes 0x0800 for IPv4 and 0x86DD for IPv6.]
• Dual stack node means: both IPv4 and IPv6 stacks enabled and applications talk to both. Choice of the IP version in use is based upon name lookup and application preference.
68
Components of Applications Impacted by IPv6 Porting
• Data structures.
• New network function calls.
• Hard-coded IPv4 addresses.
• Some user interfaces.
• Some underlying protocols such as RPC.
• New decision logic/code must be added.
69
Coexistence Mechanisms
• Dual Stack (Dual IP)
– Complete support for both Internet protocols, IPv4 and IPv6, in hosts and routers.
– Most preferred mechanism.
• Tunneling Techniques
– The encapsulation of packets of one IP version number within packets of a second IP version number in order to traverse clouds of the second IP version number.
• Translation Techniques
– Enables IPv6-only devices to communicate with IPv4-only devices and vice versa.
– Least desirable set of mechanisms.
70
Tunneling Techniques
• 6over4
• ISATAP
• 6to4
• Configured Tunnels
• DSTM
• Teredo
• Tunnel Broker
• BGP Tunnel
71
6over4
• Mechanism to automatically interconnect IPv6 hosts over an IPv4 multicast enabled network.
• Defined in IETF “Proposed Standard” RFC 2893
• IPv4 multicast emulates the layer 2 functionality of IEEE 802 networks for IPv6 ND and RS/RA.
• The local IPv4 network appears as a single IPv6 subnet.
• Once IPv6 neighbours are known, hosts automatically tunnel IPv6 to each other through the IPv4 network.
• Not widely deployed due to the lack of IPv4 multicast enabled networks.
• Does not solve the problem of connecting hosts to the global IPv6 Internet.
• Utilizes IPv4-compatible IPv6 addresses
IPv4-compatible format: 0 (80 bits) | 0000 (16 bits) | IPv4 Address (32 bits)
72
6over4
[Figure: IPv4/v6 hosts on an IPv4 multicast enabled network, attached to the IPv4 Internet, reaching each other through IPv6 within IPv4 tunnels.]
73
6to4
• Mechanism to automatically interconnect IPv6 sites via an IPv4 transport network.
• Defined in IETF “Proposed Standard” RFC 3056
• 48-bit IPv6 site prefix is built using the 6to4 gateway router's public IPv4 address.
• 6to4 gateway routers initiate a tunnel to the IPv4 address of the 6to4 relay router on the public Internet. The 6to4 relay router responds by building a reverse tunnel with the information provided.
6to4 address format: 2002 (16 bits) | IPv4 Address (32 bits) | subnet ID (16 bits) | interface ID (64 bits)
74
6to4
[Figure: 6to4 gateway routers at IPv6 sites tunnel IPv6 within IPv4 across the IPv4 Internet to a 6to4 relay router that connects to the IPv6 Internet.]
75
ISATAP
• Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
• Mechanism to automatically interconnect IPv6 hosts over an IPv4 network.
• Defined in Internet Draft draft-ietf-ngtrans-isatap-16
• The local IPv4 network appears as a single IPv6 subnet.
• IPv6 hosts can communicate by tunneling IPv6 packets to the IPv4 address in the IPv6 address suffix.
• Can utilize public or private IPv4 addresses.
– When a public IPv4 address, 00025EFE.
– When a private IPv4 address, 00005EFE.
ISATAP address format: Subnet Prefix (64 bits) | 000[0/2]5EFE (32 bits) | IPv4 address (32 bits)
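The IPv4-in-IPv6 layouts from the IPv4-compatible, IPv4-mapped, 6to4 and ISATAP slides, as an added example not from the tutorial: builders for 6to4 and ISATAP addresses and a classifier that pulls the embedded IPv4 address back out, which is how a log review tells native IPv6 from automatically tunneled traffic that may have bypassed IPv4-only filtering. All addresses are constructed samples from documentation and private ranges.

```python
import ipaddress

def six_to_four_prefix(ipv4: str) -> str:
    """6to4 site prefix: 2002 followed by the gateway router's public IPv4 address (/48)."""
    v4 = ipaddress.IPv4Address(ipv4)
    return "%s/48" % ipaddress.IPv6Address(b"\x20\x02" + v4.packed + bytes(10))

def isatap_address(prefix64: str, ipv4: str, public: bool) -> str:
    """ISATAP: 64-bit subnet prefix, then 0200:5EFE (public IPv4) or 0000:5EFE (private), then IPv4."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 subnet prefix")
    marker = b"\x02\x00\x5e\xfe" if public else b"\x00\x00\x5e\xfe"
    v4 = ipaddress.IPv4Address(ipv4).packed
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + marker + v4))

def embedded_ipv4(addr):
    """Classify an address by the IPv4-in-IPv6 layouts on these slides.

    Returns (mechanism, embedded IPv4 address as text) or None for a native address.
    The order of the checks matters: 6to4 is decided by the 2002::/16 prefix before the
    interface ID is inspected, and :: and ::1 are excluded from IPv4-compatible.
    """
    a = ipaddress.IPv6Address(addr)
    p = a.packed
    if p[:2] == b"\x20\x02":
        return "6to4", str(ipaddress.IPv4Address(p[2:6]))
    if p[8:12] == b"\x02\x00\x5e\xfe":
        return "ISATAP (public IPv4)", str(ipaddress.IPv4Address(p[12:]))
    if p[8:12] == b"\x00\x00\x5e\xfe":
        return "ISATAP (private IPv4)", str(ipaddress.IPv4Address(p[12:]))
    if p[:10] == bytes(10) and p[10:12] == b"\xff\xff":
        return "IPv4-mapped", str(ipaddress.IPv4Address(p[12:]))
    if p[:12] == bytes(12) and a not in (ipaddress.IPv6Address("::"), ipaddress.IPv6Address("::1")):
        return "IPv4-compatible", str(ipaddress.IPv4Address(p[12:]))
    return None

def tunnel_summary(addresses):
    """Count how many addresses (e.g. pulled from a log) derive from each mechanism."""
    counts = {}
    for text in addresses:
        hit = embedded_ipv4(text)
        key = hit[0] if hit else "native"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample addresses, as they might appear in a firewall or web-server log.
SAMPLE_ADDRESSES = [
    "2002:c000:201:1::1",            # 6to4 site behind gateway 192.0.2.1
    "fe80::5efe:192.168.1.10",       # ISATAP link-local built from a private IPv4 address
    "::ffff:129.144.52.38",          # IPv4-mapped (the example from the Mixed Form slide)
    "2001:db8::1",                   # native IPv6
]

if __name__ == "__main__":
    print("6to4 prefix for 192.0.2.1:", six_to_four_prefix("192.0.2.1"))
    print("ISATAP:", isatap_address("2001:db8:0:1::/64", "198.51.100.7", public=True))
    for text in SAMPLE_ADDRESSES:
        print(text, "->", embedded_ipv4(text))
    print(tunnel_summary(SAMPLE_ADDRESSES))
```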
76
ISATAP
[Figure: IPv4/v6 hosts on an IPv4 network tunnel IPv6 within IPv4 to an IPv4/v6 ISATAP router, which connects them across the IPv4 Internet to the IPv6 Internet.]
77
Configured Tunnels
• Mechanism to interconnect IPv6 sites over an IPv4 transport network.
• Defined in IETF “Proposed Standard” RFC 2893
• Tunnels are manually configured on each device with a tunnel endpoint.
• Configuration is static and therefore cannot change dynamically as the network needs and routing change.
• Utilized extensively by the 6bone.
78
Configured Tunnels
[Figure: static IPv6 in IPv4 tunnels carry traffic from an IPv4 network across the IPv4 Internet to the IPv6 Internet.]
79
DSTM
• Dual Stack Transition Mechanism (DSTM)
• Mechanism that utilizes IPv4-over-IPv6 tunnels to carry IPv4 traffic within an IPv6 dominant network
• Defined in IETF ID draft-bound-dstm-exp-00
• Provides a method to allocate a temporary IPv4 address to Dual IP Layer IPv6/IPv4 capable nodes.
• Intended to reduce the need for IPv4 NAT for certain early IPv6 adopters.
• Utilizes IPv4-mapped IPv6 addresses.
IPv4-mapped format: 0 (80 bits) | FFFF (16 bits) | IPv4 Address (32 bits)
80
DSTM
[Figure: an IPv6 dominant network with a DHCPv6 server and IPv4/v6 hosts A and B; IPv4 in IPv6 tunnels carry their IPv4 traffic to a DSTM border router, which forwards it to an IPv4 host on the IPv4 Internet.]
81
Teredo
• Mechanism to automatically interconnect IPv6 hosts over an IPv4 network with NAT.
• AKA IPv4 NAT traversal for IPv6.
• Defined in Internet Draft draft-huitema-v6ops-teredo-00.
• Utilizes IPv6/UDP/IPv4 tunneling.
Teredo address format: Teredo Prefix (32 bits) | Teredo Server IPv4 Address (32 bits) | Flags (16 bits) | Obs. Ext. port (16 bits) | Obs. Ext. IPv4 Address (32 bits)
82
Teredo
[Figure: Teredo Clients (IPv4/v6 hosts) on the IPv4 Internet reach the IPv6 Internet through a Teredo Server and Teredo Relays.]
83
Tunnel Broker
• Mechanism to automatically interconnect IPv6 hosts and small sites over an IPv4 network.
• Allows intuitive web-based setup of configured tunnels.
• IETF “Informational” RFC 3053.
• A Tunnel Broker is a server that a user connects with to register and activate tunnels. It manages tunnel creation, modification and deletion on one or more dual-stacked tunnel servers on behalf of the user.
Tunnel Broker
[Figure: an IPv4/v6 host on the IPv4 Internet registers with the Tunnel Broker, which configures tunnel servers that connect the host to the IPv6 Internet.]
BGP Tunnel
• Mechanism to interconnect IPv6 sites over an IPv4 transport network.
• IETF Internet Draft draft-ooms-v6ops-bgp-tunnel-00.
• A dual stack multi-protocol BGP edge router is required per IPv6 island.
• MP-BGP information is utilized to configure tunnel endpoints.
• Two approaches:
– MP-BGP over IPv4 relies on identification of MP-BGP-speaking edge routers by their IPv4 address and uses a trivial tunneling mechanism without any explicit tunnel configuration.
– MP-BGP over IPv6 relies on existing ngtrans tunneling mechanisms to tunnel packets.
BGP Tunnel
[Figure: dual-stacked MP-BGP speaking routers at the edge of an IPv4 network tunnel traffic across the IPv4 Internet to the IPv6 Internet.]
Translation Techniques
• SIIT
• BIA
• BIS
• SOCKS
• TRT
• NAT-PT
Stateless IP/ICMP Translation Algorithm (SIIT)
• Mechanism defining IPv4 to IPv6 header conversion and vice versa.
• Mechanism also defines ICMP to ICMPv6 header conversion and vice versa.
• Defined in IETF “Proposed Standard” RFC 2765.
• SIIT neither specifies address assignment nor routing to and from the IPv6 hosts when they communicate with the IPv4-only hosts.
Bump in the API (BIA)
• Mechanism allows dual stacked hosts to communicate with other IPv6 hosts using existing IPv4 applications.
• Defined in IETF “Informational” RFC 3338.
• BIA utilizes an API SW translator which is inserted between the TCP/IP module and the network card driver.
• The API translator relies on a SIIT based IP conversion mechanism.
• BIA's implementation is also dependent upon the network interface driver.
BIA
[Figure: BIA host architecture: IPv4 applications → Socket API (IPv4, IPv6) → API translator (name resolver, address mapper, function mapper) → TCP(UDP)/IPv4 and TCP(UDP)/IPv6 → network card drivers → network cards → IPv4 Internet / IPv6 Internet.]
Bump in the Stack (BIS)
• Mechanism allows dual stacked hosts to communicate with other IPv6 hosts using existing IPv4 applications.
• Defined in IETF “Informational” RFC 2767.
• BIS utilizes a SW translation module inserted between the TCP/IPv4 stack and the network card driver.
• The SW translation module relies on a SIIT based IP conversion mechanism.
BIS
[Figure: BIS host architecture: IPv4 applications → TCP/IPv4 → translation module (extension name resolver, address mapper, translator) → IPv6 → network card drivers → network cards → IPv4 Internet / IPv6 Internet.]
SOCKS
• Mechanism relays two "terminated" IPv4 and IPv6 connections at an application layer gateway.
• Defined in IETF “Informational” RFC 3089.
• Based upon the SOCKSv5 protocol.
• SOCKS requires modification to some hosts.
• SOCKS does not utilize SIIT.
SOCKS
[Figure: a client (application, SOCKS library, socket/DNS, TCP/IPv4, network IF) on the IPv4 Internet connects to a SOCKS application layer gateway (TCP/IPv4 and TCP/IPv6 stacks), which opens a separate connection to the destination (application, socket/DNS, TCP/IPv6, network IF) on the IPv6 Internet.]
Transport Relay Translator (TRT)
• A TRT system, which is located between IPv6-only and IPv4-only hosts, translates TCP/IPv6 to TCP/IPv4 or UDP/IPv6 to UDP/IPv4, and vice versa.
• Defined in IETF “Informational” RFC 3142.
• TRT is designed to require no extra modification on hosts.
• TRT is a stateful translation method and does not utilize SIIT.
• Supports bi-directional traffic only.
TRT
[Figure: an IPv6-only host (application, socket/DNS, TCP/IPv6, network IF) on the IPv6 Internet reaches an IPv4 host (application, socket/DNS, TCP/IPv4, network IF) on the IPv4 Internet through a TRT relay that terminates TCP/IPv6 on one side and TCP/IPv4 on the other.]
Network Address Translation – Protocol Translator (NAT-PT)
• This mechanism provides transparent routing to and from the IPv4 and IPv6 realms as well as translation. This is achieved using a combination of Network Address Translation and Protocol Translation.
• Defined in IETF “Proposed Standard” RFC 2766.
• Utilizes a SIIT based IP conversion mechanism.
• Uses a pool of globally unique IPv4 addresses for assignment to IPv6 nodes on a dynamic basis as sessions are initiated.
• Suffers from shortcomings similar to those of IPv4 NAT.
NAT-PT
[Figure: an IPv6 host (application, socket/DNS, TCP/IPv6, network IF) on the IPv6 Internet reaches an IPv4 host (application, socket/DNS, TCP/IPv4, network IF) on the IPv4 Internet through a NAT-PT box that translates between TCP/IPv6 and TCP/IPv4 in the path.]
Advanced IPv6 Topics
• Mobility
• Quality of Service
• Security and IPsec
IPv6 Mobility Introduction
• What is IPv6 mobility?
– Allows mobile computers (nodes) to maintain transport and upper-layer connections while the mobile node changes its location, connectivity to a network, and layer 3 address.
IPv6 Mobility Terminology
• Home Agent – a router on a mobile node's home network that maintains information about the device's current location.
• Home Address – An IP address assigned to a mobile node within its home link.
• Home network (link) – The link on which a mobile node's home subnet prefix is defined, providing for IP routing.
• Mobile node – A node that can change its point of attachment from one link to another, while still being reachable via its home address.
• Movement – A change in a mobile node's point of attachment to the Internet such that it is no longer connected to the same link as it was previously.
• Correspondent node – A peer node with which a mobile node is communicating. The correspondent node may be either mobile or stationary.
• Foreign link – Any link other than the mobile node's home link.
• Foreign agent – A router serving as a mobility agent for a mobile node.
• Care-of address – An IP address associated with a mobile node while visiting a foreign link.
• Among the multiple care-of addresses that a mobile node may have at a time, the one registered with the mobile node's home agent is called its “primary” care-of address.
IPv6 Mobility Introduction
The role of Mobile IP in current wireless networks:
Source: Martin Dunmore, Mobile IPv6 Activities at Lancaster University
IPv6 Mobility Introduction
The role of Mobile IP in current wireless networks:
[Figure: Mobile IP sits above the access technologies (GSM/GPRS, WCDMA with its core network (CN, GTP), CDMA/CDMA2000, WiFi/L2) and the IP network core.]
Source: Karim El Malki, IPv6 mobility presentation, June 2003, San Diego
IPv6 Mobility Introduction
• Mobility in IPv4
– 1. MN discovers Foreign Agent (FA)
– 2. MN obtains COA (FA Care-of Address)
– 3. MN registers with FA, which relays the registration to HA
– 4. HA tunnels packets from CN to MN through FA
– 5. FA forwards packets from MN to CN or reverse tunnels through HA (RFC 3024)
IPv6 Mobility Introduction
• How IPv6 Mobility varies from today’s IPv4 mobile model
– No Foreign Agents
– Uses IPv6 auto-config
– No triangle routing
– Mobile node can route directly to a correspondent node (and vice versa)
IPv6 Mobility Introduction
• Mobile IPv6 allows a mobile node to move from one link to another without changing the mobile node’s IP address
• A mobile node is always addressable by its “Home Address”
• A home address is assigned to a mobile node from its home subnet prefix on its home link
• Packets will be routed to the mobile node using this address regardless of the mobile node’s current point of attachment to the Internet.
IPv6 Mobility Introduction
• Features and Mechanisms of Mobile IPv6
– Bi-directional movement detection mechanism
– Uses IPv6 Routing header (type 2)
– A “home agent” intercepts and delivers packets destined for the mobile node
– The home agent uses an IPv6 anycast address (RFC 2526)
– Mobile IPv6 defines one new destination option, the Home Address destination option
– A new mobility extension header
IPv6 Mobility Introduction
• The Mobile IPv6 protocol is just as suitable for mobility across homogeneous media as for mobility across heterogeneous media
• The Mobile IPv6 protocol solves network-layer mobility management problems
• Transparently routes packets to and from mobile nodes while away from home
IPv6 Mobility Introduction
• Mobile IPv6 does not attempt to deal with
– Links with partial reachability or unidirectional connectivity
– Access control on a link being visited by a mobile node
– Mobile routers
– Service Discovery
– Distinguishing between errors versus network congestion
IPv6 Mobility Introduction
• Mobile IPv6 makes use of IPv6 features
– Neighbor Discovery
– Address Autoconfiguration
– Extension Headers
IPv6 Mobility Introduction
• HMIPv6 - Hierarchical Mobile IPv6 mobility management – draft 8
– Extends Mobile IPv6 and IPv6 ND
• Local mobility handling
• Reduces the amount of signalling
• Improves handoff speed
IPv6 Mobility Overview
• When the mobile node is attached to its home link, standard IP routing is used for delivery
[Figure: the home agent on the home subnet prefix; the mobile node is on the home link using its home address.]
IPv6 Mobility Overview
• When the mobile node experiences movement, its care-of address changes
[Figure: the mobile node has moved to a wireless foreign link served by a foreign agent; across the Internet, the home agent on the home subnet prefix proxies ("listens" for) the home address.]
IPv6 Mobility Overview
[Figure: correspondent node and home agent on the Internet; the mobile PDA is attached via a comm. tower.]
1. A correspondent node (CN) on the Internet wants to communicate with a mobile node (MN).
2. The CN sends a packet to the MN's "Home Address".
3. The home agent proxy listens to the MN's home address.
4. The home agent encapsulates the data and forwards it to the MN's current Care-of Address (COA).
5. The MN decapsulates the received data.
6. The MN directly responds to the CN using the MN's home address as the source.
7. This triangle routing continues. The MN uses "binding updates" to inform the home agent of its new COA.
IPv6 Mobility Overview
[Figure: correspondent node and home agent on the Internet; the mobile PDA is attached via a comm. tower.]
1. A correspondent node (CN) on the Internet wants to communicate with a mobile node (MN).
2. The CN sends a packet to the MN's "Home Address".
3. The home agent proxy listens to the MN's home address.
4. The home agent encapsulates the data and forwards it to the MN's current Care-of Address (COA).
5. The MN decapsulates the received data.
6. The MN directly responds to the CN using the MN's COA address and includes a binding update.
7. The CN can now communicate directly with the MN using its COA. Binding updates keep this connection alive as movement occurs.
IPv6 Mobility – Return routability
• Securing Bindings between MN and CN
– Uses Return Routability Procedure
[Figure: correspondent node, home agent and mobile PDA across the Internet: the MN initiates the test for HoA/CoA, the CN tests HoA/CoA, and the result is an authenticated binding.]
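The return routability exchange and the binding update it protects, as an added example that is not part of the tutorial: both sides' messages are simulated in one process, with token and key derivations following RFC 3775 section 5.2. Kcn, nonces, addresses and the mobility-header data are constructed values; the second function shows why a node that saw only the care-of path cannot produce a binding the CN accepts.

```python
# Added example: the Mobile IPv6 return routability procedure, simulated in one
# process. Token and key derivations follow RFC 3775 section 5.2; Kcn, nonces,
# addresses and the MH data are constructed values, not from the tutorial.
import hashlib
import hmac
import ipaddress
import os


def _first(bits: int, data: bytes) -> bytes:
    """First(bits, data) as written in RFC 3775."""
    return data[: bits // 8]


def binding_key(home_token: bytes, careof_token: bytes) -> bytes:
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + careof_token).digest()


def bu_authenticator(kbm: bytes, coa: str, cn_addr: str, mh_data: bytes) -> bytes:
    """First(96, HMAC_SHA1(Kbm, care-of address | correspondent | MH Data))."""
    msg = (ipaddress.IPv6Address(coa).packed
           + ipaddress.IPv6Address(cn_addr).packed + mh_data)
    return _first(96, hmac.new(kbm, msg, hashlib.sha1).digest())


class CorrespondentNode:
    """CN state: the secret Kcn and its nonces. It keeps no per-MN state before
    a binding update arrives, which is the point of the design."""

    def __init__(self, addr: str):
        self.addr = addr
        self.kcn = os.urandom(20)           # never leaves the CN
        self.nonces = {0: os.urandom(8)}    # nonce index -> nonce

    def keygen_token(self, ip: str, nonce_index: int, kind: int) -> bytes:
        """kind 0: home keygen token; kind 1: care-of keygen token."""
        msg = (ipaddress.IPv6Address(ip).packed
               + self.nonces[nonce_index] + bytes([kind]))
        return _first(64, hmac.new(self.kcn, msg, hashlib.sha1).digest())

    def home_test(self, hoa: str) -> dict:
        """HoTI came in via the home agent; HoT goes back the same way."""
        return {"nonce_index": 0, "token": self.keygen_token(hoa, 0, 0)}

    def careof_test(self, coa: str) -> dict:
        """CoTI came in directly from the care-of address; CoT goes back directly."""
        return {"nonce_index": 0, "token": self.keygen_token(coa, 0, 1)}

    def verify_binding_update(self, hoa: str, coa: str, nonce_index: int,
                              mh_data: bytes, auth: bytes) -> bool:
        """Recompute both tokens from Kcn, rebuild Kbm, check the authenticator."""
        kbm = binding_key(self.keygen_token(hoa, nonce_index, 0),
                          self.keygen_token(coa, nonce_index, 1))
        return hmac.compare_digest(bu_authenticator(kbm, coa, self.addr, mh_data), auth)


def mobile_node_binding(cn: CorrespondentNode, hoa: str, coa: str,
                        mh_data: bytes = b"BU") -> bool:
    """MN side: run both tests, derive Kbm, send an authenticated binding update."""
    hot = cn.home_test(hoa)         # only a node on the home path sees this
    cot = cn.careof_test(coa)       # only a node on the care-of path sees this
    kbm = binding_key(hot["token"], cot["token"])
    auth = bu_authenticator(kbm, coa, cn.addr, mh_data)
    return cn.verify_binding_update(hoa, coa, hot["nonce_index"], mh_data, auth)


def careof_only_binding(cn: CorrespondentNode, hoa: str, coa: str,
                        mh_data: bytes = b"BU") -> bool:
    """A node that saw only the CoT (it sits on the care-of path) lacks the home
    token, so its Kbm is wrong and the CN rejects the binding."""
    cot = cn.careof_test(coa)
    kbm = binding_key(b"\x00" * 8, cot["token"])   # home token unknown: guess zeros
    auth = bu_authenticator(kbm, coa, cn.addr, mh_data)
    return cn.verify_binding_update(hoa, coa, cot["nonce_index"], mh_data, auth)
```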
IPv6 Mobility Introduction
• MANET – Mobile Ad Hoc Networks
– AODV – Ad Hoc On-Demand Distance Vector routing protocol – draft 13
– DSR – Dynamic Source Routing protocol – draft 9
– TBRPF – Topology Dissemination Based on Reverse-Path Forwarding – draft 11
– OLSR – Optimized Link State Routing – RFC 3626
Quality of Service
• What is QOS and why is it needed
– An IP network's ability to successfully transport IP packets within the requirements of an application
– Ability to ensure delivery of packets
– Ability to reserve resources in the network for transport of packets
– End-to-end QOS is important
QOS
• What is QOS and why is it needed
– Network applications require guaranteed delivery
• VOIP versus “average” HTTP
• Hierarchical requirements (Military chain of command)
QOS
• TCP applications
– Packet loss causes retransmissions
• Longer times to transfer files, images, web pages, etc.
• Extra packets that increase congestion
• UDP applications:
– Delay sensitive
• Packet becomes obsolete with long transfer delays
– Packet loss sensitive
• Application retransmissions or decreased performance of the application
– In the worst case the application does not work at all
QOS
• For QOS to work it should be
– Scalable
– Flexible
– Robust
– Ubiquitous
• QOS is only as strong as its weakest point
• Public Internet is “Best effort” IP delivery for ALL packets
QOS
• QOS mechanisms “today” remain the same in IPv6 as they exist in IPv4
– Some work through translation mechanisms
– RSVP, intserv, diffserv, etc.
– QOS services that use the IPv4 TOS (type of service) are compatible with IPv6
QOS – IPv4
[Figure: IPv4 header layout (32-bit words, bits 0 to 31): Version=4, IHL, Type of Service, Total Length; Identifier, Flags, Fragment Offset; Time to Live, Protocol, Header Checksum; Source Address; Destination Address; Options + Padding. The QOS marking lives in the 8-bit Type of Service field.]
QOS – IPv6
[Figure: IPv6 header layout (32-bit words, bits 0 to 31): Version=6, Traffic Class, Flow Label; Payload Length, Next Header, Hop Limit; Source Address (128 bits); Destination Address (128 bits).]
QOS – IPv6 – Flow Label
[Figure: the same IPv6 header with the 20-bit Flow Label field highlighted.]
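To make the two header layouts above concrete, here is an added example (not from the tutorial) that builds and reads constructed IPv4 and IPv6 headers: the IPv4 Type of Service byte and the IPv6 Traffic Class byte share the 6-bit DSCP / 2-bit ECN split of RFC 2474 and RFC 3168, which is why the TOS-based QOS services on the previous slide carry over, and the 20-bit Flow Label is extracted from the same first word. Checksums are left at zero because the samples are never sent; addresses are documentation-range values.

```python
# Added example: read and carry the QoS marking in constructed IPv4 and IPv6
# headers. DSCP/ECN split per RFC 2474/3168; checksums are left zero because the
# samples are never sent. Addresses are documentation-range values.
import ipaddress
import struct


def build_ipv4_header(dscp: int, ecn: int, total_len: int, proto: int,
                      src: str, dst: str) -> bytes:
    """20-byte IPv4 header, no options. TOS byte = DSCP (6 bits) | ECN (2 bits)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, (dscp << 2) | ecn, total_len,
                       0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def build_ipv6_header(dscp: int, ecn: int, flow_label: int, payload_len: int,
                      next_hdr: int, src: str, dst: str) -> bytes:
    """40-byte IPv6 header. First word = Version(4) | Traffic Class(8) | Flow Label(20)."""
    first = (6 << 28) | (((dscp << 2) | ecn) << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first, payload_len, next_hdr, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def parse_ipv4_qos(pkt: bytes) -> dict:
    """Version, header length, and the TOS byte split into DSCP and ECN."""
    ver_ihl, tos, _total_len = struct.unpack("!BBH", pkt[:4])
    return {"version": ver_ihl >> 4, "ihl": (ver_ihl & 0xF) * 4,
            "dscp": tos >> 2, "ecn": tos & 0x3, "protocol": pkt[9]}


def parse_ipv6_qos(pkt: bytes) -> dict:
    """Version, Traffic Class (as DSCP/ECN), Flow Label, Next Header, Hop Limit."""
    first, _payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    tclass = (first >> 20) & 0xFF
    return {"version": first >> 28, "dscp": tclass >> 2, "ecn": tclass & 0x3,
            "flow_label": first & 0xFFFFF, "next_header": next_hdr,
            "hop_limit": hop_limit}


def carry_marking_v4_to_v6(v4pkt: bytes, v6pkt: bytes) -> bytes:
    """What a translator (e.g. SIIT) does with the marking: copy the IPv4 TOS byte
    into the IPv6 Traffic Class unchanged, leaving Version and Flow Label alone."""
    tos = v4pkt[1]
    first = struct.unpack("!I", v6pkt[:4])[0]
    first = (first & 0xF00FFFFF) | (tos << 20)
    return struct.pack("!I", first) + v6pkt[4:]


def sample() -> dict:
    """Constructed pair: an EF-marked (DSCP 46) IPv4 packet and an unmarked IPv6
    packet with flow label 0xABCDE; returns the IPv6 marking after translation."""
    v4 = build_ipv4_header(46, 0, 20, 17, "192.0.2.1", "198.51.100.2")
    v6 = build_ipv6_header(0, 0, 0xABCDE, 0, 17, "2001:db8::1", "2001:db8::2")
    return parse_ipv6_qos(carry_marking_v4_to_v6(v4, v6))
```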
QOS – Future – IPv6 Flow Label
• Currently no “standard” exists that defines usage of the Flow Label for any function
• Lots of discussion and ideas on how to apply it
– When and how to use the flow label
– How many bits should be defined
– Can source apps use multiple flow labels for the same application
QOS – Future – IPv6 Flow Label
• Some example uses of the flow label
– Code upper layer information
• Difficult for nodes in transit to determine upper layer info due to encryption, fragmentation, etc.
• Provides Class of Service.
– Use similar labeling as in the 20-bit MPLS label
• Different concepts, not equally mapped
– ISP use for creating billing tags for packets
• Allow ISP to correctly bill for multicasting
QOS – Future – IPv6 Flow Label
• Reference: draft-ietf-ipv6-flow-label-08.txt
Security and IPsec
– Current Solutions
• Internet adoption grew
• Applications were designed and operated with “ad hoc” security solutions
• Provides semi-trusted and semi-secure Internet access
• Don’t address fundamental issues
• Mostly concerned with fighting symptoms
Security in IPv6
– Current Solutions
• Packet Filters and Firewalls
• Filter traffic based on predefined rules
– IP address
– port numbers
– virus patterns
• May determine “unusual” behavior
Security in IPv6 - example
Security in IPv6
• Basic Security Requirements and Techniques
– Confidentiality
• The property that stored or transmitted information cannot be read or altered by an unauthorized party
– Integrity
• The property that any alteration of transmitted or stored information can be detected
Security in IPv6
– The IPSEC framework
• A formally defined standard (RFC 2401)
• Contains 6 distinct elements:
• Description of security requirements and mechanisms on the network layer
• Security element for encryption (RFC 2406)
• Security element for authentication (RFC 2402)
• Concrete cryptographic algorithms for encryption and authentication
• Definition of Security policy and Security associations between partners
• IPSEC key management
– ISAKMP - RFC 2408 - Internet Security Association and Key Management Protocol
Security in IPv6
The IPSEC framework
Source: “IPv6 Essentials”, O’Reilly Press, 2002
Security in IPv6
– Authentication in IPv6
• Extension Header type 51 provides integrity and authentication for end-to-end data
Security in IPv6
– Authentication in IPv6
• Cryptographic checksum, also known as a message digest or hash. It uses these rules:
• IP Header version, class, and flow label are excluded from the computation. Hop Limit is assumed to contain zero.
• All Extension Headers that change en route are computed as a sequence of zeros.
• If a Routing Extension Header is present, the IPv6 destination address is set to the final destination.
• IPv6 implementations MUST support:
• Keyed message digest No. 5 (MD5)
– requires a “key”
– considered theoretically breakable
• Secure Hash Algorithm No. 1 (SHA-1)
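The rules above applied in code, as an added example that is not from the tutorial: an AH (header type 51) integrity check value is computed over a constructed transport-mode IPv6 packet with the mutable fields zeroed, then re-verified after a router has re-marked the Traffic Class and decremented the Hop Limit, and after a payload byte has been altered. The zeroing follows RFC 2402 (Version is kept; Traffic Class, Flow Label, Hop Limit and the ICV field itself are zeroed); HMAC-SHA-1-96 and HMAC-MD5-96 are the RFC 2404 and RFC 2403 96-bit truncations; the key and addresses are constructed.

```python
# Added example: IPv6 AH integrity check value with the mutable-field rules above.
# Zeroing per RFC 2402; HMAC-SHA-1-96 / HMAC-MD5-96 per RFC 2404 / RFC 2403.
# Key, addresses and payload are constructed values.
import hashlib
import hmac
import ipaddress
import struct

AH = 51           # Next Header value of the Authentication Header
ICV_LEN = 12      # 96-bit truncated digest


def ipv6_header(next_hdr, payload_len, hop, src, dst, tclass=0, flow=0):
    first = (6 << 28) | (tclass << 20) | (flow & 0xFFFFF)
    return (struct.pack("!IHBB", first, payload_len, next_hdr, hop)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


def zero_mutable(hdr):
    """IPv6 header as covered by the ICV: Version kept, Traffic Class and Flow
    Label zeroed, Hop Limit zeroed; Payload Length, Next Header, addresses kept."""
    version_only = struct.unpack("!I", hdr[:4])[0] & 0xF0000000
    return struct.pack("!I", version_only) + hdr[4:7] + b"\x00" + hdr[8:40]


def ah_fields(next_hdr, spi, seq):
    """AH without ICV: Next Header | Payload Len | Reserved | SPI | Sequence."""
    payload_len = (12 + ICV_LEN) // 4 - 2      # length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq)


def ah_icv(key, hdr, ah, upper, algo="sha1"):
    """Transport mode: digest over zeroed IP header | AH with zero ICV | upper data."""
    covered = zero_mutable(hdr) + ah[:12] + b"\x00" * ICV_LEN + upper
    return hmac.new(key, covered, getattr(hashlib, algo)).digest()[:ICV_LEN]


def build_ah_packet(key, src, dst, hop, upper, spi=0x1000, seq=1,
                    upper_next=17, algo="sha1"):
    """IPv6 header | AH (with ICV) | upper-layer data, e.g. a UDP datagram."""
    ah = ah_fields(upper_next, spi, seq)
    hdr = ipv6_header(AH, len(ah) + ICV_LEN + len(upper), hop, src, dst)
    return hdr + ah + ah_icv(key, hdr, ah, upper, algo) + upper


def verify_ah_packet(key, pkt, algo="sha1"):
    """Recompute the ICV with the same rules and compare in constant time."""
    hdr, ah, upper = pkt[:40], pkt[40:40 + 12 + ICV_LEN], pkt[40 + 12 + ICV_LEN:]
    return hmac.compare_digest(ah_icv(key, hdr, ah, upper, algo), ah[12:])


def router_forward(pkt, new_tclass):
    """Things a router may legitimately do in flight: re-mark Traffic Class and
    decrement Hop Limit. Neither invalidates the AH check."""
    first = struct.unpack("!I", pkt[:4])[0]
    first = (first & 0xF00FFFFF) | (new_tclass << 20)
    return struct.pack("!I", first) + pkt[4:7] + bytes([pkt[7] - 1]) + pkt[8:]
```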
Security in IPv6
– Authentication in IPv6
• Payload Authentication (Transport Mode)
• Transport mode authenticates all end-to-end payload plus selected headers (described previously)
– Payload Length
– Next Header
– Extension headers (not listed previously)
– Upper layer headers and data
• Some IP header fields are not protected
• Will not work in a NAT environment
Security in IPv6
– Authentication in IPv6
• Header and Payload Authentication (Tunnel Mode)
• Accomplished by creating a tunnel between 2 gateways
– Gateway may be a router
– May be a VPN implementation
• Wraps the original packet in a new packet
• Applies checksum to entire packet
Security in IPv6
– Encryption in IPv6
• Extension Header type 50 provides integrity and confidentiality
Security in IPv6
– Encryption in IPv6
• Support for Authentication
• IPv6 specification contains one encryption algorithm that must be supported by every implementation
– DES-CBC (Data Encryption Standard in Cipher Block Chaining Mode)
• Other stronger algorithms may be negotiated using the corresponding SA and SPI
• Government export controls
Security in IPv6
– Encryption in IPv6
• Payload encryption (Transport Mode)
• Transport mode encrypts all end-to-end extension headers and payload
• Extension headers must not be looked at in the path
Security in IPv6
– Encryption in IPv6
• Header and Payload encryption (Tunnel Mode)
• Accomplished by creating a tunnel between 2 gateways
– Gateway may be a router
– May be a VPN implementation
• Wraps the original packet in a new packet
• Applies checksum to entire packet
Security in IPv6
– Encryption in IPv6
• Combining Authentication and Encryption
• It was originally intended to use both extension headers
• But the increased IPv6 packet size was not good
• Included AH functionality in ESP
Security in IPv6
– Deploying security
• Requires Security Policy Database (SPD)
• Configures Security Associations (SA)
[Figure: Node A and Node B each hold an SPD with the entries "A -> B ESP key" and "B -> A ESP key"; the matching pair of entries forms the Security Associations between the two nodes.]
Security in IPv6
– IPSEC may solve many issues on the Internet
• FTP, Telnet, DNS, and SNMP
– However, other issues exist
• IPSEC tunnels break through firewalls or NAT
• Tunneled IPSEC traffic may contain malicious data
• QOS doesn’t work in IPSEC
• Mobility issues
• Dynamic IP addresses cause IPSEC to fail
Security in IPv6
– IPv6 deployment slowed due to IPv4 workarounds
• NAT and CIDR
• SSL
• SSH
• S/MIME, PGP
– IPSEC deployment issues
• lack of public key infrastructure
• lack of vendor/IPv6 adoption
New - IPsec deployment pushes end-node firewall deployment
– By definition, end-to-end encryption makes intermediate packet inspection by firewalls and IDS devices impossible
– AH-secured packets, protected from tampering and source address spoofing, can still be inspected
– Look for increased migration of network firewalls to host-based (centrally managed) solutions
New - IPsec deployment pushes end-node firewall deployment
[Figure: an intranet behind a firewall facing the IPv4 Internet and IPv6 Internet; encapsulated IPv6 packets pass through the firewall to the end nodes.]
New - ICMP Traffic Needs Increase
• “Protected” nodes need ICMPv6 from intermediary nodes (i.e. routers)
– Cannot block all ICMPv6 at the network edge
– Inbound ICMP (specific types) must be allowed
– Increases opportunity for DoS attacks
New – ICMP Traffic Needs Increase
• New advanced use of ICMPv6 opens up new DoS attacks
– Neighbor Discovery
– Router advertisements
New - Privacy Extensions
• Privacy extensions
– allow an end-node to create a randomly generated IPv6 Identifier
– Changes periodically
• IPv6 prefix still “ISP” based
New - Security not really “fixed” in IPv6
• Required IPsec is an improvement to Internet security
• Only secures “network” layer (Transport)
• Attacks against host services (buffer overflow) or computer users (eMail viruses) are not resolved by a secure transport layer
New - Disuse of NAT really only an issue in home networks
• Enterprise network administrators can secure the environment without NAT using stateful firewalls and other packet filters
• End-to-end reachability utopia of IPv6 will probably not be embraced by enterprise soon – NAT or no NAT
Transition Security
• Basic Security Element
– IPv4 network secure
• Behind firewall
• Using NAT
Security - example
Transition Security
• Introduction of various transition mechanisms may compromise the network
– IPv6 connectivity point
– Tunnel
– UDP NAT traversal
– Other…
Transition Security
– IPv6 connectivity point
[Figure: an intranet behind a firewall with a direct IPv6 connectivity point to the IPv6 Internet alongside its IPv4 Internet connection.]
Transition Security
– Tunnel
– UDP NAT traversal
[Figure: encapsulated IPv6 packets cross the firewall between the IPv4 Internet and the intranet and reach the IPv6 Internet through the tunnel.]
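The two ways encapsulated IPv6 reaches an intranet in the figure above, IPv6-in-IPv4 tunnels (protocol 41, used by configured tunnels, 6to4 and ISATAP) and IPv6-in-UDP (Teredo's NAT traversal), are what a firewall on the IPv4 edge must be able to recognise. As an added example (not from the tutorial), the classifier below does that over constructed sample packets; the Teredo UDP port 3544 and 2001:0::/32 prefix are assumed from RFC 4380, the 2002::/16 prefix from RFC 3056, and the 5EFE ISATAP interface identifier from RFC 4214.

```python
# Added example: firewall-side classifier for IPv6-carrying encapsulations seen
# on an IPv4 interface. Assumptions: Teredo port/prefix from RFC 4380, 6to4
# prefix from RFC 3056, ISATAP identifier from RFC 4214. Packets are constructed.
import ipaddress
import struct

PROTO_IPV6, PROTO_UDP, TEREDO_PORT = 41, 17, 3544
TEREDO = ipaddress.IPv6Network("2001:0::/32")
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def ipv4(proto, src, d, payload):          # constructed sample, checksum left 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(d).packed) + payload


def ipv6(src, d, next_hdr=59):             # 59 = No Next Header
    return (struct.pack("!IHBB", 6 << 28, 0, next_hdr, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(d).packed)


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def inner_ipv6_hints(inner):
    """None unless `inner` starts with an IPv6 header; else address-derived hints."""
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    hints = set()
    for a in (ipaddress.IPv6Address(inner[8:24]), ipaddress.IPv6Address(inner[24:40])):
        if a in SIX_TO_FOUR:
            hints.add("6to4")
        if a in TEREDO:
            hints.add("teredo-address")
        iid_high = (int(a) >> 32) & 0xFFFFFFFF      # top 32 bits of the interface ID
        if iid_high in (0x00005EFE, 0x02005EFE):     # ISATAP ::0:5efe:a.b.c.d (u bit either way)
            hints.add("isatap")
    return sorted(hints)


def classify(pkt):
    """{'kind': ..., 'hints': [...]} for one IPv4 packet arriving at the firewall."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return {"kind": "not-ipv4", "hints": []}
    ihl, proto = (pkt[0] & 0xF) * 4, pkt[9]
    payload = pkt[ihl:]
    if proto == PROTO_IPV6:
        return {"kind": "ipv6-in-ipv4", "hints": inner_ipv6_hints(payload) or []}
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        hints = inner_ipv6_hints(payload[8:])
        if TEREDO_PORT in (sport, dport) and hints is not None:
            return {"kind": "ipv6-in-udp", "hints": hints}
    return {"kind": "plain-ipv4", "hints": []}


def sample_packets():
    """Constructed traffic: 6to4 tunnel, ISATAP link-local, Teredo, plain TCP."""
    return [
        ipv4(PROTO_IPV6, "192.0.2.1", "198.51.100.1",
             ipv6("2002:c000:201::1", "2001:db8::1")),
        ipv4(PROTO_IPV6, "192.0.2.1", "192.0.2.2",
             ipv6("fe80::5efe:c000:201", "fe80::5efe:c000:202")),
        ipv4(PROTO_UDP, "203.0.113.7", "198.51.100.1",
             udp(40000, TEREDO_PORT,
                 ipv6("2001:0:c633:6401:8000:63bf:3fff:fdd2", "2001:db8::1"))),
        ipv4(6, "192.0.2.1", "198.51.100.1", b"\x00" * 20),
    ]


if __name__ == "__main__":
    for p in sample_packets():
        print(classify(p))
```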
Transition Security
– Other
[Figure: an ISATAP network with an ISATAP & 6to4 router attached to the IPv4 Internet, which reaches the IPv6 Internet through a 6to4 relay.]
Transition Security
– Other
– BIA
[Figure: BIA in a dual-stack host: IPv4 applications → Socket API (IPv4, IPv6) → API translator (name resolver, address mapper, function mapper) → TCP(UDP)/IPv4 and TCP(UDP)/IPv6.]
5. Deploying IPv6
• Current deployment and trends
• IPv6 capable products and services
• Early lessons learned
Countries on the IPv6 Internet
[Chart: number of countries with IPv6 ISPs, Jul-99 to Oct-03 (0 to 60): linear growth averaging 1 country per month, reaching 54 countries.]
IPv6 ISPs per country
#   Country         ISPs
1   Japan           65
2   US              64
3   Germany         51
4   Netherlands     28
5   UK              22
6   Sweden          17
7   France          17
8   South Korea     17
9   Italy           15
10  Austria         13
11  Taiwan          12
12  Finland         11
13  Canada          10
14  Spain           9
15  Portugal        8
16  Switzerland     8
17  China           8
18  Czech Rep.      7
19  Mexico          7
20  Poland          7
21  Europe          6
22  Australia       6
23  Norway          5
24  Singapore       5
25  South Africa    4
26  Denmark         4
27  Estonia         4
28  Luxembourg      4
29  Russia          3
30  Ireland         3
31  Belgium         3
32  Thailand        3
33  Malaysia        3
34  Brazil          2
35  Lithuania       2
36  Turkey          2
37  Romania         2
38  Iran            2
39  Yugoslavia      2
40  Indonesia       2
41  Chile           1
42  Dom. Republic   1
43  Greece          1
44  Hungary         1
45  Cyprus          1
46  UAE             1
47  Tunisia         1
48  Croatia         1
49  Israel          1
50  Slovenia        1
51  Saudi Arabia    1
52  N. Guinea       1
53  India           1
54  Philippines     1
IPv6 ISPs versus time
[Chart: number of IPv6 ISPs, Jul-99 to Oct-03 (0 to 500). Data points: June 30, 00: 36; June 30, 01: 84; June 30, 02: 154; June 30, 03: 399; December 3, 03: 482.]
Future ISP Growth Trends
[Chart: projected number of IPv6 ISPs, Jul-99 to Jul-09 (0 to 8000), under three growth scenarios: doubles every 6 months, doubles annually, doubles bi-annually.]
IPv6 ISPs per Region
[Pie chart: Eurasia 56%, Asia-Pacific 26%, North America 17%, Latin America 1%.]
IPv6 ISPs per Function
[Chart: percent of IPv6 ISPs by function (Commercial, Research & Education, Government) versus time, Aug-99 to Nov-03.]
Commercial Sector is driving the deployment of IPv6.
IPv6 Capable Operating Systems
Vendor      Versions                                                      More Info
Microsoft   W2003 Server; XP (SP1) and .NET; CE .NET (Pocket PC 4.1)      http://www.microsoft.com/ipv6
Sun         Solaris 8 and 9                                               http://wwws.sun.com/software/solaris/ipv6/
IBM         z/OS Rel. 4; AIX 4.3 ->; OS/390 V2R6 eNCS                     http://www-1.ibm.com/servers/eserver/zseries/zos/unix/release/bpxa1zr4.html
                                                                          http://www-3.ibm.com/software/network/commserver/library/publications/ipv6.html
BSD         FreeBSD 4.0 ->; OpenBSD 2.7 ->; NetBSD 1.5 ->; BSD/OS 4.2 ->  http://www.kame.net/
Linux       RH 6.2 ->; Mandrake 8.0 ->; SuSE 7.1 ->; Debian 2.2 ->        http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-distributions.html
HP/Compaq   HP-UX 11i; Tru64 UNIX V5.1; OpenVMS V5.1                      http://www.compaq.com/ipv6/next_gen.html
Apple       MAC OS X 10.2 ->                                              http://developer.apple.com/macosx/
IPv6 Capable Routers
Vendor             Versions                                                  More Info
6WIND              6100, 6200, Windedge                                      http://www.6wind.com
Nortel             BayRS routers                                             https://www.nortel.com
Cisco              Nearly all router products                                http://www.cisco.com/ipv6
Ericsson           RXI 820                                                   http://www.ericsson.com
Extreme Networks   4GNSS                                                     http://www.extremenetworks.com
Hitachi            GR2000-2S, GR2000-4S, GR2000-6H, GR2000-10H, GR2000-20H   http://www.hitachi.com
Juniper            M5, M10, M20, M40, M160                                   http://www.juniper.net/solutions/enabling_tech/ipv6
Nokia              100, 300, 400, 500, 600, 700                              http://www.nokia.com/nokia/0,1522,,00.html?orig=/IPv6
Sumitomo Electric  3700                                                      http://seusa.sumitomo.com/htmls/randd/ipv6/ipv6.html
Zebra              Zebra-0.94                                                http://www.zebra.org
Teledat            Nearly all router products                                http://www.teledat.es
Early lessons learned
• There is great long term potential for IPv6 to generate additional revenue and reduce costs for enterprises. In the short term, enterprises should expect increased costs, complexity, IA, and interoperability issues during the transition.
• Enterprises should strongly consider top-down, centrally coordinated IPv6 transition efforts to reduce costs, minimize IA vulnerabilities, and minimize interoperability issues.
• Enterprise policies, processes, procedures, and databases will need to be examined and upgraded to dual IPv4/v6.
• Enterprise network services will need to be examined, engineered, and upgraded to dual IPv4/v6.
• Enterprise network infrastructure will need to be examined, engineered, and upgraded to dual IPv4/v6.
• Enterprise custom and COTS SW applications will need to be examined, engineered, and upgraded to dual IPv4/v6.
• Enterprise products and services will need to be examined, engineered, and upgraded to dual IPv4/v6.
• The IPv6 transition may heavily impact ongoing and future enterprise IT acquisitions.
Early lessons learned - Security
• Many resources will be shared during the transition. These become a means for an IPv6 attack to disrupt IPv4 communications and vice versa.
• The new features of IPv6 will add new vulnerabilities.
• IPv6 coexistence mechanisms have their own set of new vulnerabilities.
• Engineering and Operations personnel must be properly trained to minimize the impact of new vulnerabilities.
Factors impacting coexistence mechanisms used
• Policy
• Cost
• Security
• Performance
• Operational Complexity