Embed Size (px)
Citation preview
IPv6 Sys Admin Style
Tim Martin CCIE #2020
Solutions Architect
Spring 2016
Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda • IPv6 Basics • IPv6 Details • IPv6 Odds & Ends • IPv6 in Windows • IPv6 in OSX • IPv6 in Linux • IPv6 in Mobile • Conclusion
IPv6 Basics
Architectural Model
Planning and coordination is required from many across the organization, including … v Network engineers & operators v Security engineers v Application developers v Desktop / Server engineers v Web hosting / content developers v Business development managers v …
v Create a project team & plan v Identify business value, requirements & impacts v Assess equipment & applications for IPv6 v Begin training & develop training plan v Develop the architectural solution v Obtain a prefix and build the address plan v Define an exception process for legacy systems v Update the security policy v Deploy IPv6 trials in the network v Test and monitor your deployment
IPv6 Planning Steps Outline
340,282,366,920,938,463,463,374,607,431,768,211,456 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand, 456
So How Big Is The IPv6 Address Space?
§ Lot’s of talk about how big, it’s BIG, do NOT worry about waste
§ Theoretical vs. Practical, split the 128 bits in half
§ 64 bits will define the network topology, 64 bits define the host id
18,446,744,073,709,600,000 IPv6 addresses /64 (31,536,000 seconds/yr * 10,000,000 IPv6 addresses/second)
18,446,744,073,709,600,000 / 315,360,000,000,000
= 58,494 years - Ed Horley
IPv6 Addressing
IPv6 Address Family
Multicast Anycast Unicast
Assigned Solicited Node
Unique Local Link Local Global Special Embedded
*IPv6 does not use broadcast addressing
Well Known Temp
§ Widely used in computing and programming § Hex is a base 16 numerical system § Typicaly expressd by 0x, i.e 0x34
§ Every nibble is a Hex character § 4 bits have 16 combinations § Easier than high school algebra
Hexadecimal, it’s really not that difficult
256’s |16’s | 1’s 3 4 a c 2 4 d
100s | 10’s | 1’s 0 5 2 1 7 2 5 8 9
§ IPv6 addresses are 128 bits long (32 hex characters) § 8 groups (words, quad’s) of 16 bits separated by (:)
§ Network or topology portion is the prefix § Includes the “subnet”
IPv6 Address Format
Host Portion Network Portion
2001 : 0db8 : 0100 : 1111 : 0000 : 0000 : 0000 : 0001 16 bits 16 bits 16 bits 16 bits 16 bits 16 bits 16 bits 16 bits
Host Id Subnet Id Global Route Prefix
2001:0db8:0100:1111:0000:0000:0000:0001
§ Leading 0’s can be omitted § The double colon (::) can appear only once
Abbreviating IPv6 Addresses (RFC5952)
2001:0db8:0000: :0000:0000:0000:1e2a 00a4 Full Format
2001:db8:0: :0:0:0:1e2a a4 Abbreviated Formats
2001:db8:0: ::1e2a a4
Unicast IPv6 Address Types
Link-Local – Non routable exists on single layer 2 domain (fe80::/10) fe80:0000:0000:0000
:: xxxx:xxxx:xxxx:xxxx
fc00:gggg:gggg: xxxx:xxxx:xxxx:xxxx ssss:
fd00:gggg:gggg: xxxx:xxxx:xxxx:xxxx ssss:
Unique-Local – Routable within administrative domain (fc00::/7)
2000:NNNN:NNNN HHHH:HHHH:HHHH:HHHH
Global – Routable across the Internet (2000::/3) :SSSS:
3fff:NNNN:NNNN HHHH:HHHH:HHHH:HHHH :SSSS:
• RecommendedAlloca,ons• Consumer,SMB/56/60/64• MunicipalGovernment,Enterprise,SingleAS/40/44/48• StateGovernments,Universi,es(LIR)/32/36/40
• Addressing Plan, Site Count • IPv4 Allocation, Multi-homed ISP • 1 - 12 sites, a /44 assignment • 13 - 192 sites, a /40 assignment • 193 - 3,072 sites, a /36 assignment • 3,073 - 49,152 sites, a /32 assignment
Registries
Level Four Entity
IANA
ISP Org
PA
/48
2000::/3
/12
/32
2000::/3
/48
/12
PI
/32
/48
RIPE
Global Address Assignment
Subordinate
• PA or PI from each region you operate in • Coordination of advertised space within each RIR, policy will vary
• Most run PI from primary region
Multi-national Model
§ Anywhere a host exists /64 § Point to Point /127
§ Should not use all 0’s or 1’s § in the host portion § Nodes 1&2 are not in the § same subnet
§ Loopback or Anycast /128
§ RFC 7421 /64 is here
§ RFC 6164 /127 cache exhaust
Prefix Length Considerations
Pt 2 Pt /127
WAN
Core /64 or /127
Servers /64
Hosts /64
Loopback /128
IPv6 Details
• IPv6 has a specific Ethernet Protocol ID • IPv6 relies heavily on Multicast
IPv6 over Ethernet
Destination Ethernet Address!
Source Ethernet Address!
0x0800!!
IPv4 Header and Payload!
Destination Ethernet Address!
Source Ethernet Address!
0x86DD!!
IPv6 Header and Payload!
xx 33 33 xx xx xx
I bit = Local Admin, L bit = Multicast/Broadcast
0000 00IL 0 = Universel/unique
1 = Local/not unique
IPv4 and IPv6 Header Comparison
Offset Flags
Total Length Type of Service IHL
Padding Options Destination Address
Source Address
Header Checksum Protocol Time to Live
Identification
Version
IPv4 Header (20-60)
Next Header Hop Limit
Flow Label Traffic Class
Destination Address
Source Address
Payload Length
Version
IPv6 Header (40)
• Length is constant in IPv6 • Fragmentation occurs in (EH 44) • Option’s occur in (EH 0,6) • UDP must have valid Checksum, unlike v4. • Upper layer checksums use the Pseudo Header format: SRC/DST Addr + Next Header
§ RFC 6437 § Flow label specification
§ RFC 6438 § ECMP & LAG , typically 2 tuple {src, dst IP} § Effiency over searching the header chain § Frags, ICMP & Crypto may causes problems
§ RFC 7098 § Flow label for Server Load Balancing § Flow label is efficient, fixed position of header § 2 or 3 tuple {src, dst IP, flow label}
§ Setting the Flow Label § Set by host must not be changed in transit § First hop router may set if host cannot
Flow Label Usage Flow Label Traffic
Class Version
4 bits 8 bits 20 bits
Servers
L3/4 Load Balancer
§ EH are daisy chained, processed in order § Length is variable, must be on 8 byte boundary
Extension Headers (~ Layer 3.5)
IPv6 Header Hop-by-Hop Destination Opt TCP Header Payload
Extension Header * Type Hop-by-Hop Options 0 Destination Options 60 Routing Header 43 Fragment Header 44 Authentication Header 51 ESP Header 50 Destination Options 60 Mobility Header 135 Experimental 253,254 No Next Header 59
ICMPv6 Error Messages
• Type – (1-127) = Error Messages • Code – More Granularity within the Type • Checksum – Computed over the entire ICMPv6 & pseudo header • Data - Original IPv6 Header, First 8 bytes of ULP, fill to Min MTU (1280)
• Destination Unreachable, type (1) • Packet Too Big, type (2) • Time Exceeded, type (3) • Parameter Problem, type (4)
Type Code Data
Checksum
IPv6 NH = 58
ICMPv6 Informational Messages
• Type – (128-255) = Informational Messages • Code – More Granularity within the Type • Checksum – Computed over the entire ICMPv6 & pseudo header • Data – Message format based on each type of informational message
• Neighbor discovery, router discovery, Type (133-137) • Multicast Listener Discovery (MLD), Type (130-132, 143) • Diagnostics using Ping or Traceroute, Type (128, 129)
Type Code Data
Checksum
IPv6 NH = 58
Path MTU Discovery
Source Destination Link
MTU 1500 MTU 1500 MTU 1400 MTU 500
Packet, MTU=1500
ICMPv6 Packet Too Big, Use MTU=1400
2 Packets | EH type 44 | Payload=1380,120
ICMPv6 Type 2 PTB, Use MTU=500
4 Packets | EH type 44 | Payload=480,480,480,60
IPv6 Host Portion Address Assignment Similar to IPv4 New in IPv6
Manually configured StateLess Address AutoConfiguration SLAAC EUI64
SLAAC Privacy Extensions
Assigned via DHCPv6
*Secure Neighbor Discovery SeND
00 90 27 ff fe 17 fc 0f
OUI Device Identifier 00 90 27 17 fc 0f
02 90 27 ff fe 17 fc 0f
0000 00U0 U= 1 = Universel/unique
0 = Local/not unique U bit must be flipped
ff fe 00 90 27 17 fc 0f
Extended Unique Identifier (EUI64)
IPv6 Privacy Extensions (RFC 4941)
• Generated on unique 802 using MD5, then stored for next iteration • Enabled by default in Windows, Android, iOS, Mac OS/X, Linux • Temporary or Ephemeral addresses for client application (web browser)
Recommendation: Good for the mobile user, but not for your organization/corporate networks (Troubleshooting and accountability)
2001 DB8
/32 /48 /64
Random Generated Interface ID 0000 1234
Stable Interface ID Generation (RFC 7217) • RID = hash (Prefix, Net_Iface, DAD_Counter, secret_key) • Generate IID’s that are Stable/Constant for Each Network Interface • IID’s Change As Hosts Move From One Network to Another
Implementation of the RID is left to the OS Vendor and MAY differ between Client and Server
2001 DB8
/32 /48 /64
Random ID 0000 1234
§ Source – fe80::1234, Destination - ff02::1:2 § Client UDP 546, Server UDP 547
§ Original Multicast Encapsulated in Unicast
§ DUID – Different from v4, used to identify clients
§ ipv6 dhcp relay destination 2001:db8::feed:1
DHCPv6
DHCPv6 Server 2001:db8::feed:1
DHCPv6 Solicit DHCPv6 Relay
DHCPv6 Relay
SOLICIT (any servers)
ADVERTISE (want this address)
REQUEST (I want that address)
REPLY (It’s yours)
§ Each device has a RSA key pair § Ultra light check for validity
Secure Neighbor Discovery – SeND (RFC 3756)
SHA-1
RSA Keys Priv Pub
Subnet Prefix
Interface Identifier
Crypto. Generated Address
Signature
SeND Messages
Modifier
Public Key Subnet Prefix CGA Params
SeND Operation
Router R host
Certificate Authority CA0 Certificate Authority Certificate C0
Router certificate request
Router certificate CR
Certificate Path Solicit (CPS): I trust CA0, who are you ?
Certificate Path Advertize (CPA): I am R, this is my certificate CR
1
2
3
4
5
6 Verify CR against CA0
7 Start using R as default gateway
Router Advertisement
• Most OS’s do NOT support it (Vista, 2007/8, OSX, iOS, Android)
IPv6 Multicast Address (RFC 4291) • Prefix ff00::/8
8-bit 4-bit 4-bit 112-bit
1111 1111 0 R P T Scope Variable format
Flags
O Reserved
R = 0 R = 1
No embedded RP Embedded RP
P = 0 P = 1
Without Prefix Address based on Prefix
T = 0 T = 1
Well Known Address (IANA assigned) Temporary address (local assigned)
Scope 1 Node
2 Link
3 Realm
4 Admin
5 Site
8 Organization
E Global
Address Scope Meaning ff02::1 Link-Local All Nodes ff02::2 Link-Local All Routers ff02::5 Link-Local OSPFv3 Routers ff02::6 Link-Local OSPFv3 DR Routers ff02::9 Link-Local RIPng ff02::A Link-Local EIGRP
• ff02, is a permanent address and has link scope
• Link Operations, Routing Protocols, Streaming Services
Well Known Multicast Addresses
Multicast Mapping over Ethernet (RFC 2464)
Corresponding Ethernet Address
ff3e:0040:2001:0db8:cafe:0001:11d7:4cd3 IPv6 Temporary
Multicast Address
33 33 D7 4C D3 11
Corresponding Ethernet Address
ff02:0000:0000:0000:0000:0000:0000:0001 IPv6 Well Known
Multicast Address
33 33 00 00 01 00
Every IPv6 Multicast address (layer 3), MUST map to a corresponding Ethernet address (layer 2)
§ MLD uses LL source addresses § Hop Limit = 1
§ MLD packets use “Router Alert” in HBH § Destination is not the routers interface
§ 3 msg types: Query, Report, Done
§ MLDv1 = (*,G) shared, MLDv2 = (S,G) source
IPv6 Multicast Listener Discovery (MLD)
MLD snooping
MLD IGMP Message Type
ICMPv6 Type Function
MLDv1 (RFC2710) IGMPv2 (RFC 2236) Listener Query
Listener Report
Listener Done
130
131
132
Used to find out if there are any multicast listeners
Response to a query, joins a group
Sent by node to report it has stopped listening
MLDv2 (RFC 3810) IGMPv3 (RFC 3376) Listener Query
Listener Report
130
143
Used to find out if there are any multicast listeners
Enhanced reporting, multiple groups and sources
§ Always uses Link Local (fe80::/64) as its source § Hop Limit must be set to 255
§ Generalized TTL Security Mechanism
§ Neighbor discovery messages § Router solicitation (ICMPv6 type 133) § Router advertisement (ICMPv6 type 134) § Neighbor solicitation (ICMPv6 type 135) § Neighbor advertisement (ICMPv6 type 136) § Redirect (ICMPv6 type 137)
Neighbor Discovery Protocol – NDP (RFC 4861)
IPv4 IPv6 ARP Request Neighbor Solicitation
Broadcast Solicited Node Multicast
ARP Reply Neighbor Advertisement
Unicast Unicast
NDP
RA RS
NS NA Redirects
NUD DAD
IPv6
§ Router solicitations (RS) are sent by nodes at bootup
§ Routers forward packets as well as provide provisioning services
Router Solicitation and Advertisement
RS
ICMP Type 133 IPv6 Source fe80::a IPv6 Destination ff02::2 Opt. 1 SLLA SRC Link Layer Address
RA
ICMP Type 134 IPv6 Source fe80::2
IPv6 Destination fe80::a Data Options, subnet prefix,
lifetime, autoconfig flag
RS RA
A
RA Provisioning
• M-Flag – Stateful DHCPv6 to acquire IPv6 address • O-Flag – Stateless DHCPv6 in addition to SLAAC • Preference Bits – Low, Med, High • Router Lifetime – Must be >0 for Default • Options - Prefix Information, Length, Flags
• L bit – Only way a host get a On Link Prefix • A bit – Set to 0 for DHCP to work properly
Type: 134 (RA) Code: 0 Checksum: 0xff78 [correct] Cur hop limit: 64 ∞ Flags: 0x84 1… …. = Managed (M flag) .0.. …. = Not other (O flag) ..0. …. = Not Home (H flag) …0 1… = Router pref: High Router lifetime: (s)1800 Reachable time: (ms) 3600000 Retrans timer: (ms) 1000 ICMPv6 Option 3 (Prefix Info) Prefix length: 64 ∞ Flags: 0x80 1… …. = On link (L Bit) .1.. …. = No Auto (A Bit) Prefix: 2001:0db8:4646:1234::/64
RA
RA Message Options
RA
type = 134 code = 0 checksum hop limit M|O|H|pref router lifetime
reachable time retransmit timer
options (variable)
• ICMPv6 – Type, Code, Checksum, Data
• Data – Body of the Message Type (Required)
• Option 1 – Source MAC, Option 5 – MTU
• Option 3 – Prefix and Host Provisioning
• Option 25 – Recursive DNS Servers, DNS Search List
Address Timers
• Tentative – Address in verification process (DAD) • Preferred – Address can be used for communication • Valid – Address can be used, may be Preferred or Deprecated • Deprecated – Address can be used on existing connections • Invalid – Address is not available for use
Valid
Deprecated Preferred Tentative Invalid Preferred Lifetime
Valid Lifetime
§ Maintained for each interface connected on a host
§ Host uses the PL & DRL to work out the destination for outbound packet
§ Then it saves the result in the DC
§ The DC resolves the destination address to the next hop address
§ Hosts uses neighbor discovery to get the link address and updates the NC
Host Cache Conceptual Data Structures
Default Router List (DRL)
Prefix List (PL)
Destination Cache (DC)
Neighbor Cache (NC)
§ Prefix List – contains on link prefixes (L bit) and validation timers
§ Default Router List – must be a neighbor usable to the host (Pref bits)
§ Destination Cache – resolves next hop IPv6 address and § May contain path MTU & RTT information § Can be updated by ICMPv6 redirect message
Host Cache Conceptual Model
Prefix List (PL) Valid Timer
fe80::/10 ∞
2001:db8:4646:34::/64 322486
Destination Cache (DC) Neighbor PMTU
fe80::34:1 fe80::34:1 1500
2001:db8:4646:34::1 2001:db8:4646:34::1 9000
2001:db8:4646:555::22 fe80::34:1 1500
2001:db8:4646:717::98 fe80::34:1 1500
2001:db8:4646:34::38 2001:db8:4646:34::38 9000
Default Router List (DRL) Preference
fe80::34:1 H
fe80::34:11 M
§ Mapping of the neighbors IPv6 address to it’s link layer address
§ Includes the status of the “R” flag in the returned NA’s
§ Must not create a new entry for “gratuitous” NA
Host Neighbor Cache
Neighbor Link Layer Is Router State
fe80::34:1 00-00-0C-83-5C-3E 1 Reachable
2001:db8:4646:34::1 00-00-0C-83-5C-3E 0 Stale
2001:db8:4646:34::38 04-48-9A-16-37-FB 0 Stale
ff02::1 33-33-00-00-00-01 0 ~
§ Incomplete – Pending address resolution, NS message outstanding
§ Reachable – Recently used mapping, Can be refreshed by ULP
§ Stale – Not currently communicating, waiting for next queued packet
§ Delay –Using stale binding, awaiting (ULP) return traffic
§ Probe – Sending Unicast NS to node (after Delay timer, 3x1 sec)
Neighbor Cache State Machine
Reachable
Incomplete No Entry
Delay Stale Probe
NS
NA time expired NA
send packet ULP
§ Can be used to cycle to the next router in the DRL
§ In the case of multiple entries in the DRL, NUD should be “quick”
§ RFC 7048 adds a new definition to the state table “Unreachable” § Desires to make NUD more robust against network failures § Speed into the next state, particularly if no other entry exists in the DRL § Unreachable – Retains link layer address, switches to Multicast for resolution
Neighbor Unreachability Detection (NUD)
(DRL) Pref.
fe80::34:1 H
fe80::34:11 M
Neighbor Link Layer R State
fe80::34:1 00-00-0C-83-5C-3E 1 Probe
fe80::34:11 00-03-7A-16-37-FB 1 Stale
§ Unspecified Source (::), No Option 1 SLLA
§ Probing the Local Link to Verify Address Uniqueness
§ An NA Indicates Address in Use, Administrative Intervention Required
Duplicate Address Detection (DAD)
Node A can start using address A
B A C
ICMP Type 135 NS IPv6 Source UNSPEC = :: IPv6 Dest. A Solicited Node Multicast
ff02::1:ff00:a Query Anyone Using “a”
NS
ICMP Type 136 NA IPv6 Source fe80::a IPv6 Dest. ff02::1 Flags S = 0
O = 1
NA
§ Unicast address MUST build corresponding solicited-node multicast § Solicited-node multicast consists of § ff02::1:ff/104 {lower 24 bits from IPv6 Unicast}
Solicited-Node Multicast Address
ff02 0000 0000 0000 0000 0001 ffbc fc0f
fe80 0000 0000 0000 1234 5678 9abc fc0f
33 33 BC FC 0F FF
R1#sh ipv6 int e0 Ethernet0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18 Global unicast address(es):
2001:DB8:0:1234::1 subnet is 2001:DB8:0:1234::/64 Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:1 FF02::1:FF3A:8B18 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND router advertisements are sent every 200 seconds *If EUI format is used then the 1rst solicited node mcast addr is used for both the LL & GU
IPv6 Interface Example
Solicited-Node Multicast Address*
Neighbor Solicitation & Advertisement
A! B!
ICMP Type 135 NS IPv6 Source fe80::a IPv6 Destination ff02::1:ff00:b Hop Limit 255 Target Address 2001:db8:1:46::b Query What is B link layer address? Opt. 1 SLLA A’s Link Layer Address
ICMP Type 136 NA IPv6 Source fe80::b
IPv6 Destination fe80::a Target Address 2001:db8:1:46::b Option 2 TLLA B’s Link Layer Address
*Flags R = Router S = Response to Solicitation O = Override cache information
NS NA
• ARP replacement, Map’s L3 to L2.
• Node B will add node A to it’s neighbor cache during this process w/o sending NS
• Multicast for resolution (new), Unicast for reachability (cache)
DfGW
Viewing Neighbors in the Cache
Neighbors are only considered “reachable” for 30-seconds. “Stale” indicates that, we MAY need to send a NS packet.
§ Cannot be used if destination is multicast
§ Hosts should not send redirects, Should be turned off on routed links
§ IPv6 Hosts Don’t Use Bitwise Masking, TLLA Avoids ND Round
ICMPv6 Redirect
R2 A B
Packet
IPv6 Source 2001:db8:4646:1::b IPv6 Dest. 2001:db8:4646:1::a ULP variable
Redirect 137
IPv6 Source fe80::2 IPv6 Dest. 2001:db8:4646:1::b ICMPv6 Type 137 Target Addr. 2001:db8:4636:1::a
Opt. 2 TLLA 001C.2D3E.00AA
Redirect Packet
§ Loopback § 0:0:0:0:0:0:0:1=> ::1
§ Unspecified address § 0:0:0:0:0:0:0:0=> 0::0 => :: => ::/128
§ Documentation Prefix § 2001:0db8::/32
§ Discard Prefix § 0100::/64
§ 6to4 Automatic Tunneling § 2002::/16
§ Default Route § ::/0
Special Use Addresses (RFC 5156)
IPv6 Odd & Ends
Windows 7, Mac OSX use pseudo random by default. iPad & iPhone generate a new temporary address per association
C:\Documents and Settings\>netsh netsh>interface ipv6 netsh interface ipv6>show address Querying active state... Interface 5: Local Area Connection Addr Type DAD State Valid Life Pref. Life Address --------- ---------- ------------ ------------ ----------------------------- Public Preferred 29d23h58m25s 6d23h58m25s 2001:0db8:2301:1:202:8a49:41ad:a136 Temporary Preferred 6d21h48m47s 21h46m 2001:0db8:2301:1:bd86:eac2:f5f1:39c1 Link Preferred infinite infinite fe80::202:8a49:41ad:a136 netsh interface ipv6>show route Querying active state... Publish Type Met Prefix Idx Gateway/Interface Name ------- -------- ---- ------------------------ --- --------------------- no Autoconf 8 2001:0db8:2301:1::/64 5 Local Area Connection no Autoconf 256 ::/0 5 fe80::20d:bdff:fe87:f6f9
IPv6 During Boot
RFC 6724 – Default Address Selection
• Scope, Preferred over Deprecated, Native over Transitional, Temporary over Public • Must support application override API, Choice of v6 over v4 is application dependent • RFC 7078 defines override using DHCPv6, option
Public Preferred 2001:0db8:2301:1:202:8a34:bead:a136 Temporary Preferred 2001:0db8:2301:1:bd86:ea49:41f1:39c1 Link Preferred fe80::202:8a34:bead:a136
IPv6 Prefix Range Precedence Label ::1/128 50 0 ::/0 40 1 2002::/16 30 2 ::/96 20 3 ::ffff:0:0/96 10 4
DNS Server!
2001:db8:1::1!
IPv4
IPv6
192.168.0.3!
www IN A 192.168.0.3 www IN AAAA 2001:db8:1::1
RFC 6555 § In a dual stack case, an application can:
§ Query DNS for IPv4 and/or IPv6 records § Parallel connection request vs. serial § Winner makes the “eyes” happy
• Give IPv6 300ms Head Start. Lookup & Connect Retrieve and Display
Dual Stack OS Considerations
What is this about?
§ BYOD: Massive influx of consumer devices to be placed on Enterprise networks
§ Consumer devices are typically located within a single Layer 2 domain in the home
§ Users may expect to have the same type of services in the Enterprise / Campus but also across L3 boundaries
§ Device types include mobile devices (iOS, Android), printers, cameras, PCs etc.
§ FF02::FB – Multicast DNS – mDNS (Apple Bonjour) (Chromecast)
§ FF02::2:FF/104 – Node Information Query (FreeBSD)
§ FF02::C – Simple Service Discovery Protocol – SSDP, UPnP (Microsoft)
§ FF02::1:3 – Link Local Multicast Name Resolution – LLMNR (File Sharing)
Zeroconf over IPv6
Personal Computer Operating Systems • Windows • Mac OS X • Linux
Appliances & Networking • Printers • Access Points • Switches • Routers
AV Equipment • Speakers • Cameras • Displays • AV Receivers
§ Hosts are ready § Windows enabled by default, disabling it = no more support from Microsoft § Mac OS X, iOS, Android, Linux, */BSD: enabled by default
§ File & Print § No WINS or NetBios over IPv6 § SMB on TCP 445
§ SQL Server § IPv6 preferred § Watch for v4 socket calls
§ Server 2008/R2 § Needs Unified Access Server
§ Server 2012 § Includes UAS, NAT64/DNS64
IPv6 Readiness: Servers
• Inconsistent API’s use of IPv6 Addresses • Data types, Headers, Structures, Sockets, oh my
• Home grown App’s may only support IPv4 • Pressure vendors to move to protocol agnostic framework
• RFC 3493 – Open Socket Call, 64 bit structure align to HW • RFC 3542 – Raw Socket, ping, Traceroute, r commands
Migrating Applications to IPv6
198.51.100.44:8080 à [2001:db8:café:64::26]:8080
§ RFC 4038 - http://tools.ietf.org/html/rfc4038 § Covers Application Aspects of IPv6 Transition
§ RFC 5014 - http://tools.ietf.org/html/rfc5014 § Covers IPv6 Socket API for Source Address Selection
§ If you have developers trying to figure out how to port their applications § https://www.arin.net/knowledge/preparing_apps_for_v6.pdf § https://www.getipv6.info/display/IPv6/Porting+Applications
IPv6 Application Porting
Client Provisioning DHCPv6 & SLAAC
A!
• How about both.. Reality for the foreseable future
• SLAAC address tracking, Radius Accounting, Syslog, CAM table Scrapes • MicroSoft wont support RDNSS in RA’s
• DHCPv6 Challenges, MAC Address for Reservations, Inventory, Tracking • Android doesn’t support DHCPv6
• Understand the Implications of Switching Methods • Inconsistent amongst the OS’s
DfGW
B! C!
Internet DHCPv6 Server
• Msg-type – relay-forw(12), relay-repl(13) • Hop-count, set to 0, +1 for every relay
• Link-address - used by server to identify which link the client is located
• Peer-address - original client or relay agent address
• Options - must include a "Relay Message option"
§ ipv6 dhcp relay destination 2001:db8::feed:1
DHCPv6 Relay
DHCPv6 Server 2001:db8::feed:1 DHCPv6 Solicit DHCPv6 Relay
DHCPv6 Relay
Msg-type Hop-count
Link-address
Peer-address Options
Link-address
IPv4 IPv6
A record:
• AAAA = easy, PTR = messy
• Add IPv6 address, create AAAA record in DNS zone
• Repeat for every name server from sub zones to parent zone
• Glue records, add an entry in DNS for the IP’s of your domains name servers
IPv6 and DNS
Function IPv4 IPv6
Hostname to
IP Address
A Record www.abc.test. A 192.168.30.1
AAAA Record (Quad A) www.abc.test AAAA 2001:db8:C18:1::2
IP Address To
Hostname
PTR Record 1.30.168.192.in-addr.arpa. PTR www.abc.test.
PTR Record 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.
Resilient DDI Design • Anycast Address for Client Access to DHCP/DNS • Uses the same address in multiple locations • Simple, Scalable and Reliable Solution • Global Unicast Address (GUA) for Service Uptime • DNS server injects /128 via OSPF DDI2
2001:db8:aa::21
2001:db8:aa::21
2001:db8:aa:: Cost 10
I pick DNS1 closest metric
2001:db8:aa:: Cost 30
2001:db8:aa:: Cost 20
DDI3 2001:db8:aa::21
DDI4 2001:db8:aa::21
Command &
Control
GUA
GUA
DDI1 2001:db8:aa::21
IPv6 In Windows
IPv6 is enabled by default and is preferred in Windows (this has been the case since Windows Vista and Server 2008) If you are running Windows you have likely already deployed IPv6 You just didn’t know it – oops By default Windows is dual-stacked Windows has built in transition technologies in the operating system – but I recommend that you turn them off Microsoft considers turning off IPv6 to be an unsupported configuration All current software solutions from Microsoft can run on IPv6 only or dual-stack networks w/ little to no modification
IPv6 in Windows, Let’s Get Started
Windows Networking
Since Windows Vista and Server 2008 there has been a new networking stack in the Windows Operating System
Network Interface Layer
Transport Layer (TCP/UDP)
Application Layer
Network Interface Layer
Application Layer
TCP/UDP TCP/UDP
IPv6 IPv4 IPv6 IPv4
Older TCP/IP Networking Stack (Dual-Stack) New TCP/IP Networking Stack (Dual IP Layer)
Yes, this is confusing as heck, the older OS versions of Windows call their
IPv6 solution dual-stack. It is not the same dual-stack as when we refer in the generic way to running IPv4 and
IPv6 on the same network.
RFC 6724 – Default Address Selection
• Scope, Preferred over Deprecated, Native over Transitional, Temporary over Public • Must support application override API, Choice of v6 over v4 is application dependent • RFC 7078 defines override using DHCPv6, option
Public Preferred 2001:0db8:2301:1:202:8a34:bead:a136 Temporary Preferred 2001:0db8:2301:1:bd86:ea49:41f1:39c1 Link Preferred fe80::202:8a34:bead:a136
IPv6 Prefix Range Precedence Label ::1/128 50 0 ::/0 40 1 2002::/16 30 2 ::/96 20 3 ::ffff:0:0/96 10 4
Network Connectivity Status Indicator
• Probes for IPv4 and IPv6 connectivity every time a network event occurs,
• Cache of already known networks, 30 days unless an interface status changes
• Need to spoof NCSI in lab environment
IPv4 IPv6 DNS query to dns.msftncsi.com 131.107.255.255 fd3e:4f5a:5b81::1
HTTP GET http://www.msftncsi.com/ncsi.txt http://ipv6.msftncsi.com/ncsi.txt
Content of ncsi.txt Microsoft NCSI Microsoft NCSI
DHCPv6 w/ O and M Flags (like DHCP)
2001:470:4801:a3:5c07:2212:a5dc:e68e is from DHCPv6 There are no other Global IPv6 addresses on the host Notice the last 64 do NOT match Link-local which was locally generated and the Global was given via DHCPv6
Why Do We Need Zone/Scope ID?
Because we can have ambiguity on link-local addresses, Scope ID is used to link neighbors table to a specific interface
fe80::cd87:5dd6:cf39:dd08 fe80::80d4:29c9:2b3c:a0e2 %12 %13
Transitional Adapters
C:\ >ipconfig Tunnel adapter ISATAP Adapter Media State : Media disconnected Connection DNS Suffix : foo.com Tunnel adapter Teredo Adapter Media State : Media disconnected Connection-specific DNS Suffix : Tunnel adapter 6TO4 Adapter: Media State : Media disconnected Connection-specific DNS Suffix : Can be disabled via Registry, GPO, Powershell, etc.
ß Used within administrative domain (IP41) ::0:5efe:w.x.y.z/96 – Private v4 ::200:5efe:w.x.y.z/96 – Global v4
ß Used with RFC 1918 address’s (UDP3544) 2001:0:{srvr v4}:{flags}:{udp}:{nat v4}
ß Used with global IPv4 address’s (IP41) 2002:xw.x.y.z::
§ RFC 4429 - http://tools.ietf.org/html/rfc4429 § OS starts using the IPv6 address immediately (assuming it good)
§ DAD process still happens to confirm that is the case
§ What happens when a node is using an address? § NA sent to ff02::1 § S flag = 0 in the NA
Windows IPv6 Optimistic DAD
AD Sites and Services/Sites/Subnets
Don’t forget to specify IPv6 subnets in Active Directory • And map them to the appropriate Sites
§ Beginning with Windows Server 2012 default to IPv6 for the cluster failover link
§ Failover heartbeat communicates using link-local IPv6 addresses
§ Clustering in a cloud service that does not support IPv6 § you must convert the failover heartbeat link to IPv4
§ Pay attention when you P2V a cluster – it will NOT covert the failover link
Microsoft Clustering and IPv6
IPv6 In OSX
OSX Networking
Since Mac OS X v10.2 (Jaguar – May 2002) Apple has had IPv6 support in some form in the OS • Older versions likely have unpredictable behavior
IPv6 support was viable until 10.6.7 (Snow Leopard – August 2009) • Essentially the first “usable” and “predictable” OS version with IPv6
Relatively solid support in the Geography releases • Kernel fix finally addresses ICMPv6 rate limiting
OSX IPv6 Address Configuration
DHCPv6 client support was added in 10.7 (Lion – July, 2011)
IPv6 privacy addresses are enabled by default in 10.7
SLAAC and manual address configuration are supported
OSX Manual IPv6 Address Configuration
• Choose Apple menu > System Preferences, and then click Network • If the Network Preference is locked, click on the lock icon and enter your Admin password to make
further changes • Choose the network service you want to use with IPv6, such as Ethernet or AirPort. • Click Advanced, and then click TCP/IP • Click on the Configure IPv6 pop-up menu (typically set to Automatically) and select Manually • Enter the IPv6 address, router address, and prefix length you received from your network administrator
or Internet service provider. Your router address may be referred to as your gateway address by some ISPs
• Reference: http://support.apple.com/kb/HT4667
(2001:db8:46:1::)
2001:db8:46:1::/64
2001:db8:46:1::
Router Advertisement
tmartin# ifconfig -L en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether b8:e8:56:19:f3:8a inet6 fe80::bae8:56ff:fe19:f38a%en0 prefixlen 64 scopeid 0x4 inet6 2001:db8:46:1:bae8:56ff:fe19:f38a prefixlen 64 autoconf pltime 267 vltime 267 inet6 2001:db8:46:1:883e:b6a2:863:e31b prefixlen 64 autoconf temp pltime 267
vltime 267 nd6 options=1<PERFORMNUD>
Address Timer Details & DNS
DNS server updated via option (25) from the previous RA
Preferred/Valid lifetimes updated via option (3) from the previous RA
tmartin$ netstat -rnf inet6 Routing tables Internet6: Destination Gateway Flags Netif Expire default fe80::250:f1ff:fe00:0%en0 UGc en0 ::1 ::1 UHL lo0 2001:db8:46:1::/64 link#4 UCS en0 2001:db8:46:1:883e:b6a2:8863:e31b b8:e8:56:19:f3:8a UHL lo0 2001:db8:46:1:bae8:56ff:fe19:f38a b8:e8:56:19:f3:8a UHL lo0 fe80::%lo0/64 fe80::1%lo0 UcI lo0 fe80::1%lo0 link#1 UHLI lo0 fe80::250:f1ff:fe00:0%en0 0:50:f1:0:0:0 UHLIr en0 fe80::bae8:56ff:fe19:f38a%en0 b8:e8:56:19:f3:8a UHLI lo0 ff01::%lo0/32 ::1 UmCI lo0 ff01::%en0/32 link#4 UmCSI en0 ff02::%lo0/32 ::1 UmCI lo0 ff02::%en0/32 link#4 UmCI en0
Displaying the Routing Table
tmartin# ndp -a Neighbor Linklayer Address Netif Expire St Flgs Prbs 2001:db8:46:1:654:53ff:fe12:f103 4:54:53:12:f1:3 en0 23h44m39s S 2001:db8:46:1:883e:b6a2:8863:e31b b8:e8:56:19:f3:8a en0 permanent R 2001:db8:46:1:bae8:56ff:fe19:f38a b8:e8:56:19:f3:8a en0 permanent R localhost (incomplete) lo0 permanent R fe80::250:f1ff:fe00:0%en0 0:50:f1:0:0:0 en0 13s R R Homework.local 4:54:53:12:f1:3 en0 23h44m33s S tmartin-m-90a6.local b8:e8:56:19:f3:8a en0 permanent R
Displaying the Neighbor Cache
tmartin# netstat -f inet6 Active Internet connections Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp6 0 0 2001:db8:46:1:.62472 edge-star6-shv-1.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62469 edge-star6-shv-0.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62468 2001:559:0:41::1.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62467 2001:559:0:56::b.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62458 2600:1404:a::174.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62457 xx-fbcdn6-shv-04.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62456 2600:1404:a::174.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62442 2607:f8b0:400f:8.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62337 edge-star6-shv-1.https ESTABLISHED udp6 0 0 *.55815 *.* udp6 0 0 *.58881 *.* udp6 0 0 *.52460 *.* udp6 0 0 *.64250 *.*
Display IPv6 Network Connections
OSX Multicast
Apple utilizes mDNS (ff02::fb) for name resolution
AirPlay, AirPrint, File share and other Bonjour services by default
mDNS works for both IPv4 and IPv6
RFC 6762 - http://tools.ietf.org/html/rfc6762
Details at http://en.wikipedia.org/wiki/Multicast_DNS
Bonjour browser free, mDNS browser paid app
tmartin# netstat -g Link-layer Multicast Group Memberships Group Link-layer Address Netif 33:33:ff:63:e3:1b <none> en0 33:33:0:0:0:1 <none> en0 33:33:ff:19:f3:8a <none> en0 33:33:0:0:0:fb <none> en0 IPv6 Multicast Group Memberships Group Link-layer Address Netif ff02::fb%lo0 <none> lo0 ff02::2:ffb8:7d5b%lo0 <none> lo0 ff01::1%lo0 <none> lo0 ff02::1%lo0 <none> lo0 ff02::1:ff00:1%lo0 <none> lo0 ff02::1:ff63:e31b%en0 33:33:ff:63:e3:1b en0 ff02::1%en0 33:33:0:0:0:1 en0 ff02::1:ff19:f38a%en0 33:33:ff:19:f3:8a en0 ff02::fb%en0 33:33:0:0:0:fb en0
Display Multicast Groups
Back To My Mac (BTMM)
• Provides cloud based file and screen sharing services
• IPv6 must be enabled, ULA (0xFD) is configured with EUI-64 host id
• Dynamic DNS Service Discovery, NAT traversal using Port Map Protocol
• IPSec for integrity, Kerberos for authentication
• RFC 6281
IPv4 Header UDP Header ESP Header IPv6 Header
OSX IPv6 & Happy Eyeballs
Apple applications uses multiple methods • getaddrinfo (Chrome, ~Firefox) • CFSocketStream (Safari)
OSX often results in looking at RTT of cached destinations • Uses that table to make connection call • Can have varied results
Possible that the legacy protocol is chosen when IPv6 is working • Approximately 50% of the time, largely because no head start • Hampering the experience
IPv6 In Linux
Linux Networking
• Since Kernel version 2.6.12 (2005) Linux has had IPv6 support • If you are using older versions of Linux you will likely have unpredictable behavior
• DHCPv6 client support is mixed for different versions – mileage will vary
edit /etc/dhcp/dhclient.conf to modify behavior or turn off DHCPv6 client
• IPv6 temporary addresses are enabled by default • Ubuntu server and client in 12.04 and 14.04 LTS
Linux IPv6 Basics
Ubuntu – check for an IPv6 address: • ip -6 addr show dev eth0 • cat /proc/net/if_inet6
Ubuntu – check for IPv6 temporary addresses: • sudo sysctl –a | grep tempaddr
Ubuntu – check for your IPv6 address • Ifconfig eth0 | grep “inet6 addr:”
Ubuntu – check for IPv6 neighbors: • ip -6 neigh show
Linux IPv6 Prefix Behavior
Linux still just uses route to manage everything: • Route –A inet6 –n
Linux will use the link-local IPv6 address as the next hop with SLAAC and DHCPv6
If you set up things Manually double check your default gateway
Linux IPv6 Host Behavior Configuration
Edit the /etc/sysctl.conf file to change host behavior: • #turn on IPv6 forwarding (not routing per say) • net.ipv6.conf.all.forwarding=1 • #turn off auto configuration (SLAAC) • net.ipv6.conf.all.autoconf=0 • #turn off RA learning – don’t recommend • net.ipv6.conf.all.accept_ra=1
For manual configuration use the above settings
The default /etc/sysctl.conf file will do the right IPv6 behavior for a client
Linux IPv6 Behavior Continued
Ubuntu - Turning off privacy addressing: • # Disable IPv6 Privacy Extensions • net.ipv6.conf.all.use_tempaddr = 0 • net.ipv6.conf.default.use_tempaddr = 0
Turning it back on: • # Enable IPv6 Privacy Extensions • net.ipv6.conf.all.use_tempaddr = 2 • net.ipv6.conf.default.use_tempaddr = 2
Linux Commands for IPv6 Address
Basic commands • ping6 • ifconfig • traceroute6 • route –A inet6 • netstat -nr –A inet6 • dig @ 2001:470:1f05:9a4::1 www.cav6tf.org AAAA • ssh root@fe80::<lower64>%eth0 or ssh root@<prefix:address>
Remember try the [2001:db8:cafe::1] format if the command fails
Howto reference: • http://tldp.org/HOWTO/html_single/Linux+IPv6-HOWTO/ • https://wiki.kubuntu.org/IPv6
Linux and Happy Eyeballs
Ubuntu and REHL default behaviors are similar
The Linux OS does standard RFC 6724
It is up to applications if they implement and use RFC 6555
Chrome and Firefox both have Happy Eyeballs support
There is no specific OS build support for RFC 6555 like OSX or Windows
§ FreeBSD scope/zone embedded in Link Local § fe80:1::200:cd32:56ef:291d § Syntactical reference, removed before transmitting
§ FreeBSD CVE causes Kernel panic § Malformed ICMPv6/SCTP packet, patch coming
§ Debian, Ubuntu, Raspbian Distributions § Default NTP servers leak addresses to scanning collective
§ (radvd) suffers multiple issues related to ULA § In documentation, as a “global” or DFGW § Be advised, I work for Cisco..
§ Server side issues seen when bind system call executes before DAD
Unix Odds & Ends
IPv6 In Mobile OS’s
§ Some limitations due to the fact it does not have a DHCPv6 client § Fairphone being the exception
§ On Wi-Fi networks, SLAAC must be enabled for an Android handset or tablet to obtain an IPv6 address
§ Android supports RFC 6106 so it can learn the IPv6 address of the DNS resolver via the RA
§ Android supports 464xlat allowing it to operate on an IPv6 only mobile network
§ Long term issue with “droid” in IPv6 only networks receiving IPv6 DNS § Huge delays with images loading, Difficult for non tech end users
Android and IPv6
§ Legacy applications using embeded literals in their code § RFC6877 464xLAT, “fixes” broken code for now
Mobile Provider Using IPv6 Only
Legacy Application
Intelligent Application
4 CLAT
6
4 PLAT
6
IPv4
Edge Services
IPv6
Internet Handset Carrier Network
IPv6 only
§ Apple iOS has a DHCPv6 client for Wi-Fi and can display IPv6 information in the settings | Wi-Fi
§ iOS supports SLAAC, Stateful & Stateless DHCPv6
§ At this time iOS 8 does not support 464xlat
§ Therefore, iOS 8 is not able to run on an IPv6 only mobile network
§ Unfortunately there are sometimes display issues with getting the full IPv6 address to display along with the full DNS name resolver IPv6 addresses
iOS and IPv6
• As of iOS 9, all iPhone/iPad apps will support IPv6! • Use the networking frameworks (for example, “NSURLSession”) • Avoid use of IPv4-specific APIs • Avoid hard-coded IP addresses
Next big thing? iOSv9 and IPv6
“If your application doesn’t work properly with IPv6, it will simply not function on those networks, those carriers and for those customers.”
- Sebastien Marineau VP Core OS
§ Kindle Fire supports IPv6 because it is based on Android and has Wi-Fi IPv6 support via SLAAC
§ The Kindle Paperwhite and other Kindle e-readers not based on Android do not have IPv6 support
§ This may be due to the experimental browser support in the e-reader and not the OS but I know of no tools to be able to test to determine if that is the case
• Because some models of the Kindle Fire have a 4G cellular option it has the same potential for 464xlat allowing it to operate on an IPv6 only mobile network
• To my knowledge this has not been tested
Kindle and IPv6
Conclusion
M=0, O=0, A=1, Opt 25 DHCP available
M=0, O=1, A=1, Opt 25 DHCP available
M=1, O=1, A=1, Opt 25 DHCP available
M=0, O=0, A=0, Opt 25 DHCP available
Win7 Address
DNS
RA NA
RA
DHCPv6
Both
DHCPV6
NA NA
Win8.1 Address
DNS
Both
DHCPv6
RA
DHCPv6
Both
DHCPV6
DHCPv6 DHCPv6
OSX Address
DNS
RA RA
RA
Both
Both Both
NA RA
iOS8 Address
DNS
RA RA
RA
Both
Both Both
NA RA
Android 5.0 Address
DNS
RA RA
RA RA
RA RA
NA RA
Ubuntu14 Address
DNS
RA RA
RA RA
RA RA
NA RA
Centos Address
DNS
RA RA
RA
Both
Both Both
NA RA
Fedora21 Address
DNS
RA RA
RA
Both
Both Both
NA RA
Provisioning Aquired info
§ https://www.ernw.de/download/ERNW_Whitepaper_IPv6_RAs_RDNSS_DHCPv6_Conflicting_Parameters.pdf
§ DHCPv6/SLAAC Interaction Problems on Address and DNS Configuration draft-ietf-v6ops-dhcpv6-slaac-problem-05
§ Examines the behavior of host OS’s under differing provision mechanisms
§ Provides insightful comments and understanding
§ OS specific papers describe security implications and makes recommendations
§ Thanks Enno, Antonios, Chris & Team
A Detailed Analysis of Host Provisioning
Recommended Reading
Cisco IPv6 Services
A Phased-Plan Approach for Successful IPv6 Adoption
IPv6 Assessment Service • Determine how your network needs to change to support your IPv6 strategy
IPv6 Discovery Service • Guidance in the early stages of considering a transition to IPv6
IPv6 Planning and Design Service • Designs, transition strategy, and support to enable a smooth migration
IPv6 Implementation Service • Validation testing and implementation consulting services
Network Optimization Service • Absorb, manage, and scale IPv6 in your environment
§ Gain Operational Experience now § IPv6 is already here and running well
§ Control IPv6 traffic as you would IPv4
§ “Poke” your Provider’s
§ Lead your OT/LOB’s into the Internet
Key Take Away
