IPv6 Deployment
Rocky Mountain Cisco User’s Group, December 2003
Scott Hogg CCIE #5133, CISSP, FCNE, CIPTSS
Agenda
• Motivation for IPv6
• IPv6 Protocol Specifics
• IPv6 Header and IPv6 Addressing
• ICMPv6
• QoS, Security
• DNS for IPv6
• IPv6 Routing Protocols
• IPv6 Transition Mechanisms
• IPv6 6Bone and Research Projects
• Vendor Support for IPv6 – Configuration Examples
  • Cisco, Microsoft, Sun, Linux
• Live IPv6 Technology Demonstration
• Questions and Answers
• References and Resources
IPv4 Deficiencies
• Address Space Limitations
• Inadequate address aggregation mechanisms
  • Ballooning BGP databases
  • Router memory exhaustion
  • Increased forwarding table lookup time
• NAT is not an optimal solution – lack of a peer-to-peer model
• Broadcast is inefficient
• Uncontrolled packet fragmentation
• No inherent security
• Inadequate support for mobility
IPv4 Address Growth
• [Graph: Percentage of IPv4 Addresses Allocated]
• Source of graph: Tony Hain – Technical Leader, Cisco Systems; Technology Director, IPv6 Forum Technical Directorate – North America Global IPv6 Summit 2003 presentation
IPng
• [Timeline figure, Jan 92 to Jul 94, of the IPng proposals: IPv7 (Ullman), TP/IX, CATNIP, TUBA (Callon), ENCAPS (Hinden), IPAE, SIP (Deering), SIPP, PIP (Francis)]
IPv6 Features
• Expanded addressing capability
• Efficient and hierarchical addressing and routing
• Auto-configuration mechanisms
• Simplification of header format
• Improved support for extensions and options
• Extensions for authentication and privacy
• Flow label capability
• Mobility
• Extensibility – future proof
• Flexible transition mechanisms
IPv4 Header vs. IPv6 Header
• IPv4 Header: 20 octets, 12 fields, including 3 flag bits + fixed maximum number of options
  • Version, IHL, Service Type, Total Length, Identifier, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, 32-bit Source Address, 32-bit Destination Address, Options and Padding
• IPv6 Header: 40 octets, 8 fields + unlimited chained Extension (options) Headers
  • Version, Class, Flow Label, Payload Length, Next Header, Hop Limit, 128-bit Source Address, 128-bit Destination Address
• [Figure legend marks the IPv4 fields that were removed and the fields that were changed in IPv6]
IPv6 Header Fields
• Version: bits 0-3 (0110 equals 6)
• Traffic Class (DiffServ, RFC 2472): bits 4-11 (8 bits) – class of this packet relative to other packets from the same source, like the IPv4 TOS bits
• Flow Label (currently experimental): bits 12-31 (20 bits) – identifies a packet flow that may require special handling
• Payload Length: bits 32-47 (16 bits) – length in octets of the rest of the packet following the IPv6 header
  • Payload up to 64KB; larger payloads need Jumbograms (RFC 2675)
IPv6 Header Fields
• Next Header: similar to the IPv4 ‘protocol’ field
  • Bits 48-55 (8 bits) – identifies the header following the IPv6 header (an optional extension header or the upper-layer protocol)
• Hop Limit: similar to the IPv4 TTL field
  • Bits 56-63 (8 bits) – decremented by one at each hop; the packet is discarded when it reaches 0
  • The TTL name was changed since the field has nothing to do with time
• Source Address: bits 64-191 (128 bits)
• Destination Address: bits 192-319 (128 bits)
IPv6 Extension Headers
• Next Header field values (in the recommended header order):
  • 0 – Hop-by-Hop Options
  • 60 – Destination Options (if a Routing header is used)
  • 43 – Routing
  • 44 – Fragment
  • 51 – AH
  • 50 – ESP
  • 60 – Destination Options
  • 6 – TCP
  • 17 – UDP
  • 58 – ICMPv6
  • 59 – None (no next header)
• Header chaining examples:
  • IPv6 Header (Next Header = 6) | TCP Header + Data
  • IPv6 Header (Next Header = 43) | Routing Header (Next Header = 6) | TCP Header + Data
  • IPv6 Header (Next Header = 43) | Routing Header (Next Header = 44) | Fragment Header (Next Header = 6) | Fragment of TCP Header + Data
• Option format (TLV): Option Type (8 bits) | Option Data Length (8 bits) | Option Data (variable length)
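As an added example (not from the slides), the following Python decodes the 40-octet fixed header at the bit offsets listed above and then walks the Next Header chain to the upper-layer protocol. The point for anyone writing a filter: for the third chain above, the fixed header's Next Header is 43 (Routing), not 6; only walking every extension header reveals that the packet is TCP. ESP is deliberately not walked, since everything after it is encrypted. The packet bytes and addresses are constructed here for the demonstration.

```python
import struct

# Next Header values listed on the slide
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DEST_OPTS = 0, 43, 44, 50, 51, 59, 60
TCP, UDP, ICMPV6 = 6, 17, 58
# Headers a filter can step over; ESP is excluded because everything after it is encrypted
WALKABLE = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}


def parse_fixed_header(pkt):
    """Decode the 40-octet fixed IPv6 header into its eight fields (bit offsets as on the slide)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28                       # bits 0-3
    if version != 6:
        raise ValueError("not an IPv6 packet (version %d)" % version)
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,  # bits 4-11
        "flow_label": first_word & 0xFFFFF,          # bits 12-31
        "payload_length": payload_len,               # bits 32-47, octets after the fixed header
        "next_header": next_hdr,                     # bits 48-55
        "hop_limit": hop_limit,                      # bits 56-63
        "src": pkt[8:24],                            # bits 64-191
        "dst": pkt[24:40],                           # bits 192-319
    }


def walk_extension_headers(pkt):
    """Follow the Next Header chain from the fixed header to the upper-layer protocol.
    Returns (extension header types in order, upper-layer Next Header value, its offset)."""
    hdr = parse_fixed_header(pkt)
    end = 40 + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("payload length exceeds packet")
    nh, offset, chain = hdr["next_header"], 40, []
    while nh in WALKABLE:
        if offset + 8 > end:
            raise ValueError("extension header runs past payload")
        next_nh, ext_len = pkt[offset], pkt[offset + 1]
        if nh == FRAGMENT:
            length = 8                     # Fragment header is fixed at 8 octets
        elif nh == AH:
            length = (ext_len + 2) * 4     # AH length is in 32-bit words, minus 2
        else:
            length = (ext_len + 1) * 8     # Hdr Ext Len in 8-octet units, first 8 not counted
        if offset + length > end:
            raise ValueError("extension header runs past payload")
        chain.append(nh)
        offset += length
        nh = next_nh
    return chain, nh, offset


def build_sample_packet():
    """Constructed packet for the slide's third chain: IPv6 | Routing | Fragment | TCP."""
    src = bytes.fromhex("3ffe90e0000300000000005000000001")   # constructed addresses
    dst = bytes.fromhex("20010db8000000000000000000000002")
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)  # 20-octet SYN
    frag = struct.pack("!BBHI", TCP, 0, 0, 0xDEADBEEF)               # next=6, offset 0, id
    routing = struct.pack("!BBBBI", FRAGMENT, 2, 0, 1, 0) + dst      # type 0, 1 segment left
    payload = routing + frag + tcp
    fixed = struct.pack("!IHBB", (6 << 28) | 0x12345, len(payload), ROUTING, 64) + src + dst
    return fixed + payload


if __name__ == "__main__":
    print(walk_extension_headers(build_sample_packet()))
```

The same walk is what an ACL or IDS must perform before it can match on TCP ports; a fragment header in the chain additionally means the transport header may be absent from this fragment altogether.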
IPv6 Address Types
• Unicast (1:1) – Provider Based, Local Use, future definable...
  • Provider Based Unicast Addresses
  • Local Use Addresses
  • IPv4 Compatible IPv6 Addresses
  • IPv4 Mapped IPv6 Addresses (new style regular IPv4)
• Anycast (1:Nearest) – assigned to more than one interface
  • When used as part of a route sequence can allow for load balancing – source-selected policies
  • Allocated from the unicast space – indistinguishable from unicast addresses
  • Nodes assigned an anycast address must be explicitly configured to know it is an anycast interface/address
  • Router only – not used as a source address
• Multicast (1:Many)
  • Including scope fields and a transient/well-known flag
  • The good old ‘broadcast’ addresses are not used anymore
Increased IPv6 Addresses
• IPv6 increased the Src/Dst address to 128 bits
• 2^128 = 34 × 10^37 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
• If each IP address equaled one gram:
  • IPv4 would be 1/76th the weight of the Empire State Building
  • IPv6 would be 56.7 billion × the Earth’s weight
• 67 billion billion (6.65 × 10^23) addresses per cm² of the Earth’s surface
• 1246 IPv6 addresses per square meter of the area of the Milky Way galaxy
• That ought to be enough!
IPv6 Addressing Notation
• The 128 bits are converted into a more readable form:
  0011 1111 1111 1110 1001 0000 1110 0000 0000 0000 0000 0011 0000 0000 0000 0000 /
  0000 0000 0000 0000 0000 0000 0101 0000 0000 0000 0000 0000 0000 0000 0000 0000
• Convert the bits to hex, 16 bits per colon-separated group: 3FFE:90E0:0003:0000:0000:0050:0000:0000
• Reduce by removing leading zeros within each group: 3FFE:90E0:3:0:0:50:0:0
• Use :: to consolidate a run of zero groups – only once per address:
  3FFE:90E0:3::50:0:0
  or
  3FFE:90E0:3:0:0:50::
• Prefix format/notation: 3FFE:90E0:3::/64
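The three steps above, as an added Python example that is not part of the slides: bits to hex groups, leading-zero removal, and a single `::` for the longest run of zero groups, plus the inverse expansion. The slide's own 128-bit string is embedded as the sample input. The `canonical` helper matters in practice because the same address can be written several ways (both `3FFE:90E0:3::50:0:0` and `3FFE:90E0:3:0:0:50::` appear above), so log searches and allow-lists should compare a normalised form rather than raw text.

```python
# The 128-bit example from the slide (spaces and the "/" line break are ignored)
PAGE_BITS = ("0011 1111 1111 1110 1001 0000 1110 0000 0000 0000 0000 0011 0000 0000 0000 0000 /"
             "0000 0000 0000 0000 0000 0000 0101 0000 0000 0000 0000 0000 0000 0000 0000 0000")


def bits_to_groups(bits):
    """128 binary digits (spaces and '/' allowed) -> eight 4-digit uppercase hex groups."""
    bits = bits.replace(" ", "").replace("/", "")
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("need exactly 128 binary digits")
    return ["%04X" % int(bits[i:i + 16], 2) for i in range(0, 128, 16)]


def compress(groups):
    """Drop leading zeros in each group, then replace the longest run (>= 2) of zero groups with '::'."""
    short = [g.lstrip("0") or "0" for g in groups]
    best_start, best_len, i = -1, 0, 0
    while i < 8:                              # find the longest run of "0" groups
        if short[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and short[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:                          # a single zero group is not worth a '::'
        return ":".join(short)
    left = ":".join(short[:best_start])
    right = ":".join(short[best_start + best_len:])
    return left + "::" + right


def expand(text):
    """Inverse of compress: any legal textual form -> eight zero-padded uppercase groups."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        left, right = text.split("::")
        l = left.split(":") if left else []
        r = right.split(":") if right else []
        if len(l) + len(r) > 7:
            raise ValueError("'::' must stand for at least one zero group")
        groups = l + ["0"] * (8 - len(l) - len(r)) + r
    else:
        groups = text.split(":")
    if len(groups) != 8:
        raise ValueError("an address has exactly eight groups")
    out = []
    for g in groups:
        if not g or len(g) > 4:
            raise ValueError("bad group %r" % g)
        out.append("%04X" % int(g, 16))      # int() rejects non-hex characters
    return out


def canonical(text):
    """One normalised spelling for comparing addresses from different sources."""
    return compress(expand(text))


if __name__ == "__main__":
    groups = bits_to_groups(PAGE_BITS)
    print(":".join(groups), "->", compress(groups))
```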
IPv6 Addressing: Format Prefix (leading bits of the address)
• Reserved (::0/128): 0000 0000
• Unassigned: 0000 0001
• Reserved for NSAP Allocation: 0000 001
• Reserved for IPX Allocation – later deprecated: 0000 010
• Unassigned: 0000 011
• Unassigned: 0000 1
• Unassigned: 0001
• Aggregatable Global Unicast Addresses (2001::/16): 001
• Provider-Based Unicast Address: 010
• Unassigned: 011
• Reserved for Neutral-Interconnect-Based Unicast Addresses: 100
• Unassigned: 101
• Unassigned: 110
• Unassigned: 1110
• Unassigned: 1111 0
• Unassigned: 1111 10
• Unassigned: 1111 110
• Unassigned: 1111 1110 0
• Link Local Use Addresses (FE80::/10): 1111 1110 10
• Site Local Use Addresses (FEC0::/10): 1111 1110 11
• Multicast Addresses (FF00::/8): 1111 1111
Site and Link Local Addresses
• Link Local
  • Single-link address – never routed
  • Used for autoconfiguration and neighbor discovery
• Site Local
  • Similar to RFC 1918 addresses
  • Can be divided into subnets
Interface ID – EUI-64
• IEEE Extended Unique Identifier (EUI-64)
• The 48-bit MAC address is mapped to 64 bits by inserting FFFE in the middle (and flipping the universal/local bit)
  • MAC = 00:08:74:9b:3c:f4
  • EUI-64 link-local = FE80::208:74FF:FE9B:3CF4
• Privacy Addresses (RFC 3041)
  • Randomly generated interface ID
Aggregatable Global Unicast
• Provider-based addresses changed name to Aggregatable Global Unicast
• Format Prefix (FP) = 001
• Top-Level Aggregation ID – 8192 assigned to registries
• Next-Level Aggregation ID – network access providers
• Site-Level Aggregation ID – internal organizational – subnets
• Sub-TLA assignments (RFC 2450):
  • 2001:0400::/23 ARIN
  • 2001:0200::/23 APNIC
  • 2001:0600::/23 RIPE NCC
  • 2002::/16 6to4 (RFC 3056)
  • 3FFE::/16 6Bone (RFC 2471)
Multicast Addresses
• Flags Field:
  • Bits 0-3 = reserved, must be zero
  • Bit 4 = 0 if it is a well-known multicast address – permanently assigned
  • Bit 4 = 1 if this is a temporary (transient) multicast address – temporarily assigned
• Scope Field:
  • 1 – Node Local (Interface Local) – FF01
  • 2 – Link Local – FF02
  • 5 – Site Local – FF05
• Well-known groups:
  • FF01:0:0:0:0:0:0:1 – All Nodes Address
  • FF01:0:0:0:0:0:0:2 – All Routers Address
  • FF02:0:0:0:0:0:0:1 – All Nodes Address
  • FF02:0:0:0:0:0:0:2 – All Routers Address
  • FF02:0:0:0:0:0:0:5 – OSPFIGP
  • FF02:0:0:0:0:0:0:6 – OSPFIGP DR
  • FF02:0:0:0:0:0:0:9 – RIP Routers
Anycast Addresses
• Same range as aggregatable global unicast addresses
• Router interfaces have “subnet-router anycast addresses”
• Reserved anycast addresses are defined in two formats: one for address types required to have an EUI-64 interface ID, and one for all other IPv6 address types
ICMPv6
• More powerful than ICMPv4
• ICMPv6 is identified by Next Header value 58 (RFC 2463)
• Type – Description
  • 1 Destination Unreachable
  • 2 Packet Too Big
  • 3 Time Exceeded
  • 4 Parameter Problem
  • 128 Echo Request
  • 129 Echo Reply
  • 130 Multicast Listener Query – sent to ff02::1 (all nodes)
  • 131 Multicast Listener Report
  • 132 Multicast Listener Done – sent to ff02::2 (all routers)
  • 133 Router Solicitation (RS) – sent to ff01::2 (all routers)
  • 134 Router Advertisement (RA) – sent to ff01::1 (all nodes)
  • 135 Neighbor Solicitation (NS) – sent to the solicited-node multicast address, ff02:0:0:0:0:1:ff00::/104
  • 136 Neighbor Advertisement (NA)
  • 137 Redirect
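An added Python example (not from the slides) tying the Interface ID slide to the Neighbor Solicitation entry above: it derives the EUI-64 link-local address from the slide's MAC, computes the solicited-node group in ff02::1:ff00::/104 that an NS for that address is sent to, and builds a type-135 NS with its checksum. The checksum is the detail most often got wrong when hand-crafting or validating ICMPv6: unlike ICMPv4, it covers an IPv6 pseudo-header (source, destination, length, Next Header 58), so a receiver cannot verify it without the addresses. The source address used in the test is constructed.

```python
import ipaddress
import struct

ICMPV6 = 58
NEIGHBOR_SOLICITATION = 135


def _v6(addr):
    return addr if isinstance(addr, ipaddress.IPv6Address) else ipaddress.IPv6Address(addr)


def eui64_interface_id(mac):
    """Modified EUI-64 from a 48-bit MAC: insert FF:FE in the middle, flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 6 octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02                      # 00:08:74... becomes 02:08:74...
    return bytes(eui)


def link_local_from_mac(mac):
    """fe80::/64 plus the modified EUI-64 (the stateless autoconfiguration address)."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac))


def solicited_node(addr):
    """ff02::1:ffXX:XXXX, the multicast group that Neighbor Solicitations for addr are sent to."""
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + _v6(addr).packed[13:])


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src, dst, msg):
    """ICMPv6 checksum over the IPv6 pseudo-header (src, dst, length, next header 58) and the message."""
    pseudo = _v6(src).packed + _v6(dst).packed + struct.pack("!I3xB", len(msg), ICMPV6)
    return (~_ones_complement_sum(pseudo + msg)) & 0xFFFF


def build_neighbor_solicitation(src, target):
    """Return (destination group, NS message) for resolving target from src."""
    dst = solicited_node(target)
    body = struct.pack("!BBHI", NEIGHBOR_SOLICITATION, 0, 0, 0) + _v6(target).packed  # checksum zeroed
    csum = icmpv6_checksum(src, dst, body)
    return dst, body[:2] + struct.pack("!H", csum) + body[4:]


def verify_icmpv6(src, dst, msg):
    """A correct message sums (with its checksum field) to all ones, so the complement is zero."""
    return icmpv6_checksum(src, dst, msg) == 0


if __name__ == "__main__":
    ll = link_local_from_mac("00:08:74:9b:3c:f4")   # the MAC from the Interface ID slide
    print(ll, solicited_node(ll))
```

A MAC-derived interface ID is a stable identifier that follows the host from network to network, which is the reason the slide lists RFC 3041 privacy addresses as the alternative.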
IPv6 Auto-Configuration
• IPv4 configuration (Bootstrap/DHCP/ARP)
  • IPv4 address, subnet mask, default gateway
  • Domain name, resolver
• IPv6 configuration
  • Neighbor Discovery (stateless configuration)
  • DHCPv6 (stateful configuration)
  • Duplicate Address Detection (DAD)
  • Router/Prefix Discovery, Next-Hop Determination
  • Parameter discovery (link MTU, hop limit, …)
  • Redirect, Neighbor Unreachability Detection (NUD) (useful for default routers)
  • Advertises 6to4 site router prefixes
  • Router Renumbering (RR) Protocol
IPv6 Quality of Service
• QoS is required for real-time services
  1) Need for lower latency and jitter
  2) Improved tolerance of lost packets
  3) Less emphasis on re-transmission of lost data
  4) More emphasis on timing relationships (time-stamping)
• 24-bit Flow Label – identifies traffic flows
• Drop Priority field to manage conflicts
• RSVP used by routers to deal with requests
IPv6 Security
• IPv4 security problems
  1) Denial of service attacks
  2) Address spoofing
  3) Use of source routing defeats address authentication
• IPv6 security
  1) Mandated at the OS level (IPSEC)
  2) Authentication Header (default to MD5)
  3) Encryption (default to DES-CBC)
  4) Security Parameter Index
  5) Repudiation features
Other IPv6 Features
• IPv6 requires every network link to be capable of an MTU of at least 576; the minimum MTU is 1280
• IPv6 routers don’t fragment packets
• Hosts perform their own Path MTU Discovery
• Provider selection (based on policy, performance, cost, …)
• Host mobility (route to current location)
• Auto-readdressing (route to new address)
• (These use IPv6’s routing extension header)
IPv6 Routing Protocols
• Key to scalable routing is to use hierarchical addressing
• RIPng (RFC 2080)
• OSPFv3 (RFC 2740)
• Integrated IS-ISv6 (draft-ietf-isis-ipv6-02.txt)
• EIGRPv6 (available in 2002!)
• MP-BGP (RFC 2858 and RFC 2545)
• IDRPv6 – InterDomain Routing Protocol (ISO)
• IPv6 still uses longest-prefix matching
RIPng
• Distance vector, classless, hop-based routing by rumor
• Sample configuration:
  ipv6 unicast-routing
  !
  interface Loopback0
   ipv6 address FEC0:0:0:8::8/128
  !
  interface Ethernet0/0
   ipv6 address 2001:88::8/64
   ipv6 enable
   ipv6 rip RIPNG enable
   ipv6 rip RIPNG default-information originate
  !
  interface Serial0/1
   ipv6 address 2001:68::8/64
   ipv6 address FEC0:68::8/64
   ipv6 enable
   ipv6 rip RIPNG enable
  !
  ipv6 router rip RIPNG
OSPFv3
• Highly scalable link-state IGP
• Fundamental OSPF mechanisms and algorithms unchanged
• Packet and LSA formats are different
• Runs per-link rather than per-subnet
• Interfaces can have multiple IPv6 addresses
• Uses FF02::5 and FF02::6
• Neighbor authentication done with IPSec
• Router IDs, Area IDs, and LSA IDs remain 32-bit IPv4-style values
OSPFv3 Configuration
  interface Ethernet 0
   description backbone interface
   ipv6 address 2001:100:1::1/64
   ipv6 enable
   ipv6 ospf 100 area 0
  !
  interface Ethernet 1
   description Area 1 interface
   ipv6 address 2001:200:2::1/64
   ipv6 enable
   ipv6 ospf 100 area 1
  !
  ipv6 router ospf 100
   router-id 10.1.1.1
   area 1 range 2001:200:FFFF:1::1/64
Multiprotocol BGP-4, BGP4+
• Multiprotocol Extensions for BGP-4 (RFC 2858)
• Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing (RFC 2545)
• Multiprotocol Reach/Unreach NLRIs
• Address Family Identifier (AFI=2) tells which NLRIs are used
• BGP TCP port 179 sessions can be over IPv4 or IPv6
• BGP4+ still relies upon a stable IGP
• Next-Hop attribute must be a link-local or aggregatable global unicast IPv6 address
• Configured a lot like BGP-4 for IPv4 on Cisco routers
BGP-4+ Configuration
  interface Ethernet0
   ipv6 address 5f00:0100:0:0:1::1/80
  !
  router bgp 100
   no bgp default ipv4-unicast
   neighbor 5f00:0100:0:0:2::1 remote-as 101
   aggregate-address 2001:420:2000::/42 summary-only
   !
   address-family ipv6
    neighbor 5f00:0100:0:0:2::1 activate
    neighbor 5f00:0100:0:0:2::1 prefix-list BGP-IN in
    neighbor 5f00:0100:0:0:2::1 prefix-list AGGREGATE out
    network 5f00:0100:0:0:1::/40
   exit-address-family
  !
  ipv6 prefix-list AGGREGATE seq 5 deny 3FFE:C00::/24 ge 25
  ipv6 prefix-list AGGREGATE seq 10 permit ::/0 le 48
  !
  ipv6 prefix-list BGP-IN seq 5 deny 5F00::/8 le 128
  ipv6 prefix-list BGP-IN seq 10 deny ::/0
  ipv6 prefix-list BGP-IN seq 15 deny ::/1
  ipv6 prefix-list BGP-IN seq 20 deny ::/2
  ipv6 prefix-list BGP-IN seq 25 deny ::/3 ge 4
  ipv6 prefix-list BGP-IN seq 30 permit ::/0 le 128
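Added example, not Cisco code and not from the slides: a Python evaluator for the two prefix-lists in the configuration above, implemented with the IOS `ge`/`le` semantics (no `ge`/`le`: the prefix length must match exactly; `ge` alone: `ge` up to 128; `le` alone: the entry's own length up to `le`; both: `ge` up to `le`; an implicit deny follows the last entry). Running candidate prefixes through a filter before it is deployed is the cheapest way to catch a list that admits more, or less, than intended. The stray `n` on the seq 25 line of the original slide is dropped in the embedded copy.

```python
import ipaddress

# The two prefix-lists from the BGP-4+ configuration slide
PAGE_PREFIX_LISTS = """
ipv6 prefix-list AGGREGATE seq 5 deny 3FFE:C00::/24 ge 25
ipv6 prefix-list AGGREGATE seq 10 permit ::/0 le 48
ipv6 prefix-list BGP-IN seq 5 deny 5F00::/8 le 128
ipv6 prefix-list BGP-IN seq 10 deny ::/0
ipv6 prefix-list BGP-IN seq 15 deny ::/1
ipv6 prefix-list BGP-IN seq 20 deny ::/2
ipv6 prefix-list BGP-IN seq 25 deny ::/3 ge 4
ipv6 prefix-list BGP-IN seq 30 permit ::/0 le 128
"""


def parse_prefix_lists(text):
    """'ipv6 prefix-list NAME seq N permit|deny PREFIX [ge A] [le B]' -> {NAME: [(seq, action, net, ge, le)]}."""
    lists = {}
    for line in text.splitlines():
        p = line.split()
        if len(p) < 7 or p[:2] != ["ipv6", "prefix-list"] or p[3] != "seq":
            continue                                   # not a prefix-list line
        name, seq, action = p[2], int(p[4]), p[5]
        if action not in ("permit", "deny"):
            raise ValueError("bad action in: " + line)
        net = ipaddress.IPv6Network(p[6], strict=False)
        ge = le = None
        opts = p[7:]
        for key, val in zip(opts[::2], opts[1::2]):
            if key == "ge":
                ge = int(val)
            elif key == "le":
                le = int(val)
        lists.setdefault(name, []).append((seq, action, net, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e[0])               # IOS evaluates in sequence order
    return lists


def entry_matches(entry, candidate):
    """IOS matching: candidate lies within the entry's prefix and its length is in the ge/le window."""
    seq, action, net, ge, le = entry
    if not candidate.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else (128 if ge is not None else net.prefixlen)
    return low <= candidate.prefixlen <= high


def evaluate(lists, name, prefix):
    """Return (action, seq) of the first matching entry, or ('deny', None) for the implicit deny."""
    candidate = ipaddress.IPv6Network(prefix, strict=False)
    for entry in lists[name]:
        if entry_matches(entry, candidate):
            return entry[1], entry[0]
    return "deny", None


if __name__ == "__main__":
    lists = parse_prefix_lists(PAGE_PREFIX_LISTS)
    for name, prefix in [("AGGREGATE", "2001:420:2000::/42"), ("BGP-IN", "5f00:100::/40")]:
        print(name, prefix, evaluate(lists, name, prefix))
```

Note what the lists actually do: AGGREGATE announces nothing longer than /48 and nothing more specific than /24 inside 3FFE:C00::/24, while BGP-IN refuses the 5F00::/8 block the router itself lives in and the unassigned 0000 top of the address space, and accepts everything else at any length.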
IPv6 Security
• IPv6 Access Control Lists
  ipv6 access-list <ACL-NAME> [permit | deny] <src-prefix/length> | any | host <host-ip> … <dest-prefix/length> | any | host <host-ip> … [log | log-input]
  Router(config-if)# ipv6 traffic-filter <ACL-NAME> [in | out]
• IPv6 Access Classes (the list named in access-class must be the one defined)
  ipv6 access-list IPV6AC permit 2001:100:400::/48 any
  line vty 0 4
   ipv6 access-class IPV6AC in
DNS for IPv6
• Upgrade DNS servers first
• DNS for IPv6 – RFC 1886
• BIND v9 supports IPv6
• AAAA (“quad-A” = 4 × 32 = 128 bits) – simple format
• A6 format – more complex format for business deployments
• Use IPv6 if available, else IPv4 – if both record types are returned, the choice is left to the requesting host
• Respond based on the version number of the request packet
DNS for IPv6
• Nodes can have both IPv4 A and IPv6 AAAA records in forward lookup files
  www.example.org IN A 192.0.2.1
  www.example.org IN AAAA 3ffe:b00:1::1
• Reverse lookup files
  • .ip6.int is deprecated, so use .ip6.arpa, or both
  1.2.0.192.in-addr.arpa IN PTR www.example.org.
  1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.b.0.e.f.f.3.ip6.arpa. IN PTR www.example.org.
• named.conf
  listen-on {192.0.2.1;};
  listen-on-v6 {3ffe:b00:1::1;};
  masters {3ffe:b00:1::1;};
  allow-transfer {3ffe:b00:1::1;};
• Client’s /etc/resolv.conf
  nameserver 3ffe:b00:1:1::2
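An added Python example (not from the slides) that generates the forward A/AAAA and reverse PTR records shown above from a host list. The ip6.arpa owner name is built the way the example on the slide was: expand the address to all 32 hex digits, then write the nibbles in reverse order, one label each, which is why a hand-typed reverse zone for IPv6 is so error-prone. The host list is the slide's www.example.org; the domain parameter lets a site that still serves .ip6.int generate both.

```python
import ipaddress

# Forward data from the slide: name -> addresses
PAGE_HOSTS = {"www.example.org": ["192.0.2.1", "3ffe:b00:1::1"]}


def reverse_name(addr, v6_domain="ip6.arpa"):
    """Owner name for the PTR record: octets reversed under in-addr.arpa, nibbles reversed under ip6.arpa."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(str(ip).split(".")[::-1]) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + "." + v6_domain + "."


def zone_records(hosts, v6_domain="ip6.arpa"):
    """Return (forward lines, reverse lines) in zone-file syntax for {fqdn: [addresses]}."""
    forward, reverse = [], []
    for name, addrs in hosts.items():
        owner = name if name.endswith(".") else name + "."
        for a in addrs:
            ip = ipaddress.ip_address(a)
            rtype = "A" if ip.version == 4 else "AAAA"
            forward.append("%s IN %s %s" % (owner, rtype, ip))
            reverse.append("%s IN PTR %s" % (reverse_name(ip, v6_domain), owner))
    return forward, reverse


if __name__ == "__main__":
    fwd, rev = zone_records(PAGE_HOSTS)
    print("\n".join(fwd + rev))
```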
IPv6 Transition Techniques
• Dual Stack
• Tunnel/Encapsulation
  • Configured Tunnels
  • Automatic Tunnels
    • 6to4
    • ISATAP
    • Tunnel Broker with TSP
    • Teredo
• Application Layer Gateways
  • Proxy
Dual IP Stacks Architecture
• Dual-Stack Architecture – RFC 1933
• 4 different possibilities
• Ships in the night
• [Figure: one Application and TCP/UDP layer above both IPv4 (Ethertype 0x0800) and IPv6 (Ethertype 0x86dd), over a common Data Link (Ethernet II)]
Sample Cisco Configurations
Dual-Stack Router:
  ipv6 unicast-routing
  !
  interface Loopback0
   ip address 200.100.1.3 255.255.255.255
   ipv6 address FEC0:0:0:8::8/128
  !
  interface Ethernet 0
   ip address 192.168.100.1 255.255.255.0
   ipv6 address 2001:100:1:1::1/64
   ipv6 enable
  !
  ipv6 route ::/0 2001:150:1::4
IPv6 Tunneling
• Manually configured or automatic
• IPv6 PDUs encapsulated in IPv4 with protocol 41
• [Figure: router-to-router tunnel – the IPv6 packet (IPv6 header + data) travels natively between IPv6 hosts and v4/v6 routers, and is carried inside an IPv4 header across the IPv4 network; node-to-node tunnel – the same encapsulation between two dual-stack nodes]
Cisco Tunnel Configuration
  hostname Router1
  !
  interface Tunnel 0
   ipv6 address 3ffe:b00:c18:1::3/127
   tunnel source 192.168.100.1
   tunnel destination 192.168.200.2
   tunnel mode ipv6ip

  hostname Router2
  !
  interface Tunnel 0
   ipv6 address 3ffe:b00:c18:1::2/127
   tunnel source 192.168.200.2
   tunnel destination 192.168.100.1
   tunnel mode ipv6ip
IPv4-to-IPv6 Addresses
• IPv4-Compatible IPv6 addresses
• IPv4-Mapped IPv6 addresses
IPv6 Tunneling – 6to4
• Connection of isolated IPv6 domains via IPv4 clouds without explicit tunnels
• Inter-domain tunneling using the IPv4 address as the IPv6 site prefix – IPv6 using IPv4 as a virtual link layer
• IPv6 VPN over the IPv4 Internet (2002::/16 prefix)
• Automatic tunneling approach – minimal manual configuration
• Uses a globally unique prefix comprised of the 6to4 TLA and the globally unique IPv4 address of the exit router
• The 6to4 Relay is the gateway between the IPv6 and IPv4 worlds
• No NAT can exist in the path
• The 6to4 Relay may be far away from the end node
• Security issues related to an open relay
6to4 Configuration
  hostname Router1
  !
  interface Ethernet 0
   ip address 200.168.100.1 255.255.255.0
   ipv6 address 2002:c8a8:6401:1::1/64
  !
  interface Tunnel 0
   no ip address
   ipv6 unnumbered Ethernet 0
   tunnel source Ethernet 0
   tunnel mode ipv6ip 6to4
  !
  ipv6 route 2002::/16 Tunnel0

  hostname Router2
  !
  interface Ethernet 0
   ip address 200.168.200.2 255.255.255.0
   ipv6 address 2002:c8a8:c802:2::2/64
  !
  interface Tunnel 0
   no ip address
   ipv6 unnumbered Ethernet 0
   tunnel source Ethernet 0
   tunnel mode ipv6ip 6to4
  !
  ipv6 route 2002::/16 Tunnel0
IPv6 Tunneling – ISATAP
• Intra-Site Automatic Tunnel Addressing Protocol
• Automatic tunneling inside an enterprise
• Creates a virtual IPv6 link over an IPv4 network
• The interface ID is 5EFE followed by the 32-bit IPv4 address converted to hex
• Can use private address space
IPv6 Tunneling – ISATAP
  interface Ethernet 0
   ip address 192.168.12.1 255.255.255.0
  !
  interface tunnel 0
   ipv6 address 3ffe:b00:ffff:3::/64 eui-64
   tunnel source Ethernet 0
   tunnel mode ipv6ip isatap
   no ipv6 nd suppress-ra
• [Figure: ISATAP tunnel over the IPv4 network between the router (192.168.12.1, FE80::5EfE:C0A6:0C01) and a dual-stack ISATAP node (192.168.3.3, FE80::5EfE:C0A6:0303)]
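An added Python example, not from the slides and not Cisco code, covering the address derivations of the 6to4 and ISATAP slides and the one check a 6to4 decapsulator must make. `six_to_four_prefix` reproduces the 2002:c8a8:6401::/48 and 2002:c8a8:c802::/48 prefixes of the 6to4 configuration from the routers' IPv4 addresses; `isatap_link_local` computes the ISATAP address for 192.168.12.1, whose hex form is c0a8:0c01 (the ::5EFE identifier follows the IPv4 address; the u/l bit in front of it is set only for globally unique IPv4 addresses, a rule taken from RFC 5214, which postdates this talk). The protocol-41 encapsulator and decapsulator then show the source-consistency check from RFC 3964: an inner 2002::/16 source must embed the outer IPv4 source, which is what keeps an open relay from forwarding IPv6 packets with forged 6to4 sources. All packets are constructed inline.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41                       # IPv6-in-IPv4, as on the tunneling slide
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def six_to_four_prefix(ipv4):
    """2002:VVVV:VVVV::/48 for a site whose exit router has global IPv4 address V.V.V.V (RFC 3056)."""
    packed = ipaddress.IPv4Address(ipv4).packed
    return ipaddress.IPv6Network((b"\x20\x02" + packed + b"\x00" * 10, 48))


def isatap_link_local(ipv4):
    """fe80::[0|2]00:5efe:VVVV:VVVV; the u/l bit is set only for globally unique IPv4 addresses (RFC 5214)."""
    ip = ipaddress.IPv4Address(ipv4)
    isatap_id = (b"\x02\x00" if ip.is_global else b"\x00\x00") + b"\x5e\xfe"
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + isatap_id + ip.packed)


def _ip_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate_6to4(outer_src, outer_dst, inner):
    """Wrap an IPv6 packet in a 20-octet IPv4 header carrying protocol 41 (no options, DF set)."""
    src = ipaddress.IPv4Address(outer_src).packed
    dst = ipaddress.IPv4Address(outer_dst).packed
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, 64,
                      IPPROTO_IPV6, 0, src, dst)
    return hdr[:10] + struct.pack("!H", _ip_checksum(hdr)) + hdr[12:] + inner


def decapsulate_6to4(frame):
    """Strip the IPv4 header; reject an inner 2002::/16 source that does not embed the outer IPv4 source."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    if _ip_checksum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len, proto = struct.unpack("!H", frame[2:4])[0], frame[9]
    if proto != IPPROTO_IPV6:
        raise ValueError("protocol %d is not IPv6-in-IPv4" % proto)
    outer_src = ipaddress.IPv4Address(frame[12:16])
    inner = frame[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src in SIX_TO_FOUR and ipaddress.IPv4Address(inner[10:14]) != outer_src:
        raise ValueError("6to4 source %s does not embed outer source %s" % (inner_src, outer_src))
    return inner


def sample_inner_packet():
    """Constructed minimal IPv6 packet (Next Header 59, no payload) between the two 6to4 routers."""
    src = ipaddress.IPv6Address("2002:c8a8:6401:1::1").packed
    dst = ipaddress.IPv6Address("2002:c8a8:c802:2::2").packed
    return struct.pack("!IHBB", 6 << 28, 0, 59, 64) + src + dst


if __name__ == "__main__":
    print(six_to_four_prefix("200.168.100.1"), isatap_link_local("192.168.12.1"))
    frame = encapsulate_6to4("200.168.100.1", "200.168.200.2", sample_inner_packet())
    print(len(decapsulate_6to4(frame)), "octets of IPv6 recovered")
```

The check is one-directional by design: a packet arriving from a relay can legitimately carry a native (non-2002::) IPv6 source, so only 6to4 sources are tied to the outer address.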
IPv6 Tunneling – Tunnel Broker
• Tunnel Brokers use a web-based service to create a tunnel
• Connects an isolated host to the IPv6 net of the provider operating the tunnel broker
• Tunnel information is sent via HTTP over IPv4
• Tunnel managed by the ISP
• Sends scripts/configs to the Dual-Stack Router
• [Figure: the dual-stack node sends a Tunnel Request over IPv4 to the Tunnel Broker, receives the Tunnel Configuration, and then reaches the IPv6 network through a configured tunnel across the IPv4 network]
IPv6 Tunneling – Tunnel Broker
• Automation of configured tunnels
• Tunnel Setup Protocol (TSP)
  • Client sends request for tunnel
  • Broker decides based on policies
  • Broker sends tunnel information
  • Broker configures its tunnel endpoint
  • Client then configures its tunnel endpoint
  • Client receives a stable IPv6 address and prefix
• Well-known free services: Freenet6, Hurricane Electric, XS26, among others
• 20 different tunnel brokers exist
• Clients for Windows, BSD, Linux, Solaris, etc.
• 6Bone access
IPv6 Tunneling – Teredo
• Called Shipworm in earlier IETF drafts
• IPv4/UDP encapsulated IPv6 packets
• Works behind an IPv4 NAT
• Reduces MTU because of UDP encapsulation
• Uses a Teredo server, Teredo relay, and a Teredo client
• External mapping of IPv4 address and port are discovered by the Teredo server (on the external side of the NAT)
Other Transition Techniques
• Translation
  • NAT-PT (RFC 2766)
  • TCP-UDP Relay (RFC 3142)
  • DSTM (Dual Stack Transition Mechanism)
  • Stateless IP/ICMP Translator (SIIT)
• API
  • BIS (Bump-In-the-Stack)
  • BIA (Bump-In-the-API)
• ALG
  • SOCKS-based Gateway
  • Microsoft PortProxy
IPv6 Transition Techniques
• “It’s like rebuilding a car engine when the car is traveling 100 mph”
• Service interruptions, performance degradation, longer provisioning times
• Upgrade all hosts one at a time
  • Not likely/plausible
• Enable host address autoconfiguration
  • Allows for graceful renumbering
• Dual-stack and tunneling to be used in combination
• Translation is a last resort
• Start IPv6 at the edge and then move toward the core
• No Flag Day!
Wireless
• Third Generation Partnership Project (3GPP) mandated use of IPv6 for next generation wireless networks
• Universal Mobile Telecommunications System (UMTS) – Europe’s brand name for 3G
• CDMA-2000 in North America
• IDC says there will be 1.4 billion wireless users by end of 2004
• By 2005 there could be 2 billion IP addresses required for wireless, PDAs, etc.
• IPv4 theoretical limit is 4 billion
• Mobile IPv6 (persistent IP address vs. persistent services)
Mobile IPv4
• [Figure: Mobile Host, Foreign Agent, Home Agent, and Correspondent Host; the Home Agent sits at the home location of the mobile host]