First Edition

Fred Explains IPv6 In-depth

Fred Bovy. IPv6 For Life! 2012 ©
1 Preface

This is why I wrote this very first book, and a great tribute to my CISCO Colleagues from whom I learned so many things! It also gives a pointer to the Web server that must be used with this book and the IPv6 Certifications.

Please read the important information at the End of this Chapter!
My name is Fred Bovy, CCIE #3013, and I have been in the Networking industry for more than 20 years, with a focus primarily on IPv6 and Service Provider issues for about 10 years.

In 1999 I joined CISCO as a Network Consultant. My initial long term project involved helping a Service Provider and an enterprise deploy brand new MPLS-VPN backbones. Since then, I have been hooked, and have developed an expertise in this subject. I later joined the CISCO IPv6 IOS Engineering Team as a dev-tester.

For more than 3 years, I focused on 6PE and 6VPE testing. During that time, I developed many TCL scripts to test 6PE and 6VPE functionalities, routing and switching performance, scalability, High Availability, and all the supported network designs like Internet Access models, Carrier's Carrier or Hub and Spoke and more. I also got deeply involved in testing Netflow for IPv6 and SeND.

In 2009 I resumed teaching, keeping the focus on IPv6 with special attention on the transition to IPv6. I believe that we have finally hit the tipping point for IPv6, given that all of the IPv4 addresses ran out in February. It's time for everyone to realize, before companies and individuals lose their competitive edge, that IPv6 is fast becoming a requirement that will enable the Next Generation Internet.

About

I have written this book to help anyone who needs to design, configure and troubleshoot IPv6 Networks, because this is the experience I have gathered in my life as an IPv6 Tester, Consultant and Trainer and also from my 20+ (almost 25) years of IP and CISCO Routers.

In this first book I will cover the Fundamentals. Following books will be about Routing Protocols, Transition To IPv6, Multicast, Security and more...

The book must be used with the IPv6 TUTORIAL that can be found from http://www.ipv6forlife.com.

1.1 Tribute to CISCO and to the USA!

IPv6 is more than a Job to me; it is a hobby and a philosophy; it is a Community. It is open, and everybody is welcome to bring something!

IPv6 was designed about 20 years ago by people who thought that the Internet should be for everybody and not only for the lucky ones who can get a Class A or whatever IPv4 block... It was designed to support ALL applications for EVERYONE! 12 years ago I decided to join the community of people who are building the new Internet for everyone and for the new applications that IPv6 enables!

I joined the CISCO IPv6 IOS® Engineering Team to help the development of 6PE and 6VPE for about 3 years, then Netflow for IPv6, and finally SeND and related IPv6 Security for about 3 years.

I would like to thank Eric Levy-Abegnoly, who was my IPv6 Team Leader and mentor (with Luc Revardel), who designed and developed 6PE, 6VPE, SeND and more; Ole Troan, another Great IPv6 Team Leader, who designed most of the IPv6 IOS Code; Benoit Lourdelet, who is the IPv6 Product manager; Patrick Grossetete before him; and many other great CISCO people I have been working with. I learned so much with them. I was a CCIE and a CCSI when I joined CISCO, but I learned more about Networks during the 10 years working for CISCO than all I had learned before. Special thanks to Jim Guichard (my first mentor, who went with me to the customers in my first 6 months within CISCO), Peter Psenak (who was the NSA Engineer for EQUANT before me and also helped me a lot during the transition. He is now one of the best OSPF Engineers WorldWide. Networks are transparent for him.), Arjen Boers (the multicast man who hired me with Valerio), JP Vasseur (CISCO Fellow Guru who worked with me on the MPLS-TE Fast Re-Route project for EQUANT and such a nice guy!), Francois Le Faucheur (another Brain, the Architect of QoS in MPLS Networks, who invented DiffServ-TE and the QoS Models in MPLS Networks), Robert Hanzl (the Customer Support Engineer who helped me on my first crisis with a customer and then became an MPLS Team Leader), Robert Rasczuk (the MPLS Deployment Engineer who helped me on my first big crisis with a customer facing a major Backbone instability), Luc Revardel (who taught me the basics of IPv6 Testing Automation), Greg Boland, Steve Glaus, Mandy Mac Diarmid, Mado Bourgoin and all my managers who helped me to focus on my work, starting with Valerio Muzzolini, Serge Dupouy, Nick Gale.... And all the good guys and girls who I am forgetting, who are the CISCO Assets.

These 10 years were the best school, university and experience, and also a basis for human values, not only technical...

This was not only a matter of knowledge and people; it was also a way to manage people that I had never found in any French companies or International companies not managed by Americans. During my interviews when I got hired, someone asked me what I was expecting from my management. I answered support to keep me focused on my technical job, and I was correct! This was typically what I found with all my managers, with the exception of the French SE (Pre Sales) Manager I got when I joined the Account Team to help the customer validation process for free, as this was normally a service charged to the customer. But except this one, I only got great managers who always supported me when I was a Network Consultant and a Software Engineer. I was always supported to focus on my job and didn't have to worry about the political cases that the French really enjoy in most big companies. I had the benefit of working for a big company, but at the same time I was so free to organize my work, and received awards every time I was doing something good, that I had the feeling I was working for my own company. This was the first time that I was also working for a company where the technical skills were considered and you did not have to become a (often bad) manager as a reward when you were good in your Technical role! At last I found people like me, people working like me! Working for CISCO was my best experience in my career.

After CISCO I resumed my trainer and consultant life and started to teach what I had learned with my CISCO masters and more! I am a self-employed IPv6 Expert working as a Fast Lane IPv6 Course Subject Matter Expert with other CISCO partners and for myself as well.
2 About the book

2.1 IPv6 Fundamentals

IPv6 cannot be understood if the Fundamentals are not. That's why the first Module of this book is essential.

You can find some help in the "IPv6 For Life!" Tutorial from the home page: http://www.ipv6forlife.com. This Tutorial has several chapters for the Fundamental Module:

Fundamentals #1. Introduction and IPv6 Addressing
Fundamentals #2. More about IPv6 Addressing. ICMPv6 and an Intro about Neighbor Discovery
Fundamentals #3. DHCPv6, DNS, MOBILE IPV6 and derived applications

Our first chapter will introduce the IPv6 basics.

Then we will study IPv6 Addressing, which is the main reason why IPv6 was developed: to provide an addressing which will match the requirements of the Internet for the next century. There was one missed day-one requirement, which was the Multihoming requirement. This should have been managed by the IPv6 Stack as a service like Mobile IPv6, but the Engineers just missed addressing this issue, which is still not completely resolved with a commonly accepted long term solution.

The next chapter will be about the IPv6 header, the long addresses, the Extension Headers and other interesting improvements for more efficiency.

Then ICMPv6 basics, quite close to IPv4, and, more interesting, the Neighbor Discovery Protocol, which is described in two separate RFCs. Many solutions are provided by ND, like Autoconfiguration or Router Discovery and more.

Finally we will describe all the most important Services, which are not implemented on all platforms. Linux is the best platform to test and support all the IPv6 Services.

2.2 IPv6 Certifications

2.2.1 IPv6 Forum Certification

There are many certifications at the IPv6 Forum with 2 levels, Silver and Gold, for Engineer and Trainer. The Trainer is more advanced than the Engineer. For the moment, all you need is to apply on the IPv6 Forum Web Server and provide a few proofs of achievement to get certified.

2.2.2 Hurricane Electric

Hurricane Electric proposes a very challenging certification with multiple levels up to Sage Level. Each step requires both theory and practical exercises. You need to have a host connected to the Internet to do the proposed exercises and to validate that you were able to provide the correct answers. This is a free and very interesting certification.

2.2.3 CISCO CCIE Routing & Switching

Cisco has one main 5-day training course and a derived training from this one, which I have designed for CISCO, aimed at the SP Market.

2.3 Important information

THIS BOOK CAN BE READ COVER TO COVER OR YOU CAN PICK UP ANY PAGE FROM ANY CHAPTER WHEN NEEDED.

THIS E-BOOK IS ALIVE. MANY VIDEO LINKS ARE FLASH PRESENTATIONS AND YOU WILL NEED A LARGE SCREEN AND A FLASH® (ADOBE) SOFTWARE ENABLED BROWSER. PLEASE CHECK http://www.adobe.com.

I AM ADDING NEW PRESENTATIONS ON A REGULAR BASIS AND I WILL UPDATE THE LINKS IN THIS BOOK. WHEN YOU GET A NEW VERSION OF THIS E-BOOK YOU WILL GET PLENTY OF NEW PRESENTATIONS.

FOR ALL THE LINKS YOU WILL NEED TO ACCESS THE IPv6 FOR LIFE® WEB SERVER: http://www.ipv6forlife.com

Although I am based in France, I have been speaking and writing more in English than in French for the last 25 years, but I may still make some mistakes, which I ask you to forgive if it happens in this book!

The IPv6 Internet belongs to everybody. Thanks for reading me!

Kindest Regards,

Fred Bovy
Chapter 2

Introduction to IPv6

This chapter explains how we arrived at IPv6 in 2012 and the long path we have walked since the 80s! Address depletion is not a new issue, and IPv4 was never intended to scale to a Global Public Internet!

1 Introduction to IPv6

1.1 History

IPv4 was developed in the 80s for a military network with a few thousand hosts maximum by the DoD of the USA. There was no need for security as it was a private network in the DoD Buildings. There was no need for Autoconfiguration or Mobility and many other things.

IPv4 Addresses were widely distributed until they were no longer enough for everyone. In the early 90s, IPv4 Address depletion started to be a problem.

I posted something about this history in my blog: http://ipv6forlife.net/wordpress/?p=61

1.1.1 OSI Protocols

The first serious candidate to replace TCP/IP was the OSI Protocols. The Open Systems Interconnection (OSI) protocols are a family of information exchange standards developed jointly by the ISO and the ITU-T starting in 1977.

OSI defined a Layered Model with 7 Layers while TCP/IP just had 5, since OSI Layers 5, 6 and 7 were actually managed by the TCP/IP Application Layer.

The OSI Protocols were providing a Datagram Service like IP, called Connectionless Network Service (CLNS), with an address of up to 20 bytes (160 bits) long.

Its routing protocol, IS-IS, very close to OSPF, immediately interested many service providers since it was an Integrated routing protocol which could support IPv4 as well (RFC1195). Actually it was more SP Oriented and could support many more routers in the same area. It is also a much easier protocol to troubleshoot: a simple look at its Database will convince any Network Engineer in 5 minutes.

Digital Equipment thought that OSI would replace IPv4 and that DECnet Phase V was actually the OSI Protocols.

1.1.2 ATM and Frame-relay

But at the same time the convergence of Data and Voice Networks had started since the middle of the 80s, and we were looking for a network which could manage both Real Time (Voice, Video) and Non-Real Time data with multiple levels of Precedence, as IPv4 was already doing. Some people were working very hard for a converged network, and they came up with a new protocol called ATM (Asynchronous Transfer Mode).

ATM could manage any kind of Traffic: Voice, Video, Business Data, Bulk Data. ATM was really a Network Scientist Protocol Architecture; its routing protocol PNNI was able to react in Real-Time to any change in the Network to find paths which could match any Class of Service Traffic.

ATM was based on 53 byte cells at the Physical Level, for Real-Time and Non Real-Time traffic to be interleaved.

ATM was designed for 155 Mbps Sonet/SDH Fiber links minimum, and this was not really widely available at this time. Also, the ASICs to manage the 53 Byte Cells were not yet available or were very expensive, as they were not made at a sufficiently large scale to get a reasonable price. So, an interim technology was also created to transport Data and Voice while ATM was growing. This was Frame-Relay, a stripped down version of X.25 with PVC only. SVCs came later, but they were never as popular as PVC.

In the mid 90s ATM was the only serious candidate to support these converged Networks, and VoIP was not an option in the networking business world.

At the end of the 90s, most people realized that ATM would not scale with MultiGigabit Links, which were arriving slowly. Also, some ATM Protocols like LAN Emulation collapsed under traffic, as the Node dedicated to replicating the Broadcast and Multicast was too much solicited. ATM, which was great on paper, proved to be not scalable, and a complex and expensive solution, so VoIP came back as a viable solution.

But all this work made for ATM was not trashed, and many protocols built for ATM are still in use in many solutions: a lot of the QoS, and a protocol like NHRP, which was developed for ATM Classical IP, is now used for CISCO DMVPN.

1.1.3 MPLS

And also, there was the idea to replace a long address by a label, which was already used by the old X.25 and then ATM networks; this gave the idea of replacing the IPv4 header with a short label! Ipsilon's IP Switching, Cisco's Tag Switching and many other Vendors provided such a solution, with an initial motivation to make faster routers.

Then CISCO also saw that with Tag Switching it was possible to add some services which were not possible with IP, like Tag-VPN. Tag-VPN permitted providing each connected customer with a Virtual Private Network having its own IPv4 Addresses.

Tag-VPN was based on a Multi-Protocol BGP Extension with a new BGP vpnv4 address family, as it was adding a 32 bit prefix to the IPv4 address, called a Route Distinguisher (RD), for the BGP prefix to be unique in the Service Provider Backbone BGP Table.

In addition to the RD, an Extended Community BGP Attribute was added to the BGP Prefix before it was advertised to a remote BGP Router. This Extended Attribute was then used to recognize a prefix and import it into the Customer Virtual Routing Table.

The Benefits of Tag-VPN over the previous Layer 3 VPNs based on IP were that:

The Backbone routers (P) did not have to know any of the Customer Routes. Only the BGP Next-Hop, the exit point host route for each Provider Edge (PE) Router which was connecting to the Customer Edge (CE) Router, was enough.

Before Tag-VPN, in the SP Point of Presence, each Customer needed to have a dedicated router which was importing all the BGP Routes with a given Community Attribute. With Tag-VPN, the same PE could be shared by all the customers, with each customer having its own Virtual Routing Table.

Customers could have overlapping addresses without any problem.

The provisioning and the management of the VPN were very much simplified.

Traffic Engineering was another great service of Tag-VPN, allowing the SP to use more than the best route links in their backbone, to use all the available bandwidth of the core.

Tag-Switching was then standardised by the IETF as MPLS. So in the late 90s and in the early y2k, most service providers were upgrading their backbone to MPLS!

1.1.4 IPv6

Later, in the early Y2Ks, when IPv6 became the next version approved by the IETF and was more and more requested by the Customers, CISCO's reply was to provide an IPv6 Service over IPv4/MPLS without any need to upgrade the backbone.

They invented 6PE, designed and developed in the South of France from an Architecture (RFC) of Francois Le Faucheur and other companies, and then designed and coded by Eric Levy-Abegnoly.

In the early Y2K, the first large scale IPv6 offers from SPs were mostly brought by 6PE in Asia and in the USA.

Later came 6VPE, which was actually 6PE in the VRF, allowing the customers to have a dual-stack VPN supporting both IPv4 and IPv6.

We will cover 6PE and 6VPE later with all details...
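To make the Tag-VPN mechanism of 1.1.3 concrete, and to show that 6VPE (1.1.4) reuses it for IPv6 prefixes carried in a vpnv6 address family, here is an added Python model that is not part of the book: each VRF exports its prefixes with its RD and a route-target extended community, a remote PE imports only the routes whose route target matches its VRF, overlapping customer prefixes stay distinct in the backbone table thanks to the RD, and the P routers only need the PE next-hop host routes. The RD text form ASN:number (RFC 4364 type 0), the route-target strings and the PE/VRF names are assumptions made for this demo.

```python
"""Added example (not from the book): a toy model of the Tag-VPN / MPLS-VPN
control plane described in 1.1.3, with the 6VPE extension of 1.1.4.

Assumptions (not from the book): RDs use the RFC 4364 type-0 "ASN:number"
text form, route targets are modelled as "target:ASN:number" strings, and
the PE/VRF names and prefixes are constructed for this demo.
"""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class VpnRoute:
    """One BGP VPN prefix: RD + customer prefix, the RT extended community it
    carries, and the PE whose host route the P routers need to know."""
    rd: str
    prefix: str            # customer prefix (IPv4 -> vpnv4, IPv6 -> vpnv6 / 6VPE)
    route_target: str
    next_hop_pe: str

    @property
    def family(self) -> str:
        return "vpnv6" if ipaddress.ip_network(self.prefix).version == 6 else "vpnv4"

    @property
    def nlri(self) -> str:
        # The RD prepended to the prefix keeps overlapping customer prefixes unique
        return f"{self.rd}:{self.prefix}"


@dataclass
class Vrf:
    """A customer Virtual Routing Table on one PE."""
    name: str
    rd: str
    import_rts: set
    export_rt: str
    table: dict = field(default_factory=dict)   # prefix -> next-hop PE

    def export(self, prefix: str, pe: str) -> VpnRoute:
        return VpnRoute(self.rd, prefix, self.export_rt, pe)

    def maybe_import(self, route: VpnRoute) -> bool:
        """Import only if the route carries one of this VRF's import route targets."""
        if route.route_target in self.import_rts:
            self.table[route.prefix] = route.next_hop_pe
            return True
        return False


def backbone_bgp_table(routes):
    """What the SP backbone BGP table holds: RD-qualified NLRIs, all unique."""
    return {r.nlri: r for r in routes}


def p_router_needs(routes):
    """P routers carry no customer routes, only the PE host routes (BGP next hops)."""
    return sorted({r.next_hop_pe for r in routes})


def demo():
    # Constructed data: two customers with overlapping 10.0.0.0/24, plus one IPv6
    # prefix for customer B to show the 6VPE (vpnv6) case.
    cust_a = Vrf("CustA", "65000:1", {"target:65000:1"}, "target:65000:1")
    cust_b = Vrf("CustB", "65000:2", {"target:65000:2"}, "target:65000:2")
    advertised = [
        cust_a.export("10.0.0.0/24", "PE1"),
        cust_b.export("10.0.0.0/24", "PE2"),
        cust_b.export("2001:db8:b::/48", "PE2"),   # 6VPE: same mechanism, vpnv6 family
    ]
    # A remote PE hosting both VRFs receives everything and filters by route target.
    remote_a = Vrf("CustA", "65000:1", {"target:65000:1"}, "target:65000:1")
    remote_b = Vrf("CustB", "65000:2", {"target:65000:2"}, "target:65000:2")
    for r in advertised:
        remote_a.maybe_import(r)
        remote_b.maybe_import(r)
    return {
        "bgp_nlris": sorted(backbone_bgp_table(advertised)),
        "families": sorted({r.family for r in advertised}),
        "p_routers_need": p_router_needs(advertised),
        "custA_table": remote_a.table,
        "custB_table": remote_b.table,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the two 10.0.0.0/24 prefixes coexisting in the backbone table under different RDs, each customer table holding only its own copy, and the P routers needing nothing but PE1 and PE2.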
1.2 IPv4 Address Depletion

As we have seen earlier, IPv4 address Depletion started to be a problem in the 90s, and while some people were working on new protocols to replace IPv4, some others were working on a workaround to keep on working longer with IPv4.
They came up with NAT and Private Addresses (RFC1918). Before RFC1918, some people were already doing some private addressing, but it was at their own risk if they were choosing an address already in use, and they could one day need to join it, like for instance 7.0.0.0/8 or 9.0.0.0/8. One of these was used in my company in the early 90s with Proxies to reach the Internet for the http or ftp protocols.

Now with RFC1918, some blocks were reserved for private addressing, and with NATPT aka PAT, it was possible to use one public address for a whole building or all the PCs of a residential user. Let's take a shortcut and call NAT: NAT, NATPT or PAT.

NAT immediately solved the problem for many years, but at the same time, it killed some concepts which created the popularity of the Internet, like End-to-End Addressing or peer to peer capabilities.

In the 90s, this was the time for Downsizing and Client-Server Applications. Many companies moved to TCP/IP for this reason. Downsizing was the migration of Applications from Mainframes to Servers running on RISC Workstations, Mini Computers (AS/400) or even PCs and PS/2s. Client-Server Applications was the migration from hierarchical Applications running on a Mainframe and accessed by dumb terminals to Applications on Servers accessed by smart Clients, mostly micro computers or Unix Platforms, PCs or RISC based.

To keep on working with NAT, now we have to provision a public address for each server and configure a Static NAT Translation for each Server. This can become tedious when you have a lot of servers to manage. And we cannot save any more addresses: each server still requires a Public Address.

NAT introduced many states in the IP Network, which was a datagram best-effort model, and this has many Architectural Implications. Just make a search in the IETF Server for all the RFCs about NAT or PAT or NAPT, and you will find more than 80 documents explaining the limitations and how to work around NAT to support most of the Network Applications.

NAT seems an easy and cheap solution, but when you look into it, you find that it actually costs a fortune in hidden costs and thousands of lines of code to support it!

To support Voice applications, Skype's workaround is to use a Server in the middle of your connection, and your Smartphone must send keepalives on a regular basis to keep the NAT States up, draining your batteries. Skype makes it with the cost of a server and keepalives, but many voice applications are still impossible because of NAT!

A 10.0.0/8 block looks like a big block for the needs of most companies, but it is still too small for some very large companies or some Service Providers. That's why the Cable SPs requested that DOCSIS 3.0 supports IPv6!

Today, even with the use of NAT, we are now running out of IPv4 Addresses in most regions of the World!

And even if the Service Provider was running NAT a second time in the SP Backbone to share an IPv4 Address among multiple Customers (NAT444), this could not give enough addresses to match the need of all the emerging countries, the need for more than one IPv4 address per user. We must now support plenty of new connected devices which did not exist in the 90s: Smartphones, iPADs, and so on...

So today the question is no more if we need to move to IPv6 but when!

1.3 The Current Market Needs

We have seen that IPv4, even with double NAT, could not provide enough addresses for all the Emerging Countries, new devices and new applications, which require more and more addresses and even more and more ports (Ajax)!

The Cable Networks Operators have requested that the last DOCSIS Cable standard MUST support IPv6.

Voice Applications suffer more and more from the NAT limitations, and Mobile IPv6 or Proxy Mobile IPv6 can bring solutions impossible to achieve with IPv4.
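The NAT behaviours described in 1.2 and 1.3 (one public address shared by many inside hosts, inbound reachability only through a static translation, states that disappear without keepalives, and a second CGN tier in NAT444 that rations ports per subscriber) can be simulated in a few dozen lines. The Python model below is an added example and not from the book; every address, port, timer and the per-subscriber port quota are constructed values.

```python
"""Added example (not from the book): a simulation of the NAT behaviours the
text describes in 1.2 and 1.3. Addresses, ports, timeouts and the CGN port
quota are all constructed for the demo.
"""


class Napt:
    """One NAT/PAT device: many inside (ip, port) pairs share one public address."""

    def __init__(self, public_ip, port_range=(1024, 65535), timeout=30, port_quota=None):
        self.public_ip = public_ip
        self.free_ports = list(range(port_range[0], port_range[1] + 1))
        self.timeout = timeout          # seconds of inactivity before a state is dropped
        self.port_quota = port_quota    # max simultaneous ports per inside host (CGN style)
        self.outbound = {}              # (src_ip, src_port) -> (public_port, last_seen)
        self.inbound = {}               # public_port -> (src_ip, src_port)
        self.static = {}                # public_port -> (inside_ip, inside_port)

    def add_static(self, public_port, inside_ip, inside_port):
        """Static NAT: the only way an inside server is reachable from outside."""
        self.static[public_port] = (inside_ip, inside_port)
        self.free_ports.remove(public_port)

    def expire(self, now):
        """Drop dynamic states that have been idle longer than the timeout."""
        for key, (pport, last) in list(self.outbound.items()):
            if now - last > self.timeout:
                del self.outbound[key]
                del self.inbound[pport]
                self.free_ports.append(pport)

    def _ports_in_use(self, src_ip):
        return sum(1 for (ip, _) in self.outbound if ip == src_ip)

    def translate_out(self, src_ip, src_port, now):
        """Outbound packet: reuse or allocate a public port; None if refused."""
        self.expire(now)
        key = (src_ip, src_port)
        if key in self.outbound:
            pport = self.outbound[key][0]
        else:
            if self.port_quota is not None and self._ports_in_use(src_ip) >= self.port_quota:
                return None             # subscriber has exhausted its CGN port share
            if not self.free_ports:
                return None             # whole public address exhausted
            pport = self.free_ports.pop(0)
            self.inbound[pport] = key
        self.outbound[key] = (pport, now)   # refresh last_seen: this is what keepalives do
        return (self.public_ip, pport)

    def translate_in(self, public_port, now):
        """Inbound packet: only a live dynamic state or a static mapping lets it through."""
        self.expire(now)
        if public_port in self.static:
            return self.static[public_port]
        return self.inbound.get(public_port)


def nat444_flows(quota, attempts):
    """NAT444: a home CPE NAT44 behind a CGN that limits ports per subscriber.
    Returns how many concurrent flows one household manages to open."""
    cpe = Napt("100.64.0.7")                        # constructed CPE WAN address
    cgn = Napt("203.0.113.1", port_quota=quota)     # constructed CGN with constructed quota
    opened = 0
    for i in range(attempts):
        pub = cpe.translate_out("192.168.1.10", 50000 + i, now=0)   # constructed inside host
        if pub and cgn.translate_out(pub[0], pub[1], now=0):
            opened += 1
    return opened


def keepalive_demo():
    """A VoIP-style state survives only while keepalives keep refreshing it."""
    nat = Napt("203.0.113.2", timeout=30)
    pub = nat.translate_out("10.0.0.5", 5060, now=0)
    still_open = nat.translate_in(pub[1], now=25) is not None     # idle 25 s: within timeout
    nat.translate_out("10.0.0.5", 5060, now=25)                    # keepalive refreshes the state
    alive_after_refresh = nat.translate_in(pub[1], now=50) is not None
    dead_without_keepalive = nat.translate_in(pub[1], now=100) is None   # idle 75 s: gone
    return still_open, alive_after_refresh, dead_without_keepalive


def inbound_demo():
    """Inbound to a server works only through a static translation."""
    nat = Napt("203.0.113.3")
    nat.add_static(8080, "10.0.0.80", 80)
    return nat.translate_in(8080, now=0), nat.translate_in(8081, now=0)


if __name__ == "__main__":
    print(nat444_flows(quota=4, attempts=10), keepalive_demo(), inbound_demo())
```

With a quota of 4 ports the household opens only 4 of its 10 attempted flows, which is the "more and more ports" problem of 1.3 in miniature; the keepalive run shows why a mobile client has to keep sending traffic to hold its NAT state; and the inbound run shows that without a static entry nothing from outside reaches an inside host.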
[Figure: NAT444 and NAT64 topology. Left side: an IPv4 Private Network 10.0.0.0/8 behind a NAT44 (172.19.0.0 -> 10.0.0.0), the ISP RFC 1918 networks 172.16.0.0/12 and 172.17.0.0/12, and a NAT44 (CGN/LSN, 10.0.0.0 -> 202.45.3.0) towards the IPv4 Internet. Right side: first subnet 2001:db8:678::/64 (SLAAC, 2001:db8:678::1/64), a DHCPv6 Client and a DHCPv6-PD Client using the link-local address for the p2p link to the SP, IPv6 Private prefixes 2001:db8:678:1::/56 and 2001:db8:678:3::/56 (8 bits for Subnets), a stateful NAT64 (101.12.13.1/24) towards the IPv6 Internet, and an IPv4 Only Host. Caption: all IPv6 addresses of a building translate to one IPv4 address: 2001:DB8:678:1000::/48 -> 10.12.13.2/24, 10.12.13.3/24, 10.12.13.4/24.]
                                                                                                                                                8 bits for Subnets                    Network                                                   10.12.13.3/24
                                               NAT44                                                                                                                               2001:db8:658::/48
                                                                                                                                                                                                                                                2001:db8:678:30::/64
                                                                                                                                                                                                                                                2001:db8:678:31::/64
                                                                                                                                              10.12.13.1/24                                             2001:db8:678:2::/56
                                                                                                                                                                                                                                                ...

                                                                                                                                                                                                         8 bits for Subnets

                                                                                                                                               2001:db8:678:10::/64
                                                                      172.18.0.0/12                                                            2001:db8:678:11::/64                                              2001:db8:678:20::/64
                                                                                                                                               ...                                                               2001:db8:678:21::/64
                                                                                                                                                                                                                 ...


autono-                                                                                                                                                                                              10.12.13.2/24
mous devices which not only do autoconfiguration, but also can form Networks dynamically after they
automatically discover neighbors. This is Wireless Sensors Networks (6LowPAN) applications.

1.4     Transition Richness

Since the IPv6 introduction, tools for a soft transition have been provided. They have evolved with time and demand.

In 1996, IPv6 shipped with a dual stack and static tunnels.

While the Internet is still growing very fast, with more connected devices every day, the available IPv4 addresses have declined and the IANA pool has been completely depleted since February 2011. Although IPv6 has now been implemented for more than 15 years and is available on most Operating Systems and from most network vendors, most Service Providers and even more companies have not yet switched to the next generation Internet protocol. As a consequence we still need to buy some time to allow a smooth transition to IPv6. It is planned that we will need to support mixed IPv4 and IPv6 networks.

Clearly, the maximum performance, security and other benefits we can think of with running IPv6 will be achieved when the transition is complete.

During the transition we will need to compromise on features, performance and security for the benefit of supporting old IPv4 nodes and applications.

We have to address the four following problems:

      •    To support a maximum of new IPv4 customers with the few remaining IPv4 public addresses. This implies more sharing of the remaining addresses.
           The current solutions to address this problem are the stateful Carrier Grade NAT (CGN), aka Large Scale NAT (LSN), and the stateless dIVI-pd or A+P solutions.

      •    SPs with IPv4 backbones need to provide IPv6 access to the IPv6 Internet or among IPv6 customers.
           This is based on 6PE or 6VPE for MPLS/IPv4 backbones, or 6RD for IPv4 backbones.

      •    SPs with IPv6 backbones need to provide IPv4 access to the IPv4 Internet or among IPv4 customers.
           This is based on DS-Lite or 4RD based solutions.

      •    To provide access to IPv4 resources for IPv6-only customers.
           This is based on Address Family Translators, with NAT64 and DNS64 as currently the best solutions. These translators translate IPv6 packets originating from the IPv6 side into IPv4 packets. With stateless NAT64 it is a one-to-one translation using a reserved IPv6 prefix. With stateful NAT64, multiple IPv6 addresses can be translated to one IPv4 address.

There is a stateless implementation on Linux called TAYGA. They say on their Web site that to get a stateful NAT64 one just needs to combine TAYGA with a stateful NAT44, also available on Linux.
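To make the stateless one-to-one mapping concrete, here is an added example (my own code, not from the book and not TAYGA's) that embeds an IPv4 address in an IPv6 prefix and extracts it again following the RFC 6052 layout that stateless NAT64 and DNS64 use. It assumes Python 3 with only the standard library; the well-known prefix 64:ff9b::/96 is the one RFC 6052 reserves for this purpose, and the other prefixes below are documentation addresses I constructed. A stateful NAT64 keeps a translation table instead of this arithmetic, and that table is exactly the state an SP has to plan capacity for.

```python
import ipaddress

# RFC 6052 well-known prefix for NAT64/DNS64 address synthesis.
WELL_KNOWN_PREFIX = "64:ff9b::/96"
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _bits_before_u_octet(prefixlen: int) -> int:
    """Number of IPv4 bits that fit between the prefix and bit 64.
    RFC 6052 section 2.2 keeps bits 64..71 (the 'u' octet) zero, so for
    prefixes shorter than /64 the IPv4 address is split around that octet."""
    return max(0, min(64 - prefixlen, 32))


def embed_ipv4(prefix: str, v4: str) -> str:
    """Synthesize the IPv6 address that represents v4 inside prefix (stateless NAT64 / DNS64)."""
    net = ipaddress.IPv6Network(prefix)
    pl = net.prefixlen
    if pl not in RFC6052_PREFIX_LENGTHS:
        raise ValueError("RFC 6052 allows prefix lengths 32, 40, 48, 56, 64 or 96 only")
    v4_int = int(ipaddress.IPv4Address(v4))
    value = int(net.network_address)
    if pl == 96:
        return str(ipaddress.IPv6Address(value | v4_int))   # simplest case: the last 32 bits
    before = _bits_before_u_octet(pl)                         # bits placed right after the prefix
    after = 32 - before                                       # bits placed right after the 'u' octet
    high = v4_int >> after
    low = v4_int & ((1 << after) - 1)
    value |= high << (128 - pl - before)
    value |= low << (128 - 72 - after)
    return str(ipaddress.IPv6Address(value))


def extract_ipv4(prefix: str, v6: str) -> str:
    """Inverse mapping: recover the IPv4 address from a synthesized IPv6 address."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        raise ValueError(f"{v6} is not inside the translation prefix {prefix}")
    pl = net.prefixlen
    value = int(addr)
    if pl == 96:
        return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))
    before = _bits_before_u_octet(pl)
    after = 32 - before
    high = (value >> (128 - pl - before)) & ((1 << before) - 1)
    low = (value >> (128 - 72 - after)) & ((1 << after) - 1)
    return str(ipaddress.IPv4Address((high << after) | low))


def synthesize_aaaa(prefix: str, a_records: list) -> list:
    """What DNS64 does for an IPv6-only client: turn the A records of an
    IPv4-only name into AAAA records that point at the translator."""
    return [embed_ipv4(prefix, a) for a in a_records]


if __name__ == "__main__":
    # Constructed sample: an IPv4-only server seen through the well-known prefix.
    synthesized = embed_ipv4(WELL_KNOWN_PREFIX, "192.0.2.33")
    print(synthesized, "->", extract_ipv4(WELL_KNOWN_PREFIX, synthesized))
    for pl in RFC6052_PREFIX_LENGTHS:
        print(f"/{pl}:", embed_ipv4(f"2001:db8::/{pl}", "192.0.2.33"))
```

The split around the 'u' octet is why an operator cannot simply append the IPv4 address to an arbitrary prefix; the prefix length decides where the 32 bits land, and both the translator and the DNS64 resolver must agree on it.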
This will be developed further in the next book, with a module or a full book about translation to IPv6. There are so many possibilities and so many technologies being tested that we cannot cover here all the experiments currently or recently performed.

SPs are not very happy with the CGN or LSN based solutions, since they have to run a stateful protocol in their backbone. Capacity planning is almost impossible in most cases, so they may have to over-provision the NAT64 or NAT444 with big CPUs and a lot of RAM, just in case they have to manage twice as many translations on an occasion like a global sporting event such as the Olympic Games. If TV is not working for the Olympic Games or a World Cup soccer event, it would be a reason for many users to move to a competitor! Hence the interest in stateless protocols like 4RD and dIVI-PD. With CGN/LSN the SP must also keep the logs, which represent some terabytes of data each month.

Transition protocols are expensive and, as all SPs are transitioning to IPv6, I now have serious doubts that dual-stack will be supported for a long time. Will the "good" Internet user who complies with IPv6 want to pay the bill of the one who has been doing nothing for 15 years?


1.5     What are the IPv6 improvements?

1.5.1     128 bits Addresses

1.5.1.1     IPv6 addresses - how many is that in numbers?

IPv6 is our Word of the Day today. The big difference between it and IPv4 is the increase in address space. IPv4 addresses are 32 bits; IPv6 addresses are 128 bits. That's a lot more, for sure, but what does it look like in numbers? What could we compare it to in real-world terms?

DevDevin did the math:

How many IP addresses does IPv6 support? Well, without knowing the exact implementation details, we can get a rough estimate based on the fact that it uses 128 bits. So 2 to the power of 128 ends up being 340,282,366,920,938,000,000,000,000,000,000,000,000 unique IP addresses.

How do you say that, though? 340 trillion, 282 billion, 366 million, 920 thousand, 938 — followed by 24 zeroes. There's no short way to say it in numbers without resorting to math.

Here's how Wikipedia expresses it:

The very large IPv6 address space supports a total of 2^128 (about 3.4×10^38) addresses - or approximately 5×10^28 (roughly 2^95) addresses for each of the roughly 6.5 billion (6.5×10^9) people alive today. In a different perspective, this is 2^52 addresses for every observable star in the known universe.

Steve Leibson takes a shot at putting it in real world terms. It's big — grains of sand don't even enter into it. No, he's got to take it to the atomic level. Here's his conclusion:

So we could assign an IPv6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100+ earths. It isn't remotely likely that we'll run out of IPv6 addresses at any time in the future.


1.5.2     Extension Headers

In IPv4 we had a limited amount of option space, which could not provide for any new extension. In IPv6 we have Extension Headers instead. These Extension Headers can be daisy-chained, so it is now possible to put as many options as we want in an IPv6 packet to support any new IPv6-level application. The first great example of what we can do with Extension Headers is Mobile IPv6 and all derived applications: Mobile Router (NEMO), MANET, Wireless Sensor Networks (6LoWPAN), PMIPv6. As we can tweak addresses at the Network Layer, it becomes transparent for the Transport or Application level.


1.5.3     More Efficient Packet Switching

There is no more Header Checksum in IPv6; this field has been completely removed.

The header is aligned on 64 bits for more efficient access.

Routers are no longer responsible for fragmentation. If fragmentation must be done, it must be done by the source. The fragmentation information is no longer carried in each packet but in an Extension Header, if needed.
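The daisy-chained Extension Headers and the packet-switching changes above are easiest to see in a parser. The following is an added example, my own code rather than anything from the book, that walks an IPv6 fixed header and its chain of extension headers to find the upper-layer protocol, recording the Fragment header when present. It assumes Python 3 with the standard library only, and the packet it parses is constructed inline (not a capture), with documentation addresses. Note what the parser does not do: there is no header checksum to verify, every extension header after the fixed 40 bytes is a multiple of 8 octets (the 64-bit alignment), and a filter has to walk the whole chain before it can see the transport header, which is why the bounds are checked at every step.

```python
import ipaddress
import struct

# Next Header values that introduce another header rather than the payload.
EXTENSION_HEADERS = {
    0: "Hop-by-Hop Options",
    43: "Routing",
    44: "Fragment",
    51: "Authentication Header",
    60: "Destination Options",
}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}


def parse_ipv6_packet(packet: bytes) -> dict:
    """Walk the fixed header and the extension header chain; raise on anything truncated."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 fixed header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if len(packet) < 40 + payload_len:
        raise ValueError("packet shorter than its Payload Length field")
    src = ipaddress.IPv6Address(packet[8:24])
    dst = ipaddress.IPv6Address(packet[24:40])

    chain = []          # names of the extension headers seen, in order
    fragment = None     # details of the Fragment header, if any
    offset = 40         # the fixed header has no options and no checksum: always 40 bytes
    while next_header in EXTENSION_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        nh, hdr_ext_len = packet[offset], packet[offset + 1]
        if next_header == 44:
            # The Fragment header is a fixed 8 bytes; its second byte is reserved.
            length = 8
            offset_flags, ident = struct.unpack("!HI", packet[offset + 2:offset + 8])
            fragment = {"offset": offset_flags >> 3, "more": bool(offset_flags & 1), "id": ident}
        elif next_header == 51:
            # AH gives its length in 32-bit words, not counting the first two.
            length = (hdr_ext_len + 2) * 4
        else:
            # Other extension headers: length in 8-octet units, not counting the first 8.
            length = (hdr_ext_len + 1) * 8
        if offset + length > len(packet):
            raise ValueError(f"{EXTENSION_HEADERS[next_header]} header runs past the end of the packet")
        chain.append(EXTENSION_HEADERS[next_header])
        offset += length
        next_header = nh

    return {
        "src": str(src),
        "dst": str(dst),
        "hop_limit": hop_limit,
        "chain": chain,
        "upper_layer": UPPER_LAYER.get(next_header, next_header),
        # A non-first fragment carries no transport header, only more payload bytes.
        "upper_layer_present": fragment is None or fragment["offset"] == 0,
        "fragment": fragment,
        "payload_offset": offset,
    }


def is_well_formed(packet: bytes) -> bool:
    """Convenience check for a filter: True only when the whole chain parses within bounds."""
    try:
        parse_ipv6_packet(packet)
        return True
    except ValueError:
        return False


def build_sample_packet() -> bytes:
    """Constructed sample: IPv6 + Hop-by-Hop (PadN) + Fragment (first fragment, more to come)
    + 4 bytes standing in for a TCP header. Addresses are from the documentation prefix."""
    src = ipaddress.IPv6Address("2001:db8:678:10::1").packed
    dst = ipaddress.IPv6Address("2001:db8:678:20::1").packed
    hop_by_hop = bytes([44, 0, 1, 4, 0, 0, 0, 0])                     # next=Fragment, len=0 (8 bytes), PadN(4)
    fragment = struct.pack("!BBHI", 6, 0, (0 << 3) | 1, 0x1234ABCD)  # next=TCP, offset 0, M=1, constructed id
    payload = b"\x00\x50\x00\x50"                                      # constructed stub, not a real TCP header
    body = hop_by_hop + fragment + payload
    fixed = struct.pack("!IHBB", 6 << 28, len(body), 0, 64) + src + dst  # next header 0 = Hop-by-Hop
    return fixed + body


if __name__ == "__main__":
    print(parse_ipv6_packet(build_sample_packet()))
```

The same loop is what a stateless filter has to run before it can match on a port: with IPv4 the transport header was at a fixed offset given by the IHL field, with IPv6 it is wherever the chain ends.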
Chapter 2

IPv6 Addresses

This chapter introduces the key feature of IPv6, which is an address that scales to the Internet requirements of 2012 until we all die!

Topics

1. Introduction
2. What does 128 bit represent?
3. All types of IPv6 Addresses:
   1. Unicast
      1. Unique Local Unicast
      2. Global Unicast Addresses
      3. Special Addresses
   2. Multicast
   3. Anycast

1     IPv6 Addresses

1.1     Introduction

IPv6 not only makes addresses longer, but also makes better use of addresses and of how to manage them. For instance, if you have a small LAN without any router, the workstations will be able to pick up an address automatically, which is only valid on this LAN (Link-local) and permits the node to be configured automatically with a local address. Then, if a router comes up, new prefixes will be advertised by the router, and the workstation will automatically configure addresses derived from these prefixes. The most important things are:

There is no more Broadcast, only Multicast!

      •    Link-Local addresses are only valid on the link where they are configured. This leads to the concept of Zone. This Link-local address belongs to a zone with its own routing table.
      •    Anycast Addresses, which are addresses of the nearest service. This already existed in IPv4 but now it is fully managed.
      •    Routers are discovered automatically.
      •    ARP has been dramatically improved in the Neighbor Discovery protocol. There is no longer just a timeout for the MAC to IP address cache: the neighbors are managed in the cache by a Finite State Machine. Useless entries of dead neighbors are cleared. When a timer expires, a few probes are sent to the neighbor (about 35 seconds with the defaults).
      •    The concept of zone is also important in IPv6. For the moment it mostly applies to Multicast and Link-local addresses, but it could be used to create VPNs. Still, each zone has its own Routing Table (please see RFC 4007, "IPv6 Scoped Address Architecture", for more details).

See RFC 4291 for the IPv6 Addressing Architecture.

1.2     What does 128 bit represent?

We could assign an IPv6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100+ earths.

It isn't remotely likely that we'll run out of IPv6 addresses at any time in the future!

So we must change the way we design networks and stop trying to save IP addresses! We must give large blocks when needed: wasting IPv6 addresses means failing to use the huge amount of available addresses to make scalable networks, not failing to save every single bit of address! Wasting addresses does not mean the same thing in IPv6 as in IPv4!


1.3     How to write an IPv6 Address?

The 128-bit address is written as 8 groups of 16 bits, each written in hexadecimal, separated by a colon (:). Leading zeros can be omitted. You can write:
2001:db8:1:459d:f123:98ab:d0:e1

instead of:

2001:0db8:0001:459d:f123:98ab:00d0:00e1

Once in the address you can replace a long run of zero groups with a double colon (::). You can write:

2001:db8::1

instead of:

2001:db8:0:0:0:0:0:1

IPv6 addresses are made of 128 bits, but we still find the same 3 parts that we have in an IPv4 address:

    3 bits    9 bits    36 bits       16 bits       64 bits
    001       ARIN      RIR or ISP    Subnet ID     Interface ID (Host)

IPv6 Unicast Addresses
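As an added example (my own code, not from the book), here is a small Python 3 standard-library implementation of the two writing rules above, the expansion back to 8 groups, and a classifier that names an address with the types listed in 1.3.1 and the special addresses of 1.4.4 below. It also accepts the %zone suffix of link-local addresses and the dotted-quad form of IPv4 mapped addresses, and it splits a global unicast address into the three parts of the table. The sample addresses are documentation (2001:db8::/32) addresses taken from the figures or constructed by me; the rule of one '::' for the longest run of zero groups, leftmost on a tie, is the canonical form of RFC 5952.

```python
import ipaddress
import re

HEX_GROUP = re.compile(r"^[0-9a-fA-F]{1,4}$")
MULTICAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                    5: "site-local", 8: "organization-local", 0xE: "global"}  # RFC 4291 section 2.7


def expand_ipv6(text: str) -> str:
    """Undo both shortening rules: restore dropped leading zeros and the groups hidden by '::'.
    A trailing dotted quad (::ffff:192.0.2.1) is converted to its two hex groups first."""
    if "." in text:
        head, dotted = text.rsplit(":", 1)
        v4 = int(ipaddress.IPv4Address(dotted))
        text = f"{head}:{v4 >> 16:x}:{v4 & 0xFFFF:x}"
    if text.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.match(g) for g in groups):
        raise ValueError(f"not a valid IPv6 address: {text!r}")
    return ":".join(g.lower().zfill(4) for g in groups)


def is_valid_ipv6_text(text: str) -> bool:
    """True when the text follows the writing rules (one '::' at most, 8 groups of up to 4 hex digits)."""
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def compress_ipv6(text: str) -> str:
    """Shortest text form (RFC 5952): lowercase, no leading zeros, and the longest run of
    two or more zero groups (the leftmost on a tie) replaced by '::'."""
    groups = [g.lstrip("0") or "0" for g in expand_ipv6(text).split(":")]
    best_start, best_len = -1, 1          # a single zero group is never compressed
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_start < 0:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def classify(text: str) -> dict:
    """Name the address type. A zone index ('%FastEthernet1' or '%15') is split off first,
    since it only tells which link a link-local address belongs to."""
    addr_text, _, zone = text.partition("%")
    addr = ipaddress.IPv6Address(expand_ipv6(addr_text))
    scope = None
    if int(addr) == 0:
        kind = "unspecified"                      # the all-zeros address ::
    elif addr.is_loopback:
        kind = "loopback"                         # ::1
    elif addr.ipv4_mapped is not None:
        kind = "ipv4-mapped"                      # ::ffff:a.b.c.d
    elif addr.is_multicast:
        kind = "multicast"                        # ff00::/8, scope in the low nibble of the first group
        scope = MULTICAST_SCOPES.get((int(addr) >> 112) & 0xF, "reserved")
    elif addr.is_link_local:
        kind = "link-local"                       # fe80::/10
    elif addr in ipaddress.IPv6Network("fc00::/7"):
        kind = "unique-local"                     # ULA, RFC 4193
    elif addr in ipaddress.IPv6Network("2001:db8::/32"):
        kind = "documentation"                    # RFC 3849
    elif addr in ipaddress.IPv6Network("2000::/3"):
        kind = "global-unicast"
    else:
        kind = "reserved"
    return {"canonical": compress_ipv6(addr_text), "kind": kind, "scope": scope, "zone": zone or None}


def split_global_unicast(text: str) -> dict:
    """The three parts of the table: 48-bit Global Routing Prefix, 16-bit Subnet ID, 64-bit Interface ID."""
    value = int(ipaddress.IPv6Address(expand_ipv6(text)))
    return {
        "global_routing_prefix": str(ipaddress.IPv6Network(((value >> 80) << 80, 48))),
        "subnet_id": (value >> 64) & 0xFFFF,
        "interface_id": f"{value & ((1 << 64) - 1):016x}",
    }


if __name__ == "__main__":
    for sample in ("2001:0db8:0001:459d:f123:98ab:00d0:00e1", "FE80::34F:A011:2:D78%15", "ff02::1"):
        print(f"{sample:42} {classify(sample)}")
    print(split_global_unicast("2001:db8:678:10::1"))
```

Anycast is deliberately absent from the classifier: as section 1.5 of this chapter notes, an anycast address has no reserved prefix and cannot be told apart from a unicast one by looking at it.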
1.3.1     The IPv6 Addresses are:

      •    Unicast: One to One
           •    Global Unicast Addresses (Public)
           •    Unique Local Addresses (Private)
           •    Link-Local Address
           •    Special addresses: loopback, unspecified, IPv4 Mapped
      •    Anycast: One to Any
      •    Multicast: One to Many


1.4     IPv6 Unicast Addresses

1.4.1     Global Unicast Addresses (Public)

The Global Unicast Addresses are similar to the public IPv4 addresses and are routable in the IPv6 Internet.

    Provider (48 bits)         Site (16 bits)    Host (64 bits)
    Global Routing Prefix      SLA               Interface ID

Global Unicast Address

In the Internet, 2000::/3 (binary 0010) is reserved by IANA for the global unicast addresses. You will find more details on the Internet here and in RFC 4291, IPv6 Addressing Architecture:

The Global Routing Prefix contains the IANA prefix for Global Unicast Addresses, a prefix which identifies the Regional Internet Registry (RIPE in Europe, for instance) and possibly another prefix which identifies the ISP:

http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xml

http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xml

1.4.1.1     Global Routing Prefix

An ISP customer prefix used to route the packet to the customer. This prefix itself is built of a common prefix for all the Global Unicast Addresses, 0010 or 2000::/3. Then you have a prefix matching a Regional Internet Registry (RIR), and then the part of the address which addresses the customer. The most common prefixes are typically a /48 prefix for each site. This may seem overkill, but we do not waste addresses if we use them. We waste them if we don't!

2001:db8::/32 is reserved for documentation and labs!

1.4.1.2     The Subnet bits

These bits can be used by the customer to address many subnets for each site. With our IPv4 reflexes we may find that using a /48 prefix for each site is a waste of addresses, but it is actually the other way around: we have so many addresses available that it would be wasting addresses if we tried to save them instead of using them generously, to maximize the scalability of the addressing and to allow easy growth of the sites.

1.4.1.3     The Interface ID

The Interface ID is similar to the IPv4 host address. It is used to identify the host itself.

1.4.1.3.1     EUI-64 or Modified EUI-64

This address is generally derived from the interface MAC address, which is 48 bits. 0xFFFE is added in the middle of the MAC address to make a 64-bit address:

    00 90 59 02 E0 F9            (48-bit MAC address)
    00 90 59 FF FE 02 E0 F9      (EUI-64)
    000000X0                     (first octet, bit X)

EUI-64 Address

In this example, the MAC address is 00-90-59-02-E0-F9.
The EUI-64 address will be: 90:59ff:fe02:e0f9
And the Modified EUI-64 address will be: 290:59ff:fe02:e0f9
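The following added example (my own code, not the book's and not tied to any vendor implementation) reproduces the derivation above in Python 3 with the standard library: it builds the Modified EUI-64 interface ID from a MAC address, forms the SLAAC address for a /64, and shows the reverse step, recovering the MAC from any address that carries the ff:fe marker, which is the tracking exposure that the temporary addresses of RFC 4941 exist to remove. Because RFC 4193 derives the 40-bit Global ID of a locally assigned ULA from SHA-1 over the current time in 64-bit NTP format and the same EUI-64, the last function also generates such a ULA /48 as section 1.4.2 below describes; the ntp_time parameter is there so the result can be reproduced. One caveat on the flipped bit: RFC 4291 Appendix A inverts the universal/local bit of the MAC, so in the Modified EUI-64 a 1 in that position marks an identifier that came from a manufacturer-assigned (universally administered) MAC. The MAC address 00-90-59-02-E0-F9 is the book's example; the prefixes are documentation addresses.

```python
import hashlib
import ipaddress
import struct
import time


def mac_to_modified_eui64(mac: str) -> bytes:
    """RFC 4291 Appendix A: insert ff:fe between the OUI and the device part of the 48-bit
    MAC, then invert the universal/local bit (0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]


def interface_id_text(iid: bytes) -> str:
    """Show a 64-bit interface ID as the last four groups of an address, leading zeros dropped."""
    return ":".join(iid[i:i + 2].hex().lstrip("0") or "0" for i in range(0, 8, 2))


def slaac_address(prefix: str, mac: str) -> str:
    """What SLAAC does: the advertised /64 prefix plus the Modified EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_eui64_address(address: str):
    """Recover the MAC from an EUI-64 derived address; None when the ff:fe marker is absent
    (a random RFC 4941 interface ID or a manually configured one)."""
    iid = int(ipaddress.IPv6Address(address)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def ula_prefix(mac: str, ntp_time: int = None) -> str:
    """RFC 4193 section 3.2.2 (locally assigned ULA, L bit = 1, hence fd00::/8):
    Global ID = least significant 40 bits of SHA-1(64-bit NTP time || EUI-64)."""
    if ntp_time is None:
        # Seconds since 1900 in the upper 32 bits; the fraction is left at zero here.
        ntp_time = (int(time.time()) + 2208988800) << 32
    key = struct.pack("!Q", ntp_time & 0xFFFFFFFFFFFFFFFF) + mac_to_modified_eui64(mac)
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")
    value = (0xFD << 120) | (global_id << 80)       # 8-bit prefix, 40-bit Global ID, zero Subnet ID
    return str(ipaddress.IPv6Network((value, 48)))


if __name__ == "__main__":
    mac = "00-90-59-02-E0-F9"                      # the book's example MAC address
    print("Modified EUI-64:", interface_id_text(mac_to_modified_eui64(mac)))
    print("SLAAC address  :", slaac_address("2001:db8:678::/64", mac))
    print("MAC recovered  :", mac_from_eui64_address(slaac_address("2001:db8:678::/64", mac)))
    print("ULA /48        :", ula_prefix(mac))
```

Running mac_from_eui64_address over the addresses seen in a log is a quick way to tell which hosts still expose their hardware address in every connection they make; a host using RFC 4941 temporary addresses returns None.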
For the Modified EUI-64 address X=1 which means that the address is a Locally Administratively Man-
aged Address.
                                                                                                                                                Global ID 40 bits            Subnet ID                  Interface ID
1.4.1.3.2Temporary	
  Random	
  Prefix	
  (RFC4941)
As NAT is no more used and the Interface ID of a Laptop may not change, a user may be tracked by
its address. To avoid this possible problem it is possible to use a Random Temporary Interface ID and                           1111 1100
                                                                                                                                1111 1101
change it everyday!
This is configurable on all the available platforms (Windows, MAC OS, Linux).                                                   FC00::/7
                                                                                                                                FD00::/8
1.4.1.3.3Manually	
  Configured                                                                                              Unique local Address
On Routers or some servers, it may be better to assign static addresses instead of a EUI or Random
Interface ID.                                                                                                               The big benefits of ULA other RFC1918 in IPv4 is that you have 40 bits to make your Prefix Unique.
                                                                                                                            So in case one day you need to merge two Private Networks using ULA Addresses you may not have
For instance, in a Datacenter your router HSRPv6 Group could be 2001:db8:a01::1 and you may con-                            to renumber your Network.
figure a static default route on all your Servers.
                                                                                                                            Actually there are two kinds of ULA, the Locally Managed and the Centrally Managed. If you make a
You make sure that your system will not waste anytime or receive any Rogue information!                                     Reservation and use the Centrally Managed Addresses, there is absolutely no risk of finding a dupli-
                                                                                                                            cate subnet. With Locally Managed, the risk exist.

IPv6 Global unicast address Format (RFC 3587)                                                                               You can make a reservation at this URL:
                                                                                                                            http://www.sixxs.net/tools/grh/ula/

        IPv6 Global Unicast Address Format (RFC 3587)                                                                       At the beginning of IPv6, they was no ULA but a prefix for site-local addresses: fec0::/10. But with this
                                                                                                                            approach we had the same problem as with RFC1928 IPv4 Addresses so this prefix is no more re-
                                                                                                                            served for Site-Local Addresses, which are deprecated and replaced by ULA.
        Initial Format
                       Provider . n bits               64 .n bits                                                           To access the Internet from a ULA Address you may need Proxies. For instance, if your internal Serv-
                                                                         Host. 64 bits
                                                                                                                            ers only need http or ftp access to the Internet for SW Updates at night, ULA + Proxy may be the right
                                                                                                                            approach.
             Global Routing Prefix                   Subnet ID         Interface ID


        IETF assigned 001 for Global Unicast, 2620::/12 assigned to American                                                1.4.3     Link-­‐local	
  Addresses
        Registry for Internet Numbers
                                           36 bits      16 Bits          Host. 64 bits                                      Link-local Addresses are the Only Mandatories Addresses for each interface. When an IPv6 interface
    3         9 bits
                                                                                                                            is coming up, the first step is to validate that its Link-local address is unique (Valid). If not, the IPv6
    00                                                                                                                      Interface is disabled. The interface could be used for other protocols but not IPv6!
             ARIN                    RIR or ISP       Subnet ID        Interface ID
     1
                                                                                                                            IPv6 Link-local addresses are only valid on the interface where they are configured. If you have many
                                                                                                                            interfaces on a host or a router, it is no problem to use the same address for all the interfaces.
        RFC 2374: Aggregatable Global Unicast Address Structure
                                                                                                                            They all start with the prefix fe80::/10.
                   Public Topology                   Site Topology    Interface Identifier
                                                                                                                                                                                     128bits
    3         13            8                   24        16                64 bits
                                                                                                                              11111
                                                                                                                                                                  Tout à 0                             Interface ID
   FP     TLA ID         RES               NLA ID      SLA ID          Interface ID                                           1010
                                                                                      © Frédéric Bovy - October 2011 - 37

                                                                                                                                                                                                           64 bits
                                                                                                                                FE80::/10

1.4.2 Unique Local Addresses (Private, RFC4193)

The ULA are Private Unicast Addresses not routable on the Internet.

1.4.3 Link-local Address

When you are using a Link-local address in a command, you must specify the Outgoing interface by its name or its index with the % sign in between, like:
fe80::34f:a011:2:d78%FastEthernet1 on a Cisco Router, or
fe80::34f:a011:2:d78%15 on Microsoft Windows, where 15 is the interface index.
In IPv4 it is similar to the 169.254.0.0/16 address (RFC 3927).
All Next Hops except those of recursive static or BGP routes use a Link-local address.

1.4.4 Special Addresses

1.4.4.1 Unspecified Address is ::/0

The Unspecified address is only used as a source address when a node is booting and is verifying its Link-local Address.
A router MUST NOT route a packet with an unspecified source address.

1.4.4.2 Loopback Address is ::1

The loopback address is a Link-local address to the node itself. It must not be assigned to any physical interface. It is similar to the IPv4 127.0.0.1 address.

1.4.4.3 IPv4 Mapped Address

This is used when you need to code an IPv4 address in the IPv6 format. For instance with 6PE or 6VPE, the destination IPv6 Address will have the Egress PE IPv4 Loopback interface. It is illegal for BGP to advertise a destination with a next hop of another Address Family, so the Next Hop is coded as an IPv4 Mapped Address.

You get 80 bits set to 0, then 16 bits set to ffff and then the 32 bits of your IPv4 address:
0:0:0:0:0:ffff:<32 bits IPv4 Address>
If the next hop was 192.9.0.1, it would be coded:
::ffff:192.9.0.1 or
::ffff:c009:1

1.4.4.4 Encapsulation of IPv6 in Ethernet

The Ethernet Type for IPv6 is 0x86dd.

[Figure: IPv6 in Ethernet: Dest Ethernet Address | Source Ethernet Address | 0x86DD | IPv6 Header and payload]

1.5 IPv6 Anycast Addresses

This is a one to any addressing.
Anycast Addresses are like duplicated Unicast Addresses. The goal is to find the nearest server implementing a function.
It already existed in IPv4 for the DNS Root Servers. We have only 13 addresses, which represent more than 200 physical servers.
In IPv4 it was also used by Anycast RP to find the nearest RP in a redundant RP mode, using MSDP to make the RPs communicate with each other.
These addresses do not have any reserved prefix, so you cannot recognize an Anycast Address from a Unicast one.

1.6 IPv6 Multicast Addresses

This is a one to many addressing.
There is no Broadcast in IPv6, only Multicast. But you have an address for all IPv6 nodes (ff02::1), as in IPv4 there is an address for all IPv4 nodes (224.0.0.1). The prefix ff02:: is reserved just like 224.0.0.x for IPv4.
Multicast Addresses are used like in IPv4, when a source needs to send a packet to a Group of Receivers.

The Flags are used for the Embedded RP Address. This is new in IPv6 and allows the RP Address to be embedded in the Group Address. We will study the Flags when we cover Multicast in detail.
The Scope is also new in IPv6 and allows setting the Scope of the Multicast Group:
1 is Node Local
2 is Link-local scope. Example: ff02::1
4 is Admin-local
5 is Site-local
8 is Organization-local
E is a Global Group
Example:
ff02::1:2 All DHCP Servers and Relays. Link-local Scope
ff05::1:3 All DHCP Servers. Site-local Scope (used by Relays)
ff02::2 All IPv6 Routers. Link-local Scope
ff02::5 All IPv6 OSPFv3 Routers. Link-local Scope
ff02::6 All IPv6 OSPFv3 DR Routers. Link-local Scope
ff02::9 All IPv6 RIPng Routers. Link-local Scope
ff02::A All IPv6 EIGRP Routers. Link-local Scope

Only the Link-local Scope is automatically filtered and not forwarded by Routers. All the other Scopes must be implemented with ACLs.
For each unicast or anycast address configured, the IPv6 node automatically configures a derived Solicited-Node Multicast Address. This address is set up with a common Multicast Prefix and the last 24 bits of the Unicast Address.
Example:
Unicast Address
2001:DB8:DC28::FC57:D4C8:1FFF
Solicited-Node Multicast Prefix
FF02:0:0:0:0:1:FF
Solicited-node multicast address
FF02:0:0:0:0:1:FFC8:1FFF
The solicited-node multicast address is derived from the unicast address.

[Figure: Solicited-Node Multicast address format (128 bits): Prefix FF02 | 0 | 0001 | FF | last 24 bits of the Interface Identifier]
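As an added example that is not part of the book, the following Python helpers derive the addresses described above: the IPv4 Mapped form used for the 6PE/6VPE next hop (1.4.4.3), the scope nibble and the link-local forwarding rule of Multicast addresses (1.6), and the Solicited-Node Multicast address of a unicast address. The sample addresses are the ones used in the text.

```python
import ipaddress

# Sample values from the text: the unicast address of the solicited-node example
# and the 6PE next-hop example of section 1.4.4.3.
UNICAST = "2001:DB8:DC28::FC57:D4C8:1FFF"
NEXT_HOP_V4 = "192.9.0.1"

# ff02:0:0:0:0:1:ff00::/104, the common prefix of all solicited-node addresses
SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")

# The 4-bit scope values listed in section 1.6
SCOPE_NAMES = {0x1: "Node Local", 0x2: "Link-local", 0x4: "Admin-local",
               0x5: "Site-local", 0x8: "Organization-local", 0xE: "Global"}


def ipv4_mapped(v4):
    """80 zero bits, 16 one bits, then the 32 bits of the IPv4 address (::ffff:a.b.c.d)."""
    return ipaddress.IPv6Address((0xFFFF << 32) | int(ipaddress.IPv4Address(v4)))


def solicited_node(unicast):
    """Solicited-node address: ff02::1:ff00:0/104 plus the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def multicast_scope(group):
    """Return (flags, scope, scope name) from the second byte of an ff00::/8 address,
    or None when the address is not multicast."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        return None
    flags, scope = addr.packed[1] >> 4, addr.packed[1] & 0x0F
    return flags, scope, SCOPE_NAMES.get(scope, "unassigned")


def forwarded_by_routers(group):
    """Link-local scope (2) is dropped by routers automatically; wider scopes are forwarded
    unless an ACL stops them, which is why the text says they must be filtered by hand."""
    info = multicast_scope(group)
    return info is not None and info[1] > 0x2


if __name__ == "__main__":
    print("6PE next hop    :", ipv4_mapped(NEXT_HOP_V4))
    print("solicited-node  :", solicited_node(UNICAST))
    for g in ("ff02::1", "ff02::1:2", "ff05::1:3", "ff02::A"):
        print(f"{g:10} scope={multicast_scope(g)} forwarded={forwarded_by_routers(g)}")
```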
1.7 IPv6 Address Plan Example

2001:db8:abcd::/48 has been assigned for the USA offices of this company.
Each Regional largest office aggregates the traffic for the area as a /52 route. In the address 2001:db8:abcd:9000::/52, 9 identifies the West Coast.
Each office has a /56 prefix. In the address 2001:db8:abcd:9100::/56, 91 identifies the San Francisco Office.
Then 2001:db8:abcd:9101::/64 may be the first LAN in SF.

1.8 The Multihoming Issue

1.8.1 IPv6 Addressing Hierarchy

[Figure: Internet Admin hierarchy (http://www.ripe.net/ripe/docs/ripe-512): IANA > Regional Internet Registries (ARIN, APNIC, RIPE NCC) > National Internet Registries > Local Internet Registries (ISP/LIR) > End Users]

[Figure: IPv6 Addressing Aggregation: IANA 2000::/3 > RIR1 21ae::/8 and RIR2 2001::/8 > ISP1 21ae:db8::/32, ISP2 21ae:db9::/32, ISP3 2001:db8::/32 > Cust1 21ae:db8:1::/48, Cust2 21ae:db9:1::/48, Cust3 2001:db8:1::/48, Cust4 2001:db8:2::/48]

Having an address 4 times bigger, the IPv6 designers didn't want to need 4 times more memory! So they designed a model to maximize Aggregation.

IANA has allocated the block 2000::/3 for Global Unicast Addresses. Then in your address you will have a Prefix which identifies each Regional Internet Registry (RIPE-NCC, ARIN, APNIC, AfriNIC, LACNIC) and a Prefix for each SP.

The end user does not own a Prefix, and if he changes the SP, he will have to renumber his Network with a new Prefix.
The goal is to maximize route Aggregation, allowing each SP to summarize all its clients with one or a few Prefixes. This is what we call Provider Assigned (PA) Prefixes.

1.8.2 Multihoming Issue and solutions

This works very well as long as a customer does not want to use more than one SP for Redundancy or other reasons, like the best price in different regions of the world for instance.
In this case, the customer will have to deal with multiple Prefixes. Again, this is not a problem, as any IPv6 interface can be configured with multiple Prefixes.
The problem is for resiliency and load-balancing.

There is a Flash animation in my Free On-Line Tutorial Fundamentals #2.

[Figure: Provider Assigned Address: the customer is connected to ISP1 (2001:db8::/32), which assigns 2001:db8:1::/48, and to ISP2 (2001:db9::/32), which assigns 2001:db9:100::/48; both prefixes are configured on the customer network.]

[Figure: multihoming with PA prefixes, first panel, "Better route from ISP2, a session is started": the customer holds 2001:db8:1::/48 from ISP1 and 2001:db9:100::/48 from ISP2, and the host has the addresses 2001:db8:1:99:42:345F:1:1/64 and 2001:db9:100:99:42:345F:1:1/64.]

[Figure: multihoming with PA prefixes, second panel, "Dest thru ISP2 is no longer reachable, the session fails, a new session must be started".]

1.8.3 Provider Independent Addresses

[Figure: ISP1 advertises 2001:db8:1::/48 and 2001:db8:66::/48, ISP2 advertises 2001:db8:100::/48 and 2001:db8:66::/48; the customer network holds all three prefixes.]

The best solution, which may be expensive in some regions, is the Provider Independent (PI) Prefixes.
They have been available since 2009, and we can see that the number of IPv6 prefixes has started to increase tremendously since this date. First, because there was no solution to this problem before, and then because we cannot Aggregate the PI Prefix: it punches a hole in the summary address of each SP, and where it does not fall into one of its summaries it must be advertised independently.

In this case your RIR will allocate a Prefix to the end-user, who is authorized to advertise its own prefix to multiple SPs. Below is an example. 2001:678:e01::/48 has been assigned to this company and the same prefix is advertised to SP ACME and ABC! So each of these SPs will have to advertise this Prefix in the IPv6 Internet, as it does not fall under the summaries of either SP.
It is seen as a short term solution, as a long term solution should permit maximum aggregation and must be managed by Hosts or Routers.

                                                                                                                                                                                                                17
Internet                   2001:678:e01:3000::/52
                            2001:678:e01::/48
                            2001:db8:1001:f000::/52                                            Campus 3
                                                                                               BB Router
            Campus 1 Backbone Router              ISP ABC
                                                                    ISP ACME
                                                                                                           Bldg 3-2
                                                            2001:678:e01::/48
                                                                                                             2001:678:e01:3200::/52
                                                            2001:db8:1001:f1000::/52
                        2001:678:1001:f000::/52


                                                                                       Campus 2
                                                                                       BB Router
                                                                                                      Bldg 3-2
         2001:678:1001:f100::/56                  2001:678:1001:f1000::/52                              2001:678:e01:3100::/52

    255 user /64 LANs per Building

        2001:678:1001:f101::/64
                                                                                            Bldg 2-2
                                                                 Bldg 2-1
                                                                                            2001:678:1001:f1200::/52
                                                                 2001:678:1001:f1100::/52



                                        Bldg B 1-1
                2001:678:1001:f102::/64
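As an added example that is not part of the book, this Python code builds the /48 > /52 > /56 > /64 plan of section 1.7 by bit arithmetic and then checks, for the PA and PI prefixes of section 1.8, which customer prefixes disappear into an SP summary and which punch a hole and must be advertised independently. The ISP summaries and customer prefixes are constructed from the sample values in the figures.

```python
import ipaddress

# Assigned to the USA offices of the company in section 1.7
COMPANY = ipaddress.IPv6Network("2001:db8:abcd::/48")


def _child(parent, new_prefix, index):
    """The index-th sub-prefix of parent at length new_prefix, placed by bit arithmetic so
    the hex digits of the subnet ID stay readable (9 = region, 91 = office, 9101 = LAN)."""
    width = new_prefix - parent.prefixlen
    if not 0 <= index < (1 << width):
        raise ValueError(f"index {index} does not fit in {width} bits")
    base = int(parent.network_address) | (index << (128 - new_prefix))
    return ipaddress.IPv6Network((base, new_prefix))


def region_prefix(region):
    """/52 per region: the first nibble of the subnet ID (9 = West Coast)."""
    return _child(COMPANY, 52, region)


def office_prefix(region, office):
    """/56 per office inside its region: the second nibble (91 = San Francisco)."""
    return _child(region_prefix(region), 56, office)


def lan_prefix(region, office, lan):
    """/64 per LAN inside its office: the last byte of the subnet ID (9101 = first SF LAN)."""
    return _child(office_prefix(region, office), 64, lan)


def aggregation_report(isp_summaries, customer_prefixes):
    """For each customer prefix, list the SPs whose summary covers it (PA: it disappears
    into the aggregate). A prefix under no summary is PI: it punches a hole and every SP
    that carries it must advertise it independently."""
    report = {}
    for prefix in customer_prefixes:
        covering = [isp for isp, summary in isp_summaries.items() if prefix.subnet_of(summary)]
        report[str(prefix)] = covering or ["advertised independently (PI)"]
    return report


def sample_report():
    """Constructed from the figures of section 1.8: two PA customers and one PI /48."""
    isps = {"ISP1": ipaddress.IPv6Network("2001:db8::/32"),
            "ISP2": ipaddress.IPv6Network("2001:db9::/32")}
    customers = [ipaddress.IPv6Network(p) for p in
                 ("2001:db8:1::/48", "2001:db9:100::/48", "2001:678:e01::/48")]
    return aggregation_report(isps, customers)


if __name__ == "__main__":
    print(region_prefix(9), office_prefix(9, 1), lan_prefix(9, 1, 1))
    for prefix, who in sample_report().items():
        print(f"{prefix:20} -> {', '.join(who)}")
```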




1.8.4 Other Solutions

There are some host based and router based solutions to solve this problem without losing the maximum Aggregation of the PA Prefixes. Some solutions are host based, like shim6 or HIP, which also manage Mobility, and some others are managed by the routers, like LISP.
"The basic idea behind the Loc/ID split is that the current Internet routing and addressing architecture
combines two functions: Routing Locators (RLOCs), which describe how a device is attached to the
network, and Endpoint Identifiers (EIDs), which define 'who' the device is, in a single numbering space, the IP address. Proponents of the Loc/ID split argue that
this "overloading" of functions makes it virtually impossible to build an efficient routing system without
forcing unacceptable constraints on end-system use of addresses. Splitting these functions apart by
using different numbering spaces for EIDs and RLOCs yields several advantages, including improved
scalability of the routing system through greater aggregation of RLOCs. To achieve this aggregation,
we must allocate RLOCs in a way that is congruent with the topology of the network ("Rekhter's Law").
Today's 'provider-allocated' IP address space is an example of such an allocation scheme. EIDs, on
the other hand, are typically allocated along organizational boundaries. Because the network topology
and organizational hierarchies are rarely congruent, it is difficult (if not impossible) to make a single
numbering space efficiently serve both purposes without imposing unacceptable constraints (such as
requiring renumbering upon provider changes) on the use of that space.
LISP, as a specific instance of the Loc/ID split, aims to decouple location and identity. This decoupling
will facilitate improved aggregation of the RLOC space, implement persistent identity in the EID space,
and, in some cases, increase the security and efficiency of network mobility."
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_11-1/111_lisp.html

4 IPv6 Header

To summarize the IPv6 Header we could say: longer addresses and a simple, efficient, versatile, flexible, powerful Network Layer!
The daisy chained IPv6 Extension header is a major important step for any application in the future! Mobile IPv6 is the first example of this power!

Section 1

IPv6 Header

Topics

1. IPv6 versus IPv4 headers

2. Path MTU discovery

3. Extension Headers

4. Encapsulations of Packets in Layer 2

1.1 IPv6 vs IPv4 Headers

     •    No more Fragmentation fields (Fragment ID, Frag Offset, Flags). Fragmentation is no longer performed by Routers but only by the source of the Traffic, and an Extension Header is used for the Fragmentation information.
     •    No more Header Checksum, as it was redundant with the Link Layer and Transport Checksums.
     •    Other fields have been renamed with more explicit names, like Hop Limit instead of TTL.
     •    The Traffic Class is used instead of ToS/Precedence but still transports a DSCP for QoS.
     •    IPv6 Addresses are 4 times larger.
     •    The Protocol field is replaced with a Next Header, as now the Headers can be daisy chained to add several options to a packet!
     •    A new field pretty much unused so far: the Flow Label. It should be used to identify a flow with the Source and Destination Addresses. It is not used for two reasons:
          There is no common agreement to use it in a standard way.
          People are scared that a non default Flow Label (0) would give information to hackers about the sensitive traffic!
     •    The data are aligned on 64 bits for better memory access.
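As an added example that is not the book's own code, this Python script decodes the fixed header fields listed above and then follows the Next Header chain through the daisy chained Extension Headers covered in the Extension Headers section, parsing the TLV options of a Hop-by-Hop header (Router Alert, PadN) and flagging the deprecated Routing Header types 0 and 1. The two sample packets are constructed from the values of the two captures shown later in this section.

```python
import struct
import ipaddress

# Next Header (protocol) numbers used below; the extension headers are daisy chained
# through this field, which replaces the IPv4 Protocol field.
HOP_BY_HOP, ROUTING, FRAGMENT, ICMPV6, DEST_OPTS = 0, 43, 44, 58, 60
EXT_HEADERS = {HOP_BY_HOP: "Hop-by-Hop", DEST_OPTS: "Destination Options",
               ROUTING: "Routing", FRAGMENT: "Fragment"}
OPTION_NAMES = {0: "Pad1", 1: "PadN", 5: "Router Alert"}


def parse_fixed_header(pkt):
    """Decode the 40-byte fixed header: no checksum, no fragmentation fields,
    Hop Limit instead of TTL, Next Header instead of Protocol."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    return {"version": vtf >> 28,
            "traffic_class": (vtf >> 20) & 0xFF,
            "flow_label": vtf & 0xFFFFF,
            "payload_length": payload_len,
            "next_header": next_hdr,
            "hop_limit": hop_limit,
            "src": ipaddress.IPv6Address(pkt[8:24]),
            "dst": ipaddress.IPv6Address(pkt[24:40])}


def parse_options(data):
    """Walk the TLV options of a Hop-by-Hop or Destination Options header."""
    opts, i = [], 0
    while i < len(data):
        otype = data[i]
        if otype == 0:                 # Pad1 is a single byte without a length field
            opts.append(("Pad1", b""))
            i += 1
            continue
        olen = data[i + 1]
        opts.append((OPTION_NAMES.get(otype, f"option {otype}"), data[i + 2:i + 2 + olen]))
        i += 2 + olen
    return opts


def walk_extension_headers(pkt):
    """Follow the Next Header chain from the fixed header to the upper-layer protocol.
    Returns (extension header records, upper-layer protocol number, its offset)."""
    next_hdr, offset, chain = parse_fixed_header(pkt)["next_header"], 40, []
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(pkt):
            raise ValueError("truncated extension header")
        nh, hdr_ext_len = pkt[offset], pkt[offset + 1]
        # The Fragment header is fixed at 8 bytes; the others carry (ExtHdrLen + 1) * 8
        length = 8 if next_hdr == FRAGMENT else (hdr_ext_len + 1) * 8
        record = {"type": EXT_HEADERS[next_hdr], "length": length}
        if next_hdr in (HOP_BY_HOP, DEST_OPTS):
            record["options"] = parse_options(pkt[offset + 2:offset + length])
        elif next_hdr == ROUTING:
            record["routing_type"] = pkt[offset + 2]
            record["segments_left"] = pkt[offset + 3]
            # Types 0 and 1 are deprecated (RFC 5095); only Type 2 (Mobile IPv6) is legitimate
            record["deprecated"] = record["routing_type"] in (0, 1)
        chain.append(record)
        next_hdr, offset = nh, offset + length
    return chain, next_hdr, offset


def build_mld_query():
    """Constructed sample matching the 'Frame 3836' capture in this chapter: an MLD query
    (hop limit 1, fe80::c800:6ff:fea9:1c -> ff02::1) behind a Hop-by-Hop Router Alert."""
    src = ipaddress.IPv6Address("fe80::c800:6ff:fea9:1c").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    # Hop-by-Hop: Next Header ICMPv6, length 0 (8 bytes), Router Alert (type 5, len 2,
    # value 0 = MLD), PadN (type 1, len 0)
    hbh = bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0])
    # MLDv2 query: type 130, code 0, checksum, max response delay 10000 ms, reserved,
    # group ::, S flag off / robustness 2, QQIC 125, no sources
    mld = struct.pack("!BBHHH16sBBH", 130, 0, 0x88D1, 10000, 0, bytes(16), 2, 125, 0)
    payload = hbh + mld
    fixed = struct.pack("!IHBB", (6 << 28) | (0xE0 << 20), len(payload), HOP_BY_HOP, 1)
    return fixed + src + dst + payload


def build_routing_header_echo(routing_type):
    """Constructed sample matching the second capture in this chapter: an ICMPv6 echo
    request behind a Routing Header (ExtHdrLen 2 = 24 bytes, one route address,
    Segments Left 1); echo data omitted and checksum left at 0 in this sample."""
    src = ipaddress.IPv6Address("fec0:0:0:2:2b0:d0ff:fee9:4133").packed
    dst = ipaddress.IPv6Address("fec0:0:0:2:260:97ff:fe02:578f").packed
    via = ipaddress.IPv6Address("fec0:0:0:1:260:8ff:fe32:f9d8").packed
    rh = bytes([ICMPV6, 2, routing_type, 1, 0, 0, 0, 0]) + via
    echo = struct.pack("!BBHHH", 128, 0, 0, 0, 0x3D1A)
    payload = rh + echo
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), ROUTING, 127)
    return fixed + src + dst + payload


if __name__ == "__main__":
    for pkt in (build_mld_query(), build_routing_header_echo(0)):
        print(parse_fixed_header(pkt))
        print(walk_extension_headers(pkt))
```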


1.2 Path MTU Discovery

Fragmentation is expensive as it consumes resources on the Router or the Host which fragments the packet, and it also consumes resources on the destination host which reassembles the packets.
Some Firewall or NAT devices do the reassembly as they need the information contained in the first fragment, like the Port numbers.
Fragmentation is also a very easy way to initiate a DoS Attack, as a station sending traffic requiring a lot of Fragmentation or Reassembly can kill the receiving station by overwhelming its CPU!
So Fragmentation is already avoided systematically in IPv4 for all TCP Traffic with a protocol called Path MTU Discovery!
An IPv6 router is not allowed to fragment a packet; only the source of a connection can, including a router if it is the head-end of a tunnel and encapsulates IPv6 in IPv6, but this is a special case.

The principle is that the station starts sending at the maximum MTU, and every time a Router cannot route the packet because of the MTU it drops the packet rather than fragmenting it and sends an ICMP Report providing the next Link MTU. The source sends the next packet at this MTU, and the operation may eventually be repeated.
MINIMUM MTU FOR IPv6 IS 1280 BYTES

1.3 Extension Headers

The biggest improvement which really gives IPv6 more Flexibility and Versatility is the use of daisy chained Extension Headers. Now it becomes possible to push many headers in an IPv6 packet, and as these Headers are TLV (Type, Length, Value) you can add a new Header Extension to support a new Network Layer Application.
The first great example of what we can do will be introduced in a later Module. This is for Mobile IPv6 and the derived applications.

The Extension Headers are the following and SHOULD follow this order:

   •   Hop-by-hop. This Option MUST be checked by each router in the path. In IPv4 we had the Router Alert to do the same, and this Router Alert is transported in this Option when needed. It is used by Multicast (IGMP or PIM), RSVP and other applications.

   Router Alert Option
   The Router Alert Option (RFC2711) tells the router that it must take a look at the packet. It is carried in a hop-by-hop option.

Example:
Frame 3836 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Source: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 36
    Next header: IPv6 hop-by-hop option (0x00)
    Hop limit: 1
    Source: fe80::c800:6ff:fea9:1c (fe80::c800:6ff:fea9:1c)
    Destination: ff02::1 (ff02::1)
    Hop-by-Hop Option
        Next header: ICMPv6 (0x3a)
        Length: 0 (8 bytes)
        Router alert: MLD (4 bytes)
        PadN: 2 bytes
Internet Control Message Protocol v6
    Type: 130 (Multicast listener query)
    Code: 0
    Checksum: 0x88d1 [correct]
    Maximum response delay[ms]: 10000
    Multicast Address: ::
    S Flag: OFF
    Robustness: 2
    QQI: 125

   •   Destination options. This Option is only checked by the Destination of the packet. Mobile IPv6 uses this Option.
       If a routing header is present, it tells what to do to each intermediary router. If there is no routing header, it is only for the final destination.

   •   Routing Header. 3 Types. Type 0 and 1 are now deprecated and should not be used anymore, too dangerous. Type 2 is still used by Mobile IPv6.
           o   Type 0. There is a list of addresses in the header, and the packet must go through each of the routers listed. There is a pointer for the router to know where in the list we are. The destination IP address of the IP packet is the next hop of the source routing header. This was not the case in IPv4, where the IP source and destination addresses were not modified by source routing. It is now deprecated since RFC5095.
           o   Type 1 has been deprecated for a long time.
           o   Type 2 is used by Mobile IPv6. It is used to specify the home address of the mobile node. Only one hop!

   Example of a capture. Note that the addresses used are the deprecated site-local addresses:
Frame:
+ Ethernet: Etype = IPv6
- Ipv6: Next Protocol = ICMPv6, Payload Length = 64
  + Versions: IPv6, Internet Protocol, DSCP 0
    PayloadLength: 64 (0x40)
    NextProtocol: IPv6 Routing header, 43(0x2b)
    HopLimit: 127 (0x7F)
    SourceAddress: FEC0:0:0:2:2B0:D0FF:FEE9:4133
    DestinationAddress: FEC0:0:0:2:260:97FF:FE02:578F
  - RoutingHeader:
    NextHeader: ICMPv6
    ExtHdrLen: 2(24 bytes)
    RoutingType: 0 (0x0)
    SegmentsLeft: 1 (0x1)
    Reserved: 0 (0x0)
    RouteAddress: FEC0:0:0:1:260:8FF:FE32:F9D8
Icmpv6: Echo request, ID = 0x0, Seq = 0x3d1a

Example:
Frame 609 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c), Dst: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
Internet Protocol Version 6
    0110 .... = Version: 6
     .... 1010 0000 .... .... .... .... .... = Traffic class: 0x000000a0                                       o     Fragment. If the Source must fragment the packet.
     .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
     Payload length: 60                                                                                        o     IPSec Authentication (AH)
     Next header: IPv6 hop-by-hop option (0x00)                                                                o     IPSec Authentication and Encryption (ESP)
     Hop limit: 64
     Source: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)                               o     Mobility. Used for the signaling of Mobile IPv6.
     Destination: 2001:db8:c0a8:b:c801:6ff:fea9:1c
(2001:db8:c0a8:b:c801:6ff:fea9:1c)                                                                             o     Destination option (if routing absent)
     Hop-by-Hop Option
                                                                                                               o     Jumbo Payload option
         Next header: IPv6 destination option (0x3c)
         Length: 0 (8 bytes)                                                                                   The Jumbo payload option allow for larger datagram than the 65,536 permitted by plain IPv6. With
         PadN: 6 bytes                                                                                         Jumbo payload option, it can be up to 4,294,967,295 octets (RFC2675).
     Destination Option
         Next header: UDP (0x11)                                                                                Upper layer
         Length: 0 (8 bytes)
         PadN: 6 bytes
User Datagram Protocol, Src Port: 57768 (57768), Dst Port: echo (7)
Echo
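The header chain described above, as an added example that is not code from the book: a small Python walker follows the Next Header field through Hop-by-Hop, Destination Options and Routing headers, decodes the option TLVs, and reports the two things a border filter or IDS usually wants to know before the upper layer, a Type 0 Routing Header (deprecated by RFC 5095) and a Router Alert option. The three sample packets are constructed after the captures above (Frame 609, the site-local RH0 capture and the MLD query); data bytes and checksums are assumed.

```python
"""Walk the IPv6 extension-header chain and flag what a filter should care about."""
import ipaddress
import struct

HOP_BY_HOP, UDP, ROUTING, ICMPV6, DEST_OPTS = 0, 17, 43, 58, 60
HEADER_NAMES = {HOP_BY_HOP: "Hop-by-Hop", DEST_OPTS: "Destination Options",
                ROUTING: "Routing", ICMPV6: "ICMPv6", UDP: "UDP"}
OPTION_NAMES = {1: "PadN", 5: "Router Alert", 0xC2: "Jumbo Payload"}  # Pad1 (0) has no length byte


def parse_hbh_options(data):
    """Decode the option TLVs of a Hop-by-Hop or Destination Options header."""
    opts, i = [], 0
    while i < len(data):
        if data[i] == 0:                     # Pad1: a single zero byte
            opts.append(("Pad1", b""))
            i += 1
            continue
        otype, olen = data[i], data[i + 1]
        opts.append((OPTION_NAMES.get(otype, "Option %d" % otype), data[i + 2:i + 2 + olen]))
        i += 2 + olen
    return opts


def walk_chain(pkt):
    """Return (chain, findings) for a raw IPv6 packet without Ethernet header.

    chain lists (header name, details) in wire order and ends with the upper
    layer; findings lists the security-relevant observations.
    """
    if pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    end = 40 + payload_len
    if len(pkt) < end:
        raise ValueError("truncated packet")
    chain, findings, off = [], [], 40
    while True:
        if nh in (HOP_BY_HOP, DEST_OPTS):
            # Hdr Ext Len counts 8-octet units beyond the first 8 octets
            next_nh, length = pkt[off], (pkt[off + 1] + 1) * 8
            opts = parse_hbh_options(pkt[off + 2:off + length])
            if nh == HOP_BY_HOP and any(n == "Router Alert" for n, _ in opts):
                findings.append("router-alert")   # MLD/RSVP: every router must inspect it
            if any(n == "Jumbo Payload" for n, _ in opts):
                findings.append("jumbo-payload")
            chain.append((HEADER_NAMES[nh], opts))
        elif nh == ROUTING:
            next_nh, ext_len, rtype, seg_left = pkt[off:off + 4]
            length = (ext_len + 1) * 8
            # Type 0 carries ext_len/2 addresses after 4 reserved bytes
            addrs = [str(ipaddress.IPv6Address(pkt[off + 8 + 16 * k:off + 24 + 16 * k]))
                     for k in range(ext_len // 2)] if rtype == 0 else []
            if rtype == 0:
                findings.append("RH0 deprecated (RFC 5095)")
            chain.append(("Routing", {"type": rtype, "segments_left": seg_left, "addresses": addrs}))
        else:
            chain.append((HEADER_NAMES.get(nh, "protocol %d" % nh), pkt[off:end]))
            return chain, findings
        if off + length > end:
            raise ValueError("extension header overruns payload length")
        nh, off = next_nh, off + length


def ipv6(nh, payload, src, dst, hop=64):
    """Constructed fixed header: version 6, traffic class and flow label 0."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), nh, hop)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


# Constructed after Frame 609: Hop-by-Hop(PadN) -> Destination Options(PadN) -> UDP echo
HBH_PADN = bytes([DEST_OPTS, 0, 1, 4, 0, 0, 0, 0])
DST_PADN = bytes([UDP, 0, 1, 4, 0, 0, 0, 0])
UDP_ECHO = struct.pack("!HHHH", 57768, 7, 8 + 36, 0) + b"x" * 36
PKT_DSTOPT = ipv6(HOP_BY_HOP, HBH_PADN + DST_PADN + UDP_ECHO,
                  "2001:db8:c0a8:b:c800:6ff:fea9:1c", "2001:db8:c0a8:b:c801:6ff:fea9:1c")

# Constructed after the site-local capture: Type 0 Routing Header, one segment left -> ICMPv6 echo
RH0 = bytes([ICMPV6, 2, 0, 1]) + b"\0" * 4 + ipaddress.IPv6Address("fec0:0:0:1:260:8ff:fe32:f9d8").packed
ECHO_REQ = struct.pack("!BBHHH", 128, 0, 0, 0, 0x3D1A) + b"\0" * 32
PKT_RH0 = ipv6(ROUTING, RH0 + ECHO_REQ, "fec0:0:0:2:2b0:d0ff:fee9:4133",
               "fec0:0:0:2:260:97ff:fe02:578f", hop=127)

# Constructed after the MLD query: Hop-by-Hop with Router Alert (value 0 = MLD) and a PadN
HBH_ALERT = bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0])
MLD_QUERY = struct.pack("!BBHHH", 130, 0, 0, 10000, 0) + b"\0" * 16 + bytes([0x02, 125, 0, 0])
PKT_MLD = ipv6(HOP_BY_HOP, HBH_ALERT + MLD_QUERY, "fe80::c800:6ff:fea9:1c", "ff02::1", hop=1)

if __name__ == "__main__":
    for name, pkt in (("dstopt", PKT_DSTOPT), ("rh0", PKT_RH0), ("mld", PKT_MLD)):
        chain, findings = walk_chain(pkt)
        print(name, " -> ".join(h for h, _ in chain), findings)
```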




.4      MAC Encapsulation of IPv6 Packets

Ethernet Protocol Encapsulation

    Dest Ethernet Address | Source Ethernet Address | 0x86DD | IPv6 Datagram

Protocol: 0x86dd
In IPv4 it was 0x800, and 0x806 for ARP.


.4.1    Multicast MAC Address Mapping

    IPv6 Multicast Address (128 bits):   FF02:0:0:0:0:1:FF90:FE53
    MAC Address (48 bits):               33:33:FF:90:FE:53

The 48-bit multicast MAC is the fixed prefix 33:33 followed by the low-order 32 bits of the IPv6 multicast address.
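The mapping in the figure above, as an added example that is not code from the book. Because only 32 of the group address bits survive in the MAC, different groups (and different scopes of the same group) collide on one MAC, so a MAC-level filter is only a pre-filter and the IPv6 destination must still be compared; the solicited-node group a Neighbor Solicitation is sent to is derived as well, as it is the most common source of such frames. The host address is taken from the captures above; the colliding groups are constructed.

```python
"""IPv6 multicast group -> Ethernet multicast MAC (RFC 2464 mapping)."""
import ipaddress

# FF02::1:FF00:0 with the last 24 bits replaced by those of the unicast address
SOLICITED_NODE_PREFIX = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]


def multicast_mac(group):
    """33:33 followed by the low-order 32 bits of the IPv6 multicast address."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError("%s is not an IPv6 multicast address" % addr)
    return "33:33:" + ":".join("%02X" % b for b in addr.packed[-4:])


def solicited_node(unicast):
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(unicast).packed[-3:]
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX + low24))


def groups_sharing_mac(groups):
    """Return {mac: [groups]} for every MAC that more than one group maps to.

    Such a collision cannot be resolved by the NIC filter: the IPv6 layer has
    to compare the full 128-bit destination before accepting the packet.
    """
    by_mac = {}
    for g in groups:
        by_mac.setdefault(multicast_mac(g), []).append(str(ipaddress.IPv6Address(g)))
    return {mac: gs for mac, gs in by_mac.items() if len(gs) > 1}


if __name__ == "__main__":
    # Figure above: FF02:0:0:0:0:1:FF90:FE53 -> 33:33:FF:90:FE:53
    print(multicast_mac("FF02:0:0:0:0:1:FF90:FE53"))
    host = "2001:db8:c0a8:b:c800:6ff:fea9:1c"      # host address from the captures above
    print(solicited_node(host), multicast_mac(solicited_node(host)))
    # constructed: link-local and site-local scope of one group land on the same MAC
    print(groups_sharing_mac(["ff02::1:ff90:fe53", "ff05::1:ff90:fe53", "ff02::1", "ff02::2"]))
```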




5       IPv6 ICMP & Neighbor Discovery

IPv6 ICMP is very similar to IPv4, but Neighbor Discovery, which is encapsulated in ICMPv6, brings many key IPv6 features such as Address Autoconfiguration and Default Router Discovery, as well as simpler functions like an optimized version of ARP!

Section 1       ICMPv6 & ND

Topics

1. ICMPv6
   1. Introduction
   2. Error Messages
   3. Echo
   4. Options

2. Neighbor Discovery Protocol
   1. Introduction
   2. ND Packets and Options
   3. Neighbor Discovery (ND)
   4. Duplicate Address Detection (DAD)
   5. Neighbor Unreachability Detection (NUD)
   6. Router Discovery (RD)
   7. Autoconfig (SLAAC)
1       IPv6 ICMP

1.1     Introduction

    +-----------+-----------+---------------------+
    |   Type    |   Code    |      Checksum       |
    +-----------+-----------+---------------------+
    |                 Message Body                |
    +---------------------------------------------+

ICMPv6 can be used to report problems and to ping a destination.

The Type identifies the kind of packet: which problem we want to report, such as "Destination Unreachable", or which informational message it is, such as "Echo Request".

The Code gives more details about the problem. Why is the destination unreachable? Is the problem with the destination address, with the port, or was the packet filtered by an ACL? When ICMPv6 is used to transport other protocols like Neighbor Discovery (next chapter), the code is zero.

ICMPv6 handles much more in IPv6 than its IPv4 counterpart. For instance, Neighbor Discovery and Multicast Listener Discovery are now part of ICMPv6.

Much ICMP information is carried in standard ICMP options, which are mandatory with some requests.


1.2     ICMP Error Messages

Error Messages:
Destination Unreachable (Type 1)
Packet Too Big (Type 2)
Time Exceeded (Type 3)
Parameter Problem (Type 4)


1.2.1   ICMPv6 Destination Unreachable (Type 1)

    Payload length: 1960
    Next header: IPv6 hop-by-hop option (0x00)
    Hop limit: 64
    Source: 2001:db8::1 (2001:db8::1)
    Destination: 2001:db8::2 (2001:db8::2)
    Hop-by-Hop Option
        Next header: IPv6 destination option (0x3c)
        Length: 0 (8 bytes)
        PadN: 6 bytes
    Destination Option
        Next header: UDP (0x11)
        Length: 0 (8 bytes)
        PadN: 6 bytes
User Datagram Protocol, Src Port: 56486 (56486), Dst Port: echo (7)
    Source port: 56486 (56486)
    Destination port: echo (7)
    Length: 1944
    Checksum: 0xa5bd [unchecked, not all data available]
Echo


1.2.2   Packet Too Big (Type 2)

When a datagram is too big to be forwarded on an interface, an ICMPv6 Packet Too Big message must be sent back to the sender. The MTU of the outgoing link is provided in the message.

Frame:
+ Ethernet: Etype = IPv6
- Ipv6: Next Protocol = ICMPv6, Payload Length = 1240
  + Versions: IPv6, Internet Protocol, DSCP 0
    PayloadLength: 1240 (0x4D8)
    NextProtocol: ICMPv6, 58(0x3a)
    HopLimit: 64 (0x40)
    SourceAddress: FEC0:0:0:F282:201:2FF:FE44:87D1
    DestinationAddress: FEC0:0:0:F282:2B0:D0FF:FEE9:4143
- Icmpv6: Packet too big
    MessageType: Packet too big, 2(0x2)
  - PacketTooBig:
     Code: 0 (0x0)
     Checksum: 44349 (0xAD3D)
     MTU: 1280 (0x500)
   - InvokingPacket: Next Protocol = ICMPv6, Payload Length = 1460
    + Versions: IPv6, Internet Protocol, DSCP 0
      PayloadLength: 1460 (0x5B4)
      NextProtocol: ICMPv6, 58(0x3a)
      HopLimit: 63 (0x3F)
      SourceAddress: FEC0:0:0:F282:2B:D0FF:FEE9:4143
      DestinationAddress: FEC0:0:0:0:fredoc0:0:0:1


1.2.3   Time Exceeded (Type 3)

Code 0: Hop Limit Exceeded in Transit.

Code 1: Fragment Reassembly Time Exceeded. The receiving station could not reassemble the original datagram within 60 seconds.


1.2.4   Parameter Problem (Type 4)

Code
0 - Erroneous header field encountered
1 - Unrecognized Next Header type encountered
2 - Unrecognized IPv6 option encountered


1.3     ICMPv6 Informational Messages

1.3.1   ICMPv6 Echo Request (Type 128)

Frame 5219 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c), Dst: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Destination: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Source: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 60
    Next header: ICMPv6 (0x3a)
    Hop limit: 64
    Source: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b:c801:6ff:fea9:1c (2001:db8:c0a8:b:c801:6ff:fea9:1c)
Internet Control Message Protocol v6
    Type: 128 (Echo request)
    Code: 0
    Checksum: 0x401b [correct]
    ID: 0x062b
    Sequence: 0x0002
    Data (52 bytes)


1.3.2   Echo Reply (Type 129)

Please note that in IPv6 the packet which triggers the MAC address resolution is not dropped but buffered while waiting for the resolution. This could be a potential DoS target, but you can see that the ping reached 100% even the first time the destination was pinged.

Frame 5220 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Destination: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 60
    Next header: ICMPv6 (0x3a)
    Hop limit: 64
    Source: 2001:db8:c0a8:b:c801:6ff:fea9:1c (2001:db8:c0a8:b:c801:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
Internet Control Message Protocol v6
    Type: 129 (Echo reply)
    Code: 0
    Checksum: 0x3f1b [correct]
    ID: 0x062b
    Sequence: 0x0002
    Data (52 bytes)

The ping that produced these two frames, seen from the router:

R0>ping    2001:DB8:C0A8:B:C801:6FF:FEA9:1C
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:C0A8:B:C801:6FF:FEA9:1C, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/19/32 ms


1.4     Other Protocols supported by ICMP

ICMPv6 also supports Neighbor Discovery, SEcure Neighbor Discovery (SeND), and MLDv1 and MLDv2 for Multicast.

We are going to study ND in the next paragraph and Multicast later in this book.

This will be an Intro to Multicast for IPv6 only as I will develop Multicast for IPv6 in another book.
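The Type/Code/Checksum format of this chapter, as an added example that is not code from the book. Unlike ICMPv4, the ICMPv6 checksum also covers a pseudo-header (source and destination addresses, upper-layer length, Next Header 58), so a message cannot be verified without its IPv6 header; the "[correct]" that Wireshark prints in the captures above is this computation. The samples are constructed after the Echo Request of Frame 5219 and the Packet Too Big capture; the data bytes and the invoking packet's destination are assumed.

```python
"""ICMPv6 checksum over the pseudo-header, and Type/Code decoding."""
import ipaddress
import struct

ICMPV6 = 58
TYPE_NAMES = {1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
              4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
              130: "Multicast Listener Query", 133: "Router Solicitation",
              134: "Router Advertisement", 135: "Neighbor Solicitation",
              136: "Neighbor Advertisement", 137: "Redirect"}
CODE_NAMES = {3: {0: "Hop limit exceeded in transit", 1: "Fragment reassembly time exceeded"},
              4: {0: "Erroneous header field", 1: "Unrecognized Next Header type",
                  2: "Unrecognized IPv6 option"}}


def ones_complement_sum(data):
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src, dst, msg):
    """Checksum of pseudo-header + message, with the message's own checksum field zeroed."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(msg), ICMPV6))
    zeroed = msg[:2] + b"\0\0" + msg[4:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build(src, dst, mtype, code, body):
    """Assemble an ICMPv6 message with a valid checksum for the given IPv6 endpoints."""
    msg = struct.pack("!BBH", mtype, code, 0) + body
    return msg[:2] + struct.pack("!H", icmpv6_checksum(src, dst, msg)) + msg[4:]


def decode(src, dst, msg):
    """Classify a message (error below type 128, informational above) and verify its checksum."""
    mtype, code, cksum = struct.unpack("!BBH", msg[:4])
    info = {"type": mtype, "name": TYPE_NAMES.get(mtype, "unknown"), "code": code,
            "code_name": CODE_NAMES.get(mtype, {}).get(code, ""),
            "class": "error" if mtype < 128 else "informational",
            "checksum_ok": icmpv6_checksum(src, dst, msg) == cksum}
    if mtype == 2:
        # Packet Too Big: MTU of the outgoing link, then as much of the invoking packet as fits
        info["mtu"] = struct.unpack("!I", msg[4:8])[0]
        info["invoking_dst"] = str(ipaddress.IPv6Address(msg[8 + 24:8 + 40]))
    elif mtype in (128, 129):
        info["id"], info["seq"] = struct.unpack("!HH", msg[4:8])
    return info


def corrupt_last_byte(msg):
    """Flip one data bit: the checksum must then fail."""
    return msg[:-1] + bytes([msg[-1] ^ 0x01])


# Constructed after Frame 5219: Echo Request, ID 0x062b, sequence 2, 52 assumed data bytes
SRC, DST = "2001:db8:c0a8:b:c800:6ff:fea9:1c", "2001:db8:c0a8:b:c801:6ff:fea9:1c"
ECHO_REQUEST = build(SRC, DST, 128, 0, struct.pack("!HH", 0x062B, 2) + bytes(range(52)))

# Constructed after the Packet Too Big capture: MTU 1280, invoking header with payload 1460
INVOKING_HDR = (struct.pack("!IHBB", 6 << 28, 1460, ICMPV6, 63)
                + ipaddress.IPv6Address("fec0:0:0:f282:2b:d0ff:fee9:4143").packed
                + ipaddress.IPv6Address("fec0::1").packed)           # destination assumed
PTB_SRC, PTB_DST = "fec0:0:0:f282:201:2ff:fe44:87d1", "fec0:0:0:f282:2b0:d0ff:fee9:4143"
PACKET_TOO_BIG = build(PTB_SRC, PTB_DST, 2, 0, struct.pack("!I", 1280) + INVOKING_HDR)

if __name__ == "__main__":
    print(decode(SRC, DST, ECHO_REQUEST))
    print(decode(SRC, DST, corrupt_last_byte(ECHO_REQUEST))["checksum_ok"])
    print(decode(PTB_SRC, PTB_DST, PACKET_TOO_BIG))
```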
2       Neighbor Discovery Protocol

2.1     Introduction

IPv6 nodes on the same link use NDP (RFC 4861, RFC 4862) to discover each other's presence and link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors. Both hosts and routers use NDP.

Its functions include Neighbor Discovery (ND) and MAC or Layer 2 Address Resolution, Router Discovery (RD), Address Autoconfiguration, Address Resolution, Neighbor Unreachability Detection (NUD), Duplicate Address Detection (DAD), and Redirection. It is much more sophisticated than ARP was and uses a Finite State Machine (FSM) to manage its Neighbor Cache.


2.1.1   NDP uses 5 messages (PDUs) and 5 Options.

2.1.1.1 The 5 base PDUs are:

Neighbor Solicitation (NS) / Advertisement (NA)
Router Solicitation (RS) / Advertisement (RA)
Redirection

2.1.1.2 The 5 Options:

Source Link-Layer Address (SLLA). Option 1
Target Link-Layer Address (TLLA). Option 2
Prefix Information. Option 3
Redirected Header. Option 4
MTU. Option 5


2.2     ND Packets and Options

2.2.1   ND Packets

2.2.2   Router Solicitation

Sent by a host to get information from local routers.

MAC Layer
Source MAC Address is the NIC address
Destination is the all-routers MAC address 33-33-00-00-00-02

IPv6 Layer
Link-local or unspecified IPv6 address.
Link-local all-routers IPv6 address

ICMPv6 Layer
Type 133
Code 0
ICMPv6 Checksum
Source Link-Layer Address option

ICMPv6 Option (Source link-layer address)
    Type: Source link-layer address (1)
    Length: 8
    Link-layer address: ca:02:06:a9:00:54
2.2.3   Router Advertisement

Sent on a regular basis or as an answer to a Router Solicitation.

Ethernet Layer
Source MAC of the sending NIC
Destination will be 33-33-00-00-00-01 or unicast

IPv6 Layer
Link-local source
Destination will be all-nodes FF02::1, or the unicast address of the station which sent the Router Solicitation
Hop Limit 255

ICMPv6 Layer
Router Advertisement
Type 134
Code 0
ICMPv6 Checksum
Current Hop Limit
Managed Address Configuration Flag, for stateful DHCPv6.
Other Stateful Configuration Flag, for stateless DHCPv6
Router Lifetime
Retransmission Timer
Source Link-Layer Address Option
MTU Option
Prefix Information Options
Advertisement Interval Option
Home Agent Information Option for Mobile IPv6

Frame 5801 (118 bytes on wire, 118 bytes captured)


2.2.4   Neighbor Solicitation

Used to ask the link-layer address of a neighbor.

Source Address. Either an address assigned to the interface from which this message is sent or (if Duplicate Address Detection is in progress) the unspecified address.

Destination Address. Either the solicited-node multicast address corresponding to the target address, or the target address.

Hop Limit is 255.

ICMPv6 Layer
Type 135
Code 0
Target Address
Possible Option:
Source Link-Layer Address Option

Frame 5344 (86 bytes on wire, 86 bytes captured)
Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Destination: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c801:6ff:fea9:1c (fe80::c801:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
Internet Control Message Protocol v6
    Type: 135 (Neighbor solicitation)
    Code: 0
    Checksum: 0x6230 [correct]
    Target: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
    ICMPv6 Option (Source link-layer address)
        Type: Source link-layer address (1)
        Length: 8
        Link-layer address: ca:01:06:a9:00:1c


2.2.5   Neighbor Advertisement

They can be solicited or unsolicited.

ICMPv6 Layer
Type 136
Code 0
Router Flag if this is a Router
Solicited Flag if this is an answer to a Solicitation
Override Flag if it must override an entry in the cache
Target Address. For solicited advertisements, the Target Address field in the Neighbor Solicitation message that prompted this advertisement. For an unsolicited advertisement, the address whose link-layer address has changed. The Target Address MUST NOT be a multicast address.
Possible Option:
Target Link-Layer Address Option
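The RS/RA/NS/NA layouts above, as an added example that is not code from the book: before a node acts on a Neighbor Discovery message it applies the receipt checks of RFC 4861 (IPv6 Hop Limit 255, so the packet cannot have crossed a router; ICMPv6 Code 0; a minimum length; options whose Length field, counted in 8-octet units, is neither zero nor past the end of the message; and for NS/NA a Target Address that is not multicast), and the same checks are what a monitor uses to spot malformed or off-link ND traffic. The NS is rebuilt from Frame 5344 and the RA from Frame 56 above; the RA's MTU and Prefix Information values are assumed because that capture is cut before them.

```python
"""Parse Neighbor Discovery messages and apply the RFC 4861 validity checks."""
import ipaddress
import struct

RS, RA, NS, NA = 133, 134, 135, 136
MIN_LEN = {RS: 8, RA: 16, NS: 24, NA: 24}
OPTION_NAMES = {1: "Source Link-Layer Address", 2: "Target Link-Layer Address",
                3: "Prefix Information", 4: "Redirected Header", 5: "MTU"}


def parse_nd_options(data):
    """Decode ND option TLVs. Length is in 8-octet units (Wireshark displays the byte count)."""
    opts, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated option")
        otype, olen = data[i], data[i + 1]
        if olen == 0:
            raise ValueError("option with Length 0")          # RFC 4861 4.6: discard the packet
        size = olen * 8
        body = data[i + 2:i + size]
        if len(body) != size - 2:
            raise ValueError("option overruns the message")
        if otype in (1, 2):                                   # link-layer address (Ethernet)
            value = ":".join("%02x" % b for b in body[:6])
        elif otype == 5:                                      # MTU: 2 reserved bytes, then 32-bit MTU
            value = struct.unpack("!I", body[2:6])[0]
        elif otype == 3:                                      # Prefix Information
            valid, preferred = struct.unpack("!II", body[2:10])
            value = {"prefix": "%s/%d" % (ipaddress.IPv6Address(body[14:30]), body[0]),
                     "on_link": bool(body[1] & 0x80), "autonomous": bool(body[1] & 0x40),
                     "valid": valid, "preferred": preferred}
        else:
            value = body
        opts.append((OPTION_NAMES.get(otype, "Option %d" % otype), value))
        i += size
    return opts


def parse_nd(hop_limit, msg):
    """Return the decoded fields of an RS/RA/NS/NA, or raise ValueError if it must be discarded."""
    mtype, code = msg[0], msg[1]
    if mtype not in MIN_LEN:
        raise ValueError("not an RS/RA/NS/NA")
    if hop_limit != 255:
        raise ValueError("hop limit %d != 255: possibly forwarded from off-link" % hop_limit)
    if code != 0:
        raise ValueError("code must be 0")
    if len(msg) < MIN_LEN[mtype]:
        raise ValueError("message too short")
    out = {"type": mtype}
    if mtype == RA:
        cur_hop, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", msg[4:16])
        out.update(cur_hop_limit=cur_hop, managed=bool(flags & 0x80), other=bool(flags & 0x40),
                   router_lifetime=lifetime, reachable_time=reachable, retrans_timer=retrans)
        body = msg[16:]
    elif mtype in (NS, NA):
        target = ipaddress.IPv6Address(msg[8:24])
        if target.is_multicast:
            raise ValueError("target must not be multicast")
        out["target"] = str(target)
        if mtype == NA:
            out.update(router=bool(msg[4] & 0x80), solicited=bool(msg[4] & 0x40),
                       override=bool(msg[4] & 0x20))
        body = msg[24:]
    else:
        body = msg[8:]
    out["options"] = parse_nd_options(body)
    return out


def nd_verdict(hop_limit, msg):
    """('accept', parsed) or ('drop', reason): what a host does and what a monitor would log."""
    try:
        return "accept", parse_nd(hop_limit, msg)
    except ValueError as exc:
        return "drop", str(exc)


# Rebuilt from Frame 5344: NS for 2001:db8:c0a8:b:c800:6ff:fea9:1c with SLLA ca:01:06:a9:00:1c
NS_FRAME_5344 = (struct.pack("!BBHI", NS, 0, 0x6230, 0)
                 + ipaddress.IPv6Address("2001:db8:c0a8:b:c800:6ff:fea9:1c").packed
                 + bytes([1, 1]) + bytes.fromhex("ca0106a9001c"))
# Rebuilt from Frame 56: cur hop limit 64, flags 0, lifetime 1800, SLLA ca:02:06:a9:00:54;
# MTU 1500 and prefix 2001:db8:c0a8:b::/64 (L+A, lifetimes 2592000/604800) are assumed
RA_FRAME_56 = (struct.pack("!BBHBBHII", RA, 0, 0x9040, 64, 0, 1800, 0, 0)
               + bytes([1, 1]) + bytes.fromhex("ca0206a90054")
               + struct.pack("!BBHI", 5, 1, 0, 1500)
               + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
               + ipaddress.IPv6Address("2001:db8:c0a8:b::").packed)
# Constructed malformed cases: option Length 0, and an NA whose target is a multicast group
NS_BAD_OPTION = NS_FRAME_5344[:25] + b"\0" + NS_FRAME_5344[26:]
NA_MCAST_TARGET = struct.pack("!BBHB3x", NA, 0, 0, 0x60) + ipaddress.IPv6Address("ff02::1").packed

if __name__ == "__main__":
    for hop, msg in ((255, NS_FRAME_5344), (255, RA_FRAME_56), (64, NS_FRAME_5344),
                     (255, NS_BAD_OPTION), (255, NA_MCAST_TARGET)):
        print(nd_verdict(hop, msg))
```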

2.2.6   Redirect

Informs a neighbor of a better next hop to reach a particular destination. Redirect messages can be dangerous and can be ignored by configuration on most platforms (Windows, Mac OS X, Linux).

Source Address. Either an address assigned to the interface from which this message is sent or (if Duplicate Address Detection is in progress) the unspecified address.

Destination Address. Either the solicited-node multicast address corresponding to the target address, or the target address.

Hop Limit is 255.


2.2.7   Neighbor Discovery Options

2.2.7.1 Source Link-Layer Address Option

It is used by Neighbor Solicitation and Router Advertisement.

Frame 56 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: ca:02:06:a9:00:54 (ca:02:06:a9:00:54), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Source: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 64
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
    Destination: ff02::1 (ff02::1)
Internet Control Message Protocol v6
    Type: 134 (Router advertisement)
    Code: 0
    Checksum: 0x9040 [correct]
    Cur hop limit: 64
    Flags: 0x00
    Router lifetime: 1800
    Reachable time: 0
    Retrans timer: 0
    ICMPv6 Option (Source link-layer address)
        Type: Source link-layer address (1)
        Length: 8

Ethernet II, Src: ca:01:06:a9:00:54 (ca:01:06:a9:00:54), Dst: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Destination: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Source: ca:01:06:a9:00:54 (ca:01:06:a9:00:54)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c801:6ff:fea9:54 (fe80::c801:6ff:fea9:54)
        Link-layer address: ca:02:06:a9:00:54                                 Destination: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
    ICMPv6 Option (MTU)                                                   Internet Control Message Protocol v6
        Type: MTU (5)                                                         Type: 136 (Neighbor advertisement)
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000           Code: 0
    Payload length: 64                                                        Checksum: 0x5f24 [correct]
    Next header: ICMPv6 (0x3a)                                                Flags: 0xe0000000
    Hop limit: 255                                                            Target: fe80::c801:6ff:fea9:54 (fe80::c801:6ff:fea9:54)
    Source: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
                                                                               ICMPv6 Option (Target link-layer address)
    Destination: ff02::1 (ff02::1)
Internet Control Message Protocol v6                                               Type: Target link-layer address (2)
    Type: 134 (Router advertisement)                                               Length: 8
    Code: 0                                                                        Link-layer address: ca:01:06:a9:00:54
    Checksum: 0x9040 [correct]
    Cur hop limit: 64
    Flags: 0x00
    Router lifetime: 1800
    Reachable time: 0
    Retrans timer: 0
                                                                          2.2.7.3 	
  Prefix	
  Informa>on	
  Op>on
    ICMPv6 Option (Source link-layer address)                             Can be sent with a Router Advertisement to advertise Prefixes. More than one prefixes can be in-
        Type: Source link-layer address (1)                               cluded.
        Length: 8
                                                                          Type. 3
        Link-layer address: ca:02:06:a9:00:54
    ICMPv6 Option (MTU)                                                   Length. 4.
        Type: MTU (5)
        Length: 8                                                         Prefix Length. 8 bits. Generally 64.
        MTU: 1500
    ICMPv6 Option (Prefix information)                                    On-Link Flag. 1 bit. If the prefix must be used to derive an address during SLAAC.
        Type: Prefix information (3)                                      Autonomous Flag. 1 bit. If the prefix must be used to derive an address during SLAAC.
        Length: 32
        Prefix length: 64                                                 Router Address flag. Defined in RFC 3775 for Mobile IPv6
        Flags: 0xc0
        Valid lifetime: 2592000                                           Site Prefix Flag.
        Preferred lifetime: 604800                                        Valid Lifetime. How long the address derived from this prefix is Valid without any refreshment before
        Prefix: 2001:db8:c0a8:3::
                                                                          the address is removed from the interface. A value of ALL ONEs bits represents infinity (for Static Ad-
                                                                          dresses).
2.2.7.2 Target	
  Link-­‐Layer	
  address	
  Op>on                        Prefered Lifetime. If not refreshed and the Preferred Timer expires, the address becomes deprecated
                                                                          and cannot be used to establish a new connection but the address is still valid for existing. A value of
                                                                          ALL ONEs bits represents infinity (for Static Addresses).
It is used by Neighbor Advertisement and Redirect packets.

                                                                          Frame 56 (118 bytes on wire, 118 bytes captured)
Frame 25 (86 bytes on wire, 86 bytes captured)                            Ethernet II, Src: ca:02:06:a9:00:54 (ca:02:06:a9:00:54), Dst: IPv6mcast_00:00:00:01
                                                                          (33:33:00:00:00:01)

                                                                                                                                                                              35
Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)                                            Preferred lifetime: 604800
    Source: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)                                                     Prefix: 2001:db8:c0a8:3::
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0                   2.2.7.4 Redirected	
  Header	
  Op>on
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 64                                                                    It is only used in the ND Redirect packet
    Next header: ICMPv6 (0x3a)
    Hop limit: 255                                                                        Frame 92 (214 bytes on wire, 214 bytes captured)
    Source: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)                               Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:02:06:a9:00:1c
    Destination: ff02::1 (ff02::1)                                                        (ca:02:06:a9:00:1c)
Internet Control Message Protocol v6                                                          Destination: ca:02:06:a9:00:1c (ca:02:06:a9:00:1c)
    Type: 134 (Router advertisement)                                                          Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Code: 0                                                                                   Type: IPv6 (0x86dd)
    Checksum: 0x9040 [correct]                                                            Internet Protocol Version 6
    Cur hop limit: 64                                                                         0110 .... = Version: 6
    Flags: 0x00                                                                               .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    Router lifetime: 1800                                                                     .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Reachable time: 0                                                                         Payload length: 160
The MTU option is used in the ICMPv6 Packet too big and in the ND Router Advertisement.       Next header: ICMPv6 (0x3a)
                                                                                              Hop limit: 255
                                                                                              Source: fe80::c801:6ff:fea9:1c (fe80::c801:6ff:fea9:1c)
Ethernet II, Src: ca:02:06:a9:00:54 (ca:02:06:a9:00:54), Dst: IPv6mcast_00:00:00:01           Destination: 2001:db8:c0a8:b::1 (2001:db8:c0a8:b::1)
(33:33:00:00:00:01)                                                                       Internet Control Message Protocol v6
    Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)                                    Type: 137 (Redirect)
    Source: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)                                             Code: 0
    Type: IPv6 (0x86dd)                                                                       Checksum: 0xd231 [correct]
Internet Protocol Version 6                                                                   Target: 2001:db8:c0a8:a:c800:6ff:fea9:1c (2001:db8:c0a8:a:c800:6ff:fea9:1c)
    0110 .... = Version: 6                                                                    Destination: 2001:db8:c0a8:a:c800:6ff:fea9:1c
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0                   (2001:db8:c0a8:a:c800:6ff:fea9:1c)
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000                           ICMPv6 Option (Target link-layer address)
    Payload length: 64                                                                            Type: Target link-layer address (2)
    Next header: ICMPv6 (0x3a)                                                                    Length: 8
    Hop limit: 255                                                                                Link-layer address: ca:00:06:a9:00:1c
    Source: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)                                   ICMPv6 Option (Redirected header)
    Destination: ff02::1 (ff02::1)                                                                Type: Redirected header (4)
Internet Control Message Protocol v6                                                              Length: 112
    Type: 134 (Router advertisement)                                                              Reserved: 0 (correct)
    Code: 0                                                                                       Redirected packet
    Checksum: 0x9040 [correct]                                                                    Internet Protocol Version 6
    Cur hop limit: 64                                                                                 0110 .... = Version: 6
    Flags: 0x00                                                                                       .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    Router lifetime: 1800                                                                             .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Reachable time: 0                                                                                 Payload length: 60
    Retrans timer: 0                                                                                  Next header: ICMPv6 (0x3a)
    ICMPv6 Option (Source link-layer address)                                                         Hop limit: 63
        Type: Source link-layer address (1)                                                           Source: 2001:db8:c0a8:b::1 (2001:db8:c0a8:b::1)
        Length: 8                                                                              Destination: 2001:db8:c0a8:a:c800:6ff:fea9:1c
        Link-layer address: ca:02:06:a9:00:54                                             (2001:db8:c0a8:a:c800:6ff:fea9:1c)
    ICMPv6 Option (MTU)                                                                           Internet Control Message Protocol v6
        Type: MTU (5)                                                                                 Type: 128 (Echo request)
        Length: 8                                                                                     Code: 0
        MTU: 1500                                                                                     Checksum: 0xbce7 [correct]
    ICMPv6 Option (Prefix information)                                                                ID: 0x22ef
        Type: Prefix information (3)                                                                  Sequence: 0x0004
        Length: 32                                                                                    Data (52 bytes)
        Prefix length: 64
        Flags: 0xc0
        Valid lifetime: 2592000

                                                                                                                                                                            36
2.2.7.5 MTU	
  Op>on

The MTU option is used in the ICMPv6 Packet too big and in the ND Router Advertisement.

                                                                                          2.2.7.6 Route	
  Informa>on	
  Op>on
Ethernet II, Src: ca:02:06:a9:00:54 (ca:02:06:a9:00:54), Dst: IPv6mcast_00:00:00:01
(33:33:00:00:00:01)
    Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Sourcrbbre: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 64
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
    Destination: ff02::1 (ff02::1)
Internet Control Message Protocol v6
                                                                                          Sent in Router Advertisement (see RFC4191.).
    Type: 134 (Router advertisement)                                                      It is used to give a preference to a router and to advertise routes (SHOULD not send more than 17
    Code: 0
                                                                                          routes). It SHOULD not a be default behavior.
    Checksum: 0x9040 [correct]                                                            Possible Option: Route Information You can also advertise a more specific Route information Recur-
    Cur hop limit: 64
                                                                                          sive
    Flags: 0x00
    Router lifetime: 1800
                                                                                          2.2.7.7 DNS	
  Server	
  Op>on
    Reachable time: 0
    Retrans timer: 0
                                                                                          DNS Server address can also be advertised in RA (RFC 5006):
    ICMPv6 Option (Source link-layer address)
         Type: Source link-layer address (1)                                              This is a very simple option with Length, Lifetime and the addrresses of all the DNS Servers.
         Length: 8                                                                        So you do not need to setup DHCPv6 Lite to advertise the DNS Server Address!
         Link-layer address: ca:02:06:a9:00:54                                            With Linux it can be advertised by radvd daemon.
    ICMPv6 Option (MTU)
         Type: MTU (5)
         Length: 8
2.3 Neighbor Discovery

IPv6 uses ND to manage its Neighbor Cache. This includes resolving the MAC Address of the Neighbor
and checking its Reachability (NUD).
Neighbor Discovery uses Neighbor Solicitation (NS) and Neighbor Advertisement (NA).
NS are used to discover the Neighbor MAC Address, to check if our new address is a DUPlicate or to
check if a Neighbor is still Reachable (NUD).
2.3.1 MAC Address Resolution

When a host needs to send a packet to a destination, it verifies if it is a Neighbor. In this case it sends
the packet directly to the Neighbor. There is an algorithm to check if the destination is a Neighbor as
there can be many prefixes on the same cable.
Once this is verified, the host creates an entry with state INCOMPLETE and the IPv6 Address of the
destination in the Neighbor cache and sends a Neighbor Solicitation to its Solicited Node Multicast
Address. The NS contains the MAC Address of the Requester in the SLLA Option to save the reverse
operation (below in Red).

Example of NS/NA between two UBUNTU Hosts

2.3.1.1 Neighbor Solicitation

Internet Protocol Version 6, Src: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef), Dst: ff02::1:ff8c:e4ac (ff02::1:ff8c:e4ac)
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef)
    [Source SA MAC: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)]
    Destination: ff02::1:ff8c:e4ac (ff02::1:ff8c:e4ac)
Internet Control Message Protocol v6
    Type: Neighbor Solicitation (135)
    Code: 0
    Checksum: 0xc88d [correct]
    Reserved: 00000000
    Target Address: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac
    ICMPv6 Option (Source link-layer address : f4:ca:e5:44:10:ef)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)

2.3.1.2 Neighbor Advertisement

Internet Protocol Version 6, Src: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac, Dst: fe80::f6ca:e5ff:fe44:10ef
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac (2a01:e35:2f26:d340:e:6a75:6c8c:e4ac)
    Destination: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef)
    [Destination SA MAC: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)]
Internet Control Message Protocol v6
    Type: Neighbor Advertisement (136)
    Code: 0
    Checksum: 0xe1ad [correct]
    Flags: 0x60000000
        0... .... .... .... .... .... .... .... = Router: Not set
        .1.. .... .... .... .... .... .... .... = Solicited: Set
        ..1. .... .... .... .... .... .... .... = Override: Set
        ...0 0000 0000 0000 0000 0000 0000 0000 = Reserved: 0
    Target Address: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac
    ICMPv6 Option (Target link-layer address : 00:0c:29:30:33:86)
        Type: Target link-layer address (2)
        Length: 1 (8 bytes)
        Link-layer address: Vmware_30:33:86 (00:0c:29:30:33:86)

Please note the Flags in the NA: the Router bit is set if we are a Router, the Solicited bit if this is a reply
to a solicitation using NS, and the Override bit enables the replacement of a cache entry! This is why the
display of your neighbor cache table tells you if an entry is a Router.

The requester provides its MAC address in the SLLA Option.
The Replier provides its MAC address in the TLLA Option.
Once it has received an answer, it updates the Neighbor MAC Address from the reply and sets the
neighbor state as REACHable.
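To make the option layouts of 2.2.7 and the NS/NA exchange above concrete, here is an added example (my own code, not the book's and not from any IOS or Wireshark source) that decodes ND messages from raw bytes: it verifies the ICMPv6 checksum over the IPv6 pseudo-header, walks the option TLVs (Length is counted in 8-octet units, so Wireshark's "Length: 8" and "Length: 1 (8 bytes)" are the same on the wire), decodes the Prefix Information lifetimes with the all-ones "infinity" rule, splits the R/S/O bits of the NA flags, and checks that an NS really went to the solicited-node group of its target. The packets at the bottom are constructed, re-encoded from the decodes printed on this page (Frame 56, Frame 25 and the Ubuntu NS); their checksum fields are the captured ones, which the parser must accept.

```python
import ipaddress
import struct

# ND message types and the option types decoded below (RFC 4861 sections 4.1 to 4.6).
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
HEADER_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}   # fixed part before the options
OPT_SLLA, OPT_TLLA, OPT_PREFIX, OPT_MTU = 1, 2, 3, 5
INFINITY = 0xFFFFFFFF   # an all-ones lifetime never expires (static addresses)


def icmpv6_checksum(src, dst, message):
    """One's-complement sum over the IPv6 pseudo-header plus the ICMPv6 message.
    Called on a message whose checksum field is already filled in, it returns 0."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(message), 58))     # upper-layer length, next header 58
    data = pseudo + message + (b"\x00" if len(message) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def solicited_node(addr):
    """ff02::1:ffXX:XXXX, built from the low 24 bits of addr (RFC 4291 section 2.7.1)."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))


def parse_options(data):
    """Walk the TLV list: Length counts 8-octet units and zero is invalid (RFC 4861 4.6)."""
    opts = []
    while data:
        if len(data) < 2 or data[1] == 0:
            raise ValueError("malformed ND option")
        kind, size = data[0], data[1] * 8
        body, data = data[:size], data[size:]
        if len(body) < size:
            raise ValueError("truncated ND option")
        if kind in (OPT_SLLA, OPT_TLLA):
            opts.append(("SLLA" if kind == OPT_SLLA else "TLLA", body[2:8].hex(":")))
        elif kind == OPT_MTU:
            opts.append(("MTU", struct.unpack("!I", body[4:8])[0]))
        elif kind == OPT_PREFIX:
            plen, flags, valid, preferred = struct.unpack("!BBII", body[2:12])
            opts.append(("Prefix", {
                "prefix": "%s/%d" % (ipaddress.IPv6Address(body[16:32]), plen),
                "on_link": bool(flags & 0x80), "autonomous": bool(flags & 0x40),
                "valid": "infinity" if valid == INFINITY else valid,
                "preferred": "infinity" if preferred == INFINITY else preferred}))
        else:
            opts.append(("option-%d" % kind, body[2:]))   # unknown options are kept raw, not fatal
    return opts


def parse_nd(src, dst, message):
    """Decode one ND message after checking its checksum, type, code and length."""
    if icmpv6_checksum(src, dst, message) != 0:
        raise ValueError("bad ICMPv6 checksum")
    mtype, code = message[0], message[1]
    if mtype not in ND_TYPES or code != 0 or len(message) < HEADER_LEN[mtype]:
        raise ValueError("not a valid ND message")
    msg = {"type": ND_TYPES[mtype]}
    if mtype == 134:
        hop, flags, life, reach, retrans = struct.unpack("!BBHII", message[4:16])
        msg.update(cur_hop_limit=hop, managed=bool(flags & 0x80), other=bool(flags & 0x40),
                   router_lifetime=life, reachable_time=reach, retrans_timer=retrans)
    elif mtype in (135, 136, 137):
        msg["target"] = str(ipaddress.IPv6Address(message[8:24]))
        if mtype == 135:   # an NS goes to the target's solicited-node group or to the target itself
            msg["dst_is_solicited_node"] = solicited_node(msg["target"]) == str(ipaddress.IPv6Address(dst))
        elif mtype == 136:   # R / S / O are the top three bits of the flags word
            msg.update(router=bool(message[4] & 0x80), solicited=bool(message[4] & 0x40),
                       override=bool(message[4] & 0x20))
        else:
            msg["destination"] = str(ipaddress.IPv6Address(message[24:40]))
    msg["options"] = parse_options(message[HEADER_LEN[mtype]:])
    return msg


# Constructed packets, re-encoded byte for byte from the Wireshark decodes on the page:
# Frame 56 (RA with SLLA, MTU and Prefix Information), Frame 25 (NA with TLLA) and the
# Ubuntu NS of 2.3.1.1. The checksum fields are the captured ones, so parse_nd must accept them.
RA_SRC, RA_DST = "fe80::c802:6ff:fea9:54", "ff02::1"
RA = bytes.fromhex(
    "86009040" "40000708" "00000000" "00000000"      # type 134, hop limit 64, router lifetime 1800
    "0101ca0206a90054"                               # SLLA ca:02:06:a9:00:54
    "05010000" "000005dc"                            # MTU 1500
    "030440c0" "00278d00" "00093a80" "00000000"      # /64, L+A flags, valid 2592000, preferred 604800
    "20010db8c0a80003" "0000000000000000")           # prefix 2001:db8:c0a8:3::
NA_SRC, NA_DST = "fe80::c801:6ff:fea9:54", "fe80::c802:6ff:fea9:54"
NA = bytes.fromhex("88005f24" "e0000000" "fe80000000000000c80106fffea90054" "0201ca0106a90054")
NS_SRC, NS_DST = "fe80::f6ca:e5ff:fe44:10ef", "ff02::1:ff8c:e4ac"
NS = bytes.fromhex("8700c88d" "00000000" "2a010e352f26d340000e6a756c8ce4ac" "0101f4cae54410ef")


def decode_page_captures():
    """Decode the three constructed packets; returns a dict keyed by message name."""
    return {"ra": parse_nd(RA_SRC, RA_DST, RA),
            "na": parse_nd(NA_SRC, NA_DST, NA),
            "ns": parse_nd(NS_SRC, NS_DST, NS)}
```

Running `decode_page_captures()` reproduces what Wireshark printed: the RA carries router lifetime 1800, MTU 1500 and the 2001:db8:c0a8:3::/64 prefix with both L and A set; the Frame 25 NA has R, S and O all set (0xe0000000, a router answering a solicitation), and the Ubuntu NS went to ff02::1:ff8c:e4ac, the solicited-node group of its target. Flipping a single byte makes `parse_nd` raise on the checksum, and an option with Length 0 is rejected rather than looping forever, which is the kind of check a receiver needs before trusting anything in an ND packet.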
If the Neighbor does not reply, it retries MAX_UNICAST_SOLICIT (default: 3) times with a configured
interval of RETRANS_TIMER (default: 1 second) between two requests, and if no reply is received, it
clears the entry in the Cache.

2.4 Duplicate Address Detection (DAD)

This process is used when an interface is coming up or every time a new address is added on an IPv6
Interface.
Its purpose is to check that the new address is not a Duplicate Address. It is a local process so the
checking is only done on the link where the address is added.
This is a very simple process: it just sends a NS to our own Solicited Node Multicast Address to
request the MAC Address of our newly configured address.

We expect NO ANSWER.

If somebody does answer, it means that there is another myself on the Network and my Address is a DUP.

If I don't receive any NA, we send a NA to claim the Address for ourselves and initialize the address.
We can see the DAD process in the capture at the very beginning, using the unspecified source
address ::/0.

DAD Example on a CISCO Router:

ICMPv6-ND: L3 came up on GigabitEthernet0/2
IPv6-Addrmgr-ND: DAD request for 2000:1::1 on GigabitEthernet0/2
ICMPv6-ND: Sending NS for 2000:1::1 on GigabitEthernet0/2
IPv6-Addrmgr-ND: DAD: 2000:1::1 is unique.
ICMPv6-ND: Sending NA for 2000:1::1 on GigabitEthernet0/2
IPv6-Address: Address 2000:1::1/64 is up on GigabitEthernet0/2

FIGURE 6.16 Address Autoconfiguration States (Tentative, Preferred, Deprecated, Invalid; the Preferred
Lifetime and the Valid Lifetime delimit the VALID period)

DAD ATTACK: 💀 💀
The DAD Process can be the target of a local attacker. The bad guy just listens to all the Neighbor Solicitation
messages and replies to all as if all addresses were already in use. DAD fails and the interface is disabled
for IPv6. You can get a tool which performs a DAD Attack from the thc web site: http://www.thc.org/thc-ipv6/

2.5 Neighbor Unreachability Detection (NUD)

As long as the host communicates with this Neighbor, the Upper Layer will reset the Reachable Timer
so it is never reached and the Neighbor remains in the state REACHable.

If the Upper Layer stops communication with the Neighbor for a time of the Reachable Timer (default:
30 seconds), the entry moves to a STALE state.

Then the host does nothing until a packet is sent to the Neighbor. When a packet is sent to this
Neighbor, the entry is moved to the DELAY state (default: 5 seconds) to give some time for the Upper Layer
protocol to check the availability of the Neighbor.
If no positive packet is received, the entry is moved to PROBE and the host starts sending Unicast
NS to the neighbor (Probe) every Retransmit Interval (default: 1 second). After MAX_UNICAST_SOLICIT
(default: 3) attempts, the Neighbor is considered as Unreachable and its entry is cleared from the
Cache.
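The retry rule at the end of 2.3.1 and the REACHABLE / STALE / DELAY / PROBE walk of 2.5 are one state machine per Neighbor Cache entry. As an added illustration (my own code, not from the book nor from any IOS or Linux implementation), here is a small event-driven model of one entry with the defaults quoted in the text: a caller-supplied clock in seconds, the Reachable Timer at 30 s, the DELAY timer at 5 s, RETRANS_TIMER at 1 s and MAX_UNICAST_SOLICIT at 3. The NA handling is a deliberate simplification of RFC 4861 section 7.2.5: only a solicited NA proves reachability, and a different MAC is accepted only when the Override bit is set. The neighbor address and timings in `run_scenario` are constructed.

```python
from dataclasses import dataclass, field

# Defaults quoted in the text (RFC 4861 section 10): REACHABLE_TIME 30 s,
# DELAY_FIRST_PROBE_TIME 5 s, RETRANS_TIMER 1 s, MAX_UNICAST_SOLICIT 3.
REACHABLE_TIME, DELAY_TIME, RETRANS_TIMER, MAX_SOLICIT = 30.0, 5.0, 1.0, 3


@dataclass
class NeighborEntry:
    """One Neighbor Cache entry, driven by events and a caller-supplied clock in seconds."""
    address: str
    state: str = "INCOMPLETE"
    mac: str = ""
    is_router: bool = False
    deadline: float = 0.0      # when the timer of the current state fires
    probes: int = 0            # NS already sent in INCOMPLETE or PROBE
    sent: list = field(default_factory=list)   # (time, "multicast" | "unicast") for each NS

    def _send_ns(self, now, kind):
        self.probes += 1
        self.sent.append((now, kind))
        self.deadline = now + RETRANS_TIMER

    @classmethod
    def resolve(cls, address, now):
        """Address resolution starts: create the entry and send the first multicast NS."""
        entry = cls(address)
        entry._send_ns(now, "multicast")
        return entry

    def na_received(self, now, mac, solicited, override, router):
        """Apply an NA (simplified from RFC 4861 7.2.5): only a solicited NA proves reachability,
        and a different MAC is accepted only when the Override bit is set."""
        if self.state != "INCOMPLETE" and mac != self.mac and not override:
            return
        self.mac, self.is_router = mac, router
        if solicited:
            self.state, self.deadline, self.probes = "REACHABLE", now + REACHABLE_TIME, 0
        elif self.state in ("INCOMPLETE", "REACHABLE"):
            self.state = "STALE"      # unsolicited NA: MAC known, reachability not confirmed

    def upper_layer_confirmation(self, now):
        """Positive advice from TCP or an echo reply resets the Reachable Timer."""
        if self.state != "INCOMPLETE":
            self.state, self.deadline, self.probes = "REACHABLE", now + REACHABLE_TIME, 0

    def packet_sent(self, now):
        """Sending to a STALE neighbor starts the DELAY timer before any probe."""
        if self.state == "STALE":
            self.state, self.deadline = "DELAY", now + DELAY_TIME

    def tick(self, now):
        """Advance the timers; returns False once the entry must be cleared from the cache."""
        if now < self.deadline or self.state == "STALE":   # STALE has no timer of its own
            return True
        if self.state == "REACHABLE":
            self.state = "STALE"                    # nothing happens until the next packet is sent
        elif self.state == "DELAY":
            self.state, self.probes = "PROBE", 0
            self._send_ns(now, "unicast")
        elif self.probes >= MAX_SOLICIT:            # INCOMPLETE or PROBE: no reply after 3 solicits
            return False
        else:
            self._send_ns(now, "unicast" if self.state == "PROBE" else "multicast")
        return True


def run_scenario():
    """Walk one entry through the states described in the text; returns (trace, entry)."""
    trace = []
    entry = NeighborEntry.resolve("2001:db8::1", now=0.0)   # constructed neighbor address
    trace.append(entry.state)                                # INCOMPLETE, multicast NS sent
    entry.na_received(0.1, "ca:01:06:a9:00:54", solicited=True, override=True, router=True)
    trace.append(entry.state)                                # REACHABLE
    entry.tick(31.0)                                         # Reachable Timer expired, no traffic
    trace.append(entry.state)                                # STALE
    entry.packet_sent(40.0)
    trace.append(entry.state)                                # DELAY
    entry.tick(45.5)                                         # no confirmation: PROBE, unicast NS #1
    trace.append(entry.state)
    alive = [entry.tick(t) for t in (46.5, 47.5, 48.5)]      # NS #2, NS #3, then cleared
    trace.append("CLEARED" if not alive[-1] else entry.state)
    return trace, entry
```

The scenario sends exactly one multicast NS and three unicast probes one second apart before the entry is cleared, which is the sequence the text describes; a second entry that never gets an answer is cleared after three multicast NS while still INCOMPLETE. The `is_router` field is what the "R" mark in a neighbor cache display is derived from.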
2.6     Router	
  Discovery
F IGURE 6.10 Full DAD Process and UBUNTU Interface   By default the hosts do not have to configure a default router. This is done automatically thanks to ND
Startup                                              Protocol.
                                                     The Routers send Unsolicited Router Advertisements on a regular basis (min interval is 3 seconds).
                                                     The hosts listen to the RA to refresh prefixes or update some parameters.
                                                     When a host is booting and needs RA Information immediately, it sends a Router Solicitation message
                                                     to the All Routers Multicast Address FF02::2.
                                                     The RA contains the following information:
                                                     o     Default Link Parameters (Default Hop Limit, MTU)
                                                     o     Neighbor Unreachability Detection Parameters. These are Reachable Timer and Retransmit Inter-
                                                           val, The value zero means unspecified which actually means that the configured information on
                                                           the hosts must not be hanged by the RA.
                                                     o     Prefix availables on the Link with Timers and Flags for each Prefix about Autoconfiguration
                                                           (SLAAC, Stateless Address Autoconfiguration
                                                     o     If the Router is a Candidate as Default Gateway (Lifetime, Preference). The Lifetime parameter is
F IGURE 6.9 NS Send during DAD Process (UBUNTU)            only there to say how long this advertisement is valid without being refreshed to use this router as
                                                           a default Router Candidate. A RA with Lifetime=0 means: "stop using me as your default router
                                                           immediately"!
                                                     o     Router IPv6 and MAC Addresses
                                                     o     DNS Server Addresses (RFC6106)
                                                     o     If DHCPv6 is available in the Network and if it must be used to configure Address and Everything
                                                           or Everything but Addresses. If the Router is a Home Agent (Mobile IPv6)?


2.7     Autoconfiguration (SLAAC)

If you have 2 minutes and want to follow the whole process, watch this quick presentation (Flash video):

         http://www.ipv6forlife.com/Tutorial/IPv6Startup.html

And if you have 30 minutes and prefer all the details of autoconfiguration with IPv6, get the .mov video presentation on the Web. It is the long version of the short Flash presentation and lasts about 30 minutes:

         http://www.youtube.com/watch?v=1DnDqxA7c_g

It is also on SlideShare.

The whole process is summarized on the next two figures, from the start, when the interface comes up, to the stop, when it is ready or disabled!

Figure 6.11: NA sent during the DAD process (Ubuntu)





2.7.1   Introduction

An IPv6 node must be able to configure its network access unattended, with or without routers on the link(s). Autoconfiguration has been one of the main requirements for IPv6 since day one.

In any case, unless it has been disabled (on Linux, for instance), the workstation performs Stateless Address Autoconfiguration (SLAAC) when its interfaces come up. A DHCPv6 server can be added to configure addresses and additional information: this is stateful DHCPv6. Providing the additional information without addresses is stateless DHCPv6.




A DHCPv6 server only needs to keep state when it allocates addresses, in order to poll a workstation which did not renew its reservation and to return the reserved address to the pool if the client fails to answer. DHCPv6 will be studied in detail later in this book. Right now we are going to focus on the Stateless Address Autoconfiguration (SLAAC) process itself. Just keep in mind that DHCPv6 cannot replace SLAAC, only complement it. For instance, a default route cannot be configured with DHCPv6: there is no option for it, the default router always comes from an RA.

SLAAC is stateless because no state is kept on the router when plain SLAAC is used to configure addresses and any other parameters on the node.

2.7.2   SLAAC Process

SLAAC is enabled by default on most platforms. I have seen some Linux distributions where it must be enabled.

It is possible to configure everything statically, which may be interesting for a data center where there are only servers and routers to configure. We may then configure the addresses manually, and the default route towards an HSRP or GLBP virtual IPv6 link-local address, also statically. You will then not lose any time with protocols and you do not risk anything from rogue devices and advertisements.

For instance, a rogue RA, DNS or DHCP server can be forged on the local link if an employee wants to break the company network. For the RA, the attacker must be on the local link, since ND packets, RA included, MUST arrive with Hop Limit = 255 to be valid or they are dropped: a packet that has crossed a router cannot have that value any more.

So SLAAC will be performed in most cases, and here is the full process. Between A and B on the diagram is the prefix-list verification process detailed in section 2.7.2.3. Let's explain it step by step, or click here for an animation:

         http://www.ipv6forlife.com/Tutorial/IPv6Startup.html

2.7.2.1 Validation of the Link-local Address

The interface is brought up or the host is booting. The interface enters the TENTATIVE state. No user traffic can be exchanged until we reach the red Stop state, which is the end of the SLAAC process.

From the start, the very first step is to build the link-local address with an EUI-64 or static interface ID and to verify it using the DAD process. We send an NS, with the unspecified source address ::, to our own solicited-node multicast address for our own tentative address, and expect no answer. If somebody replies, our link-local address is not unique and therefore not valid, and the interface is disabled for IPv6 (RFC 4862 recommends this when the colliding link-local address was derived from the hardware address).

Only if we use SeND do we make two more attempts before we quit and log an error: in that case we are most probably under a DoS attack, with a forged NA answering every DAD probe!

2.7.2.2 Send a Router Solicitation

The next step is to send an RS to the all-routers link-local scope multicast address, FF02::2 (FF02::1 is all-nodes, the group RAs are sent to).

If we don't receive any RA, we try DHCPv6 and exit the SLAAC process. Otherwise, we configure the IPv6 interface from the parameters received in the RA: MTU, Hop Limit, Reachable Time and Retransmit Timer, Router Lifetime, and so on.

2.7.2.3 Check the Prefix List

Click on the link below for a Flash animation:

         http://www.ipv6forlife.com/Tutorial/IPv6Startup.html

The next step is to examine the prefix list, if there is one in the Router Advertisement.

If there is a list, we examine each prefix and check that the On-Link (L) and Autonomous (A) bits ("Flags" in the capture) are set. Strictly speaking, RFC 4862 only requires the A flag to form an address; the L flag decides whether the prefix is added to the on-link prefix list, so that neighbors under it are reached directly instead of through the router.

With each dynamic address, there are two timers: the Preferred and the Valid lifetimes. When the Preferred lifetime has expired, the address is deprecated but remains valid until the Valid lifetime expires. A deprecated address is still there and can be used by an existing connection; on the other hand, it should not be used for a new connection. When the Valid lifetime has expired, the address is removed from the interface.

Then we must also check the timers:

         The Valid lifetime MUST be non-zero (> 0); a prefix with Valid = 0 forms no address.

         The Valid lifetime MUST NOT be smaller than the Preferred lifetime; if Preferred > Valid, the Prefix Information option is ignored.

If the bits and timers are OK, we derive an address using any of the configured modes for the interface ID: static, EUI-64, random temporary, CGA... and we check that this address is unique using DAD. If DAD passes, we initialize the address; otherwise the address is not used. We go to the next prefix until there is none left, and we return from the prefix-list inspection loop.

The last step is to check whether we need to call a DHCPv6 server to configure addresses (M flag) and/or other parameters (O flag).

Once the dynamic addresses have been acquired, they must be refreshed by SLAAC or DHCPv6, or they will become invalid and vanish! Periodic RAs refresh the prefix lifetimes. With DHCPv6, it is the client which renews or rebinds its address.

2.8    Renumbering

As we have seen before, with IPv6 the prefix is not allocated to the end user but to the SP. When you change SP, you will need to configure a new prefix in your network.

This process is renumbering. With a good design and the right tools, it will not be a problem and will not take long to change the prefix of your network.

The principle of renumbering is very simple. We have two prefixes. One is deprecated: its Preferred lifetime is set to 0. This way no new connection will be established on the addresses derived from this prefix. These addresses can remain deprecated but still valid for the rest of the day, the week or even more! We need to find a reasonable timer value that lets all the users close their sessions rather than forcing a disconnection.

All the new connections are established with addresses derived from the prefixes which are still preferred.

So, by the time the Valid lifetime of the old prefix expires and the derived addresses are removed from the interfaces, hopefully nobody will still be using these addresses.

This is how the renumbering process operates.

3     Additional Information about Prefix Validation in the SLAAC Process

The configuration of Cisco routers for SLAAC

Below is how to configure the routers for the SLAAC process (slide "Refreshing the SLAAC Addresses Timers"):

  •  An address which has been derived from an RA must be refreshed by new RAs advertising the same prefix.
  •  The RA interval must be consistent with the Preferred and Valid lifetimes for the addresses to be refreshed in time:

         ipv6 nd ra-interval <seconds>          200 seconds by default
         ipv6 nd ra-lifetime <seconds>          1800 seconds (30 minutes) by default
         ipv6 nd managed-config-flag            sets the M flag
         ipv6 nd other-config-flag              sets the O flag
         ipv6 nd prefix <prefix/mask> [Valid] [Preferred] [no-advertise | off-link | no-autoconfig]

     The ra-interval must not exceed the ra-lifetime, or hosts drop the default router between two advertisements. On Cisco IOS the prefix lifetimes default to 2592000 s Valid and 604800 s Preferred (30 days / 7 days), which is why the Windows listing later in this chapter shows 29d23h59m59s and 6d23h59m59s.

  •  To be used by SLAAC:
        -  The On-Link and Autonomous bits must be set.
        -  If Preferred Lifetime > Valid Lifetime, ignore the Prefix Information option. A node MAY wish to log a system management error in this case.
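The prefix checks of section 2.7.2.3, the DAD derivations of section 2.7.2.1 and the renumbering scenario of section 2.8, as an added example in Python that is not from the book. The RA with two prefixes and the MAC address are constructed; the function names are mine. It also carries one rule the text above does not mention, RFC 4862 section 5.5.3 e): an unauthenticated RA cannot shorten the remaining Valid lifetime of an existing address below two hours, which bounds what a rogue RA advertising lifetime 0 can do to addresses already in use.

```python
# Added example, not from the book: the checks a host applies to each Prefix
# Information option of an RA (RFC 4862 section 5.5.3), the EUI-64 and
# solicited-node derivations used by DAD, and the preferred / deprecated /
# invalid address lifecycle that renumbering relies on. The RA is constructed.
import ipaddress
from dataclasses import dataclass

INFINITY = 0xFFFFFFFF   # RFC 4861 encoding of an infinite lifetime
TWO_HOURS = 2 * 60 * 60


@dataclass
class PrefixInfo:
    prefix: str
    on_link: bool           # L flag: prefix goes to the on-link prefix list
    autonomous: bool        # A flag: prefix may be used for SLAAC
    valid_lifetime: int     # seconds
    preferred_lifetime: int

def eui64_iid(mac):
    """Modified EUI-64 interface ID: insert ff:fe in the middle, flip the U/L bit."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(raw) != 6:
        raise ValueError("MAC must be 48 bits")
    raw[0] ^= 0x02
    return int.from_bytes(raw[:3] + b"\xff\xfe" + raw[3:], "big")

def solicited_node(addr):
    """ff02::1:ffXX:XXXX, the group the DAD NS for addr is sent to."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))

def check_prefix(p):
    """None if the option can be used for SLAAC, otherwise why it is ignored."""
    if not p.autonomous:
        return "A flag clear: not for autoconfiguration"
    net = ipaddress.IPv6Network(p.prefix, strict=False)
    if net.is_link_local:
        return "link-local prefix: ignored"
    if net.prefixlen != 64:
        return "prefix length %d does not fit a 64-bit interface ID" % net.prefixlen
    if p.preferred_lifetime > p.valid_lifetime:
        return "preferred > valid: option ignored, log a management error"
    if p.valid_lifetime == 0:
        return "valid lifetime 0: no address formed"
    return None

def form_address(p, mac):
    """Prefix + modified EUI-64 interface ID."""
    net = ipaddress.IPv6Network(p.prefix, strict=False)
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_iid(mac)))

def address_state(age, valid, preferred):
    """preferred -> deprecated (no new connections) -> invalid (removed)."""
    if valid != INFINITY and age >= valid:
        return "invalid"
    if preferred != INFINITY and age >= preferred:
        return "deprecated"
    return "preferred"

def update_valid_lifetime(remaining, received, authenticated):
    """RFC 4862 5.5.3 e): an unauthenticated RA cannot cut the remaining valid
    lifetime of an existing address below two hours (SeND-authenticated RAs can)."""
    if received > TWO_HOURS or received > remaining:
        return received
    if remaining <= TWO_HOURS:
        return received if authenticated else remaining
    return TWO_HOURS

def process_ra(options, mac, age=0):
    """Walk the prefix list: one EUI-64 address per accepted prefix, tagged with
    its state 'age' seconds after configuration (DAD is assumed to pass)."""
    addrs = {}
    for p in options:
        if check_prefix(p) is None:
            addrs[form_address(p, mac)] = address_state(age, p.valid_lifetime, p.preferred_lifetime)
    return addrs

def select_source(addrs):
    """New connections take a preferred address; a deprecated one only as last resort."""
    for wanted in ("preferred", "deprecated"):
        for addr, state in addrs.items():
            if state == wanted:
                return addr
    return None

# Constructed renumbering RA: the old SP prefix is deprecated (preferred 0) but
# stays valid for a day; the new one carries the usual 30-day / 7-day lifetimes.
MAC = "00:13:72:2b:34:07"
RENUMBERING_RA = [PrefixInfo("2001:db8:1::/64", True, True, 86400, 0),
                  PrefixInfo("2001:db8:2::/64", True, True, 2592000, 604800)]

if __name__ == "__main__":
    states = process_ra(RENUMBERING_RA, MAC)
    for addr, state in states.items():
        print(addr, state, "DAD group:", solicited_node(addr))
    print("source for new connections:", select_source(states))
    print("rogue RA (valid 0) leaves", update_valid_lifetime(2592000, 0, False), "s")
```

Run as a script it prints the old-prefix address as deprecated, the new-prefix address as preferred, the solicited-node group each DAD probe goes to, and shows that a rogue RA with Valid = 0 only cuts a fresh 30-day address down to two hours rather than removing it.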




6     IPv6 On Hosts and Routers

IPv6 is now widely deployed and it is the default protocol on most if not all hosts: Windows, Linux, Mac OS, iPhone, iPad and HP laser printers talk IPv6, and many, many others... All applications and most content on the Internet are available via IPv6: Yahoo, Google, Facebook, MS and others... This is NOW!
IPv6 On Hosts & Cisco Routers

6.1     Configuration and Checking on Hosts

6.1.1       Windows

IPv6 is loaded by default and is now configured as the default, preferred protocol.

On Windows XP it was shipped, but you had to install it with the command "netsh interface ipv6 install".

You cannot uninstall IPv6 in Windows 7, but you can disable IPv6 on a per-adapter basis. To do this, follow these steps:

           1.    In Control Panel, open Network And Sharing Center.
           2.    Click Manage Network Connections and then double-click the connection you want to configure.
           3.    Clear the check box labeled Internet Protocol Version 6 (TCP/IPv6), and then click OK.

Note that if you disable IPv6 on all your network connections using the user interface method described in the preceding steps, IPv6 will still remain enabled on all tunnel interfaces and on the loopback interface.

As an alternative to using the user interface to disable IPv6 on a per-adapter basis, you can selectively disable certain features of IPv6 by creating and configuring the following DWORD registry value:

           HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents

           Flag (low-order bit)   Result of setting this bit to 1
           0                      Disables all IPv6 tunnel interfaces, including ISATAP, 6to4 and Teredo tunnels
           1                      Disables all 6to4-based interfaces
           2                      Disables all ISATAP-based interfaces
           3                      Disables all Teredo-based interfaces
           4                      Disables IPv6 over all non-tunnel interfaces, including LAN and PPP interfaces
           5                      Modifies the default prefix policy table to prefer IPv4 over IPv6 when attempting connections

The bits combine: 0x20 keeps IPv6 but prefers IPv4, and 0xFF disables every IPv6 component except the loopback interface (Microsoft KB 929852). A reboot is needed for the value to take effect.

More details:

6.1.1.1   IPv6 Tools with Windows

6.1.1.1.1 Ipconfig

           Windows IP Configuration

           Ethernet adapter Local Area Connection:
              Connection-specific DNS Suffix . : ectasie.example.com
              IPv6 Address. . . . . . . . . . . : 2001:db8:21da:7:713e:a426:d167:37ab
              Temporary IPv6 Address. . . . . . : 2001:db8:21da:7:5099:ba54:9881:2e54
              Link-local IPv6 Address . . . . . : fe80::713e:a426:d167:37ab%6
              IPv4 Address. . . . . . . . . . . : 157.60.14.11
              Subnet Mask . . . . . . . . . . . : 255.255.255.0
              Default Gateway . . . . . . . . . : fe80::20a:42ff:feb0:5400%6
                                                  157.60.14.1

           Tunnel adapter Local Area Connection* 6:
              Connection-specific DNS Suffix . :
              IPv6 Address. . . . . . . . . . . : 2001:db8:908c:f70f:0:5efe:157.60.14.11
              Link-local IPv6 Address . . . . . : fe80::5efe:157.60.14.11%9
              Site-local IPv6 Address . . . . . : fec0::6ab4:0:5efe:157.60.14.11%1
              Default Gateway . . . . . . . . . : fe80::5efe:131.107.25.1%9
                                                  fe80::5efe:131.107.25.2%9

           Tunnel adapter Local Area Connection* 7:
              Media State . . . . . . . . . . . : Media disconnected
              Connection-specific DNS Suffix . :

The IPv6 Default Gateway is the link-local address of the router learned from its RA (%6 is the interface index, the zone of a link-local address); an unexpected entry here is the first visible sign of a rogue RA on the link. The Temporary IPv6 Address is the RFC 4941 privacy address used as source for outgoing connections.

6.1.1.1.2 Route

           IPv6 Routing Table
           ===========================================================================
           Active Routes:
            If Metric Network Destination      Gateway
             8    286 ::/0                     fe80::3cec:bf16:505:eae6
             1    306 ::1/128                  On-link
             8     38 2001:db8::/64            On-link
             8    286 2001:db8::4074:2dce:b313:7c65/128   On-link
             8    286 2001:db8::b500:734b:fe5b:3945/128   On-link
             8    286 fe80::/64                On-link
            17    296 fe80::5efe:10.0.0.3/128  On-link
             8    286 fe80::b500:734b:fe5b:3945/128       On-link
             1    306 ff00::/8                 On-link
             8    286 ff00::/8                 On-link
           ===========================================================================

6.1.1.1.3 Ping

           f:>ping 2001:db8:1:f282:dd48:ab34:d07c:3914

           Pinging 2001:db8:1:f282:dd48:ab34:d07c:3914 from
            2001:db8:1:f282:3cec:bf16:505:eae6 with 32 bytes of data:

           Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
           Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
           Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
           Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms

           Ping statistics for 2001:db8:1:f282:dd48:ab34:d07c:3914:
               Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
           Approximate round trip times in milli-seconds:
               Minimum = 0ms, Maximum = 0ms, Average = 0ms

6.1.1.1.4 Tracert

           F:>tracert 2001:db8:1:f282:dd48:ab34:d07c:3914

           Tracing route to 2001:db8:1:f282:dd48:ab34:d07c:3914 over a maximum of 30 hops

             1      <1 ms      <1 ms   <1 ms   2001:db8:1:f241:2b0:d0ff:fea4:243d
             2      <1 ms      <1 ms   <1 ms   2001:db8:1:f2ac:2b0:d0ff:fea5:d347
             3      <1 ms      <1 ms   <1 ms   2001:db8:1:f282:dd48:ab34:d07c:3914

           Trace complete.

6.1.1.1.5 Pathping

           F:>pathping 2001:db8:1:f282:dd48:ab34:d07c:3914

           Tracing route to 2001:db8:1:f282:dd48:ab34:d07c:3914 over a maximum of 30 hops

             0   server1.example.microsoft.com [2001:db8:1:f282:204:5aff:fe56:1006]
             1   2001:db8:1:f282:dd48:ab34:d07c:3914

           Computing statistics for 25 seconds...
                       Source to Here     This Node/Link
           Hop  RTT    Lost/Sent = Pct    Lost/Sent = Pct    Address
             0                                                server1.example.microsoft.com [2001:db8:1:f282:204:5aff:fe56:1006]
                                             0/ 100 =   0%    |
             1    0ms     0/ 100 =   0%      0/ 100 =   0%    2001:db8:1:f282:dd48:ab34:d07c:3914

           Trace complete.

6.1.1.1.6 netstat -s

           F:>netstat -s

           IPv4 Statistics

             Packets Received                   = 187107
             Received Header Errors             = 0
             Received Address Errors            = 84248
             Datagrams Forwarded                = 0
             Unknown Protocols Received         = 0
             Received Packets Discarded         = 0
             Received Packets Delivered         = 186194
             Output Requests                    = 27767
             Routing Discards                   = 0
             Discarded Output Packets           = 0
             Output Packet No Route             = 0
             Reassembly Required                = 0
             Reassembly Successful              = 0
             Reassembly Failures                = 0
             Datagrams Successfully Fragmented  = 0
             Datagrams Failing Fragmentation    = 0
             Fragments Created                  = 0

           IPv6 Statistics

             Packets Received                   = 53118
             Received Header Errors             = 0
             Received Address Errors            = 0
             Datagrams Forwarded                = 0
             Unknown Protocols Received         = 0
             Received Packets Discarded         = 0
             Received Packets Delivered         = 0
             Output Requests                    = 60695
             Routing Discards                   = 0
             Discarded Output Packets           = 0
             Output Packet No Route             = 0
             Reassembly Required                = 0
             Reassembly Successful              = 0
             Reassembly Failures                = 0
             Datagrams Successfully Fragmented  = 0
             Datagrams Failing Fragmentation    = 0
             Fragments Created                  = 0

           ICMPv4 Statistics

                                          Received    Sent
             Messages                     682         881
             Errors                       0           0
             Destination Unreachable      2           201
             Time Exceeded                0           0
             Parameter Problems           0           0
             Source Quenches              0           0
             Redirects                    0           0
             Echos                        340         340
             Echo Replies                 340         340
             Timestamps                   0           0
             Timestamp Replies            0           0
             Address Masks                0           0
             Address Mask Replies         0           0

           ICMPv6 Statistics

                                          Received    Sent
             Errors                       0           0
             Destination Unreachable      193         0
             Echos                        4           0
             Echo Replies                 0           4
             MLD Reports                  0           6
             Router Solicitations         0           7
             Router Advertisements        54          0
             Neighbor Solicitations       31          32
             Neighbor Advertisements      27          31

           TCP Statistics for IPv4

             Active Opens                       = 128
             Passive Opens                      = 106
             Failed Connection Attempts         = 0
             Reset Connections                  = 3
             Current Connections                = 16
             Segments Received                  = 22708
             Segments Sent                      = 26255
             Segments Retransmitted             = 37

           TCP Statistics for IPv6

             Active Opens                       = 74
             Passive Opens                      = 72
             Failed Connection Attempts         = 1
             Reset Connections                  = 0
             Current Connections                = 14
             Segments Received                  = 52809
             Segments Sent                      = 59813
             Segments Retransmitted             = 3

           UDP Statistics for IPv4

             Datagrams Received                 = 160982
             No Ports                           = 2158
             Receive Errors                     = 2
             Datagrams Sent                     = 591

           UDP Statistics for IPv6

             Datagrams Received                 = 0
             No Ports                           = 0
             Receive Errors                     = 0
             Datagrams Sent                     = 744

6.1.1.1.7 Netsh interface ipv6 show interface

           Idx     Met         MTU   State          Name
           ---  ------  ----------  -----------    -------------------
             1      50  4294967295  enabled        Loopback Pseudo-Interface 1
             9      50        1280  enabled        Local Area Connection* 6
             6      20        1500  enabled        Local Area Connection
            10      50        1280  enabled        Local Area Connection* 7
             7      10        1500  disabled       Local Area Connection 2

Netsh interface ipv6 show address

           Interface 1: Loopback Pseudo-Interface 1

           Addr Type  DAD State   Valid Life Pref. Life Address
           ---------  ----------- ---------- ---------- ------------------------
           Other      Preferred     infinite   infinite ::1

           Interface 9: Local Area Connection* 6

           Addr Type  DAD State   Valid Life Pref. Life Address
           ---------  ----------- ---------- ---------- ------------------------
           Other      Deprecated    infinite   infinite fe80::5efe:1.0.0.127%9

           Interface 6: Local Area Connection

           Addr Type  DAD State   Valid Life Pref. Life Address
           ---------  ----------- ---------- ---------- ------------------------
           Public     Preferred 29d23h59m59s 6d23h59m59s 2001:db8:21da:7:1f3e:9e51:2178:b90b
           Temporary  Preferred 5d19h59m25s 5d19h59m25s 2001:db8:21da:7:a299:85ae:21da:59cc
           Other      Preferred     infinite   infinite fe80::713e:a426:d167:37ab%6
Interface 10: Local Area Connection* 7

Addr Type         DAD State   Valid Life   Pref. Life   Address
---------         ----------- ------------ ------------ ------------------------
Other             Deprecated  infinite     infinite     fe80::5efe:1.0.0.127%10

.1.1.1.8    Netsh interface ipv6 show route

Publish        Type            Met      Prefix                               Idx   Gateway/Interface Name
-------        --------        ---      ------------------------             ---   -----------------------
No             Manual          256      ::/0                                   8   fe80::3cec:bf16:505:eae6
No             Manual          256      ::1/128                                1   Loopback Pseudo-Interface 1
No             Manual          8        2001:db8::/64                          8   Local Area Connection
No             Manual          256      2001:db8::4074:2dce:b313:7c65/128      8   Local Area Connection
No             Manual          256      2001:db8::b500:734b:fe5b:3945/128      8   Local Area Connection
No             Manual          1000     2002::/16                             11   Local Area Connection* 7
No             Manual          256      fe80::/64                             10   Local Area Connection* 9
No             Manual          256      fe80::/64                              8   Local Area Connection
No             Manual          256      fe80::100:7f:fffe/128                 10   Local Area Connection* 9
No             Manual          256      fe80::5efe:10.0.0.3/128               17   Local Area Connection* 6
No             Manual          256      fe80::b500:734b:fe5b:3945/128          8   Local Area Connection
No             Manual          256      ff00::/8                               1   Loopback Pseudo-Interface 1
No             Manual          256      ff00::/8                              10   Local Area Connection* 9
No             Manual          256      ff00::/8

.1.1.1.9    Netsh interface ipv6 show neighbors

Interface 1: Loopback Pseudo-Interface 1

Internet Address                                  Physical Address        Type
--------------------------------------------      -----------------       -----------
ff02::16                                                                  Permanent
ff02::1:3                                                                 Permanent

Interface 8: Local Area Connection

Internet Address                                  Physical Address        Type
--------------------------------------------      -----------------       -----------
2001:db8::3cec:bf16:505:eae6                      00-13-72-2b-34-07       Stale (Router)
2001:db8::4074:2dce:b313:7c65                     00-00-00-00-00-00       Unreachable
2001:db8::6c4b:bf6d:201a:ccbf                     00-00-00-00-00-00       Unreachable
fe80::3cec:bf16:505:eae6                          00-13-72-2b-34-07       Stale (Router)
ff02::16                                          33-33-00-00-00-16       Permanent

Interface 10: Local Area Connection* 9

Internet Address                                  Physical Address        Type
--------------------------------------------      -----------------       -----------
fe80::b500:734b:fe5b:3945                         255.255.255.255:65535   Unreachable
ff02::16                                          255.255.255.255:65535   Permanent

.1.1.1.10    Netsh interface ipv6 show destinationcache

Interface 8: Local Area Connection

PMTU Destination Address                           Next Hop Address
---- --------------------------------------------- -------------------------
1500 2001:db8::3cec:bf16:505:eae6                  2001:db8::3cec:bf16:505:eae6

.1.2    MAC OS X

With Linux and MAC OS the whole IPv6 stack and its useful tools are available. Also, as on Windows, the
GUI cannot help much, and the CLI will be used for most commands.
Please note the percent sign, which introduces the interface name or index, depending on the OS. In IPv6
this refers to the zone (see RFC 4007, IPv6 Scoped Address Architecture). Each zone has its own routing
table internally, and zones are currently used by 1) link-local addresses, 2) multicast addresses and
3) unicast. It is very rare, BUT one application which was requested for our IPv6 Group was 6VPE.

From an IPv6 point of view, 6VPE has no interest at all! MPLS-VPN was a great feature for IPv4 because
of address depletion. With IPv6 it is no longer very interesting, and the VRF that exists in IPv6 is
called a Zone. The Zone has its own routing table internally, and there is no complex provisioning!
With MAC OS or Linux the zone identifier is the name of the interface:

.1.2.1    netstat -in ip6

power-mac-g5-de-fred-bovy-6:~ root# netstat -in ip6
Name  Mtu    Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
lo0   16384  <Link#1>                        623227     0   623227     0     0
lo0   16384  ::1/128       ::1               623227     -   623227     -     -
lo0   16384  fe80::1%lo0   fe80:1::1         623227     -   623227     -     -
lo0   16384  127           127.0.0.1         623227     -   623227     -     -
lo0      16384   fd6e:28d7:6   fd6e:28d7:65b4:77   623227   -    623227   -   -
gif0*    1280    <Link#2>                               0   0         0   0   0
stf0*    1280    <Link#3>                               0   0         0   0   0
en0      1500    <Link#4>      d4:9a:20:d0:f9:ae        0   0         0   0   0
fw0      4078    <Link#5>      d4:9a:20:ff:fe:c7:17:70  0   0         0   0   0
en1      1500    <Link#6>      04:1e:64:ec:73:a9  3393882  0   2455868   0   0
en1      1500    fe80::61e:6   fe80:6::61e:64ff:  3393882  -   2455868   -   -
en1      1500    192.168.0     192.168.0.10       3393882  -   2455868   -   -
en1      1500    2a01:e35:2f   2a01:e35:2f26:d34  3393882  -   2455868   -   -
vmnet    1500    <Link#8>      00:50:56:c0:00:01        0   0         0   0   0
vmnet    1500    192.168.58    192.168.58.1             0   -         0   -   -
vmnet    1500    <Link#9>      00:50:56:c0:00:08        0   0         0   0   0
vmnet    1500    172.16.4/24   172.16.4.1               0   -         0   -   -
utun0    1500    <Link#7>                              26   0        31   0   0
utun0    1500    fe80::d69a:   fe80:7::d69a:20ff       26   -        31   -   -
utun0    1500    fd00:6587:5   fd00:6587:52d7:f8       26   -        31   -   -

.1.2.2    ifconfig

power-mac-g5-de-fred-bovy-6:~ root# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
         inet6 ::1 prefixlen 128
         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
         inet 127.0.0.1 netmask 0xff000000
         inet6 fd6e:28d7:65b4:77b3:d69a:20ff:fed0:f9ae prefixlen 128
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         ether d4:9a:20:d0:f9:ae
         media: autoselect
         status: inactive
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
         lladdr d4:9a:20:ff:fe:c7:17:70
         media: autoselect <full-duplex>
         status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
         ether 04:1e:64:ec:73:a9
         inet6 fe80::61e:64ff:feec:73a9%en1 prefixlen 64 scopeid 0x6
         inet6 2a01:e35:2f26:d340:61e:64ff:feec:73a9 prefixlen 64 autoconf

.1.3    Linux

Linux is the best platform to support a maximum of services such as Mobile IPv6, DHCPv6 and more.
Mobile IPv6 and DHCPv6 are not supported on MAC OS X. MAC OS is based on FreeBSD, so there may be
a way to have them running on a MAC, but it is not a MAC OS X supported feature.
Also with Linux you can enable or disable SLAAC and many parameters for very fine tuning of ND.

Tuning the Kernel

The /proc/sys/net/ipv6 filesystem exports a number of parameters that you might want to set. The
Linux IPv6 HOWTO explains all available parameters, so let me just show you the ones I set in
/etc/sysctl.d/ipv6.conf and load with a call to sysctl -p:

net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.forwarding = 0

.1.3.1    Add an address to an interface

ifconfig <interface> inet6 add <prefix>/<length>

.1.3.2    Remove an address from an interface

ifconfig <interface> inet6 del <prefix>/<length>

.1.3.3    Add a route

route -A inet6 add <destination> gw <next-hop>

.1.3.4    Add a DNS server in the /etc/resolv.conf file

nameserver 2001:db8:233::1
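A check for the kernel settings listed above, added here as an example and not taken from the book: the Python below parses a `sysctl -a`-style dump, reports every key that differs from the values set in /etc/sysctl.d/ipv6.conf, and then looks at the per-interface entries, because conf.default only seeds interfaces created after the file is loaded and whether a conf.all write reaches an interface that already exists depends on the parameter. SAMPLE_DUMP is constructed (it describes a host where eth0 already existed when the file was loaded and one default line was mistyped); the function names are the example's own.

```python
"""Audit the IPv6 kernel settings listed above against what the kernel reports.

Added example, not from the book: it parses a `sysctl -a`-style dump, reports
every key whose value differs from the /etc/sysctl.d/ipv6.conf settings above,
and then checks the per-interface entries, since conf.default only seeds
interfaces created later and conf.all does not reach every parameter.
SAMPLE_DUMP is constructed; on a real host use `sysctl -a 2>/dev/null`.
"""
import re

KEYS = ("autoconf", "accept_ra", "accept_ra_defrtr", "accept_ra_rtr_pref",
        "accept_ra_pinfo", "accept_source_route", "accept_redirects", "forwarding")
# Target values: every key in the ipv6.conf listing above is set to 0
EXPECTED = {"net.ipv6.conf.%s.%s" % (scope, key): 0
            for scope in ("default", "all") for key in KEYS}
LINE_RE = re.compile(r"^\s*([\w./-]+)\s*=\s*(-?\d+)\s*$")
IFACE_RE = re.compile(r"^net\.ipv6\.conf\.([^.]+)\.(\w+)$")

def parse_sysctl_dump(text):
    """Return {key: int} for every 'key = value' line; other lines are ignored."""
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def audit(values, expected=EXPECTED):
    """(key, expected, actual) for each expected key that is missing or differs."""
    return sorted((k, want, values.get(k)) for k, want in expected.items()
                  if values.get(k) != want)

def per_interface_drift(values, expected=EXPECTED):
    """(key, target, actual) for interface entries that disagree with the
    conf.all target of the same parameter (all/default themselves are skipped)."""
    drift = []
    for key, val in values.items():
        m = IFACE_RE.match(key)
        if not m or m.group(1) in ("all", "default"):
            continue
        target = expected.get("net.ipv6.conf.all." + m.group(2))
        if target is not None and val != target:
            drift.append((key, target, val))
    return sorted(drift)

# Constructed dump: the file was loaded, but eth0 existed before it was loaded
# and one 'default' line was mistyped, so the host is not in the intended state.
SAMPLE_DUMP = """\
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_redirects = 1
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.accept_redirects = 1
net.ipv6.conf.eth0.autoconf = 1
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.lo.accept_ra = 0
"""

if __name__ == "__main__":
    vals = parse_sysctl_dump(SAMPLE_DUMP)
    for key, want, got in audit(vals):
        print("MISMATCH %s: expected %s, kernel reports %s" % (key, want, got))
    for key, want, got in per_interface_drift(vals):
        print("DRIFT    %s: interface keeps %s, intended %s" % (key, got, want))
```

Anything reported as DRIFT is the interface-level value, which is the one the kernel consults for ND behaviour on that interface, whatever the all/default entries say. Two caveats when loading the file: `sysctl -p` with no argument reads /etc/sysctl.conf only, so give it the file path or use `sysctl --system` to pick up /etc/sysctl.d/*.conf, and re-run the audit after the interfaces are up, since a file loaded before an interface exists does not change that interface's own entries.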
There are many tools and services available with Linux, and only Linux, like DHCPv6, Mobile IPv6,
IPSec etc.

Example below with both NDPmon and tcpdump utilities.

14:30:13.980542 IP6 (hlim 64, next-header TCP (6) payload length: 32)
2a01:e35:2f26:d340:105d:f22a:d1bd:635e.55318 > 2a00:1450:4009:808::1005.80: Flags
[.], cksum 0xb983 (correct), seq 3060, ack 9779, win 32249, options [nop,nop,TS val
340919915 ecr 1985866212], length 0
       0x0000:    6000 0000 0020 0640 2a01 0e35 2f26 d340          `......@*..5/&.@
       0x0010:    105d f22a d1bd 635e 2a00 1450 4009 0808          .].*..c^*..P@...
       0x0020:    0000 0000 0000 1005 d816 0050 a479 6453          ...........P.ydS
       0x0030:    7a0b 605a 8010 7df9 b983 0000 0101 080a          z.`Z..}.........
       0x0040:    1452 066b 765d e9e4                              .R.kv]..
14:30:13.981120 IP6 (hlim 64, next-header TCP (6) payload length: 32)
2a01:e35:2f26:d340:105d:f22a:d1bd:635e.55318 > 2a00:1450:4009:808::1005.80: Flags
[.], cksum 0xb181 (correct), seq 3060, ack 11461, win 32616, options [nop,nop,TS
val 340919916 ecr 1985866212], length 0
       0x0000:    6000 0000 0020 0640 2a01 0e35 2f26 d340          `......@*..5/&.@
       0x0010:    105d f22a d1bd 635e 2a00 1450 4009 0808          .].*..c^*..P@...
       0x0020:    0000 0000 0000 1005 d816 0050 a479 6453          ...........P.ydS
       0x0030:    7a0b 66ec 8010 7f68 b181 0000 0101 080a          z.f....h........
       0x0040:    1452 066c 765d e9e4                              .R.lv]..
----- ND_NEIGHBOR_SOLICIT -----
Reset timer for 4:1e:64:ec:73:a9 fe80:0:0:0:61e:64ff:feec:73a9
------------------

14:30:16.588733 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32)
fe80::61e:64ff:feec:73a9 > fe80::f6ca:e5ff:fe44:10ef: [icmp6 sum ok] ICMP6, neighbor
solicitation, length 32, who has fe80::f6ca:e5ff:fe44:10ef
          source link-address option (1), length 8 (1): 04:1e:64:ec:73:a9
            0x0000:    041e 64ec 73a9
       0x0000:    6000 0000 0020 3aff fe80 0000 0000 0000          `.....:.........
       0x0010:    061e 64ff feec 73a9 fe80 0000 0000 0000          ..d...s.........
       0x0020:    f6ca e5ff fe44 10ef 8700 e9bb 0000 0000          .....D..........
       0x0030:    fe80 0000 0000 0000 f6ca e5ff fe44 10ef          .............D..
       0x0040:    0101 041e 64ec 73a9                              ....d.s.

----- ND_NEIGHBOR_ADVERT -----
Reset timer for 4:1e:64:ec:73:a9 fe80:0:0:0:61e:64ff:feec:73a9
------------------

14:30:21.598154 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24)
fe80::61e:64ff:feec:73a9 > fe80::f6ca:e5ff:fe44:10ef: [icmp6 sum ok] ICMP6, neighbor
advertisement, length 24, tgt is fe80::61e:64ff:feec:73a9, Flags [solicited]
       0x0000:   6000 0000 0018 3aff fe80 0000 0000 0000   `.....:.........
       0x0010:   061e 64ff feec 73a9 fe80 0000 0000 0000   ..d...s.........
       0x0020:   f6ca e5ff fe44 10ef 8800 94c3 4000 0000   .....D......@...
       0x0030:   fe80 0000 0000 0000 061e 64ff feec 73a9   ..........d...s.
----- ND_ROUTER_SOLICIT -----
Reset timer for 0:c:29:30:33:86 fe80:0:0:0:20c:29ff:fe30:3386
------------------
[SNIP]
Writing cache...
14:37:07.319548 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 64)
fe80::20c:29ff:fe30:3386 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation,
length 64
          source link-address option (1), length 56 (7):
00:0c:29:30:33:86:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:85
:00:00:00:00:00:00:00:00:92:5e:aa:f8:cf:10:08:d4:c6:8b:bf:f4:6f:45:00:f4:4f:13
            0x0000:   000c 2930 3386 0000 0000 0000 0000 0000
            0x0010:   0000 0000 0000 0000 0000 0085 0000 0000
            0x0020:   0000 0000 925e aaf8 cf10 08d4 c68b bff4
            0x0030:   6f45 00f4 4f13
       0x0000:   6000 0000 0040 3aff fe80 0000 0000 0000   `....@:.........
       0x0010:   020c 29ff fe30 3386 ff02 0000 0000 0000   ..)..03.........
       0x0020:   0000 0000 0000 0002 8500 65e5 0000 0000   ..........e.....
       0x0030:   0107 000c 2930 3386 0000 0000 0000 0000   ....)03.........
       0x0040:   0000 0000 0000 0000 0000 0000 0085 0000   ................
       0x0050:   0000 0000 0000 925e aaf8 cf10 08d4 c68b   .......^........
       0x0060:   bff4 6f45 00f4 4f13                       ..oE..O.
----- ND_ROUTER_ADVERT -----
Reset timer for f4:ca:e5:44:10:ef fe80:0:0:0:f6ca:e5ff:fe44:10ef
Warning: wrong ipv6 router f4:ca:e5:44:10:ef fe80:0:0:0:f6ca:e5ff:fe44:10ef
------------------

14:37:07.322231 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 104)
fe80::f6ca:e5ff:fe44:10ef > ff02::1: [icmp6 sum ok] ICMP6, router advertisement,
length 104
        hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable
time 0s, retrans time 0s
          prefix info option (3), length 32 (4): 2a01:e35:2f26:d340::/64, Flags [onlink,
auto], valid time 86400s, pref. time 86400s
            0x0000:   40c0 0001 5180 0001 5180 0000 0000 2a01
            0x0010:   0e35 2f26 d340 0000 0000 0000 0000
          rdnss option (25), length 40 (5):  lifetime 600s, addr: 2a01:e00::2 addr:
2a01:e00::1
            0x0000:   8000 0000 0258 2a01 0e00 0000 0000 0000
            0x0010:   0000 0000 0002 2a01 0e00 0000 0000 0000
            0x0020:   0000 0000 0001
          mtu option (5), length 8 (1):  1480
            0x0000:   0000 0000 05c8
          source link-address option (1), length 8 (1): f4:ca:e5:44:10:ef
            0x0000:   f4ca e544 10ef
       0x0000:   6000 0000 0068 3aff fe80 0000 0000 0000     `....h:.........
       0x0010:   f6ca e5ff fe44 10ef ff02 0000 0000 0000     .....D..........
       0x0020:   0000 0000 0000 0001 8600 2541 4000 0708     ..........%A@...
       0x0030:   0000 0000 0000 0000 0304 40c0 0001 5180     ..........@...Q.
       0x0040:   0001 5180 0000 0000 2a01 0e35 2f26 d340     ..Q.....*..5/&.@
       0x0050:   0000 0000 0000 0000 1905 8000 0000 0258     ...............X
       0x0060:   2a01 0e00 0000 0000 0000 0000 0000 0002     *...............
       0x0070:   2a01 0e00 0000 0000 0000 0000 0000 0001     *...............
       0x0080:   0501 0000 0000 05c8 0101 f4ca e544 10ef     .............D..
14:37:07.387405 IP6 (hlim 255, next-header UDP (17) payload length: 53)
fe80::61e:64ff:feec:73a9.5353 > ff02::fb.5353: [udp sum ok] 0 [2q] A (QM)?
server.exchange.local. AAAA (QM)? server.exchange.local. (45)
       0x0000:   6000 0000 0035 11ff fe80 0000 0000 0000     `....5..........
       0x0010:   061e 64ff feec 73a9 ff02 0000 0000 0000     ..d...s.........
       0x0020:   0000 0000 0000 00fb 14e9 14e9 0035 117a     .............5.z
       0x0030:   0000 0000 0002 0000 0000 0000 0673 6572     .............ser
       0x0040:   7665 7208 6578 6368 616e 6765 056c 6f63     ver.exchange.loc
       0x0050:   616c 0000 0100 01c0 0c00 1c00 01            al...........
14:38:28.549702 IP6 (hlim 255, next-header UDP (17) payload length: 53)
fe80::61e:64ff:feec:73a9.5353 > ff02::fb.5353: [udp sum ok] 0 [2q] A (QM)?
server.exchange.local. AAAA (QM)? server.exchange.local. (45)
       0x0000:   6000 0000 0035 11ff fe80 0000 0000 0000     `....5..........
       0x0010:   061e 64ff feec 73a9 ff02 0000 0000 0000     ..d...s.........
       0x0020:   0000 0000 0000 00fb 14e9 14e9 0035 117a     .............5.z
       0x0030:   0000 0000 0002 0000 0000 0000 0673 6572     .............ser
       0x0040:   7665 7208 6578 6368 616e 6765 056c 6f63     ver.exchange.loc
       0x0050:   616c 0000 0100 01c0 0c00 1c00 01            al...........

Example of a Wireshark screen capture of a Router Advertisement.

.2    Test your IPv6 Stack: http://test-ipv6.com/
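The NDPmon lines in the trace above warn about a router it was not configured to trust ("wrong ipv6 router ..."), right beside the tcpdump hex of the same Router Advertisement. The Python below is an added example, not code from the book or from NDPmon: it rebuilds the packet from the `tcpdump -x` lines, decodes the RS/RA header and the ND options (prefix information, RDNSS, MTU, link-layer address) and applies the checks such a monitor performs: hop limit 255, link-local source, option length sanity, and an allow-list of router link-local address to MAC. RS_HEX and RA_HEX are the two packets from the trace above; TRUSTED_ROUTERS and all function names are the example's own. Run on the Router Solicitation from the trace, it also flags the 56-byte source link-layer address option that tcpdump printed without comment.

```python
"""Decode and sanity-check the Router Solicitation and Advertisement captured above.
Added example (not the book's or NDPmon's code). RS_HEX and RA_HEX are copied from the
tcpdump trace above; TRUSTED_ROUTERS is a constructed allow-list (link-local -> MAC)."""
import ipaddress
import re
import struct

ICMPV6 = 58
ND = {133: ("router_solicitation", 8), 134: ("router_advertisement", 16)}  # name, header len
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+:\s+((?:[0-9a-fA-F]{4}\s)*[0-9a-fA-F]{2,4})")
TRUSTED_ROUTERS = {"fe80::f6ca:e5ff:fe44:10ef": "f4:ca:e5:44:10:ef"}
RS_HEX = """\
0x0000:   6000 0000 0040 3aff fe80 0000 0000 0000   `....@:.........
0x0010:   020c 29ff fe30 3386 ff02 0000 0000 0000   ..)..03.........
0x0020:   0000 0000 0000 0002 8500 65e5 0000 0000   ..........e.....
0x0030:   0107 000c 2930 3386 0000 0000 0000 0000   ....)03.........
0x0040:   0000 0000 0000 0000 0000 0000 0085 0000   ................
0x0050:   0000 0000 0000 925e aaf8 cf10 08d4 c68b   .......^........
0x0060:   bff4 6f45 00f4 4f13                       ..oE..O.
"""
RA_HEX = """\
0x0000:   6000 0000 0068 3aff fe80 0000 0000 0000   `....h:.........
0x0010:   f6ca e5ff fe44 10ef ff02 0000 0000 0000   .....D..........
0x0020:   0000 0000 0000 0001 8600 2541 4000 0708   ..........%A@...
0x0030:   0000 0000 0000 0000 0304 40c0 0001 5180   ..........@...Q.
0x0040:   0001 5180 0000 0000 2a01 0e35 2f26 d340   ..Q.....*..5/&.@
0x0050:   0000 0000 0000 0000 1905 8000 0000 0258   ...............X
0x0060:   2a01 0e00 0000 0000 0000 0000 0000 0002   *...............
0x0070:   2a01 0e00 0000 0000 0000 0000 0000 0001   *...............
0x0080:   0501 0000 0000 05c8 0101 f4ca e544 10ef   .............D..
"""

def parse_tcpdump_hex(text):
    """Rebuild packet bytes from `tcpdump -x` lines, ignoring the ASCII column."""
    groups = [m.group(1) for m in map(HEX_LINE.match, text.splitlines()) if m]
    return bytes.fromhex("".join(groups).replace(" ", ""))

def parse_options(buf):
    """Walk the ND TLV options (RFC 4861 4.6); the length field counts 8-octet units."""
    opts, pos = [], 0
    while pos + 2 <= len(buf):
        otype, olen = buf[pos], buf[pos + 1] * 8
        if olen == 0 or pos + olen > len(buf):      # zero or overlong length: stop here
            opts.append({"type": otype, "malformed": True})
            break
        body, opt = buf[pos + 2:pos + olen], {"type": otype, "length": olen}
        if otype in (1, 2):                         # source / target link-layer address
            opt["lladdr"] = ":".join("%02x" % b for b in body)
        elif otype == 3:                            # prefix information
            opt.update(prefix="%s/%d" % (ipaddress.IPv6Address(body[14:30]), body[0]),
                       on_link=bool(body[1] & 0x80), autonomous=bool(body[1] & 0x40),
                       valid=int.from_bytes(body[2:6], "big"),
                       preferred=int.from_bytes(body[6:10], "big"))
        elif otype == 5:                            # MTU
            opt["mtu"] = int.from_bytes(body[2:6], "big")
        elif otype == 25:                           # recursive DNS servers (RFC 6106)
            opt.update(lifetime=int.from_bytes(body[2:6], "big"),
                       servers=[str(ipaddress.IPv6Address(body[i:i + 16]))
                                for i in range(6, len(body) - 15, 16)])
        opts.append(opt)
        pos += olen
    return opts

def decode_nd(packet):
    """Decode the IPv6 and ICMPv6 headers of an RS or RA; ValueError for anything else."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", packet[4:8])
    icmp = packet[40:40 + payload_len]
    if (next_hdr != ICMPV6 or len(icmp) != payload_len
            or icmp[:1] not in (b"\x85", b"\x86") or len(icmp) < ND[icmp[0]][1]):
        raise ValueError("not a complete router solicitation or advertisement")
    name, hdr_len = ND[icmp[0]]
    msg = {"type": name, "code": icmp[1], "hop_limit": hop_limit,
           "src": str(ipaddress.IPv6Address(packet[8:24])),
           "dst": str(ipaddress.IPv6Address(packet[24:40]))}
    if icmp[0] == 134:                              # RA: hop limit, M/O flags, lifetimes
        chl, flags, life, reach, retrans = struct.unpack("!BBHII", icmp[4:16])
        msg.update(cur_hop_limit=chl, managed=bool(flags & 0x80), other=bool(flags & 0x40),
                   router_lifetime=life, reachable_time=reach, retrans_timer=retrans)
    msg["options"] = parse_options(icmp[hdr_len:])
    return msg

def check_nd_message(msg, trusted_routers):
    """Warnings a monitor such as NDPmon would raise for one decoded message."""
    warnings = []
    if msg["hop_limit"] != 255:                     # RFC 4861: ND packets are never forwarded
        warnings.append("hop limit %d, expected 255" % msg["hop_limit"])
    for o in msg["options"]:
        if o.get("malformed") or (o["type"] in (1, 2) and o["length"] != 8):
            warnings.append("bad option type %d (length %s)" % (o["type"], o.get("length")))
    if msg["type"] == "router_advertisement":
        if not ipaddress.IPv6Address(msg["src"]).is_link_local:
            warnings.append("RA source %s is not link-local" % msg["src"])
        macs = [o["lladdr"] for o in msg["options"] if o["type"] == 1 and "lladdr" in o]
        expected = trusted_routers.get(msg["src"])
        if expected is None:                        # the warning NDPmon printed above
            warnings.append("wrong ipv6 router %s %s" % (macs[0] if macs else "?", msg["src"]))
        elif macs and macs[0] != expected:
            warnings.append("router %s announces MAC %s, expected %s" % (msg["src"], macs[0], expected))
    return warnings
```

With the router present in TRUSTED_ROUTERS the RA passes every check; with an empty allow-list check_nd_message returns exactly the warning NDPmon printed. The ICMPv6 checksum is not recomputed here because tcpdump already reported it as "icmp6 sum ok"; a monitor that parses its own captures should verify it over the IPv6 pseudo-header before trusting any of the decoded fields.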
.3    Test the IPv6 Web Servers

2    Configuration and System Checking on CISCO Routers

2.1    CISCO Routers Mode

A CISCO Router has two main modes of Operation:

2.1.1    Exec Mode (Normal or Privileged).

This mode is used to run any command that displays or resets something. Actually there are 16 levels of
privileges, each giving its own Authorization. The Normal mode is the lowest mode, the one you enter the
router in by default. It is a kind of Read-Only mode where you cannot configure anything, nor even
display the configuration file.
The default prompt is the Router name plus > if you are a Normal user or # if you are privileged:
R2> or R2#

2.1.2    Configuration Mode.

This mode is used to configure the Router. So before giving any configuration command you must enter
this mode with the command "configure terminal". You must be a privileged user to use this command.
This mode has many submodes. For instance, if you want to configure an interface or a routing protocol,
you must first select it to enter its submode.

The default prompt for Router R2 in configuration mode is: R2(config)#

The next step is to configure IPv6 routing with the config command:
R2(config)# ipv6 unicast-routing
In the past you also had to configure CEFv6, as it was not enabled by default, with the command
R2(config)# ipv6 cef
or
R2(config)# ipv6 cef distributed

For some platforms, you had the choice to run a distributed CEFv6 or not.
With distributed CEFv6, a copy of the CEFv6 tables is downloaded to the Line Cards, and the ingress LC
which receives the packet takes the switching decision. The router CPU card is not involved.
The first troubleshooting command I checked when facing a low performance problem was whether CEF
was properly started, with
R2# show ipv6 cef summary

R7#show ip cef summary
IPv4 CEF is enabled and running
VRF Default
 17 prefixes (17/0 fwd/non-fwd)
 Table id 0x0
 Database epoch:        0 (17 entries at this epoch)

R7#show ipv6 cef summary
IPv6 CEF is enabled and running centrally.
VRF Default
 14 prefixes (14/0 fwd/non-fwd)
 Table id 0x1E000000
 Database epoch:         0 (14 entries at this epoch)

2.2    CEFv6

If you have to troubleshoot a CISCO device, one day you will have to deal with CEF!
No DATA PLANE troubleshooting without CEFv6!...

If you are looking for the Engineering Team with the really high-skill guys at cisco, you are looking for
the CEF team! These guys need to do two things that are mutually exclusive, and this all the time: they
must support a maximum number of services and at the same time they must design the fastest code,
because all the cisco switching performance relies on CEF! If an IP feature is not supported by CEF, the
feature has no future if it also has to be efficient. If it is a slow terminal conversion thing which
needs the speed of typing with one finger, fine! But if it must support wire speed? Forget it!
WHY???
We need to get back to the basics of computers to understand...

When a packet is received by an ASIC specialized to process the data coming from a Physical Media port,
an Interrupt is sent to the CPU. An interrupt is a signal transition like 0 to +5V or the opposite.
The Interrupt is raised by the Physical Media Processor to tell the CPU that it has a packet, just like
the Postman raises the flag after he has dropped a few letters in your mailbox! Guess who is called first
by the CPU when it gets the interrupt signal? CEF...
Now CEF must take a decision: either switch the packet in interrupt mode, or queue the packet for further processing in a time-sharing fashion. It is clear that Real-Time traffic will only be supported by the Interrupt mode. So where is the problem? The process in interrupt mode disables any other interrupt. The other Line Cards have a dedicated ASIC with memory to accommodate a few packets, but not too many...
The process must manage the packet as fast as possible, for the protocol which is being routed and for the other traffic waiting to be processed. This is why complex operations cannot be supported by CEF, and this has been the case of NAT-PT in IPv6!
For more details about CEFv6, please click on the link below:
http://www.ipv6forlife.com/Docs/CEFv6InaNutshell.pdf

The next step to configure a Cisco Router for IPv6 is
Then you might be interested to check some other commands listed below:

2.3 CISCO Routers IPv6 Commands

R2(config)#ipv6 ?
  access-list                  Configure access lists
  cef                          Cisco Express Forwarding for IPv6
  cga                          Configure IPv6 certified generated address
  dhcp                         Configure IPv6 DHCP
  general-prefix               Configure a general IPv6 prefix
  hop-limit                    Configure hop count limit
  host                         Configure static hostnames
  icmp                         Configure ICMP parameters
  inspect                      Context-based Access Control Engine
  local                        Specify local options
  mfib                         Multicast Forwarding
  mld                          Global mld commands
  mobile                       Mobile IPv6
  multicast                    IPv6 multicast
  multicast-routing            Enable IPv6 multicast
  nat                          NAT-PT Configuration commands
  nd                           Configure IPv6 ND
  neighbor                     Neighbor
  ospf                         OSPF
  pim                          Configure Protocol Independent Multicast
  port-map                     Port to application mapping (PAM) configuration commands
  prefix-list                  Build a prefix list
  route                        Configure static routes
  router                       Enable an IPV6 routing process
  source-route                 Process packets with source routing header options
  unicast-routing              Enable unicast routing

R2(config)#ipv6
R2(config-subif)#IPV6 ?
IPv6 interface subcommands:
  address              Configure IPv6 address on interface
  authentication       authentication subcommands
  bandwidth-percent    Set EIGRP bandwidth limit
  cga                  Configure cga on the interface
  dhcp                 IPv6 DHCP interface subcommands
  eigrp                Configure EIGRP IPv6 on interface
  enable               Enable IPv6 on interface
  flow                 Flow related commands
  hello-interval       Configures IP-EIGRP hello interval
  hold-time            Configures IP-EIGRP hold time
  inspect              Apply inspect name
  mfib                 Interface Specific MFIB Control
  mld                  interface commands
  mobile               Mobile IPv6
  mode                 Interface mode
  mtu                  Set IPv6 Maximum Transmission Unit
  multicast            multicast
  nat                  Enable IPv6 NAT on interface
  nd                   IPv6 interface Neighbor Discovery subcommands
  next-hop-self        Configures IP-EIGRP next-hop-self
  ospf                 OSPF interface commands
  pim                  PIM interface commands
  policy               Enable IPv6 policy routing
  redirects            Enable sending of ICMP Redirect messages
  rip                  Configure RIP routing protocol
  router               IPv6 Router interface commands
  split-horizon        Perform split horizon
  summary-address      Summary prefix
  traffic-filter       Access control list for packets
  unnumbered           Preferred interface for source address selection
  unreachables         Enable sending of ICMP Unreachable messages
  verify               Enable per packet validation
  virtual-reassembly   IPv6 Enable Virtual Fragment Reassembly

2.4 Display the IPv6 Traffic Statistics

R2#show ipv6 traffic
IPv6 statistics:
  Rcvd:  295 total, 251 local destination
         0 source-routed, 0 truncated
         0 format errors, 0 hop count exceeded
         0 bad header, 0 unknown option, 0 bad source
         0 unknown protocol, 0 not a router
         0 fragments, 0 total reassembled
         0 reassembly timeouts, 0 reassembly failures
  Sent:  278 generated, 0 forwarded
         0 fragmented into 0 fragments, 0 failed
         0 encapsulation failed, 0 no route, 0 too big
         0 RPF drops, 0 RPF suppressed drops
  Mcast: 276 received, 259 sent

ICMP statistics:
  Rcvd: 49 input, 0 checksum errors, 0 too short
        0 unknown info type, 0 unknown error type
        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
        parameter: 0 error, 0 header, 0 option
        0 hopcount expired, 0 reassembly timeout,0 too big
        10 echo request, 0 echo reply
        0 group query, 0 group report, 0 group reduce
        0 router solicit, 20 router advert, 0 redirects
        4 neighbor solicit, 5 neighbor advert
  Sent: 46 output, 0 rate-limited
        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
        parameter: 0 error, 0 header, 0 option
        0 hopcount expired, 0 reassembly timeout,0 too big
        0 echo request, 10 echo reply
        0 group query, 0 group report, 0 group reduce
        0 router solicit, 23 router advert, 0 redirects
        7 neighbor solicit, 6 neighbor advert

UDP statistics:
  Rcvd: 212 input, 0 checksum errors, 0 length errors
        0 no port, 0 dropped
  Sent: 212 output

TCP statistics:
  Rcvd: 0 input, 0 checksum errors
  Sent: 0 output, 0 retransmitted

2.5 Display the Neighbor Cache

R2# show ipv6 neighbor
IPv6 Address                              Age Link-layer Addr State Interface
2001:DB8:CAFE:11::1                        52 ca00.0494.0006  STALE Fa0/1.11
FE80::C800:4FF:FE94:6                      44 ca00.0494.0006  STALE Fa0/1.11

2.6 Display the Routers Cache

R2# sh ipv6 routers
Router FE80::C800:4FF:FE94:6 on FastEthernet0/1.11, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
  Prefix 2001:DB8:CAFE:11::/64 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800

2.7 CEFv6 !!! Mandatory knowledge to Troubleshoot the Cisco Routers data plane !

When you want to trace the handling of a packet in a CISCO router, you need to take a look at the CEFv6 table. IPv6 packet switching is performed by CEFv6. CEFv6 resolves all the recursions that you may find in an IPv6 routing table and sets up an optimized structure (an mtrie) for very quick lookup and easy maintenance. The CEFv6 table works with the help of the adjacency table, which gives the mapping between the IPv6 next hop and the layer 2 address.

R1#show ipv6 cef 2001:db8:cafe:10::/64 internal
2001:DB8:CAFE:10::/64, epoch 0, RIB[I], refcount 4, per-destination sharing
  sources: RIB
  feature space:
   IPRM: 0x00038000
  ifnums:
   FastEthernet0/1.11(11): FE80::C801:4FF:FE94:6
  path 6822BA1C, path list 6822A77C, share 1/1, type attached nexthop, for IPv6
  nexthop FE80::C801:4FF:FE94:6 FastEthernet0/1.11, adjacency IPV6 adj out of FastEthernet0/1.11, addr FE80::C801:4FF:FE94:6 66F91C60
  output chain: IPV6 adj out of FastEthernet0/1.11, addr FE80::C801:4FF:FE94:6 66F91C60

Once the CEFv6 entry is found, we need to look for the matching next-hop entry in the adjacency table. In the adjacency entry we find the origin of the resolution, like ND for IPv6 or ARP for IPv4.

If the router is currently resolving the IPv6 next hop to a layer 2 MAC Address, the entry will be in the state INCOMPLETE. The packet which has triggered the resolution must be buffered, waiting for the resolution to complete. Once the resolution is complete, the packet will be encapsulated and sent to its destination. This is different from IPv4, where the packet was dropped. We used to get 80% the first time we pinged a destination because the first packet was dropped. This is no longer the case and we should get 100% even the first time.

R1#show adjacency FE80::C801:4FF:FE94:6
Protocol Interface                 Address
IPV6     FastEthernet0/1.11        FE80::C801:4FF:FE94:6(7)

R1#show adjacency FE80::C801:4FF:FE94:6 internal
Protocol Interface                 Address
IPV6     FastEthernet0/1.11        FE80::C801:4FF:FE94:6(7)
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 1
                                   Encap length 18
                                   CA0104940006CA00049400068100000B
                                   86DD
                                   IPv6 ND
                                   Fast adjacency enabled [OK]
                                   L3 mtu 1500
                                   Flags (0x11A9E)
                                   Fixup disabled
                                   HWIDB/IDB pointers 0x66CCDD10/0x67E58500
                                   IP redirect enabled
                                   Switching vector: IPv6 adjacency oce
                                   Adjacency pointer 0x66F91C60

Addresses of an IPv6 Host:
- A link-local.
- One or many unicast addresses.
- One loopback ::1.
- On each interface:
  - Local node scope all-nodes multicast address: FF01::1
  - A Link-local scope all-nodes multicast address: FF02::1
  - A solicited-node multicast address for each unicast address.

Router IPv6 Addresses:
- The loopback ::1 for the router.
- A link-local for each link.
- As many global addresses as needed.
- Multicast addresses such as all-nodes ff02::1, all-routers ff02::2.

Example of a CISCO router:

R0> show ipv6 int f1/0
FastEthernet1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C800:6FF:FEA9:1C
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:DB8:C0A8:A:C800:6FF:FEA9:1C, subnet is 2001:DB8:C0A8:A::/64 [EUI]
    2001:DB8:C0A8:B:C800:6FF:FEA9:1C, subnet is 2001:DB8:C0A8:B::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FFA9:1C
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
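The adjacency rewrite string and the [EUI] addresses above are linked by a few bit operations. The following is an added example, not code from the book or from Cisco: it decodes the 18-byte "Encap" string of the show adjacency internal output (destination MAC, source MAC, 802.1Q tag, EtherType) and derives the EUI-64 link-local and solicited-node multicast addresses from a MAC; the rewrite string and the MACs come from the outputs on this page, the function names are mine.

```python
import ipaddress

# Rewrite string copied from the "Encap length 18" line of the
# show adjacency ... internal output above (dst MAC, src MAC, 802.1Q tag, EtherType).
ADJ_ENCAP_HEX = "CA0104940006CA00049400068100000B86DD"

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV6 = 0x86DD


def cisco_mac(raw):
    """Format 6 raw bytes the way IOS prints them: ca01.0494.0006."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def mac_bytes(text):
    """Accept ca01.0494.0006, ca:01:04:94:00:06 or ca-01-04-94-00-06."""
    raw = bytes.fromhex(text.replace(".", "").replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be 48 bits")
    return raw


def parse_rewrite(hex_str):
    """Decode a CEF adjacency rewrite (the L2 header prepended to every packet).

    Returns destination and source MAC, the VLAN id when an 802.1Q tag is
    present, the payload EtherType and the total encapsulation length.
    """
    raw = bytes.fromhex(hex_str)
    if len(raw) < 14:
        raise ValueError("rewrite shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    ethertype = int.from_bytes(raw[12:14], "big")
    vlan, offset = None, 14
    if ethertype == ETHERTYPE_VLAN:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci = int.from_bytes(raw[14:16], "big")
        vlan = tci & 0x0FFF                      # low 12 bits of the TCI = VLAN id
        ethertype = int.from_bytes(raw[16:18], "big")
        offset = 18
    if offset != len(raw):
        raise ValueError("unexpected trailing bytes in rewrite")
    return {"dst": cisco_mac(dst), "src": cisco_mac(src), "vlan": vlan,
            "ethertype": ethertype, "encap_length": offset}


def eui64_link_local(mac):
    """Modified EUI-64 link-local (RFC 4291): flip the U/L bit, insert FFFE."""
    b = bytearray(mac_bytes(mac))
    b[0] ^= 0x02
    iid = bytes(b[0:3]) + b"\xff\xfe" + bytes(b[3:6])
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def solicited_node(addr):
    """Solicited-node multicast group FF02::1:FFxx:xxxx of a unicast address."""
    low24 = ipaddress.IPv6Address(addr).packed[13:16]
    return ipaddress.IPv6Address(bytes.fromhex("ff0200000000000000000001ff") + low24)


def nd_entry_consistent(addr, mac):
    """True when a neighbor cache entry's address is the EUI-64 link-local of its MAC.

    Only meaningful for link-locals built from the MAC (not privacy or manual ones);
    a mismatch is a reason to look closer, not proof of anything by itself.
    """
    return ipaddress.IPv6Address(addr) == eui64_link_local(mac)


if __name__ == "__main__":
    rw = parse_rewrite(ADJ_ENCAP_HEX)
    print(rw)                                   # dst ca01.0494.0006, VLAN 11, IPv6
    print(eui64_link_local(rw["dst"]))          # fe80::c801:4ff:fe94:6, the adjacency address
    print(solicited_node("2001:db8:c0a8:a:c800:6ff:fea9:1c"))   # ff02::1:ffa9:1c
```

The decoded destination MAC gives back exactly the adjacency's next-hop link-local, and the solicited-node group of the [EUI] global address is the FF02::1:FFA9:1C seen under "Joined group address(es)".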
Chapter 7
Addresses, Names & Services Mgmt.

We need to manage IPv6 addresses 4 times longer than IPv4, and the good old spreadsheet that we were using for IPv4 does not make it any more! With long addresses, good name management is key for a successful deployment! New software named IPAM is now the MUST have for any network to solve this important question.
DHCPv6 & DNS
  1. Summary of dynamic addressing
  2. SLAAC, DHCPv6 Stateful, Stateless Operations
  3. DHCPv6
  4. DHCP-PD Prefix Delegation

IPv6 supports 3 different methods to provide dynamic addressing, which can be combined as they are not mutually exclusive!
Without any DHCPv6 it can be plug and play thanks to SLAAC.
A DHCPv6 Server can be added to get more details about the servers after we have figured out our IPv6 addresses without it.
DHCPv6 can be used to provide a full block of addresses for the whole site.
DHCPv6 CANNOT REPLACE ND PROTOCOL (RA)

1 DHCPV6

1.1 Introduction

DHCPv6 is DHCP support for IPv6 and has been enhanced to support multiple modes of operation. It is documented in many RFCs as multiple modes exist.
The principal mode is described in RFC3315.
Also, the presence of DHCPv6 must be advertised by the routers in the Router Advertisements (NDP) for the workstation to send requests, or the DHCPv6 servers will be ignored.
The basic DHCPv6 RFC3315 provides Authentication for the messages to avoid any sort of Rogue DHCP Server.
DHCPv6 can be used in 3 Modes:
Stateful DHCPv6. This is the standard DHCP Operation. The request includes both Addresses and Other Information.
Stateless DHCPv6, RFC3736. This is a new mode in IPv6 where we do not want to get any Address from the DHCPv6 Servers but only Other Information like domain name, DNS and other Servers addresses. It is called stateless because in this mode the DHCPv6 Server does not need to keep any state: it does not allocate any address to remember and manage.
DHCPv6 Prefix Delegation, RFC3633. This is also a new mode for DHCP. It is used to request a full block from the Service Provider. The block is allocated and then the block can be subnetted at will. This mode is very convenient for some SPs who can manage the Prefixes allocated to each customer from a DHCPv6 Server which gets the Prefix for each customer from a Radius Server.

We have seen that at the end of the SLAAC process, a booting Workstation or an interface coming up may eventually request a DHCPv6 Server for more configuration.
The bits which control this are contained in a field of the RA called Flags.
If the Managed bit (M-bit) is set in the Flags of the RA, the workstation makes a full request including Address(es) and other information. This is Stateful DHCPv6 because the server needs to keep state for the allocated addresses.
If the Other bit (O-bit) is set in the Flags of the RA, the workstation just requests Other information and NO ADDRESS. This is Stateless DHCPv6.
These bits MUST be set on the interfaces of the local routers where the workstations which need to request DHCPv6 servers are located.
For a Quick Video Presentation of DHCPv6, there is a series of Tutorials starting with Part1 from:
http://www.ipv6forlife.com/Tutorial/DHCPv6-Part1.html

1.2 DHCPv6 Commands and Fields

DHCPv6 protocol basic operations are not very different from IPv4; the message names are different and multicast is used more in IPv6, but it is pretty much the same protocol. A DHCPv6 Server can provide Address(es) for a client and Other Information like the Domain name or any Server Addresses.

1.2.1 DUID

Each client and server is identified by its DHCP Unique Identifier (DUID). This Identifier is mostly derived from one of the DHCP node's MAC Addresses, but it can be:
1       Link-layer address plus time
2       Vendor-assigned unique ID based on Enterprise Number
3       Link-layer address
The DUIDs are very important for a protocol which uses a lot of Multicast messages to reach many Servers or Relays.
See RFC3315 section 9 for details of the ways in which a DUID may be constructed.

1.2.2 Transaction IDs

A Transaction ID is used to identify all the messages from the same Transaction. It permits pairing a solicit with a reply, and should be chosen randomly with algorithms making it quite impossible to guess!

1.2.3 IPv6 UDP Port Numbers

DHCPv6 is encapsulated in UDP over IPv6.
DHCPv6 Clients use port 546 and Servers use port 547.

1.2.4 IPv6 Multicast Addresses

DHCPv6 also uses IPv6 Multicast addresses:
- All_DHCP_Relay_Agents_and_Servers (ff02::1:2)
This is a Link-local IPv6 Multicast Address used by the Clients to communicate with all the local Servers and Relays. Only the DUID permits each one to see that the packet is for itself.
- All_DHCP_Servers (ff05::1:3)
This is a Site-local IPv6 Multicast Address which is used by the Relays to forward the local Clients' Requests to all the DHCPv6 Servers of the Site that have registered this Multicast group. Multicast routing must be enabled on all the site routers.
DHCPv6 Relays can be used to encapsulate the messages from the Clients to the Servers and vice versa.

1.2.5 Identity Association (IA)

Basically we need an Identity Association to request address(es) for each interface.
See RFC 3315 Section 10 for an excellent definition:
'An "identity-association" (IA) is a construct through which a server and a client can identify, group, and manage a set of related IPv6 addresses. Each IA consists of an IAID and associated configuration information.
A client must associate at least one distinct IA with each of its network interfaces for which it is to request the assignment of IPv6 addresses from a DHCP server. The client uses the IAs assigned to an interface to obtain configuration information from a server for that interface. Each IA must be associated with exactly one interface.'
To get more details about how the addresses are allocated from the server, please see Section 11 of RFC3315.
Another example of the use of IAs would be a Virtual Server with many virtual interfaces. Each virtual group of Interfaces playing the same role will be using the same Identity Association.

1.2.6 Client/Server ID

DHCPv6 uses a lot of Multicast. The SOLICIT and REQUEST messages are sent to All_DHCP_Relay_Agents_and_Servers (FF02::1:2). So it is important to identify both Client and Server with something other than the address.
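To make the fields of 1.2.1 to 1.2.6 concrete, here is an added example (not code from the book) that builds a SOLICIT message with a DUID-LLT CLIENTID, one IA_NA and an Option Request Option, parses it back with length checks, and applies the client-side check that pairs an ADVERTISE or REPLY with the outstanding transaction by Transaction ID and DUID. The message types and option codes are the ones listed in this chapter; the sample MAC, DUID time and transaction id are constructed, and the function names are mine.

```python
import struct

# Constants from RFC 3315 as listed in this chapter (the names are mine).
ALL_DHCP_RELAY_AGENTS_AND_SERVERS, CLIENT_PORT, SERVER_PORT = "ff02::1:2", 546, 547
MSG_TYPES = {
    1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW",
    6: "REBIND", 7: "REPLY", 8: "RELEASE", 9: "DECLINE", 10: "RECONFIGURE",
    11: "INFORMATION-REQUEST", 12: "RELAY-FORW", 13: "RELAY-REPL",
}
OPTION_CLIENTID, OPTION_SERVERID, OPTION_IA_NA = 1, 2, 3
OPTION_IA_TA, OPTION_IAADDR, OPTION_ORO = 4, 5, 6
DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3          # DUID types, RFC 3315 section 9

def duid_llt(mac, secs_since_2000):
    """DUID type 1: link-layer address plus time; hardware type 1 = Ethernet."""
    return struct.pack("!HHI", DUID_LLT, 1, secs_since_2000) + mac

def option(code, payload):
    """Option TLV: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload

def build_solicit(xid, duid, iaid, oro_codes):
    """SOLICIT (1) with CLIENTID, one IA_NA and an Option Request Option (ORO)."""
    if not 0 <= xid < (1 << 24):
        raise ValueError("transaction-id is a 24-bit field")
    ia_na = struct.pack("!III", iaid, 0, 0)    # IAID, T1, T2 (0 = server chooses)
    msg = bytes([1]) + xid.to_bytes(3, "big")  # msg-type, transaction-id
    msg += option(OPTION_CLIENTID, duid)
    msg += option(OPTION_IA_NA, ia_na)
    msg += option(OPTION_ORO, b"".join(struct.pack("!H", c) for c in oro_codes))
    return msg

def parse_options(buf):
    """Walk option TLVs, refusing any length that overruns the buffer."""
    opts, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option length exceeds message")
        opts.append((code, buf[off:off + length]))
        off += length
    return opts

def decode_duid(payload):
    """Decode DUID-LLT (type 1); other types are returned as raw hex."""
    if len(payload) < 2:
        raise ValueError("DUID too short")
    dtype = struct.unpack_from("!H", payload, 0)[0]
    if dtype == DUID_LLT:
        if len(payload) < 8:
            raise ValueError("DUID-LLT too short")
        hw, t = struct.unpack_from("!HI", payload, 2)
        return {"type": "DUID-LLT", "hw_type": hw, "time": t, "lladdr": payload[8:].hex()}
    return {"type": dtype, "raw": payload[2:].hex()}

def parse_message(data):
    """Decode msg-type, transaction-id and the options used in this chapter."""
    if len(data) < 4:
        raise ValueError("message shorter than the 4-byte header")
    msg = {"type": MSG_TYPES.get(data[0], data[0]),
           "xid": int.from_bytes(data[1:4], "big"), "options": {}}
    for code, payload in parse_options(data[4:]):
        if code in (OPTION_CLIENTID, OPTION_SERVERID):
            msg["options"][code] = decode_duid(payload)
        elif code == OPTION_IA_NA:
            if len(payload) < 12:
                raise ValueError("IA_NA shorter than IAID/T1/T2")
            iaid, t1, t2 = struct.unpack_from("!III", payload, 0)
            msg["options"][code] = {"iaid": iaid, "t1": t1, "t2": t2,
                                    "sub": parse_options(payload[12:])}
        elif code == OPTION_ORO:
            if len(payload) % 2:
                raise ValueError("ORO is a list of 16-bit option codes")
            msg["options"][code] = list(struct.unpack("!%dH" % (len(payload) // 2), payload))
        else:
            msg["options"][code] = payload
    return msg

def accept_reply(sent_xid, own_duid, data):
    """Client-side check before acting on an ADVERTISE/REPLY: the transaction-id must
    match the outstanding SOLICIT and the CLIENTID must be our own DUID, since the
    answer to a multicast SOLICIT may not be meant for this client at all."""
    reply = parse_message(data)
    return (reply["type"] in ("ADVERTISE", "REPLY")
            and reply["xid"] == sent_xid
            and reply["options"].get(OPTION_CLIENTID) == decode_duid(own_duid))

# Constructed sample: client MAC ca00.06a9.001c (the MAC behind the EUI-64 address
# in the previous chapter's show ipv6 interface output), fixed DUID time, chosen xid.
CLIENT_DUID = duid_llt(bytes.fromhex("ca0006a9001c"), 0x12345678)
# ORO asks for codes 23 and 24 (DNS servers, domain search list; RFC 3646).
SAMPLE_SOLICIT = build_solicit(0x3A1B2C, CLIENT_DUID, iaid=1, oro_codes=[23, 24])
```

Sending SAMPLE_SOLICIT to ALL_DHCP_RELAY_AGENTS_AND_SERVERS on SERVER_PORT from CLIENT_PORT is the first exchange of 1.2.7.1; accept_reply is what lets the client ignore the replies that reach it only because they were multicast.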
1.2.7 DHCP Messages

There are 13 messages to support the DHCPv6 Operations. There is no need to explain each message
one by one, but we will explain most if not all of them as we get into the details of how DHCPv6
operates.

For a full list with explanations, please refer to Section 5.3 of RFC3315.

The 13 messages are:
SOLICIT 1
ADVERTISE 2
REQUEST 3
CONFIRM 4
RENEW 5
REBIND 6
REPLY 7
RELEASE 8
DECLINE 9
RECONFIGURE 10
INFORMATION-REQUEST 11
RELAY-FORW 12
RELAY-REPL 13

1.2.7.1 Used during the startup without Relays

SOLICIT (1), ADVERTISE (2), REQUEST (3), REPLY (7)

1.2.7.2 If a Relay is used, we must add to the previous ones

RELAY-FORW (12), RELAY-REPL (13)

1.2.7.3 To Refresh an Address Reservation

RENEW (5), REBIND (6), REPLY (7)

1.2.7.4 To Request Information Only (Stateless DHCPv6)

INFORMATION-REQUEST (11)

1.2.7.5 Client doesn't need this address anymore

RELEASE (8)

1.2.7.6 Client confirms that the allocated address is still OK

CONFIRM (4)

1.2.7.7 Client refuses an address already in use

DECLINE (9)

1.2.7.8 A new config is available and needs a new Request

RECONFIGURE (10)

1.2.7.9 DHCP Messages Authentication

DHCPv6 messages can be authenticated, see Section 21 of RFC3315. This would make a Rogue
DHCP Server impossible. It is open to any Authentication Protocol and can manage the keys of a
DHCPv6 Server Realm.

A DHCPv6 Realm is a name used to identify the DHCP administrative domain from which a DHCP
authentication key was selected.

1.2.8 DHCP Options

All the Information which is requested by a client or given by a Server is actually coded in DHCPv6
Options.

The full list is:
OPTION_CLIENTID 1
OPTION_SERVERID 2
OPTION_IA_NA 3
OPTION_IA_TA 4
OPTION_IAADDR 5
OPTION_ORO 6
OPTION_PREFERENCE 7
OPTION_ELAPSED_TIME 8
OPTION_RELAY_MSG 9
OPTION_AUTH 11
OPTION_UNICAST 12
OPTION_STATUS_CODE 13
OPTION_RAPID_COMMIT 14
OPTION_USER_CLASS 15
OPTION_VENDOR_CLASS 16
OPTION_VENDOR_OPTS 17
OPTION_INTERFACE_ID 18
OPTION_RECONF_MSG 19
OPTION_RECONF_ACCEPT 20

There are actually MORE OPTIONS which are added by other RFCs:

IA_PD (RFC3633, Section 10) for DHCP Prefix Delegation

DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6):
http://tools.ietf.org/html/rfc3646

For all details, please see Section 22 of RFC3315.

1.2.8.1 Client ID and Server ID Option

These options carry the Client DUID to the Server and the Server DUID to the Client. Generally, a
MAC Address is used.

1.2.8.2 Addresses

1.2.8.2.1 IAADDR Option

The IAADDR Option permits carrying the IPv6 Dynamic Addresses allocated by the Server.

Like the Prefixes advertised in the RA, which permit deriving IPv6 Addresses for the interfaces,
the IAADDR Option has a Preferred Lifetime and a Valid Lifetime for each allocated Address.
This permits IPv6 to manage the dynamic addresses Lifecycle like the addresses derived from Prefixes
contained in the RA. See the figure for more details about the states of a dynamic Address.
Remember that an Address must remain in the Preferred State if we want to use it, so Preferred and
Valid Lifetime must be chosen carefully.

The IAADDR IPv6 Dynamic Address Option must be encapsulated in one of the following, IA_NA or
IA_TA. We can see the IAADDR Options with a yellow background and Red letters in both the IA_NA and
IA_TA figures.

1.2.8.2.2 IA_NA Option

The IA_NA is used to encapsulate Non-Temporary Addresses.
There are two timers associated with the Refreshing of IPv6 Addresses.
T1 is the timer that tells when to query the DHCPv6 Server which has allocated the Address.
T2 is the timer that tells when to query any DHCPv6 Server for an Address.
Care should be taken in setting T1 or T2 to 0xffffffff ("infinity"). A client will never attempt to extend the
lifetimes of any addresses in an IA with T1 set to 0xffffffff. A client will never attempt to use a Rebind
message to locate a different server to extend the lifetimes of any addresses in an IA with T2 set to
0xffffffff.

1.2.8.2.3 IA_TA Option

The IA_TA is used to encapsulate Temporary Addresses (Privacy Extension RFC4941). There is no
Timer associated with it.

1.2.8.3 Prefix Delegation

This is used in DHCP-PD (RFC3633) to request and provide a full block like 2001:db8:678::/48 to
allocate to all the buildings of a Company in a City, for instance.

1.2.8.4 Option Request Option (ORO)

The ORO is used to provide the list of the Options which are requested by a client or need to be
reconfigured from the server. For instance, if the Client requested the Domain Name, it is in the ORO
Option.

"A client MAY include an Option Request option in a Solicit, Request, Renew, Rebind, Confirm or
Information-request message to inform the server about options the client wants the server to send to
the client. A server MAY include an Option Request option in a Reconfigure option to indicate which
options the client should request from the server."
http://tools.ietf.org/html/rfc3315#section-22.7

Example of a Captured ORO:

1.2.9 Status Code Option

It is used to report the status of an operation. If it does not appear where it should, success is
assumed.

1.2.10 Preference Option

It is possible for the servers to give a level of preference when multiple servers are available. When
the client receives multiple ADVERTISE messages, the client will prefer the server with the highest
Preference.

Elapsed Time Option
This is used by the client to measure the duration of an exchange. For instance, if an exchange lasts
too long, the client may use a secondary server.

1.2.11 Relay

1.2.11.1 Relay Message Option

It contains the DHCP message encapsulated by the relay in a Relay-Forward or a Relay-Reply
Message.

1.2.11.2 Interface-ID Option

This option may be added by a Relay to add the Interface-Id on which the message was received. The
Relay will use it to forward the reply back to the right interface.

1.2.12 Authentication Option

Used for DHCP message Authentication. Useful to avoid Rogue DHCP Servers.
1.2.13 Server Unicast Option

The server sends this option to a client to indicate that the client may send messages directly to the
server. This way the client can bypass any Relay.
RFC3315, Section 18.1:
"Use of unicast may avoid delays due to the relaying of messages by relay agents, as well as avoid
overhead and duplicate responses by servers due to the delivery of client messages to multiple
servers. Requiring the client to relay all DHCP messages through a relay agent enables the inclusion of
relay agent options in all messages sent by the client. The server should enable the use of unicast
only when relay agent options will not be used."

1.2.14 Rapid Commit Option

This option permits some transactions to be only 2-way (Solicit, Reply) instead of 4-way. It is set in the
Solicit message by the client.

1.2.15 User Class Option

This option permits one to configure multiple classes of users that do not need the same parameters.
For instance, some clients may need a SIP server address and some don't.

1.2.16 Vendor

1.2.16.1 Vendor Class Option
This option, set by the client, tells the server which Vendor's platform the client is running on.

1.2.16.2 Vendor-Specific Information Option
This Option allows some Vendor-Specific information to be exchanged between the Client and the
Server.

1.2.17 Reconfigure

1.2.17.1 Reconfigure Message Option
This Option is used when a server has been reconfigured. It asks the client to send a message to
get a new config. In a Reconfigure message, this Option tells the client whether it must respond with a
Renew message to request an address or an Information-Request message to request Other
Information.

1.2.17.2 Reconfigure Accept Option
A client uses this option to tell the server whether it accepts Reconfigure messages.
The server uses this option to tell the client whether or not to accept Reconfigure messages.
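As an added illustration of the message types of 1.2.7 and the options of 1.2.8 (this is example code written for this page, not the book's), the following builds a Solicit and several Advertise messages, decodes them, and models how a client keeps only the Advertises for its own Transaction ID and picks the server with the highest Preference (1.2.10). All DUIDs, addresses, timers and the use of DUID-LL are constructed sample choices.

```python
"""Added example, not the book's code: build and decode DHCPv6 messages
carrying the options of 1.2.8 (Client/Server ID as DUID-LL, ORO, IA_NA with
T1/T2, IAADDR with lifetimes, Elapsed Time, Preference), then model the
client choosing among several Advertise messages (1.2.10). All DUIDs,
addresses and timers are constructed sample values."""
import struct
import ipaddress

# Message types (RFC 3315 section 5.3) and option codes (section 24.3)
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR = 1, 2, 3, 5
OPT_ORO, OPT_PREFERENCE, OPT_ELAPSED_TIME = 6, 7, 8
OPT_STATUS_CODE, OPT_RAPID_COMMIT = 13, 14
OPT_DNS_SERVERS = 23          # from RFC 3646, the DNS option mentioned in 1.2.8
INFINITY = 0xFFFFFFFF         # the T1/T2 value 1.2.8.2.2 warns about


def option(code, payload):
    """option-code (2) + option-len (2) + option-data."""
    return struct.pack("!HH", code, len(payload)) + payload


def duid_ll(mac):
    """DUID-LL (type 3, hardware type 1): the 'MAC address' DUID of 1.2.8.1."""
    return struct.pack("!HH", 3, 1) + bytes.fromhex(mac.replace(":", ""))


def iaaddr(addr, preferred, valid):
    """IAADDR: 16-byte address followed by preferred and valid lifetimes."""
    return option(OPT_IAADDR, ipaddress.IPv6Address(addr).packed
                  + struct.pack("!II", preferred, valid))


def ia_na(iaid, t1, t2, addrs=()):
    """IA_NA: IAID, T1, T2, then any number of IAADDR sub-options."""
    return option(OPT_IA_NA, struct.pack("!III", iaid, t1, t2) + b"".join(addrs))


def message(msg_type, xid, options):
    """msg-type (1 byte) + transaction-id (3 bytes) + options."""
    return bytes([msg_type]) + xid.to_bytes(3, "big") + b"".join(options)


def build_solicit(xid, client_duid):
    """Solicit of 1.3.1.1: who I am, what I want (ORO), an empty IA_NA, elapsed time 0."""
    return message(SOLICIT, xid, [
        option(OPT_CLIENTID, client_duid),
        option(OPT_ORO, struct.pack("!H", OPT_DNS_SERVERS)),
        ia_na(iaid=1, t1=0, t2=0),
        option(OPT_ELAPSED_TIME, struct.pack("!H", 0)),
    ])


def build_advertise(xid, client_duid, server_duid, preference, addr):
    """Advertise of 1.3.1.2: echoes the Client ID, adds Server ID, Preference and an offer."""
    return message(ADVERTISE, xid, [
        option(OPT_CLIENTID, client_duid),
        option(OPT_SERVERID, server_duid),
        option(OPT_PREFERENCE, bytes([preference])),
        ia_na(1, 3600, 5760, [iaaddr(addr, 7200, 86400)]),
    ])


def parse_options(data):
    """Walk the TLVs; IA_NA and IAADDR payloads are decoded into dicts."""
    out, pos = [], 0
    while pos + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, pos)
        payload = data[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated option %d" % code)
        pos += 4 + length
        if code == OPT_IA_NA:
            iaid, t1, t2 = struct.unpack_from("!III", payload)
            payload = {"iaid": iaid, "t1": t1, "t2": t2,
                       "options": parse_options(payload[12:])}
        elif code == OPT_IAADDR:
            preferred, valid = struct.unpack_from("!II", payload, 16)
            payload = {"addr": str(ipaddress.IPv6Address(payload[:16])),
                       "preferred": preferred, "valid": valid}
        out.append((code, payload))
    return out


def parse_message(data):
    if len(data) < 4:
        raise ValueError("DHCPv6 message shorter than its 4-byte header")
    return {"type": data[0], "xid": int.from_bytes(data[1:4], "big"),
            "options": parse_options(data[4:])}


def choose_server(xid, advertises):
    """Client side of 1.2.10: keep only Advertises for our Transaction ID and
    return the Server DUID with the highest Preference (missing = 0)."""
    best = None
    for raw in advertises:
        msg = parse_message(raw)
        if msg["type"] != ADVERTISE or msg["xid"] != xid:
            continue   # stale or unrelated message: the Transaction ID check
        opts = dict(msg["options"])
        pref = opts.get(OPT_PREFERENCE, b"\x00")[0]
        if best is None or pref > best[0]:
            best = (pref, opts[OPT_SERVERID])
    return None if best is None else best[1]


def renew_schedule(ia):
    """What the client will do with a decoded IA_NA, per the 0xffffffff rule of 1.2.8.2.2."""
    return {"renew_after": None if ia["t1"] == INFINITY else ia["t1"],
            "rebind_after": None if ia["t2"] == INFINITY else ia["t2"]}
```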
1.3 DHCPv6 Startup

The DHCPv6 messages used during the initialization to request Addresses and/or Other Information
are the following.

1.3.1 Client & Server(s) are on the same link

1.3.1.1 Solicit

The client first sends a Solicit discovery message. It is not a reservation request when an address is
needed, just a discovery to figure out which server around is available and could provide the
information needed.
The destination address is the All Servers and Relays Link-local Multicast Address ff02::1:2; the Source
is the Workstation Link-local Address.
The information needed by the client is listed in the Option Request Option (ORO).

1.3.1.2 Advertise

The Server(s) reply with an Advertise including all the available resources matching the client's
ORO. This is sent back to the Link-Local address of the Client.

1.3.1.3 Request

The Request is sent to the All Servers and Relays Link-local Multicast Address ff02::1:2; the Source is
the Workstation Link-local Address.
The DUID of the Server is used to identify which server we want to use.

1.3.1.4 Reply

The Server provides the Reservation if an address has been requested, and Information Only if this is
what we have requested (Information-Request).

1.3.2 Client & Server(s) use a Relay

If the Server is not located on the same link as the client, a Relay is needed in between. The Relay will
encapsulate the request to the Server as Unicast Messages of any kind, Anycast, or the Well-known
site-local Multicast ff05::1:3.

The Relay encapsulates the request in a Relay-Forward to the Server, and the server encapsulates its
response in a Relay-Reply Message.

1.3.3 DHCP-PD Startup Example

In this example, the client sends a Solicit with an IA_PD requesting a Prefix from the server. It is
forwarded by the Relay. The server Advertises a Prefix and gives the Server Unicast Option for the Client
to send its request in a Unicast message.
This is why the Request and the Reply bypass the Relay.
The Server provides a block, for instance 2001:db8:678::/48, which can be used and subnetted by the
DHCP-PD client.

1.4 DHCPv6 Configuration Management

"A client uses Request, Renew, Rebind, Release and Decline messages during the normal life cycle
of addresses. It uses Confirm to validate addresses when it may have moved to a new link. It uses
Information-Request messages when it needs configuration information but no addresses." (Section
18.1, RFC3315)

1.4.1 Address Refreshment initiated by the Client

Once the Address has been allocated, it must be maintained and Refreshed as soon as required.
IA_NA and IA_PD Addresses are provided with the DHCP timers, which trigger the process.
T1 and T2 are provided. These 2 timers must be set consistently with the Preferred and Valid Lifetimes
of the Addresses. Remember that an address MUST remain a Preferred Address, so the T1/T2 Timers
must be set accordingly.
IPv6 Addresses come with two Timers, the Preferred and the Valid Timers. For Static Addresses,
these timers are usually set to Infinity, which is ALL ONEs.
For Dynamic Addresses, they must be refreshed to reset these timers so that the Addresses or Derived
Addresses remain in the Preferred State.
In figure 6.18 we can see how these timers are Reset with Unsolicited RA.

With DHCPv6, the Preferred Timers and Valid Timers must also be Refreshed when the DHCPv6 client
RENEWs its reservation. These timers are included in the IAADDR Option which is encapsulated in the
IA_NA or IA_PD Option. Both IA_NA and IA_PD Options also have two timers related to the DHCPv6
protocol.
When T1 expires, the client sends a RENEW to the server from which it has learned its configuration.
If the client times out on the RENEW with the Server which had provided the initial configuration, it will
send a REBIND to all the available servers.

RFC3315, Section 18.1.4:
"The message exchange is terminated when the valid lifetimes of all the addresses assigned to the IA
expire (see section 10), at which time the client has several alternative actions to choose from.
For example:
The client may choose to use a Solicit message to locate a new DHCP server and send a Request
for the expired IA to the new server.
The client may have other addresses in other IAs, so the client may choose to discard the expired IA
and use the addresses in the other IAs."

1.4.2 A client may have moved

http://tools.ietf.org/html/rfc3315#section-18.1.3
In any situation when a client may have moved to a new link, the client MUST initiate a Confirm/Reply
message exchange.

For Example:
• The client reboots.
• The client is physically connected to a wired connection.
• The client returns from sleep mode.
• The client using a wireless technology changes access points.

1.4.3 A client doesn't need an Address anymore

The client sends a Release Message to the Server.

1.4.4 A client detects a Duplicated Address

The client sends a Decline Message to the Server.

1.4.5 Server Configuration has changed

The Server must inform the client with a RECONFIGURE message.
The RECONFIGURE message includes the Reconfigure Message Option to tell the client whether it must
send a Renew (providing Addresses) or an Information-Request (not providing Addresses).

1.4.6 Constants

1.4.7 DHCP Reliability

Because UDP does not provide reliability, it must be provided by the Application. The client begins the
message exchange by transmitting a message to the server. The message exchange terminates
when either the client successfully receives the appropriate response or responses from a server or
servers, or when the message exchange is considered to have failed according to the retransmission
mechanism described below.

1.5 Capture Example

1.5.1 Solicit Message

1.5.2 Advertise Message

Options: Server ID, Client ID, IA_NA with IAADDR and Domain Search List

1.6 SUMMARY
2 DNS

2.1 Introduction

DNS was introduced in RFC1035. The objects of DNS are organized as a tree structure. The root is
the ".".

It is transported over IPv6, encapsulated in UDP port 53 for most messages, but some exchanges,
like zone transfers, use TCP, which is more appropriate for them.
The initial RFC1035 had a serious limitation for IPv6, which is the UDP size limit of 512 octets.
So we actually had two problems to solve:
• The Maximum Size of 512 bytes for UDP Messages
• How to Code IPv6 Names to Addresses and vice-versa

Many Objects are used for DNS:
NS for Name Servers, MX for Mail Exchange (DNS plays a key role in Mail routing on the Internet),
A for IPv4 Addresses, AAAA for IPv6 Addresses.
And more...

2.1.1 Servers hierarchy

2.1.1.1 ROOT Servers

At the very top, we have the ROOT Servers.
They manage the list of the Servers of each Top-Level domain like .com or .uk and they return their
addresses.
13 IPv4 anycast addresses are used and last time I checked 9 IPv6 Addresses were also ready:

13 IPv4 addresses can be sent in a 512 (436) byte UDP message! Remember that 512 octets were
the size limit for a UDP message in RFC 1035! Adding 13 IPv6 addresses was certainly going over
the limit (800+ bytes)!

There are actually 200+ physical servers around the globe.
Domain root-servers.net: a.root-servers.net through m.root-servers.net

In Europe, the RIPE Servers k.root-servers.net are located in Amsterdam, Athens, Doha, Frankfurt,
London and Milan. IPv4: 193.0.14.129, IPv6: 2001:7fd::1

IPv6 addresses are already supported by 9 of the 13 root-servers.
Requirements of a Root Server are in RFC2870.
http://www.iana.org/domains/root/

2.1.2 Top Level Domain Servers

They return the address of the NS for a User domain, for example fredbovy.com.
The full list is at http://www.iana.org/domains/root/db/
There are two kinds of TLD:

2.1.2.1 The Generic Top-Level-Domains (gTLD)

.com, .edu, .net, .mil,
But there are also some other registered gTLDs:
• The .org domain is intended to serve the noncommercial community.
• The .aero domain is reserved for members of the air transport industry.
• The .biz domain is reserved for businesses.
• The .coop domain is reserved for cooperative associations.
• The .int domain is only used for registering organizations established by international treaties
between governments.
• The .museum domain is reserved for museums.
• The .name domain is reserved for individuals.
• The .pro domain is being established; it will be restricted to credited professionals and related
entities.

2.1.2.2 The Country Code Top-Level-Domains (ccTLD)

There is one for each country: .us, .ca, .fr, .uk.

2.1.3 The Authoritative Domain Servers

To increase performance and reliability of DNS, there is more than one DNS server for each domain.

2.1.3.1 Primary or Master DNS Server

The Master Zone file describing the zone (Zone config file) is located on the Primary server.

2.1.3.2 Secondary or Slave DNS Server

The Secondary Server is synchronized with the Primary thanks to Zone Transfer over TCP.

2.1.3.3 Caching only Servers

The Caching Server is used to cache the answer on a local Server, so when the same query is
requested again, it will be available locally.

2.2 Clients Query Modes

There are two modes for Clients to resolve the IPv6 Name to Address:

2.2.1 Iterative (supported by all NS)

This mode actually involves the requester more than the local NS.
If no response is received, network and firewall administrators should first determine if a security pol-
                                                                                                        icy other than the vendor's default processing for DNS messages is blocking large response mes-
                                                                                                        sages or large UDP messages. If no policy other than the vendor's default processing is configured,
2.2.2    Recursive                                                                                      note the implementation and version and contact your vendor to determine if an upgrade or hot fix is
                                                                                                        available.
The Recursive mode actually involves more the Local Server than the Requester.



                                                                                                        2.4   DNSSEC
                                                                                                        DNSSEC is an effort to make DNS more secure with some Authentication of the messages.
2.3     Support	
  of	
  I Pv6	
  for	
  D NS                                                           DNSSEC is detailed in RFC4033, RFC4034 and RFC4035. A discussion of operational practices relat-
                                                                                                        ing to DNSSEC can be found in RFC4641.
                                                                                                        In DNSSEC a secure response to a query is one which is cryptographically signed and validated.
                                                                                                        No Protection against DoS attack
2.3.1    EDNS0                                                                                          DNSSEC adds new Resource Record types: Resource Record Signature (RRSIG), DNS Public Key
                                                                                                        (DNSKEY), Delegation Signer (DS) and Next Secure (NSEC)
RFC1035 specifies the maximum DNS UDP message to 512 bytes
                                                                                                        A signed zone will contain the 4 additional security-related records
13 IPv4 anycast addresses was used to represent 200+ Servers for the announce to fit in a 512 bytes
message, 436 bytes actually to leave room for some options.                                             DNSSEC requires support for EDNS0 (RFC2671) and DNSSEC OK (DO) EDNS bit EDNS0 (RFC
                                                                                                        3225)
With only 5 IPv6 addresses added to the Additional Section of the DNS Type NS response message
root server operators return during the priming exchange, the size of the response message increases    Root Zone is Signed
from 436 bytes to 576 bytes.                                                                            http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html
9 Root Servers have been assigned IPv6 addresses
When all 13 root name servers are assigned IPv6 addresses, the priming response will increase in
size to 811 bytes !


2.3.2    Priming	
  Exchange

The priming exchange is done when the list of Root Servers are requested. Conditions for the success-
ful completion of a priming exchange:
Resolvers and any intermediate systems that are situated between resolvers and root name servers
must be able to process DNS messages containing Type AAAA resource records.
Additionally, Resolvers must use DNS Extensions (EDNS0, RFC 2671) to notify root name servers
that are able to process DNS response messages larger than the 512 byte maximum DNS message
size specified in RFC1035.
Intermediate systems must be configured to forward UDP-encapsulated DNS response messages
larger than the 512 byte maximum DNS message size specified in RFC1035 to resolvers that issued
the priming request.


2.3.3    Test EDNS0 Implementation

To test the action a firewall implementation takes when it receives a UDP-encapsulated DNS response message larger than 512 bytes, a network or firewall administrator can perform the following DNS lookup using:
This command should elicit a 699-byte response that contains AAAA resource records.
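The priming exchange and the EDNS0 check described above, as an added Python example that is not from the book: it builds the wire format of a root priming query carrying the EDNS0 OPT pseudo-RR, and walks a constructed priming response to report its size, whether it exceeds the 512-byte RFC 1035 limit, whether the TC bit is set, and how many AAAA glue records it carries, which is exactly what a firewall or resolver in the path must be able to cope with. The root-server names and the glue addresses are constructed (TEST-NET-1 and 2001:db8::/32 documentation ranges), and the byte counts of the constructed response are not the book's 436/576/811 figures, which depend on the exact compression layout the real root servers use.

```python
"""Root priming query with EDNS0 and a size check of the priming response.

Added example, not the book's code. Names and addresses are constructed.
"""
import struct

TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT = 1, 2, 28, 41
CLASS_IN = 1
RFC1035_MAX_UDP = 512
ROOT_LETTERS = "abcdefghijklm"          # a.root-servers.net .. m.root-servers.net


def encode_name(name):
    """Wire-format domain name: length-prefixed labels and a zero terminator ("." is one zero byte)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_priming_query(txid=0x1234, udp_payload=4096):
    """Query '. NS' (RFC 1035) with an OPT pseudo-RR (RFC 2671) in the Additional
    Section. The OPT CLASS field carries the UDP payload size the resolver can
    accept; without it the server must stay within 512 bytes and truncates the glue."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, QDCOUNT=1, ARCOUNT=1
    question = encode_name(".") + struct.pack("!HH", TYPE_NS, CLASS_IN)
    # OPT RR: owner ".", TYPE=OPT, CLASS=payload size, TTL=ext-RCODE/version/flags (0), RDLENGTH=0
    opt = encode_name(".") + struct.pack("!HHIH", TYPE_OPT, udp_payload, 0, 0)
    return header + question + opt


def skip_name(msg, off):
    """Return the offset just past a possibly compressed name (RFC 1035 section 4.1.4)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def summarize_response(msg):
    """Walk every section of a DNS response and report what a firewall or
    resolver in the path has to handle: total size, TC bit and record counts."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4      # QTYPE + QCLASS
    counts = {"NS": 0, "A": 0, "AAAA": 0, "OPT": 0}
    names = {TYPE_NS: "NS", TYPE_A: "A", TYPE_AAAA: "AAAA", TYPE_OPT: "OPT"}
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype in names:
            counts[names[rtype]] += 1
    return {"size": len(msg), "over_512": len(msg) > RFC1035_MAX_UDP,
            "truncated": bool(flags & 0x0200), "counts": counts}


def build_sample_priming_response(n_aaaa, txid=0x1234):
    """Constructed priming response: 13 NS records, A glue for all 13 servers and
    AAAA glue for the first n_aaaa of them, using name compression that points
    back at the first "root-servers.net" like real responses do. Sizes are
    illustrative only; the glue addresses are documentation ranges."""
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x8180, 1, 13, 0, 13 + n_aaaa))
    msg += encode_name(".") + struct.pack("!HH", TYPE_NS, CLASS_IN)
    suffix_off = None
    for letter in ROOT_LETTERS:
        msg += encode_name(".")            # owner name of the root NS RRs
        if suffix_off is None:
            rdata = encode_name(letter + ".root-servers.net")
            suffix_off = len(msg) + 10 + 2  # past the fixed RR fields and the 1-char label
        else:
            rdata = bytes([1]) + letter.encode() + struct.pack("!H", 0xC000 | suffix_off)
        msg += struct.pack("!HHIH", TYPE_NS, CLASS_IN, 518400, len(rdata)) + rdata

    def glue(letter, rtype, addr):
        owner = bytes([1]) + letter.encode() + struct.pack("!H", 0xC000 | suffix_off)
        return owner + struct.pack("!HHIH", rtype, CLASS_IN, 518400, len(addr)) + addr

    for i, letter in enumerate(ROOT_LETTERS):
        msg += glue(letter, TYPE_A, bytes([192, 0, 2, i + 1]))           # 192.0.2.N (TEST-NET-1)
    for i, letter in enumerate(ROOT_LETTERS[:n_aaaa]):
        msg += glue(letter, TYPE_AAAA, b"\x20\x01\x0d\xb8" + bytes(11) + bytes([i + 1]))  # 2001:db8::N
    return bytes(msg)


if __name__ == "__main__":
    print("query bytes:", len(build_priming_query()))
    for n in (0, 5, 13):
        print(n, "AAAA glue ->", summarize_response(build_sample_priming_response(n)))
```

Running the block prints the size of the constructed response with 0, 5 and 13 AAAA glue records; only the first stays under 512 bytes, which is why a resolver has to advertise a larger payload size in its OPT record and why every middlebox on the path must pass such UDP datagrams through.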

2.5     Configuration of DNS Bind Server on Linux
2.5.1    Zones and Zone Files

A Zone file translates the domain names into addresses.
A Zone File contains:
Data that describes the zone authority, known as the Start of Authority (SOA) Resource Record.
All the hosts within the zone:
A Resource Record for an IPv4 Address
AAAA Resource Record for an IPv6 Address
Data that describes global information for the zone: MX Resource Records for the domain's mail servers and NS Resource Records for the Name Servers.
In the case of a subdomain delegation, the name servers responsible for this subdomain.
A Zone file looks like this:




2.5.2    Reverse-Mapping Zone
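The zone file contents listed in 2.5.1 and the reverse-mapping zone of 2.5.2, as an added Python example that is not from the book: it generates a BIND forward zone (SOA, NS, MX, A and AAAA records and a subdomain delegation) and the matching ip6.arpa reverse zone, in which every AAAA address is written as 32 nibbles in reverse order relative to the zone origin. The hosts, the example.com. origin and the addresses are constructed from documentation ranges.

```python
"""Generate a BIND forward zone file and its ip6.arpa reverse-mapping zone.

Added example, not the book's configuration. The host data is constructed
and uses documentation address ranges (192.0.2.0/24 and 2001:db8::/32)."""
import ipaddress

# Constructed sample hosts: relative name -> address records
HOSTS = {
    "ns1":  {"A": "192.0.2.1",  "AAAA": "2001:db8:1::53"},
    "mail": {"A": "192.0.2.25", "AAAA": "2001:db8:1::25"},
    "www":  {"AAAA": "2001:db8:1::80"},        # IPv6-only host: no A record
}


def zone_header(origin, serial, primary_ns, mbox):
    """Records every zone starts with: the SOA (zone authority) and the zone's own NS."""
    return ["$ORIGIN %s" % origin,
            "$TTL 86400",
            "@ IN SOA %s %s ( %d 3600 900 1209600 300 )" % (primary_ns, mbox, serial),
            "@ IN NS %s" % primary_ns]


def forward_zone(origin, serial, hosts, ns_host="ns1", mail_host="mail", delegations=()):
    """Forward zone: SOA, NS, MX, an A and/or AAAA RR per host, and the NS RRs of each
    delegated subdomain (glue A/AAAA for in-zone delegation servers is not generated here)."""
    lines = zone_header(origin, serial, "%s.%s" % (ns_host, origin), "hostmaster." + origin)
    lines.append("@ IN MX 10 %s.%s" % (mail_host, origin))
    for sub, servers in delegations:
        for server in servers:
            lines.append("%s IN NS %s" % (sub, server))
    for name, rrs in sorted(hosts.items()):
        for rtype in ("A", "AAAA"):
            if rtype in rrs:
                addr = ipaddress.ip_address(rrs[rtype])
                if (rtype == "AAAA") != (addr.version == 6):
                    raise ValueError("%s: %s record with a wrong address family" % (name, rtype))
                lines.append("%s IN %s %s" % (name, rtype, addr.compressed))
    return "\n".join(lines) + "\n"


def reverse_name(addr):
    """Full ip6.arpa owner name (RFC 3596): all 32 nibbles, least significant first."""
    nibbles = "%032x" % int(ipaddress.IPv6Address(addr))
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_origin(prefix):
    """Origin of the reverse zone serving `prefix`; ip6.arpa delegations cut on nibble boundaries."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 for an ip6.arpa zone")
    nibbles = "%032x" % int(net.network_address)
    return ".".join(reversed(nibbles[: net.prefixlen // 4])) + ".ip6.arpa."


def reverse_zone(prefix, origin, serial, hosts, ns_host="ns1"):
    """Reverse-mapping zone: one PTR per AAAA record inside `prefix`, the owner
    name written relative to the reverse zone origin, pointing back at the host's FQDN."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    rorigin = reverse_zone_origin(prefix)
    lines = zone_header(rorigin, serial, "%s.%s" % (ns_host, origin), "hostmaster." + origin)
    for name, rrs in sorted(hosts.items()):
        if "AAAA" not in rrs:
            continue
        ip = ipaddress.IPv6Address(rrs["AAAA"])
        if ip not in net:
            continue                                 # belongs to some other reverse zone
        full = reverse_name(ip)
        relative = full[: len(full) - len(rorigin) - 1]   # drop ".<reverse origin>"
        lines.append("%s IN PTR %s.%s" % (relative, name, origin))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(forward_zone("example.com.", 2012010101, HOSTS,
                       delegations=(("lab", ["ns1.lab.example.com."]),)))
    print(reverse_zone("2001:db8:1::/48", "example.com.", 2012010101, HOSTS))
```

The reverse zone is generated from the same host table as the forward zone, which is the point of doing it with a script: a PTR that is written by hand for a 32-nibble name is the classic place where forward and reverse mappings drift apart.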


2.5.3    Transport of IPv6 Information in IPv6

DNS requests must be transported in IPv6.
DNS Root servers and Top-level domains must support IPv6.
9 of the 13 root servers are IPv6 ready!
DNS messages larger than 512 bytes are supported since DNS Extension 0 (EDNS0, RFC 2671).
The old Firewalls were blocking DNS UDP messages bigger than 512 Octets. It has been fixed for a long time, but if you are at a customer site which has not upgraded its software for a long time either, you may hit this issue.




2.6   Dynamic DNS

DNS Servers can be updated dynamically.
An address allocated with DHCPv6 or SLAAC automatically updates the DNS Servers by sending Updates to the Servers. So this is not only possible with Servers doing both DHCPv6 and DNS. The Authentication process between the client and the servers is not defined by the RFC but is left to the convenience of the designers.
Dynamic Updates in the Domain Name System (DNS UPDATE): http://tools.ietf.org/html/RFC2136
Secure Domain Name System (DNS) Dynamic Update: http://tools.ietf.org/html/RFC3007
Operational Considerations and Issues with IPv6 DNS: http://tools.ietf.org/html/rfc4472




2.7   Capture of DNS Traffic




Chapter 8
Multicast

IPv6 Multicast is not very different from its IPv4 Counterpart. Only the non-scalable protocols have been removed, like PIM-DM or MSDP, and the others have been ported, sometimes with a new name like MLD instead of IGMP.

Topic
1. Introduction
2. Protocol Independent Multicast (PIM)
 1. PIM Sparse Mode or ASM
 2. PIM Source Specific Multicast (SSM)
 3. PIM BIDIR
3. Embedded Rendez-vous Point
4. Multicast on Layer 2

1   Introduction

IPv6 Multicast is not very different from its IPv4 Counterpart. Only the non-scalable protocols have been removed: PIM-DM. The others have been ported, sometimes with a new name like MLD instead of IGMP.

PIM is used for the routing of Multicast; for the management of the receivers, IGMP has been ported as MLD.

The very long addresses of IPv6 allowed the Embedded RP, which is great as there is no need to configure the RP on each router. The IPv6 multicast router configuration can then be summarized in only one command on CISCO IOS®: "ipv6 multicast-routing", and that's it.

When multicast users are connected with Layer 2 switches, MLD Snooping should be used where IGMP snooping was for IPv4.

The common rule for all Multicast routing is the Reverse Path Forwarding or RPF. This rule says that a packet MUST always be received on the interface which has the best cost to get back to the Source Address of the packet. Otherwise we say that RPF fails and the packet gets silently dropped. This is a basic rule to avoid Multicast Routing loops.
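The RPF rule just described, written out as an added Python example (not the book's code and not CISCO IOS behaviour): the multicast source is looked up in a constructed unicast routing table, longest prefix first and lowest cost second, and the packet is accepted only if it arrived on the interface that lookup returns. A multicast or unspecified source can never pass, since there is no route back to it. The interface names, prefixes and costs are constructed.

```python
"""RPF check as a multicast router performs it, using the unicast routing table.

Added example, not the book's or IOS code. The routing table is constructed."""
import ipaddress

# Constructed unicast routing table: (prefix, interface the route points out of, cost)
ROUTES = [
    ("::/0",              "Gi0/0", 100),   # default route
    ("2001:db8:1::/48",   "Gi0/1", 10),
    ("2001:db8:1:5::/64", "Gi0/2", 5),     # more specific than the /48 above
    ("2001:db8:2::/48",   "Gi0/3", 20),
    ("2001:db8:2::/48",   "Gi0/4", 8),     # same prefix, lower cost wins
]


def rpf_interface(routes, source):
    """Interface the unicast table would use to send traffic back to the source:
    longest prefix match first, then the lowest path cost. This is the one
    interface on which multicast from that source passes the RPF check."""
    src = ipaddress.IPv6Address(source)
    best = None
    for prefix, iface, cost in routes:
        net = ipaddress.IPv6Network(prefix)
        if src in net:
            key = (net.prefixlen, -cost)          # longer prefix, then lower cost
            if best is None or key > best[0]:
                best = (key, iface)
    return best[1] if best else None


def rpf_check(routes, source, ingress):
    """True if a packet from `source` arriving on `ingress` passes RPF.
    Multicast or unspecified sources can never pass: they cannot be routed back to."""
    src = ipaddress.IPv6Address(source)
    if src.is_multicast or src.is_unspecified:
        return False
    return rpf_interface(routes, source) == ingress


def filter_by_rpf(routes, packets):
    """Apply the rule to a batch of (source, ingress) tuples; returns the accepted
    packets and the ones that "RPF fail" and would be silently dropped."""
    accepted, dropped = [], []
    for source, ingress in packets:
        (accepted if rpf_check(routes, source, ingress) else dropped).append((source, ingress))
    return accepted, dropped


if __name__ == "__main__":
    sample = [("2001:db8:1:5::10", "Gi0/2"), ("2001:db8:1:5::10", "Gi0/1"),
              ("2001:db8:9::1", "Gi0/0"), ("ff3e::1", "Gi0/1")]
    print(filter_by_rpf(ROUTES, sample))
```

The same packet from 2001:db8:1:5::10 is accepted on Gi0/2 and dropped on Gi0/1 even though Gi0/1 also has a route covering the source: RPF is not "any interface with a route" but "the interface unicast would actually use", which is what breaks the loop.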




Figure: Solicited Node IPv6 Multicast Address (128 bits)
Unicast Address: 805B:2D9D:DC28::FC57:D4C8:1FFF
Prefix: FF02:0:0:0:0:1:FF, followed by the last 24 bits of the unicast address
Solicited-node multicast address: FF02:0:0:0:0:1:FFC8:1FFF
Automatically configured for each unicast address.

Just remember the Solicited Node Multicast address example, which is derived from the Unicast address for the ND MAC Address Resolution Protocol.

Other examples of Applications which use Multicast are NTP or DHCP.

For this Chapter you will need a Web connection and a Display unit supporting Flash® Presentation for these presentations:

IPv6 Multicast Part 1
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part1.html

IPv6 Multicast Part 2
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part2.html

IPv6 Multicast Part 3
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part3.html

On the other hand, the Powerpoint Presentations can be found in PPS Slideshow format from the IPv6 for Life Web Site and in PDF from the Public Slideshare Server, so you can also download them from there.
2   Protocol Independent Multicast

PIM is Independent because it does not build a separate Unicast Routing Table to run the RPF. Instead it uses the existing routing table, but the same good old RPF rule still applies.

At the beginning there were two flavors, PIM Dense Mode and PIM Sparse Mode. The first one has not been ported to IPv6 because it was clearly not scalable. On the other hand PIM-SM is still in use for IPv6 Networks.

With PIM-SM, the Multicast Receivers are not supposed to know the addresses of the Sources when they register to listen for a particular Group with the local MLD Querier. The Multicast sources do not need any signaling to send any traffic. This must be managed by their directly connected router, which we call a PIM Designated Router or PIM-DR.

So we need a place somewhere in the network for any Source, thanks to its PIM-DR, to meet the receivers, thanks to the local MLD Querier. This meeting place is called a Rendez-Vous Point.

For a detailed presentation of PIM-SM Operations and the other topics addressed in this chapter, please use this presentation:
http://www.ipv6forlife.com/Docs/MulticastIPv6.pps

This presentation and others are also located on the public site Slideshare.com, look for Fred Bovy, IPv6 For Life Presentations.

PIM-SM is also explained in these short Flash Presentations:

IPv6 Multicast Part 1
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part1.html

IPv6 Multicast Part 2
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part2.html

IPv6 Multicast Part 3
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part3.html

With PIM-SSM, the Receivers know the address of the Source. When the receiver registers with the MLD Querier, it provides both the Group address it wants to listen to and the IPv6 unicast address of the source. So there is no need for a Rendez-Vous Point and its associated shared tree. We are always on the Shortest-Path Tree.

PIM-BIDIR is actually the Shared Tree of PIM-SM (see the Flash Presentation), but the Sources can also Receive and the Receivers can also Send.
3   Embedded Rendez-Vous Point

The Embedded-RP is also fully covered in the PPT Slideshow given earlier. But it is really easy to explain quickly.

The idea is to code a 128-bit address in another /128. What we do is that we only advertise a prefix, which can be up to /64 long, and then using only 4 bits we can code 16 RPs from this prefix.

For the Prefix let's see how it is coded. We got a Prefix length which is here 30 hex or 48 decimal. The Prefix is 2001:db8:9abc::/48.

Figure: Embedded RP Prefix
FF7E:0130:2001:db8:9abc::4321
Plen = 30 Hex = 48 dec
2001:db8:9abc::

and for the rest, let's see this now:

Figure: Embedded RP Address (RFC 3956)
FF7E:0130:2001:db8:9abc::4321
Rendez-Vous Point Address: 2001:db8:9abc::1

The IPv6 Address FLAGS are R, P and T. T is for Temporary address. R and P are both Embedded RP information.

Then we see that the RP Address is 1, so the full address for this RP will be 2001:db8:9abc::1.

Then on the CISCO routers you just need to go on each router and type the command "ipv6 multicast-routing", and that's it! Your work is done, the customer can sign the papers and you can get back home early today!
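The Embedded-RP coding explained above, as an added Python example that is not from the book or from IOS: it decodes an RFC 3956 group address into flags, scope, RIID, prefix length and the 64-bit prefix field, rebuilds the RP address from them, and does the reverse (allocating the group address for a given RP). It uses the book's own worked case, FF7E:0130:2001:db8:9abc::4321 with RP 2001:db8:9abc::1; the second RP address in the test is constructed. The validity checks (R, P and T all set, reserved nibble zero, RIID not zero, no prefix bits beyond plen) are what a router applies before it trusts the RP it finds inside a group address.

```python
"""Encode and decode RFC 3956 Embedded-RP multicast addresses.

Added example, not the book's or IOS code; it reuses the book's worked case
FF7E:0130:2001:db8:9abc::4321 whose RP is 2001:db8:9abc::1."""
import ipaddress

MASK64 = (1 << 64) - 1


def decode_embedded_rp(group):
    """Split FF | flgs | scop | rsvd | RIID | plen | 64-bit prefix | 32-bit group ID
    and rebuild the RP address: the first plen bits of the prefix field with RIID
    as interface identifier. Raises ValueError when the address is not a valid
    Embedded-RP group."""
    b = ipaddress.IPv6Address(group).packed
    if b[0] != 0xFF:
        raise ValueError("not a multicast address")
    flags, scope = b[1] >> 4, b[1] & 0x0F
    r_flag, p_flag, t_flag = bool(flags & 0x4), bool(flags & 0x2), bool(flags & 0x1)
    if not (r_flag and p_flag and t_flag):
        raise ValueError("Embedded RP requires R=1, P=1, T=1; flags are 0x%x" % flags)
    rsvd, riid = b[2] >> 4, b[2] & 0x0F
    plen = b[3]
    if rsvd != 0:
        raise ValueError("reserved nibble must be zero")
    if riid == 0 or not 0 < plen <= 64:
        raise ValueError("RIID must be 1..15 and plen 1..64")
    prefix_field = int.from_bytes(b[4:12], "big")
    mask = ((1 << plen) - 1) << (64 - plen)
    if prefix_field & ~mask & MASK64:
        raise ValueError("prefix bits beyond plen must be zero")
    prefix = ipaddress.IPv6Network((prefix_field << 64, plen))
    rp = ipaddress.IPv6Address((prefix_field << 64) | riid)
    return {"scope": scope, "riid": riid, "plen": plen, "prefix": str(prefix),
            "rp": str(rp), "group_id": int.from_bytes(b[12:16], "big")}


def encode_embedded_rp(rp, plen, scope, group_id):
    """Build the group address to allocate for RP `rp`: its interface identifier
    must be 1..15 (it becomes the RIID) and its prefix must fit in `plen` bits."""
    rp_int = int(ipaddress.IPv6Address(rp))
    prefix_field, iid = rp_int >> 64, rp_int & MASK64
    if not 1 <= iid <= 15:
        raise ValueError("RP interface identifier must be 1..15 to fit the 4-bit RIID")
    if not 0 < plen <= 64:
        raise ValueError("plen must be 1..64")
    if prefix_field & ~(((1 << plen) - 1) << (64 - plen)) & MASK64:
        raise ValueError("RP address has prefix bits beyond plen")
    if not 0 <= scope <= 0xF or not 0 <= group_id <= 0xFFFFFFFF:
        raise ValueError("scope is a nibble and the group ID is 32 bits")
    raw = (bytes([0xFF, 0x70 | scope, iid, plen])          # flags 0111 = R,P,T set; rsvd = 0
           + prefix_field.to_bytes(8, "big") + group_id.to_bytes(4, "big"))
    return str(ipaddress.IPv6Address(raw))


def is_embedded_rp(group):
    """The test a router applies to decide whether the RP can be taken from the group itself."""
    try:
        decode_embedded_rp(group)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(decode_embedded_rp("FF7E:0130:2001:db8:9abc::4321"))
    print(encode_embedded_rp("2001:db8:9abc::1", 48, 0xE, 0x4321))
```

Because the RP is named by the group address itself, any receiver that joins a group with a forged or mistyped prefix field sends the join towards whatever address that field decodes to, so the validity checks above and a boundary that limits which Embedded-RP groups are accepted are the operator's controls.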
4   IPv6 Multicast on Layer 2

IPv6 is encapsulated in an Ethernet Frame using a MAC Address prefix of 33:33 instead of 01:00:5e for IPv4. Then we find the last 32 bits of the IPv6 Address.

Figure: IPv6 Encapsulation in Ethernet
IPv6 Multicast Address: FF02:0:0:0:0:1:FF90:FE53 (128 bits)
MAC Address: 33:33:FF:90:FE:53 (48 bits)

MLD Snooping

When switches are used we use MLD Snooping to only forward traffic on the p2p links with attached interested Receivers.

This is only possible because now switching is performed in silicon with fast ASICs, because this feature requires that the switch looks into the MLD Packet to find the unsolicited MLD report messages to figure out that there is a receiver.
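The two address derivations of this chapter, the Solicited Node multicast address from the Introduction and the 33:33 Ethernet mapping above, as one added Python example that is not from the book: it computes the solicited-node group of a unicast address, maps any IPv6 multicast group to its Ethernet destination MAC, combines both to give the Layer 3 and Layer 2 destinations of the Neighbor Solicitation sent to resolve an address, and shows that the 32-bit mapping is many-to-one. The unicast and group addresses are the book's own examples plus constructed ones.

```python
"""Solicited-node multicast address and IPv6 multicast-to-Ethernet MAC mapping.

Added example, not the book's code; the addresses are the book's own examples
plus constructed ones."""
import ipaddress

ETHER_MCAST_PREFIX = (0x33, 0x33)


def solicited_node(unicast):
    """FF02::1:FFXX:XXXX, XX:XXXX being the low-order 24 bits of the unicast address (RFC 4291).
    A node joins this group for each of its unicast addresses so that ND can resolve them."""
    addr = ipaddress.IPv6Address(unicast)
    if addr.is_multicast:
        raise ValueError("solicited-node groups are derived from unicast addresses only")
    low24 = int(addr) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1 << 32) | (0xFF << 24) | low24))


def multicast_mac(group):
    """Ethernet destination of an IPv6 multicast group (RFC 2464): 33:33 + low-order 32 bits."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError("not an IPv6 multicast address")
    return ":".join("%02X" % b for b in ETHER_MCAST_PREFIX + tuple(addr.packed[12:]))


def neighbor_solicitation_dst(target_unicast):
    """Layer 3 and Layer 2 destinations of the Neighbor Solicitation that resolves a unicast address."""
    group = solicited_node(target_unicast)
    return group, multicast_mac(group)


def group_members_by_mac(groups):
    """Map each Ethernet multicast MAC to the IPv6 groups that share it. The 32-bit
    mapping is many-to-one, so groups differing only in their upper 96 bits (for
    example different scopes) reach the same NIC filter and, without MLD snooping,
    the same switch ports."""
    by_mac = {}
    for g in groups:
        by_mac.setdefault(multicast_mac(g), []).append(str(ipaddress.IPv6Address(g)))
    return by_mac


if __name__ == "__main__":
    print(neighbor_solicitation_dst("805B:2D9D:DC28::FC57:D4C8:1FFF"))
    print(multicast_mac("FF02:0:0:0:0:1:FF90:FE53"))
    print(group_members_by_mac(["ff02::1:ff90:fe53", "ff05::1:ff90:fe53"]))
```

The many-to-one mapping is why a switch doing MLD snooping keys its forwarding on the full IPv6 group it sees in the MLD report and not only on the destination MAC of the frame.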
33:33
This is the MAC address prefix for IPv6 multicast addresses encapsulated in Ethernet. The next 32 bits are the last 32 bits of the IPv6 address.
ASICS
A chip which performs a special task in silicon, like Layer 2 switching in our case.
ASM
Any Source Multicast. This is another name for PIM Sparse Mode (see PIM).
BIDIR
Bi-directional. This is for PIM BIDIR which is actually the PIM-SM Shared Tree where Sources can Receive and Receivers can Send.
CCIE
Cisco Certified Internetwork Expert. It started with number 1023. With #3013 I deserve the CISCO dinosaur distinction. When I was younger and I passed both the written and the lab test at the first attempt, cheating was impossible and the answers were not available for $20 from the Web. It was a Great distinction! And you must be recertified every two years. Again, it is not so old that you can get the answers before taking it, and I had to take the written test every two years since 97 to be still active. I also find in the field many consultants who say that they are CCIE but they only have the written exam or they have not been recertified for 10 years, but they get hired as cheap "CCIE"! This is really unfair!
Cost
This is the metric of Link-State Routing protocols. The lower the path cost is, the better the route will be. The lowest path cost is used for routing.
DAD
Duplicate Address Detection, the Neighbor Discovery process to check that an address is not in use before using it. This is enabled by default on LAN interfaces on CISCO routers but disabled on Serial interfaces.
DHCP
Dynamic Host Configuration Protocol, used to configure the workstations with an IPv6 address and/or Other information. With IPv6 there are many more variations than with IPv4 because IPv6 has a Stateless built-in Autoconfiguration feature with the Neighbor Discovery Protocol (RFC 4862, RFC 4861).

So DHCPv6 can be used for Other information but not for addresses. This is Stateless DHCPv6.

DHCPv6 can also be used to provide a Site Prefix instead of individual Addresses. The prefix can then be subnetted. This is DHCP Prefix Delegation or DHCP-PD.
DHCP-PD
DHCP Prefix Delegation. See DHCP.
DHCPv6
DHCP for IPv6. See DHCP.
Embedded RP
This is a method to code the PIM-SM Rendez-Vous Point in the group address. With Embedded RP you only need ONE command to have your multicast Routing configured on a CISCO IOS® Router, "ipv6 multicast-routing".
IGMP
Internet Group Management Protocol. The protocol to manage the signaling between the Receivers and the Multicast Last Hop Router, the IGMP Querier. For IPv6 it has been renamed MLD (see MLD).
IOS®
Internetwork Operating System, the historical CISCO Operating System. A Great survivor, pretty much like me! A big Monolith with a round-robin scheduler to manage the processes. A simple OS written and programmable in plain C Code. A basic Time Shared Scheduler which can be interrupted to switch a packet in "Real-time" when it is possible to do it quickly. Otherwise the incoming packet is punted to be switched later on. This is IOS and we love it!
IPAM
IP Address Management Tools. With IPv4, many Service Providers were using spreadsheets to manage their IPv4 addresses using home-made macros, and everybody was very happy. The 128-bit addresses of IPv6 made it impossible and new software was introduced to manage these very long addresses. IPAM was born. The next step was to link these big databases with DNS and DHCP, et voila!

Today it is just insane or just impossible to plan any decent network without an IPAM to manage your IPv6 Addresses and node names.
IPv4
Internet Protocol version 4. The protocol which started the Internet in the late 70s. Like Jim Morrison or Jimi Hendrix, IPv4 will die one day as it is clearly not designed to sustain the Internet of 2012.

It was requested by the USA Department of Defense (DoD) to build a Private Internet when a few thousand hosts was just the impossible boundary that would never get reached. For the DoD and the 70s Mainframe technology, IPv4 with its 32 bits was here to last forever!
IPv6
Internet Protocol version 6. The protocol developed in the 90s to scale the y2k Internet and replace IPv4 forever.

http://www.tcpipguide.com/free/t_IPv6AddressSizeandAddressSpace-2.htm

"Since IPv6 addresses are 128 bits long, the theoretical address space if all addresses were used is 2^128 addresses. This number, when expanded out, is 340,282,366,920,938,463,463,374,607,431,768,211,456, which is normally expressed in scientific notation as about 3.4*10^38 addresses. That's about 340 trillion, trillion, trillion addresses. As I said, it's pretty hard to grasp just how large this number is. Consider:

◦ It's enough addresses for many trillions of addresses to be assigned to every human being on the planet.

◦ The earth is about 4.5 billion years old. If we had been assigning IPv6 addresses at a rate of 1 billion per second since the earth was formed, we would have by now used up less than one trillionth of the address space.

◦ The earth's surface area is about 510 trillion square meters. If a typical computer has a footprint of about a tenth of a square meter, we would have to stack computers 10 billion high blanketing the entire surface of the earth to use up that same trillionth of the address space."
MAC
MAC Addresses are used at Layer 2 to address an Ethernet workstation on a LAN.
MLD
Multicast Listener Discovery. MLD is IGMP ported to IPv6.

MLDv1 is IGMPv2 and MLDv2 is IGMPv3.

This is the signaling between the Receiver and the last hop router.

Hosts use MLD to tell the local router that they want to receive a Group. Then the MLD Router propagates the MLD exchange with the PIM protocol to build the Shared or Shortest Path Tree.
MLD Snooping
Does for IPv6 what IGMP snooping was doing for IPv4. It listens to the Multicast traffic and looks into the MLD packet to find the control packet of a Receiver saying that it wants to join a given group. Then the switch will only forward the Multicast on the port where it knows that it has a receiver interested in this Group.
MSDP
Multicast Source Discovery Protocol. A protocol above TCP that was used to join two separate shared Trees. It was useful when you had multiple Rendez-Vous Points: for a Source, a Rendez-Vous Point will find the Receivers registered on another RP.

It was used by the Service Providers to set up Redundant RPs with a feature called Anycast RP.

The problem is that MSDP sessions must be fully meshed, leading to an O(n²) complexity.

They were configuring 2 RPs in each country for Redundancy. For 40 Countries you had to configure (80*79)/2 MSDP over TCP sessions, and reasonable size routers were not supporting that many MSDP Sessions and collapsed.

MSDP and Anycast RP using MSDP have not been ported to IPv6.
NAT
Network Address Translation. A workaround which broke the peer-to-peer IP capability which was a key driver in the 80s for people to switch to TCP/IP. Just before they switched to TCP/IP, IBM proposed the SNA LU6.2 based APPN Solution to move from a hierarchical model to a peer-to-peer one. In the early 80s, Peer-to-peer and downsizing to port applications from Mainframes down to Mini or RISC and Micro Computers was the way to go!

But in the 90s Peer-to-Peer was broken by NAT, which is breaking many applications and is a security weakness seen as a security feature by some NAT proponents! They are grasping IPv4 and NAT as if their life would have no reason to be without NAT!

NAT was never a security feature. The best Security is true end-to-end security, which does not work if someone changes anything in the original Address. Because you cannot be identified from your address anymore = no security. Someone who does some really bad things using a NATed address will never get caught.
ND
Neighbor Discovery Protocol, defined in RFC 4861, is a key protocol for IPv6.
NTP
Network Time Protocol, to synchronize all the system clocks in a Network.
NUD
Neighbor Unreachability Detection is a part of ND and is used to check that a Neighbor is still alive, and to clean up the entry if the node fails to reply.
P2P
Point-to-Point Network.
PIM
Protocol Independent Multicast. It is independent because it uses the default Unicast Routing Table to run the RPF Algorithm instead of building a separate table.
PIM-BIDIR
See BIDIR and PIM.
PIM-DM
PIM Dense Mode. Deprecated. It was not scalable. (See PIM)
PIM-DR
PIM Designated Router. The router which is directly connected to a Multicast Source. The highest priority wins. The highest IP address is used as a tie breaker. See PIM.
PIM-SSM
PIM Source Specific Multicast. Only works with the Shortest Path Tree, as the Receivers know the Source Address(es) when they register for a Group (see PIM).
Querier
The MLD (for IPv6) or IGMP (for IPv4) Querier is the router which has directly connected Receivers. The Lowest IP Address is the Elected Querier when multiple candidates are available.
RP
The PIM Rendez-Vous Point is the place where the PIM-SM Source meets the Receivers.
Rendez-Vous
See PIM-SM.
Reverse Path Forwarding
The Reverse Path Forwarding Rule is the IP Multicast universal rule.

To avoid routing loops a multicast router checks each packet received on each interface against the Source Address. The packet MUST be received on the Interface which has the best (lowest) path cost to get back to the Source, or it gets dropped when RPF fails.
RPF
See Reverse Path Forwarding.
SLAAC
Stateless Address Auto Configuration. This is a process to get an interface automatically configured with an address using the Neighbor Discovery Protocol (RFC 4861).

SLAAC is described in RFC 4862.
SSM
PIM Source Specific Multicast. (See PIM)
Stateful
Stateful means that a Server must keep some state for each allocation to manage the entry.

For instance when DHCP allocates an Address, it keeps an entry for this allocated address, and if the neighbor fails to RENEW the address, it will get back to the unused pool and will be allocated to another node.

Stateful devices are easy targets for DoS Attacks and should be protected with some mitigation techniques to limit the effects of the attack!
Stateless
When DHCP is not used to allocate Addresses it is called Stateless DHCPv6 and only provides information, not addresses.
ULA
Unique Local Addresses are used when Private Addresses are needed. ULA can be centrally managed or locally administered. The idea was not to repeat the IPv4 mistakes. We have 40 bits to make the ULA unique and avoid any risk of having overlapping addresses when we merge two networks.

More Related Content

PPTX
IkaLog_FPGAStartup1
PDF
FPGA startup 第一回 LT
PDF
FPGAによるHDMI to LVDS変換器
PDF
High Availability from the DevOps side - OpenStack Summit Portland
PPTX
Openstack ha
PPTX
Watcher, a Resource Manager for OpenStack: Plans for the N-release and Beyond
PPTX
Openstackha 130925132534-phpapp02
PDF
Orchestrating Docker with OpenStack
IkaLog_FPGAStartup1
FPGA startup 第一回 LT
FPGAによるHDMI to LVDS変換器
High Availability from the DevOps side - OpenStack Summit Portland
Openstack ha
Watcher, a Resource Manager for OpenStack: Plans for the N-release and Beyond
Openstackha 130925132534-phpapp02
Orchestrating Docker with OpenStack

Viewers also liked (17)

PDF
OpenStack Resource Scheduling
PDF
Openstack Scheduler and Scalability Issue
PDF
IPv6 Best Practice
PPTX
20161120_HPCでFPGAを使ってみたい_fpgastartup
PPTX
Open stack HA - Theory to Reality
PDF
resource on openstack
PDF
10 Good Reasons: NetApp for DevOps
PPTX
OpenStack HA
PPTX
Openstack Installation (ver. liberty)
PPT
IPv6 theoryfinalx
PDF
Swiss IPv6 Council: IPv6 in der Cloud - Case Study der cloudscale.ch
PDF
High Availability for OpenStack
PDF
What's really the difference between a VM and a Container?
PDF
Cisco IPv6 Tutorial
PPTX
IPv4 to IPv6
PDF
Drbd9 and drbdmanage_june_2016
PDF
OpenStack Resource Scheduling
Openstack Scheduler and Scalability Issue
IPv6 Best Practice
20161120_HPCでFPGAを使ってみたい_fpgastartup
Open stack HA - Theory to Reality
resource on openstack
10 Good Reasons: NetApp for DevOps
OpenStack HA
Openstack Installation (ver. liberty)
IPv6 theoryfinalx
Swiss IPv6 Council: IPv6 in der Cloud - Case Study der cloudscale.ch
High Availability for OpenStack
What's really the difference between a VM and a Container?
Cisco IPv6 Tutorial
IPv4 to IPv6
Drbd9 and drbdmanage_june_2016
Ad

Similar to Fred explains IPv6 (20)

PDF
Fred explainsi pv6-v2-alpha
Fred explains IPv6

  • 2. Preface
This is why I wrote this very first book, and a great tribute to my CISCO Colleagues from whom I learned so many things! Then it also gives a pointer to the Web server that must be used with this book and the IPv6 Certifications. Please read the important information at the End of this Chapter!
  • 3. Preface
My name is Fred Bovy, CCIE #3013, and I have been in the Networking industry for more than 20 years, with a focus primarily on IPv6 and Service Provider issues for about 10 years.

In 1999 I joined CISCO as a Network Consultant. My initial long term project involved helping a Service Provider and an enterprise deploy brand new MPLS-VPN backbones. Since then, I have been hooked, and have developed an expertise in this subject. I later joined the CISCO IPv6 IOS Engineering Team as a dev-tester.

For more than 3 years, I focused on 6PE and 6VPE testing. During that time, I developed many TCL scripts to test 6PE and 6VPE functionalities, routing and switching performance, scalability, High Availability, all the supported network designs like Internet Access models, Carrier's Carrier or Hub and Spoke and more. I also got deeply involved in testing Netflow for IPv6 and SeND.

In 2009 I resumed teaching, keeping the focus on IPv6 with special attention on the transition to IPv6. I believe that we have finally hit the tipping point for IPv6, given that all of the IPv4 addresses ran out in February. It's time for everyone to realize, before companies and individuals lose their competitive edge, that IPv6 is fast becoming a requirement that will enable the Next Generation Internet.

About
I have written this book to help anyone who needs to design, configure and troubleshoot IPv6 Networks, because this is the experience I have gathered in my life as an IPv6 Tester, Consultant and Trainer and also from my 20+ (almost 25) years of IP and CISCO Routers.

In this first book I will cover the Fundamentals. Following books will be about Routing Protocols, Transition To IPv6, Multicast, Security and more...

The book must be used with the IPv6 TUTORIAL that can be found from http://www.ipv6forlife.com.

I am a self-employed IPv6 Expert working as a Fast Lane IPv6 Course Subject Matter Expert with other CISCO partners and for myself as well.

1.1 Tribute to CISCO and to the USA!
IPv6 is more than a Job to me; it is a hobby and a philosophy; it is a Community. It is open, and everybody is welcome to bring something!

IPv6 was designed about 20 years ago by people who thought that the Internet should be for everybody and not only for the lucky ones who can get a Class A or whatever IPv4 block... It was designed to support ALL applications for EVERYONE! 12 years ago I decided to join the community of people who are building the new Internet for everyone and for the new applications that IPv6 enables!

I joined the CISCO IPv6 IOS® Engineering Team to help the development of 6PE and 6VPE for about 3 years, then Netflow for IPv6 and finally SeND and related IPv6 Security for about 3 years.

I would like to thank Eric Levy-Abegnoly, who was my IPv6 Team Leader and mentor (with Luc Revardel), who designed and developed 6PE, 6VPE, SeND and more; Ole Troan, another Great IPv6 Team Leader, who designed most of the IPv6 IOS Code; Benoit Lourdelet, who is the IPv6 Product manager, Patrick Grossetete before him, and many other great CISCO people I have been working with. I learned so much with them. I was a CCIE and a CCSI when I joined CISCO, but I learned more about Networks during the 10 years working for CISCO than all I had learned before. Special thanks to Jim Guichard (my first mentor, who went with me to the customers in my first 6 months within CISCO), Peter Psenak (who was the NSA Engineer for EQUANT before me and also helped me a lot during the transition. He is now one of the best OSPF Engineers WorldWide. Networks are transparent for him.), Arjen Boers (The multicast man who hired me with Valerio), JP Vasseur (CISCO Fellow Guru who worked with me on the MPLS-TE Fast Re-Route project for EQUANT and such a nice guy!), Francois Le Faucheur (Another Brain, the Architect of QoS in MPLS Networks who invented DiffServ-TE, QoS Models in MPLS Networks), Robert Hanzl (The Customer support Engineer who helped me on my first crisis with a customer and then became an MPLS Team Leader), Robert Rasczuk (The MPLS Deployment Engineer who helped me on my first big crisis with a customer facing a major Backbone instability), Luc Revardel (who taught me the basics of IPv6 Testing Automation), Greg Boland, Steve Glaus, Mandy Mac Diarmid, Mado Bourgoin and all my managers who helped me to focus on my work, starting with Valerio Muzzolini, Serge Dupouy, Nick Gale.... And all the good guys and girls who I am forgetting, who are the CISCO Assets.

These 10 years were the best school, university, experience and also basis for human values, not only technical... This was not only a matter of knowledge and people, it was also a way to manage people that I had never found in any French companies or International companies not managed by Americans. During my interviews when I got hired, someone asked me what I was expecting from my management. I answered support to keep me focused on my technical job, and I was correct! This was typically what I found with all my managers, with the exception of the French SE (Pre Sales) Manager I got when I joined the Account Team to help the customer validation process for free, as this was normally a service charged to the customer. But except this one, I only got great managers who always supported me when I was a Network Consultant and a Software Engineer. I was always supported to focus on my job and didn't have to worry about the political cases that the French really enjoy in most big companies. I had the benefit of working for a big company, but at the same time I was so free to organize my work and received awards every time I was doing something good that I had the feeling I was working for my own company. This was the first time that I was also working for a company where the technical skills were considered and you did not have to become a (often bad) manager when you were good in your Technical role as a reward! At last I found people like me, people working like me! Working for CISCO was my best experience in my career. After CISCO I resumed my trainer and consultant life and started to teach what I had learned with my CISCO masters and more!
  • 4. About the book
2.1 IPv6 Fundamentals
IPv6 cannot be understood if the Fundamentals are not. That's why the first Module of this book is essential.

You can find some help in the "IPv6 For Life!" Tutorial from the home page: http://www.ipv6forlife.com. This Tutorial has several chapters for the Fundamental Module:
Fundamentals #1. Introduction and IPv6 Addressing
Fundamentals #2. More about IPv6 Addressing. ICMPv6 and an Intro about Neighbor Discovery
Fundamentals #3. DHCPv6, DNS, MOBILE IPV6 and derived applications

Our first chapter will introduce the IPv6 basics. Then we will study the IPv6 Addressing, which is the main reason why IPv6 was developed: to provide an addressing which will match the requirements of the Internet for the next century. There was a day-one missed requirement, which was the Multihoming requirement. This should have been managed by the IPv6 Stack as a service like Mobile IPv6, but the Engineers just missed addressing this issue, which is still not completely resolved with a commonly accepted long term solution.

The next chapter will be about the IPv6 header, the long addresses, the Extension Headers and other interesting improvements for more efficiency. Then ICMPv6 basics, quite close to IPv4, and, more interesting, the Neighbor Discovery Protocol, which is described in two separate RFCs. Many solutions are provided by ND, like Autoconfiguration or Router Discovery and more.

Finally we will describe all the most important Services, which are not implemented for all platforms. Linux is the best platform to test and support all the IPv6 Services.

2.2 IPv6 Certifications
2.2.1 IPv6 Forum Certification
There are many certifications at the IPv6 Forum with 2 levels, Silver and Gold, for Engineer and Trainer. The Trainer is more advanced than the Engineer. For the moment, all you need is to apply on the IPv6 Forum Web Server and provide a few proofs of achievements to get certified.

2.2.2 Hurricane Electric
Hurricane Electric proposes a very challenging certification with multiple levels up to Sage Level. Each step requires both theory and practical exercise. You need to have a host connected to the Internet to do the proposed exercises and to validate that you were able to provide the correct answers. This is a free and very interesting certification.

2.2.3 CISCO CCIE Routing & Switching
Cisco has one main 5 days training course and a derived training from this one, which I have designed for CISCO and which is aimed at the SP Market.

2.3 Important information
THIS BOOK CAN BE READ COVER TO COVER OR YOU CAN PICK UP ANY PAGE FROM ANY CHAPTER WHEN NEEDED.

THIS E-BOOK IS ALIVE. MANY VIDEO LINKS ARE FLASH PRESENTATIONS AND YOU WILL NEED A LARGE SCREEN AND A FLASH® (ADOBE) SOFTWARE ENABLED BROWSER. PLEASE CHECK http://www.adobe.com.

I AM ADDING NEW PRESENTATIONS ON A REGULAR BASIS AND I WILL UPDATE THE LINKS IN THIS BOOK. WHEN YOU GET A NEW VERSION OF THIS E-BOOK YOU WILL GET PLENTY OF NEW PRESENTATIONS.

FOR ALL THE LINKS YOU WILL NEED TO ACCESS THE IPv6 FOR LIFE® WEB SERVER: http://www.ipv6forlife.com

Although I am based in France, I have been speaking and writing more in English than French for the last 25 years, but I still may make some mistakes that I need you to forgive me for if it happens in this book!

The IPv6 Internet belongs to everybody. Thanks for reading me!

Kindest Regards,
Fred Bovy
  • 5. Introduction to IPv6
This chapter explains how we arrived at IPv6 in 2012 and the long path we have walked since the 80s! Address depletion is not a new issue, and IPv4 was never intended to scale to a Global Public Internet!
  • 6. Chapter 2 Introduction to IPv6
1 Introduction to IPv6
1.1 History
IPv4 was developed in the 80s for a military network with a few thousand hosts maximum by the DoD of the USA. There was no need for security, as it was a private network in the DoD Buildings. There was no need for Autoconfiguration or Mobility and many other things. IPv4 Addresses were widely distributed until there were no longer enough for everyone. In the early 90s, IPv4 Address depletion started to be a problem.

I posted something about this history in my blog: http://ipv6forlife.net/wordpress/?p=61

1.1.1 OSI Protocols
The first serious candidate to replace TCP/IP was the OSI Protocols. The Open Systems Interconnection (OSI) protocols are a family of information exchange standards developed jointly by the ISO and the ITU-T starting in 1977.

OSI defined a Layered Model with 7 Layers while TCP/IP just had 5, since OSI Layers 5, 6 and 7 were actually managed by the TCP/IP Application Layer.

OSI Protocols were providing a Datagram Service like IP, called Connectionless Network Service (CLNS), with an address of up to 20 bytes (160 bits) long.

Its routing protocol, ISIS, very close to OSPF, immediately interested many service providers since it was an Integrated routing protocol which could support IPv4 as well (RFC1195). Actually it was more SP Oriented and could support many more routers in the same area. It is also a much easier protocol to troubleshoot. A simple look at its Database will convince any Network Engineer in 5 minutes.

Digital Equipment thought that OSI would replace IPv4 and that DecNET Phase V was actually OSI Protocols.

1.1.2 ATM and Frame-relay
But at the same time the convergence of Data and Voice Networks had started since the middle of the 80s, and we were looking for a network which could manage both Real Time (Voice, Video) and Non-Real Time data with multiple levels of Precedence, as IPv4 was already doing. Some people were working very hard for a converged network, and they came up with a new protocol called ATM (Asynchronous Transfer Mode).

ATM could manage any kind of Traffic: Voice, Video, Business Data, Bulk Data. ATM was really a Network Scientist Protocol Architecture; its routing protocol PNNI was able to react in Real-Time to any change in the Network to find paths which could match any Class of Service Traffic.

ATM was based on 53 byte cells at the Physical Level for Real-Time and Non Real-Time traffic to be interleaved.

ATM was designed for 155 Mbps Sonet/SDH Fiber links minimum, and this was not really widely available at this time. Also, the ASICs to manage the 53 Byte Cells were not yet available or were very expensive, as they were not made at a sufficiently large scale to get a reasonable price. So, an interim technology
  • 7. was also created to transport Data and Voice while ATM was growing. This was Frame-Relay, a stripped down version of X.25 with PVC only. SVCs came later, but they were never as popular as PVCs.

In the mid 90s ATM was the only serious candidate to support these converged Networks, and VoIP was not an option in the networking business world.

At the end of the 90s, most people realized that ATM would not scale with MultiGigabit Links, which were arriving slowly. Also, some ATM Protocols like LAN Emulation collapsed under traffic, as the Node dedicated to replicating the Broadcast and Multicast was too heavily solicited. ATM, which was great on paper, proved to be not scalable and a complex and expensive solution, so VoIP came back as a viable solution. But all this work made for ATM was not trashed, and many protocols built for ATM are still in use in many solutions. A lot of the QoS work, and a protocol like NHRP, which was developed for ATM Classical IP, is now used for CISCO DMVPN.

1.1.3 MPLS
And also, there was the idea to replace a long address by a label, which was already used by the old X.25; then ATM networks gave the idea of replacing the IPv4 header with a short label! Ipsilon's IP Switching, Cisco's Tag Switching and many other Vendors provided such a solution, with an initial motivation to make faster routers.

Then CISCO also saw that with Tag Switching it was possible to add some services which were not possible with IP, like Tag-VPN. Tag-VPN permitted providing each connected customer with a Virtual Private Network having its own IPv4 Addresses.

Tag-VPN was based on a Multi-Protocol BGP Extension with a new BGP vpnv4 address family, as it was adding a 32 bit prefix to the IPv4 address, called a Route Distinguisher (RD), for the BGP prefix to be unique in the Service Provider Backbone BGP Table. In addition to the RD, an Extended Community BGP Attribute was added to the BGP Prefix before it was advertised to a remote BGP Router. This Extended Attribute was then used to recognize a prefix and import it into the Customer Virtual Routing Table.

The Benefits of Tag-VPN over the previous Layer 3 VPN based on IP were that:
The Backbone routers (P) did not have to know any of the Customer Routes. Only the BGP Next-Hop, the exit point host route for each Provider Edge (PE) Router which was connecting to the Customer Edge (CE) Router, was enough.
Before Tag-VPN, in the SP Point of Presence, each Customer needed to have a dedicated router which was importing all the BGP Routes with a given Community Attribute. With Tag-VPN, the same PE could be shared by all the customers, with each customer having its own Virtual Route.
Customers could have overlapping addresses without any problem.
The provisioning and the management of the VPN were very much simplified.
Traffic Engineering was another great service of Tag-VPN, allowing the SP to use more than the best route links in their backbone to use all the available bandwidth of the core.

Tag-Switching was then standardised by the IETF as MPLS, so in the late 90s and in the early y2k, most service providers were upgrading their backbone to MPLS!

1.1.4 IPv6
Later, in the early Y2Ks, when IPv6 became the next version approved by the IETF and more and more requested by the Customers, CISCO's reply was to provide an IPv6 Service over IPv4/MPLS without any need to upgrade the backbone.

They invented 6PE, designed and developed in the South of France from an Architecture (RFC) of Francois Le Faucheur and other companies and then designed and coded by Eric Levy-Abegnoly.

In the early Y2K, the first large scale IPv6 offers from SPs were mostly brought by 6PE in Asia and in the USA.

Later came 6VPE, which was actually 6PE in the VRF, allowing the customers to have a dual-stack VPN supporting both IPv4 and IPv6.

We will cover 6PE and 6VPE later with all details...

1.2 IPv4 Address Depletion
As we have seen earlier, the IPv4 address Depletion started to be a problem in the 90s, and while some people were working on new protocols to replace IPv4, some others were working on a workaround to keep on working longer with IPv4.
  • 8. They came up with NAT and Private Addresses (RFC1918).

Before RFC1918, some people were already doing some private addressing, but it was at their own risk if they were choosing an address already in use, and which they could need one day to join, like for instance 7.0.0.0/8 or 9.0.0.0/8. One of these was used in my company in the early 90s, with Proxies to reach the Internet for the http or ftp protocols.

Now with RFC1918, some blocks were reserved for private addressing, and with NATPT aka PAT, it was possible to use one public address for a whole building or all the PCs of a residential user. Let's take a shortcut and call NAT: NAT, NATPT or PAT.

NAT immediately solved the problem for many years, but at the same time, it killed some concepts which created the popularity of the Internet, like the End-to-End Addressing or peer to peer capabilities.

In the 90s, this was the time for Downsizing and Client-Server Applications. Many companies moved to TCP/IP for this reason. Downsizing was the migration of Applications from Mainframes to Servers running on RISC Workstations, Mini Computers (AS/400) or even PCs and PS/2s. Client-Server Applications was the migration from hierarchical Applications running on a Mainframe and accessed by dumb terminals to Applications on Servers accessed by smart Clients, mostly micro computers or Unix Platforms, PCs or RISC based.

To keep on working with NAT, now we have to provision a public address for each server and configure a Static NAT Translation for each Server. This can become tedious when you have a lot of servers to manage. And we cannot save any more addresses. Still, each server requires a Public Address.

NAT introduced many states in the IP Network, which was a datagram best-effort model, and this has many Architectural Implications. Just make a search in the IETF Server for all the RFCs about NAT or PAT or NAPT, and you will find more than 80 documents explaining the limitations and how to work around NAT to support most of the Network Applications.

NAT seems an easy and cheap solution, but when you look into it, you find that it actually costs a fortune in hidden costs and thousands of lines of code to support it!

To support Voice applications, the Skype workaround is to use a Server in the middle of your connection, and your Smartphone must send keepalives on a regular basis to keep the NAT States up, draining your batteries. Skype makes it with the cost of a server and keepalives, but many voice applications are still impossible because of NAT!

A 10.0.0.0/8 block looks like a big block for the needs of most companies, but it is still too small for some very large companies or some Service Providers. That's why the Cable SPs requested that DOCSIS 3.0 supports IPv6!

Today, even with the use of NAT, we are now running out of IPv4 Addresses in most regions of the World!

And even if the Service Provider was running NAT a second time in the SP Backbone to share an IPv4 Address among multiple Customers (NAT444), this could not give enough addresses to match the need of all the emerging countries, the need for more than one IPv4 address per user. We must now support plenty of new connected devices which did not exist in the 90s: Smartphones, iPADs, and so on...

So today the question is no longer if we need to move to IPv6 but when!

1.3 The Current Market Needs
We have seen that IPv4, even with double NAT, could not provide enough addresses for all the Emerging Countries, new devices and new applications which require more and more addresses and even more and more ports (Ajax)!

The Cable Network Operators have requested that the last DOCSIS Cable standard MUST support IPv6.

Voice Applications suffer more and more from the NAT limitations, and Mobile IPv6 or Proxy Mobile IPv6 can bring solutions impossible to solve for IPv4.
  • 9. [Figure: transition topology. An IPv4-only host on RFC 1918 space (172.19.0.0/12) reaches the IPv4 Internet through the ISP NAT44 (CGN/LSN), "We need NAT44 (CGN/LSN)"; a dual-stack site uses private IPv4 (10.0.0.0/8, 172.16.0.0/12, 172.17.0.0/12, 172.18.0.0/12) behind NAT44 (10.0.0.0 -> 202.45.3.0) and the IPv6 prefix 2001:db8:678::/48 split into /56 networks and /64 subnets (8 bits for subnets), with SLAAC, DHCPv6 and DHCPv6-PD clients using link-local addresses on the p2p link to the SP; a stateful NAT64 at the ISP translates all IPv6 addresses of a building (2001:DB8:678:1000::/48) to one IPv4 address (10.12.13.2/24, 10.12.13.3/24, 10.12.13.4/24).]

... autonomous devices which not only do autoconfiguration, but also can form Networks dynamically after they automatically discover neighbors. This is Wireless Sensor Networks (6LowPAN) applications.

1.4 Transition Richness
Since the IPv6 introduction, tools for a soft transition were provided. They have evolved with time and demand.

In 1996, IPv6 was shipped with a dual-stack and static tunnels.

While the Internet is still growing very fast with more connected devices every day, the available IPv4 addresses have declined, and IANA has been completely depleted since February 2011. Although IPv6 has now been implemented for more than 15 years and is available on most Operating Systems and from most Network vendors, most Service Providers and even more companies have not yet switched to the next generation Internet protocol. As a consequence we still need to buy some time to allow a smooth transition to IPv6. It is planned that we will need to support mixed IPv4 and IPv6 networks.

Clearly, maximum performance, security and the other benefits we can think about with running IPv6 will be achieved when the transition is complete. During the transition we will need to compromise features, performance and security for the benefit of supporting old IPv4 nodes and applications.

We have to address the four following problems:
• To support a maximum of new IPv4 customers with the few remaining IPv4 Public Addresses. This implies more sharing of the remaining addresses. The current solutions to address this problem are the Stateful Carrier Grade NAT (CGN) aka Large Scale NAT (LSN) and the Stateless dIVI-pd or A+P Solutions.
• SPs with IPv4 Backbones need to provide IPv6 Access to the IPv6 Internet or among IPv6 customers. This is based on 6PE or 6VPE for MPLS/IPv4 or 6RD for an IPv4 Backbone.
• SPs with IPv6 Backbones need to provide IPv4 Access to the IPv4 Internet or among IPv4 Customers. This is based on DS-Lite or 4RD based Solutions.
• To provide access to IPv4 Resources for IPv6 ONLY Customers. This is based on Address Family Translators, with NAT64 and DNS64 as currently the best solutions. These translators permit translating IPv6 to IPv4 packets originating from the IPv6 side. With Stateless it is a One-to-One translation using a reserved IPv6 prefix. With Stateful NAT64, multiple IPv6 addresses can be translated to one IPv4 address. There is a Stateless implementation on Linux called TAYGA. They say on their Web site that to get a stateful NAT64 one just needs to combine their TAYGA with a Stateful NAT44, also available on Linux.
  • 10. This will be developed further in the next book, with a module or a full book about Translation to IPv6. There are so many possibilities and so many technologies being tested if we really want to cover all the experiments currently or lately performed.

SPs are not very happy with the CGN or LSN based solutions, since they have to run a stateful protocol in their backbone. Capacity Planning is almost impossible in most cases, so they may have to over-provision the NAT64 or NAT444 with big CPUs and a lot of RAM, just in case you have to manage twice as many translations for an occasion like a global sport event like the Olympic Games. If TV is not working for the Olympic Games or a World Cup soccer event, it would be a reason for many users to move to a competitor! Protocols like 4RD, dIVI-PD.

With CGN/LSN the SP must keep the logs, which represent some Terabytes of Data each month.

Transition protocols are expensive, and as all SPs are transitioning to IPv6, I have serious doubts now that dual-stack will be supported for a long time. The "Good" Internet User who complies with IPv6 will not want to pay the bill of the one who has been doing nothing for 15 years?

1.5 What are the IPv6 improvements?
1.5.1 128 bits Addresses
1.5.1.1 IPv6 addresses - how many is that in numbers?
IPv6 is our Word of the Day today. The big difference between it and IPv4 is the increase in address space. IPv4 addresses are 32 bits; IPv6 addresses are 128 bits. That's a lot more, for sure, but what does it look like in numbers? What could we compare it to in real-world terms?

DevDevin did the math: How many IP addresses does IPv6 support? Well, without knowing the exact implementation details, we can get a rough estimate based on the fact that it uses 128 bits. So 2 to the power of 128 ends up being 340,282,366,920,938,000,000,000,000,000,000,000,000 unique IP addresses. How do you say that, though? 340 trillion, 282 billion, 366 million, 920 thousand, 938 — followed by 24 zeroes. There's no short way to say it in numbers without resorting to math.

Here's how Wikipedia expresses it: The very large IPv6 address space supports a total of 2^128 (about 3.4×10^38) addresses - or approximately 5×10^28 (roughly 2^95) addresses for each of the roughly 6.5 billion (6.5×10^9) people alive today. In a different perspective, this is 2^52 addresses for every observable star in the known universe.

Steve Leibson takes a shot at putting it in real world terms. It's big — grains of sand don't even enter into it. No, he's got to take it to the atomic level. Here's his conclusion: So we could assign an IPv6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100+ earths. It isn't remotely likely that we'll run out of IPV6 addresses at any time in the future.

1.5.2 Extension Headers
In IPv4 we had a limited amount of Options which could not provide for any new Extension. In IPv6 we have Extension Headers instead. These Extension Headers can be daisy chained, so it is now possible to put as many Options as we want in an IPv6 packet to support any new IPv6 Level Applications.

The first great example of what we can do with Extension Headers is Mobile IPv6 and all derived applications: Mobile router (NEMO), MANET, Wireless Sensor Networks (6LowPAN), PMIPv6. As we can tweak Addresses at the Network Layer, it becomes transparent for the Transport or Application Level.

1.5.3 More Efficient Packet Switching
No more Header Checksum in IPv6. This field has been completely removed.

Header aligned on 64 bits for more efficient access.

Routers are no longer responsible for fragmentation. If fragmentation must be done, it must be done by the source. The fragmentation information is no longer carried in each packet but in an Extension Header, if needed.
  • 11. IPv6 Addresses
This chapter introduces the key feature of IPv6, which is an address that scales to the Internet requirements of 2012 and until we all die!
  • 12. Chapter 2 IPv6 Addresses
1 IPv6 Addresses
1.1 Introduction
IPv6 not only makes longer addresses, but also makes a better use of addresses and of how to manage them. For instance, if you have a small LAN without any routers, the workstations will be able to pick up an address automatically, which will only be valid on this LAN (Link-local) and will permit the Node to be automatically configured with a local address. Then if a router comes up, new prefixes will be advertised by the router, and the Workstation will automatically configure addresses derived from these prefixes.

The most important things are:
• There is no more Broadcast, only Multicast!
• Link-Local addresses are only valid on the link where they are configured. This leads to the concept of Zone. This Link-local address belongs to a zone with its own routing table.
• Anycast Addresses, which is an address to the nearest Service. This already existed in IPv4, but now it is fully managed.
• Routers are discovered Automatically.
• ARP has been dramatically improved in the Neighbor Discovery protocol. There is no longer just a Timeout for the MAC to IP Address cache, but the Neighbors are Managed in the cache by a Finite State Machine. Useless entries of dead neighbors are cleared. When a Timer expires, a few probes are sent to the neighbor (About 35 seconds with default).
• The concept of zone is also important in IPv6. For the moment it mostly applies to Multicast and Link-local Addresses, but it could be used to create VPNs. Still, each zone has its own Routing Table (Please see RFC4007 "Scoped Zone Architecture" for more details).

See RFC4291 for IPv6 Address Architecture.

Topics
1. Introduction
2. What does 128 bit represent?
3. All types of IPv6 Addresses:
   1. Unicast
      1. Unique Local Unicast
      2. Global Unicast Addresses
      3. Special Addresses
   2. Multicast
   3. Anycast

1.2 What does 128 bit represent?
We could assign an IPv6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100+ earths. It isn't remotely likely that we'll run out of IPV6 addresses at any time in the future!

So we must change the way we design networks and stop trying to save IP Addresses! We must give large blocks when needed, as wasting IPv6 Addresses is not using the huge amount of available addresses to make scalable Networks, rather than saving each single bit of Address! Wasting Addresses does not mean the same thing in IPv6 as in IPv4!

1.3 How to write an IPv6 Address?
The 128 bit Address is written as 8 groups of 16 bits, each written in hexadecimal and separated by a colon :. Leading zeros can be ignored. You can write:
  • 13. 2001:db8:1:459d:f123:98ab:d0:e1
instead of:
2001:0db8:0001:459d:f123:98ab:00d0:00e1

Once in the address you can replace a long list of zeroes with double colons (::). You can write:
2001:db8::1
instead of:
2001:db8:0:0:0:0:0:1

1.3.1 The IPv6 Addresses are:
• Unicast: One to One
  • Global Unicast Addresses (Public)
  • Unique Local Addresses (Private)
  • Link-Local Address
  • Special addresses: loopback, unspecified, IPv4 Mapped
• Anycast: One to Any
• Multicast: One to Many

1.4 IPv6 Unicast Addresses

IPv6 addresses are made of 128 bits, but we still find the same 3 parts that we have in an IPv4 Address:

Figure: IPv6 Unicast Addresses. 001 (3 bits) | ARIN (9 bits) | RIR or ISP (36 bits) | Subnet ID (16 bits) | Interface ID (64 bits).

1.4.1 Global Unicast Addresses (Public)

The Global Unicast Addresses are similar to the Public IPv4 addresses and are routable in the IPv6 Internet.

Figure: Global Unicast Address. Provider, 48 bits (Global Routing Prefix) | Site, 16 bits (SLA) | Host, 64 bits (Interface ID).

In the Internet 2000::/3 (binary 0010) is reserved by IANA for the global unicast addresses. The Global Routing Prefix contains the IANA prefix for Global Unicast Addresses, a prefix which identifies the Regional Internet Registry (RIPE in Europe for instance) and eventually another prefix which identifies the ISP.

You will find more details on the Internet here and in RFC4291 for the IPv6 Address Architecture:
http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xml
http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xml

1.4.1.1 Global Routing Prefix

An ISP Customer Prefix used to route the packet to the customer. This Prefix itself is built of a common prefix for all the Global Unicast Addresses, 0010 or 2000::/3. Then you have a prefix matching a Regional Internet Registry, a RIR, and then the part of the Address which addresses the customer. The most common prefixes are typically a /48 Prefix for each site. This may seem overkill, but we do not waste addresses if we use them. We waste them if we don't!

2001:db8::/16 is reserved for documentation and labs!

1.4.1.2 The Subnet bits

These bits can be used by the customer to address many subnets for each site. We may find that using a /48 prefix for each site may be a waste of Addresses with our IPv4 reflexes, but this is actually the other way around: we have so many addresses available that it would be wasting addresses if we were trying to save addresses instead of using them generously to maximize the scalability of the addressing and allow easy growing of the sites.

1.4.1.3 The Interface ID

The Interface ID is similar to the IPv4 Host Address. It is used to identify the Host itself.

1.4.1.3.1 EUI-64 or Modified EUI-64

This address is generally derived from the Interface MAC Address, which is 48 bits. 0xFFFE is added in the middle of the MAC address to make a 64 bit address:

Figure: EUI-64 Address. MAC 00 90 59 02 E0 F9 becomes 00 90 59 FF FE 02 E0 F9; the first octet has the form 000000X0, where X is the universal/local bit.

In this example, the MAC Address is 00-90-59-02-E0-F9.
The EUI-64 Address will be: 90:59ff:fe02:e0f9
And the Modified EUI-64 Address will be: 290:59ff:fe02:e0f9
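The EUI-64 derivation above, written out as an added example (this is not code from the book): it builds the EUI-64 and Modified EUI-64 Interface IDs from a MAC, combines the Interface ID with a /64 prefix the way SLAAC does, and also shows the reverse mapping, which is what makes an EUI-64 based address trackable across prefixes. The MAC and prefixes used are the book's own examples; the function names are this example's.

```python
import ipaddress


def _mac_bytes(mac: str) -> bytes:
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits (6 octets)")
    return octets


def eui64(mac: str) -> bytes:
    """EUI-64: split the 48-bit MAC in two halves and insert 0xFFFE between them."""
    m = _mac_bytes(mac)
    return m[:3] + b"\xff\xfe" + m[3:]


def modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 appendix A): the EUI-64 with the universal/local
    bit (0x02 of the first octet) inverted."""
    e = eui64(mac)
    return bytes([e[0] ^ 0x02]) + e[1:]


def hextets(iid: bytes) -> str:
    """Write an 8-byte Interface ID as four hexadecimal groups without leading zeros."""
    return ":".join("%x" % int.from_bytes(iid[i:i + 2], "big") for i in range(0, 8, 2))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the Modified EUI-64 Interface ID, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("Interface IDs are 64 bits, so the prefix must be a /64")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(modified_eui64(mac), "big"))


def mac_from_address(address: str):
    """Recover the MAC from an EUI-64 based address, or None if the Interface ID was
    not built that way. The same Interface ID reappears under every prefix the host
    visits, which is the tracking problem RFC 4941 temporary addresses address."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02   # undo the universal/local bit flip
    return ":".join("%02x" % b for b in bytes([first]) + iid[1:3] + iid[5:])


if __name__ == "__main__":
    print(hextets(eui64("00-90-59-02-E0-F9")))            # 90:59ff:fe02:e0f9
    print(hextets(modified_eui64("00-90-59-02-E0-F9")))   # 290:59ff:fe02:e0f9
    print(slaac_address("fe80::/64", "00-90-59-02-E0-F9"))
    print(mac_from_address("2001:db8:abcd:9101:290:59ff:fe02:e0f9"))
```

The book's MAC 00-90-59-02-E0-F9 gives exactly the two Interface IDs listed above; `mac_from_address` shows why a host that keeps that Interface ID can be recognised on any network it joins.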
  • 14. For the Modified EUI-64 address X=1, which means that the address is a Locally Administratively Managed Address.

1.4.1.3.2 Temporary Random Prefix (RFC4941)

As NAT is no longer used and the Interface ID of a Laptop may not change, a user may be tracked by its address. To avoid this possible problem it is possible to use a Random Temporary Interface ID and change it every day! This is configurable on all the available platforms (Windows, MAC OS, Linux).

1.4.1.3.3 Manually Configured

On Routers or some servers, it may be better to assign static addresses instead of an EUI or Random Interface ID. For instance, in a Datacenter your router HSRPv6 Group could be 2001:db8:a01::1 and you may configure a static default route on all your Servers. You make sure that your system will not waste any time or receive any Rogue information!

Figure: IPv6 Global Unicast Address Format (RFC 3587). Initial Format: Provider, n bits | 64-n bits | Host, 64 bits; that is Global Routing Prefix | Subnet ID | Interface ID. IETF assigned 001 for Global Unicast; 2620::/12 is assigned to the American Registry for Internet Numbers: 001 (3 bits) | ARIN (9 bits) | RIR or ISP (36 bits) | Subnet ID (16 bits) | Interface ID (64 bits).

Figure: RFC 2374, Aggregatable Global Unicast Address Structure (128 bits). FP (3) | TLA ID (13) | RES (8) | NLA ID (24) | SLA ID (16) | Interface ID (64): Public Topology, Site Topology, Interface Identifier.

1.4.2 Unique Local Addresses (Private, RFC4193)

Figure: Unique Local Address. Prefix 1111 1100 / 1111 1101 (FC00::/7, FD00::/8) | Global ID (40 bits) | Subnet ID | Interface ID.

The ULA are Private Unicast Addresses not routable on the Internet.

The big benefit of ULA over RFC1918 in IPv4 is that you have 40 bits to make your Prefix Unique. So in case one day you need to merge two Private Networks using ULA Addresses, you may not have to renumber your Network.

Actually there are two kinds of ULA, the Locally Managed and the Centrally Managed. If you make a Reservation and use the Centrally Managed Addresses, there is absolutely no risk of finding a duplicate subnet. With Locally Managed, the risk exists.

You can make a reservation at this URL: http://www.sixxs.net/tools/grh/ula/

At the beginning of IPv6, there was no ULA but a prefix for site-local addresses: fec0::/10. But with this approach we had the same problem as with RFC1918 IPv4 Addresses, so this prefix is no longer reserved for Site-Local Addresses, which are deprecated and replaced by ULA.

To access the Internet from a ULA Address you may need Proxies. For instance, if your internal Servers only need http or ftp access to the Internet for SW Updates at night, ULA + Proxy may be the right approach.

1.4.3 Link-local Addresses

Link-local Addresses are the only Mandatory Addresses for each interface. When an IPv6 interface is coming up, the first step is to validate that its Link-local address is unique (Valid). If not, the IPv6 Interface is disabled. The interface could be used for other protocols but not IPv6!

IPv6 Link-local addresses are only valid on the interface where they are configured. If you have many interfaces on a host or a router, it is no problem to use the same address for all the interfaces. They all start with the prefix fe80::/10.

Figure: Link-local Address (FE80::/10). 1111 1010 10 | all zeros | Interface ID (64 bits).

When you are using a Link-local address in a command, you must specify the Outgoing interface by its name or its index with the % sign in between, like fe80::34f:a011:2:d78%FastEthernet1 on a Cisco Router or
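How a Locally Managed ULA prefix is actually generated, as an added example (not the book's code): RFC 4193 section 3.2.2 derives the 40-bit Global ID from a SHA-1 hash of the current NTP time and an EUI-64, which is what gives two independently generated private networks a good chance of not colliding when they are merged. The EUI-64 and timestamp values are constructed for the example; the function names are this example's.

```python
import hashlib
import ipaddress
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 (NTP epoch) and 1970-01-01 (Unix epoch)


def ula_global_id(eui64: bytes, ntp_timestamp=None) -> int:
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(64-bit NTP time || EUI-64)."""
    if len(eui64) != 8:
        raise ValueError("an EUI-64 is 8 bytes")
    if ntp_timestamp is None:
        # NTP 64-bit format: 32 bits of seconds, 32 bits of fraction
        ntp_timestamp = int((time.time() + NTP_EPOCH_OFFSET) * (1 << 32)) & 0xFFFFFFFFFFFFFFFF
    digest = hashlib.sha1(struct.pack("!Q", ntp_timestamp) + eui64).digest()
    return int.from_bytes(digest[-5:], "big")   # least significant 40 bits


def ula_prefix(global_id: int, subnet_id: int = 0) -> ipaddress.IPv6Network:
    """fd00::/8 (fc00::/7 with the L bit set, locally assigned) + 40-bit Global ID + 16-bit Subnet ID."""
    if not 0 <= global_id < (1 << 40) or not 0 <= subnet_id < (1 << 16):
        raise ValueError("the Global ID is 40 bits and the Subnet ID is 16 bits")
    return ipaddress.IPv6Network(((0xFD << 120) | (global_id << 80) | (subnet_id << 64), 64))


def is_ula(text: str) -> bool:
    return ipaddress.IPv6Address(text) in ipaddress.IPv6Network("fc00::/7")


def merge_conflict(prefix_a: str, prefix_b: str) -> bool:
    """Two ULA networks merge without renumbering only if their /48s (the Global IDs) differ."""
    a, b = ipaddress.IPv6Network(prefix_a), ipaddress.IPv6Network(prefix_b)
    return a.supernet(new_prefix=48) == b.supernet(new_prefix=48)


if __name__ == "__main__":
    # constructed EUI-64 (the book's MAC 00-90-59-02-E0-F9 in Modified EUI-64 form)
    gid = ula_global_id(bytes.fromhex("029059fffe02e0f9"))
    print(ula_prefix(gid, 1))
```

The 40-bit Global ID gives a collision probability of about 2^-40 for any pair of locally generated prefixes, which is why merging two ULA networks normally needs no renumbering; a reservation with a Centrally Managed registry removes even that residual risk.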
  • 15. fe80::34f:a011:2:d78%15 on Microsoft Windows, where 15 is the interface index.

In IPv4 it is similar to the 169.254.0.0/16 address (RFC 3927).

All the Next Hops but recursive static or BGP routes use a Link-local address.

1.4.4 Special Addresses

1.4.4.1 Unspecified Address is ::/0

The Unspecified address is only used as a source address when a node is booting and it is verifying its Link-local Address. A router MUST NOT route a packet with an unspecified source address.

1.4.4.2 Loopback Address is ::1

The loopback address is a Link-local address to the node itself. It must not be assigned to any physical interface. It is similar to the IPv4 127.0.0.1 address.

1.4.4.3 IPv4 Mapped Address

This is used when you need to code an IPv4 address in the IPv6 format. For instance with 6PE or 6VPE, the destination IPv6 Address will be the Egress PE IPv4 Loopback interface. It is illegal for BGP to advertise a destination with a next hop of another Address Family, so the Next Hop is coded as an IPv4 Mapped Address.

You get 80 bits set to 0, then 16 bits set to ffff and then the 32 bits of your IPv4 address:
0:0:0:0:0:ffff:<32 bits IPv4 Address>

If the next hop was 192.9.0.1, it would be coded:
::ffff:192.9.0.1 or ::ffff:c009:1

1.4.4.4 Encapsulation of IPv6 in Ethernet

IPv6 Protocol is 0x86dd.

Figure: IPv6 in Ethernet. Dest Ethernet Address | Source Ethernet Address | 0x86DD | IPv6 Header and payload.

1.5 IPv6 Anycast Addresses

This is a one to any addressing.

Anycast Addresses are like duplicated Unicast Addresses. The goal is to find the nearest server implementing a function. It already existed in IPv4 for the DNS Root Servers: we have only 13 addresses, which represent more than 200 physical servers. In IPv4 it was also used by Anycast RP to find the nearest RP in a redundant RP mode, using MSDP to make the RPs communicate with each other.

These addresses do not have any reserved prefix, so you cannot recognize an Anycast Address from a Unicast one.

1.6 IPv6 Multicast Addresses

This is a one to many addressing.

There is no Broadcast in IPv6, only Multicast. But you have an address for all IPv6 nodes (ff02::1), as in IPv4 there is an address for all IPv4 nodes (224.0.0.1). The prefix ff02:: is reserved just like 224.0.0.x for IPv4.

Multicast Addresses are used like in IPv4, when a source needs to send a packet to a Group of Receivers.

The Flags are used for the Embedded RP Address. This is new in IPv6 and allows the RP Address to be embedded in the Group Address. We will study the Flags when we cover Multicast in detail.

The Scope is also new in IPv6 and allows to set the Scope of the Multicast Group:
1 is Node-local
2 is Link-local scope. Example: ff02::1
4 is Admin-local
5 is Site-local
8 is Organization-local
E is a Global Group

Example:
ff02::1:2 All DHCP Servers and Relays. Link-local Scope
ff05::1:3 All DHCP Servers. Site-local Scope (used by Relays)
ff02::2 All IPv6 Routers. Link-local Scope
ff02::5 All IPv6 OSPFv3 Routers. Link-local Scope
ff02::6 All IPv6 OSPFv3 DR Routers. Link-local Scope
ff02::9 All IPv6 RIPng Routers. Link-local Scope
ff02::A All IPv6 EIGRP Routers. Link-local Scope

Only the Link-local Scope is automatically filtered and not forwarded by Routers. All the other Scopes must be implemented with ACLs.
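A classifier for the address types covered in sections 1.4.4 to 1.6, added here as an example (not the book's code): it names the type of an address, unpacks the embedded IPv4 address of a mapped address, decodes the multicast scope and the R (embedded RP) flag, and says whether routers forward the address on their own or only under an ACL, which is the filtering decision the last paragraph above is about. The addresses used in the usage are the book's examples plus constructed ones; the function name is this example's.

```python
import ipaddress

# 4-bit multicast scope values (RFC 4291 section 2.7); the text lists the common ones
MCAST_SCOPES = {0x1: "node-local", 0x2: "link-local", 0x4: "admin-local", 0x5: "site-local",
                0x8: "organization-local", 0xE: "global"}


def classify(text: str) -> dict:
    """Name the address type and state whether it may be routed beyond the local site/link."""
    a = ipaddress.IPv6Address(text)
    if a == ipaddress.IPv6Address("::"):
        return {"kind": "unspecified", "internet_routable": False}   # source only, while booting / in DAD
    if a == ipaddress.IPv6Address("::1"):
        return {"kind": "loopback", "internet_routable": False}
    if a.ipv4_mapped is not None:
        return {"kind": "ipv4-mapped", "embedded_ipv4": str(a.ipv4_mapped), "internet_routable": False}
    if a in ipaddress.IPv6Network("fe80::/10"):
        return {"kind": "link-local", "internet_routable": False}
    if a in ipaddress.IPv6Network("fec0::/10"):
        return {"kind": "site-local (deprecated)", "internet_routable": False}
    if a in ipaddress.IPv6Network("fc00::/7"):
        return {"kind": "unique local", "internet_routable": False}   # private: must not leak to the Internet
    if a.is_multicast:
        scope = (int(a) >> 112) & 0xF
        flags = (int(a) >> 116) & 0xF
        return {"kind": "multicast",
                "scope": MCAST_SCOPES.get(scope, "unassigned (%x)" % scope),
                "embedded_rp": bool(flags & 0x4),          # R flag: RP address embedded in the group
                # only link-local (or smaller) scope is dropped by routers automatically;
                # anything wider crosses routers unless an ACL stops it
                "forwarded_by_routers": scope > 0x2,
                "needs_acl": scope > 0x2,
                "internet_routable": scope == 0xE}
    if a in ipaddress.IPv6Network("2000::/3"):
        return {"kind": "global unicast", "internet_routable": True}
    return {"kind": "reserved", "internet_routable": False}


if __name__ == "__main__":
    for addr in ("::", "::1", "::ffff:192.9.0.1", "fe80::34f:a011:2:d78",
                 "fec0:0:0:2:2b0:d0ff:fee9:4133", "fd01:2345:6789:1::1",
                 "ff02::1", "ff05::1:3", "ff7e:240:2001:db8::1", "2001:db8:a01::1"):
        print(addr, classify(addr))
```

Run over a packet capture's source and destination columns, a classifier like this flags the cases a border filter should never see leave the site: unspecified or link-local sources, ULA and deprecated site-local addresses, and site- or organization-scoped multicast, all of which routers forward unless an ACL says otherwise.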
  • 16. For each unicast or anycast address configured, the IPv6 node automatically configures a derived Solicited Node Multicast Address. This address is set up with a common Multicast Prefix and the last 24 bits of the Unicast Address.

Example:
Unicast Address: 2001:DB8:DC28::FC57:D4C8:1FFF
Solicited Node Multicast Prefix: FF02:0:0:0:0:1:FF
Solicited-node multicast address: FF02:0:0:0:0:1:FFC8:1FFF

Figure: The solicited node multicast address derived from the unicast address (128 bits): Prefix FF02 | 0 | 0001 | FF | last 24 bits of the Interface Identifier.

1.7 IPv6 Address Plan Example

2001:db8:abcd::/48 has been assigned for the USA offices of this company.

Each Regional largest office aggregates the traffic for the area as a /52 route. In the address 2001:db8:abcd:9000::/52, 9 identifies the West Coast.

Each office has a /56 prefix. In the address 2001:db8:abcd:9100::/56, 91 identifies the San Francisco Office.

Then 2001:db8:abcd:9101::/64 may be the first LAN in SF.
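The address plan above, carried through in code as an added example (not the book's): the 16-bit Subnet ID of the site /48 is split into a region nibble, an office nibble and a LAN byte, and each level is checked to aggregate the one below it. The /48 and the ids come from the book's example; `carve` and `locate` are this example's names.

```python
import ipaddress


def carve(site: str, region: int, office: int, lan: int) -> dict:
    """Derive the /52 (region), /56 (office) and /64 (LAN) prefixes of the plan from a site /48.

    The 16-bit Subnet ID (bits 64..79 of the address) is split as:
    4 bits region | 4 bits office | 8 bits LAN.
    """
    net = ipaddress.IPv6Network(site)
    if net.prefixlen != 48:
        raise ValueError("the plan starts from a /48 per site")
    for name, value, width in (("region", region, 4), ("office", office, 4), ("lan", lan, 8)):
        if not 0 <= value < (1 << width):
            raise ValueError("%s id must fit in %d bits" % (name, width))
    base = int(net.network_address)
    region_net = ipaddress.IPv6Network((base | (region << 76), 52))
    office_net = ipaddress.IPv6Network((base | (region << 76) | (office << 72), 56))
    lan_net = ipaddress.IPv6Network((base | (region << 76) | (office << 72) | (lan << 64), 64))
    # each level must be a proper subnet of the one above, or the regional /52 route would not cover it
    assert lan_net.subnet_of(office_net) and office_net.subnet_of(region_net)
    return {"region": str(region_net), "office": str(office_net), "lan": str(lan_net),
            "lans_per_office": office_net.num_addresses // (1 << 64)}


def locate(address: str) -> dict:
    """Reverse lookup: pull the region / office / LAN ids back out of an address in the plan."""
    subnet_id = (int(ipaddress.IPv6Address(address)) >> 64) & 0xFFFF
    return {"region": subnet_id >> 12, "office": (subnet_id >> 8) & 0xF, "lan": subnet_id & 0xFF}


if __name__ == "__main__":
    print(carve("2001:db8:abcd::/48", 9, 1, 1))
    print(locate("2001:db8:abcd:9101::1"))
```

Because the ids are nibble and byte aligned, an operator can read region and office straight off a printed address (9 = West Coast, 91 = San Francisco), which is the practical reason to lay out the plan this way rather than with arbitrary bit widths.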
  • 17. 1.8 The Multihoming Issue

1.8.1 IPv6 Addressing Hierarchy

Figure: Internet Admin hierarchy (http://www.ripe.net/ripe/docs/ripe-512). IANA (2000::/3) -> Regional Internet Registries (ARIN, APNIC, RIPE NCC) -> National Internet Registries / Local Internet Registries (ISPs) -> End Users. Aggregation example: IANA 21ae::/8 -> RIR1 -> ISP1 (LIR) 21ae:db8::/32 -> Cust1 21ae:db8:1::/48; ISP2 (LIR) 21ae:db9::/32 -> Cust2 21ae:db9:1::/48; IANA 2001::/8 -> RIR2 -> ISP3 2001:db8::/32 -> Cust3 2001:db8:1::/48 and Cust4 2001:db8:2::/48.

Having an address 4 times bigger, the IPv6 designers didn't want to need 4 times more memory! So they designed a model to maximize Aggregation.

IANA has allocated the block 2000::/3 for Global Unicast Addresses. Then in your address you will have a Prefix which identifies each Regional Internet Registry: RIPE-NCC, ARIN, APNIC, AfriNIC, LACNIC. And a Prefix for each SP.

The end user does not own a Prefix, and if he changes the SP, he will have to renumber his Network with a new Prefix.

The goal is to maximize route Aggregation, allowing each SP to summarize all its clients with one or a few Prefixes. This is what we call Provider Assigned (PA) Prefixes.

Figure: Provider Assigned Address. ISP1 summarizes 2001:db8::/32 and ISP2 summarizes 2001:db9::/32; the customer holds 2001:db8:1::/48 from ISP1 and 2001:db9:100::/48 from ISP2.

1.8.2 Multihoming Issue and solutions

This works very well as long as a customer does not want to use more than one SP for Redundancy, or for other reasons like the best price in different regions of the world for instance. In this case, the customer will have to deal with multiple Prefixes. Again, this is not a problem, as any IPv6 interface can be configured with multiple Prefixes.

The problem is for resiliency and load-balancing.

There is a Flash animation in my Free On-Line Tutorial Fundamentals #2.
  • 18. 1.8.3 Provider Independent Addresses

Figure: a multihomed customer with the PA prefixes 2001:db8:1::/48 (from ISP1) and 2001:db9:100::/48 (from ISP2), using 2001:db8:1:99:42:345F:1:1/64 towards ISP1 and 2001:db9:100:99:42:345F:1:1/64 towards ISP2. Panels: "A session is started", "Better route from ISP2", "Dest thru ISP2 is no longer reachable", "The session fails", "A new session must be started".

The best solution, which may be expensive in some regions, is the Provider Independent (PI) Prefixes. In this case your RIR will allocate a Prefix to the end-user, who is authorized to advertise its own prefix to multiple SPs.

Below is an example. 2001:678:e01::/48 has been assigned to this company and the same prefix is advertised to SP ACME and SP ABC! So each of these SPs will have to advertise this Prefix in the IPv6 Internet, as it does not fall under the summaries of each SP.

They have been available since 2009, and we can see that the number of IPv6 prefixes has started to increase tremendously since this date. First, because there was no solution to this problem before, and then because we cannot Aggregate the PI Prefix: it punches a hole in the summary address of each SP, where it does not fall into one of its summaries and must be advertised independently.

It is seen as a short term solution, as a long term solution should permit maximum aggregation and must be managed by Hosts or Routers.
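The PA versus PI trade-off of sections 1.8.1 to 1.8.3, checked in code as an added example (not the book's): given the ISP summaries and the customer prefixes, it reports which customer prefix a summary covers and which one punches a hole and has to travel in the global table as its own route. The prefixes are the ones used in the book's figures; the function names are this example's.

```python
import ipaddress


def covering_summary(prefix: str, summaries):
    """Return the ISP summary that aggregates `prefix`, or None when no summary covers it."""
    p = ipaddress.IPv6Network(prefix)
    for s in summaries:
        s = ipaddress.IPv6Network(s)
        if p.subnet_of(s):
            return s
    return None


def announcement(prefix: str, isp_summary: str) -> str:
    """How an ISP that carries `prefix` has to announce it to the rest of the Internet."""
    if ipaddress.IPv6Network(prefix).subnet_of(ipaddress.IPv6Network(isp_summary)):
        return "covered by summary"
    return "separate route (punches a hole in the summary)"


def internet_table(isp_summaries, customer_prefixes):
    """Routes the global table ends up with: every ISP summary, plus every customer prefix that no
    summary covers (PI space, or PA space announced through the other provider)."""
    table = {ipaddress.IPv6Network(s) for s in isp_summaries}
    for c in customer_prefixes:
        if covering_summary(c, isp_summaries) is None:
            table.add(ipaddress.IPv6Network(c))
    return [str(n) for n in sorted(table)]


if __name__ == "__main__":
    isps = ["2001:db8::/32", "2001:db9::/32"]          # ISP1 and ISP2 summaries from the figures
    customers = ["2001:db8:1::/48",                    # PA from ISP1
                 "2001:db9:100::/48",                  # PA from ISP2
                 "2001:678:e01::/48"]                  # PI, advertised to both ACME and ABC
    print(internet_table(isps, customers))
    # a PA prefix announced through the *other* ISP is just as un-aggregatable as PI space:
    print(announcement("2001:db8:1::/48", "2001:db9::/32"))
```

With two ISPs and three customer prefixes, the global table carries three routes instead of two: the PI /48 cannot be folded into either /32, which is the "hole" the text describes. The last line shows that multihoming a PA prefix through a second provider has the same effect.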
  • 19. Figure: PI prefix 2001:678:e01::/48 advertised to both ISP ABC and ISP ACME on the Internet. Inside the company it is split per campus backbone router into /52s (for example 2001:678:e01:3000::/52, 2001:678:e01:3100::/52 and 2001:678:e01:3200::/52), then per building into /56s, with 255 user /64 LANs per Building.

1.8.4 Other Solutions

There are some host based and router based solutions to solve this problem without losing the maximum Aggregation of the PA Prefixes. Some solutions are host based, like shim6 or HIP, which also manage Mobility, and some others are managed by the routers, like LISP.

"The basic idea behind the Loc/ID split is that the current Internet routing and addressing architecture combines two functions: Routing Locators (RLOCs), which describe how a device is attached to the network, and Endpoint Identifiers (EIDs), which define 'who' the device is, in a single numbering space, the IP address. Proponents of the Loc/ID split argue that this "overloading" of functions makes it virtually impossible to build an efficient routing system without forcing unacceptable constraints on end-system use of addresses. Splitting these functions apart by using different numbering spaces for EIDs and RLOCs yields several advantages, including improved scalability of the routing system through greater aggregation of RLOCs. To achieve this aggregation, we must allocate RLOCs in a way that is congruent with the topology of the network ("Rekhter's Law"). Today's 'provider-allocated' IP address space is an example of such an allocation scheme. EIDs, on the other hand, are typically allocated along organizational boundaries. Because the network topology and organizational hierarchies are rarely congruent, it is difficult (if not impossible) to make a single numbering space efficiently serve both purposes without imposing unacceptable constraints (such as requiring renumbering upon provider changes) on the use of that space. LISP, as a specific instance of the Loc/ID split, aims to decouple location and identity. This decoupling will facilitate improved aggregation of the RLOC space, implement persistent identity in the EID space, and, in some cases, increase the security and efficiency of network mobility."
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_11-1/111_lisp.html
  • 20. Chapter 4 IPv6 Header

To summarize the IPv6 Header we could say: longer addresses and a simple, efficient, versatile, flexible, powerful Network Layer! The daisy chained IPv6 Extension header is a major step for any application in the future! Mobile IPv6 is the first example of this power!
  • 21. Section 1 IPv6 Header

Topics
1. IPv6 versus IPv4 headers
2. Path MTU discovery
3. Extension Headers
4. Encapsulations of Packets in Layer 2
  • 22. 1.1 IPv6 vs IPv4 Headers

• No more Fragmentation fields (Fragment ID, Frag Offset, Flags). Fragmentation is no longer performed by Routers but only by the source of the Traffic, and an Extension Header will be used for the Fragmentation information.
• No more Header Checksum, as it was redundant with the Link Layer and Transport Checksum.
• Other fields have been renamed with more explicit names, like Hop Limit instead of TTL.
• The Traffic Class is used instead of ToS/Precedence but still transports a DSCP for QoS.
• IPv6 Addresses are 4 times larger.
• The Protocol field is replaced with a Next Header, as now the Headers can be daisy chained to add several options to a packet!
• A new field pretty much unused so far: the Flow Label. It should be used to identify a flow together with the Source and Destination Addresses. It is not used for two reasons: there is no common agreement to use it in a standard way, and people are scared that a non default Flow Label (0) would give information to hackers about the sensitive traffic!
• The data are aligned on 64 bits for better memory access.

1.2 Path MTU Discovery

Fragmentation is expensive as it consumes resources on the Router or the Host which fragments the packet, and it also consumes resources on the destination host which reassembles the packets. Some Firewall or NAT devices do the reassembly, as they need the information contained in the first fragment, like the Port numbers.

Fragmentation is also a very easy to initiate DoS Attack, as a station sending traffic requiring a lot of Fragmentation or Reassembly can kill this station by overwhelming its CPU!

So Fragmentation is already avoided systematically in IPv4 for all TCP Traffic with a protocol called Path MTU Discovery!

An IPv6 router is not allowed to fragment a packet; only a source of a connection can, including a router if it is the head-end of a tunnel and it encapsulates IPv6 in IPv6, but this is a special case.

The principle is that the station starts sending at the maximum MTU, and every time a Router cannot route the packet because of the MTU, it drops the packet rather than fragmenting and sends an ICMP Report providing the next Link MTU. The source sends the next packet at this MTU, and the operation may eventually be repeated.

MINIMUM MTU FOR IPv6 IS 1280 BYTES

1.3 Extension Headers

The biggest improvement which really gives IPv6 more Flexibility and Versatility is the use of daisy chained Extension Headers. Now it becomes possible to push many headers in an IPv6 packet and, as these Headers are TLV (Type, Length, Value), you can add a new Header Extension to support a new Network Layer Application.

The first great example of what we can do will be introduced in a later Module. This is for Mobile IPv6 and the derived applications.

The Extension Headers are the following and SHOULD follow this order:

• Hop-by-hop. This Option MUST be checked by each router in the path. In IPv4 we had the Router Alert to do the same, and this Router Alert is transported in this Option when needed. It is used by Multicast (IGMP or PIM), RSVP and other applications.

Router Alert Option

The Router Alert Option (RFC2711) tells the router that it must take a look at the packet. It is carried in a hop-by-hop option.

Example:
Frame 3836 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Source: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Type: IPv6 (0x86dd)
  • 23. Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 36
    Next header: IPv6 hop-by-hop option (0x00)
    Hop limit: 1
    Source: fe80::c800:6ff:fea9:1c (fe80::c800:6ff:fea9:1c)
    Destination: ff02::1 (ff02::1)
    Hop-by-Hop Option
        Next header: ICMPv6 (0x3a)
        Length: 0 (8 bytes)
        Router alert: MLD (4 bytes)
        PadN: 2 bytes
Internet Control Message Protocol v6
    Type: 130 (Multicast listener query)
    Code: 0
    Checksum: 0x88d1 [correct]
    Maximum response delay[ms]: 10000
    Multicast Address: ::
    S Flag: OFF
    Robustness: 2
    QQI: 125

• Routing Header. 3 Types. Type 0 and 1 are now deprecated and should not be used anymore, too dangerous. Type 2 is still used by Mobile IPv6.
  o Type 0. There is a list of addresses in the header, and the packet must go through each of the routers listed. There is a pointer for the router to know where in the list we are. The destination IP address of the IP packet is the next hop of the source routing header. This was not the case in IPv4, where the IP source and destination addresses were not modified by source routing. It has been deprecated since RFC5095.
  o Type 1 has been deprecated for a long time.
  o Type 2 is used by Mobile IPv6. It is used to specify the home address of the mobile node. Only one hop!

Example of a capture. Note that the addresses used are the deprecated site-local addresses:
Frame:
+ Ethernet: Etype = IPv6
- Ipv6: Next Protocol = ICMPv6, Payload Length = 64
  + Versions: IPv6, Internet Protocol, DSCP 0
    PayloadLength: 64 (0x40)
    NextProtocol: IPv6 Routing header, 43(0x2b)
    HopLimit: 127 (0x7F)
    SourceAddress: FEC0:0:0:2:2B0:D0FF:FEE9:4133
    DestinationAddress: FEC0:0:0:2:260:97FF:FE02:578F
  - RoutingHeader:
      NextHeader: ICMPv6
      ExtHdrLen: 2(24 bytes)
      RoutingType: 0 (0x0)
      SegmentsLeft: 1 (0x1)
      Reserved: 0 (0x0)
      RouteAddress: FEC0:0:0:1:260:8FF:FE32:F9D8
  Icmpv6: Echo request, ID = 0x0, Seq = 0x3d1a

• Destination options. This Option is only checked by the Destination of the packet. Mobile IPv6 uses this Option. If a routing header is present, it tells what to do to each intermediary router. If there is no routing header, it is only for the final destination.

Example:
Frame 609 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c), Dst: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1010 0000 .... .... .... .... .... = Traffic class: 0x000000a0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 60
    Next header: IPv6 hop-by-hop option (0x00)
    Hop limit: 64
    Source: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b:c801:6ff:fea9:1c (2001:db8:c0a8:b:c801:6ff:fea9:1c)
    Hop-by-Hop Option
        Next header: IPv6 destination option (0x3c)
        Length: 0 (8 bytes)
        PadN: 6 bytes
    Destination Option
        Next header: UDP (0x11)
        Length: 0 (8 bytes)
        PadN: 6 bytes
User Datagram Protocol, Src Port: 57768 (57768), Dst Port: echo (7)
Echo

  o Fragment. If the Source must fragment the packet.
  o IPSec Authentication (AH)
  o IPSec Authentication and Encryption (ESP)
  o Mobility. Used for the signaling of Mobile IPv6.
  o Destination option (if routing absent)
  o Upper layer

Jumbo Payload option

The Jumbo payload option allows for larger datagrams than the 65,536 permitted by plain IPv6. With the Jumbo payload option, it can be up to 4,294,967,295 octets (RFC2675).
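A walker for the Next Header chain described in sections 1.1 to 1.3, added here as an example (not the book's code): it decodes the fixed header, follows the daisy chained extension headers by their TLV lengths, lists the options inside hop-by-hop and destination options headers (Router Alert, PadN, Jumbo Payload), and flags a Routing Header type 0 with segments left, which is the deprecated header a filter should drop. The two sample packets are constructed to mirror the Router Alert and routing-header captures above (same addresses, hop limits and lengths); the function names are this example's.

```python
import ipaddress
import struct

# Next Header values (IANA protocol numbers) for the headers discussed in the text
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DEST_OPTS = 0, 43, 44, 50, 51, 58, 60
NAMES = {0: "hop-by-hop", 43: "routing", 44: "fragment", 50: "ESP", 51: "AH", 58: "ICMPv6",
         60: "destination options", 135: "mobility", 6: "TCP", 17: "UDP"}
ROUTER_ALERT_VALUES = {0: "MLD", 1: "RSVP", 2: "active networks"}   # RFC 2711


def parse_options(data: bytes) -> list:
    """TLV options carried inside hop-by-hop / destination options headers."""
    opts, i = [], 0
    while i < len(data):
        t = data[i]
        if t == 0:                      # Pad1: one byte, no length field
            opts.append("Pad1"); i += 1; continue
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if t == 1:
            opts.append("PadN(%d)" % length)
        elif t == 5:                    # Router Alert
            opts.append("RouterAlert(%s)" % ROUTER_ALERT_VALUES.get(int.from_bytes(value, "big"), "?"))
        elif t == 0xC2:                 # Jumbo Payload, RFC 2675
            opts.append("JumboPayload(%d)" % int.from_bytes(value, "big"))
        else:
            opts.append("option%d(%d)" % (t, length))
        i += 2 + length
    return opts


def parse_ipv6(pkt: bytes) -> dict:
    """Walk the fixed header and the extension header chain; collect what a filter should look at."""
    if len(pkt) < 40:
        raise ValueError("packet shorter than the 40-byte IPv6 header")
    first, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if first >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    out = {"traffic_class": (first >> 20) & 0xFF, "flow_label": first & 0xFFFFF,
           "payload_length": plen, "hop_limit": hlim,
           "src": str(ipaddress.IPv6Address(pkt[8:24])), "dst": str(ipaddress.IPv6Address(pkt[24:40])),
           "chain": [], "warnings": []}
    if plen != len(pkt) - 40:
        out["warnings"].append("payload length does not match the packet size")
    off = 40
    while nh in (HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, AH):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh, ext_len = pkt[off], pkt[off + 1]
        # fragment header is fixed at 8 bytes; AH counts 32-bit words minus 2; the rest count 8-byte units minus 1
        size = 8 if nh == FRAGMENT else (ext_len + 2) * 4 if nh == AH else (ext_len + 1) * 8
        entry = {"type": NAMES[nh], "size": size}
        if nh == HOP_BY_HOP and off != 40:
            out["warnings"].append("hop-by-hop header is not first in the chain")
        if nh in (HOP_BY_HOP, DEST_OPTS):
            entry["options"] = parse_options(pkt[off + 2:off + size])
        if nh == ROUTING:
            entry["routing_type"], entry["segments_left"] = pkt[off + 2], pkt[off + 3]
            if entry["routing_type"] == 0 and entry["segments_left"] > 0:
                out["warnings"].append("routing header type 0 with segments left (deprecated by RFC 5095)")
        out["chain"].append(entry)
        off += size
        nh = next_nh
    out["upper_layer"] = NAMES.get(nh, "protocol %d" % nh)
    return out


def sample_mld_query() -> bytes:
    """Constructed packet mirroring the Router Alert capture: hop-by-hop (Router Alert = MLD, PadN), MLDv2 query."""
    hbh = bytes([ICMPV6, 0]) + bytes([5, 2, 0, 0]) + bytes([1, 0])   # next 58, len 0 (8 bytes), RA(MLD), PadN(0)
    mld = bytes([130, 0, 0, 0]) + (10000).to_bytes(2, "big") + b"\x00\x00" + bytes(16) + bytes([0x02, 125, 0, 0])
    payload = hbh + mld
    src, dst = ipaddress.IPv6Address("fe80::c800:6ff:fea9:1c"), ipaddress.IPv6Address("ff02::1")
    return struct.pack("!IHBB", (6 << 28) | (0xE0 << 20), len(payload), HOP_BY_HOP, 1) + src.packed + dst.packed + payload


def sample_rh0_ping() -> bytes:
    """Constructed packet mirroring the routing-header capture: RH0 with one intermediate address, then an echo request."""
    rh = bytes([ICMPV6, 2, 0, 1]) + bytes(4) + ipaddress.IPv6Address("fec0:0:0:1:260:8ff:fe32:f9d8").packed
    echo = bytes([128, 0, 0, 0, 0, 0, 0x3d, 0x1a])
    payload = rh + echo
    src, dst = ipaddress.IPv6Address("fec0:0:0:2:2b0:d0ff:fee9:4133"), ipaddress.IPv6Address("fec0:0:0:2:260:97ff:fe02:578f")
    return struct.pack("!IHBB", 6 << 28, len(payload), ROUTING, 127) + src.packed + dst.packed + payload


if __name__ == "__main__":
    print(parse_ipv6(sample_mld_query()))
    print(parse_ipv6(sample_rh0_ping()))
```

The first sample parses to a hop-by-hop header carrying RouterAlert(MLD) and PadN with a payload length of 36, as in the capture; the second reports routing type 0 with one segment left and raises the RFC 5095 warning, which is the condition a router or firewall uses to discard RH0 traffic.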
  • 24. 1.4 MAC Encapsulation of IPv6 Packets

Ethernet Protocol Encapsulation

Figure: Dest Ethernet Address | Source Ethernet Address | 0x86DD | IPv6 Datagram.

Protocol: 0x86dd. In IPv4 it was 0x800, and 0x806 for ARP.

1.4.1 Multicast MAC Address Mapping

IPv6 Multicast Address: FF02:0:0:0:0:1:FF90:FE53 (128 bits)
MAC Address: 33:33:FF:90:FE:53 (48 bits)
  • 29. Chapter 5 IPv6 ICMP & Neighbor Discovery

IPv6 ICMP is very similar to IPv4, but Neighbor Discovery, which is encapsulated in ICMPv6, brings many IPv6 key features such as Address Autoconfiguration, Default Router Discovery, or simple functions like an optimized version of ARP!
  • 30. Section 1 ICMPv6 & ND

Topics
1. ICMPv6
   1. Introduction
   2. Error Messages
   3. Echo
   4. Options
2. Neighbor Discovery Protocol
   1. Introduction
   2. ND Packets and Options
   3. Neighbor Discovery (ND)
   4. Duplicate Address Detection (DAD)
   5. Neighbor Unreachability Detection (NUD)
   6. Router Discovery (RD)
   7. Autoconfig (SLAAC)
  • 31. 1 IPv6 ICMP

1.1 Introduction

Figure: ICMPv6 message format. Type | Code | Checksum | Message Body.

ICMPv6 can be used to report problems and to ping a destination.

The Type identifies which kind of packet, which problem we want to report, such as a "Destination Unreachable" or "Echo Request".

The Code gives more details about the problem. Why is the destination unreachable? A problem with the destination address? The port? Filtered by an ACL? When ICMP is used to transport other protocols like "Neighbor Discovery" (next chapter), the code is null.

ICMPv6 manages much more in IPv6 than its IPv4 counterpart. For instance, Neighbor Discovery and Multicast Listener Discovery are now part of ICMPv6.

Much ICMP Information is provided in some standard ICMP Options, which are Mandatory with some requests.

1.2 ICMP Error Messages

Error Messages:
Destination Unreachable (Type 1)
Packet Too Big (Type 2)
Time Exceeded (Type 3)
Parameter Problem (Type 4)

1.2.1 ICMPv6 Destination Unreachable (Type 1)

    Payload length: 1960
    Next header: IPv6 hop-by-hop option (0x00)
    Hop limit: 64
    Source: 2001:db8::1 (2001:db8::1)
    Destination: 2001:db8::2 (2001:db8::2)
    Hop-by-Hop Option
        Next header: IPv6 destination option (0x3c)
        Length: 0 (8 bytes)
        PadN: 6 bytes
    Destination Option
        Next header: UDP (0x11)
        Length: 0 (8 bytes)
        PadN: 6 bytes
User Datagram Protocol, Src Port: 56486 (56486), Dst Port: echo (7)
    Source port: 56486 (56486)
    Destination port: echo (7)
    Length: 1944
    Checksum: 0xa5bd [unchecked, not all data available]

1.2.2 Packet Too Big (Type 2)

When a datagram is too big to be switched on an interface, an ICMP "Packet Too Big" message must be sent back to the sender. The MTU of the outgoing link is provided.

Frame:
+ Ethernet: Etype = IPv6
- Ipv6: Next Protocol = ICMPv6, Payload Length = 1240
  + Versions: IPv6, Internet Protocol, DSCP 0
    PayloadLength: 1240 (0x4D8)
    NextProtocol: ICMPv6, 58(0x3a)
    HopLimit: 64 (0x40)
    SourceAddress: FEC0:0:0:F282:201:2FF:FE44:87D1
    DestinationAddress: FEC0:0:0:F282:2B0:D0FF:FEE9:4143
- Icmpv6: Packet too big
    MessageType: Packet too big, 2(0x2)
  - PacketTooBig:
      Code: 0 (0x0)
      Checksum: 44349 (0xAD3D)
      MTU: 1280 (0x500)
    - InvokingPacket: Next Protocol = ICMPv6, Payload Length = 1460
      + Versions: IPv6, Internet Protocol, DSCP 0
        PayloadLength: 1460 (0x5B4)
        NextProtocol: ICMPv6, 58(0x3a)
        HopLimit: 63 (0x3F)
        SourceAddress: FEC0:0:0:F282:2B:D0FF:FEE9:4143
        DestinationAddress: FEC0:0:0:0:fredoc0:0:0:1

1.2.3 Time Exceeded (type 3)

If Code = 0: Hop Limit Exceeded in Transit.

  • 32. If Code = 1: Fragment Reassembly Time Exceeded. The receiving station could not reassemble the original datagram within 60 seconds.

1.2.4 Parameter Problem (type 4)

Code
0 - Erroneous header field encountered
1 - Unrecognized Next Header type encountered
2 - Unrecognized IPv6 option encountered

1.3 ICMPv6 Informational Messages

1.3.1 ICMPv6 Echo Request (Type 128)

R0>ping 2001:DB8:C0A8:B:C801:6FF:FEA9:1C
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:C0A8:B:C801:6FF:FEA9:1C, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/19/32 ms

Frame 5219 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c), Dst: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Destination: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Source: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 60
    Next header: ICMPv6 (0x3a)
    Hop limit: 64
    Source: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b:c801:6ff:fea9:1c (2001:db8:c0a8:b:c801:6ff:fea9:1c)
Internet Control Message Protocol v6
    Type: 128 (Echo request)
    Code: 0
    Checksum: 0x401b [correct]
    ID: 0x062b
    Sequence: 0x0002
    Data (52 bytes)

1.3.2 Echo Reply (Type 129)

Frame 5220 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Destination: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 60
    Next header: ICMPv6 (0x3a)
    Hop limit: 64
    Source: 2001:db8:c0a8:b:c801:6ff:fea9:1c (2001:db8:c0a8:b:c801:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
Internet Control Message Protocol v6
    Type: 129 (Echo reply)
    Code: 0
    Checksum: 0x3f1b [correct]
    ID: 0x062b
    Sequence: 0x0002
    Data (52 bytes)

1.4 Other Protocols supported by ICMP

ICMPv6 also supports Neighbor Discovery, Secured Neighbor Discovery, MLDv1 and MLDv2 for Multicast.

We are going to study ND in the next paragraph and Multicast later in this book. This will be an Intro to Multicast for IPv6 only, as I will develop Multicast for IPv6 in another book.

Please note that in IPv6 the packet which triggers the MAC Address resolution is not dropped but buffered, waiting for the resolution. This could be a potential target for a DoS attack, but you can see ping reached 100% even the first time you ping a destination.
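The ICMPv6 messages of sections 1.1 to 1.3, built and decoded as an added example (not the book's code): it computes the checksum over the IPv6 pseudo-header, which is what the "[correct]" in the captures refers to, builds an Echo Request and a Packet Too Big with the book's sizes, and on decode names the type and code, verifies the checksum and rejects a Packet Too Big whose MTU is below the 1280-byte IPv6 minimum, which a PMTUD sender must ignore. Addresses, IDs and lengths are taken from the captures above; the invoking packet is constructed; the function names are this example's.

```python
import ipaddress
import struct

ICMPV6 = 58
IPV6_MIN_MTU = 1280
TYPE_NAMES = {1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
              4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply"}
CODE_NAMES = {
    3: {0: "Hop Limit exceeded in transit", 1: "Fragment reassembly time exceeded"},
    4: {0: "Erroneous header field encountered", 1: "Unrecognized Next Header type encountered",
        2: "Unrecognized IPv6 option encountered"},
}


def icmpv6_checksum(src: str, dst: str, message: bytes) -> int:
    """One's-complement checksum over the IPv6 pseudo-header (src, dst, upper-layer length,
    next header 58) followed by the ICMPv6 message (RFC 4443 section 2.3)."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(message), ICMPV6))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def finish(src: str, dst: str, message: bytes) -> bytes:
    """Fill the checksum field (bytes 2-3) of a message built with a zero checksum."""
    csum = icmpv6_checksum(src, dst, message[:2] + b"\x00\x00" + message[4:])
    return message[:2] + struct.pack("!H", csum) + message[4:]


def build_echo_request(src: str, dst: str, ident: int, seq: int, data: bytes = b"") -> bytes:
    return finish(src, dst, struct.pack("!BBHHH", 128, 0, 0, ident, seq) + data)


def build_packet_too_big(src: str, dst: str, mtu: int, invoking_packet: bytes) -> bytes:
    # the invoking packet is truncated so that the whole error message fits in the minimum MTU
    body = struct.pack("!BBHI", 2, 0, 0, mtu) + invoking_packet[:IPV6_MIN_MTU - 40 - 8]
    return finish(src, dst, body)


def decode(src: str, dst: str, message: bytes) -> dict:
    t, c = message[0], message[1]
    out = {"type": TYPE_NAMES.get(t, "type %d" % t), "code": CODE_NAMES.get(t, {}).get(c, c),
           # with a correct checksum the sum over the whole message, checksum field included, folds to zero
           "checksum_ok": icmpv6_checksum(src, dst, message) == 0}
    if t == 2:
        mtu = struct.unpack("!I", message[4:8])[0]
        out["mtu"] = mtu
        # PMTUD must never honour an MTU below 1280: such a report is bogus (or hostile) and is ignored
        out["mtu_valid"] = mtu >= IPV6_MIN_MTU
    elif t in (128, 129):
        out["id"], out["seq"] = struct.unpack("!HH", message[4:8])
    return out


if __name__ == "__main__":
    src, dst = "2001:db8:c0a8:b:c800:6ff:fea9:1c", "2001:db8:c0a8:b:c801:6ff:fea9:1c"
    req = build_echo_request(src, dst, 0x062B, 2, bytes(52))      # 8 + 52 = 60 bytes, as in Frame 5219
    print(decode(src, dst, req))
    big = b"\x60" + bytes(1499)                                   # constructed 1500-byte invoking packet
    ptb = build_packet_too_big("fec0:0:0:f282:201:2ff:fe44:87d1", "fec0:0:0:f282:2b0:d0ff:fee9:4143", 1280, big)
    print(len(ptb), decode("fec0:0:0:f282:201:2ff:fe44:87d1", "fec0:0:0:f282:2b0:d0ff:fee9:4143", ptb))
```

The Packet Too Big built here is 1240 bytes long, exactly the payload length shown in the Netmon capture above: 8 bytes of ICMPv6 header plus as much of the offending packet as fits in 1280 bytes after the 40-byte IPv6 header.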
  • 33. 2 Neighbor Discovery Protocol

2.1 Introduction

IPv6 Nodes on the same link use NDP (RFC4861, RFC4862) to discover each other's presence and link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors. Both hosts and routers use NDP.

Its functions include Neighbor Discovery (ND) and MAC or Layer 2 Address Resolution, Router Discovery (RD), Address Autoconfiguration, Address Resolution, Neighbor Unreachability Detection (NUD), Duplicate Address Detection (DAD), and Redirection. It is much more sophisticated than ARP was and uses a Finite State Machine (FSM) to manage its Neighbor Cache.

2.1.1 NDP uses 5 messages (PDU) and 5 Options.

2.1.1.1 The 5 base PDUs are:
Neighbor Solicitation (NS) / Advertisement (NA)
Router Solicitation (RS) / Advertisement (RA)
Redirection

2.1.1.2 The 5 Options:
Source Link-Layer Address (SLLA). Option 1
Target Link-Layer Address (TLLA). Option 2
Prefix Information. Option 3
Redirected Header. Option 4
MTU. Option 5

2.2 ND PACKETS AND OPTIONS

2.2.1 ND Packets

2.2.2 Router Solicitation

Sent by a host to get information from local routers.

MAC Layer
  Source MAC Address is the NIC address
  Destination is the all-routers MAC address 33-33-00-00-00-02
IPv6 Layer
  Link-local or unspecified IPv6 source address
  Link-local all-routers IPv6 address as destination
ICMPv6 Layer
  Type 133
  Code 0
  ICMPv6 Checksum
  Source Link-Layer Address option
    ICMPv6 Option (Source link-layer address)
      Type: Source link-layer address (1)
      Length: 8
      Link-layer address: ca:02:06:a9:00:54
2.2.3 Router Advertisement

Sent on a regular basis or as an answer to a Router Solicitation.

Ethernet Layer
  Source MAC of the sending NIC
  Destination will be 33-33-00-00-00-01 (all-nodes) or unicast
IPv6 Layer
  Link-local source
  Destination will be all-nodes FF02::1, or the unicast address of the station which sent the Router Solicitation
  Hop Limit 255
ICMPv6 Layer
  Router Advertisement: Type 134, Code 0, Checksum
  Current Hop Limit
  Managed Address Configuration flag (M) for stateful DHCPv6
  Other Configuration flag (O) for stateless DHCPv6
  Router Lifetime
  Reachable Time
  Retransmission Timer
  Options: Source Link-Layer Address, MTU, Prefix Information (one per prefix), Advertisement Interval and Home Agent Information (Mobile IPv6), Route Information (RFC 4191), Recursive DNS Server (RFC 6106)

A complete RA capture (Frame 56) is shown under 2.2.7.1 below.

2.2.4 Neighbor Solicitation

Used to ask for the link-layer address of a neighbor.

Source Address: either an address assigned to the interface from which this message is sent or, if Duplicate Address Detection is in progress, the unspecified address.
Destination Address: either the solicited-node multicast address corresponding to the target address, or the target address itself.
Hop Limit is 255.
ICMPv6 Layer
  Type 135
  Code 0
  Target Address
  Possible Option: Source Link-Layer Address

  Frame 5344 (86 bytes on wire, 86 bytes captured)
  Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Destination: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Type: IPv6 (0x86dd)
  Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c801:6ff:fea9:1c (fe80::c801:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
  Internet Control Message Protocol v6
    Type: 135 (Neighbor solicitation)
    Code: 0
    Checksum: 0x6230 [correct]
    Target: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
    ICMPv6 Option (Source link-layer address)
      Type: Source link-layer address (1)
      Length: 8
      Link-layer address: ca:01:06:a9:00:1c

Note that this NS is sent to the target's unicast IPv6 and MAC addresses, with a link-local source: it is a Neighbor Unreachability Detection probe for an entry already in the cache, not a first address resolution, which would go to the solicited-node multicast address ff02::1:ffa9:1c (MAC 33:33:ff:a9:00:1c).

2.2.5 Neighbor Advertisement

They can be solicited or unsolicited.

ICMPv6 Layer
  Type 136
  Code 0
  Router flag (R): set if the sender is a router
  Solicited flag (S): set if this is the answer to a Neighbor Solicitation
  Override flag (O): set if the receiver must overwrite an existing cache entry with the new link-layer address
  Target Address: for solicited advertisements, the Target Address field of the Neighbor Solicitation that prompted this advertisement; for an unsolicited advertisement, the address whose link-layer address has changed. The Target Address MUST NOT be a multicast address.
  Possible Option: Target Link-Layer Address

A NA capture (Frame 25) is shown under 2.2.7.2 below.

2.2.6 Redirect

Informs a neighbor of a better next hop to reach a particular destination. Redirect messages can be dangerous (a rogue node on the link can use them to put itself on the path of your traffic) and can be ignored by configuration on most platforms (Windows, Mac OS X, Linux).

Source Address: MUST be the link-local address of the router sending the Redirect.
Destination Address: the source address of the packet which triggered the Redirect.
Hop Limit is 255.
ICMPv6 Layer
  Type 137
  Code 0
  Target Address: the better first hop, or the destination itself if it is on-link
  Destination Address: the destination which is being redirected
  Possible Options: Target Link-Layer Address, Redirected Header

  Frame 92 (214 bytes on wire, 214 bytes captured)
  Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:02:06:a9:00:1c (ca:02:06:a9:00:1c)
    Destination: ca:02:06:a9:00:1c (ca:02:06:a9:00:1c)
    Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Type: IPv6 (0x86dd)
  Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 160
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c801:6ff:fea9:1c (fe80::c801:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b::1 (2001:db8:c0a8:b::1)
  Internet Control Message Protocol v6
    Type: 137 (Redirect)
    Code: 0
    Checksum: 0xd231 [correct]
    Target: 2001:db8:c0a8:a:c800:6ff:fea9:1c (2001:db8:c0a8:a:c800:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:a:c800:6ff:fea9:1c (2001:db8:c0a8:a:c800:6ff:fea9:1c)
    ICMPv6 Option (Target link-layer address)
      Type: Target link-layer address (2)
      Length: 8
      Link-layer address: ca:00:06:a9:00:1c
    ICMPv6 Option (Redirected header)
      Type: Redirected header (4)
      Length: 112
      Reserved: 0 (correct)
      Redirected packet
        Internet Protocol Version 6
          0110 .... = Version: 6
          .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
          .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
          Payload length: 60
          Next header: ICMPv6 (0x3a)
          Hop limit: 63
          Source: 2001:db8:c0a8:b::1 (2001:db8:c0a8:b::1)
          Destination: 2001:db8:c0a8:a:c800:6ff:fea9:1c (2001:db8:c0a8:a:c800:6ff:fea9:1c)
        Internet Control Message Protocol v6
          Type: 128 (Echo request)
          Code: 0
          Checksum: 0xbce7 [correct]
          ID: 0x22ef
          Sequence: 0x0004
          Data (52 bytes)

In this capture the Target and the Destination are the same address: the router (fe80::c801:6ff:fea9:1c) tells 2001:db8:c0a8:b::1 that 2001:db8:c0a8:a:c800:6ff:fea9:1c is a neighbor on the same link, even though it belongs to another /64, and gives its MAC address in the TLLA option so that the host does not even need to resolve it. The Redirected Header option carries the echo request which triggered the Redirect.

2.2.7 Neighbor Discovery Options

2.2.7.1 Source Link-Layer Address Option (Type 1)

Used by Router Solicitation, Neighbor Solicitation and Router Advertisement. The RA below carries it together with the MTU and Prefix Information options; it is the capture referenced by the following sections.

  Frame 56 (118 bytes on wire, 118 bytes captured)
  Ethernet II, Src: ca:02:06:a9:00:54 (ca:02:06:a9:00:54), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Source: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Type: IPv6 (0x86dd)
  Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 64
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
    Destination: ff02::1 (ff02::1)
  Internet Control Message Protocol v6
    Type: 134 (Router advertisement)
    Code: 0
    Checksum: 0x9040 [correct]
    Cur hop limit: 64
    Flags: 0x00
    Router lifetime: 1800
    Reachable time: 0
    Retrans timer: 0
    ICMPv6 Option (Source link-layer address)
      Type: Source link-layer address (1)
      Length: 8
      Link-layer address: ca:02:06:a9:00:54
    ICMPv6 Option (MTU)
      Type: MTU (5)
      Length: 8
      MTU: 1500
    ICMPv6 Option (Prefix information)
      Type: Prefix information (3)
      Length: 32
      Prefix length: 64
      Flags: 0xc0
      Valid lifetime: 2592000
      Preferred lifetime: 604800
      Prefix: 2001:db8:c0a8:3::

2.2.7.2 Target Link-Layer Address Option (Type 2)

Used by Neighbor Advertisement and Redirect packets.

  Frame 25 (86 bytes on wire, 86 bytes captured)
  Ethernet II, Src: ca:01:06:a9:00:54 (ca:01:06:a9:00:54), Dst: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Destination: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Source: ca:01:06:a9:00:54 (ca:01:06:a9:00:54)
    Type: IPv6 (0x86dd)
  Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c801:6ff:fea9:54 (fe80::c801:6ff:fea9:54)
    Destination: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
  Internet Control Message Protocol v6
    Type: 136 (Neighbor advertisement)
    Code: 0
    Checksum: 0x5f24 [correct]
    Flags: 0xe0000000
    Target: fe80::c801:6ff:fea9:54 (fe80::c801:6ff:fea9:54)
    ICMPv6 Option (Target link-layer address)
      Type: Target link-layer address (2)
      Length: 8
      Link-layer address: ca:01:06:a9:00:54

Flags 0xe0000000 means Router, Solicited and Override are all set: the answering node is a router replying to a NS and asks the requester to overwrite any cached MAC for this target.

2.2.7.3 Prefix Information Option (Type 3)

Can be sent with a Router Advertisement to advertise prefixes. More than one prefix can be included (one option per prefix).

Type: 3.
Length: 4 (in units of 8 octets, i.e. 32 bytes, which is what the capture above shows).
Prefix Length: 8 bits. Generally 64.
On-Link flag (L): 1 bit. The prefix can be used for on-link determination, i.e. addresses in this prefix are reachable directly on this link.
Autonomous flag (A): 1 bit. The prefix can be used to derive an address during SLAAC.
Router Address flag (R): defined in RFC 3775 for Mobile IPv6.
Site Prefix flag: from an Internet-Draft that was never standardized.
Valid Lifetime: how long an address derived from this prefix remains valid without being refreshed before it is removed from the interface. A value of all ones (0xffffffff) represents infinity (for static addresses).
Preferred Lifetime: if not refreshed and the preferred timer expires, the address becomes deprecated and cannot be used to establish a new connection, but it is still valid for existing ones. A value of all ones represents infinity (for static addresses).
Prefix: 128 bits.

In the RA of Frame 56 above the flags are 0xc0, i.e. L and A both set, with a valid lifetime of 30 days (2592000 s) and a preferred lifetime of 7 days (604800 s) for 2001:db8:c0a8:3::/64.

2.2.7.4 Redirected Header Option (Type 4)

It is only used in the ND Redirect packet and carries as much of the redirected packet as fits without the Redirect exceeding the minimum IPv6 MTU of 1280 bytes. See Frame 92 under 2.2.6: the option (Length 112) contains the echo request which triggered the Redirect.

2.2.7.5 MTU Option (Type 5)

Used in the ND Router Advertisement so that all nodes on the link use the same MTU (the RA above advertises 1500). The ICMPv6 Packet Too Big message used by Path MTU Discovery carries the MTU in its own header field, not as an ND option.

2.2.7.6 Route Information Option (Type 24)

Sent in Router Advertisements (see RFC 4191). It is used to give a preference to a router and to advertise more specific routes (a router SHOULD NOT send more than 17 Route Information options). This SHOULD NOT be the default behavior.

2.2.7.7 DNS Server Option (Type 25)

DNS server addresses can also be advertised in RAs with the Recursive DNS Server (RDNSS) option (RFC 5006, obsoleted by RFC 6106). This is a very simple option with Length, Lifetime and the addresses of all the DNS servers. So you do not need to set up stateless DHCPv6 just to advertise the DNS server addresses! With Linux it can be advertised by the radvd daemon.

2.3 Neighbor Discovery

IPv6 uses ND to manage its Neighbor Cache. This includes resolving the MAC address of the neighbor and checking its reachability (NUD).

Neighbor Discovery uses Neighbor Solicitation (NS) and Neighbor Advertisement (NA). NS are used to discover the neighbor's MAC address, to check whether our new address is a duplicate (DAD), or to check whether a neighbor is still reachable (NUD).
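The three uses of a Neighbor Solicitation listed above (address resolution, DAD and NUD) differ only in the source and destination addresses and in whether the SLLA option is present. The following Python program is an added example, not code from the book: it computes the solicited-node multicast address and its Ethernet MAC, builds each kind of NS with its ICMPv6 checksum (pseudo-header included) and validates it as a receiver would. The addresses and MACs are those of the Ubuntu capture in 2.3.1; the packet bytes themselves are constructed here, not captured.

```python
# Added example, not from the book: build and check the three kinds of
# Neighbor Solicitation (address resolution, DAD, NUD) with the Python
# standard library only. Addresses and MACs come from the Ubuntu capture in
# 2.3.1; the packet bytes are constructed here, not captured.
import ipaddress
import struct
from typing import Optional

ND_NS = 135          # ICMPv6 type: Neighbor Solicitation
OPT_SLLA = 1         # ND option: Source Link-Layer Address


def solicited_node(addr: str) -> str:
    """RFC 4291: ff02::1:ffXX:XXXX, the low 24 bits copied from the address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24))


def mcast_mac(addr: str) -> str:
    """RFC 2464: 33:33 followed by the low 32 bits of an IPv6 multicast address."""
    low32 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def icmpv6_checksum(src: str, dst: str, payload: bytes) -> int:
    """One's-complement sum over the IPv6 pseudo-header (src, dst, length,
    next header 58) and the ICMPv6 message; 0 when verifying a correct packet."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(payload), 58))
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ns(src: str, dst: str, target: str, slla: Optional[str]) -> bytes:
    """ICMPv6 NS: type, code, checksum, 4 reserved bytes, target, optional SLLA."""
    body = struct.pack("!BBHI", ND_NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    if slla is not None:   # option length 1 = 8 octets: 2 header bytes + 6 MAC bytes
        body += struct.pack("!BB", OPT_SLLA, 1) + bytes.fromhex(slla.replace(":", ""))
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def ns_for(purpose: str, own_addr: str, own_mac: str, target: str):
    """Return (ipv6 src, ipv6 dst, ethernet dst, ICMPv6 bytes) for the three
    uses of NS in the text (RFC 4861 s.7.2.2 and 7.3, RFC 4862 s.5.4)."""
    if purpose == "resolve":      # first contact: multicast to the solicited-node group
        src, dst, slla = own_addr, solicited_node(target), own_mac
    elif purpose == "dad":        # tentative address: unspecified source, no SLLA option
        src, dst, slla = "::", solicited_node(target), None
    elif purpose == "nud":        # cached neighbor: unicast probe to its address
        src, dst, slla = own_addr, target, own_mac
    else:
        raise ValueError(purpose)
    eth_dst = mcast_mac(dst) if dst.startswith("ff02:") else "<MAC from the neighbor cache>"
    return src, dst, eth_dst, build_ns(src, dst, target, slla)


def parse_ns(src: str, dst: str, pkt: bytes) -> dict:
    """Validate an NS as a receiver would (RFC 4861 s.7.1.1) and decode it."""
    if len(pkt) < 24 or pkt[0] != ND_NS or pkt[1] != 0:
        raise ValueError("not a Neighbor Solicitation")
    target = ipaddress.IPv6Address(pkt[8:24])
    if target.is_multicast:
        raise ValueError("target must not be a multicast address")
    slla, off = None, 24
    while off < len(pkt):                      # walk the TLV options
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0:
            raise ValueError("zero-length option: the packet must be dropped")
        if otype == OPT_SLLA:
            slla = ":".join(f"{b:02x}" for b in pkt[off + 2:off + 8])
        off += olen
    if src == "::" and (slla is not None or not dst.startswith("ff02:")):
        raise ValueError("DAD NS must go to the solicited-node group without SLLA")
    return {"target": str(target), "slla": slla,
            "checksum_ok": icmpv6_checksum(src, dst, pkt) == 0}


if __name__ == "__main__":
    me, my_mac = "fe80::f6ca:e5ff:fe44:10ef", "f4:ca:e5:44:10:ef"
    peer = "2a01:e35:2f26:d340:e:6a75:6c8c:e4ac"
    for purpose, target in (("resolve", peer), ("dad", me), ("nud", peer)):
        src, dst, eth_dst, pkt = ns_for(purpose, me, my_mac, target)
        print(f"{purpose:7} {src} -> {dst} ({eth_dst}) "
              f"{len(pkt)} bytes {parse_ns(src, dst, pkt)}")
```

Run it and compare with the capture in 2.3.1: the "resolve" case yields the destination ff02::1:ff8c:e4ac and a 32-byte ICMPv6 payload, exactly the Payload length shown by Wireshark, while the DAD solicitation is 8 bytes shorter because the SLLA option is forbidden when the source is unspecified.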
2.3.1 MAC Address Resolution

When a host needs to send a packet to a destination, it first checks whether the destination is a neighbor (on-link). In this case it sends the packet directly to the neighbor. There is an algorithm for this check, based on the on-link prefix list learned from the RAs, as there can be many prefixes on the same cable.

Once this is verified, the host creates an entry in the Neighbor Cache with state INCOMPLETE and the IPv6 address of the destination, and sends a Neighbor Solicitation to the solicited-node multicast address of that destination. The NS carries the MAC address of the requester in the SLLA option to save the reverse resolution (shown in red in the book).

Example of NS/NA between two Ubuntu hosts:

2.3.1.1 Neighbor Solicitation

  Internet Protocol Version 6, Src: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef), Dst: ff02::1:ff8c:e4ac (ff02::1:ff8c:e4ac)
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef)
    [Source SA MAC: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)]
    Destination: ff02::1:ff8c:e4ac (ff02::1:ff8c:e4ac)
  Internet Control Message Protocol v6
    Type: Neighbor Solicitation (135)
    Code: 0
    Checksum: 0xc88d [correct]
    Reserved: 00000000
    Target Address: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac
    ICMPv6 Option (Source link-layer address : f4:ca:e5:44:10:ef)
      Type: Source link-layer address (1)
      Length: 1 (8 bytes)
      Link-layer address: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)

The destination ff02::1:ff8c:e4ac is the solicited-node multicast address of the target: ff02::1:ff00:0/104 followed by the low 24 bits of the target address (8c:e4ac).

2.3.1.2 Neighbor Advertisement

  Internet Protocol Version 6, Src: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac, Dst: fe80::f6ca:e5ff:fe44:10ef
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac (2a01:e35:2f26:d340:e:6a75:6c8c:e4ac)
    Destination: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef)
    [Destination SA MAC: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)]
  Internet Control Message Protocol v6
    Type: Neighbor Advertisement (136)
    Code: 0
    Checksum: 0xe1ad [correct]
    Flags: 0x60000000
      0... .... .... .... .... .... .... .... = Router: Not set
      .1.. .... .... .... .... .... .... .... = Solicited: Set
      ..1. .... .... .... .... .... .... .... = Override: Set
      ...0 0000 0000 0000 0000 0000 0000 0000 = Reserved: 0
    Target Address: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac
    ICMPv6 Option (Target link-layer address : 00:0c:29:30:33:86)
      Type: Target link-layer address (2)
      Length: 1 (8 bytes)
      Link-layer address: Vmware_30:33:86 (00:0c:29:30:33:86)

Please note the flags in the NA: a Router bit if the sender is a router, a Solicited bit if this is the reply to a solicitation (NS), and the Override bit to allow the replacement of an existing cache entry. This is why the display of your neighbor cache table tells you whether an entry is a router.

The requester provides its MAC address in the SLLA option. The replier provides its MAC address in the TLLA option. Once it has received the answer, the requester updates the neighbor's MAC address from the reply and sets the neighbor state to REACHABLE.
If the neighbor does not reply, the host retries up to MAX_MULTICAST_SOLICIT (default: 3) multicast solicitations, with RETRANS_TIMER (default: 1 second) between two requests, and if no reply is received it clears the entry from the cache; the packets queued on the entry are dropped and an ICMPv6 Destination Unreachable (address unreachable) is returned to the sender. MAX_UNICAST_SOLICIT (default: 3) is the equivalent limit for the unicast probes of NUD described in 2.5.

2.4 Duplicate Address Detection (DAD)

This process is used when an interface comes up and every time a new address is added on an IPv6 interface. Its purpose is to check that the new address is not a duplicate. It is a local process, so the check is only done on the link where the address is added.

This is a very simple process: we just send a NS to our own solicited-node multicast address, asking for the MAC address of our newly configured (tentative) address, with the unspecified source address :: and without the SLLA option. We expect NO ANSWER.

If somebody answers, it means that there is another "myself" on the network and my address is a duplicate. The same conclusion is reached if we receive another node's DAD NS (source ::) for the same target: two nodes are trying the same address at the same time.

If no NA is received, the address is unique; the node then sends an unsolicited NA to announce the address (as the Cisco log below shows) and initializes it. We can see the DAD process in the capture at the very beginning, using the unspecified source address ::.

DAD example on a Cisco router:

  ICMPv6-ND: L3 came up on GigabitEthernet0/2
  IPv6-Addrmgr-ND: DAD request for 2000:1::1 on GigabitEthernet0/2
  ICMPv6-ND: Sending NS for 2000:1::1 on GigabitEthernet0/2
  IPv6-Addrmgr-ND: DAD: 2000:1::1 is unique.
  ICMPv6-ND: Sending NA for 2000:1::1 on GigabitEthernet0/2
  IPv6-Address: Address 2000:1::1/64 is up on GigabitEthernet0/2

DAD ATTACK: the DAD process can be the target of a local attacker. The bad guy just listens to all the Neighbor Solicitation messages and replies to all of them as if every address were already in use. DAD fails and the interface is disabled for IPv6. You can get a tool which performs a DAD attack from the THC web site: http://www.thc.org/thc-ipv6/

2.5 Neighbor Unreachability Detection (NUD)

As long as the host communicates with this neighbor, the upper layer (for instance TCP receiving an acknowledgement) resets the reachable timer, so it never expires and the neighbor remains in the state REACHABLE.

If the upper layer stops communicating with the neighbor for the Reachable Time (default: 30 seconds), the entry moves to the STALE state. Then the host does nothing until a packet is sent to the neighbor. When a packet is sent to this neighbor, the entry is moved to the DELAY state (default: 5 seconds) to give the upper-layer protocol some time to confirm the availability of the neighbor.

If no positive confirmation is received, the entry is moved to PROBE and the host starts sending unicast NS to the neighbor (probes) every Retransmit Timer (default: 1 second). After MAX_UNICAST_SOLICIT (default: 3) attempts, the neighbor is considered unreachable and its entry is cleared from the cache.

Figure 6.16 Address Autoconfiguration States (Tentative, Preferred, Deprecated, Invalid, with the Preferred Lifetime and Valid Lifetime timers)
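To make the timers and states above concrete, here is an added example (my own code, not the book's) that models the Neighbor Cache state machine of RFC 4861 on a virtual clock: address resolution that fails after MAX_MULTICAST_SOLICIT probes, the REACHABLE to STALE to DELAY to PROBE path, and how the R, S and O flags of a received NA are applied to an existing entry. The timer values are the RFC 4861 defaults quoted in the text; the neighbor addresses and MACs are made up.

```python
# Added example, not from the book: a model of the Neighbor Cache state machine
# (RFC 4861 s.7.2.5, 7.3.3 and 10) driven by a virtual clock, so the
# INCOMPLETE -> REACHABLE -> STALE -> DELAY -> PROBE -> deleted path and the
# effect of the NA flags can be checked without a network.
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 4861 s.10 defaults; REACHABLE_TIME and RETRANS_TIMER may be set by a RA.
REACHABLE_TIME = 30          # seconds
RETRANS_TIMER = 1            # seconds between solicitations
DELAY_FIRST_PROBE_TIME = 5   # seconds
MAX_MULTICAST_SOLICIT = 3    # NS during address resolution
MAX_UNICAST_SOLICIT = 3      # NS during NUD probing


@dataclass
class NeighborEntry:
    addr: str
    mac: Optional[str] = None
    state: str = "INCOMPLETE"
    is_router: bool = False
    timer: Optional[int] = None          # virtual time of the next timer event
    probes: int = 0
    sent: List[str] = field(default_factory=list)   # solicitations sent


class NeighborCache:
    """Simulated Neighbor Cache; all times are whole seconds on a virtual clock."""

    def __init__(self):
        self.now = 0
        self.entries = {}
        self.deleted = []      # entries removed after failed resolution or NUD

    def _send_ns(self, e, kind):
        e.sent.append(kind)
        e.probes += 1
        e.timer = self.now + RETRANS_TIMER

    def _delete(self, e):
        del self.entries[e.addr]
        self.deleted.append(e)

    def send_to(self, addr):
        """Upper layer sends a packet to a neighbor (next hop already determined)."""
        e = self.entries.get(addr)
        if e is None:                       # first packet: queue it and resolve
            e = self.entries[addr] = NeighborEntry(addr)
            self._send_ns(e, "multicast NS")
        elif e.state == "STALE":            # give the upper layer a chance first
            e.state, e.timer = "DELAY", self.now + DELAY_FIRST_PROBE_TIME
        return e.state

    def upper_layer_confirmed(self, addr):
        """Positive confirmation (e.g. a TCP ACK) resets the reachable timer."""
        e = self.entries[addr]
        e.state, e.probes, e.timer = "REACHABLE", 0, self.now + REACHABLE_TIME

    def receive_na(self, addr, mac, solicited, override, router):
        e = self.entries.get(addr)
        if e is None:
            return None                     # no entry: an unsolicited NA is ignored
        if e.state == "INCOMPLETE":
            e.mac = mac
            e.state = "REACHABLE" if solicited else "STALE"
        elif mac != e.mac and not override:
            if e.state == "REACHABLE":      # different MAC without O: only demote
                e.state, e.timer = "STALE", None
            return e.state
        else:
            changed = mac != e.mac
            e.mac = mac
            if solicited:
                e.state = "REACHABLE"
            elif changed:
                e.state = "STALE"
        e.is_router, e.probes = router, 0
        e.timer = self.now + REACHABLE_TIME if e.state == "REACHABLE" else None
        return e.state

    def advance(self, seconds):
        """Run the virtual clock and fire the timers of every entry."""
        for _ in range(seconds):
            self.now += 1
            for e in list(self.entries.values()):
                if e.timer is None or e.timer > self.now:
                    continue
                if e.state == "INCOMPLETE":
                    if e.probes < MAX_MULTICAST_SOLICIT:
                        self._send_ns(e, "multicast NS")
                    else:                   # resolution failed: drop queued packets
                        self._delete(e)
                elif e.state == "REACHABLE":
                    e.state, e.timer = "STALE", None
                elif e.state == "DELAY":
                    e.state, e.probes = "PROBE", 0
                    self._send_ns(e, "unicast NS")
                elif e.state == "PROBE":
                    if e.probes < MAX_UNICAST_SOLICIT:
                        self._send_ns(e, "unicast NS")
                    else:                   # neighbor unreachable
                        self._delete(e)


if __name__ == "__main__":
    c, peer = NeighborCache(), "2001:db8::10"
    print(c.now, c.send_to(peer))                                          # INCOMPLETE
    print(c.now, c.receive_na(peer, "00:0c:29:30:33:86", True, True, False))  # REACHABLE
    c.advance(REACHABLE_TIME)
    print(c.now, c.entries[peer].state)                                     # STALE
    print(c.now, c.send_to(peer))                                           # DELAY
    c.advance(DELAY_FIRST_PROBE_TIME + MAX_UNICAST_SOLICIT)
    print(c.now, c.entries.get(peer), c.deleted[0].sent)                    # deleted
```

The model shows why the DAD attack above works at the cache level too: an attacker's NA with the Override flag set and a solicited flag replaces the MAC of an existing REACHABLE entry at once, whereas the same NA without Override only demotes the entry to STALE and the old MAC is kept until a probe fails.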
2.6 Router Discovery

By default the hosts do not have to configure a default router. This is done automatically thanks to the ND protocol. The routers send unsolicited Router Advertisements on a regular basis (the minimum interval is 3 seconds). The hosts listen to the RAs to refresh prefixes or update some parameters. When a host is booting and needs the RA information immediately, it sends a Router Solicitation to the All-Routers multicast address FF02::2.

The RA contains the following information:

o Default link parameters (default Hop Limit, MTU).
o Neighbor Unreachability Detection parameters: Reachable Time and Retransmit Timer. The value zero means unspecified, which actually means that the information configured on the hosts must not be changed by the RA.
o Prefixes available on the link, with timers and flags for each prefix about autoconfiguration (SLAAC, Stateless Address Autoconfiguration).
o Whether the router is a candidate as default gateway (Lifetime, Preference). The Lifetime parameter only says how long this advertisement is valid, without being refreshed, to use this router as a default router candidate. A RA with Lifetime = 0 means "stop using me as your default router immediately"!
o Router IPv6 and MAC addresses.
o DNS server addresses (RFC 6106).
o Whether DHCPv6 is available in the network, and whether it must be used to configure addresses and everything else (M flag) or everything but addresses (O flag).
o Whether the router is a Home Agent (Mobile IPv6).

Figure 6.10 Full DAD Process and UBUNTU Interface Startup
Figure 6.9 NS Sent during DAD Process (UBUNTU)
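The following added example (not from the book) encodes a Router Advertisement with the options discussed in this chapter (SLLA, MTU, Prefix Information, Route Information, RDNSS) and decodes it the way a host does, including the meaning of a zero Reachable Time or Retransmit Timer and of a zero Router Lifetime. The field values in main() mirror the Frame 56 capture of 2.2.7.1; the RDNSS server 2001:db8:c0a8:3::53 and the route 2001:db8:ffff::/48 are assumptions added to exercise those two options. The checksum is left at zero because it needs the IPv6 pseudo-header.

```python
# Added example, not from the book: encode and decode an ICMPv6 Router
# Advertisement and its options with the Python standard library. The values in
# main() mirror the Frame 56 capture (plus an assumed RDNSS server and an assumed
# Route Information option); the bytes are constructed, not captured.
import ipaddress
import struct

ND_RA = 134
OPT_SLLA, OPT_PIO, OPT_MTU, OPT_RIO, OPT_RDNSS = 1, 3, 5, 24, 25
PREFERENCE = {0: "medium", 1: "high", 3: "low"}      # RFC 4191 2-bit Prf field


def opt_slla(mac):
    return struct.pack("!BB", OPT_SLLA, 1) + bytes.fromhex(mac.replace(":", ""))


def opt_mtu(mtu):
    return struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)


def opt_pio(prefix, onlink, autonomous, valid, preferred):
    net = ipaddress.IPv6Network(prefix)
    flags = (0x80 if onlink else 0) | (0x40 if autonomous else 0)
    return (struct.pack("!BBBBIII", OPT_PIO, 4, net.prefixlen, flags, valid, preferred, 0)
            + net.network_address.packed)


def opt_rdnss(lifetime, servers):
    return (struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(servers), 0, lifetime)
            + b"".join(ipaddress.IPv6Address(s).packed for s in servers))


def opt_rio(prefix, lifetime, prf=0):
    net = ipaddress.IPv6Network(prefix)
    nbytes = 0 if net.prefixlen == 0 else 8 if net.prefixlen <= 64 else 16
    return (struct.pack("!BBBBI", OPT_RIO, 1 + nbytes // 8, net.prefixlen, prf << 3, lifetime)
            + net.network_address.packed[:nbytes])


def build_ra(cur_hop_limit, managed, other, router_lifetime, reachable, retrans, options):
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    return struct.pack("!BBHBBHII", ND_RA, 0, 0, cur_hop_limit, flags,
                       router_lifetime, reachable, retrans) + b"".join(options)


def parse_ra(pkt):
    """Decode a RA and its options. 0 in hop limit / reachable / retrans means
    'unspecified, keep the host value'; router_lifetime 0 means 'not a default router'."""
    t, code, _csum, chl, flags, rlife, reach, retrans = struct.unpack("!BBHBBHII", pkt[:16])
    if t != ND_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"cur_hop_limit": chl, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": rlife, "default_router": rlife > 0,
          "reachable_time": reach, "retrans_timer": retrans,
          "slla": None, "mtu": None, "prefixes": [], "routes": [], "dns": []}
    off = 16
    while off < len(pkt):
        otype, olen = pkt[off], pkt[off + 1] * 8
        if olen == 0 or off + olen > len(pkt):
            raise ValueError("bad option length: discard the whole RA (RFC 4861 s.6.1.2)")
        body = pkt[off:off + olen]
        if otype == OPT_SLLA:
            ra["slla"] = ":".join(f"{b:02x}" for b in body[2:8])
        elif otype == OPT_MTU:
            ra["mtu"] = struct.unpack("!I", body[4:8])[0]
        elif otype == OPT_PIO:
            plen, pflags, valid, pref = struct.unpack("!BBII", body[2:12])
            ra["prefixes"].append({"prefix": f"{ipaddress.IPv6Address(body[16:32])}/{plen}",
                                   "onlink": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": pref})
        elif otype == OPT_RIO:
            plen, rflags, life = struct.unpack("!BBI", body[2:8])
            addr = ipaddress.IPv6Address(body[8:olen].ljust(16, b"\x00"))
            ra["routes"].append({"prefix": f"{addr}/{plen}", "lifetime": life,
                                 "preference": PREFERENCE.get((rflags >> 3) & 3, "reserved")})
        elif otype == OPT_RDNSS:
            ra["dns_lifetime"] = struct.unpack("!I", body[4:8])[0]
            ra["dns"] += [str(ipaddress.IPv6Address(body[i:i + 16])) for i in range(8, olen, 16)]
        off += olen      # unknown options are skipped, as RFC 4861 requires
    return ra


if __name__ == "__main__":
    ra = build_ra(64, False, False, 1800, 0, 0, [
        opt_slla("ca:02:06:a9:00:54"), opt_mtu(1500),
        opt_pio("2001:db8:c0a8:3::/64", True, True, 2592000, 604800),
        opt_rdnss(1800, ["2001:db8:c0a8:3::53"]), opt_rio("2001:db8:ffff::/48", 3600, prf=1)])
    for k, v in parse_ra(ra).items():
        print(f"{k:16} {v}")
```

Decoding the header alone is what a rogue-RA detector needs: a RA with router_lifetime 0 from an address you do not know is a router trying to remove your default gateway, and a RA whose prefixes do not match your plan is the rogue-RA case described in 2.7.2.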
2.7 Autoconfiguration (SLAAC)

If you have 2 minutes to follow the whole process, you can watch this quick presentation (Flash video): http://www.ipv6forlife.com/Tutorial/IPv6Startup.html

And if you have 30 minutes and prefer to have all the details of autoconfiguration with IPv6, get this .mov video presentation on the web, the long version of the short Flash presentation, as it lasts about 30 minutes: http://www.youtube.com/watch?v=1DnDqxA7c_g It is also on SlideShare.

The whole process is summarized on the next two figures, from the start when the interface is coming up to the stop when it is ready or disabled!

Figure 6.11 NA Sent during DAD Process (UBUNTU)
2.7.1 Introduction

An IPv6 node must be able to configure its network access unattended, with or without the presence of routers on the link(s). Autoconfiguration was one of the main requirements for IPv6 since day 1.

In any case, if not disabled (on Linux), the workstation performs Stateless Address Autoconfiguration (SLAAC) when the interfaces come up. But a DHCPv6 server can be added to configure addresses and additional information: this is stateful DHCPv6. Additional information without addresses is stateless DHCPv6.

A DHCPv6 server only needs to keep state when it allocates addresses, in order to poll a workstation which did not renew its reservation and get the reserved address back into the pool if the client fails to answer. DHCPv6 will be studied in detail later in this book. Right now we are going to focus on the SLAAC process itself. Just keep in mind that DHCPv6 cannot replace it but is only a complement to SLAAC. For instance, a default route cannot be configured with DHCPv6.

SLAAC is stateless because no state is kept on the router when the default SLAAC is used to configure addresses and anything else on the node.

With each dynamic address there are two timers: the Preferred and the Valid. When the Preferred timer has expired, the address is deprecated but remains valid until the Valid timer expires. A deprecated address is still there and can be used for an existing connection; on the other hand, it cannot be used for a new connection. When the Valid timer has expired, the address is removed from the interface.

2.7.2 SLAAC Process

SLAAC is enabled by default on most platforms. I have seen some Linux distributions where it must be enabled.

It is possible to configure everything statically, which may be interesting for some datacenters where we have only servers and routers to configure. We may then want to configure the addresses manually, and the default route to an HSRP or GLBP virtual IPv6 link-local address, also configured statically. So you will not lose any time with protocols and don't risk anything with rogue devices and advertisements. For instance a rogue RA, DNS or DHCP server can be forged on the local link if an employee wants to break the company network. For the RA, the attacker must be on the local link, since most ND packets, RA included, MUST have Hop Limit = 255 to be valid or they are dropped!

So SLAAC will be performed in most cases and here is the full process. Between A and B on the diagram is the prefix-list verification process detailed below. Let's explain it step by step, or click on the diagram or the link below for a Flash animation: http://www.ipv6forlife.com/Tutorial/IPv6Startup.html

2.7.2.1 Validation of the Link-local Address

The interface is brought up or the host is booting. The interface enters the TENTATIVE mode. No user traffic can be exchanged until we reach the Stop (red) state, which is the end of the SLAAC process.

From the start, we can see that the very first step is to build the link-local address with an EUI-64 or static Interface ID and to verify it using the DAD process. We send a NS to our own solicited-node multicast address for our own IPv6 address and expect no answer. If somebody replies, our link-local address is neither unique nor valid and the interface is disabled for IPv6.

Only if we use SeND do we make two more attempts (with a new CGA) before we quit and log an error: we are most probably under a DoS attack!

2.7.2.2 Send a Router Solicitation

Then the next step is to send a RS to the All-Routers link-local scope multicast address FF02::2. If we don't receive any RA, we try DHCPv6 and exit the SLAAC process. Otherwise, we configure the IPv6 interface from the parameters received in the RA: MTU, Hop Limit, Reachable Time and Retransmit Timer, Router Lifetime, and so on...

2.7.2.3 Check the Prefix-List

The next step is to examine the prefix list, if there is any in the Router Advertisement. If there is a list, we examine each prefix and check that the Autonomous bit (A flag in the capture) is set. The On-Link bit (L flag), also set in the capture, is independent: it only tells the host that the prefix is directly reachable on the link, and RFC 4862 does not require it to derive an address.

Then we must also check the prefix and the timers:

The prefix MUST NOT be the link-local prefix (fe80::/10).
The prefix length plus the Interface ID length MUST be 128 (a /64 prefix with a 64-bit Interface ID).
The Valid Timer MUST be non-null (> 0).
The Valid Timer MUST be >= the Preferred Timer. If the Preferred Lifetime is greater than the Valid Lifetime, the Prefix Information option is ignored; a node MAY wish to log a system management error in this case.

If the bits and timers are OK, we derive an address using any of the configured modes for the Interface ID: static, EUI-64, random temporary, CGA... and we check that this address is unique using DAD. If DAD passes, we initialize the address; otherwise the address is not used. We go to the next prefix until there are no more, and we get back from the prefix-list inspection loop.

The last step is to check whether we need to call a DHCPv6 server to configure addresses and/or other parameters (M and O flags of the RA).

2.8 Renumbering

As we have seen before, with IPv6 the prefix is not allocated to the end user but to the SP. When you change SP, you will need to configure a new prefix in your network. This process is renumbering. With a good design and the right tools it will not be a problem and will not take long to change the prefix of your network.

The principle of renumbering is very simple. We have two prefixes. One is deprecated: its Preferred Lifetime is set to 0. This way no new connection will be established on the addresses derived from this prefix. These addresses can remain deprecated but still valid for the rest of the day, the week or even more! We need to find a reasonable timer value to enable all the users to close their sessions and not force the disconnection.

All the new connections are established on the addresses derived from prefixes which are still preferred. So, when the Valid timer of the old prefix expires and the derived addresses are removed from their interfaces, hopefully there will not be any user still using these addresses. This is how the renumbering process operates.

Note that a host does not let a RA cut the Valid Lifetime of an existing address below two hours unless the RA is authenticated (SeND), precisely so that a rogue RA cannot invalidate addresses at once (RFC 4862, section 5.5.3); a Preferred Lifetime of 0, on the other hand, deprecates the addresses immediately.

3 Additional Information about Prefix Validation in the SLAAC Process

Refreshing the SLAAC address timers:

Once the dynamic addresses have been acquired, they must be refreshed by SLAAC or DHCPv6 or they will become invalid and vanish! Periodic RAs refresh the prefix. With DHCPv6, it is the client which renews or rebinds its address.

o An address which has been derived from a RA must be refreshed by new RAs advertising the same prefix.
o The RA interval must be consistent with the Preferred and the Valid timers for the addresses to be refreshed in time.
o To be used by SLAAC, the Autonomous bit must be set (the On-Link bit is also set in practice); if the Preferred Lifetime is greater than the Valid Lifetime, the Prefix Information option is ignored, and a node MAY wish to log a system management error in this case.

The configuration of a Cisco router for SLAAC. Below is how to configure the routers for the SLAAC process:

  ipv6 nd ra-interval            (200 seconds by default)
  ipv6 nd ra-lifetime            (1800 seconds, or 30 minutes, by default)
  ipv6 nd managed-config-flag    (sets the M flag)
  ipv6 nd other-config-flag      (sets the O flag)
  ipv6 nd prefix <prefix/mask> [Valid] [Preferred] [no-advertise | off-link | no-autoconfig]
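The prefix checks of 2.7.2.3 and the renumbering timers of 2.8 are implemented below as an added example (not the book's code): RFC 4862 section 5.5.3 validation of a Prefix Information option, EUI-64 address derivation, the preferred/deprecated/invalid states, and the two-hour rule that stops an unauthenticated RA from invalidating an existing address at once. The MAC and prefixes are taken from the captures of this chapter; the lifetimes and the clock values are constructed, and DAD is not simulated.

```python
# Added example, not from the book: the Prefix Information checks and the
# address-lifetime rules of RFC 4862 s.5.5.3, applied to a renumbering scenario.
# MAC and prefixes come from the captures earlier in the chapter; the PIO values
# and times are constructed. DAD is not simulated: a freshly formed address is
# only reported as "configured (after DAD)".
import ipaddress

TWO_HOURS = 2 * 3600
INFINITY = 0xFFFFFFFF


def eui64_iid(mac):
    """Modified EUI-64 interface ID: flip the U/L bit, insert ff:fe in the middle."""
    b = bytearray(bytes.fromhex(mac.replace(":", "")))
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def validate_pio(pio, iid_len=64):
    """RFC 4862 s.5.5.3 a) to d): return (usable, reason) for autoconfiguration."""
    net = ipaddress.IPv6Network(pio["prefix"])
    if not pio["autonomous"]:
        return False, "A flag clear: not for SLAAC (the L flag alone is not enough)"
    if net.subnet_of(ipaddress.IPv6Network("fe80::/10")):
        return False, "link-local prefix: ignored"
    if pio["preferred"] > pio["valid"]:
        return False, "preferred > valid lifetime: ignored (log a management error)"
    if net.prefixlen + iid_len != 128:
        return False, "prefix length + interface ID length != 128"
    if pio["valid"] == 0:
        return False, "valid lifetime 0: no new address is formed"
    return True, "ok"


def _until(now, lifetime):
    return float("inf") if lifetime == INFINITY else now + lifetime


class Interface:
    def __init__(self, mac):
        self.iid = eui64_iid(mac)
        self.addrs = {}     # address -> {"valid_until", "preferred_until"}

    def state(self, addr, now):
        e = self.addrs[addr]
        if now >= e["valid_until"]:
            return "invalid"
        return "deprecated" if now >= e["preferred_until"] else "preferred"

    def process_pio(self, pio, now, authenticated=False):
        """Apply one Prefix Information option from a RA received at time now (s)."""
        ok, reason = validate_pio(pio)
        if not ok:
            return reason
        net = ipaddress.IPv6Network(pio["prefix"])
        addr = str(ipaddress.IPv6Address(net.network_address.packed[:8] + self.iid))
        e = self.addrs.get(addr)
        if e is None:
            self.addrs[addr] = {"valid_until": _until(now, pio["valid"]),
                                "preferred_until": _until(now, pio["preferred"])}
            return f"configured {addr} (after DAD)"
        e["preferred_until"] = _until(now, pio["preferred"])   # always taken from the RA
        remaining, advertised = e["valid_until"] - now, pio["valid"]
        if advertised > TWO_HOURS or advertised > remaining:        # e) 1
            e["valid_until"] = _until(now, advertised)
            return f"{addr}: valid lifetime set to {advertised}"
        if remaining <= TWO_HOURS:                                   # e) 2
            if authenticated:                                        # e.g. SeND
                e["valid_until"] = _until(now, advertised)
                return f"{addr}: valid lifetime set to {advertised} (authenticated RA)"
            return f"{addr}: short valid lifetime ignored (unauthenticated RA)"
        e["valid_until"] = now + TWO_HOURS                           # e) 3
        return f"{addr}: valid lifetime clamped to 2 hours"


if __name__ == "__main__":
    itf = Interface("ca:00:06:a9:00:1c")
    old = {"prefix": "2001:db8:c0a8:a::/64", "onlink": True, "autonomous": True,
           "valid": 2592000, "preferred": 604800}
    new = dict(old, prefix="2001:db8:c0a8:b::/64")
    print(itf.process_pio(old, now=0))
    print(itf.process_pio(new, now=0))
    # renumbering: the old prefix is deprecated at once but kept valid for a day
    print(itf.process_pio(dict(old, preferred=0, valid=86400), now=100))
    # a RA with a 60 s valid lifetime (e.g. from a rogue router) cannot kill it faster
    print(itf.process_pio(dict(old, preferred=0, valid=60), now=200))
    for a in itf.addrs:
        print(a, itf.state(a, 7399), itf.state(a, 7400))
```

The interface ID computed from ca:00:06:a9:00:1c is c800:6ff:fea9:1c, which is exactly the host part of the addresses seen in the captures of this chapter, so the derived addresses can be checked against them.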
6 IPv6 On Hosts and Routers

IPv6 is now widely deployed and it is the default protocol for most, if not all, of them: Windows, Linux, Mac OS, iPhone, iPad and HP laser printers talk IPv6, and many, many others... All applications and most content on the Internet are available via IPv6: Yahoo, Google, Facebook, Microsoft and others... This is NOW!
• 46. IPv6 On Hosts & Cisco Routers

.1 Configuration and Checking on Hosts

.1.1 Windows

IPv6 is loaded by default and is now configured as the default, preferred protocol. On Windows XP it was shipped but you had to install it with a netsh command: "netsh interface ipv6 install". You cannot uninstall IPv6 in Windows 7, but you can disable IPv6 on a per-adapter basis. To do this, follow these steps:
1. In Control Panel, open Network And Sharing Center.
2. Click Manage Network Connections and then double-click the connection you want to configure.
3. Clear the check box labeled Internet Protocol Version 6 (TCP/IPv6), and then click OK.
Note that if you disable IPv6 on all your network connections using the user interface method described in the preceding steps, IPv6 will still remain enabled on all tunnel interfaces and on the loopback interface.

As an alternative to using the user interface to disable IPv6 on a per-adapter basis, you can selectively disable certain features of IPv6 by creating and configuring the following DWORD registry value:
HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents

    Flag (low-order bit)   Result of setting this bit to a value of 1
    0                      Disables all IPv6 tunnel interfaces, including ISATAP, 6to4 and Teredo tunnels
    1                      Disables all 6to4-based interfaces
    2                      Disables all ISATAP-based interfaces
    3                      Disables all Teredo-based interfaces
    4                      Disables IPv6 over all non-tunnel interfaces, including LAN and PPP interfaces
    5                      Modifies the default prefix policy table* to prefer IPv4 over IPv6 when attempting connections

The value is read at boot, so a reboot is needed before a change takes effect. Bit 4 is what most people mean by "disable IPv6"; bits 0 to 3 are the ones a security engineer cares about, because 6to4, ISATAP and Teredo carry IPv6 inside IPv4 and can move traffic past controls that only look at native IPv4 or native IPv6, so unless you actually use them you really should disable them.

.1.1.1 IPv6 Tools with Windows

.1.1.1.1 IPconfig

    Windows IP Configuration

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . : ectasie.example.com
       IPv6 Address. . . . . . . . . . . : 2001:db8:21da:7:713e:a426:d167:37ab
       Temporary IPv6 Address. . . . . . : 2001:db8:21da:7:5099:ba54:9881:2e54
       Link-local IPv6 Address . . . . . : fe80::713e:a426:d167:37ab%6
       IPv4 Address. . . . . . . . . . . : 157.60.14.11
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : fe80::20a:42ff:feb0:5400%6
                                           157.60.14.1

    Tunnel adapter Local Area Connection* 6:

       Connection-specific DNS Suffix  . :
       IPv6 Address. . . . . . . . . . . : 2001:db8:908c:f70f:0:5efe:157.60.14.11
       Link-local IPv6 Address . . . . . : fe80::5efe:157.60.14.11%9
       Site-local IPv6 Address . . . . . : fec0::6ab4:0:5efe:157.60.14.11%1
       Default Gateway . . . . . . . . . : fe80::5efe:131.107.25.1%9
                                           fe80::5efe:131.107.25.2%9

    Tunnel adapter Local Area Connection* 7:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :

Note the "Temporary IPv6 Address": Windows enables privacy extensions by default, so outgoing connections use a random, short-lived interface identifier rather than the stable one. The two tunnel adapters are the ISATAP (fe80::5efe:a.b.c.d) and Teredo pseudo-interfaces that the registry bits above would remove.

.1.1.1.2 Route (route print)

    IPv6 Route Table
    ===========================================================================
    Active Routes:
     If Metric Network Destination      Gateway
      8    286 ::/0                     fe80::3cec:bf16:505:eae6
      1    306 ::1/128                  On-link
• 47.

      8     38 2001:db8::/64            On-link
      8    286 2001:db8::4074:2dce:b313:7c65/128  On-link
      8    286 2001:db8::b500:734b:fe5b:3945/128  On-link
      8    286 fe80::/64                On-link
     17    296 fe80::5efe:10.0.0.3/128  On-link
      8    286 fe80::b500:734b:fe5b:3945/128  On-link
      1    306 ff00::/8                 On-link
      8    286 ff00::/8                 On-link
    ===========================================================================

.1.1.1.3 Ping

    F:\>ping 2001:db8:1:f282:dd48:ab34:d07c:3914

    Pinging 2001:db8:1:f282:dd48:ab34:d07c:3914 from 2001:db8:1:f282:3cec:bf16:505:eae6 with 32 bytes of data:
    Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
    Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
    Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
    Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms

    Ping statistics for 2001:db8:1:f282:dd48:ab34:d07c:3914:
        Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

.1.1.1.4 Tracert

    F:\>tracert 2001:db8:1:f282:dd48:ab34:d07c:3914

    Tracing route to 2001:db8:1:f282:dd48:ab34:d07c:3914 over a maximum of 30 hops

      1    <1 ms    <1 ms    <1 ms  2001:db8:1:f241:2b0:d0ff:fea4:243d
      2    <1 ms    <1 ms    <1 ms  2001:db8:1:f2ac:2b0:d0ff:fea5:d347
      3    <1 ms    <1 ms    <1 ms  2001:db8:1:f282:dd48:ab34:d07c:3914

    Trace complete.

.1.1.1.5 Pathping

    F:\>pathping 2001:db8:1:f282:dd48:ab34:d07c:3914

    Tracing route to 2001:db8:1:f282:dd48:ab34:d07c:3914 over a maximum of 30 hops
      0  server1.example.microsoft.com [2001:db8:1:f282:204:5aff:fe56:1006]
      1  2001:db8:1:f282:dd48:ab34:d07c:3914

    Computing statistics for 25 seconds...
                Source to Here   This Node/Link
    Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
      0                                           server1.example.microsoft.com [2001:db8:1:f282:204:5aff:fe56:1006]
                                    0/ 100 =  0%   |
      1    0ms     0/ 100 =  0%     0/ 100 =  0%  2001:db8:1:f282:dd48:ab34:d07c:3914

    Trace complete.

.1.1.1.6 netstat -s

    F:\>netstat -s

    IPv4 Statistics

      Packets Received                   = 187107
      Received Header Errors             = 0
      Received Address Errors            = 84248
      Datagrams Forwarded                = 0
      Unknown Protocols Received         = 0
      Received Packets Discarded         = 0
      Received Packets Delivered         = 186194
      Output Requests                    = 27767
      Routing Discards                   = 0
      Discarded Output Packets           = 0
      Output Packet No Route             = 0
      Reassembly Required                = 0
      Reassembly Successful              = 0
      Reassembly Failures                = 0
      Datagrams Successfully Fragmented  = 0
      Datagrams Failing Fragmentation    = 0
      Fragments Created                  = 0

    IPv6 Statistics

      Packets Received                   = 53118
      Received Header Errors             = 0
      Received Address Errors            = 0
      Datagrams Forwarded                = 0
      Unknown Protocols Received         = 0
      Received Packets Discarded         = 0
      Received Packets Delivered         = 0
      Output Requests                    = 60695
      Routing Discards                   = 0
      Discarded Output Packets           = 0
      Output Packet No Route             = 0
      Reassembly Required                = 0
      Reassembly Successful              = 0
      Reassembly Failures                = 0
      Datagrams Successfully Fragmented  = 0
      Datagrams Failing Fragmentation    = 0
• 48.

      Fragments Created                  = 0

    ICMPv4 Statistics

                                Received    Sent
      Messages                  682         881
      Errors                    0           0
      Destination Unreachable   2           201
      Time Exceeded             0           0
      Parameter Problems        0           0
      Source Quenches           0           0
      Redirects                 0           0
      Echos                     340         340
      Echo Replies              340         340
      Timestamps                0           0
      Timestamp Replies         0           0
      Address Masks             0           0
      Address Mask Replies      0           0

    ICMPv6 Statistics

                                Received    Sent
      Errors                    0           0
      Destination Unreachable   193         0
      Echos                     4           0
      Echo Replies              0           4
      MLD Reports               0           6
      Router Solicitations      0           7
      Router Advertisements     54          0
      Neighbor Solicitations    31          32
      Neighbor Advertisements   27          31

    TCP Statistics for IPv4

      Active Opens                        = 128
      Passive Opens                       = 106
      Failed Connection Attempts          = 0
      Reset Connections                   = 3
      Current Connections                 = 16
      Segments Received                   = 22708
      Segments Sent                       = 26255
      Segments Retransmitted              = 37

    TCP Statistics for IPv6

      Active Opens                        = 74
      Passive Opens                       = 72
      Failed Connection Attempts          = 1
      Reset Connections                   = 0
      Current Connections                 = 14
      Segments Received                   = 52809
      Segments Sent                       = 59813
      Segments Retransmitted              = 3

    UDP Statistics for IPv4

      Datagrams Received    = 160982
      No Ports              = 2158
      Receive Errors        = 2
      Datagrams Sent        = 591

    UDP Statistics for IPv6

      Datagrams Received    = 0
      No Ports              = 0
      Receive Errors        = 0
      Datagrams Sent        = 744

.1.1.1.7 Netsh interface ipv6 show interface

    Idx  Met         MTU  State        Name
    ---  ---  ----------  -----------  -------------------
      1   50  4294967295  enabled      Loopback Pseudo-Interface 1
      9   50        1280  enabled      Local Area Connection* 6
      6   20        1500  enabled      Local Area Connection
     10   50        1280  enabled      Local Area Connection* 7
      7   10        1500  disabled     Local Area Connection 2

Netsh interface ipv6 show address

    Interface 1: Loopback Pseudo-Interface 1

    Addr Type  DAD State   Valid Life    Pref. Life    Address
    ---------  ----------  ------------  ------------  ------------------------
    Other      Preferred   infinite      infinite      ::1

    Interface 9: Local Area Connection* 6

    Addr Type  DAD State   Valid Life    Pref. Life    Address
    ---------  ----------  ------------  ------------  ------------------------
    Other      Deprecated  infinite      infinite      fe80::5efe:1.0.0.127%9

    Interface 6: Local Area Connection

    Addr Type  DAD State   Valid Life    Pref. Life    Address
    ---------  ----------  ------------  ------------  ------------------------
    Public     Preferred   29d23h59m59s  6d23h59m59s   2001:db8:21da:7:1f3e:9e51:2178:b9ob
    Temporary  Preferred   5d19h59m25s   5d19h59m25s   2001:db8:21da:7:a299:85ae:21da:59cc
    Other      Preferred   infinite      infinite      fe80::713e:a426:d167:37ab%6
• 49.

    Interface 10: Local Area Connection* 7

    Addr Type  DAD State   Valid Life    Pref. Life    Address
    ---------  ----------  ------------  ------------  ------------------------
    Other      Deprecated  infinite      infinite      fe80::5efe:1.0.0.127%10

.1.1.1.8 Netsh interface ipv6 show route

    Publish  Type      Met  Prefix                              Idx  Gateway/Interface Name
    -------  --------  ---  ----------------------------------  ---  -----------------------
    No       Manual    256  ::/0                                  8  fe80::3cec:bf16:505:eae6
    No       Manual    256  ::1/128                               1  Loopback Pseudo-Interface 1
    No       Manual      8  2001:db8::/64                         8  Local Area Connection
    No       Manual    256  2001:db8::4074:2dce:b313:7c65/128     8  Local Area Connection
    No       Manual    256  2001:db8::b500:734b:fe5b:3945/128     8  Local Area Connection
    No       Manual   1000  2002::/16                            11  Local Area Connection* 7
    No       Manual    256  fe80::/64                            10  Local Area Connection* 9
    No       Manual    256  fe80::/64                             8  Local Area Connection
    No       Manual    256  fe80::100:7f:fffe/128                10  Local Area Connection* 9
    No       Manual    256  fe80::5efe:10.0.0.3/128              17  Local Area Connection* 6
    No       Manual    256  fe80::b500:734b:fe5b:3945/128         8  Local Area Connection
    No       Manual    256  ff00::/8                              1  Loopback Pseudo-Interface 1
    No       Manual    256  ff00::/8                             10  Local Area Connection* 9
    No       Manual    256  ff00::/8

.1.1.1.9 Netsh interface ipv6 show neighbors

    Interface 1: Loopback Pseudo-Interface 1

    Internet Address                              Physical Address   Type
    --------------------------------------------  -----------------  -----------
    ff02::16                                                         Permanent
    ff02::1:3                                                        Permanent

    Interface 8: Local Area Connection

    Internet Address                              Physical Address   Type
    --------------------------------------------  -----------------  -----------
    2001:db8::3cec:bf16:505:eae6                  00-13-72-2b-34-07  Stale (Router)
    2001:db8::4074:2dce:b313:7c65                 00-00-00-00-00-00  Unreachable
    2001:db8::6c4b:bf6d:201a:ccbf                 00-00-00-00-00-00  Unreachable
    fe80::3cec:bf16:505:eae6                      00-13-72-2b-34-07  Stale (Router)
    ff02::16                                      33-33-00-00-00-16  Permanent

    Interface 10: Local Area Connection* 9

    Internet Address                              Physical Address       Type
    --------------------------------------------  ---------------------  -----------
    fe80::b500:734b:fe5b:3945                     255.255.255.255:65535  Unreachable
    ff02::16                                      255.255.255.255:65535  Permanent

The "(Router)" tag on a neighbor entry is worth a look when troubleshooting: it is learned from the Router flag in the Neighbor Advertisement, and a host whose default gateway is an entry you do not recognize is the first symptom of a rogue Router Advertisement on the link.

.1.1.1.10 Netsh interface ipv6 show destinationcache

    Interface 8: Local Area Connection

    PMTU  Destination Address                            Next Hop Address
    ----  ---------------------------------------------  -------------------------
    1500  2001:db8::3cec:bf16:505:eae6                   2001:db8::3cec:bf16:505:eae6

.1.2 MAC OS X

With Linux and Mac OS all the IPv6 stack and useful tools are available. Also, as with Windows, the GUI cannot help much, and the CLI will be used for most commands.

Please note the percent sign, which is followed by the interface name or index according to the OS. In IPv6 this refers to the zone (see RFC 4007, IPv6 Scoped Address Architecture). Each zone has its own routing entries internally, and the zone index is needed for link-local addresses, for multicast addresses of link-local or smaller scope, and in principle for any scoped unicast address, because the same link-local address can legitimately exist behind several interfaces of one node. It is very rare, but one application which was requested for our IPv6 group was 6VPE.

From an IPv6 point of view, 6VPE has no interest at all! MPLS-VPN was a great feature for IPv4 because of address depletion. With IPv6 it is no longer very interesting. Do not confuse the two concepts, though: a zone isolates address scopes on a single host with no provisioning at all, whereas a VRF is a separate routing instance on a router; the zone is not "the IPv6 VRF". With Mac OS or Linux the zone identifier is the name of the interface:

.1.2.1 netstat -in ip6

    power-mac-g5-de-fred-bovy-6:~ root# netstat -in ip6
    Name  Mtu   Network       Address                    Ipkts Ierrs    Opkts Oerrs  Coll
    lo0   16384 <Link#1>                                623227     0   623227     0     0
    lo0   16384 ::1/128       ::1                       623227     -   623227     -     -
    lo0   16384 fe80::1%lo0   fe80:1::1                 623227     -   623227     -     -
    lo0   16384 127           127.0.0.1                 623227     -   623227     -     -
• 50.

    lo0   16384 fd6e:28d7:6   fd6e:28d7:65b4:77         623227     -   623227     -     -
    gif0* 1280  <Link#2>                                     0     0        0     0     0
    stf0* 1280  <Link#3>                                     0     0        0     0     0
    en0   1500  <Link#4>      d4:9a:20:d0:f9:ae              0     0        0     0     0
    fw0   4078  <Link#5>      d4:9a:20:ff:fe:c7:17:70        0     0        0     0     0
    en1   1500  <Link#6>      04:1e:64:ec:73:a9        3393882     0  2455868     0     0
    en1   1500  fe80::61e:6   fe80:6::61e:64ff:        3393882     -  2455868     -     -
    en1   1500  192.168.0     192.168.0.10             3393882     -  2455868     -     -
    en1   1500  2a01:e35:2f   2a01:e35:2f26:d34        3393882     -  2455868     -     -
    vmnet 1500  <Link#8>      00:50:56:c0:00:01              0     0        0     0     0
    vmnet 1500  192.168.58    192.168.58.1                   0     -        0     -     -
    vmnet 1500  <Link#9>      00:50:56:c0:00:08              0     0        0     0     0
    vmnet 1500  172.16.4/24   172.16.4.1                     0     -        0     -     -
    utun0 1500  <Link#7>                                    26     0       31     0     0
    utun0 1500  fe80::d69a:   fe80:7::d69a:20ff             26     -       31     -     -
    utun0 1500  fd00:6587:5   fd00:6587:52d7:f8             26     -       31     -     -

.1.2.2 ifconfig

    power-mac-g5-de-fred-bovy-6:~ root# ifconfig
    lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
            inet6 ::1 prefixlen 128
            inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
            inet 127.0.0.1 netmask 0xff000000
            inet6 fd6e:28d7:65b4:77b3:d69a:20ff:fed0:f9ae prefixlen 128
    gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
    stf0: flags=0<> mtu 1280
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            ether d4:9a:20:d0:f9:ae
            media: autoselect
            status: inactive
    fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
            lladdr d4:9a:20:ff:fe:c7:17:70
            media: autoselect <full-duplex>
            status: inactive
    en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            ether 04:1e:64:ec:73:a9
            inet6 fe80::61e:64ff:feec:73a9%en1 prefixlen 64 scopeid 0x6
            inet6 2a01:e35:2f26:d340:61e:64ff:feec:73a9 prefixlen 64 autoconf

Note that gif0 (configured tunnel) and stf0 (6to4) exist on every Mac OS X system even when unused; as on Windows, they are the interfaces to watch if you only filter native traffic.

.1.3 Linux

Linux is the best platform to support a maximum of services like Mobile IPv6, DHCPv6 and more. Mobile IPv6 in particular is not a supported feature on Windows or Mac OS X. Mac OS is a FreeBSD derivative, so there may be a way to have it running on a Mac, but it is not a Mac OS X supported feature.

Also with Linux you can enable or disable SLAAC and many parameters for very fine tuning of ND.

Tuning the Kernel

The /proc/sys/net/ipv6 filesystem exports a number of parameters that you might want to set. The Linux IPv6 HOWTO explains all available parameters, so let me just show you the ones I set in /etc/sysctl.d/ipv6.conf and load with a call to sysctl -p:

    net.ipv6.conf.default.autoconf = 0
    net.ipv6.conf.default.accept_ra = 0
    net.ipv6.conf.default.accept_ra_defrtr = 0
    net.ipv6.conf.default.accept_ra_rtr_pref = 0
    net.ipv6.conf.default.accept_ra_pinfo = 0
    net.ipv6.conf.default.accept_source_route = 0
    net.ipv6.conf.default.accept_redirects = 0
    net.ipv6.conf.default.forwarding = 0
    net.ipv6.conf.all.autoconf = 0
    net.ipv6.conf.all.accept_ra = 0
    net.ipv6.conf.all.accept_ra_defrtr = 0
    net.ipv6.conf.all.accept_ra_rtr_pref = 0
    net.ipv6.conf.all.accept_ra_pinfo = 0
    net.ipv6.conf.all.accept_source_route = 0
    net.ipv6.conf.all.accept_redirects = 0
    net.ipv6.conf.all.forwarding = 0

This is the configuration of a server that is addressed statically and must not trust anything it hears on the link: no SLAAC, no default router or prefix learned from Router Advertisements, no redirects, no routing header. The "default" entries apply to interfaces created later, the "all" entries to existing ones; the kernel evaluates accept_ra per interface, so also check net.ipv6.conf.<interface>.* on a host whose interfaces were already up when the file was loaded.

.1.3.1 Add an address to an interface

    ifconfig <interface> inet6 add <address>/<prefix-length>

.1.3.2 Remove an address from an interface

    ifconfig <interface> inet6 del <address>/<prefix-length>

.1.3.3 Add a route

    route -A inet6 add <destination> gw <next-hop>

(With net-tools the address family keyword is inet6, not ipv6. On a current distribution the iproute2 equivalents are ip -6 addr add, ip -6 addr del and ip -6 route add ... via ....)

.1.3.4 Add a DNS server in the /etc/resolv.conf file

    nameserver 2001:db8:233::1
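The sysctl file above is only half of the job: it has to be verified on the running host, interface by interface, because a value set under "all" or "default" does not prove that eth0 is no longer accepting Router Advertisements. The following added example (not code from the book, not a distribution tool) parses the text format of "sysctl -a", compares every net.ipv6.conf.<interface>.* entry with the baseline from the file above and reports each value that is looser than the baseline. The SAMPLE_SYSCTL text is constructed for the demonstration: it shows a host where "all" and "default" are hardened but eth0, which was already up, still has accept_ra=1.

```python
"""Audit Linux net.ipv6.conf.* sysctls against the RA/ND hardening baseline above."""
import re

# Baseline taken from the /etc/sysctl.d/ipv6.conf listing above: every key set to 0.
BASELINE = {
    "autoconf": 0, "accept_ra": 0, "accept_ra_defrtr": 0, "accept_ra_rtr_pref": 0,
    "accept_ra_pinfo": 0, "accept_source_route": 0, "accept_redirects": 0, "forwarding": 0,
}

# Constructed sample of `sysctl -a` output (not from a real host): 'all' and 'default'
# are hardened, but eth0 still has the kernel defaults of an ordinary client.
SAMPLE_SYSCTL = """\
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.eth0.accept_ra = 1
net.ipv6.conf.eth0.accept_ra_defrtr = 1
net.ipv6.conf.eth0.accept_ra_pinfo = 1
net.ipv6.conf.eth0.accept_ra_rtr_pref = 1
net.ipv6.conf.eth0.accept_redirects = 1
net.ipv6.conf.eth0.accept_source_route = 0
net.ipv6.conf.eth0.autoconf = 1
net.ipv6.conf.eth0.forwarding = 0
net.ipv6.conf.eth0.mtu = 1500
net.ipv6.conf.lo.accept_ra = 1
"""

LINE = re.compile(r"^net\.ipv6\.conf\.([^.\s]+)\.([a-z0-9_]+)\s*=\s*(-?\d+)$")


def parse_sysctl(text):
    """Return {interface: {key: int}} for the net.ipv6.conf.* lines; other lines are ignored."""
    conf = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            conf.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return conf


def audit(conf, baseline=BASELINE, ignore=("lo",)):
    """List (interface, key, actual, expected) for every value that differs from the baseline.

    A key missing from the dump is reported with actual=None, so an empty or
    truncated dump cannot pass the audit by accident."""
    findings = []
    for ifname, values in sorted(conf.items()):
        if ifname in ignore:
            continue
        for key, expected in baseline.items():
            actual = values.get(key)
            if actual != expected:
                findings.append((ifname, key, actual, expected))
    return findings


def sysctl_fix_lines(findings):
    """Runtime fix for each finding; the persistent copy still belongs in /etc/sysctl.d/."""
    return ["sysctl -w net.ipv6.conf.%s.%s=%d" % (i, k, e) for i, k, _, e in findings]


if __name__ == "__main__":
    for finding in audit(parse_sysctl(SAMPLE_SYSCTL)):
        print("%s.%s = %s (expected %d)" % finding)
    print("\n".join(sysctl_fix_lines(audit(parse_sysctl(SAMPLE_SYSCTL)))))
```

On a real host feed it the output of "sysctl -a 2>/dev/null" and run it again after "sysctl -p": the second run should return no findings for any interface you care about.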
• 51.

Linux offers the widest range of IPv6 tools and services, several of which exist only on Linux: DHCPv6 server and client, Mobile IPv6, IPsec, monitoring tools such as NDPmon, etc.

Example below of the same Neighbor Discovery traffic seen by the NDPmon and tcpdump utilities. NDPmon keeps a list of the routers that are legitimate on the link; the Router Advertisement from f4:ca:e5:44:10:ef is not in that list, hence "Warning: wrong ipv6 router". This is exactly the check you want for rogue-RA detection, and the tcpdump dump of the same RA (14:37:07.322231) shows what such a router can push: a prefix for SLAAC, an MTU, and two DNS resolvers through the RDNSS option. Note also that the Router Solicitation from 00:0c:29:30:33:86 carries a source link-layer address option of 56 bytes (length 7) where an Ethernet address needs 8 bytes (length 1); a well-formed parser must tolerate such oversized options without reading past the packet.

tcpdump:

    14:30:13.980542 IP6 (hlim 64, next-header TCP (6) payload length: 32) 2a01:e35:2f26:d340:105d:f22a:d1bd:635e.55318 > 2a00:1450:4009:808::1005.80: Flags [.], cksum 0xb983 (correct), seq 3060, ack 9779, win 32249, options [nop,nop,TS val 340919915 ecr 1985866212], length 0
            0x0000:  6000 0000 0020 0640 2a01 0e35 2f26 d340  `......@*..5/&.@
            0x0010:  105d f22a d1bd 635e 2a00 1450 4009 0808  .].*..c^*..P@...
            0x0020:  0000 0000 0000 1005 d816 0050 a479 6453  ...........P.ydS
            0x0030:  7a0b 605a 8010 7df9 b983 0000 0101 080a  z.`Z..}.........
            0x0040:  1452 066b 765d e9e4                      .R.kv]..
    14:30:13.981120 IP6 (hlim 64, next-header TCP (6) payload length: 32) 2a01:e35:2f26:d340:105d:f22a:d1bd:635e.55318 > 2a00:1450:4009:808::1005.80: Flags [.], cksum 0xb181 (correct), seq 3060, ack 11461, win 32616, options [nop,nop,TS val 340919916 ecr 1985866212], length 0
            0x0000:  6000 0000 0020 0640 2a01 0e35 2f26 d340  `......@*..5/&.@
            0x0010:  105d f22a d1bd 635e 2a00 1450 4009 0808  .].*..c^*..P@...
            0x0020:  0000 0000 0000 1005 d816 0050 a479 6453  ...........P.ydS
            0x0030:  7a0b 66ec 8010 7f68 b181 0000 0101 080a  z.f....h........
            0x0040:  1452 066c 765d e9e4                      .R.lv]..
    14:30:16.588733 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::61e:64ff:feec:73a9 > fe80::f6ca:e5ff:fe44:10ef: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::f6ca:e5ff:fe44:10ef
              source link-address option (1), length 8 (1): 04:1e:64:ec:73:a9
                0x0000:  041e 64ec 73a9
            0x0000:  6000 0000 0020 3aff fe80 0000 0000 0000  `.....:.........
            0x0010:  061e 64ff feec 73a9 fe80 0000 0000 0000  ..d...s.........
            0x0020:  f6ca e5ff fe44 10ef 8700 e9bb 0000 0000  .....D..........
            0x0030:  fe80 0000 0000 0000 f6ca e5ff fe44 10ef  .............D..
            0x0040:  0101 041e 64ec 73a9                      ....d.s.
    14:30:21.598154 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::61e:64ff:feec:73a9 > fe80::f6ca:e5ff:fe44:10ef: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::61e:64ff:feec:73a9, Flags [solicited]
            0x0000:  6000 0000 0018 3aff fe80 0000 0000 0000  `.....:.........
            0x0010:  061e 64ff feec 73a9 fe80 0000 0000 0000  ..d...s.........
            0x0020:  f6ca e5ff fe44 10ef 8800 94c3 4000 0000  .....D......@...
            0x0030:  fe80 0000 0000 0000 061e 64ff feec 73a9  ..........d...s.

NDPmon:

    ----- ND_ROUTER_SOLICIT -----
    Reset timer for 0:c:29:30:33:86 fe80:0:0:0:20c:29ff:fe30:3386
    ------------------
    [SNIP]
    Writing cache...
    ----- ND_NEIGHBOR_SOLICIT -----
    Reset timer for 4:1e:64:ec:73:a9 fe80:0:0:0:61e:64ff:feec:73a9
    ------------------
    ----- ND_ROUTER_ADVERT -----
    Reset timer for f4:ca:e5:44:10:ef fe80:0:0:0:f6ca:e5ff:fe44:10ef
    Warning: wrong ipv6 router f4:ca:e5:44:10:ef fe80:0:0:0:f6ca:e5ff:fe44:10ef
    ------------------
    ----- ND_NEIGHBOR_ADVERT -----
    Reset timer for 4:1e:64:ec:73:a9 fe80:0:0:0:61e:64ff:feec:73a9
    ------------------

tcpdump, Router Solicitation and Router Advertisement:

    14:37:07.319548 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::20c:29ff:fe30:3386 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 64
              source link-address option (1), length 56 (7): 00:0c:29:30:33:86:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:85:00:00:00:00:00:00:00:00:92:5e:aa:f8:cf:10:08:d4:c6:8b:bf:f4:6f:45:00:f4:4f:13
                0x0000:  000c 2930 3386 0000 0000 0000 0000 0000
                0x0010:  0000 0000 0000 0000 0000 0085 0000 0000
                0x0020:  0000 0000 925e aaf8 cf10 08d4 c68b bff4
                0x0030:  6f45 00f4 4f13
            0x0000:  6000 0000 0040 3aff fe80 0000 0000 0000  `....@:.........
            0x0010:  020c 29ff fe30 3386 ff02 0000 0000 0000  ..)..03.........
            0x0020:  0000 0000 0000 0002 8500 65e5 0000 0000  ..........e.....
            0x0030:  0107 000c 2930 3386 0000 0000 0000 0000  ....)03.........
            0x0040:  0000 0000 0000 0000 0000 0000 0085 0000  ................
            0x0050:  0000 0000 0000 925e aaf8 cf10 08d4 c68b  .......^........
            0x0060:  bff4 6f45 00f4 4f13                      ..oE..O.
    14:37:07.322231 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 104) fe80::f6ca:e5ff:fe44:10ef > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 104
            hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
              prefix info option (3), length 32 (4): 2a01:e35:2f26:d340::/64, Flags [onlink, auto], valid time 86400s, pref. time 86400s
                0x0000:  40c0 0001 5180 0001 5180 0000 0000 2a01
• 52.

                0x0010:  0e35 2f26 d340 0000 0000 0000 0000
              rdnss option (25), length 40 (5):  lifetime 600s, addr: 2a01:e00::2 addr: 2a01:e00::1
                0x0000:  8000 0000 0258 2a01 0e00 0000 0000 0000
                0x0010:  0000 0000 0002 2a01 0e00 0000 0000 0000
                0x0020:  0000 0000 0001
              mtu option (5), length 8 (1):  1480
                0x0000:  0000 0000 05c8
              source link-address option (1), length 8 (1): f4:ca:e5:44:10:ef
                0x0000:  f4ca e544 10ef
            0x0000:  6000 0000 0068 3aff fe80 0000 0000 0000  `....h:.........
            0x0010:  f6ca e5ff fe44 10ef ff02 0000 0000 0000  .....D..........
            0x0020:  0000 0000 0000 0001 8600 2541 4000 0708  ..........%A@...
            0x0030:  0000 0000 0000 0000 0304 40c0 0001 5180  ..........@...Q.
            0x0040:  0001 5180 0000 0000 2a01 0e35 2f26 d340  ..Q.....*..5/&.@
            0x0050:  0000 0000 0000 0000 1905 8000 0000 0258  ...............X
            0x0060:  2a01 0e00 0000 0000 0000 0000 0000 0002  *...............
            0x0070:  2a01 0e00 0000 0000 0000 0000 0000 0001  *...............
            0x0080:  0501 0000 0000 05c8 0101 f4ca e544 10ef  .............D..

The RA has Flags [none]: the M and O bits are both clear, so hosts on this link configure addresses by SLAAC and will not contact a DHCPv6 server; the DNS resolvers come from the RDNSS option instead. The last two packets are the host's multicast DNS queries (UDP 5353 to ff02::fb) for server.exchange.local:

    14:37:07.387405 IP6 (hlim 255, next-header UDP (17) payload length: 53) fe80::61e:64ff:feec:73a9.5353 > ff02::fb.5353: [udp sum ok] 0 [2q] A (QM)? server.exchange.local. AAAA (QM)? server.exchange.local. (45)
            0x0000:  6000 0000 0035 11ff fe80 0000 0000 0000  `....5..........
            0x0010:  061e 64ff feec 73a9 ff02 0000 0000 0000  ..d...s.........
            0x0020:  0000 0000 0000 00fb 14e9 14e9 0035 117a  .............5.z
            0x0030:  0000 0000 0002 0000 0000 0000 0673 6572  .............ser
            0x0040:  7665 7208 6578 6368 616e 6765 056c 6f63  ver.exchange.loc
            0x0050:  616c 0000 0100 01c0 0c00 1c00 01         al...........
    14:38:28.549702 IP6 (hlim 255, next-header UDP (17) payload length: 53) fe80::61e:64ff:feec:73a9.5353 > ff02::fb.5353: [udp sum ok] 0 [2q] A (QM)? server.exchange.local. AAAA (QM)? server.exchange.local. (45)
            0x0000:  6000 0000 0035 11ff fe80 0000 0000 0000  `....5..........
            0x0010:  061e 64ff feec 73a9 ff02 0000 0000 0000  ..d...s.........
            0x0020:  0000 0000 0000 00fb 14e9 14e9 0035 117a  .............5.z
            0x0030:  0000 0000 0002 0000 0000 0000 0673 6572  .............ser
            0x0040:  7665 7208 6578 6368 616e 6765 056c 6f63  ver.exchange.loc
            0x0050:  616c 0000 0100 01c0 0c00 1c00 01         al...........

Example of a Wireshark screen capture of a Router Advertisement.

.2 Test your IPv6 Stack: http://test-ipv6.com/
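The Router Advertisement captured above (14:37:07.322231, 104 bytes of ICMPv6 from fe80::f6ca:e5ff:fe44:10ef), decoded by hand. This is an added example, not code from the book nor from NDPmon or tcpdump. It embeds the RA bytes exactly as printed in the tcpdump hex dump, recomputes the checksum that tcpdump reported as "icmp6 sum ok" (0x2541), decodes the M/O flags and the prefix-information, RDNSS, MTU and source link-layer options, and then applies the same test NDPmon applied: is the advertising router's MAC address in the allowlist? The allowlist contents are a placeholder for the demonstration.

```python
"""Decode an ICMPv6 Router Advertisement and flag it against a router allowlist."""
import ipaddress
import struct

# IPv6 header + Router Advertisement, copied from the tcpdump hex dump above (144 bytes).
RA_HEX = (
    "6000 0000 0068 3aff fe80 0000 0000 0000"
    "f6ca e5ff fe44 10ef ff02 0000 0000 0000"
    "0000 0000 0000 0001 8600 2541 4000 0708"
    "0000 0000 0000 0000 0304 40c0 0001 5180"
    "0001 5180 0000 0000 2a01 0e35 2f26 d340"
    "0000 0000 0000 0000 1905 8000 0000 0258"
    "2a01 0e00 0000 0000 0000 0000 0000 0002"
    "2a01 0e00 0000 0000 0000 0000 0000 0001"
    "0501 0000 0000 05c8 0101 f4ca e544 10ef"
)
RA_PACKET = bytes.fromhex(RA_HEX.replace(" ", ""))

ICMPV6 = 58
ND_ROUTER_ADVERT = 134  # 0x86


def icmpv6_checksum(src, dst, icmp):
    """One's-complement sum over the IPv6 pseudo-header (RFC 2460) and the ICMPv6 message."""
    data = src + dst + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([ICMPV6]) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ra(packet):
    """Return a dict describing the RA; raise ValueError on anything malformed."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header, hop_limit = struct.unpack("!HBB", packet[4:8])
    src, dst = packet[8:24], packet[24:40]
    icmp = packet[40:40 + payload_len]
    if next_header != ICMPV6 or len(icmp) != payload_len or len(icmp) < 16:
        raise ValueError("truncated or not ICMPv6")
    if hop_limit != 255:
        raise ValueError("ND messages must arrive with hop limit 255 (RFC 4861)")
    if icmpv6_checksum(src, dst, icmp[:2] + b"\x00\x00" + icmp[4:]) != struct.unpack("!H", icmp[2:4])[0]:
        raise ValueError("bad ICMPv6 checksum")
    msg_type, code, _, cur_hlim, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", icmp[:16])
    if msg_type != ND_ROUTER_ADVERT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {
        "src": str(ipaddress.IPv6Address(src)),
        "hop_limit": cur_hlim,
        "managed": bool(flags & 0x80),  # M bit: get addresses from stateful DHCPv6
        "other": bool(flags & 0x40),    # O bit: get other configuration from stateless DHCPv6
        "router_lifetime": lifetime,    # 0 means "not a default router"
        "prefixes": [], "rdnss": [], "mtu": None, "src_lladdr": None,
    }
    off = 16
    while off < len(icmp):
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0 or off + olen * 8 > len(icmp):
            raise ValueError("zero-length or truncated ND option")
        opt = icmp[off + 2:off + olen * 8]
        if otype == 1 and olen == 1:            # source link-layer address (Ethernet)
            ra["src_lladdr"] = ":".join("%02x" % b for b in opt)
        elif otype == 3 and olen == 4:          # prefix information
            plen, pflags, valid, pref = struct.unpack("!BBII", opt[:10])
            prefix = ipaddress.IPv6Address(opt[14:30])
            ra["prefixes"].append({"prefix": "%s/%d" % (prefix, plen), "onlink": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40), "valid": valid, "preferred": pref})
        elif otype == 5 and olen == 1:          # MTU
            ra["mtu"] = struct.unpack("!I", opt[2:6])[0]
        elif otype == 25:                       # RDNSS (RFC 6106): reserved(2) lifetime(4) addresses
            rdnss_lifetime = struct.unpack("!I", opt[2:6])[0]
            addrs = [str(ipaddress.IPv6Address(opt[i:i + 16])) for i in range(6, len(opt) - 15, 16)]
            ra["rdnss"].append({"lifetime": rdnss_lifetime, "servers": addrs})
        off += olen * 8
    return ra


def check_ra(packet, allowed_routers):
    """NDPmon-style check: the advertising MAC must be a known router. Returns (ra, warnings)."""
    ra = parse_ra(packet)
    warnings = []
    if ra["src_lladdr"] not in allowed_routers:
        warnings.append("wrong ipv6 router %s %s" % (ra["src_lladdr"], ra["src"]))
        if ra["rdnss"]:
            warnings.append("unknown router pushes DNS servers %s" % ra["rdnss"][0]["servers"])
    return ra, warnings


if __name__ == "__main__":
    # Placeholder allowlist: the real list comes from your own router inventory.
    ra, warns = check_ra(RA_PACKET, allowed_routers={"00:13:72:2b:34:07"})
    print(ra)
    print("\n".join(warns))
```

Because the allowlist is keyed on the link-layer address, an attacker can still spoof a legitimate router's MAC; the check catches the common rogue-RA cases (a misconfigured VM, a Windows machine with Internet Connection Sharing, a malicious tool), not a deliberate impersonation, which is what RA Guard on the switch or SEND is for.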
• 53.

.3 Test the IPv6 Web Servers

2 Configuration and System Checking on CISCO Routers

2.1 CISCO Routers Modes

A CISCO router has two main modes of operation:

2.1.1 Exec Mode (Normal or Privileged).
This mode is used to run any command that displays or resets something. Actually there are 16 privilege levels (0 to 15) to give an authorization to each level. The normal (user) mode is the lowest one, the mode you get when you enter the router by default. It is a kind of read-only mode where you cannot configure anything, and cannot even display the configuration file. The default prompt is the router name followed by > for a normal user or # for a privileged one: R2> or R2#

2.1.2 Configuration Mode.
This mode is used to configure the router. Before giving any configuration command you must enter this mode with the command "configure terminal". You must be a privileged user to use this command. This mode has many submodes: for instance, if you want to configure an interface or a routing protocol, you must first select it to enter its submode. The default prompt for router R2 in configuration mode is: R2(config)#

The next step is to enable IPv6 routing with the global configuration command:

    R2(config)# ipv6 unicast-routing

In the past you also had to enable CEFv6 explicitly, as it was not on by default, with:

    R2(config)# ipv6 cef

or

    R2(config)# ipv6 cef distributed

For some platforms, you had the choice to run a distributed CEFv6 or not. With distributed CEFv6, a copy of the CEFv6 tables is downloaded to the line cards, and the ingress line card which receives the packet takes the switching decision; the route processor CPU is not involved. The first troubleshooting command I was checking when facing a low performance problem was whether CEF was properly started:

    R2# show ipv6 cef summary

    R7#show ip cef summary
    IPv4 CEF is enabled and running
    VRF Default
     17 prefixes (17/0 fwd/non-fwd)
     Table id 0x0
     Database epoch:        0 (17 entries at this epoch)

    R7#show ipv6 cef summary
    IPv6 CEF is enabled and running centrally.
    VRF Default
     14 prefixes (14/0 fwd/non-fwd)
     Table id 0x1E000000
     Database epoch:        0 (14 entries at this epoch)

2.2 CEFv6

If you have to troubleshoot a CISCO device, one day you will have to deal with CEF! No DATA PLANE troubleshooting without CEFv6!...

If you are looking for the engineering team with the really highly skilled guys at Cisco, you are looking for the CEF team! These guys need to do two mutually exclusive things, and this all the time: they must support a maximum number of services and at the same time they must design the fastest code, because all the Cisco switching performance relies on CEF! If an IP feature is not supported by CEF, the feature has no future if it also has to be efficient. If it is a slow terminal conversion thing that only needs the speed of someone typing with one finger, fine! But if it must support wire speed? Forget it!

WHY???

We need to get back to the basics of computers to understand...

When a packet is received by an ASIC specialized in processing the data coming from a physical media port, an interrupt is sent to the CPU. An interrupt is a signal transition like 0 to +5 V or the opposite. The interrupt is raised by the physical media processor to tell the CPU that it has a packet, just like the postman sets up the flag after he has dropped a few letters in your mailbox! Guess who is called first by the CPU when it gets the interrupt signal? CEF...
• 54.

Now CEF must take a decision: either switch the packet in interrupt mode, or queue the packet for further processing in a time-sharing fashion (process switching). It is clear that real-time traffic will only be supported by the interrupt mode. So where is the problem? The process in interrupt mode disables any other interrupt. The other line cards have a dedicated ASIC with memory to accommodate a few packets, but not too many... The process must handle the packet as fast as possible, for the protocol being routed and for the other traffic waiting to be processed. This is why complex operations cannot be supported by CEF, and this has been the case of NAT-PT in IPv6!

For more details about CEFv6, please click on the link below:
http://www.ipv6forlife.com/Docs/CEFv6InaNutshell.pdf

Then you might be interested to check some other commands listed below:

2.3 CISCO Routers IPv6 Commands

    R2(config)#ipv6 ?
      access-list        Configure access lists
      cef                Cisco Express Forwarding for IPv6
      cga                Configure IPv6 certified generated address
      dhcp               Configure IPv6 DHCP
      general-prefix     Configure a general IPv6 prefix
      hop-limit          Configure hop count limit
      host               Configure static hostnames
      icmp               Configure ICMP parameters
      inspect            Context-based Access Control Engine
      local              Specify local options
      mfib               Multicast Forwarding
      mld                Global mld commands
      mobile             Mobile IPv6
      multicast          IPv6 multicast
      multicast-routing  Enable IPv6 multicast
      nat                NAT-PT Configuration commands
      nd                 Configure IPv6 ND
      neighbor           Neighbor
      ospf               OSPF
      pim                Configure Protocol Independent Multicast
      port-map           Port to application mapping (PAM) configuration commands
      prefix-list        Build a prefix list
      route              Configure static routes
      router             Enable an IPV6 routing process
      source-route       Process packets with source routing header options
      unicast-routing    Enable unicast routing

    R2(config-subif)#ipv6 ?
    IPv6 interface subcommands:
      address             Configure IPv6 address on interface
      authentication      authentication subcommands
      bandwidth-percent   Set EIGRP bandwidth limit
      cga                 Configure cga on the interface
      dhcp                IPv6 DHCP interface subcommands
      eigrp               Configure EIGRP IPv6 on interface
      enable              Enable IPv6 on interface
      flow                Flow related commands
      hello-interval      Configures IP-EIGRP hello interval
      hold-time           Configures IP-EIGRP hold time
      inspect             Apply inspect name
      mfib                Interface Specific MFIB Control
      mld                 interface commands
      mobile              Mobile IPv6
      mode                Interface mode
      mtu                 Set IPv6 Maximum Transmission Unit
      multicast           multicast
      nat                 Enable IPv6 NAT on interface
      nd                  IPv6 interface Neighbor Discovery subcommands
      next-hop-self       Configures IP-EIGRP next-hop-self
      ospf                OSPF interface commands
      pim                 PIM interface commands
      policy              Enable IPv6 policy routing
      redirects           Enable sending of ICMP Redirect messages
      rip                 Configure RIP routing protocol
      router              IPv6 Router interface commands
      split-horizon       Perform split horizon
      summary-address     Summary prefix
      traffic-filter      Access control list for packets
• 55.

      unnumbered          Preferred interface for source address selection
      unreachables        Enable sending of ICMP Unreachable messages
      verify              Enable per packet validation
      virtual-reassembly  IPv6 Enable Virtual Fragment Reassembly

From a hardening point of view, the interface subcommands to remember are "ipv6 nd" (RA parameters and, on access interfaces, "ipv6 nd ra suppress"), "ipv6 traffic-filter" (the IPv6 ACL on the interface), "ipv6 verify" (unicast RPF) and "ipv6 redirects"; the global "ipv6 source-route" decides whether packets carrying a routing header are forwarded.

2.4 Display the IPv6 Traffic Statistics

    R2#show ipv6 traffic
    IPv6 statistics:
      Rcvd:  295 total, 251 local destination
             0 source-routed, 0 truncated
             0 format errors, 0 hop count exceeded
             0 bad header, 0 unknown option, 0 bad source
             0 unknown protocol, 0 not a router
             0 fragments, 0 total reassembled
             0 reassembly timeouts, 0 reassembly failures
      Sent:  278 generated, 0 forwarded
             0 fragmented into 0 fragments, 0 failed
             0 encapsulation failed, 0 no route, 0 too big
             0 RPF drops, 0 RPF suppressed drops
      Mcast: 276 received, 259 sent

    ICMP statistics:
      Rcvd: 49 input, 0 checksum errors, 0 too short
            0 unknown info type, 0 unknown error type
            unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
            parameter: 0 error, 0 header, 0 option
            0 hopcount expired, 0 reassembly timeout,0 too big
            10 echo request, 0 echo reply
            0 group query, 0 group report, 0 group reduce
            0 router solicit, 20 router advert, 0 redirects
            4 neighbor solicit, 5 neighbor advert
      Sent: 46 output, 0 rate-limited
            unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
            parameter: 0 error, 0 header, 0 option
            0 hopcount expired, 0 reassembly timeout,0 too big
            0 echo request, 10 echo reply
            0 group query, 0 group report, 0 group reduce
            0 router solicit, 23 router advert, 0 redirects
            7 neighbor solicit, 6 neighbor advert

    UDP statistics:
      Rcvd: 212 input, 0 checksum errors, 0 length errors
            0 no port, 0 dropped
      Sent: 212 output

    TCP statistics:
      Rcvd: 0 input, 0 checksum errors
      Sent: 0 output, 0 retransmitted

2.5 Display the Neighbor Cache

    R2# show ipv6 neighbors
    IPv6 Address                              Age Link-layer Addr State Interface
    2001:DB8:CAFE:11::1                        52 ca00.0494.0006  STALE Fa0/1.11
    FE80::C800:4FF:FE94:6                      44 ca00.0494.0006  STALE Fa0/1.11

2.6 Display the Routers Cache

    R2# sh ipv6 routers
    Router FE80::C800:4FF:FE94:6 on FastEthernet0/1.11, last update 0 min
      Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
      HomeAgentFlag=0, Preference=Medium
      Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
      Prefix 2001:DB8:CAFE:11::/64 onlink autoconfig
        Valid lifetime 2592000, preferred lifetime 604800

"show ipv6 routers" lists every router the interface has heard an RA from, with the RA contents (AddrFlag and OtherFlag are the M and O bits). A router you did not configure appearing here is the router-side view of the rogue-RA problem seen with NDPmon on the host side.

2.7 CEFv6 !!! Mandatory knowledge to troubleshoot the Cisco routers' data plane!

When you want to trace the handling of a packet in a CISCO router, you need to take a look at the CEFv6 table. IPv6 packet switching is performed by CEFv6. CEFv6 resolves all the recursions that you may find in an IPv6 routing table and sets up an optimized structure for very quick lookup and easy maintenance, an mtrie. The CEFv6 table works with the help of the adjacency table, which gives the mapping between the IPv6 next hop and the layer 2 address.

    R1#show ipv6 cef 2001:db8:cafe:10::/64 internal
    2001:DB8:CAFE:10::/64, epoch 0, RIB[I], refcount 4, per-destination sharing
• 56.

      sources: RIB
      feature space:
        IPRM: 0x00038000
      ifnums:
        FastEthernet0/1.11(11): FE80::C801:4FF:FE94:6
      path 6822BA1C, path list 6822A77C, share 1/1, type attached nexthop, for IPv6
        nexthop FE80::C801:4FF:FE94:6 FastEthernet0/1.11, adjacency IPV6 adj out of FastEthernet0/1.11, addr FE80::C801:4FF:FE94:6 66F91C60
      output chain: IPV6 adj out of FastEthernet0/1.11, addr FE80::C801:4FF:FE94:6 66F91C60

Once the CEFv6 entry is found, we need to look for the matching next-hop entry in the adjacency table. In the adjacency entry we find the origin of the resolution, ND for IPv6 or ARP for IPv4.

If the router is currently resolving the IPv6 next hop to a layer 2 MAC address, the entry will be in the INCOMPLETE state. The packet which triggered the resolution is buffered, waiting for the resolution to complete. Once the resolution is complete, the packet is encapsulated and sent to its destination. This is different from IPv4, where the packet was dropped: we used to get 80% the first time we pinged a destination because the first packet was dropped. This is no longer the case and we should get 100% even the first time.

    R1#show adjacency FE80::C801:4FF:FE94:6
    Protocol Interface                 Address
    IPV6     FastEthernet0/1.11        FE80::C801:4FF:FE94:6(7)

    R1#show adjacency FE80::C801:4FF:FE94:6 internal
    Protocol Interface                 Address
    IPV6     FastEthernet0/1.11        FE80::C801:4FF:FE94:6(7)
                                       0 packets, 0 bytes
                                       epoch 0
                                       sourced in sev-epoch 1
                                       Encap length 18
                                       CA0104940006CA00049400068100000B
                                       86DD
                                       IPv6 ND
                                       Fast adjacency enabled [OK]
                                       L3 mtu 1500
                                       Flags (0x11A9E)
                                       Fixup disabled
                                       HWIDB/IDB pointers 0x66CCDD10/0x67E58500
                                       IP redirect enabled
                                       Switching vector: IPv6 adjacency oce
                                       Adjacency pointer 0x66F91C60

The 18-byte encapsulation string is the pre-built Ethernet header: destination MAC CA01.0494.0006 (the next hop), source MAC CA00.0494.0006 (the router's own), the 802.1Q tag 8100 000B (VLAN 11, matching subinterface Fa0/1.11) and the EtherType 86DD for IPv6.

Addresses of an IPv6 host:
- a link-local address on each interface;
- one or many unicast addresses;
- one loopback, ::1;
- on each interface, the interface-local scope all-nodes multicast address FF01::1, the link-local scope all-nodes multicast address FF02::1, and a solicited-node multicast address for each unicast address.

Router IPv6 addresses:
- the loopback ::1 for the router;
- a link-local address for each link;
- as many global addresses as needed;
- multicast addresses such as all-nodes FF02::1 and all-routers FF02::2.

Example on a CISCO router:

    R0> show ipv6 int f1/0
    FastEthernet1/0 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::C800:6FF:FEA9:1C
      No Virtual link-local address(es):
      Global unicast address(es):
        2001:DB8:C0A8:A:C800:6FF:FEA9:1C, subnet is 2001:DB8:C0A8:A::/64 [EUI]
        2001:DB8:C0A8:B:C800:6FF:FEA9:1C, subnet is 2001:DB8:C0A8:B::/64 [EUI]
      Joined group address(es):
        FF02::1
        FF02::2
        FF02::1:FFA9:1C
      MTU is 1500 bytes
      ICMP error messages limited to one every 100 milliseconds
      ICMP redirects are enabled
      ICMP unreachables are sent
      ND DAD is enabled, number of DAD attempts: 1
      ND reachable time is 30000 milliseconds (using 30000)
      ND advertised reachable time is 0 (unspecified)
      ND advertised retransmit interval is 0 (unspecified)
      ND router advertisements are sent every 200 seconds
      ND router advertisements live for 1800 seconds
      ND advertised default router preference is Medium
      Hosts use stateless autoconfig for addresses.
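Two of the addresses in the output above are derived mechanically from the interface MAC address: the link-local FE80::C800:6FF:FEA9:1C and the [EUI] global addresses are modified EUI-64 interface identifiers of MAC ca00.06a9.001c, and FF02::1:FFA9:1C is the solicited-node group shared by those unicast addresses. The following added example (not code from the book) reproduces both derivations and the inverse one, recovering the MAC from an EUI-64 address, which is why Windows prefers the random "Temporary IPv6 Address" seen in the ipconfig output earlier: an EUI-64 identifier follows the machine from network to network. The sample addresses in the usage are taken from the router and Windows outputs on this page.

```python
"""EUI-64 interface identifiers and solicited-node multicast groups (RFC 4291)."""
import ipaddress


def mac_to_eui64(mac):
    """Modified EUI-64 (RFC 4291 Appendix A): insert ff:fe in the middle, flip the U/L bit.

    Accepts Cisco 'ca00.06a9.001c', 'ca:00:06:a9:00:1c' or 'ca-00-06-a9-00-1c' notation."""
    digits = mac.replace(":", "").replace(".", "").replace("-", "").lower()
    if len(digits) != 12:
        raise ValueError("need a 48-bit MAC address")
    b = bytearray.fromhex(digits)
    b[0] ^= 0x02                      # universal/local bit is inverted in the IID
    return bytes(b[:3] + b"\xff\xfe" + b[3:])


def eui64_address(prefix, mac):
    """SLAAC address: a /64 prefix combined with the EUI-64 of the MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64(mac)))


def solicited_node(addr):
    """ff02::1:ffXX:XXXX built from the low 24 bits of a unicast address (RFC 4291 2.7.1)."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    return str(ipaddress.IPv6Address(bytes.fromhex("ff0200000000000000000001ff") + low24))


def eui64_to_mac(addr):
    """Inverse: the MAC behind an EUI-64 address, or None if the IID is not EUI-64
    (a temporary/privacy address, a random IID, or a manually chosen one)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    b = bytearray(iid[:3] + iid[5:])
    b[0] ^= 0x02
    return ":".join("%02x" % x for x in b)


if __name__ == "__main__":
    # Values from the router output above: MAC ca00.06a9.001c on FastEthernet1/0.
    print(eui64_address("fe80::/64", "ca00.06a9.001c"))                # fe80::c800:6ff:fea9:1c
    print(eui64_address("2001:db8:c0a8:a::/64", "ca00.06a9.001c"))     # 2001:db8:c0a8:a:c800:6ff:fea9:1c
    print(solicited_node("2001:db8:c0a8:a:c800:6ff:fea9:1c"))          # ff02::1:ffa9:1c
    print(eui64_to_mac("fe80::c800:6ff:fea9:1c"))                      # ca:00:06:a9:00:1c
    # The Windows temporary address from the ipconfig output: nothing to recover.
    print(eui64_to_mac("2001:db8:21da:7:5099:ba54:9881:2e54"))         # None
```

The solicited-node group is what a Neighbor Solicitation for that address is sent to, which is why the interface shows FF02::1:FFA9:1C among its joined groups: all of the interface's unicast addresses end with the same 24 bits, so one group serves them all.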
• 57. Addresses, Names & Services Mgmt.
7
We need to manage IPv6 addresses 4 times longer than IPv4 addresses, and the good old spreadsheet that we were using for IPv4 does not do it any more! With long addresses, good name management is key to a successful deployment! New software named IPAM is now the MUST-have for any network to solve this important question.
• 58. Chapter 7 Addresses, Names & Services

1 DHCPv6 Introduction

Topics:
1. Summary of dynamic addressing
2. SLAAC, DHCPv6 Stateful, Stateless Operations
3. DHCPv6
4. DHCP-PD Prefix Delegation

IPv6 supports 3 different methods to provide dynamic addressing, which can be combined as they are not mutually exclusive!
- Without any DHCPv6 it can be plug and play thanks to SLAAC.
- A DHCPv6 Server can be added to get more details about the servers after we have figured out our IPv6 addresses without it.
- DHCPv6 can be used to provide a full block to address a full site.
DHCPv6 CANNOT REPLACE THE ND PROTOCOL (RA).

1.1 DHCPv6 & DNS

DHCPv6 is DHCP support for IPv6 and has been enhanced to support multiple modes of operation. It is documented in many RFCs as multiple modes exist. The principal mode is described in RFC3315. Also, the presence of DHCPv6 must be advertised by the routers in the Router Advertisements (NDP) for the workstation to send requests, or the DHCPv6 servers will be ignored. The DHCPv6 base specification, RFC3315, provides Authentication for the messages to avoid any sort of Rogue DHCP Server.

DHCPv6 can be used in 3 Modes:

Stateful DHCPv6. This is the standard DHCP Operation. The request includes both Addresses and Other Information.

Stateless DHCPv6, RFC3736. This is a new mode in IPv6 where we do not want to get any Address from the DHCPv6 Servers but only Other Information like domain name, DNS and other Server addresses. It is called stateless because in this mode the DHCPv6 Server does not need to keep any state, since it does not allocate any address to remember and manage.

DHCPv6 Prefix Delegation, RFC3633. This is also a new mode for DHCP. It is used to request a full block from the Service Provider. The block is allocated and can then be subnetted at will. This mode is very convenient for some SPs, who can manage the Prefixes allocated to each customer from a DHCPv6 Server which gets the Prefix for each customer from a Radius Server.

We have seen that at the end of the SLAAC process, a booting Workstation or an interface coming up may eventually request a DHCPv6 Server for more configuration. Two bits of the RA tell it which kind of request to make; these bits are contained in a field called Flags.

If the Managed bit (M-bit) is set in the Flags of the RA, the workstation makes a full request including Address(es) and other information. This is Stateful DHCPv6, because the server needs to keep state for the allocated addresses.

If the Other bit (O-bit) is set in the Flags of the RA, the workstation just requests Other information and NO ADDRESS. This is Stateless DHCPv6.

These bits MUST be set on the interfaces of the local routers where the workstations which need to query DHCPv6 servers are located.

For a quick Video Presentation of DHCPv6, there is a series of Tutorials starting with Part 1 at:
http://www.ipv6forlife.com/Tutorial/DHCPv6-Part1.html

1.2 DHCPv6 Commands and Fields

DHCPv6 protocol basic operations are not very different from IPv4; the message names are different and multicast is used more in IPv6, but it is pretty much the same protocol. A DHCPv6 Server can provide Address(es) for a client and Other Information like the Domain name or any Server Addresses.

1.2.1 DUID

Each client and server is identified by its DHCP Unique Identifier (DUID). This Identifier is mostly derived from one of the MAC Addresses of the DHCP node, but it can be:
1 Link-layer address plus time
2 Vendor-assigned unique ID based on Enterprise Number
3 Link-layer address
The DUIDs are very important for a protocol which uses a lot of Multicast messages to reach many Servers or Relays. See RFC3315 section 9 for details of the ways in which a DUID may be constructed.

1.2.2 Transaction IDs

A Transaction ID is used to identify all the messages of the same Transaction. It permits pairing a Solicit with a Reply and should be chosen randomly, with algorithms making it quite impossible to guess!

1.2.3 IPv6 UDP Port Numbers

DHCPv6 is encapsulated in UDP over IPv6. DHCPv6 Clients use port 546 and Servers use port 547.

1.2.4 IPv6 Multicast Addresses

DHCPv6 also uses IPv6 Multicast addresses:
- All_DHCP_Relay_Agents_and_Servers (ff02::1:2). This is a Link-local IPv6 Multicast Address used by the Clients to communicate with all the local Servers and Relays. Only the DUID permits each one to see that the packet is for itself.
- All_DHCP_Servers (ff05::1:3). This is a Site-local IPv6 Multicast Address which is used by the Relays to forward the local Clients' Requests to all the DHCPv6 Servers of the Site that have registered to this Multicast group. Multicast routing must be enabled on all the site routers.
DHCPv6 Relays can be used to encapsulate the messages from the Clients to the Servers and vice-versa.

1.2.5 Identity Association (IA)

Basically we need an Identity Association to request address(es) for each interface. See RFC 3315 Section 10 for an excellent definition:

'An "identity-association" (IA) is a construct through which a server and a client can identify, group, and manage a set of related IPv6 addresses. Each IA consists of an IAID and associated configuration information.
A client must associate at least one distinct IA with each of its network interfaces for which it is to request the assignment of IPv6 addresses from a DHCP server. The client uses the IAs assigned to an interface to obtain configuration information from a server for that interface. Each IA must be associated with exactly one interface.'

To get more details about how the addresses are allocated by the server, please see Section 11 of RFC3315.
Another example of the use of IAs would be a Virtual Server with many virtual interfaces. Each group of Interfaces playing the same role will be using the same Identity Association.

1.2.6 Client/Server ID

DHCPv6 uses a lot of Multicast. The SOLICIT and REQUEST messages are sent to All_DHCP_Relay_Agents_and_Servers (FF02::1:2). So it is important to identify both Client and Server with something other than the address.
• 60.
1.2.7 DHCP Messages

There are 13 messages to support the DHCPv6 Operations. There is no need to explain each message one by one, but we will explain most if not all of them as we get into the details of how DHCPv6 operates. For a full list with explanations, please refer to Section 5.3 of RFC3315. The 13 messages are:

SOLICIT 1
ADVERTISE 2
REQUEST 3
CONFIRM 4
RENEW 5
REBIND 6
REPLY 7
RELEASE 8
DECLINE 9
RECONFIGURE 10
INFORMATION-REQUEST 11
RELAY-FORW 12
RELAY-REPL 13

1.2.7.1 Used during the startup without Relays
SOLICIT (1), ADVERTISE (2), REQUEST (3), REPLY (7)

1.2.7.2 If a Relay is used we must add to the previous
RELAY-FORW (12), RELAY-REPL (13)

1.2.7.3 To Refresh an Address Reservation
RENEW (5), REBIND (6), REPLY (7)

1.2.7.4 To Request Information Only (Stateless DHCPv6)
INFORMATION-REQUEST (11)

1.2.7.5 Client doesn't need this address anymore
RELEASE (8)

1.2.7.6 Client confirms that an allocated address is still OK
CONFIRM (4)

1.2.7.7 Client refuses an address already in use
DECLINE (9)

1.2.7.8 A new config available needs a new Request
RECONFIGURE (10)

1.2.7.9 DHCP Messages Authentication
DHCPv6 messages can be authenticated, see Section 21 of RFC3315. This would make a Rogue DHCP Server impossible. It is open to any Authentication Protocol and can manage the keys of a DHCPv6 Server Realm. A DHCPv6 Realm is a name used to identify the DHCP administrative domain from which a DHCP authentication key was selected.

1.2.8 DHCP Options

All the Information which is requested by a client or given by a Server is actually coded in DHCPv6 Options. The full list is:

OPTION_CLIENTID 1
OPTION_SERVERID 2
OPTION_IA_NA 3
OPTION_IA_TA 4
OPTION_IAADDR 5
OPTION_ORO 6
OPTION_PREFERENCE 7
OPTION_ELAPSED_TIME 8
OPTION_RELAY_MSG 9
OPTION_AUTH 11
OPTION_UNICAST 12
OPTION_STATUS_CODE 13
OPTION_RAPID_COMMIT 14
OPTION_USER_CLASS 15
OPTION_VENDOR_CLASS 16
OPTION_VENDOR_OPTS 17
OPTION_INTERFACE_ID 18
OPTION_RECONF_MSG 19
• 61.
OPTION_RECONF_ACCEPT 20

There are actually MORE OPTIONS which are added by other RFCs:
- IA_PD (RFC3633, Section 10) for DHCP Prefix Delegation
- DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6): http://tools.ietf.org/html/rfc3646
For all details, please see section 22 of RFC3315.

1.2.8.1 Client ID and Server ID Options
These options carry the Client DUID to the Server and the Server DUID to the Client. Generally, a MAC Address is used.

1.2.8.2 Addresses

1.2.8.2.1 IAADDR Option
The IAADDR Option permits carrying the IPv6 Dynamic Addresses allocated by the Server. Like the Prefixes advertised in the RA, which permit deriving IPv6 Addresses for the interfaces, the IAADDR Option has a Preferred Lifetime and a Valid Lifetime for each allocated Address. This permits IPv6 to manage the dynamic addresses' Lifecycle like the addresses derived from the Prefixes contained in the RA.
See the figure for more details about the states of a dynamic Address. Remember that an Address must remain in the Preferred State if we want to use it, so the Preferred and Valid Lifetimes must be chosen carefully.
The IAADDR IPv6 Dynamic Address Option must be encapsulated in one of the following: IA_NA or IA_TA. We can see the IAADDR Options with a yellow background and red letters in both the IA_NA and IA_TA figures.

1.2.8.2.2 IA_NA Option
The IA_NA is used to encapsulate Non-Temporary Addresses. There are two timers associated with the Refreshing of IPv6 Addresses.
T1 is the timer for when to query the DHCPv6 Server which has allocated the Address.
T2 is the timer for when to query any DHCPv6 Server for an Address.
Care should be taken in setting T1 or T2 to 0xffffffff ("infinity"). A client will never attempt to extend the lifetimes of any addresses in an IA with T1 set to 0xffffffff. A client will never attempt to use a Rebind message to locate a different server to extend the lifetimes of any addresses in an IA with T2 set to 0xffffffff.

1.2.8.2.3 IA_TA Option
The IA_TA is used to encapsulate Temporary Addresses (Privacy Extension, RFC4941). There is no Timer associated with it.

1.2.8.3 Prefix Delegation
This is used in DHCP-PD (RFC3633) to request and provide a full block like 2001:db8:678::/48, to address all the buildings of a Company in a City for instance.

1.2.8.4 Option Request Option (ORO)
The ORO is used to provide the list of the Options which are requested by a client or need to be reconfigured from the server. For instance, if the Client requested the Domain Name, it is in the ORO Option.
"A client MAY include an Option Request option in a Solicit, Request, Renew, Rebind, Confirm or Information-request message to inform the server about options the client wants the server to send to the client. A server MAY include an Option Request option in a Reconfigure option to indicate which options the client should request from the server."
http://tools.ietf.org/html/rfc3315#section-22.7
Example of a Captured ORO: (figure)

1.2.9 Status Code Option
It is used to report the status of an operation. If it does not appear where it should, success is assumed.

1.2.10 Preference Option
It is possible for the servers to give a level of preference when multiple servers are available. When the client receives multiple ADVERTISE messages, it will prefer the server with the highest Preference.

Elapsed Time Option
This is used by the client to measure the duration of an exchange. For instance, if an exchange lasts too long, the client may use a secondary server.

1.2.11 Relay

1.2.11.1 Relay Message Option
It contains the DHCP message encapsulated by the relay in a Relay-Forward or a Relay-Reply Message.

1.2.11.2 Interface-ID Option
This option may be added by a Relay to record the Interface-ID on which the message was received. The Relay will use it to forward the reply back to the right interface.

1.2.12 Authentication Option
Used for DHCP message Authentication. Useful to avoid Rogue DHCP Servers.
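As an added example, not the book's code, here is a Python sketch of the RFC3315 wire format covered in sections 1.2.7 to 1.2.8.2: it builds an ADVERTISE carrying Server ID, Client ID and an IA_NA that nests an IAADDR, parses it back with length checks, and verifies that T1/T2 are consistent with the Preferred and Valid lifetimes. The DUIDs, MAC addresses, the address 2001:db8:c0a8:a::100 and the timer values are constructed sample values; only the message and option codes come from the RFC.

```python
"""Build and parse DHCPv6 messages (RFC3315 wire format).

Added example, not code from the book.  All sample values (DUIDs, MACs, the
allocated address and the lifetimes) are constructed for illustration.
"""
import struct
import ipaddress

# Message types (RFC3315 section 5.3) and the option codes this sketch decodes.
MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 4: "CONFIRM", 5: "RENEW",
             6: "REBIND", 7: "REPLY", 8: "RELEASE", 9: "DECLINE", 10: "RECONFIGURE",
             11: "INFORMATION-REQUEST", 12: "RELAY-FORW", 13: "RELAY-REPL"}
OPTION_CLIENTID, OPTION_SERVERID, OPTION_IA_NA, OPTION_IAADDR, OPTION_ORO = 1, 2, 3, 5, 6
INFINITY = 0xFFFFFFFF


def option(code, data):
    """option-code (2) | option-len (2) | option-data."""
    return struct.pack("!HH", code, len(data)) + data


def duid_llt(hw_type, time, mac):
    """DUID type 1: link-layer address plus time (RFC3315 section 9.2)."""
    return struct.pack("!HHI", 1, hw_type, time) + mac


def iaaddr(addr, preferred, valid):
    """IAADDR: address (16) | preferred-lifetime (4) | valid-lifetime (4)."""
    return option(OPTION_IAADDR,
                  ipaddress.IPv6Address(addr).packed + struct.pack("!II", preferred, valid))


def ia_na(iaid, t1, t2, sub_options=b""):
    """IA_NA: IAID (4) | T1 (4) | T2 (4) | nested options such as IAADDR."""
    return option(OPTION_IA_NA, struct.pack("!III", iaid, t1, t2) + sub_options)


def message(msg_type, xid, options):
    """msg-type (1) | transaction-id (3) | options."""
    return struct.pack("!B", msg_type) + xid.to_bytes(3, "big") + options


def parse_options(data):
    """Walk a TLV option list, refusing lengths that run past the buffer."""
    out, pos = [], 0
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError(f"option {code} claims {length} bytes, only {len(body)} left")
        pos += 4 + length
        if code == OPTION_IA_NA:
            iaid, t1, t2 = struct.unpack_from("!III", body)
            out.append(("IA_NA", {"iaid": iaid, "t1": t1, "t2": t2,
                                  "options": parse_options(body[12:])}))
        elif code == OPTION_IAADDR:
            preferred, valid = struct.unpack_from("!II", body, 16)
            out.append(("IAADDR", {"address": str(ipaddress.IPv6Address(body[:16])),
                                   "preferred": preferred, "valid": valid}))
        elif code == OPTION_ORO:
            out.append(("ORO", list(struct.unpack(f"!{length // 2}H", body))))
        elif code == OPTION_CLIENTID:
            out.append(("CLIENTID", body.hex()))
        elif code == OPTION_SERVERID:
            out.append(("SERVERID", body.hex()))
        else:
            out.append((f"OPTION_{code}", body.hex()))
    return out


def parse_message(raw):
    if len(raw) < 4:
        raise ValueError("message shorter than the 4-byte fixed header")
    return {"type": MSG_TYPES.get(raw[0], raw[0]),
            "xid": int.from_bytes(raw[1:4], "big"),
            "options": parse_options(raw[4:])}


def timers_consistent(ia):
    """T1 (renew) must not be later than T2 (rebind), and neither may be later
    than the preferred lifetime of any address in the IA, otherwise the address
    leaves the Preferred state before the client ever tries to refresh it.
    0xffffffff means 'never' and is skipped in the comparisons."""
    t1, t2 = ia["t1"], ia["t2"]
    if INFINITY not in (t1, t2) and t1 > t2:
        return False
    for name, val in ia["options"]:
        if name == "IAADDR":
            if val["preferred"] > val["valid"]:
                return False
            if any(t != INFINITY and t > val["preferred"] for t in (t1, t2)):
                return False
    return True


def sample_advertise():
    """Constructed ADVERTISE: Server ID, Client ID and an IA_NA with one IAADDR."""
    client = duid_llt(1, 0x1234ABCD, bytes.fromhex("ca0104940006"))   # constructed MAC
    server = duid_llt(1, 0x0BADCAFE, bytes.fromhex("ca0006a9001c"))   # constructed MAC
    ia = ia_na(iaid=0x0E000001, t1=1800, t2=2880,
               sub_options=iaaddr("2001:db8:c0a8:a::100", preferred=3600, valid=7200))
    return message(2, 0x2A3B4C,
                   option(OPTION_SERVERID, server) + option(OPTION_CLIENTID, client) + ia)


if __name__ == "__main__":
    parsed = parse_message(sample_advertise())
    print(parsed)
    print("timers consistent:", timers_consistent(dict(parsed["options"])["IA_NA"]))
```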
• 62.
1.2.13 Server Unicast Option
The server sends this option to a client to indicate that the client is allowed to unicast messages to the server. This way the client can bypass any Relay and send messages directly to the server. RFC3315 Section 18.1:
"Use of unicast may avoid delays due to the relaying of messages by relay agents, as well as avoid overhead and duplicate responses by servers due to the delivery of client messages to multiple servers. Requiring the client to relay all DHCP messages through a relay agent enables the inclusion of relay agent options in all messages sent by the client. The server should enable the use of unicast only when relay agent options will not be used."

1.2.14 Rapid Commit Option
This option permits some transactions to be only 2-way (Solicit, Reply) instead of 4-way. It is set in the Solicit message by the client.

1.2.15 User Class Option
This option permits one to configure multiple classes of users that do not need the same parameters. For instance, some clients may need a SIP server address and some don't.

1.2.16 Vendor

1.2.16.1 Vendor Class Option
This option, set by the client, tells the server which Vendor's hardware/software the client is running.

1.2.16.2 Vendor-Specific Information Option
This Option allows some Vendor-Specific information to be exchanged between the Client and the Server.

1.2.17 Reconfigure

1.2.17.1 Reconfigure Message Option
This Option is used when a server has been reconfigured. It asks the client to send a message to get a new config. In a Reconfigure message, this Option tells the client whether it must respond with a Renew message to request an address or with an Information-Request message to request Other Information.

1.2.17.2 Reconfigure Accept Option
A client uses this option to tell the server whether it accepts Reconfigure messages. The server uses this option to tell the client whether or not to accept Reconfigure messages.
• 63.
1.3 DHCPv6 Startup

The DHCPv6 messages used during the initialization to request Addresses and/or Other Information are the following.

1.3.1 Client & Server(s) are on the same link

1.3.1.1 Solicit
The client first sends a Solicit discovery message. It is not a reservation request when an address is needed, just a discovery to figure out which server around is available and could provide the information needed. The destination address is the All Servers and Relays Link-local Multicast Address ff02::1:2; the Source is the Workstation Link-local Address. The information needed by the client is listed in the Option Request Option (ORO).

1.3.1.2 Advertise
The Server(s) reply with an Advertise including all the available resources matching the client's ORO. This is sent back to the Link-Local address of the Client.

1.3.1.3 Request
The Request is sent to the All Servers and Relays Link-local Multicast Address ff02::1:2; the Source is the Workstation Link-local Address. The DUID of the Server is used to identify which server we want to use.

1.3.1.4 Reply
The Server provides the Reservation if an address has been requested, plus Information, or Information Only if this is what we have requested (Information-Request).

1.3.2 Client & Server(s) use a Relay
If the Server is not located on the same link as the client, a Relay is needed in between. The Relay will forward the request to the Server as Unicast Messages of any kind, Anycast, or to the Well-known site-local Multicast address ff05::1:3.
The Relay encapsulates the request in a Relay-Forward to the Server, and the server encapsulates its response in a Relay-Reply Message.

1.3.3 DHCP-PD Startup Example
In this example, the client sends a Solicit with an IA_PD requesting a Prefix from the server. It is forwarded by the Relay. The server Advertises a Prefix and gives the Server Unicast Option for the Client to send its request in a Unicast message. This is why the Request and the Reply bypass the Relay. The Server provides a block, for instance 2001:db8:678::/48, which can be used and subnetted by the DHCP-PD client.

1.4 DHCPv6 Configuration Management

"A client uses Request, Renew, Rebind, Release and Decline messages during the normal life cycle of addresses. It uses Confirm to validate addresses when it may have moved to a new link. It uses Information-Request messages when it needs configuration information but no addresses." (Section 18.1, RFC3315)

1.4.1 Address Refreshment initiated by the Client
Once the Address has been allocated, it must be maintained and Refreshed as soon as required. IA_NA and IA_PD Addresses are provided with the DHCP timers which trigger the process: T1 and T2. These 2 timers must be set consistently with the Preferred and Valid lifetimes of the addresses. Remember that an address MUST remain a Preferred Address, so the T1/T2 Timers must be set accordingly.
IPv6 Addresses come with two Timers, the Preferred and the Valid Timers. For Static Addresses, these timers are usually set to Infinity, which is ALL ONEs. For Dynamic Addresses, they must be refreshed to reset these timers so that the Addresses or Derived Addresses remain in the Preferred State. In figure 6.18 we can see how these timers are Reset with Unsolicited RAs.
With DHCPv6, the Preferred and Valid Timers must also be Refreshed when the DHCPv6 client RENEWs its reservation. These timers are included in the IAADDR Option, which is encapsulated in the IA_NA or IA_PD Option. Both the IA_NA and IA_PD Options also carry two timers related to the DHCPv6 protocol. When T1 expires, the client sends a RENEW to the server from which it has learned its configuration. If the client times out on the RENEW with the Server which had provided the initial configuration, it will send a REBIND to all the available servers.
RFC3315 Section 18.1.4:
"The message exchange is terminated when the valid lifetimes of all the addresses assigned to the IA expire (see section 10), at which time the client has several alternative actions to choose from. For example:
The client may choose to use a Solicit message to locate a new DHCP server and send a Request for the expired IA to the new server.
The client may have other addresses in other IAs, so the client may choose to discard the expired IA and use the addresses in the other IAs."

1.4.2 A client may have moved
http://tools.ietf.org/html/rfc3315#section-18.1.3
• 64.
In any situation where a client may have moved to a new link, the client MUST initiate a Confirm/Reply message exchange. For example:
- The client reboots.
- The client is physically connected to a wired connection.
- The client returns from sleep mode.
- The client using a wireless technology changes access points.

1.4.3 A client doesn't need an Address anymore
The client sends a Release Message to the Server.

1.4.4 A client detects a DUPlicated Address
The client sends a Decline Message to the Server.

1.4.5 Server Configuration has changed
The Server must inform the client with a RECONFIGURE message. The RECONFIGURE message includes the Reconfigure Message Option to tell the client whether it must send a Renew providing Addresses or an Information-Request not providing Address(es).

1.4.6 Constants
(figure)

1.4.7 DHCP Reliability
Because UDP does not provide reliability, it must be provided by the Application. The client begins the message exchange by transmitting a message to the server. The message exchange terminates when either the client successfully receives the appropriate response or responses from a server or servers, or when the message exchange is considered to have failed according to the retransmission mechanism described below.

1.5 Capture Example

1.5.1 Solicit Message
(figure)

1.5.2 Advertise Message
Options: Server ID, Client ID, IA_NA with IAADDR and Domain Search List
(figure)

1.6 SUMMARY
• 65.
2 DNS

2.1 Introduction
DNS was introduced in RFC1035. The objects of DNS are organized as a tree structure. The root is the ".".
It is transported over IPv6, encapsulated in UDP port 53 for most messages, but for some exchanges like zone transfer TCP is more appropriate.
The initial RFC1035 had a serious limitation for IPv6, which is the UDP size limit of 512 octets. So we actually had two problems to solve:
- The Maximum Size of 512 bytes for UDP Messages
- How to code IPv6 Names to Addresses and vice-versa
Many Objects are used for DNS: NS for Name Servers, MX for Mail Exchange (DNS plays a key role in Mail routing on the Internet), A for IPv4 Addresses, AAAA for IPv6 Addresses. And more...

2.1.1 Servers hierarchy

2.1.1.1 ROOT Servers
At the very top, we have the ROOT Servers. They manage the list of the Servers of each Top-Level domain, like .com or .uk, and they return their addresses. 13 IPv4 anycast addresses are used and, last time I checked, 9 IPv6 Addresses were also ready.
13 IPv4 addresses can be sent in a 512 (436) bytes UDP message! Remember that 512 octets were the size limit for a UDP message in RFC 1035! Adding 13 IPv6 addresses was certainly going over the limit (800+ bytes)!
There are actually 200+ physical servers around the globe.
Domain root-servers.net: a.root-servers.net through m.root-servers.net
In Europe the RIPE Servers k.root-servers.net are located in Amsterdam, Athens, Doha, Frankfurt, London and Milan. IPv4: 193.0.14.129, IPv6: 2001:7fd::1
IPv6 addresses are already supported by 9 of the 13 root-servers.
Requirements of a Root Server are in RFC2870.
http://www.iana.org/domains/root/

2.1.2 Top Level Domain Servers
They return the address of the NS for a User domain, for example fredbovy.com. The full list is at http://www.iana.org/domains/root/db/
There are two kinds of TLD:

2.1.2.1 The Generic Top-Level-Domains (gTLD)
.com, .edu, .net, .mil, but there are also some other registered gTLDs:
• The .org domain is intended to serve the noncommercial community.
• The .aero domain is reserved for members of the air transport industry.
• The .biz domain is reserved for businesses.
• The .coop domain is reserved for cooperative associations.
• The .int domain is only used for registering organizations established by international treaties between governments.
• The .museum domain is reserved for museums.
• The .name domain is reserved for individuals.
• The .pro domain is being established; it will be restricted to credited professionals and related entities.

2.1.2.2 The Country Code Top-Level-Domains (ccTLD)
There is one for each country: .us, .ca, .fr, .uk.

2.1.3 The Authoritative Domain Servers
To increase performance and reliability of DNS, there is more than one DNS server for each domain.

2.1.3.1 Primary or Master DNS Server
The Master Zone file describing the zone (Zone config file) is located on the Primary server.

2.1.3.2 Secondary or Slave DNS Server
The Secondary Server is synchronized with the Primary thanks to Zone Transfer over TCP.

2.1.3.3 Caching only Servers
The Caching Server is used to cache the answers on a local Server, so when the same query is requested again, it will be available locally.

2.2 Clients Query Modes
There are two modes for Clients to resolve an IPv6 Name to an Address:

2.2.1 Iterative (supported by all NS)
This mode actually involves the requester more than the local NS.
• 66.
2.2.2 Recursive
The Recursive mode actually involves the Local Server more than the Requester.

2.3 Support of IPv6 for DNS

2.3.1 EDNS0
RFC1035 specifies the maximum DNS UDP message size as 512 bytes.
13 IPv4 anycast addresses were used to represent 200+ Servers so that the announcement fits in a 512-byte message, 436 bytes actually, to leave room for some options.
With only 5 IPv6 addresses added to the Additional Section of the DNS Type NS response message that root server operators return during the priming exchange, the size of the response message increases from 436 bytes to 576 bytes.
9 Root Servers have been assigned IPv6 addresses.
When all 13 root name servers are assigned IPv6 addresses, the priming response will increase in size to 811 bytes!

2.3.2 Priming Exchange
The priming exchange is done when the list of Root Servers is requested. Conditions for the successful completion of a priming exchange:
- Resolvers and any intermediate systems that are situated between resolvers and root name servers must be able to process DNS messages containing Type AAAA resource records.
- Additionally, Resolvers must use DNS Extensions (EDNS0, RFC 2671) to notify root name servers that they are able to process DNS response messages larger than the 512-byte maximum DNS message size specified in RFC1035.
- Intermediate systems must be configured to forward UDP-encapsulated DNS response messages larger than the 512-byte maximum DNS message size specified in RFC1035 to the resolvers that issued the priming request.

2.3.3 Test EDNS0 Implementation
To test the action a firewall implementation takes when it receives a UDP-encapsulated DNS response message larger than 512 bytes, a network or firewall administrator can perform the following DNS lookup using:
This command should elicit a 699-byte response that contains AAAA resource records.
If no response is received, network and firewall administrators should first determine if a security policy other than the vendor's default processing for DNS messages is blocking large response messages or large UDP messages. If no policy other than the vendor's default processing is configured, note the implementation and version and contact your vendor to determine if an upgrade or hot fix is available.

2.4 DNSSEC
DNSSEC is an effort to make DNS more secure with some Authentication of the messages. DNSSEC is detailed in RFC4033, RFC4034 and RFC4035. A discussion of operational practices relating to DNSSEC can be found in RFC4641.
In DNSSEC a secure response to a query is one which is cryptographically signed and validated.
No Protection against DoS attacks.
DNSSEC adds new Resource Record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS) and Next Secure (NSEC). A signed zone will contain the 4 additional security-related records.
DNSSEC requires support for EDNS0 (RFC2671) and the DNSSEC OK (DO) EDNS bit (RFC 3225).
Root Zone is Signed: http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html
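An added example (not the book's): Python that builds the root priming query with an EDNS0 OPT record and the DO bit, extracts the OPT parameters from a response so a resolver knows whether the peer is limited to 512 bytes, and reproduces the 436/576/811-byte sizes quoted above. The per-record accounting (28 bytes per AAAA glue record, 11 bytes for the OPT record) is the example's own derivation from the RFC1035 record layout, chosen because it makes the book's figures add up.

```python
"""EDNS0 (RFC2671) priming query builder, OPT record extraction, and the
priming-response size arithmetic from section 2.3.1.

Added example, not code from the book.  The plain 17-byte response used in
the self-check is constructed, not a capture.
"""
import struct

TYPE_NS, TYPE_OPT = 2, 41
CLASS_IN = 1
DO_BIT = 0x8000                 # DNSSEC OK flag, high bit of the OPT "TTL" field (RFC3225)
RFC1035_MAX_UDP = 512
ROOT_PRIMING_V4_ONLY = 436      # 13 A records: the figure quoted above
AAAA_GLUE_RR = 28               # assumed: name ptr 2 + type 2 + class 2 + TTL 4 + rdlen 2 + 16
OPT_RR = 11                     # assumed: root name 1 + type 2 + class 2 + TTL 4 + rdlen 2


def build_priming_query(xid, udp_payload_size=4096, dnssec_ok=True):
    """'. NS IN' query plus an OPT RR announcing the UDP payload size we accept."""
    header = struct.pack("!HHHHHH", xid, 0x0100, 1, 0, 0, 1)    # RD=1, QDCOUNT=1, ARCOUNT=1
    question = b"\x00" + struct.pack("!HH", TYPE_NS, CLASS_IN)   # root name is a lone zero label
    ttl = DO_BIT if dnssec_ok else 0                               # ext-rcode 0, version 0, flags
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, ttl, 0)
    return header + question + opt


def skip_name(msg, pos):
    """Advance past an uncompressed or compressed (0xC0 pointer) domain name."""
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        label_len = msg[pos]
        if label_len == 0:
            return pos + 1
        if label_len & 0xC0 == 0xC0:
            return pos + 2
        pos += 1 + label_len


def find_opt(msg):
    """Return the peer's EDNS0 parameters from its OPT RR, or {} for a plain
    RFC1035 responder that must be assumed limited to 512-byte messages."""
    if len(msg) < 12:
        raise ValueError("shorter than the DNS header")
    qd, an, ns, ar = struct.unpack_from("!HHHH", msg, 4)
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4                  # QTYPE + QCLASS
    for count in (an, ns, ar):
        for _ in range(count):
            pos = skip_name(msg, pos)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
            if rtype == TYPE_OPT:                      # CLASS carries the payload size
                return {"payload_size": rclass, "do": bool(ttl & DO_BIT),
                        "version": (ttl >> 16) & 0xFF}
            pos += 10 + rdlen
    return {}


def priming_response_size(v6_servers=0, edns=False):
    """Size of the root priming answer once v6_servers root servers carry AAAA glue;
    reproduces the 436 -> 576 (5 AAAA) -> 811 (13 AAAA plus OPT) progression above."""
    return ROOT_PRIMING_V4_ONLY + AAAA_GLUE_RR * v6_servers + (OPT_RR if edns else 0)


def fits_without_edns(size):
    """A response larger than this is dropped by a path that enforces RFC1035's limit."""
    return size <= RFC1035_MAX_UDP


if __name__ == "__main__":
    q = build_priming_query(0x1234)
    print(len(q), "byte query, OPT:", find_opt(q))
    for n in (0, 5, 13):
        size = priming_response_size(v6_servers=n, edns=(n == 13))
        print(f"{n:2d} AAAA glue records -> {size} bytes, fits in 512: {fits_without_edns(size)}")
```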
• 67.
2.5 Configuration of a DNS Bind Server on Linux

2.5.1 Zones and Zone Files
A Zone file translates the domain names into addresses. A Zone File contains:
- Data that describes the zone authority, known as the Start of Authority (SOA) Resource Record.
- All the hosts within the zone: an A Resource Record for an IPv4 Address, an AAAA Resource Record for an IPv6 Address.
- Data that describes global information for the zone: MX Resource Records for the domain's mail servers and NS Resource Records for the Name Servers.
- In the case of a subdomain delegation, the name servers responsible for this subdomain.
A Zone file looks like this:
(figure)

2.5.2 Reverse-Mapping Zone
(figure)

2.5.3 Transport of IPv6 Information in IPv6
- DNS requests must be transported in IPv6
- DNS Root servers and Top-level domains must support IPv6
- 9 of the 13 root-servers are IPv6 ready!
- DNS messages larger than 512 bytes are supported since DNS Extension 0 (EDNS0, RFC2671)
The old Firewalls were blocking the DNS UDP messages bigger than 512 Octets. It has been fixed for a long time, but if you are at a customer site which has not upgraded its software for a long time either, you may hit this issue.
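As an added example rather than the book's own zone files, this Python generates the forward zone (AAAA records) and the reverse-mapping zone (PTR records under ip6.arpa) of sections 2.5.1 and 2.5.2 for a few hosts; the domain example.net, the host names, the 2001:db8:1::/48 prefix and the SOA timers are constructed values.

```python
"""Generate BIND-style forward (AAAA) and reverse (ip6.arpa PTR) zone data.

Added example, not the book's files.  Domain, hosts, prefix and SOA timers are
constructed sample values inside the 2001:db8::/32 documentation prefix.
"""
import ipaddress


def reverse_name(addr):
    """RFC3596 reverse name: all 32 nibbles of the address, reversed and dot-separated,
    under ip6.arpa.  Built from the exploded form, never from the '::' compressed text."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_name(prefix):
    """Apex of the reverse zone for a nibble-aligned prefix (e.g. 2001:db8::/32)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa zones are cut on 4-bit boundaries; use a /4n prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def _header(origin, ns, contact, serial, ttl):
    """$TTL, $ORIGIN, SOA (refresh, retry, expire, minimum) and NS records."""
    return [f"$TTL {ttl}", f"$ORIGIN {origin}",
            f"@ IN SOA {ns} {contact} ( {serial} 3600 900 1209600 {ttl} )",
            f"@ IN NS {ns}"]


def forward_zone(domain, hosts, serial, ns, ttl=3600):
    """Forward zone: one AAAA record per host (hosts maps short name -> IPv6 address)."""
    lines = _header(f"{domain}.", f"{ns}.", f"hostmaster.{domain}.", serial, ttl)
    for name, addr in sorted(hosts.items()):
        lines.append(f"{name} IN AAAA {ipaddress.IPv6Address(addr).compressed}")
    return "\n".join(lines) + "\n"


def reverse_zone(prefix, domain, hosts, serial, ns, ttl=3600):
    """Reverse-mapping zone: one PTR per host, owner names relative to the zone apex.
    Addresses outside the prefix are rejected: they belong in another reverse zone."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    apex = reverse_zone_name(prefix)
    lines = _header(apex, f"{ns}.", f"hostmaster.{domain}.", serial, ttl)
    for name, addr in sorted(hosts.items(), key=lambda kv: ipaddress.IPv6Address(kv[1])):
        if ipaddress.IPv6Address(addr) not in net:
            raise ValueError(f"{addr} is outside {prefix}")
        owner = reverse_name(addr)[: -(len(apex) + 1)]   # strip the trailing '.<apex>'
        lines.append(f"{owner} IN PTR {name}.{domain}.")
    return "\n".join(lines) + "\n"


SAMPLE_HOSTS = {"www": "2001:db8:1::80", "ns1": "2001:db8:1::53"}   # constructed

if __name__ == "__main__":
    print(forward_zone("example.net", SAMPLE_HOSTS, 2012010101, "ns1.example.net"))
    print(reverse_zone("2001:db8:1::/48", "example.net", SAMPLE_HOSTS, 2012010101, "ns1.example.net"))
```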
• 68.
2.6 Dynamic DNS
DNS Servers can be updated dynamically. An address allocated with DHCPv6 or SLAAC automatically updates the DNS Servers by sending Updates to the Servers. So this is not only possible with Servers doing both DHCPv6 and DNS.
The Authentication process between the client and the servers is not defined by the RFC but is left to the convenience of the designers.
Dynamic Updates in the Domain Name System (DNS UPDATE): http://tools.ietf.org/html/RFC2136
Secure Domain Name System (DNS) Dynamic Update: http://tools.ietf.org/html/RFC3007
Operational Considerations and Issues with IPv6 DNS: http://tools.ietf.org/html/rfc4472

2.7 Capture of DNS Traffic
(figure)
• 69. Multicast
8
IPv6 Multicast is not very different from its IPv4 Counterpart. Only the non-scalable protocols have been removed, like PIM-DM or MSDP, and the others have been ported, sometimes with a new name like MLD instead of IGMP.
• 70. Chapter 8 Multicast

Topics:
1. Introduction
2. Protocol Independent Multicast (PIM)
   1. PIM Sparse Mode or ASM
   2. PIM Source Specific Multicast (SSM)
   3. PIM BIDIR
3. Embedded Rendez-vous Point
4. Multicast on Layer 2

1 Introduction
IPv6 Multicast is not very different from its IPv4 Counterpart. Only the non-scalable protocols have been removed (PIM-DM), and the others have been ported, sometimes with a new name like MLD instead of IGMP. PIM is used for the routing of Multicast and, for receiver management, IGMP has been ported as MLD.
The very long addresses of IPv6 allowed the Embedded RP, which is great since the RP no longer has to be configured on each router. The IPv6 multicast router configuration can then be summarized in only one command on CISCO IOS®: "ipv6 multicast-routing", and that's it.
When multicast users are connected with Layer 2 switches, MLD Snooping should be used where IGMP snooping was used for IPv4.
The common rule for all Multicast routing is Reverse Path Forwarding or RPF. This rule says that a packet MUST always be received on the interface which has the best cost to get back to the Source Address of the packet. Otherwise we say that RPF fails and the packet gets silently dropped. This is a basic rule to avoid Multicast Routing loops.
• 71.
Figure: Solicited Node IPv6 Multicast Address
  Unicast Address (Prefix | Interface Identifier, 128 bits): 805B:2D9D:DC28::FC57:D4C8:1FFF
  Solicited-node prefix (FF02 | 0 | 0001 | FF): FF02:0:0:0:0:1:FF, followed by the last 24 bits of the unicast address
  Solicited-node multicast address: FF02:0:0:0:0:1:FFC8:1FFF
  Automatically configured for each unicast address

Just remember the Solicited Node Multicast address example, which is derived from the Unicast address for the ND MAC Address Resolution Protocol. Other examples of Applications which use Multicast are NTP or DHCP.

For this Chapter you will need a Web connection and a Display unit supporting Flash® Presentations for these presentations:
IPv6 Multicast Part 1
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part1.html
IPv6 Multicast Part 2
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part2.html
IPv6 Multicast Part 3
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part3.html
On the other hand, the PowerPoint Presentations can be found in PPS Slideshow format on the IPv6 for Life Web Site and in PDF on the public Slideshare Server, so you can also download them from there.
• 72.
2 Protocol Independent Multicast

PIM is Independent because it does not build a separate Unicast Routing Table to run the RPF. Instead it uses the existing routing table, but the same good old RPF rule still applies.
At the beginning there were two flavors: PIM Dense Mode and PIM Sparse Mode. The first one has not been ported to IPv6 because it was clearly not scalable. On the other hand PIM-SM is still in use in IPv6 Networks.
With PIM-SM, the Multicast Receivers are not supposed to know the addresses of the Sources when they register to listen to a particular Group with the local MLD Querier. The Multicast sources do not need any signaling to send traffic. This must be managed by their directly connected router, which we call the PIM Designated Router or PIM-DR.
So we need a place somewhere in the network for any Source, thanks to its PIM-DR, to meet the receivers, thanks to the local MLD Querier. This meeting place is called a Rendez-Vous Point.
For a detailed presentation of PIM-SM Operations and other topics addressed in this chapter, please use this presentation:
http://www.ipv6forlife.com/Docs/MulticastIPv6.pps
This presentation and others are also located on the public site Slideshare.com; look for Fred Bovy, IPv6 For Life Presentations.
PIM-SM is also explained in these short Flash Presentations:
IPv6 Multicast Part 1
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part1.html
IPv6 Multicast Part 2
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part2.html
IPv6 Multicast Part 3
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part3.html

With PIM-SSM, the Receivers know the address of the Source. When the receiver registers with the MLD Querier, it provides both the Group address it wants to listen to and the IPv6 unicast address of the source. So there is no need for a Rendez-Vous Point and its associated shared tree. We are always on the Shortest-Path Tree.
PIM-BIDIR is actually the Shortest Path Tree of PIM-SM (see the Flash Presentation), but the Sources can also Receive and the Receivers can also Send.
• 73. 3 Embedded Rendez-Vous Point

The Embedded-RP is also fully covered in the PPT Slideshow given earlier, but it is really easy to explain quickly.

The idea is to code a 128 bit address in another /128. So what we do is that we only advertise a prefix, which can be up to /64 long, and then using only 4 bits we can code 16 RPs from this prefix.

[Figure: Embedded RP Address (RFC3956). Group address FF7E:0130:2001:db8:9abc::4321; Rendez-Vous Point Address 2001:db8:9abc::1; Plen = 30 Hex = 48 dec; Embedded RP Prefix 2001:db8:9abc::]

For the Prefix, let's see how it is coded. We got a Prefix length which is here 30 hex or 48 decimal. The Prefix is 2001:db8:9abc::/48.

The IPv6 Address FLAGS are R, P and T. T is for Temporary address. R and P are both Embedded RP information. Then we see that the RP Address is 1, so the full address for this RP will be 2001:db8:9abc::1.

Then on the CISCO routers you just need to go on each router and type the command "ipv6 multicast-routing" and that's it! Your work is done, the customer can sign the papers and you can get back home early today!

And for the rest, let's see this now:
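The decoding walked through above, as an added example that is not code from the book: a Python function that takes the group address apart the way the figure does (flags, scope, RIID, plen, prefix) and returns the RP it embeds, plus the inverse operation that builds the group address from an RP. The function names are my own.

```python
import ipaddress

# Layout of an Embedded-RP group address (RFC 3956), bits from the left:
#   8: 0xFF | 4: flags 0RPT | 4: scope | 4: reserved | 4: RIID | 8: plen
#   64: network prefix (only the first plen bits are used) | 32: group ID

def embedded_rp(group):
    """Extract the Rendez-Vous Point coded inside an IPv6 group address."""
    b = ipaddress.IPv6Address(group).packed
    if b[0] != 0xFF:
        raise ValueError("not an IPv6 multicast address")
    flags, scope = b[1] >> 4, b[1] & 0x0F
    if (flags & 0x7) != 0x7:  # R, P and T must all be set
        raise ValueError("R, P and T flags must all be set for Embedded RP")
    riid, plen = b[2] & 0x0F, b[3]
    if riid == 0 or not 0 < plen <= 64:
        raise ValueError("RIID must be 1..15 and plen 1..64")
    prefix_field = int.from_bytes(b[4:12], "big")
    mask = ((1 << plen) - 1) << (64 - plen)
    if prefix_field & ~mask & ((1 << 64) - 1):
        raise ValueError("prefix bits beyond plen must be zero")
    net = prefix_field & mask
    return {
        "rp": ipaddress.IPv6Address((net << 64) | riid),  # <prefix>::<RIID>
        "prefix": ipaddress.IPv6Network((net << 64, plen)),
        "scope": scope,
        "group_id": int.from_bytes(b[12:16], "big"),
    }

def build_group(rp, plen, scope, group_id):
    """Inverse: build the group address that embeds the RP address 'rp'."""
    rp_int = int(ipaddress.IPv6Address(rp))
    riid = rp_int & 0x0F
    # The RP must be <prefix>::<RIID>: nothing but the 4-bit RIID in its low 64 bits
    if riid == 0 or (rp_int & ((1 << 64) - 1)) != riid:
        raise ValueError("RP interface ID must be a single value 1..15")
    net = rp_int >> 64
    mask = ((1 << plen) - 1) << (64 - plen)
    if net & ~mask & ((1 << 64) - 1):
        raise ValueError("RP prefix is longer than plen")
    packed = (bytes([0xFF, 0x70 | scope, riid, plen])
              + net.to_bytes(8, "big") + group_id.to_bytes(4, "big"))
    return ipaddress.IPv6Address(packed)

if __name__ == "__main__":
    info = embedded_rp("FF7E:0130:2001:db8:9abc::4321")  # the book's example address
    print(info["rp"], info["prefix"], hex(info["group_id"]))
    print(build_group("2001:db8:9abc::1", 48, 0xE, 0x4321))
```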
• 74. 4 IPv6 Multicast on Layer 2

IPv6 is encapsulated in an Ethernet Frame using a prefix MAC Address of 33:33 instead of 01:00:5e for IPv4. Then we find the last 32 bits of the IPv6 Address.

[Figure: IPv6 Encapsulation in Ethernet. IPv6 Multicast Address FF02:0:0:0:0:1:FF90:FE53 (128 bits); MAC Address 33:33:FF:90:FE:53 (48 bits)]

MLD Snooping

When switches are used, we use MLD Snooping to only forward traffic on the p2p links with attached interested Receivers. This is only possible because switching is now performed in silicon with fast ASICs, because this feature requires that the switch looks in the MLD Packets to find the unsolicited report MLD messages and figure out that there is a Receiver.
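The mapping from the figure, as an added example that is not from the book (function names and the sample unicast address are my own): it derives the 33:33 MAC from a group address, builds the solicited-node group of which the figure's FF02::1:FF90:FE53 is an instance, and shows that groups with the same last 32 bits share one MAC, so filtering on the destination MAC alone cannot tell them apart.

```python
import ipaddress

def ipv6_multicast_mac(group):
    """Ethernet destination MAC for an IPv6 multicast group:
    the fixed prefix 33:33 followed by the last 32 bits of the group address."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = g.packed[12:]  # last 4 bytes of the 16-byte address
    return "33:33:" + ":".join(f"{b:02X}" for b in low32)

def solicited_node(unicast):
    """Solicited-node group for a unicast address (RFC 4291):
    FF02::1:FF00:0/104 with the low 24 bits of the unicast address appended.
    The figure's FF02::1:FF90:FE53 is such a group."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)

def same_mac(group_a, group_b):
    """True when two groups collide on one Ethernet MAC. Only 32 of the 128
    bits survive the mapping, so a NIC or switch filtering on MAC alone still
    receives frames for every group sharing those 32 bits; the IPv6 stack, or
    MLD Snooping looking at the full group address, has to filter further."""
    return ipv6_multicast_mac(group_a) == ipv6_multicast_mac(group_b)

if __name__ == "__main__":
    print(ipv6_multicast_mac("FF02:0:0:0:0:1:FF90:FE53"))      # 33:33:FF:90:FE:53
    # constructed unicast address whose low 24 bits are 90:FE:53
    print(solicited_node("2001:db8::212:34ff:fe90:fe53"))      # ff02::1:ff90:fe53
    print(same_mac("ff02::1:ff90:fe53", "ff05::1:ff90:fe53"))  # True
```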
• 75. 33:33: This is the MAC address prefix for IPv6 multicast addresses encapsulated in Ethernet. The next 32 bits are the last 32 bits of the IPv6 address. (Index: Chapter 8 - Multicast)
• 76. ASICS: A chip which performs a special task in silicon, like Layer 2 switching in our case. (Index: Chapter 8 - Multicast)
• 77. ASM: Any Source Multicast. This is another name for PIM Sparse Mode (see PIM). (Index: Chapter 8 - Multicast)
• 78. BIDIR: Bi-directional. This is for PIM BIDIR, which is actually the PIM-SM Shared Tree where Sources can Receive and Receivers can Send. (Index: Chapter 8 - Multicast)
• 79. CCIE: Cisco Certified Internet Expert. It started with number 1023. With #3013 I deserve the CISCO dinosaur distinction. When I was younger and I passed at first attempt both the written and the lab test, cheating was impossible and the answers were not available for $20 from the Web. It was a Great distinction! And you must be recertified every two years. Again it is not so old that you can get the answers before taking it, and I had to take the written test every two years since 97 to be still active. I also find in the field many consultants who say that they are CCIE but they only have the written exam, or they have not been recertified for 10 years, but they get hired as cheap "CCIE"! This is really unfair! (Index: Chapter 1 - Preface)
• 80. Cost: This is the metric of Link-State Routing protocols. The lower the path cost, the better the route. The lowest path cost is used for routing. (Index: Chapter 8 - Multicast)
• 81. DAD: Duplicate Address Detection, the Neighbor Discovery process to check that an address is not in use before using it. This is enabled by default on LAN interfaces on CISCO routers but disabled on Serial interfaces. (Index: Chapter 5 - ICMPv6 & ND)
• 82. DHCP: Dynamic Host Control Protocol, used to configure the workstations with IPv6 addresses and/or other information. With IPv6 there are many more variations than with IPv4 because IPv6 has a built-in Stateless Autoconfiguration feature with the Neighbor Discovery Protocol (RFC 4862, RFC 4861). So DHCPv6 can be used for other information but not addresses: this is Stateless DHCPv6. DHCPv6 can also be used to provide a Site Prefix instead of individual Addresses. The prefix can then be subnetted. This is DHCP Prefix Delegation or DHCP-PD. (Index: Chapter 8 - Multicast)
• 83. DHCP-PD: DHCP Prefix Delegation. See DHCP. (Index: Chapter 7 - Addresses, Names & Services)
• 84. DHCPv6: DHCP for IPv6. See DHCP. (Index: Chapter 5 - ICMPv6 & ND)
• 85. Embedded RP: This is a method to code the PIM-SM Rendez-Vous Point in the group address. With Embedded RP you only need ONE command to have your multicast Routing configured on a CISCO IOS® Router: "ipv6 multicast-routing". (Index: Chapter 8 - Multicast)
• 86. IGMP: Internet Group Membership Protocol. The protocol to manage the signaling between the Receivers and the Multicast Last Hop Router, the IGMP Querier. For IPv6 it has been renamed MLD (see MLD). (Index: Chapter 8 - Multicast)
• 87. IOS®: Internetwork Operating System, the historical CISCO Operating System. A Great survivor, pretty much like me! A big Monolith with a round-robin scheduler to manage the processes. A simple OS written and programmable in plain C Code. A basic Time Shared Scheduler which can be interrupted to switch a packet in "Real-time" when it can be done quickly. Otherwise the incoming packet is punted to be switched later on. This is IOS and we love it! (Index: Chapter 1 - Preface)
• 88. IPAM: IP Address Management Tools. With IPv4, many Service Providers were using spreadsheets to manage their IPv4 addresses with home made macros, and everybody was very happy. The 128 bit addresses of IPv6 made this impossible, and new software was introduced to manage these very long addresses. IPAM was born. The next step was to link these big databases with DNS and DHCP, et voila! Today it is just insane, or just impossible, to plan any decent network without an IPAM to manage your IPv6 Addresses and node names. (Index: Chapter 7 - Addresses, Names & Services)
• 89. IPv4: Internet Protocol version 4. The protocol which started the Internet in the late 70s. Like Jim Morrison or Jimi Hendrix, IPv4 will die one day as it is clearly not designed to sustain the Internet of 2012. It was requested by the USA Department of Defense (DoD) to build a Private Internet, when a few thousand hosts was the impossible boundary that would never be reached. For the DoD and the 70s Mainframe technology, IPv4 with its 32 bits was here to last forever! (Index: Chapter 8 - Multicast)
• 90. IPv6: Internet Protocol version 6. The protocol developed in the 90s to scale the y2k Internet and replace IPv4 forever. http://www.tcpipguide.com/free/t_IPv6AddressSizeandAddressSpace-2.htm
"Since IPv6 addresses are 128 bits long, the theoretical address space if all addresses were used is 2^128 addresses. This number, when expanded out, is 340,282,366,920,938,463,463,374,607,431,768,211,456, which is normally expressed in scientific notation as about 3.4*10^38 addresses. That's about 340 trillion, trillion, trillion addresses. As I said, it's pretty hard to grasp just how large this number is. Consider:
  ◦ It's enough addresses for many trillions of addresses to be assigned to every human being on the planet.
  ◦ The earth is about 4.5 billion years old. If we had been assigning IPv6 addresses at a rate of 1 billion per second since the earth was formed, we would have by now used up less than one trillionth of the address space.
  ◦ The earth's surface area is about 510 trillion square meters. If a typical computer has a footprint of about a tenth of a square meter, we would have to stack computers 10 billion high blanketing the entire surface of the earth to use up that same trillionth of the address space."
(Index: Chapter 8 - Multicast)
• 91. MAC: MAC Addresses are used at Layer 2 to address an Ethernet workstation on a LAN. (Index: Chapter 8 - Multicast)
• 92. MLD: Multicast Listener Discovery. MLD is IGMP ported to IPv6: MLDv1 is IGMPv2 and MLDv2 is IGMPv3. This is the signaling between the Receiver and the last hop router. Hosts use MLD to tell the local router that they want to receive a Group. Then the MLD Router propagates the MLD exchange with the PIM protocol to build the Shared or Shortest Path Tree. (Index: Chapter 8 - Multicast)
• 93. MLD Snooping: Does for IPv6 what IGMP snooping was doing for IPv4. It listens to the Multicast traffic and looks into the MLD packets to find the control packet of a Receiver saying that it wants to join a given group. Then the switch will only forward the Multicast on the ports where it knows that it has a Receiver interested in this Group. (Index: Chapter 8 - Multicast)
• 94. MSDP: Multicast Source Discovery Protocol. A protocol above TCP that was used to join two separate Shared Trees. It was useful when you had multiple Rendez-Vous Points: for a Source, a Rendez-Vous Point will find the Receivers registered on another RP. It was used by Service Providers to set up Redundant RPs with a feature called Anycast RP. The problem is that MSDP sessions must be fully meshed, leading to O(n^2) complexity. They were configuring 2 RPs in each country for Redundancy. For 40 Countries you had to configure (80*79)/2 MSDP over TCP sessions, and reasonable size routers were not supporting that many MSDP Sessions and collapsed. MSDP and Anycast RP using MSDP have not been ported to IPv6.
• 95. NAT: Network Address Translation. A workaround which broke the peer-to-peer IP capability which was a key driver in the 80s for people to switch to TCP/IP. Just before they switched to TCP/IP, IBM proposed the SNA LU6.2 based APPN Solution to move from a hierarchical model to peer-to-peer. In the early 80s, peer-to-peer and downsizing to port applications from Mainframes down to Mini or RISC and Micro Computers was the way to go! But in the 90s peer-to-peer was broken by NAT, which breaks many applications and is a security weakness seen as a security feature by some NAT proponents! They are grasping IPv4 and NAT as if their life would have no reason to be without NAT! NAT was never a security feature. The best Security is true end-to-end security, which does not work if someone changes anything in the original Address, because you cannot be identified from your address anymore = no security. Someone who does some really bad things using a NATed address will never get caught. (Index: Chapter 2 - Introduction to IPv6)
• 96. ND: Neighbor Discovery Protocol, defined in RFC 4861, is a key protocol for IPv6. (Index: Chapter 5 - ICMPv6 & ND)
• 97. NTP: Network Time Protocol, to synchronize all the system clocks in a Network. (Index: Chapter 8 - Multicast)
• 98. NUD: Neighbor Unreachability Detection is a part of ND and is used to check that a Neighbor is still alive, and to clean up the entry if the node fails to reply. (Index: Chapter 5 - ICMPv6 & ND)
• 99. P2p: Point-to-Point Network. (Index: Chapter 8 - Multicast)
• 100. PIM: Protocol Independent Multicast Protocol. It is independent because it uses the default Unicast Routing Table to run the RPF Algorithm instead of building a separate table. (Index: Chapter 8 - Multicast)
• 101. PIM-BIDIR: See PIM and BIDIR. (Index: Chapter 8 - Multicast)
• 102. PIM-DM: PIM Dense Mode. Deprecated; it was not scalable. (See PIM) (Index: Chapter 8 - Multicast)
• 103. PIM-DR: PIM Designated Router. The router which is directly connected to a Multicast Source. The highest priority wins. The highest IP address is used as a tie breaker. See PIM. (Index: Chapter 8 - Multicast)
• 104. PIM-SSM: PIM Single Source Multicast. Only works with the Shortest Path Tree, as the Receivers know the Source Address(es) when they register for a Group (see PIM). (Index: Chapter 8 - Multicast)
• 105. Querier: The MLD (for IPv6) or IGMP (for IPv4) Querier is the router which has directly connected Receivers. The Lowest IP Address is the Elected Querier when multiple candidates are available. (Index: Chapter 8 - Multicast)
• 106. RP: The PIM Rendez-Vous Point is the place where the PIM-SM Source meets the Receivers. (Index: Chapter 5 - ICMPv6 & ND)
• 107. Rendez-Vous: See PIM-SM. (Index: Chapter 8 - Multicast)
• 108. Reverse Path Forwarding: The Reverse Path Forwarding Rule is the IP Multicast universal rule. To avoid routing loops, a multicast router checks each packet received on each interface against the Source Address. The packet MUST be received on the Interface which has the best (lowest) path cost to get back to the Source, or it gets dropped when the RPF check fails.
• 109. RPF: See Reverse Path Forwarding. (Index: Chapter 8 - Multicast)
• 110. SLAAC: Stateless Address Auto Configuration. This is a process to get an interface automatically configured with an address using the Neighbor Discovery Protocol (RFC 4861). SLAAC is described in RFC 4862. (Index: Chapter 5 - ICMPv6 & ND)
• 111. SSM: PIM Source Specific Multicast. (See PIM) (Index: Chapter 8 - Multicast)
• 112. Stateful: Stateful means that a Server must keep some state for each allocation to manage the entry. For instance, when DHCP allocates an Address, it keeps an entry for this allocated address, and if the neighbor fails to RENEW the address, it goes back to the unused pool and will be allocated to another node. Stateful devices are easy targets for DoS attacks and should be protected with some mitigation techniques to limit the effects of the attack! (Index: Chapter 7 - Addresses, Names & Services)
• 113. Stateless: When DHCP is not used to allocate Addresses it is called Stateless DHCPv6 and only provides information, not addresses. (Index: Chapter 7 - Addresses, Names & Services)
• 114. ULA: Unique Local Addresses are used when Private Addresses are needed. ULA can be centrally managed or locally administered. The idea was not to repeat the IPv4 mistakes: we have 40 bits to make the ULA unique and avoid any risk of overlapping addresses when we merge two networks. (Index: Chapter 3 - IPv6 Addresses)