Basic IPv6 Course - RIPE Network Coordination Centre


Basic IPv6 Course
Training Course
August 2018

Schedule
- 09:00 - 09:30 Coffee, Tea
- 11:00 - 11:15 Break
- 13:00 - 14:00 Lunch
- 15:30 - 15:45 Break
- 17:30 End

Introductions
- Name
- Number in the list
- Experience with IPv6
- Goals

Overview
- IPv4?
- IPv6 Address Basics
- Getting it
- Exercise: Making Assignments
- IPv6 Protocol Basics
- Exercise: Addressing Plan
- IPv6 Packets
- Deploying
- Exercise: Configuring IPv6
- Real Life IPv6 Deployment Tips

IPv4?
Section 1

Reaching the next billion
- Around 4,157 billion Internet users now
  - around 54,4 % of all people in the world
- Mobile phones are Internet devices
- The Internet of Things
  - What will the Internet look like in 5 - 10 years?

The Internet of Things
[Figure: Libelium Smart World. Source: http://www.libelium.com/top 50 iot sensor applications ranking, Libelium Comunicaciones Distribuidas S.L.]

IANA IPv4
[Chart: time axis 2008, 2009, 2010, 2011]

IPv4 Exhaustion
“On 14 September 2012, the RIPE NCC ran out of their regular pool of IPv4”

Network Address Translation
- Extends the capacity of the IPv4 address space by sharing an IPv4 address between clients
- Fairly common technology, used everywhere
- Breaks the end to end connectivity model
- It doesn’t allow communication with IPv6!
- You are probably going to need it in some form

Large Scale NAT
[Diagram: CUSTOMER: home users on private IPv4 behind NAT44 boxes; PROVIDER: a further NAT44 box on private IPv4; INTERNET: the IPv4 Internet]

IPv6 Address Basics
Section 2

IP Address Distribution
How much has been allocated to the RIRs?
[Chart: Sept 2014. Source: https://www.nro.net/statistics, Number Resource Organisation, Internet Number Resource Report]

IP Address A
[Diagram labels: Assignment, End User, PI Assignment]

IPv6 Address Basics
- IPv6 address: 128 bits
  - 32 bits in IPv4
- Every subnet should be a /64
- Customer assignments (sites) between:
  - /64 (1 subnet)
  - /48 (65,536 subnets)
- Minimum allocation size /32
  - 65,536 /48s
  - 16,777,216 /56s

Address 11:0:0:c100:4d 1110111100010001

IPv6 4 bits
- /64: interface ID
- /60: 16 /64
- /56: 256 /64
- /52: 4096 /64
- /48: 65536 /64
- /32: 65536 /48

Multiple address
- 00::/64, n/a
- Link Local: fe80::/10, link
- Global Unicast: 2000::/3, global
- Unique Local: fc00::/7, global
- Multicast: ff00::/8, variable

IPv6 Address D
- 00:A:B::100
- 2001:67c:2e:1::c1
- FF05::1:3
- ff02::1

IPv6 Address Notation
Exercise

IPv6 Notation - RFC 5952
- For more information, please read RFC 5952 “A Recommendation for IPv6 Address c5952

Questions

Getting It
Section 3

Getting an IPv6 allocation
- To qualify, an organisation must:
  - Be an LIR
  - Have a plan for making assignments within two years
- Minimum allocation size /32
  - Up to a /29 without additional justification
  - More if justified by customer numbers and network extension
  - Additional bits based on hierarchical and geographical structure, planned longevity and security levels

Customer Assignments
- Give your customers enough addresses
  - Minimum /64
  - Up to /48
- More than /48, send in request form
  - alternatively, make a sub-allocation
- Every assignment must be registered in the RIPE Database

Comparison IPv4 and IPv6 status
[Table residue: IPv4; ALLOCATED; Group of Assignments; AGGREGATED-BY-LIR; SUB-ALLOCATED PA; Sub-Allocation; ALLOCATED-BY-LIR; ASSIGNED PI; PI Assignment; ASSIGNED PI; ASSIGNED PA]

Examples ASSIGNED
- One single network
- An individual customer
- Your own infrastructure
[Diagram: One assignment, ASSIGNED]

Using ASSIGNED
[Diagram: ASSIGNED, /64]
- Represents one assignment
- Minimum assignment size is a /64
- For more than a /48, send a request form

Using ASSIGNED - Example PE

Examples AGGREGATED-BY-LIR
- Group of customers
- Same assignment size

Using AGGREGATED-BY-LIR
[Diagram: assignment-size: 56; /56, /56, /56, /56, /36, /56]
- Can be used to group customers
  - example: residential broadband customers
- “assignment size:” assignment of each customer

Using AGGREGATED-BY-LIR - :35Z RIPE

Examples ALLOCATED-BY-LIR
- Reservation for a large customer
- Branch office or department
[Diagram labels: Large Customer, /48, Branch Office, /46, Reservation, /48, /48, /36, Delegation]

Using ALLOCATED-BY-LIR
[Diagram labels: ASSIGNED /52, /36, ASSIGNED /48]
- Can be used for customers with potential for growth
  - or for your own infrastructure
  - or to delegate address space to a downstream ISP

Using ALLOCATED-BY-LIR - -31T08:23:35Z RIPE

[Diagram residue: RASSIGNED /44; AGGREGATED-BY-LIR, assignment-size: 56; /36; /48]

Getting IPv6 PI address space
- To qualify, an organisation must:
  - Meet the contractual requirements for provider independent resources
  - LIRs must demonstrate special routing requirements
- Minimum assignment size: /48
- PI space can not be used for sub-assignments
  - not even 1 IP address!

Unique Local Addresses
- Prefixes from fc00::/7
  - Only from the fd00::/8 block
- Should not be routed on the Internet
- Generate a random 40-bit Global ID and insert it into fdxx:xxxx:xxxx
  - Global ID: da24154e1d
  - Prefix: fdda:2415:4e1d::/48

Making Assignments
Exercise

Making Assignments Exercise
- Smart Home 6!
- 20 minutes preparation time
- 10 minutes discussion

Smart Home 6 Network Diagram
[Diagram: IPv6 Internet; LIR / ISP 2001:db8::/32; 4G, wireless and point-to-point links; a /64 on each subnet]
- How much do you assign to the whole smart home network?

Solution RIPE Database art Home 6 -05-31T12:34:01Z RIPE

Solution RIPE Database
[RIPE Database object residue: fied: source: 2001:db8:1000::/36; SMART-HOME-6; Smart Home 6; :34:01Z; 2015-05-31T12:34:01Z; RIPE]

IPv6 Protocol Basics
Section 4

IPv6 Protocol Functions
- Address Autoconfiguration
  - Supported by Neighbor Discovery
  - Stateless - with SLAAC
  - Stateful - with DHCPv6
- Neighbor Discovery Protocol
  - Replaces ARP from IPv4
  - Uses ICMPv6 and Multicast
  - Finds the other IPv6 devices on the link
  - Keeps track of reachability

The Autoconfiguration Process
1. Make a Link-Local address
2. Check for duplicates on the link
3. Search for a router
4. Make a Global Unicast address

Making a Link-Local Address
- Interface ID is made from the MAC address
[Diagram: 48 bits - MAC Address; FF, FE; Interface ID; fe80:: + Interface ID; Link-Local address for the host]

Checking for Duplicates
- Neighbor Solicitation (A): Hello! Is this IPv6 address in use? Can you tell me your MAC address?
- Neighbor Advertisement (B): Hello! Yes, I’m using that IPv6 address. My MAC address is 72:D6:0C:2F:FC:01
- If nobody replies to the Neighbor Solicitation, the host uses the generated link-local address

Solicited Node Multicast Address
- Used in Neighbor Discovery Protocol for obtaining the layer 2 link-layer (MAC) addresses
[Diagram: IPv6 unicast address (128 bits): Prefix, Interface ID, Lower 24 bits; Solicited-node multicast address: ff02, 01, ff, then the same Lower 24 bits]

Solicited Node Multicast Address
- Hey! This message is for ff02::1:ffd9:aa6f
- Yes! That is for me!

Searching for Routers
- Router Solicitation (A): Hello! Is there a router out there?
- Router Advertisement: Hello! I’m a router and I have some information for you
- The Router Advertisement gives the host more information to get an IPv6 address and set up a connection

Stateless Address Auto-Configuration
- The Router Advertisement message tells the host:
  - Router’s address
  - Zero or more link prefixes
  - SLAAC allowed (yes/no)
  - DHCPv6 options
  - MTU size (optional)
[Diagram: Link Prefix + Interface ID = Global Unicast IPv6 Address]

Interfaces will have multiple addresses
- Unicast
  - Link Local: fe80::5a55:caff:fef6:bdbf/64
  - Global Unicast: 2001::5a55:caff:fef6:bdbf/64 (multiple)
- Multicast
  - All Nodes: ff02::1 (scope: link)
  - Solicited Node: ff02::1:fff6:bdbf (scope: link)
- Routers
  - All Routers: ff02::2 (scope: link)

Verifying Reachability
- Neighbor Solicitation (A): Hello! Are you still out there? Is your MAC address still valid?
- Neighbor Advertisement (B): Hello! Yes, I’m still online. My MAC address is 72:D6:0C:2F:FC:01
- If the target does not reply to the Neighbor Solicitation, the sender removes the MAC address from the cache

Redirects
- IPv6 Packet (A): This packet is for an IPv6 host.
- Redirect: Hello! That destination you wanted? I know a better way to reach it.
- Hosts can be redirected to a better first-hop router
- They can also be informed that the destination is a neighbor on the link

Questions

Addressing Plans
Section 5

Why Create an IPv6 Addressing Plan?
- Mental health during implementation(!)
- Easier implementation of security policies
- Efficient addressing plans are scalable
- More efficient route aggregation

IPv6 Address Management
- Your spreadsheet might not scale
  - There are 65.536 /64s in a /48
  - There are 65.536 /48s in a /32
  - There are 524.288 /48s in a /29
  - There are 16.777.216 /56s in a /32
  - There are 134.217.728 /56s in a /29
- Find a suitable IPAM solution

Addressing Plan
Exercise

Addressing Plan Exercise
- Things to consider
  - administrative ease!
  - use assignments on 4 bit boundary
  - 2 possible scenarios for network
  - 5 possible scenarios for customer assignments
- 20 minutes preparation time
- 10 minutes discussion

Decide the size of the customer assignments
Fill in the addressing plan accordingly
- Things to consider:
  - The most important goal with IPv6 is aggregation.
  - You can assign a /48 per POP without sending a request to the RIPE NCC.
  - For your most important connections/equipment, use the easiest to remember addresses. (loopbacks etc.)
  - For administrative ease (DNS and your mind), it is recommended you assign on 4-bit boundary
[Diagrams, one per slide: Network Diagram - POPs, Network Diagram - POP1, Network Diagram - POP2. Labels: POP1, POP2, mail, colo 1, sw net, cr2.pop1, voip, cr2.pop2, sw 2, colo 2, DNS, AR2, Point-to-Point customer 1, Point-to-Point customer 2. Legend: switch, layer 3 switch, router]

Addressing plans
- /64 for each subnet
- Number of hosts in a /64 is irrelevant
- Multiple /48s per pop can be used
  - separate blocks for infrastructure and customers
  - document address needs for allocation criteria
- Use one /64 block per site for loopbacks

More on Addressing Plans
- For private networks, consider ULA
- For servers you want a manual configuration
- Use port numbers for addresses
  - pop server 2001:db8:1::110
  - dns server 2001:db8:1::53
  - etc

Questions

IPv6 Packets
Section 6

IPv6 Header Format
- Fixed length
  - Optional headers are daisy-chained
- IPv6 header is twice as long (40 bytes) as IPv4 header without options (20 bytes)

IPv6 Header
[Diagram: IPv4 Header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding. IPv6 Header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address. Legend: Field’s name kept from IPv4 to IPv6; Field not kept in IPv6; Name and position changed in IPv6; New field in IPv6]

IPv6 Header
- Optional fields go into extension headers
- Daisy-chained after the main header
[Diagram, three packets:
 IPv6 Header (Next Header: TCP), TCP Header, Data
 IPv6 Header (Next Header: Routing), Routing Header (Next Header: TCP), TCP Header, Data
 IPv6 Header (Next Header: Routing), Routing Header (Next Header: Fragment), Fragment Header (Next Header: TCP), TCP Header, Data]

Common Headers
- Common values of Next Header Fields:
  - 0 Hop-by-hop option (extension)
  - 6 TCP (payload)
  - 17 UDP (payload)
  - 43 Routing (extension)
  - 44 Fragmentation (extension)
  - 50 Encrypted Security Payload (extension)
  - 58 ICMPv6
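
How a filter or monitoring tool follows the daisy chain to find the upper-layer header, as an added example that is not part of the course material. The sample packet is constructed (documentation addresses, zeroed header bodies) and mirrors the third packet in the diagram; Next Header value 60 is not on the slide and is included as an assumption about what real traffic needs.

```python
import ipaddress
import struct

# Next Header values from the slide; 60 (Destination Options) is an addition.
NAMES = {0: "Hop-by-Hop", 6: "TCP", 17: "UDP", 43: "Routing", 44: "Fragment",
         50: "ESP", 58: "ICMPv6", 60: "Destination Options"}
WALKABLE = {0, 43, 44, 60}  # extension headers whose length can be computed


def walk_header_chain(packet: bytes):
    """Return (header names in order, offset of the upper-layer header or None)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nxt = struct.unpack_from("!HB", packet, 4)
    end = min(len(packet), 40 + payload_len)
    chain, offset = ["IPv6"], 40
    while nxt in WALKABLE:
        if offset + 8 > end:
            raise ValueError("extension header runs past the payload")
        # The Fragment header is always 8 bytes; the others store (length / 8) - 1.
        size = 8 if nxt == 44 else (packet[offset + 1] + 1) * 8
        if offset + size > end:
            raise ValueError("extension header runs past the payload")
        chain.append(NAMES[nxt])
        if nxt == 44 and struct.unpack_from("!H", packet, offset + 2)[0] >> 3:
            return chain, None  # non-first fragment: upper layer is in another packet
        nxt, offset = packet[offset], offset + size
    chain.append(NAMES.get(nxt, f"protocol {nxt}"))
    return chain, offset


def sample_packet(fragment_offset: int = 0) -> bytes:
    """Constructed packet: IPv6 -> Routing -> Fragment -> TCP."""
    routing = bytes([44, 0, 0, 0, 0, 0, 0, 0])  # next = Fragment, length field 0
    fragment = bytes([6, 0]) + struct.pack("!HI", fragment_offset << 3, 0x1234)
    payload = routing + fragment + bytes(20)  # 20 zero bytes stand in for TCP
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), 43, 64)
    return fixed + src + dst + payload


if __name__ == "__main__":
    print(walk_header_chain(sample_packet()))
    print(walk_header_chain(sample_packet(fragment_offset=185)))
```

A device that only looks at the Next Header field of the fixed header sees "Routing" here and never reaches the TCP ports, and for a non-first fragment the ports are not in the packet at all.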

Fragmentation
- Routers don’t fragment packets with IPv6
  - More efficient handling of packets in the core
  - Fragmentation is being done by host
- If a packet is too big for next hop:
  - “Packet too big” error message
  - This is an ICMPv6 message
  - Filtering ICMPv6 causes problems

Path MTU Discovery
- A sender who gets this “message-too-big” ICMPv6 error tries again with a smaller packet
  - A hint of size is in the error message
  - This is called Path MTU Discovery
[Diagram: path to a Web Server over links with MTU 1500, MTU 1492, MTU 1280, MTU 1500]

Ordering of Headers
- Order is important:
  - Only hop-by-hop header has to be processed by every node
  - Routing header needs to be processed by every router
  - Fragmentation has to be processed before others at the destination

Broadcast
- IPv6 has no broadcast
- There is an “all nodes” multicast group
  - ff02::1
- Disadvantages of broadcast:
  - It wakes up all nodes
  - Only a few devices are involved
  - Can create broadcast storms

Neighbor Discovery
- IPv6 has no ARP
- Replacement is called Neighbor Discovery
  - Uses ICMPv6
  - Uses Multicast
- Every ARP request wakes up every node
- Each ND request only wakes up a few nodes

Neighbor Discovery
- ND is used by nodes:
  - For address resolution
  - To find neighboring routers
  - To track address changes
  - To check neighbor reachability
  - To do Duplicate Address Detection
- ND uses 5 different ICMPv6 packet types

Neighbor Discovery Protocol
- Router Solicitation - ICMPv6 Type 133
  - Host sends an ICMPv6 message to inquire if there is a router on the link
- “Is there a router?”

Neighbor Discovery Protocol
- Router Advertisement - ICMPv6 Type 134
  - Routers advertise their presence periodically or in response to a Router Solicitation message
  - Has a lot of important information for the host
- “Yes, I am here!”

Neighbor Discovery Protocol
- Neighbor Solicitation - ICMPv6 Type 135
  - Sent by a node to find the MAC-address of the neighbor, or to check if the neighbor is still reachable
- “Are you still there?”

Neighbor Discovery Protocol
- Neighbor Advertisement - ICMPv6 Type 136
  - A response to a neighbor solicitation message
- “Yes, I am still here!”

Neighbor Discovery Protocol
- Redirect - ICMPv6 Type 137
  - A router points the host to a better first hop router for a destination
- “You can better go see that guy over there!”

Questions

Deploying IPv6
Section 7

Assigning Addresses
- Routers influence how hosts connect to network
- Several options:
  - Manual configuration
  - Router Advertisement only (SLAAC)
  - RA + DHCPv6 (‘M’ flag on)
  - RA + DHCPv6 (‘O’ flag on)
  - RA (‘A’ flag off) + DHCPv6 (‘M’ flag on)
- Gateway is always provided by the RA

Router Advertisement Options
- RA message is used to provide configuration info
  - Default gateway address
  - Which prefix(es) to use on the link? Prefix length?
  - Is SLAAC allowed?
  - Is DHCPv6 available? For address/options? Only options?
  - What is the preference of a router on the link?
  - DNS servers / Domain (optional)
  - MTU size (optional)
[Diagram: RA: Network Configuration]

Privacy Extensions for SLAAC & CGA
- Provides privacy for users
- Cryptographically Generated Addresses (CGA) replace the interface ID with a cryptographic hash of the public key of the address owner with other parameters
- Duplicate Address Detection ensures uniqueness
- Privacy Extensions change the interface ID randomly over time
- In case of collision, a new address should be generated
[Diagram: Link Prefix (64 bits, stay the same) + Random Interface ID (64 bits) = Global Unicast IPv6 Address]

DHCPv6
[Diagram: Host, Router, DHCPv6 Server]
- Host: Hello Router! Please provide IPv6 configuration.
- Router: Here you go! There is also DHCPv6 for you.
- Host: Hello DHCPv6 Server! Please provide IPv6 information.
- DHCPv6 Server: Here is an IPv6 address, DNS servers, NTP server and Domain!
- Host: Now I have enough info to configure the IPv6 connection!

DHCPv6
- Used to give additional information like DNS servers or to manage the address pool
- Router Advertisement message contains hints
  - If “managed” flag ‘1’ can use DHCPv6 to get an address
  - Optionally provide the address of a DNS server (RFC 8106)
- Using additional flags, the network admin can disable SLAAC and force DHCPv6
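
What a Router Advertisement tells a host, decoded from the wire, as an added example that is not part of the course material; it covers the ‘M’, ‘O’ and ‘A’ flags from the "Assigning Addresses" slide and the prefix, MTU and DNS options from the slides above. The sample message is constructed, its checksum is left at zero and is not verified, and the result strings of `address_method` are this example's own labels.

```python
import ipaddress
import struct


def parse_ra(msg: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement (type 134) and three of its options."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement (ICMPv6 type 134)")
    flags, lifetime = struct.unpack_from("!BH", msg, 5)
    ra = {"managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": [], "mtu": None, "dns": []}
    offset = 16
    while offset < len(msg):
        if len(msg) - offset < 8 or msg[offset + 1] == 0:
            raise ValueError("malformed option")
        opt_type, opt_len = msg[offset], msg[offset + 1] * 8  # length is in 8-byte units
        if offset + opt_len > len(msg):
            raise ValueError("option runs past the message")
        body = msg[offset:offset + opt_len]
        if opt_type == 3 and opt_len == 32:      # Prefix Information
            net = ipaddress.IPv6Network((body[16:32], body[2]), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "autonomous": bool(body[3] & 0x40)})  # 'A' flag
        elif opt_type == 5 and opt_len == 8:     # MTU
            ra["mtu"] = struct.unpack_from("!I", body, 4)[0]
        elif opt_type == 25:                     # Recursive DNS Server (RFC 8106)
            ra["dns"] += [str(ipaddress.IPv6Address(body[i:i + 16]))
                          for i in range(8, opt_len, 16)]
        offset += opt_len
    return ra


def address_method(ra: dict) -> str:
    """Map the flags onto the options listed on the 'Assigning Addresses' slide."""
    slaac = any(p["autonomous"] for p in ra["prefixes"])
    if ra["managed"]:
        return "SLAAC + DHCPv6 addresses" if slaac else "DHCPv6 addresses only"
    if ra["other"]:
        return "SLAAC address + DHCPv6 options" if slaac else "DHCPv6 options only"
    return "SLAAC only" if slaac else "manual configuration"


def sample_ra(ra_flags: int, prefix_flags: int) -> bytes:
    """Constructed RA: one /64 prefix, MTU 1500, one DNS server."""
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, ra_flags, 1800, 0, 0)
    prefix = struct.pack("!BBBBIII", 3, 4, 64, prefix_flags, 2592000, 604800, 0)
    prefix += ipaddress.IPv6Address("2001:db8:1::").packed
    mtu = struct.pack("!BBHI", 5, 1, 0, 1500)
    rdnss = struct.pack("!BBHI", 25, 3, 0, 1800)
    rdnss += ipaddress.IPv6Address("2001:db8:1::53").packed
    return header + prefix + mtu + rdnss


if __name__ == "__main__":
    ra = parse_ra(sample_ra(ra_flags=0x80, prefix_flags=0x80))  # M on, A off
    print(ra, address_method(ra))
```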

MLD
- Multicast Listener Discovery (MLD) is an important component of IPv6
- IPv6 routers use MLD to discover multicast listeners on a directly attached link, similar to IGMP in IPv4
- MLD is embedded in ICMPv6. Two versions exist:
  - MLDv1 similar to IGMPv2
  - MLDv2 similar to IGMPv3

MLD
- 3 types of messages: Query, Report, )

Message Type | ICMPv6 Type | Function
Listener Query | 130 | Discover multicast listeners
Listener Report | 131 | Response to a Query, joins a group
Listener Done | 132 | Node reports that it has stopped listening
Listener Query | 130 | Discover multicast listeners
Listener Report | 143 | Current multicast listening state, or changes

DNS in IPv6 is difficult?
- DNS is not IP layer dependent
- A record for IPv4
- AAAA record for IPv6
- Don't answer based on incoming protocol
- Only challenges are for translations
  - NAT64, proxies

Reverse DNS
2001:db8:3e:ef11::c100:4d

Reverse DNS
2001:0db8:003e:ef11:0000:0000:c100:004d
. . . . . . . e.3.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
.0.0.1.1.f.e.e.3.0.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR yourname.domain.tld.

IPv6 and Domain Objects
- IPv6 prefix: 2001:db8::/32
[RIPE Database object residue: Domain ce: 8.b.d.0.1.0.0.2.ip6.arpa; rDNS for my whole IPv6; ets; ns.company.org; 45062 8 2 275d9acbf3d3fec11b6d6; :09:46Z; RIPE]
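
The nibble reversal behind the last three slides, as an added example that is not part of the course material: it expands the address, builds the full ip6.arpa name, and derives the reverse zone for a prefix. The function names and the zone-file layout are this example's own; the address, prefix and PTR target are the ones on the slides.

```python
import ipaddress


def ptr_name(address: str) -> str:
    """Full reverse name: all 32 nibbles of the expanded address, reversed."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix: str) -> str:
    """Reverse zone for a prefix; only possible on a 4-bit (nibble) boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse zones are delegated on 4-bit boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def zone_file_line(address: str, zone_prefix: str, target: str) -> str:
    """PTR record with the owner name written relative to the reverse zone."""
    if ipaddress.IPv6Address(address) not in ipaddress.IPv6Network(zone_prefix):
        raise ValueError("address is outside the zone's prefix")
    full, zone = ptr_name(address), reverse_zone(zone_prefix)
    owner = full[: -len(zone) - 1]  # drop ".<zone>" from the end
    return f"{owner} IN PTR {target}"


if __name__ == "__main__":
    addr = "2001:db8:3e:ef11::c100:4d"
    print(ptr_name(addr))
    print(reverse_zone("2001:db8::/32"))
    print(zone_file_line(addr, "2001:db8::/32", "yourname.domain.tld."))
```

A prefix that does not end on a nibble boundary, such as a /34, has no single reverse zone, which is one practical reason for the 4-bit boundary advice in the addressing plan exercise.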

Security Considerations
- Everybody can claim to be a router
  - Use RA Guard to filter unauthorised RAs - RFC 6105
  - Secure Neighbour Discovery (SEND) - RFC
