First Edition
Fred Explains IPv6 In-depth. Fred Bovy. IPv6 For Life! 2012 ©
Preface
This is why I wrote this very first book, and it is a great tribute to my CISCO colleagues, from whom I learned so many things! It also gives a pointer to the Web server that must be used with this book, and to the IPv6 Certifications.
Please read important information at the End of this Chapter!
Preface
My name is Fred Bovy, CCIE #3013, and I have been in the Networking industry for more than 20 years, with a focus primarily on IPv6 and Service Provider issues for about 10 years. In 1999 I joined CISCO as a Network Consultant. My initial long term project involved helping a Service Provider and an enterprise deploy brand new MPLS-VPN backbones. Since then, I have been hooked, and have developed an expertise in this subject. I later joined the CISCO IPv6 IOS Engineering Team as a dev-tester. For more than 3 years, I focused on 6PE and 6VPE testing. During that time, I developed many TCL scripts to test 6PE and 6VPE functionalities, routing and switching performance, scalability, High Availability, and all the supported network designs like Internet Access models, Carrier's Carrier or Hub and Spoke and more. I also got deeply involved in testing Netflow for IPv6 and SeND. In 2009 I resumed teaching, keeping the focus on IPv6 with special attention on the transition to IPv6. I believe that we have finally hit the tipping point for IPv6, given that all of the IPv4 addresses ran out in February. It's time for everyone to realize, before companies and individuals lose their competitive edge, that IPv6 is fast becoming a requirement that will enable the Next Generation Internet.
About
I have written this book to help anyone who needs to design, configure and troubleshoot IPv6 Networks, because this is the experience I have gathered in my life as an IPv6 Tester, Consultant and Trainer, and also from my 20+ (almost 25) years working with IP and CISCO Routers. In this first book I will cover the Fundamentals. Following books will be about Routing Protocols, Transition To IPv6, Multicast, Security and more... The book must be used with the IPv6 TUTORIAL that can be found at http://www.ipv6forlife.com.
1.1 Tribute to CISCO and to the USA!
IPv6 is more than a Job to me; it is a hobby and a philosophy; it is a Community. It is open, and everybody is welcome to bring something! IPv6 was designed about 20 years ago by people who thought that the Internet should be for everybody and not only for the lucky ones who can get a Class A or whatever IPv4 block... It was designed to support ALL applications for EVERYONE!
12 years ago I decided to join the community of people who are building the new Internet for everyone and for the new applications that IPv6 enables! I joined the CISCO IPv6 IOS® Engineering Team to help the development of 6PE and 6VPE for about 3 years, then Netflow for IPv6 and finally SeND and related IPv6 Security for about 3 years. I would like to thank Eric Levy-Abegnoly, who was my IPv6 Team Leader and mentor (with Luc Revardel), who designed and developed 6PE, 6VPE, SeND and more; Ole Troan, another Great IPv6 Team Leader, who designed most of the IPv6 IOS Code; Benoit Lourdelet, who is the IPv6 Product manager, Patrick Grossetete before him, and many other great CISCO people I have been working with. I learned so much with them. I was a CCIE and a CCSI when I joined CISCO, but I learned more about Networks during the 10 years working for CISCO than all I had learned before. Special thanks to Jim Guichard (my first mentor, who went with me to the customers in my first 6 months within CISCO), Peter Psenak (who was the NSA Engineer for EQUANT before me and also helped me a lot during the transition. He is now one of the best OSPF Engineers WorldWide. Networks are transparent for him.), Arjen Boers (The multicast man, who hired me with Valerio), JP Vasseur (CISCO Fellow Guru, who worked with me on the MPLS-TE Fast Re-Route project for EQUANT and such a nice guy!), Francois Le Faucheur (Another Brain, the Architect of QoS in MPLS Networks, who invented DiffServ-TE and the QoS Models in MPLS Networks), Robert Hanzl (The Customer support Engineer who helped me on my first crisis with a customer and then became an MPLS Team Leader), Robert Rasczuk (The MPLS Deployment Engineer who helped me on my first big crisis with a customer facing a major Backbone instability), Luc Revardel (who taught me the basics of IPv6 Testing Automation), Greg Boland, Steve Glaus, Mandy Mac Diarmid, Mado Bourgoin and all my managers who helped me to focus on my work, starting with Valerio Muzzolini, Serge Dupouy, Nick Gale.... And all the good guys and girls who I am forgetting, who are the CISCO Assets. These 10 years were the best school, university and experience, and also a basis for human values, not only technical ones... This was not only a matter of knowledge and people; it was also a way to manage people that I had never found in any French company or in International companies not managed by Americans. During my interviews when I got hired, someone asked me what I was expecting from my management. I answered: support to keep me focused on my technical job, and I was correct! This was typically what I found with all my managers, with the exception of the French SE (Pre Sales) Manager I got when I joined the Account Team to help the customer validation process for free, as this was normally a service charged to the customer. But except for this one, I only got great managers who always supported me when I was a Network Consultant and a Software Engineer. I was always supported to focus on my job and didn't have to worry about the political cases that the French really enjoy in most big companies.
I had the benefit of working for a big company, but at the same time I was so free to organize my work, and received awards every time I was doing something good, that I had the feeling I was working for my own company. This was also the first time that I was working for a company where technical skills were considered and you did not have to become an (often bad) manager as a reward when you were good in your Technical role! At last I found people like me, people working like me! Working for CISCO was the best experience of my career. After CISCO I resumed my trainer and consultant life and started to teach what I had learned with my CISCO masters, and more! I am a self-employed IPv6 Expert working as a Fast Lane IPv6 Course Subject Matter Expert with other CISCO partners and for myself as well.
IPv6 Fundamentals

2.1 About the book
IPv6 cannot be understood if the Fundamentals are not. That's why the first Module of this book is essential. You can find some help in the "IPv6 For Life!" Tutorial from the home page: http://www.ipv6forlife.com. This Tutorial has several chapters for the Fundamentals Module:
Fundamentals #1. Introduction and IPv6 Addressing
Fundamentals #2. More about IPv6 Addressing. ICMPv6 and an Intro about Neighbor Discovery
Fundamentals #3. DHCPv6, DNS, MOBILE IPV6 and derived applications
Our first chapter will introduce the IPv6 basics.
Then we will study IPv6 Addressing, which is the main reason why IPv6 was developed: to provide an addressing which will match the requirements of the Internet for the next century. There was one requirement missed on day one: Multihoming. This should have been managed by the IPv6 Stack as a service like Mobile IPv6, but the Engineers just missed this issue, which is still not completely resolved with a commonly accepted long term solution.
The next chapter will be about the IPv6 header, the long addresses, the Extension Headers and other interesting improvements for more efficiency.
Then ICMPv6 basics, quite close to IPv4, and, more interesting, the Neighbor Discovery Protocol, which is described in two separate RFCs. Many solutions are provided by ND, like Autoconfiguration or Router Discovery and more.
Finally we will describe all the most important Services, which are not implemented on all platforms. Linux is the best platform to test and support all the IPv6 Services.

2.2 IPv6 Certifications
2.2.1 IPv6 Forum Certification
There are many certifications at the IPv6 Forum with 2 levels, Silver and Gold, for Engineer and Trainer. The Trainer is more advanced than the Engineer. For the moment, all you need is to apply on the IPv6 Forum Web Server and provide a few proofs of achievement to get certified.
2.2.2 Hurricane Electric
Hurricane Electric proposes a very challenging certification with multiple levels up to Sage Level. Each step requires both theory and a practical exercise. This is a free and very interesting certification.
2.2.3 CISCO CCIE Routing & Switching
Cisco has one main 5-day training course, and a derived training from this one, which I have designed for CISCO and which is aimed at the SP Market.

2.3 Important information
THIS BOOK CAN BE READ COVER TO COVER OR YOU CAN PICK UP ANY PAGE FROM ANY CHAPTER WHEN NEEDED.
THIS E-BOOK IS ALIVE. MANY VIDEO LINKS ARE FLASH PRESENTATIONS AND YOU WILL NEED A LARGE SCREEN AND A FLASH® (ADOBE) SOFTWARE ENABLED BROWSER. PLEASE CHECK http://www.adobe.com.
I AM ADDING NEW PRESENTATIONS ON A REGULAR BASIS AND I WILL UPDATE THE LINKS IN THIS BOOK. WHEN YOU GET A NEW VERSION OF THIS E-BOOK YOU WILL GET PLENTY OF NEW PRESENTATIONS.
FOR ALL THE LINKS YOU WILL NEED TO ACCESS THE IPv6 FOR LIFE® WEB SERVER: http://www.ipv6forlife.com
You need to have a host connected to the Internet to do the proposed exercises and to validate that you were able to provide the correct answers.
Although I am based in France, I have been speaking and writing more in English than French for the last 25 years, but I may still make some mistakes, which I ask you to forgive if they happen in this book!
The IPv6 Internet belongs to everybody. Thanks for reading me!
Kindest Regards, Fred Bovy
Chapter 2
Introduction to IPv6
This chapter covers how we arrived at IPv6 in 2012 and the long path we have walked since the 80s! Address depletion is not a new issue, and IPv4 was never intended to scale to a Global Public Internet!
1 Introduction to IPv6
1.1 History
IPv4 was developed in the 80s by the DoD of the USA for a military network with a few thousand hosts maximum. There was no need for security, as it was a private network in the DoD Buildings. There was no need for Autoconfiguration or Mobility and many other things. IPv4 Addresses were widely distributed until there were no longer enough for everyone. In the early 90s, IPv4 Address depletion started to be a problem. I posted something about this history in my blog: http://ipv6forlife.net/wordpress/?p=61
Digital Equipment thought that OSI would replace IPv4 and that DECnet Phase V was actually the OSI Protocols.
1.1.1 OSI Protocols
The first serious candidate to replace TCP/IP was the OSI Protocols. The Open Systems Interconnection (OSI) protocols are a family of information exchange standards developed jointly by the ISO and the ITU-T starting in 1977. OSI defined a Layered Model with 7 Layers, while TCP/IP just had 5, since OSI Layers 5, 6 and 7 were actually managed by the TCP/IP Application Layer. The OSI Protocols provided a Datagram Service like IP, called Connectionless Network Service (CLNS), with an address of up to 20 bytes (160 bits) long. Its routing protocol, ISIS, very close to OSPF, immediately interested many service providers, since it was an Integrated routing protocol which could support IPv4 as well (RFC1195). Actually it was more SP Oriented and could support many more routers in the same area. It is also a much easier protocol to troubleshoot. A simple look at its Database will convince any Network Engineer in 5 minutes.
1.1.2
ATM and Frame-‐relay
But at the same time the convergence of Data and Voice Networks had started in the middle of the 80s, and we were looking for a network which could manage both Real Time (Voice, Video) and Non-Real-Time data with multiple levels of Precedence, as IPv4 was already doing. Some people were working very hard on a converged network, and they came up with a new protocol called ATM (Asynchronous Transfer Mode). ATM could manage any kind of Traffic: Voice, Video, Business Data, Bulk Data. ATM was really a Network Scientist's Protocol Architecture: its routing protocol PNNI was able to react in Real-Time to any change in the Network to find paths which could match any Class of Service Traffic. ATM was based on 53 byte cells at the Physical Level, so that Real-Time and Non-Real-Time traffic could be interleaved. ATM was designed for 155 Mbps SONET/SDH Fiber links minimum, and this was not really widely available at this time. Also, the ASICs to manage the 53 Byte Cells were not yet available, or very expensive, as they were not made at a sufficiently large scale to get a reasonable price. So an interim technology was also created to transport Data and Voice while ATM was growing. This was Frame-Relay, a stripped down version of X.25 with PVCs only. SVCs came later, but they were never as popular as PVCs. In the mid 90s ATM was the only serious candidate to support these converged Networks, and VoIP was not an option in the networking business world. At the end of the 90s, most people realized that ATM would not scale with the Multi-Gigabit Links which were slowly arriving. Also, some ATM Protocols like LAN Emulation collapsed under traffic, as the Node dedicated to replicating Broadcast and Multicast was too heavily solicited. ATM, which was great on paper, proved not to be scalable, and to be a complex and expensive solution, so VoIP came back as a viable solution. But all this work made for ATM was not trashed, and many protocols built for ATM are still in use in many solutions: a lot of the QoS work, and a protocol like NHRP, which was developed for ATM Classical IP, is now used for CISCO DMVPN.
1.1.3 MPLS
And also, there was the idea to replace a long address by a label, as was already done by the old X.25 and then ATM networks, which gave the idea of replacing the IPv4 header with a short label! Ipsilon's IP Switching, Cisco's Tag Switching and many other Vendors provided such a solution, with an initial motivation to make faster routers. Then CISCO also saw that with Tag Switching it was possible to add some services which were not possible with IP, like Tag-VPN. Tag-VPN permitted providing each connected customer with a Virtual Private Network having its own IPv4 Addresses. Tag-VPN was based on a Multi-Protocol BGP Extension with a new BGP vpnv4 address family, as it was adding a 32 bit prefix to the IPv4 address, called a Route Distinguisher (RD), for the BGP prefix to be unique in the Service Provider Backbone BGP Table. In addition to the RD, an Extended Community BGP Attribute was added to the BGP Prefix before it was advertised to a remote BGP Router. This Extended Attribute was then used to recognize a prefix and import it into the Customer Virtual Routing Table. The Benefits of Tag-VPN over the previous Layer 3 VPNs based on IP were that:
• The Backbone routers (P) did not have to know any of the Customers' Routes. Only the BGP Next Hop, the exit point host route for each Provider Edge (PE) Router which was connecting to the Customer Edge (CE) Router, was enough.
• Before Tag-VPN, in the SP Point of Presence, each Customer needed to have a dedicated router which was importing all the BGP Routes with a given Community Attribute. With Tag-VPN, the same PE could be shared by all the customers, with each customer having its own Virtual Routing Table.
• Customers could have overlapping addresses without any problem.
• The provisioning and the management of the VPN were very much simplified.
Traffic Engineering was another great service of Tag-VPN, allowing the SP to use more than the best route links in their backbone, to use all the available bandwidth of the core. Tag-Switching was then standardised by the IETF as MPLS, so in the late 90s and in the early Y2Ks most service providers were upgrading their backbone to MPLS!
1.1.4 IPv6
Later, in the early Y2Ks, when IPv6 became the next version approved by the IETF and was more and more requested by the Customers, CISCO's reply was to provide an IPv6 Service over IPv4/MPLS without any need to upgrade the backbone. They invented 6PE, designed and developed in the South of France from an Architecture (RFC) by Francois Le Faucheur and other companies, and then designed and coded by Eric Levy-Abegnoly. In the early Y2Ks, the first large scale IPv6 offers from SPs were mostly brought by 6PE, in Asia and in the USA.
Later came 6VPE, which was actually 6PE in the VRF, allowing the customers to have a dual-stack VPN supporting both IPv4 and IPv6.
We will cover 6PE and 6VPE later with all details...
1.2 IPv4 Address Depletion
As we have seen earlier, IPv4 address Depletion started to be a problem in the 90s, and while some people were working on new protocols to replace IPv4, others were working on a workaround to keep on working longer with IPv4. They came up with NAT and Private Addresses (RFC1918). Before RFC1918, some people were already doing some private addressing, but it was at their own risk if they chose an address already in use and which they might one day need to reach, like for instance 7.0.0.0/8 or 9.0.0.0/8. One of these was used in my company in the early 90s, with Proxies to reach the Internet for the http or ftp protocols. Now with RFC1918, some blocks were reserved for private addressing, and with NATPT aka PAT it was possible to use one public address for a whole building or for all the PCs of a residential user. Let's take a shortcut and call all of NAT, NATPT or PAT simply NAT. NAT immediately solved the problem for many years, but at the same time it killed some of the concepts which created the popularity of the Internet, like End-to-End Addressing or peer-to-peer capabilities. The 90s were the time of Downsizing and Client-Server Applications. Many companies moved to TCP/IP for this reason. Downsizing was the migration of Applications from Mainframes to Servers running on RISC Workstations, Mini Computers (AS/400) or even PCs and PS/2s. Client-Server Applications were the migration from hierarchical Applications running on a Mainframe and accessed by dumb terminals to Applications on Servers accessed by smart Clients, mostly micro computers or Unix Platforms, PCs or RISC based. To keep on working with NAT, we now have to provision a public address for each server and configure a Static NAT Translation for each Server. This can become tedious when you have a lot of servers to manage. And we cannot save addresses any more: each server still requires a Public Address. NAT introduced a lot of state into the IP Network, which was a datagram best-effort model, and this has many Architectural Implications.
Just do a search on the IETF Server for all the RFCs about NAT, PAT or NAPT, and you will find more than 80 documents explaining the limitations and how to work around NAT to support most of the Network Applications. NAT seems an easy and cheap solution, but when you look into it, you find that it actually costs a fortune in hidden costs and thousands of lines of code to support it! To support Voice applications, Skype's workaround is to use a Server in the middle of your connection, and your Smartphone must send keepalives on a regular basis to keep the NAT States up, draining your batteries. Skype makes it work at the cost of a server and keepalives, but many voice applications are still impossible because of NAT! A 10.0.0.0/8 block looks like a big block for the needs of most companies, but it is still too small for some very large companies or some Service Providers. That's why the Cable SPs requested that DOCSIS 3.0 support IPv6! Today, even with the use of NAT, we are running out of IPv4 Addresses in most regions of the World!
And even if the Service Provider ran NAT a second time in the SP Backbone to share an IPv4 Address among multiple Customers (NAT444), this could not give enough addresses to match the needs of all the emerging countries, the need for more than one IPv4 address per user. We must now support plenty of new connected devices which did not exist in the 90s: Smartphones, iPads, and so on... So today the question is no longer if we need to move to IPv6 but when!
1.3 The Current Market Needs
We have seen that IPv4, even with double NAT, could not provide enough addresses for all the Emerging Countries, new devices and new applications which require more and more addresses and even more and more ports (Ajax)! The Cable Network Operators have requested that the latest DOCSIS Cable standard MUST support IPv6. Voice Applications suffer more and more from the NAT limitations, and Mobile IPv6 or Proxy Mobile IPv6 can bring solutions to problems impossible to solve with IPv4. We need autonomous devices which not only do autoconfiguration, but also can form Networks dynamically after they automatically discover their neighbors. This is the Wireless Sensor Networks (6LoWPAN) application.
[Figure: IPv4 and IPv6 address plans of a building, side by side. IPv4 side: RFC 1918 space (172.16.0.0/12, 172.17.0.0/12, 172.18.0.0/12, 172.19.0.0/12) translated by NAT44 into the ISP IPv4 Private Network (10.0.0.0/8, hosts 10.12.13.1/24 to 10.12.13.4/24, 101.12.13.1/24), then by NAT44 (CGN/LSN) towards the IPv4 Internet (172.19.0.0 -> 10.0.0.0, 10.0.0.0 -> 202.45.3.0). IPv6 side: the building gets 2001:db8:678::/48 (first subnet 2001:db8:678::/64 with an SLAAC host 2001:db8:678::1/64; per-site blocks 2001:db8:678:1::/56, 2001:db8:678:2::/56, 2001:db8:678:3::/56, each with 8 bits for subnets such as 2001:db8:678:10::/64, 2001:db8:678:11::/64 ..., 2001:db8:678:20::/64, 2001:db8:678:21::/64 ..., 2001:db8:678:30::/64, 2001:db8:678:31::/64 ...; the label 2001:db8:658::/48 also appears); the DHCPv6-PD client uses a Link-Local address for the point-to-point link to the SP; a DHCPv6 client and a Stateful NAT64 under ISP Control connect the IPv6 Private Network, the IPv6 Internet and an IPv4 Only Host. Caption: "All IPv6 Addresses of a building Xlate to one IPv4 Address: 2001:DB8:678:1000::/48 -> IP 10.12.13.2/24, 10.12.13.3/24, 10.12.13.4/24".]

1.4 Transition Richness
Since the IPv6 introduction, tools for a soft transition have been provided. They have evolved with time and demand. In 1996, IPv6 was shipped with a dual-stack and static tunnels. While the Internet is still growing very fast, with more connected devices every day, the available IPv4 addresses have declined, and IANA has been completely depleted since February 2011. Although IPv6 has now been implemented for more than 15 years and is available on most Operating Systems and from most Network vendors, most Service Providers and even more companies have not yet switched to the next generation Internet protocol. As a consequence we still need to buy some time to allow a smooth transition to IPv6. It is planned that we will need to support mixed IPv4 and IPv6 networks.
Clearly, the maximum performance, security and other benefits we can think of with running IPv6 will be achieved when the transition is complete. During the transition we will need to compromise on features, performance and security for the benefit of supporting old IPv4 nodes and applications. We have to address the four following problems:
• To support a maximum of new IPv4 customers with the few remaining IPv4 Public Addresses. The current solutions to address this problem are the Stateful Carrier Grade NAT (CGN) aka Large Scale NAT (LSN) and the Stateless dIVI-pd or A+P Solutions.
• SPs with IPv4 Backbones need to provide IPv6 Access to the IPv6 Internet or among IPv6 customers. This is based on 6PE or 6VPE for MPLS/IPv4, or 6RD for an IPv4 Backbone.
• SPs with an IPv6 Backbone need to provide IPv4 Access to the IPv4 Internet or among IPv4 Customers. This is based on DS-Lite or 4RD based Solutions.
• To provide access to IPv4 Resources for IPv6 ONLY Customers. This is based on Address Family Translators, with NAT64 and DNS64 as currently the best solutions. These translators translate packets originating from the IPv6 side from IPv6 to IPv4. With Stateless NAT64 it is a One-to-One translation using a reserved IPv6 prefix. With Stateful NAT64, multiple IPv6 addresses can be translated to one IPv4 address. There is a Stateless implementation on Linux called TAYGA. They say on their Web site that to get a stateful NAT64 one just needs to combine TAYGA with a Stateful NAT44, also available on Linux. This implies more sharing of the remaining addresses.
This will be more developed in the next book, with a module or a full book about Translation to IPv6. There are so many possibilities and so many technologies being tested if we really want to cover all the experiments currently or lately performed.
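To make the two NAT64 flavours described above concrete, here is an added example in Python; it is not code from the book, from TAYGA or from any vendor. The stateless rule embeds the IPv4 address in the low 32 bits of a /96 prefix; the well-known prefix 64:ff9b::/96 used here is the one defined by RFC 6052 (a fact taken from that RFC, not from the text above), and DNS64 synthesizes AAAA records with the same rule. The StatefulNat64 class is a toy binding table that shows what "multiple IPv6 addresses translated to one IPv4 address" means in practice: each (source address, source port) pair gets its own public port, and an inbound packet for a port with no binding is dropped. All addresses (192.0.2.33, 203.0.113.1, hosts under 2001:db8::/32) are constructed documentation values.

```python
import ipaddress
from itertools import count

# Well-known NAT64 prefix from RFC 6052. Assumption: the translator is configured with it;
# any operator-chosen /96 works the same way.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def nat64_synthesize(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Stateless, one-to-one: embed the 32-bit IPv4 address in the low 32 bits of the /96 prefix.
    DNS64 builds its synthetic AAAA answers with exactly this rule."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def nat64_extract(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """Inverse of nat64_synthesize: recover the IPv4 address, refusing addresses outside the prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{ipv6} is not inside the NAT64 prefix {prefix}")
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF))


class StatefulNat64:
    """Toy stateful translator: many IPv6 sources share one public IPv4 address and are
    told apart by the port the translator allocates for each (source, source port) pair."""

    def __init__(self, public_ipv4: str, first_port: int = 1024,
                 prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
        self.public_ipv4 = str(ipaddress.IPv4Address(public_ipv4))
        self.prefix = prefix
        self._next_port = count(first_port)
        self.bindings = {}   # (src6, src_port) -> public port
        self.reverse = {}    # public port -> (src6, src_port)

    def outbound(self, src6: str, src_port: int, dst6: str, dst_port: int):
        """IPv6 -> IPv4 direction: allocate a binding on first use, then rewrite the 4-tuple."""
        dst4 = nat64_extract(dst6, self.prefix)   # the destination must be a synthesized address
        key = (str(ipaddress.IPv6Address(src6)), src_port)
        if key not in self.bindings:
            port = next(self._next_port)
            self.bindings[key] = port
            self.reverse[port] = key
        return (self.public_ipv4, self.bindings[key], dst4, dst_port)

    def inbound(self, dst4: str, dst_port: int):
        """IPv4 -> IPv6 direction: only ports with an existing binding are forwarded;
        anything else is dropped (None). This per-flow memory is what makes the box stateful."""
        if dst4 != self.public_ipv4 or dst_port not in self.reverse:
            return None
        return self.reverse[dst_port]


if __name__ == "__main__":
    # Constructed example values (documentation ranges, not real hosts)
    print(nat64_synthesize("192.0.2.33"))                              # 64:ff9b::c000:221
    nat = StatefulNat64("203.0.113.1")
    print(nat.outbound("2001:db8::1", 40000, "64:ff9b::c000:221", 80))  # shares 203.0.113.1, port 1024
    print(nat.outbound("2001:db8::2", 40000, "64:ff9b::c000:221", 80))  # shares 203.0.113.1, port 1025
    print(nat.inbound("203.0.113.1", 1025))                            # ('2001:db8::2', 40000)
```

The stateless functions are pure and need no memory, which is why a stateless translator scales and is easy to capacity-plan; the stateful class has to remember every binding (and, for the logging obligation discussed below, every allocation), which is exactly the cost that makes CGN-style deployments expensive.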
SPs are not very happy with the CGN or LSN based solutions, since they have to run a stateful protocol in their backbone. Capacity Planning is almost impossible in most cases, so they may have to over-provision the NAT64 or NAT444 with big CPUs and a lot of RAM, just in case they have to manage twice as many translations for an occasion like a global sport event such as the Olympic Games. If TV is not working for the Olympic Games or a Mundial soccer event, it would be a reason for many users to move to a competitor! Protocols like 4RD, dIVI-PD.
With CGN/LSN the SP must keep the logs, which represent some Terabytes of Data each month. Transition protocols are expensive, and as all SPs are transitioning to IPv6, I have serious doubts now that dual-stack will be supported for a long time. Will the "Good" Internet User who complies with IPv6 want to pay the bill of the one who has been doing nothing for 15 years?

1.5 What are the IPv6 improvements?
1.5.1 128 bit Addresses
1.5.1.1 IPv6 addresses - how many is that in numbers?
IPv6 is our Word of the Day today. The big difference between it and IPv4 is the increase in address space. IPv4 addresses are 32 bits; IPv6 addresses are 128 bits. That's a lot more, for sure, but what does it look like in numbers? What could we compare it to in real-world terms? DevDevin did the math: How many IP addresses does IPv6 support? Well, without knowing the exact implementation details, we can get a rough estimate based on the fact that it uses 128 bits. So 2 to the power of 128 ends up being 340,282,366,920,938,000,000,000,000,000,000,000,000 unique IP addresses. How do you say that, though? 340 trillion, 282 billion, 366 million, 920 thousand, 938, followed by 24 zeroes. There's no short way to say it in numbers without resorting to math. Here's how Wikipedia expresses it: The very large IPv6 address space supports a total of 2^128 (about 3.4×10^38) addresses, or approximately 5×10^28 (roughly 2^95) addresses for each of the roughly 6.5 billion (6.5×10^9) people alive today. In a different perspective, this is 2^52 addresses for every observable star in the known universe. Steve Leibson takes a shot at putting it in real world terms. It's big: grains of sand don't even enter into it. No, he's got to take it to the atomic level. Here's his conclusion: So we could assign an IPv6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100+ earths. It isn't remotely likely that we'll run out of IPv6 addresses at any time in the future.
1.5.2 Extension Headers
In IPv4 we had a limited amount of Options, which could not provide for any new Extension. In IPv6 we have Extension Headers instead. These Extension Headers can be daisy chained, so it is now possible to put as many Options as we want in an IPv6 packet to support any new IPv6 Level Applications. The first great example of what we can do with Extension Headers is Mobile IPv6 and all derived applications: Mobile router (NEMO), MANET, Wireless Sensor Networks (6LoWPAN), PMIPv6. As we can tweak Addresses at the Network Layer, it becomes transparent for the Transport or Application Level.
1.5.3 More Efficient Packet Switching
The header is aligned on 64 bits for more efficient access. There is no more Header Checksum in IPv6: this field has been completely removed. Routers are no longer responsible for fragmentation. If fragmentation must be done, it must be done by the source. The fragmentation information is no longer carried in each packet but in an Extension Header, if needed.
Chapter 3
IPv6 Addresses
This chapter introduces the key feature of IPv6, which is an address that scales to the Internet requirements of 2012 and until we all die!
1 IPv6 Addresses Introduction
Topics
1. Introduction
2. What does 128 bit represent?
3. All types of IPv6 Addresses:
  1. Unicast
    1. Unique Local Unicast
    2. Global Unicast Addresses
    3. Special Addresses
  2. Multicast
  3. Anycast

1.1 Introduction
IPv6 not only makes longer addresses, but also makes better use of addresses and of how to manage them. For instance, if you have a small LAN without any routers, the workstations will be able to pick up an address automatically, which will only be valid on this LAN (Link-local) and will permit the Node to be automatically configured with a local address. Then if a router comes up, new prefixes will be advertised by the router, and the Workstation will automatically configure addresses derived from these prefixes. The most important things are:
• There is no more Broadcast, only Multicast!
• Link-Local addresses are only valid on the link where they are configured. This leads to the concept of Zone. This Link-local address belongs to a zone with its own routing table.
• Anycast Addresses, which are addresses for the nearest Service. This already existed in IPv4, but is now fully managed.
• Routers are discovered automatically.
• ARP has been dramatically improved in the Neighbor Discovery protocol. There is no longer just a Timeout for the MAC to IP Address cache; the Neighbors are managed in the cache by a Finite State Machine. Useless entries of dead neighbors are cleared. When a Timer expires, a few probes are sent to the neighbor (about 35 seconds with the defaults).
• The concept of zone is also important in IPv6. For the moment it mostly applies to Multicast and Link-local Addresses, but it could be used to create VPNs. Still, each zone has its own Routing Table (please see RFC4007 "Scoped Zone Architecture" for more details).
See RFC4291 for the IPv6 Address Architecture.

1.2 What does 128 bit represent?
We could assign an IPv6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100+ earths. It isn't remotely likely that we'll run out of IPv6 addresses at any time in the future! So we must change the way we design networks and stop trying to save IP Addresses!
We must give large blocks when needed. Wasting IPv6 Addresses means not using the huge amount of available addresses to make scalable Networks, rather than failing to save each single bit of Address! Wasting Addresses does not mean the same thing in IPv6 as in IPv4!
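The Neighbor Discovery bullet above says the neighbor cache is driven by a Finite State Machine rather than a plain timeout. The following Python model is an added example, not code from the book or from any IPv6 stack, of that Neighbor Unreachability Detection machine; the constants are the RFC 4861 defaults (30 s REACHABLE, 5 s DELAY before the first probe, 1 s between probes, 3 probes), which are facts from the RFC rather than from the text above. With those defaults the first probe goes out 35 seconds after the last confirmation, matching the figure quoted above, and a neighbor that never answers is deleted, which is the "dead entries are cleared" behaviour. The neighbor address and MAC are constructed sample values.

```python
from dataclasses import dataclass, field

# RFC 4861 defaults (facts from the RFC; a real stack may randomize or tune them)
REACHABLE_TIME = 30.0          # seconds an entry stays REACHABLE after a confirmation
DELAY_FIRST_PROBE_TIME = 5.0   # grace period after traffic to a STALE neighbor
RETRANS_TIMER = 1.0            # seconds between unicast Neighbor Solicitations
MAX_UNICAST_SOLICIT = 3        # unanswered probes before the neighbor is declared dead


@dataclass
class NeighborEntry:
    ip: str
    mac: str
    state: str = "REACHABLE"
    timer: float = REACHABLE_TIME   # seconds left before the next state change
    probes_sent: int = 0
    log: list = field(default_factory=list)   # Neighbor Solicitations this toy would have sent


class NeighborCache:
    """Toy Neighbor Unreachability Detection machine (RFC 4861 section 7.3), one entry per neighbor.
    States used: REACHABLE -> STALE -> DELAY -> PROBE -> (deleted), plus a return to REACHABLE
    whenever reachability is confirmed again."""

    def __init__(self):
        self.entries = {}   # ip -> NeighborEntry

    def confirm(self, ip: str, mac: str) -> NeighborEntry:
        """Upper-layer or Neighbor Advertisement confirmation: (re)enter REACHABLE, restart its timer."""
        entry = self.entries.get(ip)
        if entry is None:
            entry = self.entries[ip] = NeighborEntry(ip, mac)
        entry.mac, entry.state = mac, "REACHABLE"
        entry.timer, entry.probes_sent = REACHABLE_TIME, 0
        return entry

    def packet_sent(self, ip: str) -> NeighborEntry:
        """Traffic to a STALE neighbor starts the DELAY grace period; other states are unaffected."""
        entry = self.entries[ip]
        if entry.state == "STALE":
            entry.state, entry.timer = "DELAY", DELAY_FIRST_PROBE_TIME
        return entry

    def advance(self, ip: str, seconds: float):
        """Let `seconds` pass for one entry, firing every timer that expires in that window.
        Returns the entry, or None once it has been deleted. STALE runs no timer at all."""
        entry = self.entries.get(ip)
        while entry is not None and seconds > 0 and entry.state != "STALE":
            step = min(seconds, entry.timer)
            entry.timer -= step
            seconds -= step
            if entry.timer <= 0:
                entry = self._expire(entry)
        return entry

    def _expire(self, entry: NeighborEntry):
        if entry.state == "REACHABLE":
            entry.state = "STALE"          # keep the MAC, but trust it only once traffic confirms it
        elif entry.state == "DELAY" or (entry.state == "PROBE"
                                        and entry.probes_sent < MAX_UNICAST_SOLICIT):
            entry.state = "PROBE"
            entry.probes_sent += 1
            entry.timer = RETRANS_TIMER
            entry.log.append(f"NS -> {entry.ip} (probe {entry.probes_sent})")
        else:
            del self.entries[entry.ip]     # all probes unanswered: the dead neighbor is cleared
            return None
        return entry


if __name__ == "__main__":
    cache = NeighborCache()
    ip = "2001:db8::1"                      # constructed sample neighbor
    entry = cache.confirm(ip, "00:90:59:02:e0:f9")
    cache.advance(ip, 30)                   # -> STALE after REACHABLE_TIME
    cache.packet_sent(ip)                   # -> DELAY
    cache.advance(ip, 5)                    # -> PROBE, first NS at t = 35 s
    print(cache.advance(ip, 3), entry.log)  # None: deleted after 3 unanswered probes
```

A cache that only expired on a timer would keep forwarding to a vanished neighbor until the timer ran out; the probe states let the stack notice a dead next hop within a few seconds of trying to use it, while an entry that nobody sends to simply sits in STALE and costs nothing.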
1.3 How to write an IPv6 Address?
The 128 bit Address is written as 8 16-bit digits written in hexadecimal and separated by colons (:). Leading zeros can be ignored. You can write:
2001:db8:1:459d:f123:98ab:d0:e1
instead of: 2001:0db8:0001:459d:f123:98ab:00d0:00e1. Once in the address you can replace a long list of zeroes with double colons (::). You can write:
2001:db8::1
instead of: 2001:db8:0:0:0:0:0:1

1.3.1 The IPv6 Addresses are:
• Unicast: One to One
  • Global Unicast Addresses (Public)
  • Unique Local Addresses (Private)
  • Link-Local Address
  • Special addresses: loopback, unspecified, IPv4 Mapped
• Anycast: One to Any
• Multicast: One to Many

IPv6 addresses are made of 128 bits, but we still find the same 3 parts that we have in an IPv4 Address:
[Figure: IPv6 Unicast Addresses. From left to right: 001 (3 bits) | ARIN (9 bits) | RIR or ISP (36 bits) | Subnet ID (16 bits) | Interface ID (Host, 64 bits).]
1.4 1.4.1
2001:db8::/16 is reserved for documentation and labs! 1.4.1.2 The Subnets bits These bits can be used by the customer to address many subnets for each site. We may find that using a /48 prefix for each site may be a waste of Addresses with our IPv4 reflexes, but this is actually the other way around as we have so many addresses available that it would be wasting addresses if we were trying to save addresses instead of using them generously to maximize the scalability of the addressing and allow easy growing of the sites. 1.4.1.3 The Interface I D The Interface ID is similar to the IPv4 Host Address. It is used to identify the Host itself.
IPv6 Unicast Addresses
1.4.1.3.1EUI-‐64 or Modified E UI-‐64 This address is generally derived from the Interface MAC Address which is 48 bit. 0xFFFFE is added in the middle of the MAC address to make a 64 bits address:
Global Unicast Addresses (Public)
The Global Unicast Addresses are similar to the Public IPv4 addresses and are routable in the IPv6 Internet. Provider . 48 bits
Site . 16 bits
Global Routing Prefix
SLA
Host. 64 bits
Interface ID
Global Unicast Address
00 90 59 02 E0 F9 00 90 59 FF FE 02 E0 F9
In the Internet 2000::/3 (binary 0010) is reserved by IANA for the global unicast address. You will find more details on the Internet here and RFC4291 for IPv6 Address Architecture: ThAs the Global Routing Prefix contains the IANA prefix for Global Unicast Adddress, a prefix which identifies the Regional Internet Registries (RIPE in Europe for instance) and eventually another prefix which identifies the ISP: http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xml
000000X0 EUI-64 Address In this example, the MAC Address is 00-90-59-02-E0-F9.
http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xml
The EUI-64 Address will be: 90:59ff:ff02:e0f9 And the Modified EUI-64 Address will be: 290:59ff:fe02:e0f9
12
For the Modified EUI-64 address X=1 which means that the address is a Locally Administratively Managed Address. Global ID 40 bits
1.4.1.3.2Temporary Random Prefix (RFC4941) As NAT is no more used and the Interface ID of a Laptop may not change, a user may be tracked by its address. To avoid this possible problem it is possible to use a Random Temporary Interface ID and change it everyday! This is configurable on all the available platforms (Windows, MAC OS, Linux).
Subnet ID
Interface ID
1111 1100 1111 1101 FC00::/7 FD00::/8
1.4.1.3.3Manually Configured On Routers or some servers, it may be better to assign static addresses instead of a EUI or Random Interface ID. For instance, in a Datacenter your router HSRPv6 Group could be 2001:db8:a01::1 and you may configure a static default route on all your Servers.
Unique local Address The big benefits of ULA other RFC1918 in IPv4 is that you have 40 bits to make your Prefix Unique. So in case one day you need to merge two Private Networks using ULA Addresses you may not have to renumber your Network.
You make sure that your system will not waste anytime or receive any Rogue information!
Actually there are two kinds of ULA, the Locally Managed and the Centrally Managed. If you make a Reservation and use the Centrally Managed Addresses, there is absolutely no risk of finding a duplicate subnet. With Locally Managed, the risk exist.
IPv6 Global unicast address Format (RFC 3587)
You can make a reservation at this URL: http://www.sixxs.net/tools/grh/ula/
IPv6 Global Unicast Address Format (RFC 3587) Initial Format Provider . n bits
64 .n bits
Host. 64 bits
Global Routing Prefix
Subnet ID
Interface ID
IETF assigned 001 for Global Unicast, 2620::/12 assigned to American Registry for Internet Numbers 3
9 bits
36 bits
16 Bits
Host. 64 bits
00 1
ARIN
RIR or ISP
Subnet ID
Interface ID
RFC 2374: Aggregatable Global Unicast Address Structure Public Topology
Site Topology
At the beginning of IPv6, they was no ULA but a prefix for site-local addresses: fec0::/10. But with this approach we had the same problem as with RFC1928 IPv4 Addresses so this prefix is no more reserved for Site-Local Addresses, which are deprecated and replaced by ULA. To access the Internet from a ULA Address you may need Proxies. For instance, if your internal Servers only need http or ftp access to the Internet for SW Updates at night, ULA + Proxy may be the right approach.
1.4.3
Link-‐local Addresses
Link-local Addresses are the Only Mandatories Addresses for each interface. When an IPv6 interface is coming up, the first step is to validate that its Link-local address is unique (Valid). If not, the IPv6 Interface is disabled. The interface could be used for other protocols but not IPv6! IPv6 Link-local addresses are only valid on the interface where they are configured. If you have many interfaces on a host or a router, it is no problem to use the same address for all the interfaces. They all start with the prefix fe80::/10.
Interface Identifier
3
13
8
24
16
64 bits
FP
TLA ID
RES
NLA ID
SLA ID
Interface ID
128bits
11111 1010
Tout à 0
Interface ID
© Frédéric Bovy - October 2011 - 37
64 bits
FE80::/10
1.4.2
Unique Local Addresses (Private. R FC4193)
The ULA are Private Unicast Addresses not routable on the Internet.
Link-local Address When you are using a Link-local address in a command, you must specify the Outgoing interface by its name or its index with the % sign in between like: fe80::34f:a011:2:d78%FastEthernet1 on Cisco Router or
13
fe80::34f:a011:2:d78%15 on Microsoft Windows, 15 is the interface index. In IPv4 it is similar to the 169.254.0.0/16 address (RFC 3927).
These addresses do not have any reserved prefix so you cannot recognize an Anycast Address from a Unicast.
All the Next Hop but recursive static or BGP routes use a Link-local address. 1.4.4
Special Addresses
1.6
1.4.4.1 Unspecified Address is ::/0 The Unspecified is only used as a source address when a node is booting, and it is verifying its Linklocal Address. A router MUST NOT route a packet with an unspecified source address. 1.4.4.2 Loopback Address is ::1 The loopback address is a Link-local address to the node itself. It must not be assigned to any physical interface. It is similar to the IPv4 127.0.0.1 address. 1.4.4.3 IPv4 Mapped Address This is used when you need to code an IPv4 address in the IPv6 format. For instance with 6PE or 6VPE, the destination IPv6 Address will have the Egress PE IPv4 Loopback interface. This is illegal for BGP to advertise a destination with a next hop of another Address Family. So the Next Hop is coded as an IPv4 Mapped Address. You got 80 bit set to 0, then 16 bits set to ffff and then the 32 bits of your IPv4 address: If the next hop was 192.9.0.1, it would be coded:
I Pv6 Mul5cast Addresses
This is a one to many addressing. There is no Broadcast in IPv6 only Multicast. But you have an address for all IPv6 nodes (ff02::1) as in IPv4 an address for all IPv4 nodes (224.0.0.1). The prefix ff02:: is reserved just like 224.0.0.x for IPv4. Multicast Addresses are used like in IPv4, when a source needs to send a packet to a Group of Receivers.
The Flags are used for the Embedded RP Address. This is new in IPv6 and allows the RP Address to be embedded in the Group Address. We will study the Flags when we cover the Multicast in detail. The Scope is also new in IPv6 and allowed to set the Scope of the Multicast Group:
0:0:0:0:0:ffff: ::ffff:192.9.0.1 or
1 is Node Local 2 is Link-local scope. Example:ff02::1 4 is Admin-local 5 is Site-local 8 is Organization-local E is a Global Group Example:
::ffff:c009:1
1.4.4.4 Encapsula>on of I Pv6 in Ethernet IPv6 Protocol is 0x86dd Dest Ethernet Source Ethernet Adress Adress
0x86DD
IPv6 Header and charge
IPv6 in Ethernet
ff02::1:2 All DHCP Servers and Relay. Link-local Scope ff05::1:3 All DHCP Servers. Site-local Scope (used by Relays) ff02::2 All IPv6 Routers. Link-local Scope
1.5
I Pv6 Anycast Addresses
ff02::5 All IPv6 OSPFv3 Routers. Link-local Scope ff02::6 All IPv6 OSPFv3 DR Routers. Link-local Scope
This is a one to any addressing.
ff02::9 All IPv6 RIPng Routers. Link-local Scope
Anycast Addresses are like duplicated Unicast Addresses. The goal is to find the nearest server implementing a function.
ff02::A All IPv6 EIGRP Routers. Link-local Scope
It was already existing in IPv4 for the DNS Root Servers. We have only 13 addresses, which represent more than 200 physical servers.
Only the Link-local Scope is automatically filtered and not forwarded by Routers. All the other Scopes must be implemented with ACLs.
In IPv4 it was also used by Anycast RP to find the nearest RP in a redundant RP mode using MSDP to make the RPs communicate with each other.
14
For each unicast or anycast address configured, the IPv6 node automatically configures a Solicited Node Multicast Address derived address. This address is setup with a common Multicast Prefix and the last 24 bits of the Unicast Address. Example: Unicast Address 2001:DB8:DC28::FC57:D4C8:1FFF Solicited Node Multicast Prefix FF02:0:0:0:0:1:FF Solicited-node multicast address FF02:0:0:0:0:1:FFC8:1FFF The solicited node multicast address derived from the unicast
Préfixe
FF02
Interface Identifier
O
0001
FF
24 bits
128 bits 1.7
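The derivations above (Modified EUI-64 from a MAC, the tracking problem that RFC 4941 temporary addresses solve, the solicited-node group, the multicast scope field, and the 33:33 Ethernet mapping used later in the MAC encapsulation chapter) in working form, as an added example that is not part of the book. It only uses the Python standard library; the MAC, prefix and addresses are the ones in the text.

```python
"""Addresses derived from a MAC and from a unicast address (added example,
not from the book): Modified EUI-64, the embedded-MAC fingerprint, the
solicited-node group, the multicast scope and the 33:33 MAC mapping."""
import ipaddress

SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
          0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def mac_to_modified_eui64(mac):
    """48-bit MAC -> 8-byte Modified EUI-64: insert ff:fe in the middle,
    then invert the U/L bit (0x02 of the first byte), RFC 4291 Appendix A."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def slaac_address(prefix, mac):
    """Prefix (/64 only) + Modified EUI-64 = the autoconfigured address."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8]
                                     + mac_to_modified_eui64(mac)))


def embedded_mac(addr):
    """If the Interface ID carries ff:fe in the middle, recover the MAC. This
    is the fingerprint that follows a laptop from network to network and
    that a random temporary Interface ID hides. None otherwise."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]   # undo the U/L flip
    return ":".join(f"{b:02x}" for b in octets)


def solicited_node(addr):
    """ff02::1:ff00:0/104 + the low-order 24 bits of the address."""
    low24 = ipaddress.IPv6Address(addr).packed[13:]
    prefix = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]
    return str(ipaddress.IPv6Address(prefix + low24))


def multicast_scope(group):
    """Name of the 4-bit scope field (low nibble of the second byte)."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError("not a multicast address")
    return SCOPES.get(g.packed[1] & 0x0F, "reserved")


def multicast_mac(group):
    """Ethernet destination for an IPv6 group: 33:33 + low-order 32 bits."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError("not a multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in g.packed[12:])


if __name__ == "__main__":
    mac = "00-90-59-02-E0-F9"
    print(mac_to_modified_eui64(mac).hex())                  # 029059fffe02e0f9
    host = slaac_address("2001:db8:a01::/64", mac)
    print(host, "embeds", embedded_mac(host))
    print(solicited_node("2001:db8:dc28::fc57:d4c8:1fff"))   # ff02::1:ffc8:1fff
    print(multicast_scope("ff05::1:3"), multicast_mac("ff02::1:ff90:fe53"))
```

Run it on any address seen in your logs: when embedded_mac returns a value, the host is announcing its hardware address to every site it talks to, which is the argument for enabling RFC 4941 temporary addresses on clients.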
1.7 IPv6 Address Plan Example
2001:db8:abcd::/48 has been assigned to the USA offices of this company.
Each region's largest office aggregates the traffic for its area as a /52 route. In the address 2001:db8:abcd:9000::/52, 9 identifies the West Coast.
Each office has a /56 prefix. In the address 2001:db8:abcd:9100::/56, 91 identifies the San Francisco office.
Then 2001:db8:abcd:9101::/64 may be the first LAN in SF.
1.8 The Multihoming Issue
1.8.1 IPv6 Addressing Hierarchy
IANA has allocated the block 2000::/3 for Global Unicast Addresses. Then in your address you will have a prefix which identifies each Regional Internet Registry (RIPE NCC, ARIN, APNIC, AfriNIC, LACNIC) and a prefix for each SP. The end user does not own a prefix, and if he changes SP he will have to renumber his network with a new prefix. See the RIPE allocation and assignment policy: http://www.ripe.net/ripe/docs/ripe-512
Figure, Internet administrative hierarchy: IANA (2000::/3) allocates to the Regional Internet Registries (ARIN, APNIC, RIPE NCC, ...) and, in some regions, to National Internet Registries (NIR); the RIRs allocate to ISPs / Local Internet Registries (LIR), for example 2001:db8::/32 and 2001:db9::/32; the LIRs assign to End Users (EU), for example Cust1 2001:db8:1::/48 and Cust2 2001:db8:2::/48 (the figure also uses 21ae::/8 and 2001::/8 as example RIR blocks).
IPv6 Addressing Aggregation
Having an address four times bigger, the IPv6 designers did not want to need four times more memory! So they designed a model to maximize aggregation. The goal is to maximize route aggregation, allowing each SP to summarize all its clients with one or a few prefixes. This is what we call Provider Assigned (PA) prefixes.
Figure, Provider Assigned addresses: ISP1 holds 2001:db8::/32 and assigns 2001:db8:1::/48 to the customer; ISP2 holds 2001:db9::/32 and assigns 2001:db9:100::/48 to the same customer. Each ISP announces only its /32 to the Internet.
1.8.2 Multihoming Issue and solutions
This works very well as long as a customer does not want to use more than one SP, for redundancy or for other reasons, like the best price in different regions of the world for instance. In this case the customer will have to deal with multiple prefixes. This is not a problem in itself, as any IPv6 interface can be configured with multiple prefixes. The problem is resiliency and load balancing. In the figure, a host has one address from each provider, 2001:db8:1:99:42:345f:1:1 and 2001:db9:100:99:42:345f:1:1, and a session is bound to one of them: when the destination is no longer reachable through that provider, the session fails and a new session must be started with the other address, even though a better route through ISP2 existed all along. There is a Flash animation in my free on-line tutorial, Fundamentals #2.
1.8.3 Provider Independent Addresses
The best solution, which may be expensive in some regions, is Provider Independent (PI) prefixes. In this case your RIR allocates a prefix to the end user, who is authorized to advertise his own prefix to multiple SPs. Below is an example: 2001:678:e01::/48 has been assigned to this company and the same prefix is advertised to SP ACME and SP ABC! Each of these SPs will have to advertise this prefix in the IPv6 Internet, as it does not fall under the SP's own summaries.
PI prefixes have been available since 2009, and we can see that the number of IPv6 prefixes in the Internet routing table has increased tremendously since that date: first because there was no solution to this problem before, and second because we cannot aggregate a PI prefix. It punches a hole in the summary address of each SP: since it does not fall into one of the SP's summaries, it must be advertised independently.
PI is seen as a short-term solution, as a long-term solution should permit maximum aggregation and must be managed by hosts or routers.
Figure, PI example: the company advertises 2001:678:e01::/48 to both ISP ACME and ISP ABC; each campus backbone router aggregates a /52 (for example Campus 3: 2001:678:e01:3000::/52), each building gets a /56, and there are up to 255 user /64 LANs per building.
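The prefix arithmetic behind section 1.7 (carving a /48 into /52 regions, /56 offices and /64 LANs) and section 1.8.3 (a PA /48 disappears into the provider's /32, a PI /48 punches a hole and has to be announced on its own), as an added example that is not part of the book. It uses only the Python standard library; the prefixes are the book's, the functions are not.

```python
"""Prefix arithmetic for the address plan (1.7) and PA/PI aggregation (1.8),
added example, not from the book."""
import ipaddress

SITE = "2001:db8:abcd::/48"            # the USA offices in the book's plan


def lan_prefix(site, region, office, lan):
    """Carve region (4 bits), office (4 bits) and LAN (8 bits) out of the
    16 subnet bits of a /48: region 9, office 1, LAN 1 -> ...:9101::/64."""
    net = ipaddress.IPv6Network(site)
    if net.prefixlen != 48:
        raise ValueError("site prefix must be a /48")
    if not (0 <= region < 16 and 0 <= office < 16 and 0 <= lan < 256):
        raise ValueError("field out of range")
    subnet_id = (region << 12) | (office << 8) | lan
    return ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64))


def region_prefix(site, region):
    """The /52 the regional office announces for its area."""
    return lan_prefix(site, region, 0, 0).supernet(new_prefix=52)


def office_prefix(site, region, office):
    """The /56 of one office."""
    return lan_prefix(site, region, office, 0).supernet(new_prefix=56)


def aggregated_by(prefix, summaries):
    """The summary covering `prefix`, or None when it punches a hole in the
    SP's aggregate and has to be advertised on its own (the PI case)."""
    prefix = ipaddress.IPv6Network(prefix)
    for summary in map(ipaddress.IPv6Network, summaries):
        if prefix.subnet_of(summary):
            return summary
    return None


def announcements(customer_prefixes, summaries):
    """What an SP must announce to the Internet: its summaries plus every
    customer prefix they do not cover. PA /48s vanish into the /32; a PI
    /48 survives as one more route in everybody's table."""
    holes = [ipaddress.IPv6Network(c) for c in customer_prefixes
             if aggregated_by(c, summaries) is None]
    nets = list(map(ipaddress.IPv6Network, summaries)) + holes
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    print(region_prefix(SITE, 0x9), office_prefix(SITE, 0x9, 0x1),
          lan_prefix(SITE, 0x9, 0x1, 0x01))
    isp1 = ["2001:db8::/32"]
    print(aggregated_by("2001:db8:1::/48", isp1))    # PA: covered by the /32
    print(aggregated_by("2001:678:e01::/48", isp1))  # PI: None, must be announced
    print(announcements(["2001:db8:1::/48", "2001:678:e01::/48"], isp1))
```

Feeding your full customer list and your own aggregates into announcements() gives the exact set of prefixes that should leave your AS; anything else seen in the global table with your AS as origin is a leak.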
1.8.4 Other Solutions
There are host-based and router-based solutions to this problem that keep the maximum aggregation of the PA prefixes. Some solutions are host-based, like shim6 or HIP, which also manage mobility, and others are managed by the routers, like LISP. "The basic idea behind the Loc/ID split is that the current Internet routing and addressing architecture combines two functions: Routing Locators (RLOCs), which describe how a device is attached to the network, and Endpoint Identifiers (EIDs), which define 'who' the device is, in a single numbering space, the IP address. Proponents of the Loc/ID split argue that this "overloading" of functions makes it virtually impossible to build an efficient routing system without forcing unacceptable constraints on end-system use of addresses. Splitting these functions apart by using different numbering spaces for EIDs and RLOCs yields several advantages, including improved scalability of the routing system through greater aggregation of RLOCs. To achieve this aggregation, we must allocate RLOCs in a way that is congruent with the topology of the network ("Rekhter's Law"). Today's 'provider-allocated' IP address space is an example of such an allocation scheme. EIDs, on the other hand, are typically allocated along organizational boundaries. Because the network topology and organizational hierarchies are rarely congruent, it is difficult (if not impossible) to make a single numbering space efficiently serve both purposes without imposing unacceptable constraints (such as requiring renumbering upon provider changes) on the use of that space. LISP, as a specific instance of the Loc/ID split, aims to decouple location and identity. This decoupling will facilitate improved aggregation of the RLOC space, implement persistent identity in the EID space, and, in some cases, increase the security and efficiency of network mobility." http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_11-1/111_lisp.html
4 IPv6 Header
To summarize the IPv6 header we could say: longer addresses and a simple, efficient, versatile, flexible and powerful Network Layer! The daisy-chained IPv6 extension headers are a major step forward for any application in the future! Mobile IPv6 is the first example of this power!
Section 1: IPv6 Header
Topics: 1. IPv6 versus IPv4 headers. 2. Path MTU Discovery. 3. Extension headers. 4. Encapsulation of packets in Layer 2.
1.1 IPv6 vs IPv4 Headers
• No more fragmentation fields (Identification, Fragment Offset, Flags). Fragmentation is no longer performed by routers but only by the source of the traffic, and a Fragment extension header carries the fragmentation information.
• No more header checksum, as it was redundant with the link-layer and transport checksums. This is why the transport checksums are mandatory in IPv6 (UDP included): ICMPv6, TCP and UDP compute them over a pseudo-header that contains the IPv6 addresses.
• Other fields have been renamed with more explicit names, like Hop Limit instead of TTL.
• Traffic Class is used instead of ToS/Precedence but still transports a DSCP for QoS.
• IPv6 addresses are four times larger.
• The Protocol field is replaced with a Next Header field, as the headers can now be daisy-chained to add several options to a packet!
• A new field, pretty much unused so far: the Flow Label. It should identify a flow together with the source and destination addresses. It is not used for two reasons: there is no common agreement on how to use it in a standard way, and people are scared that a non-default Flow Label (anything other than 0) would give hackers information about sensitive traffic!
• The header is aligned on 64 bits for better memory access.
1.2 Path MTU Discovery
Fragmentation is expensive, as it consumes resources on the router or host which fragments the packet, and it also consumes resources on the destination host which reassembles the packets. Some firewalls or NAT devices do the reassembly themselves, as they need the information contained in the first fragment, like the port numbers. Fragmentation is also a very easy way to mount a DoS attack: a station sending traffic requiring a lot of fragmentation or reassembly can kill the target by overwhelming its CPU! So fragmentation is already systematically avoided in IPv4 for all TCP traffic with a mechanism called Path MTU Discovery. An IPv6 router is not allowed to fragment a packet; only the source of a packet can, including a router when it is the head-end of a tunnel and encapsulates IPv6 in IPv6, but this is a special case. The principle is that the station starts sending at the MTU of its own link, and every time a router cannot forward the packet because of the MTU of the next link, it drops the packet rather than fragmenting it and sends back an ICMPv6 Packet Too Big message carrying the MTU of that link. The source sends the next packets at this MTU, and the operation may be repeated until the packets reach the destination. THE MINIMUM MTU FOR IPv6 IS 1280 BYTES: every link must carry 1280-byte packets, and a node receiving a Packet Too Big announcing less than 1280 keeps sending 1280-byte packets (with a Fragment header) rather than going lower. A practical consequence is that a firewall which filters ICMPv6 Packet Too Big messages silently breaks PMTUD: large packets are dropped and the source never learns why.
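The Path MTU Discovery exchange above, simulated end to end, as an added example that is not part of the book: routers drop and report instead of fragmenting, the source shrinks to each announced MTU, the 1280-byte floor applies, and filtering the Packet Too Big messages turns the procedure into a black hole. The list of link MTUs is constructed; hop n is the link leaving router n.

```python
"""Path MTU Discovery, simulated (added example, not from the book)."""
IPV6_MIN_MTU = 1280


def forward(size, link_mtus):
    """Routers never fragment: the first one whose outgoing link is too
    small drops the packet and returns (hop, that link's MTU), which is
    the content of its Packet Too Big message. None means delivered."""
    for hop, mtu in enumerate(link_mtus):
        if size > mtu:
            return hop, mtu
    return None


def discover_path_mtu(link_mtus, ptb_filtered=False):
    """Source side: start at the first-hop MTU and shrink to each announced
    MTU until a packet gets through. Returns (final MTU, or None if PMTUD
    black-holes, list of the Packet Too Big messages routers generated)."""
    size, ptbs = link_mtus[0], []
    while True:
        result = forward(size, link_mtus)
        if result is None:
            return size, ptbs
        ptbs.append(result)
        if ptb_filtered:
            # A firewall dropping ICMPv6 type 2 leaves the source retrying
            # the same size forever: the classic PMTUD black hole.
            return None, ptbs
        hop, mtu = result
        if mtu >= size:
            raise ValueError("bogus Packet Too Big: announced MTU is not smaller")
        if mtu < IPV6_MIN_MTU:
            # Every IPv6 link must carry 1280 bytes, so a smaller value is
            # treated as 1280 and the source adds a Fragment header instead
            # of going lower (RFC 2460 section 5).
            return IPV6_MIN_MTU, ptbs
        size = mtu


if __name__ == "__main__":
    print(discover_path_mtu([1500, 1500, 1400, 1280, 1500]))   # (1280, [(2, 1400), (3, 1280)])
    print(discover_path_mtu([1500, 1400, 1280, 1500], ptb_filtered=True))   # (None, [(1, 1400)])
```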
1.3 Extension Headers
The biggest improvement, which really gives IPv6 more flexibility and versatility, is the use of daisy-chained extension headers. It now becomes possible to push many headers into an IPv6 packet, and as these headers are TLV (Type, Length, Value) encoded you can add a new extension header to support a new Network Layer application. The first great example of what we can do will be introduced in a later module: Mobile IPv6 and the applications derived from it. Every device that filters on ports has to walk this chain to find the transport header, so oversized or malformed header chains are a classic evasion technique. The extension headers are the following and SHOULD appear in this order:
• Hop-by-Hop Options. This header MUST be examined by each router in the path. In IPv4 we had the Router Alert option to do the same, and the Router Alert is transported in this header when needed. It is used by multicast (MLD, the IPv6 equivalent of IGMP, and PIM), RSVP and other applications.
Router Alert Option: the Router Alert option (RFC 2711) tells the router that it must look inside the packet. It is carried in a Hop-by-Hop option. Example (an MLD query):
    Frame 3836 (90 bytes on wire, 90 bytes captured)
    Ethernet II, Src: ca:00:06:a9:00:1c, Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
        Type: IPv6 (0x86dd)
    Internet Protocol Version 6
        0110 .... = Version: 6
        .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
        .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
        Payload length: 36
        Next header: IPv6 hop-by-hop option (0x00)
        Hop limit: 1
        Source: fe80::c800:6ff:fea9:1c
        Destination: ff02::1
        Hop-by-Hop Option
            Next header: ICMPv6 (0x3a)
            Length: 0 (8 bytes)
            Router alert: MLD (4 bytes)
            PadN: 2 bytes
    Internet Control Message Protocol v6
        Type: 130 (Multicast listener query)
        Code: 0
        Checksum: 0x88d1 [correct]
        Maximum response delay[ms]: 10000
        Multicast Address: ::
        S Flag: OFF
        Robustness: 2
        QQI: 125
• Destination Options. This header is only examined by the destination of the packet. Mobile IPv6 uses it. If a Routing header is present, a Destination Options header placed before it is processed by each intermediate destination listed in the Routing header; if there is no Routing header, it is only for the final destination. Example:
    Frame 609 (114 bytes on wire, 114 bytes captured)
    Ethernet II, Src: ca:00:06:a9:00:1c, Dst: ca:01:06:a9:00:1c
    Internet Protocol Version 6
        0110 .... = Version: 6
        .... 1010 0000 .... .... .... .... .... = Traffic class: 0x000000a0
        .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
        Payload length: 60
        Next header: IPv6 hop-by-hop option (0x00)
        Hop limit: 64
        Source: 2001:db8:c0a8:b:c800:6ff:fea9:1c
        Destination: 2001:db8:c0a8:b:c801:6ff:fea9:1c
        Hop-by-Hop Option
            Next header: IPv6 destination option (0x3c)
            Length: 0 (8 bytes)
            PadN: 6 bytes
        Destination Option
            Next header: UDP (0x11)
            Length: 0 (8 bytes)
            PadN: 6 bytes
    User Datagram Protocol, Src Port: 57768 (57768), Dst Port: echo (7)
    Echo
• Routing Header. Three types. Types 0 and 1 are now deprecated and must not be used any more; Type 0 was too dangerous. Type 2 is still used by Mobile IPv6.
  o Type 0. There is a list of addresses in the header, and the packet must go through each of the routers listed. A Segments Left pointer tells a router where in the list we are. The destination address of the IPv6 packet is the next hop of the source route, which was not the case in IPv4, where the source and destination addresses were not modified by source routing. RH0 has been deprecated since RFC 5095: an attacker could list the same two routers many times and bounce a packet between them for traffic amplification, or use the header to get around ingress filtering and ACLs.
  o Type 1 has been deprecated for a long time.
  o Type 2 is used by Mobile IPv6 to carry the home address of the mobile node. Only one hop!
  Example of a capture. Note that the addresses used are the deprecated site-local addresses:
    Ethernet: Etype = IPv6
    Ipv6: Next Protocol = ICMPv6, Payload Length = 64
        Versions: IPv6, Internet Protocol, DSCP 0
        PayloadLength: 64 (0x40)
        NextProtocol: IPv6 Routing header, 43(0x2b)
        HopLimit: 127 (0x7F)
        SourceAddress: FEC0:0:0:2:2B0:D0FF:FEE9:4133
        DestinationAddress: FEC0:0:0:2:260:97FF:FE02:578F
        RoutingHeader:
            NextHeader: ICMPv6
            ExtHdrLen: 2(24 bytes)
            RoutingType: 0 (0x0)
            SegmentsLeft: 1 (0x1)
            Reserved: 0 (0x0)
            RouteAddress: FEC0:0:0:1:260:8FF:FE32:F9D8
    Icmpv6: Echo request, ID = 0x0, Seq = 0x3d1a
• Fragment. If the source must fragment the packet.
• IPsec Authentication Header (AH).
• IPsec Encapsulating Security Payload (ESP): authentication and encryption.
• Mobility. Used for the signaling of Mobile IPv6.
• Destination Options (for the final destination, when no Routing header is present).
• Upper-layer header (TCP, UDP, ICMPv6...).
Jumbo Payload option. The Jumbo Payload option, carried in the Hop-by-Hop Options header, allows larger datagrams than the 65,535 bytes permitted by the 16-bit Payload Length field of the plain IPv6 header. With the Jumbo Payload option a datagram can be up to 4,294,967,295 octets (RFC 2675).
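The header walk described above in working form, as an added example that is not part of the book: it decodes the fixed header fields of section 1.1, follows the Next Header chain through Hop-by-Hop, Destination Options, Routing and Fragment headers until it reaches the transport protocol, and refuses a Type 0 Routing Header with segments left, as RFC 5095 requires. The two packets are constructed here to mirror the book's captures (same traffic class, addresses and ports; the bytes, the 4-byte PadN and the UDP payload are assumptions); the UDP checksum is left at zero and is not verified.

```python
"""Walking an IPv6 extension header chain (added example, not from the book)."""
import struct

HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, MOBILITY = 0, 60, 43, 44, 51, 135
ICMPV6, UDP = 58, 17
EXT = {HOP_BY_HOP: "hop-by-hop", DEST_OPTS: "destination", ROUTING: "routing",
       FRAGMENT: "fragment", AH: "AH", MOBILITY: "mobility"}
# ESP (50) is deliberately absent from EXT: what follows it is encrypted, so
# the walk stops there and reports ESP as the upper layer.
UPPER = {ICMPV6: "ICMPv6", UDP: "UDP", 6: "TCP", 50: "ESP", 59: "none"}
OPTION_NAMES = {1: "PadN", 5: "router-alert", 194: "jumbo-payload"}


def parse_options(data):
    """TLV options of a Hop-by-Hop or Destination Options header."""
    opts, i = [], 0
    while i < len(data):
        if data[i] == 0:                          # Pad1: a single byte
            i += 1
            continue
        kind, length = data[i], data[i + 1]
        opts.append((OPTION_NAMES.get(kind, f"opt{kind}"), data[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def parse_packet(pkt):
    """Return (fixed header fields, extension header list, upper layer, payload)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if len(pkt) != 40 + plen:
        raise ValueError("Payload Length does not match the packet size")
    hdr = {"traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF,
           "payload_length": plen, "hop_limit": hlim,
           "src": pkt[8:24].hex(), "dst": pkt[24:40].hex()}
    chain, off = [], 40
    while nh in EXT:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment is fixed at 8 bytes; AH counts 4-byte words minus 2; the
        # others count 8-byte units not including the first 8 bytes.
        hlen = 8 if nh == FRAGMENT else (pkt[off + 1] + 2) * 4 if nh == AH else (pkt[off + 1] + 1) * 8
        entry = {"type": EXT[nh]}
        if nh in (HOP_BY_HOP, DEST_OPTS):
            entry["options"] = parse_options(pkt[off + 2:off + hlen])
        elif nh == ROUTING:
            entry["routing_type"], entry["segments_left"] = pkt[off + 2], pkt[off + 3]
            if entry["routing_type"] == 0 and entry["segments_left"]:
                # RFC 5095: RH0 allowed amplification and ACL bypass; discard it.
                raise ValueError("deprecated Type 0 Routing Header")
        elif nh == FRAGMENT:
            frag = struct.unpack("!H", pkt[off + 2:off + 4])[0]
            entry.update(offset=frag >> 3, more=bool(frag & 1),
                         ident=struct.unpack("!I", pkt[off + 4:off + 8])[0])
        chain.append(entry)
        nh, off = pkt[off], off + hlen
    return hdr, chain, UPPER.get(nh, f"proto {nh}"), pkt[off:]


def accepts(pkt):
    """Policy wrapper: True if the chain parses cleanly, False otherwise."""
    try:
        parse_packet(pkt)
        return True
    except ValueError:
        return False


def ipv6(src, dst, next_header, payload, hop_limit=64, traffic_class=0):
    vtf = (6 << 28) | (traffic_class << 20)
    return struct.pack("!IHBB", vtf, len(payload), next_header, hop_limit) + src + dst + payload


def build_sample():
    """Hop-by-Hop (PadN) -> Destination Options (PadN) -> UDP to the echo
    port, like the book's second capture. Constructed bytes."""
    src = bytes.fromhex("20010db8c0a8000bc80006fffea9001c")
    dst = bytes.fromhex("20010db8c0a8000bc80106fffea9001c")
    udp = struct.pack("!HHHH", 57768, 7, 12, 0) + b"ping"
    dest_opts = bytes([UDP, 0, 1, 4, 0, 0, 0, 0])          # PadN with 4 value bytes
    hop_by_hop = bytes([DEST_OPTS, 0, 1, 4, 0, 0, 0, 0])
    return ipv6(src, dst, HOP_BY_HOP, hop_by_hop + dest_opts + udp, traffic_class=0xA0)


def build_rh0_sample():
    """Type 0 Routing Header with one segment left around an ICMPv6 echo,
    like the book's deprecated site-local capture. Constructed bytes."""
    src = bytes.fromhex("fec000000000000202b0d0fffee94133")
    dst = bytes.fromhex("fec0000000000002026097fffe02578f")
    via = bytes.fromhex("fec0000000000001026008fffe32f9d8")
    rh0 = bytes([ICMPV6, 2, 0, 1]) + b"\x00" * 4 + via       # ExtHdrLen 2 = 24 bytes
    echo = struct.pack("!BBHHH", 128, 0, 0, 0, 0x3D1A)
    return ipv6(src, dst, ROUTING, rh0 + echo, hop_limit=127)


if __name__ == "__main__":
    hdr, chain, upper, payload = parse_packet(build_sample())
    print(hdr["hop_limit"], [e["type"] for e in chain], upper, len(payload))
    print("RH0 accepted:", accepts(build_rh0_sample()))
```

The same walk is what an ACL engine does before it can match on a UDP port; note that it stops at ESP, which is why port-based filters cannot see inside IPsec traffic.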
1.4 MAC Encapsulation of IPv6 Packets
Ethernet protocol encapsulation: Dest Ethernet Address | Source Ethernet Address | 0x86DD | IPv6 Datagram
Protocol (Ethertype): 0x86dd. In IPv4 it was 0x0800, and 0x0806 for ARP.
1.4.1 Multicast MAC Address Mapping
An IPv6 multicast address is mapped to an Ethernet MAC address by prefixing 33:33 to the low-order 32 bits of the group address:
IPv6 Multicast Address (128 bits): FF02:0:0:0:0:1:FF90:FE53
MAC Address (48 bits): 33:33:FF:90:FE:53
5 IPv6 ICMP & Neighbor Discovery
IPv6 ICMP is very similar to IPv4 ICMP, but Neighbor Discovery, which is encapsulated in ICMPv6, brings many key IPv6 features such as address autoconfiguration and default router discovery, as well as simpler functions like an optimized version of ARP!
Section 1: ICMPv6 & ND
Topics: 1. ICMPv6: 1.1 Introduction, 1.2 Error messages, 1.3 Echo, 1.4 Options. 2. Neighbor Discovery Protocol: 2.1 Introduction, 2.2 ND packets and options, 2.3 Neighbor Discovery (ND), 2.4 Duplicate Address Detection (DAD), 2.5 Neighbor Unreachability Detection (NUD), 2.6 Router Discovery (RD), 2.7 Autoconfiguration (SLAAC).
1 IPv6 ICMP
1.1 Introduction
ICMPv6 message format: Type (8 bits) | Code (8 bits) | Checksum (16 bits) | Message Body
ICMPv6 can be used to report problems and to ping a destination. The Type identifies which kind of message it is, or which problem we want to report, such as "Destination Unreachable" or "Echo Request". The Code gives more details about the problem: why is the destination unreachable? Is there a problem with the destination address? With the port? Is it filtered by an ACL? When ICMPv6 is used to transport other protocols like Neighbor Discovery (next chapter), the Code is zero. ICMPv6 handles much more in IPv6 than its IPv4 counterpart: for instance, Neighbor Discovery and Multicast Listener Discovery are now part of ICMPv6. Much ICMPv6 information is carried in standard ICMPv6 options, some of which are mandatory with some requests. The checksum is mandatory and is computed over a pseudo-header that includes the source and destination addresses, which is what makes the absence of a checksum in the IPv6 header acceptable.
1.2 ICMPv6 Error Messages
Error messages: Destination Unreachable (Type 1), Packet Too Big (Type 2), Time Exceeded (Type 3), Parameter Problem (Type 4).
1.2.1 Destination Unreachable (Type 1)
The Code says why (RFC 4443): 0 no route to destination, 1 communication administratively prohibited (typically an ACL), 2 beyond scope of source address, 3 address unreachable, 4 port unreachable, 5 source address failed ingress/egress policy, 6 reject route to destination. The message quotes as much of the invoking packet as fits in the minimum MTU. Capture excerpt of such a quoted packet (Wireshark cannot check the UDP checksum because the quoted copy is truncated):
    Payload length: 1960
    Next header: IPv6 hop-by-hop option (0x00)
    Hop limit: 64
    Source: 2001:db8::1
    Destination: 2001:db8::2
    Hop-by-Hop Option
        Next header: IPv6 destination option (0x3c)
        Length: 0 (8 bytes)
        PadN: 6 bytes
    Destination Option
        Next header: UDP (0x11)
        Length: 0 (8 bytes)
        PadN: 6 bytes
    User Datagram Protocol, Src Port: 56486 (56486), Dst Port: echo (7)
        Source port: 56486 (56486)
        Destination port: echo (7)
        Length: 1944
        Checksum: 0xa5bd [unchecked, not all data available]
    Echo
1.2.2 Packet Too Big (Type 2)
When a datagram is too big to be forwarded on an interface, an ICMPv6 Packet Too Big message must be sent back to the sender. The MTU of the outgoing link is provided:
    Ethernet: Etype = IPv6
    Ipv6: Next Protocol = ICMPv6, Payload Length = 1240
        Versions: IPv6, Internet Protocol, DSCP 0
        PayloadLength: 1240 (0x4D8)
        NextProtocol: ICMPv6, 58(0x3a)
        HopLimit: 64 (0x40)
        SourceAddress: FEC0:0:0:F282:201:2FF:FE44:87D1
        DestinationAddress: FEC0:0:0:F282:2B0:D0FF:FEE9:4143
    Icmpv6: Packet too big
        MessageType: Packet too big, 2(0x2)
        PacketTooBig:
            Code: 0 (0x0)
            Checksum: 44349 (0xAD3D)
            MTU: 1280 (0x500)
        InvokingPacket: Next Protocol = ICMPv6, Payload Length = 1460
            Versions: IPv6, Internet Protocol, DSCP 0
            PayloadLength: 1460 (0x5B4)
            NextProtocol: ICMPv6, 58(0x3a)
            HopLimit: 63 (0x3F)
            SourceAddress: FEC0:0:0:F282:2B:D0FF:FEE9:4143
            DestinationAddress: FEC0:0:0:0:fredoc0:0:0:1
1.2.3 Time Exceeded (Type 3)
Code 0: Hop Limit exceeded in transit.
Code 1: Fragment reassembly time exceeded. The receiving station could not reassemble the original datagram within 60 seconds.
1.2.4 Parameter Problem (Type 4)
Code 0: erroneous header field encountered. Code 1: unrecognized Next Header type encountered. Code 2: unrecognized IPv6 option encountered. A Pointer field gives the offset of the offending byte in the invoking packet.
1.3 ICMPv6 Informational Messages
1.3.1 Echo Request (Type 128)
    Frame 5219 (114 bytes on wire, 114 bytes captured)
    Ethernet II, Src: ca:00:06:a9:00:1c, Dst: ca:01:06:a9:00:1c
        Destination: ca:01:06:a9:00:1c
        Source: ca:00:06:a9:00:1c
        Type: IPv6 (0x86dd)
    Internet Protocol Version 6
        0110 .... = Version: 6
        .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
        .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
        Payload length: 60
        Next header: ICMPv6 (0x3a)
        Hop limit: 64
        Source: 2001:db8:c0a8:b:c800:6ff:fea9:1c
        Destination: 2001:db8:c0a8:b:c801:6ff:fea9:1c
    Internet Control Message Protocol v6
        Type: 128 (Echo request)
        Code: 0
        Checksum: 0x401b [correct]
        ID: 0x062b
        Sequence: 0x0002
        Data (52 bytes)
The ping that generated it, on the Cisco router:
    R0>ping 2001:DB8:C0A8:B:C801:6FF:FEA9:1C
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 2001:DB8:C0A8:B:C801:6FF:FEA9:1C, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 8/19/32 ms
1.3.2 Echo Reply (Type 129)
Please note that in IPv6 the packet which triggers the MAC address resolution is not dropped but buffered while waiting for the resolution, which is why the ping reaches 100% even the first time you ping a destination. This queue is a potential DoS target: a scan of a /64 forces a router to create an incomplete neighbor cache entry and queue a packet for every probed address.
    Frame 5220 (114 bytes on wire, 114 bytes captured)
    Ethernet II, Src: ca:01:06:a9:00:1c, Dst: ca:00:06:a9:00:1c
        Destination: ca:00:06:a9:00:1c
        Source: ca:01:06:a9:00:1c
        Type: IPv6 (0x86dd)
    Internet Protocol Version 6
        0110 .... = Version: 6
        .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
        .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
        Payload length: 60
        Next header: ICMPv6 (0x3a)
        Hop limit: 64
        Source: 2001:db8:c0a8:b:c801:6ff:fea9:1c
        Destination: 2001:db8:c0a8:b:c800:6ff:fea9:1c
    Internet Control Message Protocol v6
        Type: 129 (Echo reply)
        Code: 0
        Checksum: 0x3f1b [correct]
        ID: 0x062b
        Sequence: 0x0002
        Data (52 bytes)
1.4 Other Protocols supported by ICMPv6
ICMPv6 also carries Neighbor Discovery, SEcure Neighbor Discovery (SEND), and MLDv1 and MLDv2 for multicast. We are going to study ND in the next section and multicast later in this book. This will only be an introduction to multicast for IPv6, as I will develop IPv6 multicast in another book.
31
2
Neighbor Discovery Protocol
MAC Layer Source MAC Address is NIC address Destination is all routers MAC address 33-33-00-00-00-02
2.1
Introduc5on
IPv6 Nodes on the same link use NDP (rfc4861, rfc4862) to discover each other’s presence and linklayer addresses, to find routers, and to maintain reachability information about the paths to active neighbors. Both hosts and routers use NDP. Its functions include Neighbor Discovery (ND) and MAC or Layer 2 Address Resolution, Router Discovery (RD), Address Autoconfiguration, Address Resolution, Neighbor Unreachability Detection (NUD), Duplicate Address Detection (DAD), and Redirection. It is much more sophisticated than ARP was and uses a Finite State Machine (FSM) to manage its Neighbor Cache.
IPv6 Layer Link local or unspecified IPv6 address. Link local all routers IPv6 address ICMPv6 Layer Type 133 Code 0 ICMPv6 Checksum Source Link-Layer Address option ICMPv6 Option (Source link-layer address)
2.1.1
NDP use the 5 messages (PDU) and 5 Op5ons.
2.1.1.1 The 5 bases P DUs are: Neighbor Solicitation (NS)/Advertisements (NA)
Type: Source link-layer address (1) Length: 8 Link-layer address: ca:02:06:a9:00:54
Router Solicitation (RS)/Advertisements (RA) Redirection 2.1.1.2 The 5 Op>ons: Source Link-Layer Address (SLLA). Option 1
Sent by a host to get information from local routers.
Target Link-Layer Address (TLLA). Option 2
Source MAC Address is NIC address
Prefix Information. Option 3
Destination is all routers MAC address 33-33-00-00-00-02
Redirected Header. Option 4
IPv6 Layer
MTU. Option 5
Link local or unspecified IPv6 address.
MAC Layer
Link local all routers IPv6 addressr ICMPv6 Layer Type 133 Code 0 2.2
ND PACKETS A ND O PTIONS
2.2.1
ND Packets
2.2.2
Router Solicita5on
Sent by a host to get information from local routers.
ICMPv6 Checksum Source Link-Layer Address option ICMPv6 Option (Source link-layer address) Type: Source link-layer address (1) Length: 8 Link-layer address: ca:02:06:a9:00:54
32
2.2.3
Router Advertisement

Sent on a regular basis or as an answer to a Router Solicitation.

Ethernet Layer: source MAC of the sending NIC; the destination will be 33-33-00-00-00-01 or unicast.
IPv6 Layer: link-local source; the destination will be all-nodes FF02::1 or the unicast address of the station which sent the Router Solicitation. Hop Limit 255.
ICMPv6 Layer: Router Advertisement, Type 134, Code 0, Checksum, Current Hop Limit, Managed Address Configuration flag (for stateful DHCPv6), Other Stateful Configuration flag (for stateless DHCPv6), Router Lifetime, Retransmission Timer.
Options: Source Link-Layer Address option, MTU option, Prefix Information options, Advertisement Interval option, Home Agent Information option (for Mobile IPv6).

2.2.4
Neighbor Solicitation

Used to ask for the link-layer address of a neighbor.

IPv6 Layer: the Source Address is either an address assigned to the interface from which this message is sent or (if Duplicate Address Detection is in progress) the unspecified address. The Destination Address is either the solicited-node multicast address corresponding to the target address, or the target address. Hop Limit is 255.
ICMPv6 Layer: Type 135, Code 0, Target Address. Possible option: Source Link-Layer Address option.

Capture of a Neighbor Solicitation:
Frame 5344 (86 bytes on wire, 86 bytes captured)
Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Destination: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c801:6ff:fea9:1c (fe80::c801:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
Internet Control Message Protocol v6
    Type: 135 (Neighbor solicitation)
    Code: 0
    Checksum: 0x6230 [correct]
    Target: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
    ICMPv6 Option (Source link-layer address)
        Type: Source link-layer address (1)
        Length: 8
        Link-layer address: ca:01:06:a9:00:1c
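To see how the fields of Frame 5344 fit together, here is an added Python example (not from the book) that rebuilds that Neighbor Solicitation byte by byte from the addresses in the capture, computes the ICMPv6 checksum over the IPv6 pseudo-header, walks the ND option TLVs back out, and derives the solicited-node multicast group and MAC that a host would use for address resolution of the same target (the captured NS was sent unicast, as NUD does).

```python
import ipaddress
import struct

ICMPV6 = 58        # IPv6 Next Header value for ICMPv6
ND_NS = 135        # Neighbor Solicitation type
OPT_SLLA = 1       # Source Link-Layer Address option type

# Values taken from Frame 5344 above (a unicast NS, so destination == target)
SRC = "fe80::c801:6ff:fea9:1c"
DST = "2001:db8:c0a8:b:c800:6ff:fea9:1c"
TARGET = "2001:db8:c0a8:b:c800:6ff:fea9:1c"
SRC_MAC = "ca:01:06:a9:00:1c"


def icmpv6_checksum(src, dst, message):
    """RFC 4443 checksum: one's complement sum of the IPv6 pseudo-header
    (source, destination, upper-layer length, 3 zero bytes, next header)
    followed by the ICMPv6 message. Run on a message whose checksum field
    is zero it yields the value to insert; on a complete message it yields 0."""
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message))
              + b"\x00\x00\x00" + bytes([ICMPV6]))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ns(src, dst, target, src_mac):
    """ICMPv6 header (type, code, checksum, 4 reserved bytes), the 16-byte
    target address, then the SLLA option: type 1, length 1 (8-byte units), MAC."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    body = (struct.pack("!BBHI", ND_NS, 0, 0, 0)
            + ipaddress.IPv6Address(target).packed
            + bytes([OPT_SLLA, 1]) + mac)
    csum = icmpv6_checksum(src, dst, body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def checksum_field(message):
    """The checksum as it appears in the ICMPv6 header (bytes 2 and 3)."""
    return struct.unpack("!H", message[2:4])[0]


def solicited_node(target):
    """Solicited-node group ff02::1:ffXX:XXXX and its Ethernet mapping
    33:33:ff:XX:XX:XX, both built from the low 24 bits of the target."""
    low = ipaddress.IPv6Address(target).packed[-3:]
    group = ipaddress.IPv6Address(bytes.fromhex("ff0200000000000000000001ff") + low)
    return str(group), "33:33:ff:" + ":".join("%02x" % b for b in low)


def parse_nd_options(message, offset):
    """Walk the TLV options that follow an ND message body. Lengths are in
    8-byte units; a zero length is invalid and RFC 4861 requires the whole
    packet to be discarded, so raise instead of looping forever."""
    options = {}
    while offset + 2 <= len(message):
        otype, olen = message[offset], message[offset + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")
        options[otype] = message[offset + 2: offset + olen * 8]
        offset += olen * 8
    return options


if __name__ == "__main__":
    ns = build_ns(SRC, DST, TARGET, SRC_MAC)
    print("NS length %d, checksum 0x%04x" % (len(ns), checksum_field(ns)))
    print("SLLA option:", parse_nd_options(ns, 24)[OPT_SLLA].hex(":"))
    print("solicited-node group and MAC for the target:", solicited_node(TARGET))
```

The checksum computed for the rebuilt message is the 0x6230 shown by Wireshark, which confirms that the payload length of 32 is exactly the 8-byte header, the 16-byte target and the 8-byte SLLA option.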
2.2.5
Neighbor Advertisement

Neighbor Advertisements can be solicited or unsolicited.

ICMPv6 Layer: Type 136, Code 0. Router flag, set if the sender is a router. Solicited flag, set if this is an answer to a Neighbor Solicitation. Override flag, set if the advertisement must override an existing entry in the cache. Target Address: for solicited advertisements, the Target Address field of the Neighbor Solicitation message that prompted this advertisement; for an unsolicited advertisement, the address whose link-layer address has changed. The Target Address MUST NOT be a multicast address. Possible option: Target Link-Layer Address option.

2.2.6
Redirect

Informs a neighbor of a better next hop to reach a particular destination. Redirect messages can be dangerous and can be ignored by configuration on most platforms (Windows, Mac OS X, Linux).
2.2.7
Neighbor Discovery Options

2.2.7.1 Source Link-Layer Address Option

It is used by Neighbor Solicitation and Router Advertisement. Capture of a Router Advertisement carrying the option:

Frame 56 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: ca:02:06:a9:00:54 (ca:02:06:a9:00:54), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Source: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 64
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
    Destination: ff02::1 (ff02::1)
Internet Control Message Protocol v6
    Type: 134 (Router advertisement)
    Code: 0
    Checksum: 0x9040 [correct]
    Cur hop limit: 64
    Flags: 0x00
    Router lifetime: 1800
    Reachable time: 0
    Retrans timer: 0
    ICMPv6 Option (Source link-layer address)
        Type: Source link-layer address (1)
        Length: 8
        Link-layer address: ca:02:06:a9:00:54
    ICMPv6 Option (MTU)
        Type: MTU (5)
        Length: 8
        MTU: 1500
    ICMPv6 Option (Prefix information)
        Type: Prefix information (3)
        Length: 32
        Prefix length: 64
        Flags: 0xc0
        Valid lifetime: 2592000
        Preferred lifetime: 604800
        Prefix: 2001:db8:c0a8:3::

2.2.7.2 Target Link-Layer Address Option

It is used by Neighbor Advertisement and Redirect packets. Capture of a Neighbor Advertisement carrying the option:

Frame 25 (86 bytes on wire, 86 bytes captured)
Ethernet II, Src: ca:01:06:a9:00:54 (ca:01:06:a9:00:54), Dst: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Destination: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Source: ca:01:06:a9:00:54 (ca:01:06:a9:00:54)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c801:6ff:fea9:54 (fe80::c801:6ff:fea9:54)
    Destination: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
Internet Control Message Protocol v6
    Type: 136 (Neighbor advertisement)
    Code: 0
    Checksum: 0x5f24 [correct]
    Flags: 0xe0000000
    Target: fe80::c801:6ff:fea9:54 (fe80::c801:6ff:fea9:54)
    ICMPv6 Option (Target link-layer address)
        Type: Target link-layer address (2)
        Length: 8
        Link-layer address: ca:01:06:a9:00:54

2.2.7.3 Prefix Information Option

Can be sent with a Router Advertisement to advertise prefixes. More than one prefix can be included.
Type: 3.
Length: 4.
Prefix Length: 8 bits. Generally 64.
On-Link Flag: 1 bit. Set if the prefix can be used for on-link determination (addresses within it are neighbors on this link).
Autonomous Flag: 1 bit. Set if the prefix must be used to derive an address during SLAAC.
Router Address Flag: defined in RFC 3775 for Mobile IPv6.
Site Prefix Flag.
Valid Lifetime: how long an address derived from this prefix remains valid, without any refresh, before it is removed from the interface. A value of all one bits represents infinity (for static addresses).
Preferred Lifetime: if not refreshed and the Preferred Timer expires, the address becomes deprecated and cannot be used to establish a new connection, but it is still valid for existing connections. A value of all one bits represents infinity (for static addresses).

Capture excerpt (the Prefix Information option of the Frame 56 Router Advertisement above):
    ICMPv6 Option (Prefix information)
        Type: Prefix information (3)
        Length: 32
        Prefix length: 64
        Flags: 0xc0
        Valid lifetime: 2592000
        Preferred lifetime: 604800
        Prefix: 2001:db8:c0a8:3::

2.2.7.4 Redirected Header Option

It is only used in the ND Redirect packet.

Frame 92 (214 bytes on wire, 214 bytes captured)
Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:02:06:a9:00:1c (ca:02:06:a9:00:1c)
    Destination: ca:02:06:a9:00:1c (ca:02:06:a9:00:1c)
    Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 160
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c801:6ff:fea9:1c (fe80::c801:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b::1 (2001:db8:c0a8:b::1)
Internet Control Message Protocol v6
    Type: 137 (Redirect)
    Code: 0
    Checksum: 0xd231 [correct]
    Target: 2001:db8:c0a8:a:c800:6ff:fea9:1c (2001:db8:c0a8:a:c800:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:a:c800:6ff:fea9:1c (2001:db8:c0a8:a:c800:6ff:fea9:1c)
    ICMPv6 Option (Target link-layer address)
        Type: Target link-layer address (2)
        Length: 8
        Link-layer address: ca:00:06:a9:00:1c
    ICMPv6 Option (Redirected header)
        Type: Redirected header (4)
        Length: 112
        Reserved: 0 (correct)
        Redirected packet
            Internet Protocol Version 6
                0110 .... = Version: 6
                .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
                .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
                Payload length: 60
                Next header: ICMPv6 (0x3a)
                Hop limit: 63
                Source: 2001:db8:c0a8:b::1 (2001:db8:c0a8:b::1)
                Destination: 2001:db8:c0a8:a:c800:6ff:fea9:1c (2001:db8:c0a8:a:c800:6ff:fea9:1c)
            Internet Control Message Protocol v6
                Type: 128 (Echo request)
                Code: 0
                Checksum: 0xbce7 [correct]
                ID: 0x22ef
                Sequence: 0x0004
                Data (52 bytes)
2.2.7.5 MTU Option

The MTU option is used in the ICMPv6 Packet Too Big message and in the ND Router Advertisement. Capture excerpt (the MTU option of the Frame 56 Router Advertisement above):
    ICMPv6 Option (MTU)
        Type: MTU (5)
        Length: 8
        MTU: 1500

2.2.7.6 Route Information Option

Sent in Router Advertisements (see RFC 4191). It is used to give a preference to a router and to advertise routes (a router SHOULD NOT send more than 17 routes). It SHOULD NOT be a default behavior. You can also advertise a more specific route with this option.

2.2.7.7 DNS Server Option

DNS Server addresses can also be advertised in RAs (RFC 5006). This is a very simple option with a Length, a Lifetime and the addresses of all the DNS Servers. So you do not need to set up DHCPv6 Lite to advertise the DNS Server address! With Linux it can be advertised by the radvd daemon.

2.3
Neighbor Discovery

IPv6 uses ND to manage its Neighbor Cache. This includes resolving the MAC address of the Neighbor and checking its reachability (NUD).

Neighbor Discovery uses Neighbor Solicitation (NS) and Neighbor Advertisement (NA).

NS are used to discover the Neighbor MAC address, to check if our new address is a duplicate, or to check if a Neighbor is still reachable (NUD).
2.3.1
MAC Address Resolution

When a host needs to send a packet to a destination, it verifies if the destination is a Neighbor. In this case it sends the packet directly to the Neighbor. There is an algorithm to check if the destination is a Neighbor, as there can be many prefixes on the same cable. Once this is verified, the host creates an entry in the Neighbor Cache with state INCOMPLETE and the IPv6 address of the destination, and sends a Neighbor Solicitation to its Solicited-Node Multicast Address. The NS contains the MAC address of the requester in the SLLA option, which saves the reverse resolution (see the SLLA option in the capture below). Example of NS/NA between two UBUNTU hosts:

2.3.1.1
Neighbor Solicitation

Internet Protocol Version 6, Src: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef), Dst: ff02::1:ff8c:e4ac (ff02::1:ff8c:e4ac)
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef)
    [Source SA MAC: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)]
    Destination: ff02::1:ff8c:e4ac (ff02::1:ff8c:e4ac)
Internet Control Message Protocol v6
    Type: Neighbor Solicitation (135)
    Code: 0
    Checksum: 0xc88d [correct]
    Reserved: 00000000
    Target Address: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac
    ICMPv6 Option (Source link-layer address : f4:ca:e5:44:10:ef)
        Type: Source link-layer address (1)
        Length: 1 (8 bytes)
        Link-layer address: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)

The requester provides its MAC address in the SLLA option.

2.3.1.2
Neighbor Advertisement

Internet Protocol Version 6, Src: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac, Dst: fe80::f6ca:e5ff:fe44:10ef
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac (2a01:e35:2f26:d340:e:6a75:6c8c:e4ac)
    Destination: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef)
    [Destination SA MAC: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)]
Internet Control Message Protocol v6
    Type: Neighbor Advertisement (136)
    Code: 0
    Checksum: 0xe1ad [correct]
    Flags: 0x60000000
        0... .... .... .... .... .... .... .... = Router: Not set
        .1.. .... .... .... .... .... .... .... = Solicited: Set
        ..1. .... .... .... .... .... .... .... = Override: Set
        ...0 0000 0000 0000 0000 0000 0000 0000 = Reserved: 0
    Target Address: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac
    ICMPv6 Option (Target link-layer address : 00:0c:29:30:33:86)
        Type: Target link-layer address (2)
        Length: 1 (8 bytes)
        Link-layer address: Vmware_30:33:86 (00:0c:29:30:33:86)

The replier provides its MAC address in the TLLA option.

Please note the flags in the NA: a Router bit if we are a router, a Solicited bit if this is a reply to a solicitation (NS), and the Override bit to enable the replacement of a cache entry! This is why the display of your neighbor cache table tells you if an entry is a router.

Once it has received an answer, the host updates the Neighbor MAC address from the reply and sets the neighbor state to REACHABLE.

If the Neighbor does not reply, the host retries MAX_UNICAST_SOLICIT (default: 3) times with a configured interval of RETRANS_TIMER (default: 1 second) between two requests, and if no reply is received, it clears the entry from the Cache.
2.4
Duplicate Address Detection (DAD)

This process is used when an interface is coming up or every time a new address is added on an IPv6 interface.

Its purpose is to check that the new address is not a duplicate address. It is a local process, so the check is only done on the link where the address is added.

This is a very simple process: we just send a NS to our own Solicited-Node Multicast Address to request the MAC address of our newly configured address. We expect NO ANSWER.

If somebody does answer, it means that there is another "myself" on the network and my address is a DUP. If I don't receive any NA, we send a NA to claim the address for ourselves and initialize the address. We can see the DAD process in the capture at the very beginning, using the unspecified source address ::.

DAD example on a CISCO router:
ICMPv6-ND: L3 came up on GigabitEthernet0/2
IPv6-Addrmgr-ND: DAD request for 2000:1::1 on GigabitEthernet0/2
ICMPv6-ND: Sending NS for 2000:1::1 on GigabitEthernet0/2
IPv6-Addrmgr-ND: DAD: 2000:1::1 is unique.
ICMPv6-ND: Sending NA for 2000:1::1 on GigabitEthernet0/2
IPv6-Address: Address 2000:1::1/64 is up on GigabitEthernet0/2

DAD ATTACK: the DAD process can be the target of a local attacker. The bad guy just listens to all the Neighbor Solicitation messages and replies to all of them as if all addresses were already in use. DAD fails and the interface is disabled for IPv6. You can get a tool which performs a DAD attack from the THC web site: http://www.thc.org/thc-ipv6/

2.5
Neighbor Unreachability Detection (NUD)

As long as the host communicates with this Neighbor, the Upper Layer will reset the Reachable Timer, so it is never reached and the Neighbor remains in the REACHABLE state.

If the Upper Layer stops communicating with the Neighbor for the duration of the Reachable Timer (default: 30 seconds), the entry moves to the STALE state.

Then the host does nothing until a packet is sent to the Neighbor. When a packet is sent to this Neighbor, the entry is moved to the DELAY state (default: 5 seconds) to give some time for the Upper Layer protocol to check the availability of the Neighbor. If no positive confirmation is received, the entry is moved to PROBE and the host starts sending unicast NS to the neighbor (probes) every Retransmit Interval (default: 1 second). After MAX_UNICAST_SOLICIT (default: 3) attempts, the Neighbor is considered unreachable and its entry is cleared from the Cache.
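The neighbor cache state machine described in 2.3.1 and 2.5 (INCOMPLETE, REACHABLE, STALE, DELAY, PROBE, then deletion) as an added Python simulation, not from the book, driven by an explicit clock and using the default timers quoted above; the handling of a Neighbor Advertisement whose Override flag is clear follows RFC 4861 section 7.2.5 rather than anything stated in this chapter.

```python
import math

# Defaults quoted in 2.3.1 and 2.5 (seconds, and number of attempts)
REACHABLE_TIME = 30
DELAY_FIRST_PROBE_TIME = 5
RETRANS_TIMER = 1
MAX_SOLICIT = 3          # NS attempts, both multicast (INCOMPLETE) and unicast (PROBE)


class NeighborEntry:
    """One neighbor cache entry; timer-driven transitions happen in tick()."""

    def __init__(self, addr, now=0.0):
        self.addr = addr
        self.mac = None
        self.is_router = False
        self.state = "INCOMPLETE"
        self.solicits = 0
        self.sent = []                  # (kind, time) of every NS sent
        self.timer = math.inf           # absolute time of the next timer event
        self._solicit(now, "multicast")  # NS to the solicited-node group

    def _solicit(self, now, kind):
        self.sent.append((kind, now))
        self.solicits += 1
        self.timer = now + RETRANS_TIMER

    def _enter(self, state, now):
        self.state = state
        if state == "REACHABLE":
            self.timer = now + REACHABLE_TIME
        elif state == "DELAY":
            self.timer = now + DELAY_FIRST_PROBE_TIME
        elif state == "PROBE":
            self.solicits = 0
            self._solicit(now, "unicast")   # first unicast probe
        else:                               # STALE and DELETED have no timer
            self.timer = math.inf

    def receive_na(self, now, mac, solicited, router, override):
        """Apply the Router, Solicited and Override flags of an NA (2.2.5)."""
        if self.state == "DELETED":
            return self.state
        if self.state == "INCOMPLETE":
            self.mac, self.is_router = mac, router
            self._enter("REACHABLE" if solicited else "STALE", now)
        elif not override and mac != self.mac:
            # Different MAC without Override: keep ours; a REACHABLE entry
            # drops to STALE so that it gets re-probed (RFC 4861 7.2.5)
            if self.state == "REACHABLE":
                self._enter("STALE", now)
        else:
            changed = override and mac != self.mac
            if override:
                self.mac = mac
            self.is_router = router
            if solicited:
                self._enter("REACHABLE", now)
            elif changed:
                self._enter("STALE", now)
        return self.state

    def upper_layer_confirmation(self, now):
        """Forward progress (e.g. a TCP ACK) resets the Reachable Timer."""
        if self.state not in ("INCOMPLETE", "DELETED"):
            self._enter("REACHABLE", now)
        return self.state

    def send_packet(self, now):
        """Traffic to a STALE neighbor starts the DELAY timer."""
        if self.state == "STALE":
            self._enter("DELAY", now)
        return self.state

    def tick(self, now):
        """Advance the clock and handle an expired timer, if any."""
        if now < self.timer:
            return self.state
        if self.state == "INCOMPLETE":
            if self.solicits >= MAX_SOLICIT:
                self._enter("DELETED", now)      # address resolution failed
            else:
                self._solicit(now, "multicast")
        elif self.state == "REACHABLE":
            self._enter("STALE", now)
        elif self.state == "DELAY":
            self._enter("PROBE", now)
        elif self.state == "PROBE":
            if self.solicits >= MAX_SOLICIT:
                self._enter("DELETED", now)      # neighbor unreachable
            else:
                self._solicit(now, "unicast")
        return self.state


if __name__ == "__main__":
    e = NeighborEntry("2001:db8:c0a8:b:c800:6ff:fea9:1c", now=0)   # target from Frame 5344
    e.receive_na(0.2, "ca:00:06:a9:00:1c", solicited=True, router=False, override=True)
    for t in (50, 60, 65, 66, 67, 68):
        e.send_packet(t)
        print(t, e.tick(t))
```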
FIGURE 6.16 Address Autoconfiguration States: Tentative, Preferred, Deprecated, Invalid, with the Preferred Lifetime and the Valid Lifetime (an address is Valid while it is Preferred or Deprecated).
FIGURE 6.10 Full DAD Process and UBUNTU Interface Startup

FIGURE 6.9 NS Sent during DAD Process (UBUNTU)

2.6
Router Discovery

By default the hosts do not have to configure a default router. This is done automatically thanks to the ND protocol. The routers send unsolicited Router Advertisements on a regular basis (the minimum interval is 3 seconds). The hosts listen to the RAs to refresh prefixes or update some parameters. When a host is booting and needs the RA information immediately, it sends a Router Solicitation message to the All-Routers Multicast Address FF02::2. The RA contains the following information:
o Default link parameters (Default Hop Limit, MTU)
o Neighbor Unreachability Detection parameters: the Reachable Timer and the Retransmit Interval. The value zero means unspecified, which actually means that the information configured on the hosts must not be changed by the RA.
o Prefixes available on the link, with timers and flags for each prefix about autoconfiguration (SLAAC, Stateless Address Autoconfiguration)
o Whether the router is a candidate as default gateway (Lifetime, Preference). The Lifetime parameter only says how long this advertisement is valid, without being refreshed, for using this router as a default router candidate. An RA with Lifetime=0 means: "stop using me as your default router immediately"!
o Router IPv6 and MAC addresses
o DNS Server addresses (RFC 6106)
o Whether DHCPv6 is available in the network and whether it must be used to configure addresses and everything else, or everything but addresses. Whether the router is a Home Agent (Mobile IPv6).
2.7
Autoconfiguration (SLAAC)

If you have 2 minutes to follow the whole process, you can watch this quick presentation (Flash video): http://www.ipv6forlife.com/Tutorial/IPv6Startup.html

FIGURE 6.11 NA Sent during DAD Process (UBUNTU)

And if you have 30 minutes and prefer to have all the details of autoconfiguration with IPv6, get this .mov video presentation of Autoconfig on the Web, which is the long version of the short Flash presentation (it lasts about 30 minutes): http://www.youtube.com/watch?v=1DnDqxA7c_g It is also on SlideShare. The whole process is summarized in the next two figures, from the start when the interface is coming up to the stop when it is ready or disabled!
2.7.1
Introduction

An IPv6 node must be able to configure its network access unattended, with or without the presence of routers on the link(s). Autoconfiguration was one of the main requirements for IPv6 since day 1. In any case, if it is not disabled (on Linux), the workstation performs Stateless Address Autoconfiguration (SLAAC) when its interfaces come up. But a DHCPv6 server can be added to configure addresses and additional information: this is stateful DHCPv6. Additional information without addresses is stateless DHCPv6.

2.7.2
SLAAC Process

SLAAC is enabled by default on most platforms. I have seen some Linux distributions where it must be enabled. It is possible to configure everything statically, which may be interesting for some datacenters where we only have servers and routers to configure. We may then want to configure the addresses manually, and the default route to an HSRP or GLBP virtual IPv6 link-local address, also configured statically. So you will not lose any time with protocols and don't risk anything with rogue devices and advertisements.

A DHCPv6 server only needs to keep state when it allocates addresses, in order to poll a workstation which did not renew its reservation and get the reserved address back in the pool if the client fails to answer. DHCPv6 will be studied in detail later in this book. Right now we are going to focus on the Stateless Address Autoconfiguration (SLAAC) process itself. Just keep in mind that DHCPv6 cannot replace it but can only be a complement to SLAAC. For instance, a default route cannot be configured with DHCPv6. SLAAC is stateless because no state is kept on the router when the default SLAAC is used to configure addresses and anything else on the node.

For instance a rogue RA, DNS or DHCP can be forged on the local link if an employee wants to break the company network. For the RA, it must be on the local link since most ND packets, RA included, MUST have a Hop Limit of 255 to be valid or they are dropped! So SLAAC will be performed in most cases, and here is the full process. Between A and B is the prefix-list verification process detailed in 2.7.2.3. Let's explain it step by step, or click here for an animation: http://www.ipv6forlife.com/Tutorial/IPv6Startup.html

2.7.2.1 Validation of the Link-local Address

The interface is brought up or the host is booting. The interface enters the TENTATIVE mode. No user traffic can be exchanged until we reach the red Stop state, which is the end of the SLAAC process.

From the start, we can see that the very first step is to figure out the link-local address with an EUI-64 or static Interface ID, and to verify it using the DAD process. We send a NS to our own Solicited-Node Multicast Address for our own IPv6 address and expect no answer. If somebody replies, our link-local address is neither unique nor valid, and the interface is disabled for IPv6.

Only if we use SeND do we make two more attempts before we quit and log an error! We are most probably under a DoS attack!

2.7.2.2 Send a Router Solicitation

Then, the next step is to send a RS to the All-Routers link-local scope multicast address: FF02::2. If we don't receive any RA, we try DHCPv6 and exit the SLAAC process. Otherwise, we configure the IPv6 interface from the parameters received in the RA: MTU, Hop Limit, Reachable Timer and Retransmit Interval, Router Lifetime, and so on...

2.7.2.3 Check the Prefix-List

Click on the diagram or the link below for a Flash animation: http://www.ipv6forlife.com/Tutorial/IPv6Startup.html

The next step is to examine the prefix list, if there is one in the Router Advertisement. If there is a list, we examine each prefix and check that the On-Link and Autonomous bits (the Flags in the capture) are set. With each dynamic address there are two timers: the Preferred and the Valid. When the Preferred Timer has expired, the address is deprecated but remains valid until the Valid Timer expires. When the address is deprecated, it is still there and can be used for an existing connection; on the other hand, a deprecated address cannot be used for a new connection. When the Valid Timer has expired, the address is removed from the interface. Then we must also check the timers:
o The Valid Timer MUST be non-null (> 0).
o The Valid Timer MUST be greater than the Preferred Timer.

If the bits and timers are OK, we derive an address using any of the modes configured for the Interface ID: static, EUI-64, random temporary, CGA... And we check that this address is unique using DAD. If DAD passes, we initialize the address; otherwise the address is not used. We go on to the next prefix until there are no more, and we get out of the prefix-list inspection loop. The last step is to check whether we need to call a DHCPv6 server to configure addresses and/or other parameters. Once the dynamic addresses have been acquired, they must be refreshed by SLAAC or DHCPv6, or they will become invalid and vanish! Periodic RAs refresh the prefix. With DHCPv6, it is the client which renews or rebinds its address.
2.8
Renumbering

As we have seen before, with IPv6 the prefix is not allocated to the end user but to the SP. When you change SP, you will need to configure a new prefix in your network. This process is Renumbering. With a good design and the right tools, it will not be a problem and will not take long to change the prefix of your network. The principle of Renumbering is very simple. We have two prefixes. One is deprecated, and its Preferred Timer is set to 0. This way no new connection will be established on the addresses derived from this prefix. These addresses can remain deprecated but still valid for the rest of the day, the week or even more! We need to find a reasonable timer value to enable all the users to close their sessions and not force the disconnection. All the new connections are established on the addresses derived from prefixes which are still preferred. So, when the Valid Timer of the old prefix finally expires and the derived addresses are removed from their interfaces, hopefully there will not be any users still using these addresses.

Refreshing the SLAAC address timers:
• An address which has been derived from an RA must be refreshed by new RAs advertising the same prefix.
• The RA interval must be consistent with the Preferred and the Valid timers for the addresses to be refreshed in time. The CISCO IOS interface commands involved are:
    ipv6 nd ra-interval            (200 seconds by default)
    ipv6 nd ra-lifetime            (1800 seconds, or 30 minutes, by default)
    ipv6 nd managed-config-flag
    ipv6 nd other-config-flag
    ipv6 nd prefix [Valid] [Preferred] [no-advertise | off-link | no-autoconfig]
• To be used by SLAAC:
    - The On-Link and Autonomous bits must be set.
    - If the Preferred Lifetime > Valid Lifetime, ignore the Prefix Information option. A node MAY wish to log a system management error in this case.
This is how the Renumbering process operates.
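An added Python example (not from the book) that applies the prefix checks of 2.7.2.3 and the slide above to the Prefix Information option of the Frame 56 Router Advertisement (2.2.7.3), derives the EUI-64 address from that prefix, and tracks the address through the Preferred, Deprecated and Invalid states that Renumbering relies on. The option bytes are rebuilt from the capture's field values; the host MAC ca:01:06:a9:00:54 is the one from the Frame 25 NA, reused here as an illustration.

```python
import ipaddress
import logging
import struct

log = logging.getLogger("slaac")

PIO_TYPE = 3
PIO_ONLINK = 0x80      # L flag
PIO_AUTO = 0x40        # A flag
INFINITY = 0xFFFFFFFF  # all-ones lifetime means "never expires"


def build_prefix_info(prefix, plen, flags, valid, preferred):
    """Prefix Information option: type 3, length 4 (32 bytes)."""
    return (struct.pack("!BBBBIII", PIO_TYPE, 4, plen, flags, valid, preferred, 0)
            + ipaddress.IPv6Address(prefix).packed)


def parse_prefix_info(opt):
    if len(opt) < 32:
        raise ValueError("Prefix Information option too short")
    otype, olen, plen, flags, valid, preferred, _ = struct.unpack("!BBBBIII", opt[:16])
    if otype != PIO_TYPE or olen != 4:
        raise ValueError("not a Prefix Information option")
    return {"prefix": ipaddress.IPv6Address(opt[16:32]), "plen": plen,
            "onlink": bool(flags & PIO_ONLINK), "autonomous": bool(flags & PIO_AUTO),
            "valid": valid, "preferred": preferred}


# Constructed from the Frame 56 values: flags 0xc0, valid 2592000,
# preferred 604800, prefix 2001:db8:c0a8:3::/64
FRAME56_PIO = build_prefix_info("2001:db8:c0a8:3::", 64, 0xC0, 2592000, 604800)


def usable_for_slaac(pio):
    """The checks of 2.7.2.3: L and A set, valid lifetime non-zero, and
    preferred <= valid (otherwise the option is ignored and an error logged)."""
    if not (pio["onlink"] and pio["autonomous"]):
        return False
    if pio["valid"] == 0:
        return False
    if pio["preferred"] > pio["valid"]:
        log.error("prefix %s/%d: preferred %d > valid %d, ignoring option",
                  pio["prefix"], pio["plen"], pio["preferred"], pio["valid"])
        return False
    return pio["plen"] == 64       # an EUI-64 interface ID needs a /64


def eui64_interface_id(mac):
    """Modified EUI-64: flip the universal/local bit, insert ff:fe in the middle."""
    m = bytearray(bytes.fromhex(mac.replace(":", "")))
    m[0] ^= 0x02
    return bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:])


def slaac_address(pio, mac):
    """Prefix (first 64 bits) + EUI-64 interface ID; DAD still has to pass."""
    return ipaddress.IPv6Address(pio["prefix"].packed[:8] + eui64_interface_id(mac))


def address_state(pio, elapsed):
    """State of a derived address `elapsed` seconds after the RA when no
    refreshing RA has been received (Figure 6.16)."""
    if pio["valid"] != INFINITY and elapsed >= pio["valid"]:
        return "invalid"        # removed from the interface
    if pio["preferred"] != INFINITY and elapsed >= pio["preferred"]:
        return "deprecated"     # existing sessions only, no new connections
    return "preferred"


def renumber(pio):
    """Renumbering (2.8): re-advertise the old prefix with preferred = 0 so
    nothing new binds to it, while the valid lifetime lets sessions drain."""
    return dict(pio, preferred=0)


if __name__ == "__main__":
    pio = parse_prefix_info(FRAME56_PIO)
    print("usable for SLAAC:", usable_for_slaac(pio))
    print("derived address:", slaac_address(pio, "ca:01:06:a9:00:54"))
    for t in (0, 604800, 2592000):
        print(t, address_state(pio, t), "| after renumbering:", address_state(renumber(pio), t))
```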
3
Additional Information about Prefix Validation in the SLAAC Process

The Configuration of CISCO Routers for SLAAC

Below is how to configure the routers for the SLAAC process.
IPv6 On Hosts and Routers
6
IPv6 is now widely distributed and it is the default protocol for most if not all of them: Windows, Linux, MAC OS, iPhone, iPAD, HP LaserPrinter talk IPv6 and many, many others... All applications and most content on the Internet are available via IPv6: Yahoo, Google, Facebook, MS and others... This is NOW!
IPv6 On Hosts & Cisco Routers .1
Configura5on and Checking on Hosts
.1.1
As an alternative to using the user interface to disable IPv6 on a per-adapter basis, you can selectively disable certain features of IPv6 by creating and configuring the following DWORD registry value: HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponentsreally should disable them. . More Details:
Windows
IPv6 is loaded by default and now configured as the default preferred protocol.
.1.1.1
On Windows XP it was loaded, but you had to enable it with a netsh command "netsh interface ipv6 install"
.1.1.1.1 IPconfig
You cannot uninstall IPv6 in Windows 7, but you can disable IPv6 on a per-adapter basis. To do this,
Windows IP Configuration
Flag LowOrder bit
Result of Setting this bit to a value of 1
0
Disables all IPv6 tunnel interfaces, including ISATAP, 6to4 and Teredo Tunnels
1
Disables all 6to4-based interfaces
2
Disables all ISATAP-based interfaces
3
Disables all Teredo-based interfaces
4
Disables IPv6 over all non-tunnel interfaces, including LAN and PPP interfaces
5
Modifies the default prefix policy table* to prefer IPv4 over IPv6 when attempting connections
IPv6 Tools with Windows
Ethernet adapter Local Area Connection: Connection-specific DNS Suffix . : ectasie.example.com IPv6 Address. . . . . . . . . . . : 2001:db8:21da:7:713e:a426:d167:37ab Temporary IPv6 Address. . . . . . : 2001:db8:21da:7:5099:ba54:9881:2e54 Link-local IPv6 Address . . . . . : fe80::713e:a426:d167:37ab%6 IPv4 Address. . . . . . . . . . . : 157.60.14.11 Subnet Mask . . . . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . . . . : fe80::20a:42ff:feb0:5400%6 157.60.14.1 Tunnel adapter Local Area Connection* 6: Connection-specific DNS IPv6 Address. . . . . . Link-local IPv6 Address Site-local IPv6 Address Default Gateway . . . .
Suffix . . . . . . . . . . . . . . . . . . . . .
: : : : :
2001:db8:908c:f70f:0:5efe:157.60.14.11 fe80::5efe:157.60.14.11%9 fec0::6ab4:0:5efe:157.60.14.11%1 fe80::5efe:131.107.25.1%9 fe80::5efe:131.107.25.2%9
Tunnel adapter Local Area Connection* 7: Media State . . . . . . . . . . . : Media disconnected Connection-specific DNS Suffix . :
follow these steps: 1. 2. configure. OK.
3.
In Control Panel, open Network And Sharing Center. Click Manage Network Connections and then double-click the connection you want to Clear the check box labeled Internet Protocol Version 6 (TCP/IPv6), and then click
Note that if you disable IPv6 on all your network connections using the user interface method described in the preceding steps, IPv6 will still remain enabled on all tunnel interfaces and on the loopback interface.
1.1.1.2 Route

IPv6 Routing Table
===========================================================================
Active Routes:
 If Metric Network Destination                    Gateway
  8    286 ::/0                                   fe80::3cec:bf16:505:eae6
  1    306 ::1/128                                On-link
  8     38 2001:db8::/64                          On-link
  8    286 2001:db8::4074:2dce:b313:7c65/128      On-link
  8    286 2001:db8::b500:734b:fe5b:3945/128      On-link
  8    286 fe80::/64                              On-link
 17    296 fe80::5efe:10.0.0.3/128                On-link
  8    286 fe80::b500:734b:fe5b:3945/128          On-link
  1    306 ff00::/8                               On-link
  8    286 ff00::/8                               On-link
===========================================================================
1.1.1.3 Ping

f:\>ping 2001:db8:1:f282:dd48:ab34:d07c:3914

Pinging 2001:db8:1:f282:dd48:ab34:d07c:3914 from 2001:db8:1:f282:3cec:bf16:505:eae6 with 32 bytes of data:
Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time

Packet capture (tcpdump) of an mDNS query sent to ff02::fb, with the hex dump of the IPv6, UDP and DNS headers:

ff02::fb.5353: [udp sum ok] 0 [2q] A (QM)? server.exchange.local. AAAA (QM)? server.exchange.local. (45)
        0x0000:  6000 0000 0035 11ff fe80 0000 0000 0000  `....5..........
        0x0010:  061e 64ff feec 73a9 ff02 0000 0000 0000  ..d...s.........
        0x0020:  0000 0000 0000 00fb 14e9 14e9 0035 117a  .............5.z
        0x0030:  0000 0000 0002 0000 0000 0000 0673 6572  .............ser
        0x0040:  7665 7208 6578 6368 616e 6765 056c 6f63  ver.exchange.loc
        0x0050:  616c 0000 0100 01c0 0c00 1c00 01         al...........

[Figure: example of a Wireshark screen capture of a Router Advertisement.]
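To show what the hex dump above actually contains, here is an added example (not code from the book) that walks the captured bytes from the IPv6 header through UDP to the DNS question section. The dump is the one printed by tcpdump above; the parser is limited to the fixed IPv6 header, UDP and the DNS question section, which is all this packet carries. The function names are my own.

```python
import ipaddress
import struct

# Hex dump copied from the tcpdump output above (the mDNS query for
# server.exchange.local); the offset and ASCII columns are ignored.
HEXDUMP = """
0x0000:  6000 0000 0035 11ff fe80 0000 0000 0000
0x0010:  061e 64ff feec 73a9 ff02 0000 0000 0000
0x0020:  0000 0000 0000 00fb 14e9 14e9 0035 117a
0x0030:  0000 0000 0002 0000 0000 0000 0673 6572
0x0040:  7665 7208 6578 6368 616e 6765 056c 6f63
0x0050:  616c 0000 0100 01c0 0c00 1c00 01
"""

QTYPE_NAMES = {1: "A", 28: "AAAA"}


def hexdump_to_bytes(dump):
    """Convert a 'tcpdump -x' style dump (offset, then hex words) to raw bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        out.extend(bytes.fromhex("".join(line.split()[1:])))
    return bytes(out)


def parse_ipv6(pkt):
    """Fixed 40-byte IPv6 header (RFC 2460); no extension-header walking."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_header, hop_limit = struct.unpack("!HBB", pkt[4:8])
    if 40 + payload_len > len(pkt):
        raise ValueError("truncated IPv6 payload")
    return {
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
        "next_header": next_header,
        "hop_limit": hop_limit,
        "payload": pkt[40:40 + payload_len],
    }


def parse_udp(seg):
    sport, dport, length, _csum = struct.unpack("!HHHH", seg[:8])
    if length < 8 or length > len(seg):
        raise ValueError("bad UDP length")
    return {"sport": sport, "dport": dport, "payload": seg[8:length]}


def read_name(msg, off):
    """Decode a DNS name at msg[off:], following compression pointers
    (RFC 1035 4.1.4). Returns (name, offset just after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:          # 11xxxxxx: pointer to an earlier name
            if end is None:
                end = off + 2               # the pointer is the last thing read here
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_dns_questions(msg):
    """Header plus question section only, which is all this mDNS query carries."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    off, questions = 12, []
    for _ in range(qdcount):
        name, off = read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append({
            "name": name,
            "qtype": QTYPE_NAMES.get(qtype, str(qtype)),
            "qclass": qclass & 0x7FFF,
            "unicast_response": bool(qclass & 0x8000),  # mDNS QU bit (tcpdump's QM/QU)
        })
    return {"id": txid, "flags": flags, "questions": questions}


def decode_capture(dump=HEXDUMP):
    """Walk IPv6 -> UDP -> DNS and return the fields tcpdump printed above."""
    ip = parse_ipv6(hexdump_to_bytes(dump))
    if ip["next_header"] != 17:
        raise ValueError("expected UDP (next header 17)")
    udp = parse_udp(ip["payload"])
    dns = parse_dns_questions(udp["payload"])
    return {
        "src": str(ip["src"]), "dst": str(ip["dst"]), "hop_limit": ip["hop_limit"],
        "sport": udp["sport"], "dport": udp["dport"], "dns_len": len(udp["payload"]),
        "link_local_multicast": ip["dst"].is_multicast and ip["src"].is_link_local,
        "questions": dns["questions"],
    }


if __name__ == "__main__":
    print(decode_capture())
```

The second question name is encoded as the two-byte pointer c00c back to offset 12, which is why the whole DNS payload is only 45 bytes; the decoder follows the pointer but caps the number of hops, since a crafted packet with a pointer loop would otherwise spin a naive parser forever.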
Test the IPv6 Web Servers

2  Configuration and System Checking on CISCO Routers

2.1  CISCO Routers Mode

A CISCO Router has two main modes of Operation:

2.1.1  Exec Mode (Normal or Privileged). This mode is used to run any command that displays or resets something. Actually there are 16 privilege levels to give Authorization to each level. The Normal mode is the lowest mode, the one you are in by default when you enter the router. It is a kind of Read-Only mode where you cannot configure anything and cannot even display the configuration file.

The default prompt is the Router name plus > if you are a Normal user or # for a privileged user:

R2> OR R2#

2.1.2  Configuration Mode. This mode is used to configure the Router. So before giving any configuration command you must enter this mode with the command "Configure Terminal". You must be a privileged user to use this command. This mode has many submodes. For instance, if you want to configure an interface or a routing protocol, you must first select it to enter its submode.

The default prompt for Router R2 in configuration mode is: R2(config)#

2.2  CEFv6

If you have to Troubleshoot a CISCO device, one day you will have to deal with CEF! No DATA PLANE Troubleshooting without CEFv6!...

If you are looking for the Engineering Team with really highly skilled guys at cisco, you are looking for the CEF team! These guys need to do two things which are mutually exclusive, and this all the time: they must support a maximum number of services and at the same time they must design the fastest code, because all the cisco switching performance relies on CEF! If an IP feature is not supported by CEF, the feature has no future if it also has to be efficient. If it is a slow terminal conversion thing which only needs the speed of typing with one finger, fine! But if it must support wire speed? Forget it!

WHY???

We need to get back to the basics of computers to understand... When a packet is received by an ASIC specialized to process the data coming from a Physical Media port, an Interrupt is sent to the CPU. An interrupt is a Signal Transition like 0 to +5V or the opposite. The Interrupt is raised by the Physical Media Processor to tell the CPU that it has a packet, just like the Postman sets up the flag after he has dropped a few mails in your mailbox! Guess who is called first by the CPU when it gets the interrupt signal? CEF...

Now CEF must take a decision: either switch the packet in interrupt mode, or queue the packet for further processing in a time sharing fashion. It is clear that Real-Time traffic will only be supported by the Interrupt mode. So where is the problem? The process in interrupt mode disables any other interrupt. The other Line Cards have a dedicated ASIC with Memory to accommodate a few packets, but not too many...

The process must manage the packet as fast as possible, for the protocol which is being routed and for the other traffic waiting to be processed. This is why complex operations cannot be supported by CEF, and this has been the case of NAT-PT in IPv6!

For more details about CEFv6, please click on the link below:

http://www.ipv6forlife.com/Docs/CEFv6InaNutshell.pdf

The next step is to configure IPv6 routing with the config command:

R2(config)# ipv6 unicast-routing

In the past you also had to configure CEFv6, as it was not enabled by default, with the command R2(config)# ipv6 cef or R2(config)# ipv6 cef distributed.

For some platforms, you had the choice to run distributed CEFv6 or not. With distributed CEFv6, a copy of the CEFv6 tables is downloaded to the Line Cards, and the ingress LC which receives the packet takes the switching decision. The router CPU card is not involved. When troubleshooting a low performance problem, the first thing I checked was whether CEF was properly started, with R2# show ipv6 cef summary:

R7#show ip cef summary
IPv4 CEF is enabled and running
VRF Default
 17 prefixes (17/0 fwd/non-fwd)
 Table id 0x0
 Database epoch:        0 (17 entries at this epoch)

R7#show ipv6 cef summary
IPv6 CEF is enabled and running centrally.
VRF Default
 14 prefixes (14/0 fwd/non-fwd)
 Table id 0x1E000000
 Database epoch:        0 (14 entries at this epoch)

2.3  CISCO Routers IPv6 Commands

The next step to configure a Cisco Router for IPv6 is one of the global ipv6 commands:

R2(config)#ipv6 ?
  access-list          Configure access lists
  cef                  Cisco Express Forwarding for IPv6
  cga                  Configure IPv6 certified generated address
  dhcp                 Configure IPv6 DHCP
  general-prefix       Configure a general IPv6 prefix
  hop-limit            Configure hop count limit
  host                 Configure static hostnames
  icmp                 Configure ICMP parameters
  inspect              Context-based Access Control Engine
  local                Specify local options
  mfib                 Multicast Forwarding
  mld                  Global mld commands
  mobile               Mobile IPv6
  multicast            IPv6 multicast
  multicast-routing    Enable IPv6 multicast
  nat                  NAT-PT Configuration commands
  nd                   Configure IPv6 ND
  neighbor             Neighbor
  ospf                 OSPF
  pim                  Configure Protocol Independent Multicast
  port-map             Port to application mapping (PAM) configuration commands
  prefix-list          Build a prefix list
  route                Configure static routes
  router               Enable an IPV6 routing process
  source-route         Process packets with source routing header options
  unicast-routing      Enable unicast routing
  unnumbered           Preferred interface for source address selection
  unreachables         Enable sending of ICMP Unreachable messages
  verify               Enable per packet validation
  virtual-reassembly   IPv6 Enable Virtual Fragment Reassembly

Then you might be interested to check some other commands listed below:

IPv6 interface subcommands:

R2(config-subif)#ipv6 ?
  address              Configure IPv6 address on interface
  authentication       authentication subcommands
  bandwidth-percent    Set EIGRP bandwidth limit
  cga                  Configure cga on the interface
  dhcp                 IPv6 DHCP interface subcommands
  eigrp                Configure EIGRP IPv6 on interface
  enable               Enable IPv6 on interface
  flow                 Flow related commands
  hello-interval       Configures IP-EIGRP hello interval
  hold-time            Configures IP-EIGRP hold time
  inspect              Apply inspect name
  mfib                 Interface Specific MFIB Control
  mld                  interface commands
  mobile               Mobile IPv6
  mode                 Interface mode
  mtu                  Set IPv6 Maximum Transmission Unit
  multicast            multicast
  nat                  Enable IPv6 NAT on interface
  nd                   IPv6 interface Neighbor Discovery subcommands
  next-hop-self        Configures IP-EIGRP next-hop-self
  ospf                 OSPF interface commands
  pim                  PIM interface commands
  policy               Enable IPv6 policy routing
  redirects            Enable sending of ICMP Redirect messages
  rip                  Configure RIP routing protocol
  router               IPv6 Router interface commands
  split-horizon        Perform split horizon
  summary-address      Summary prefix
  traffic-filter       Access control list for packets
2.4  Display the IPv6 Traffic Statistics

R2#show ipv6 traffic
IPv6 statistics:
  Rcvd:  295 total, 251 local destination
         0 source-routed, 0 truncated
         0 format errors, 0 hop count exceeded
         0 bad header, 0 unknown option, 0 bad source
         0 unknown protocol, 0 not a router
         0 fragments, 0 total reassembled
         0 reassembly timeouts, 0 reassembly failures
  Sent:  278 generated, 0 forwarded
         0 fragmented into 0 fragments, 0 failed
         0 encapsulation failed, 0 no route, 0 too big
         0 RPF drops, 0 RPF suppressed drops
  Mcast: 276 received, 259 sent

ICMP statistics:
  Rcvd: 49 input, 0 checksum errors, 0 too short
        0 unknown info type, 0 unknown error type
        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
        parameter: 0 error, 0 header, 0 option
        0 hopcount expired, 0 reassembly timeout,0 too big
        10 echo request, 0 echo reply
        0 group query, 0 group report, 0 group reduce
        0 router solicit, 20 router advert, 0 redirects
        4 neighbor solicit, 5 neighbor advert
  Sent: 46 output, 0 rate-limited
        unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
        parameter: 0 error, 0 header, 0 option
        0 hopcount expired, 0 reassembly timeout,0 too big
        0 echo request, 10 echo reply
        0 group query, 0 group report, 0 group reduce
        0 router solicit, 23 router advert, 0 redirects
        7 neighbor solicit, 6 neighbor advert

UDP statistics:
  Rcvd: 212 input, 0 checksum errors, 0 length errors
        0 no port, 0 dropped
  Sent: 212 output

TCP statistics:
  Rcvd: 0 input, 0 checksum errors
  Sent: 0 output, 0 retransmitted

2.5  Display the Neighbor Cache

R2# show ipv6 neighbor
IPv6 Address                              Age Link-layer Addr State Interface
2001:DB8:CAFE:11::1                        52 ca00.0494.0006  STALE Fa0/1.11
FE80::C800:4FF:FE94:6                      44 ca00.0494.0006  STALE Fa0/1.11

2.6  Display the Routers Cache

R2# sh ipv6 routers
Router FE80::C800:4FF:FE94:6 on FastEthernet0/1.11, last update 0 min
  Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
  HomeAgentFlag=0, Preference=Medium
  Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
  Prefix 2001:DB8:CAFE:11::/64 onlink autoconfig
    Valid lifetime 2592000, preferred lifetime 604800
2.7  CEFv6 !!! Mandatory knowledge to Troubleshoot the Cisco Routers data plane!

When you want to trace the handling of a packet in a CISCO router, you need to take a look at the CEFv6 table. IPv6 packet switching is performed by CEFv6. CEFv6 resolves all the recursions that you may find in an IPv6 routing table and sets up an optimized structure (an mtrie) for very quick lookup and easy maintenance. The CEFv6 table works with the help of the adjacency table, which gives the mapping between the IPv6 next hop and the layer 2 address.

R1#show ipv6 cef 2001:db8:cafe:10::/64 internal
2001:DB8:CAFE:10::/64, epoch 0, RIB[I], refcount 4, per-destination sharing
  sources: RIB
  feature space:
    IPRM: 0x00038000
  ifnums:
    FastEthernet0/1.11(11): FE80::C801:4FF:FE94:6
  path 6822BA1C, path list 6822A77C, share 1/1, type attached nexthop, for IPv6
  nexthop FE80::C801:4FF:FE94:6 FastEthernet0/1.11, adjacency IPV6 adj out of FastEthernet0/1.11, addr FE80::C801:4FF:FE94:6 66F91C60
  output chain: IPV6 adj out of FastEthernet0/1.11, addr FE80::C801:4FF:FE94:6 66F91C60

Once the CEFv6 entry is found, we need to look for the matching next-hop entry in the adjacency table. In the adjacency entry we find the origin of the resolution, like ND for IPv6 or ARP for IPv4.

If the router is currently resolving the IPv6 next hop to a layer 2 MAC Address, the entry will be in the state INCOMPLETE. The packet which has triggered the resolution must be buffered, waiting for the resolution to complete. Once the resolution is complete, the packet will be encapsulated and sent to its destination. This is different from IPv4, where the packet was dropped. We used to get 80% the first time we pinged a destination, because the first packet was dropped. This is no longer the case and we should get 100% even the first time.

R1#show adjacency FE80::C801:4FF:FE94:6
Protocol Interface                 Address
IPV6     FastEthernet0/1.11        FE80::C801:4FF:FE94:6(7)

R1#show adjacency FE80::C801:4FF:FE94:6 internal
Protocol Interface                 Address
IPV6     FastEthernet0/1.11        FE80::C801:4FF:FE94:6(7)
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 1
                                   Encap length 18
                                   CA0104940006CA00049400068100000B
                                   86DD
                                   IPv6 ND
                                   Fast adjacency enabled [OK]
                                   L3 mtu 1500
                                   Flags (0x11A9E)
                                   Fixup disabled
                                   HWIDB/IDB pointers 0x66CCDD10/0x67E58500
                                   IP redirect enabled
                                   Switching vector: IPv6 adjacency oce
                                   Adjacency pointer 0x66F91C60

Addresses of an IPv6 Host

• A link-local address.
• One or many unicast addresses.
• One loopback address, ::1.
• The local node scope all-nodes multicast address: FF01::1.
• On each interface: the link-local scope all-nodes multicast address FF02::1.
• A solicited-node multicast address for each unicast address.

Router IPv6 Addresses

• The loopback ::1 for the router.
• A link-local address for each link.
• As many global addresses as needed.
• Multicast addresses such as all-nodes ff02::1 and all-routers ff02::2.

Example of a CISCO router:

R0> show ipv6 int f1/0
FastEthernet1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C800:6FF:FEA9:1C
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:DB8:C0A8:A:C800:6FF:FEA9:1C, subnet is 2001:DB8:C0A8:A::/64 [EUI]
    2001:DB8:C0A8:B:C800:6FF:FEA9:1C, subnet is 2001:DB8:C0A8:B::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FFA9:1C
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
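The adjacency entry above, the [EUI] addresses and joined groups in the show ipv6 int output, and the ISATAP addresses in the Windows ipconfig output earlier in this chapter are all derived from one another by fixed bit manipulations. The following added example (my code, not the book's or Cisco's) performs those derivations and uses them to check that the CEF rewrite string agrees with what ND learned: the 18-byte encapsulation is decoded into destination MAC, source MAC, 802.1Q tag and EtherType, and the destination MAC is compared with the MAC recovered from the next hop's EUI-64 link-local address. The Cisco dotted MAC format and all function names are my own choices.

```python
import ipaddress


def cisco_mac(mac_bytes):
    """Render 6 bytes as Cisco's dotted-triplet MAC format (ca01.0494.0006)."""
    h = mac_bytes.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def _addr(text):
    """Parse an address, dropping a Windows/Linux zone index such as %9."""
    return ipaddress.IPv6Address(text.split("%")[0])


def eui64_to_mac(addr):
    """Undo Modified EUI-64 (RFC 4291 App. A): the interface ID of an [EUI]
    address is MAC[0:3] (U/L bit flipped) + ff:fe + MAC[3:6].
    Returns None when the interface ID is not EUI-64 derived."""
    iid = _addr(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    return cisco_mac(bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8])


def solicited_node(addr):
    """FF02::1:FFxx:xxxx, built from the low 24 bits of a unicast address
    (RFC 4291 2.7.1); this is the group Neighbor Solicitations are sent to."""
    low24 = _addr(addr).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def isatap_embedded_ipv4(addr):
    """ISATAP interface IDs are 0:5efe:w.x.y.z (200:5efe for public IPv4);
    return the embedded IPv4 address, or None if this is not ISATAP."""
    p = _addr(addr).packed
    if p[10:12] != b"\x5e\xfe" or p[8:10] not in (b"\x00\x00", b"\x02\x00"):
        return None
    return ipaddress.IPv4Address(p[12:16])


def parse_adjacency_encap(encap_hex):
    """Decode the layer 2 rewrite string from 'show adjacency ... internal':
    dst MAC, src MAC, optional 802.1Q tag, then the EtherType (0x86DD = IPv6)."""
    raw = bytes.fromhex(encap_hex.replace(" ", ""))
    if len(raw) < 14:
        raise ValueError("encapsulation shorter than an Ethernet header")
    dst, src, off, vlan = cisco_mac(raw[0:6]), cisco_mac(raw[6:12]), 12, None
    ethertype = int.from_bytes(raw[off:off + 2], "big")
    if ethertype == 0x8100:                              # 802.1Q tag present
        vlan = int.from_bytes(raw[off + 2:off + 4], "big") & 0x0FFF
        off += 4
        ethertype = int.from_bytes(raw[off:off + 2], "big")
    off += 2
    if off != len(raw):
        raise ValueError("unexpected trailing bytes in encapsulation")
    return {"dst_mac": dst, "src_mac": src, "vlan": vlan,
            "ethertype": ethertype, "length": len(raw)}


def adjacency_consistent(next_hop, encap_hex):
    """True when the rewrite's destination MAC is the one the next hop's
    EUI-64 link-local address was derived from (ND and CEF agree)."""
    return eui64_to_mac(next_hop) == parse_adjacency_encap(encap_hex)["dst_mac"]


if __name__ == "__main__":
    # Values taken from the router outputs above.
    encap = "CA0104940006CA00049400068100000B 86DD"
    print(parse_adjacency_encap(encap))
    print(adjacency_consistent("FE80::C801:4FF:FE94:6", encap))
    print(solicited_node("2001:DB8:C0A8:A:C800:6FF:FEA9:1C"))
    # ISATAP address from the Windows ipconfig output earlier in the chapter.
    print(isatap_embedded_ipv4("2001:db8:908c:f70f:0:5efe:157.60.14.11"))
```

The rewrite string decodes to destination ca01.0494.0006, source ca00.0494.0006, VLAN 11 (the subinterface Fa0/1.11) and EtherType 0x86DD, which is exactly the 18 bytes reported as Encap length. The consistency check is the kind of thing to automate when an adjacency looks wrong: an EUI-64 next hop whose embedded MAC does not match the rewrite points at a stale or spoofed neighbor entry rather than at CEF itself.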
Chapter 7

Addresses, Names & Services Mgmt.

We need to manage IPv6 addresses that are 4 times longer than IPv4 ones, and the good old spreadsheet that we were using for IPv4 does not do the job any more! With long addresses, good name management is key for a successful deployment! New software, named IPAM, is now the MUST have for any network to solve this important question.
1
1.1
DHCPV6 Introduc5on
DHCPv6 & DNS 1. Summary of dynamic addressing 2. SLAAC, DHCPv6 Stateful, Stateless Operations 3. DHCPv6 4. DHCP-PD Prefix Delegation IPv6 Supports 3 different methods to provide dynamic addressing which can be combined as they are not mutually exclusive!
DHCPv6 is DHCP support for IPv6 and has been enhanced to support multiple modes of operations. It is documented in many RFCs as multiple modes exist.
Without any DHCPv6 it can be plug and play thanks to SLAAC.
`Also, the presence of DHCPv6 must be advertised by the routers in the Router Advertisements (NDP) for the workstation to send requests or the DHCPv6 servers will be ignored.
A DHCPv6 Server can be added to get more details about4 the servers after we have figured out our IPv6 addresses without him. DHCPv6 can be used to provide a full block to address the full site a site
The principal mode is described in RFC3315.
DHCPv6 basic RFC3115 provides Authentication for the messages to avoid any sort of Rogue DHCP Server. DHCPv6 can be used in 3 Modes: Stateful DHCPv6. This is the standard DHCP Operation. The request includes both Addresses and Other Information. Stateless DHCPv6 RFC3736. This is a new mode in IPv6 where we do not want to get any Address from the DHCPv6 Servers but only Other Information like domain name, DNS and other Servers ad-
DHCPv6 CANNOT REPLACE ND PROTOCOL (RA) 57
dresses. It is called stateless because in this mode the DHCPv6 Server does not need to keep any state because it does not allocate any address to remember and manage.
1.2.3
DHCPv6 Prefix Delegation RFC3633. This is also a new mode for DHCP. It is used to request a full block from the Service Provider. The block is allocated and then the block can be subnetted at will. This mode is very convenient for some SPs who can manage the Prefixes allocated to each customer from a DHCPv6 Server which gets the Prefix for each customer from a Radius Server.
It is encapsulated in UDP over IPv6.
We have seen that at the end of the SLAAC process, a boot Workstation of an interface coming up may eventually request a DHCPv6 Server for more configuration. These bits are contained in a field called Flags. If the Managed bit (M-bit) is set in Flags of the RA, the workstation makes a full request including Address(es) and other information. This is Stateful DHCPv6 because the server needs to keep states for the allocated addresses.
IPv6 U DP Ports Number
DHCPv6 Clients use port 546 and Servers use 547. 1.2.4
IPv6 Mul5cast Addresses
DHCPv6 also use IPv6 Multicast addresses: - All_DHCP_Relay_Agents_and_Servers: (ff02::1:2) This is a Link-local IPv6 Multicast Address used by the Clients to communicate with all the local Servers and Relays.
If the Other bit (O-bit) is set in the Flags of the RA, the workstation just requests Other information and NO ADDRESS. This is Stateless DHCPv6.
Only the DUID permits each one to see that the packet is for itself.
These bits MUST be set on the local routers interfaces where some workstations which need to request DHCPv6 servers are located.
This is a Site-local IPv6 Multicast Address which is used by the Relays to forward the local Clients Requests to all the DHCPv6 Servers of the Site that have registered this Multicast group.
For a Quick Video Presentation of DHCPv6, there is a serie of Tutorial starting with Part1 from:
Multicast routing must be enabled on all the site routers.
http://www.ipv6forlife.com/Tutorial/DHCPv6-Part1.html
DHCPv6 Relays can be used to encapsulate the messages from the Clients to the Servers and viceversa.
1.2
1.2.5
DHCPv6 Commands and Fields
DUID
Each client and server is identified by its DHCP Unique Identifier (DUID). This Identifier is mostly derived from one of the DHCP Mac Addresses, but it can be : 1
Link-layer address plus time
2
Vendor-assigned unique ID based on Enterprise Number
Iden5ty Associa5on (IA)
Basically we need an Identity Association to request address(es) for each interface.
DHCPv6 protocol basic operations are not very different from IPv4; the messages names are different and multicasts are more used in IPv6, but it is pretty much the same protocols. A DHCPv6 Server can provide Address(es) for a client and Other Information like Domain name or any Server Addresses. 1.2.1
- All_DHCP_Servers (ff05::1:3)
3
Link-layer address
The DUID are very important for a protocol which uses a lot of Multicast messages to reach many Servers or Relays.
See RFC 3315 Section 10 for an excellent definition 'An "identity-association" (IA) is a construct through which a server and a client can identify, group, and manage a set of related IPv6 addresses. Each IA consists of an IAID and associated configuration information. A client must associate at least one distinct IA with each of its network interfaces for which it is to request the assignment of IPv6 addresses from a DHCP server. The client uses the IAs assigned to an interface to obtain configuration information from a server for that interface. Each IA must be associated with exactly one interface.' To get more details about how the addresses are allocated from the server, please see Section 11 of RFC3315. Another exemple of the uses of IA would be a Virtual Server with many virtual interfaces. Each virtual group of Interface playing the same role will be using the same Identity Association.
See RFC3315 section 9 for details of the ways in which a DUID may be constructed. 1.2.6 1.2.2
Transac5on I Ds
A Transaction ID is used to identify all the messages from the same Transaction. It permits pairing a solicit with a reply and should be chosen randomly with algorithms, making it quite impossible to guess!
Client/Server I D
DHCPv6 uses a lot of Multicast. The SOLICIT and REQUEST messages are sent to the All_DHCP_Relay_Agents_and_Servers (FF02::1:2). So it is important to identify both Client and Server with something other than the address.
58
1.2.7
DHCP Messages
There are 13 messages to support the DHCPv6 Operations. There is no need to explain each message one by one, but we will explain most if not all of them as we get into the details of how DHCPv6 operates. For a full list with explanations, please refer to Section 5.3 of RFC3315. The 13 messages are: SOLICIT 1
1.2.7.6
Client confirm that allocated address is s5ll O K
CONFIRM (4) 1.2.7.7
Client refuse an address already in use
DECLINE (9)
ADVERTISE 2
1.2.7.8
A new config available needs a new Request
REQUEST 3
RECONFIGURE (10)
CONFIRM 4 RENEW 5
1.2.7.9
REBIND 6
DHCPv6 messages can be authenticated, See Section 21 of RFC3315. This would make Rogue DHCP Server impossible. It is open to any Authentication Protocol and can manage the keys of a DHCPv6 Server Realm.
REPLY 7 RELEASE 8
DHCP Messages Authen5ca5on
A DHCPv6 Realm is a name used to identify the DHCP administrative domain from which a DHCP authentication key was selected.
DECLINE 9 RECONFIGURE 10 INFORMATION-REQUEST 11 RELAY-FORW 12 RELAY-REPL 13
1.2.8
DHCP Op5ons
All the Information which is requested by a client or given by a Server are actually coded in a DHCPv6 Options. The full list is :
1.2.7.1
Used during the startup without Relays
SOLICIT (1), ADVERTISE (2), REQUEST (3), REPLY (7) 1.2.7.2
If a Relay is used we must add to previous
RELAY-FORW (12), RELAY-REPL (13) 1.2.7.3
To Refresh an Address Reserva5on
RENEW (5), REBIND (6), REPLY (7) 1.2.7.4
To Request Informa5on Only (Stateless D HCPv6)
INFORMATION-REQUEST (11) 1.2.7.5
Client don't need this address anymore
RELEASE (8)
OPTION_CLIENTID OPTION_SERVERID OPTION_IA_NA OPTION_IA_TA OPTION_IAADDR OPTION_ORO OPTION_PREFERENCE OPTION_ELAPSED_TIME OPTION_RELAY_MSG OPTION_AUTH OPTION_UNICAST OPTION_STATUS_CODE OPTION_RAPID_COMMIT OPTION_USER_CLASS OPTION_VENDOR_CLASS OPTION_VENDOR_OPTS OPTION_INTERFACE_ID OPTION_RECONF_MSG
1 2 3 4 5 6 7 8 9 11 12 13 14 15 16 17 18 19
59
OPTION_RECONF_ACCEPT
20
There are actually MORE OPTIONS which are added by RFC: IA_PD (RFC3633. Section 10) for DHCP-Prefix Delegation
1.2.8.3
Prefix Delega5on
This is used in DHCP-PD RFC3633 to request and provide a full block like 2001:db8:678::/48 to allocate all the building of a Company in a City for instance.
For all details, please see section 22 of RFC3115. DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6) http://tools.ietf.org/html/rfc3646
1.2.8.1
Client I D and Server, I D Op5on
These options carry the Client DUID to the Server and the Server DUID to the Client. Generally, a MAC Address is used. 1.2.8.2 1.2.8.2.1
Addresses I AADDR Op>on
The IAADDR Option permit to carry the IPv6 Dynamic Addresses allocated by the Server. Like the Prefixes advertised to the RA which permit deriving IPv6 Addresses for the interfaces, the IAADDR Option has a a Preferred Lifetime and a Valid Lifetime for each allocated Address. This permits IPv6 to manage the dynamic addresses Lifecycle like the addresses derived from Prefixes contained in the RA. See the figure for more details about the states of a dynamic Address. Remember that an Address must remain in the Preferred State if we want to use it, so Preferred and Valid Lifetime must be chosen carefully. The IAADDR IPv6 Dynamic Address Option must be encapsulated in one of the following IA_NA or IA_TA. We can see the IAADDR Options with a yellow background and Red letters in both IA_NA and IA_TA figures. 1.2.8.2.2 I A_NA Op>on The IA_NA is used to encapsulate Non-Temporary Addresses. There are two timers associated with the Refreshing of IPv6 Addresses. T1 is the timer when to query the DHCPv6 Server which has allocated the Address. T2 is the Timer to query any DHCPv6 Server for an Address. Care should be taken in setting T1 or T2 to 0xffffffff ("infinity"). A client will never attempt to extend the lifetimes of any addresses in an IA with T1 set to 0xffffffff. A client will never attempt to use a Rebind message to locate a different server to extend the lifetimes of any addresses in an IA with T2 set to 0xffffffff. 1.2.8.2.3 I A_TA Op>on The IA_TA is used to encapsulate Temporary Addresses (Privacy Extension RFC4941). There is no Timer associated with it.
1.2.8.4 Op>on Request Op>on (ORO) The ORO is used to provide the list of the Options which are requested by a client or need to be reconfigured from the server. For instance, if the Client requested the Domain Name, it is in the ORO Option. "A client MAY include an Option Request option in a Solicit, Request, Renew, Rebind, Confirm or Information-request message to inform the server about options the client wants the server to send to the client. A server MAY include an Option Request option in a Reconfigure option to indicate which options the client should request from the server." http://tools.ietf.org/html/rfc3315#section-22.7 Example of a Captured ORO: 1.2.9
Status Code Op5on
It is used to report the status of an operation. If it does not appear where it should, success is assumed. 1.2.10 Preference Op5on It is possible for the servers to give a level of preference when multiple servers are available. When the client receives multiple ADVERTISE messages, the client will prefer the server with the highest Preference. Elapsed Time Option This is used by the client to measure the duration of an exchange. For instance, if an exchange lasts too long, the client may use a secondary server. 1.2.11 Relay 1.2.11.1 Relay Message Op>on It contains the DHCP message encapsulated by the replay in a Relay-Forward or a Relay-Reply Message. 1.2.11.2 Interface-‐ID Op>on This option may be added by a Relay to add the Interface-Id by which the message was received. It will use it to forward the reply back to the right interface. 1.2.12 Authen5ca5on Op5on Used for DHCP message Authentication. Useful to avoid Rogue DHCP Servers.
60
1.2.13 Server Unicast Op5on The server sends this option to a client to indicate to the client. This way the client can bypass any Relay and send messages directly to the server. RFC3115 Section 18.1. "Use of unicast may avoid delays due to the relaying of messages by relay agents, as well as avoid overhead and duplicate responses by servers due to the delivery of client messages to multiple servers. Requiring the client to relay all DHCP messages through a relay agent enables the inclusion of relay agent options in all messages sent by the client. The server should enable the use of unicast only when relay agent options will not be used." 1.2.14 Rapid Commit Op5on This option permits some transactions to be only 2 ways: Solicit, Reply instead of 4. It is set in the Solicit message by the client. 1.2.15 User Class Op5on This option permits one to configure a multiple class of users that do not need the same parameters. For instance, some clients may need a SIP server address and some don't. 1.2.16 Vendor 1.2.16.1 Vendor Class Op>on This option set by the client tells the server on which Vendor the client is running. 1.2.16.2 Vendor-‐Specific Informa>on Op>on This Option allows some Vendor-Specific information to be exchanged between the Client and the Server. 1.2.17 Reconfigure 1.2.17.1 Reconfigure Message Op>on This Option is used when a server has been reconfigured. It is asking the client to send a message to get a new config. In a Reconfigure message, this Option tells the client if it must respond with a Renew message to request an address or an Information-Request message to request Other Information. 1.2.17.2 Reconfigure Accept Op>on A client uses this message to tell the server if it accepts the Reconfigure message. The server uses this option to tell the client whether to accept or not the Reconfigure message.
61
1.3
DHCPv6 Startup
The DHCPv6 messages used during the initialization to request Addresses and/or Other Information are the following. 1.3.1
Client & Server(s) are on the same link
1.3.1.1 Solicit The client first sends a Solicit discovery message. It is not a reservation request when an address is needed, just a discovery to figure out which server around is available and could provide the information needed.
This is why the Request and the Reply bypass the Relay. The Server provides a block, for instance 2001:db8:678::/48, which can be used and subnetted by the DHCP-PD client.
1.4
DHCPv6 Configura5on Management
"A client uses Request, Renew, Rebind, Release and Decline messages during the normal life cycle of addresses. It uses Confirm to validate addresses when it may have moved to a new link. It uses Information-Request messages when it needs configuration information but no addresses." (Section 18.1 RFC3115).
The destination address is the All Servers and Relays Link-local Multicast Address ff02::1:2, Source is the Workstation Link-local Address.
1.4.1
The information needed by the client is in the Option Request Object (ORO).
Once the Address has been allocated, it must be maintained and Refreshed as soon as required. IA_NA and IA_PD Addresses are provided with the DHCP timers, which trigger the process.
1.3.1.2 Adver>ze The Server(s) reply(ies) with an Advertise including all the available resources matching the client ORO. This is sent back to the Link-Local address of the Client.
T1 and T2 are provided. These 2 timers must be set consistently with the Preferred and Valid Addresses. Remember that an address MUST remain as a Preferred Address. So the T1/T2 Timers Prefixes must be set accordingly.
1.3.1.3 Request The Request is sent to the All Servers and Relays Link-local Multicast Address ff02::1:2, Source is the Workstation Link-local Address. The DUID of the Server is used to identify which server we want to use. 1.3.1.4 Reply The Server provides the Reservation if an address has been requested and Information or Information Only if this is what we have requested (Information-Request)
1.3.2
Client & Server(s) use a Relay
If the Server is not located on the same link than the client needs a Relay in between. The Relay will encapsulate the request to the Server as Unicast Messages of any kind, Anycast or a Well-known Multicast site-local ff05::1:3. The Relay encapsulates the request in a Relay-Forward to the Server, and the server encapsulates its response in in Relay-Reply Message
1.3.3
DHCP-‐PD Startup Example
In this example, the client sends a Solicit with an IA_PD requesting a Prefix from the server. It is forwarded by the Relay. The server Advertises a Prefix and gives the Server Unicast Option so that the Client can send its Request in a Unicast message.
IPv6 Addresses come with two Timers, the Preferred and the Valid Timers. For Static Addresses, these timers are usually set to Infinity, which is ALL ONEs. For Dynamic Addresses, they must be refreshed to reset these timers so that the Addresses or Derived Addresses remain in the Preferred State. In figure 6.18 we can see how these timers are reset with Unsolicited RAs.
With DHCPv6, the Preferred and Valid Timers must also be refreshed when the DHCPv6 client RENEWs its reservation. These timers are included in the IAADDR Option, which is encapsulated in the IA_NA or IA_PD Option. Both IA_NA and IA_TA Options also have two timers related to the DHCPv6 protocol. When T1 expires, the client sends a RENEW to the server from which it learned its configuration. If the client times out on the RENEW with the Server which had provided the initial configuration, it sends a REBIND to all the available servers.
RFC 3315, Section 18.1.4: "The message exchange is terminated when the valid lifetimes of all the addresses assigned to the IA expire (see section 10), at which time the client has several alternative actions to choose from. For example: The client may choose to use a Solicit message to locate a new DHCP server and send a Request for the expired IA to the new server. The client may have other addresses in other IAs, so the client may choose to discard the expired IA and use the addresses in the other IAs."
1.4.2
Address Refreshment initiated by the Client
A client may have moved. In any situation when a client may have moved to a new link, the client MUST initiate a Confirm/Reply message exchange (http://tools.ietf.org/html/rfc3315#section-18.1.3). For example:
• The client reboots.
• The client is physically connected to a wired connection.
• The client returns from sleep mode.
• The client using a wireless technology changes access points.
1.4.3
A client doesn't need an Address anymore
The client sends a Release Message to the Server.
1.4.4
A client detects a Duplicated Address
The client sends a Decline Message to the Server.
1.4.5
Server Configuration has changed
The Server must inform the client with a RECONFIGURE message. The RECONFIGURE message includes the Reconfigure Message Option to tell the client whether it must send a Renew (providing Addresses) or an Information-Request (not providing Addresses).
1.4.6
Constants
1.4.7
DHCP Reliability
Because UDP does not provide reliability, it must be provided by the Application. The client begins the message exchange by transmitting a message to the server. The message exchange terminates when either the client successfully receives the appropriate response or responses from a server or servers, or when the message exchange is considered to have failed according to the retransmission mechanism described below.
1.5
Capture Example
1.5.1
Solicit Message
1.5.2
Advertise Message
Options: Server ID, Client ID, IA_NA with IAADDR and Domain Search List
1.6
SUMMARY
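The IA options, their T1 timer and the IAADDR/IAPREFIX lifetimes described in this section are what a captured Advertise or Reply message actually carries. The following is an added example, not code from the book: it decodes IA_NA and IA_PD options from a constructed option area, checks the lifetime rules RFC 3315 imposes, and works out which message the client owes at a given moment. The option bytes, IAIDs and timer values are constructed for the example; T2, the REBIND timer that sits next to T1 in the IA option, is named here although the text above only mentions T1.

```python
"""Decode DHCPv6 IA_NA / IA_PD options (RFC 3315 / RFC 3633) and work out when the
client must RENEW, REBIND or give the lease up.

Added example, not code from the book. The sample option bytes below are constructed
for this example; option codes and layouts are the ones the RFCs define."""
import ipaddress
import struct

OPTION_IA_NA = 3       # RFC 3315 §22.4: IAID, T1, T2, then IAADDR sub-options
OPTION_IAADDR = 5      # RFC 3315 §22.6: address, preferred lifetime, valid lifetime
OPTION_IA_PD = 25      # RFC 3633 §9: IAID, T1, T2, then IAPREFIX sub-options
OPTION_IAPREFIX = 26   # RFC 3633 §10: preferred, valid, prefix length, prefix
INFINITY = 0xFFFFFFFF  # "all ones": the lifetime never expires


def parse_options(data):
    """Split a DHCPv6 option area into (code, payload) pairs (RFC 3315 §22.1)."""
    options, off = [], 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("option %d is truncated" % code)
        options.append((code, data[off:off + length]))
        off += length
    if off != len(data):
        raise ValueError("trailing bytes in option area")
    return options


def parse_ia(code, payload):
    """Decode one IA_NA or IA_PD option, including its IAADDR / IAPREFIX leases."""
    iaid, t1, t2 = struct.unpack_from("!III", payload, 0)
    ia = {"type": "IA_NA" if code == OPTION_IA_NA else "IA_PD",
          "iaid": iaid, "t1": t1, "t2": t2, "leases": []}
    for sub, body in parse_options(payload[12:]):
        if sub == OPTION_IAADDR:
            preferred, valid = struct.unpack_from("!II", body, 16)
            value = str(ipaddress.IPv6Address(body[:16]))
        elif sub == OPTION_IAPREFIX:
            preferred, valid, plen = struct.unpack_from("!IIB", body, 0)
            value = str(ipaddress.IPv6Network((body[9:25], plen), strict=False))
        else:
            continue  # other sub-options (e.g. a status code) are not needed here
        ia["leases"].append({"value": value, "preferred": preferred, "valid": valid})
    return ia


def decode_ias(option_area):
    """Return every IA_NA / IA_PD found in a message's option area."""
    return [parse_ia(code, payload) for code, payload in parse_options(option_area)
            if code in (OPTION_IA_NA, OPTION_IA_PD)]


def lease_problems(ia):
    """Consistency rules from RFC 3315: T1 <= T2 when both are set, and a preferred
    lifetime may never exceed the valid lifetime (a client discards such a lease)."""
    problems = []
    if ia["t1"] and ia["t2"] and ia["t1"] > ia["t2"]:
        problems.append("T1 > T2")
    for lease in ia["leases"]:
        if lease["preferred"] > lease["valid"]:
            problems.append("%s preferred lifetime exceeds valid lifetime" % lease["value"])
    return problems


def next_action(ia, elapsed):
    """Client action `elapsed` seconds after the lease was received: RENEW with the
    original server at T1, REBIND to any server at T2, and once every valid lifetime
    is gone the IA has expired (Solicit again or drop it). A T1/T2 of 0 leaves the
    choice to the client, so it never triggers here; all-ones means never."""
    valid = min((lease["valid"] for lease in ia["leases"]), default=INFINITY)
    if valid != INFINITY and elapsed >= valid:
        return "expired"
    if ia["t2"] and ia["t2"] != INFINITY and elapsed >= ia["t2"]:
        return "rebind"
    if ia["t1"] and ia["t1"] != INFINITY and elapsed >= ia["t1"]:
        return "renew"
    return "wait"


def _opt(code, body):
    return struct.pack("!HH", code, len(body)) + body


# Constructed sample (not a real capture): an IA_PD delegating 2001:db8:ab00::/56
# with T1=1800 s, T2=2880 s, preferred 3600 s, valid 7200 s ...
SAMPLE_IA_PD = _opt(OPTION_IA_PD, struct.pack("!III", 1, 1800, 2880)
                    + _opt(OPTION_IAPREFIX, struct.pack("!IIB", 3600, 7200, 56)
                           + ipaddress.IPv6Address("2001:db8:ab00::").packed))
# ... and a broken IA_NA whose address has preferred (7200) > valid (3600)
SAMPLE_IA_NA = _opt(OPTION_IA_NA, struct.pack("!III", 2, 0, 0)
                    + _opt(OPTION_IAADDR, ipaddress.IPv6Address("2001:db8:1::10").packed
                           + struct.pack("!II", 7200, 3600)))

if __name__ == "__main__":
    for ia in decode_ias(SAMPLE_IA_PD + SAMPLE_IA_NA):
        print(ia["type"], ia["leases"], lease_problems(ia) or "ok")
        print("  after 3000 s the client should:", next_action(ia, 3000))
```

Running it prints the delegated /56 with its lifetimes, flags the IA_NA whose preferred lifetime exceeds its valid lifetime, and shows that at 3000 s the IA_PD is past T2 and owes a REBIND.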
2
2.1
DNS Introduction
DNS was introduced in RFC1035. The objects of DNS are organized as a tree structure. The root is the ".".
DNS is transported over IPv6, encapsulated in UDP on port 53 for most messages, except for some exchanges like zone transfers where TCP is more appropriate.
The initial RFC1035 had a serious limitation for IPv6, which is the UDP message size limit of 512 octets. So we actually had two problems to solve:
• The Maximum Size of 512 bytes for UDP Messages
• How to code IPv6 Names to Addresses and vice-versa
Many Objects are used for DNS: NS for Name Servers, MX for Mail Exchange (DNS plays a key role in Mail routing on the Internet), A for IPv4 Addresses, AAAA for IPv6 Addresses, and more...
2.1.1
Servers hierarchy
2.1.1.1 ROOT Servers
At the very top, we have the ROOT Servers. They manage the list of the Servers of each Top-Level domain, like .com or .uk, and they return their addresses.
13 IPv4 anycast addresses are used and, last time I checked, 9 IPv6 Addresses were also ready. 13 IPv4 addresses can be sent in a 512 (436) byte UDP message! Remember that 512 octets was the size limit for a UDP message in RFC 1035! Adding 13 IPv6 addresses would certainly go over the limit (800+ bytes)! There are actually 200+ physical servers around the globe.
Domain root-servers.net: a.root-servers.net through m.root-servers.net. In Europe, the RIPE servers k.root-servers.net are located in Amsterdam, Athens, Doha, Frankfurt, London and Milan (IPv4: 193.0.14.129, IPv6: 2001:7fd::1). IPv6 addresses are already supported by 9 of the 13 root-servers. The requirements of a Root Server are in RFC2870. http://www.iana.org/domains/root/
2.1.2
Top Level Domain Servers
They return the address of the NS for a User domain, for example fredbovy.com. The full list is at http://www.iana.org/domains/root/db/ There are two kinds of TLD:
2.1.2.1 The Generic Top-Level-Domains (gTLD)
.com, .edu, .net, .mil, but there are also some other registered gTLDs:
• The .org domain is intended to serve the noncommercial community.
• The .biz domain is reserved for businesses.
• The .coop domain is reserved for cooperative associations.
• The .int domain is only used for registering organizations established by international treaties between governments.
• The .museum domain is reserved for museums.
• The .name domain is reserved for individuals.
• The .aero domain is reserved for members of the air transport industry.
• The .pro domain is being established; it will be restricted to credited professionals and related entities.
2.1.2.2 The Country Code Top-Level-Domains (ccTLD)
There is one for each country: .us, .ca, .fr, .uk.
2.1.3
The Authoritative Domain Servers
To increase performance and reliability of DNS, there is more than one DNS server for each domain.
2.1.3.1 Primary or Master DNS Server
The Master Zone file describing the zone (Zone config file) is located on the Primary server.
2.1.3.2 Secondary or Slave DNS Server
The Secondary Server is synchronized with the Primary thanks to Zone Transfer over TCP.
2.1.3.3 Caching only Servers
The Caching Server is used to cache the answer on a local Server, so that when the same query is requested again it is available locally.
2.2
Clients Query Modes
There are two modes for Clients to resolve an IPv6 Name to an Address:
2.2.1
Iterative (supported by all NS)
This mode actually involves the requester more than the local NS.
2.2.2
Recursive
The Recursive mode actually involves the Local Server more than the Requester.
2.3
Support of IPv6 for DNS
2.3.1
EDNS0
RFC1035 limits DNS UDP messages to 512 bytes. 13 IPv4 anycast addresses were used to represent 200+ Servers so that the announcement fits in a 512 byte message, 436 bytes actually, to leave room for some options. With only 5 IPv6 addresses added to the Additional Section of the DNS Type NS response message that root server operators return during the priming exchange, the size of the response message increases from 436 bytes to 576 bytes.
9 Root Servers have been assigned IPv6 addresses. When all 13 root name servers are assigned IPv6 addresses, the priming response will increase in size to 811 bytes!
2.3.2
Priming Exchange
The priming exchange is done when the list of Root Servers is requested. Conditions for the successful completion of a priming exchange:
• Resolvers and any intermediate systems that are situated between resolvers and root name servers must be able to process DNS messages containing Type AAAA resource records.
• Resolvers must use DNS Extensions (EDNS0, RFC 2671) to notify root name servers that they are able to process DNS response messages larger than the 512 byte maximum DNS message size specified in RFC1035.
• Intermediate systems must be configured to forward UDP-encapsulated DNS response messages larger than the 512 byte maximum DNS message size specified in RFC1035 to the resolvers that issued the priming request.
2.3.3
Test EDNS0 Implementation
To test the action a firewall implementation takes when it receives a UDP-encapsulated DNS response message larger than 512 bytes, a network or firewall administrator can perform the following DNS lookup using: This command should elicit a 699 byte response that contains AAAA resource records.
If no response is received, network and firewall administrators should first determine if a security policy other than the vendor's default processing for DNS messages is blocking large response messages or large UDP messages. If no policy other than the vendor's default processing is configured, note the implementation and version and contact your vendor to determine if an upgrade or hot fix is available.
2.4
DNSSEC
DNSSEC is an effort to make DNS more secure with some Authentication of the messages. DNSSEC is detailed in RFC4033, RFC4034 and RFC4035. A discussion of operational practices relating to DNSSEC can be found in RFC4641. In DNSSEC a secure response to a query is one which is cryptographically signed and validated. It offers no protection against DoS attacks.
DNSSEC adds new Resource Record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS) and Next Secure (NSEC). A signed zone will contain these 4 additional security-related records. DNSSEC requires support for EDNS0 (RFC2671) and the DNSSEC OK (DO) EDNS bit (RFC 3225). The Root Zone is signed: http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html
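The 436, 576 and 811 byte figures quoted in the EDNS0 and Priming Exchange sections above follow directly from the RFC 1035 wire format once name compression is taken into account, and they decide whether a resolver behind an old 512-byte firewall rule can prime at all. The following is an added example, not code from the book, that reproduces those numbers; the only assumption beyond the text is that the 811 byte case (and the 699 byte test response with 9 AAAA records) includes the 11-byte EDNS0 OPT pseudo-record that a resolver must send to be offered a response that large.

```python
"""Byte count of the root name server "priming" response (the Type NS query for ".")
as the number of AAAA glue records grows.

Added example, not code from the book. The counts follow the RFC 1035 wire format
with name compression, as root servers return the response; they reproduce the
436 / 576 / 699 / 811 byte figures quoted in the text."""

HEADER = 12                    # RFC 1035 §4.1.1 fixed header
QUESTION = 1 + 2 + 2           # QNAME "." (a single zero byte) + QTYPE + QCLASS
RR_FIXED = 2 + 2 + 4 + 2       # TYPE + CLASS + TTL + RDLENGTH of every resource record
ROOT_NAME = 1                  # owner name "." is one zero byte
POINTER = 2                    # compressed reference to a name already in the message
OPT_RR = ROOT_NAME + RR_FIXED  # EDNS0 OPT pseudo-record with empty RDATA: 11 bytes
MAX_UDP_RFC1035 = 512


def ns_rdata_len(index):
    """RDATA of the i-th NS record: "a.root-servers.net" spelled out the first time
    (3 label lengths + 1 + 12 + 3 characters + terminator = 20 bytes); every later
    server is just "<letter>" plus a pointer back to "root-servers.net" (4 bytes)."""
    return 3 + 1 + 12 + 3 + 1 if index == 0 else 1 + 1 + POINTER


def priming_response_size(n_servers=13, n_a=13, n_aaaa=0, edns0=False):
    """Header + question + NS answers + A and AAAA glue (+ OPT when EDNS0 is in use)."""
    size = HEADER + QUESTION
    size += sum(ROOT_NAME + RR_FIXED + ns_rdata_len(i) for i in range(n_servers))
    size += n_a * (POINTER + RR_FIXED + 4)       # each A glue record: 16 bytes
    size += n_aaaa * (POINTER + RR_FIXED + 16)   # each AAAA glue record: 28 bytes
    if edns0:
        size += OPT_RR
    return size


def fits_plain_udp(size):
    """Can a resolver without EDNS0 (or behind a firewall enforcing 512) receive it?"""
    return size <= MAX_UDP_RFC1035


def max_aaaa_without_edns0():
    """How many AAAA glue records fit before the classic 512-byte limit is exceeded."""
    n = 0
    while fits_plain_udp(priming_response_size(n_aaaa=n + 1)):
        n += 1
    return n


if __name__ == "__main__":
    for aaaa, edns in ((0, False), (5, False), (9, True), (13, True)):
        size = priming_response_size(n_aaaa=aaaa, edns0=edns)
        print("%2d AAAA, EDNS0=%-5s -> %3d bytes, fits in 512: %s"
              % (aaaa, edns, size, fits_plain_udp(size)))
    print("AAAA records that still fit without EDNS0:", max_aaaa_without_edns0())
```

The loop in `max_aaaa_without_edns0` shows why EDNS0 became mandatory rather than optional: only two root servers could have been given IPv6 glue before the 512-byte response broke every resolver and middlebox still applying the RFC 1035 limit.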
2.5
Configuration of DNS Bind Server on Linux
2.5.1
Zones and Zones Files
A Zone file translates the domain names into addresses. A Zone File contains:
• Data that describes the zone authority, known as the Start of Authority (SOA) Resource Record.
• All the hosts within the zone: an A Resource Record for an IPv4 Address, an AAAA Resource Record for an IPv6 Address.
• Data that describes global information for the zone: MX Resource Records for the domain's mail servers and NS Resource Records for the Name Servers.
• In the case of a subdomain delegation, the name servers responsible for this subdomain.
A Zone file looks like this:
2.5.2
Reverse-Mapping Zone
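The zone listing that the previous section introduces is not reproduced on this page, so the following is an added example, not the book's own file, that builds both a forward zone with the records listed above (SOA, NS, MX, A, AAAA) and the matching ip6.arpa reverse-mapping zone in BIND syntax. The domain example.com, the host names, the prefix 2001:db8:1::/48 and the addresses are constructed for illustration; the nibble-reversed ip6.arpa naming follows RFC 3596.

```python
"""Build a forward zone (SOA / NS / MX / A / AAAA) and the matching ip6.arpa reverse
zone for a set of hosts, in BIND zone-file syntax.

Added example, not the book's zone file. The domain example.com, the hosts and the
addresses are constructed for illustration; the ip6.arpa naming follows RFC 3596."""
import ipaddress


def reverse_name(address):
    """PTR owner name of an IPv6 address: its 32 nibbles in reverse order under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_origin(prefix):
    """Origin of the reverse zone for a prefix; the prefix must end on a nibble boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("reverse zones are delegated on 4-bit boundaries: use /48, /52, /56 ...")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def _soa(primary_ns, mailbox_domain, serial):
    # serial, refresh, retry, expire, negative-caching TTL (constructed values)
    return "@\tIN\tSOA\t%s hostmaster.%s ( %d 3600 900 1209600 300 )" % (
        primary_ns, mailbox_domain, serial)


def forward_zone(origin, primary_ns, mail, hosts, serial=2012010101, ttl=3600):
    """Forward zone: an A record per IPv4 and an AAAA record per IPv6 address of each host."""
    lines = ["$ORIGIN " + origin, "$TTL %d" % ttl, _soa(primary_ns, origin, serial),
             "@\tIN\tNS\t" + primary_ns, "@\tIN\tMX\t10 " + mail]
    for name, addresses in hosts.items():
        for a in addresses:
            ip = ipaddress.ip_address(a)
            lines.append("%s\tIN\t%s\t%s" % (name, "A" if ip.version == 4 else "AAAA",
                                            ip.compressed))
    return "\n".join(lines) + "\n"


def reverse_zone(prefix, origin, primary_ns, hosts, serial=2012010101, ttl=3600):
    """Reverse zone for one IPv6 prefix: a PTR record per address that falls inside it."""
    net = ipaddress.IPv6Network(prefix)
    zone = reverse_zone_origin(prefix)
    lines = ["$ORIGIN " + zone, "$TTL %d" % ttl, _soa(primary_ns, origin, serial),
             "@\tIN\tNS\t" + primary_ns]
    for name, addresses in hosts.items():
        for a in addresses:
            ip = ipaddress.ip_address(a)
            if ip.version != 6 or ip not in net:
                continue  # IPv4 (in-addr.arpa) and other prefixes belong to other zones
            relative = reverse_name(ip)[: -len(zone)].rstrip(".")  # name relative to $ORIGIN
            lines.append("%s\tIN\tPTR\t%s.%s" % (relative, name, origin))
    return "\n".join(lines) + "\n"


# Constructed data for the example
ORIGIN = "example.com."
PRIMARY_NS = "ns1.example.com."
MAIL = "mail.example.com."
PREFIX = "2001:db8:1::/48"
HOSTS = {
    "ns1": ["192.0.2.1", "2001:db8:1::1"],
    "mail": ["192.0.2.25", "2001:db8:1::25"],
    "www": ["192.0.2.10", "2001:db8:1::10", "2001:db8:2::10"],  # last one is outside PREFIX
}

if __name__ == "__main__":
    print(forward_zone(ORIGIN, PRIMARY_NS, MAIL, HOSTS))
    print(reverse_zone(PREFIX, ORIGIN, PRIMARY_NS, HOSTS))
```

Generating both zones from one host table is the practical point: the 32-nibble reverse names are error-prone to type by hand, and a forward record without its PTR (or a stale PTR after an address moves) is one of the most common findings when auditing an IPv6 deployment.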
2.5.3
Transport of IPv6 Information in IPv6
• DNS requests must be transported in IPv6.
• DNS Root servers and Top-level domains must support IPv6: 9 of the 13 root-servers are IPv6 ready!
• DNS messages larger than 512 bytes are supported since DNS Extension 0 (EDNS0, RFC2671).
The old Firewalls were blocking DNS UDP messages bigger than 512 Octets. This has been fixed for a long time, but if you are at a customer site which has not upgraded its software for a long time either, you may hit this issue.
2.6
Dynamic DNS
DNS Servers can be updated dynamically. An address allocated with DHCPv6 or SLAAC automatically updates the DNS Servers by sending Updates to the Servers, so this is not only possible with Servers doing both DHCPv6 and DNS. The Authentication process between the client and the servers is not defined by the RFC but is left to the convenience of the designers.
Dynamic Updates in the Domain Name System (DNS UPDATE): http://tools.ietf.org/html/RFC2136
Secure Domain Name System (DNS) Dynamic Update: http://tools.ietf.org/html/RFC3007
Operational Considerations and Issues with IPv6 DNS: http://tools.ietf.org/html/rfc4472
2.7
Capture of DNS Traffic
Chapter 8
Multicast
IPv6 Multicast is not very different from its IPv4 Counterpart. Only the non-scalable protocols have been removed, like PIM-DM or MSDP, and the others have been ported, sometimes with a new name, like MLD instead of IGMP.
Topic
1. Introduction
2. Protocol Independent Multicast (PIM)
 1. PIM Sparse Mode or ASM
 2. PIM Source Specific Multicast (SSM)
 3. PIM BIDIR
3. Embedded Rendez-vous Point
4. Multicast on Layer 2
1
Introduction
IPv6 Multicast is not very different from its IPv4 Counterpart. Only the non-scalable protocols have been removed (PIM-DM), and the others have been ported, sometimes with a new name, like MLD instead of IGMP.
PIM is used for the routing of Multicast and, for receiver management, IGMP has been ported as MLD. The very long addresses of IPv6 allow the Embedded RP, which is great because the RP does not have to be configured on each router. The IPv6 multicast router configuration can then be summarized in only one command on CISCO IOS®: "ipv6 multicast-routing", and that's it. When multicast users are connected with Layer 2 switches, MLD Snooping should be used where IGMP snooping was used for IPv4.
The common rule for all Multicast routing is Reverse Path Forwarding, or RPF. This rule says that a packet MUST always be received on the interface which has the best cost to get back to the Source Address of the packet. Otherwise we say that RPF fails and the packet gets silently dropped. This is the basic rule that avoids Multicast Routing loops.
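The RPF rule above is simple to state but worth seeing applied to a routing table with overlapping prefixes and unequal costs, because that is where a forwarding decision goes wrong in practice. The following is an added example, not code from the book: it implements the lookup a multicast router performs (longest prefix, then lowest cost back to the source) and runs constructed packets through it, separating forwarded packets from RPF failures. The routing table, interface names and packets are constructed for illustration.

```python
"""Reverse Path Forwarding (RPF) check as a multicast router applies it to every
packet: accept only if the packet came in on the interface the unicast routing
table would use to reach the packet's source; otherwise drop it (an RPF failure).

Added example, not code from the book. The routing table, interface names and
packets are constructed for illustration."""
import ipaddress

# Constructed unicast routing table: (prefix, outgoing interface, path cost).
# Longest prefix wins; among equal prefixes the lowest cost wins, as the text says.
UNICAST_TABLE = [
    ("2001:db8:1::/48", "Gi0/0", 10),
    ("2001:db8:1:5::/64", "Gi0/1", 5),   # more specific than the /48 above
    ("2001:db8:2::/48", "Gi0/2", 20),
    ("2001:db8:2::/48", "Gi0/4", 30),    # same prefix, worse cost: never the RPF interface
]


def rpf_interface(source, table=UNICAST_TABLE):
    """Interface with the best path back to `source`, or None when there is no route."""
    src = ipaddress.IPv6Address(source)
    best_key, best_iface = None, None
    for prefix, iface, cost in table:
        net = ipaddress.IPv6Network(prefix)
        if src not in net:
            continue
        key = (net.prefixlen, -cost)     # prefer the longer prefix, then the lower cost
        if best_key is None or key > best_key:
            best_key, best_iface = key, iface
    return best_iface


def rpf_check(source, in_iface, table=UNICAST_TABLE):
    """(accepted, reason) for a multicast packet from `source` received on `in_iface`."""
    expected = rpf_interface(source, table)
    if expected is None:
        return False, "RPF failed: no route back to %s" % source
    if expected != in_iface:
        return False, "RPF failed: %s arrived on %s, best path back is %s" % (
            source, in_iface, expected)
    return True, "RPF ok on %s" % in_iface


def process(packets, table=UNICAST_TABLE):
    """Run the check over (source, group, in_iface) tuples and return the forwarded
    and dropped lists. Counting RPF drops per interface is a useful health indicator:
    a steady stream of them usually means a unicast routing change, a looped topology,
    or a source that is not where its address says it is."""
    forwarded, dropped = [], []
    for source, group, in_iface in packets:
        ok, reason = rpf_check(source, in_iface, table)
        (forwarded if ok else dropped).append((source, group, in_iface, reason))
    return forwarded, dropped


# Constructed packets: (source, group, incoming interface)
PACKETS = [
    ("2001:db8:1:5::10", "ff0e::1234", "Gi0/1"),   # matches the /64: ok
    ("2001:db8:1:5::10", "ff0e::1234", "Gi0/0"),   # the /48 is not the best path: dropped
    ("2001:db8:1:9::1", "ff0e::1234", "Gi0/0"),    # only the /48 matches: ok
    ("2001:db8:2::7", "ff0e::1234", "Gi0/2"),      # lowest-cost /48 route: ok
    ("2001:db8:2::7", "ff0e::1234", "Gi0/4"),      # higher-cost duplicate route: dropped
    ("2001:db8:9::1", "ff0e::1234", "Gi0/3"),      # no route to the source: dropped
]

if __name__ == "__main__":
    fwd, drop = process(PACKETS)
    for entry in drop:
        print("drop", entry)
    print("%d forwarded, %d dropped" % (len(fwd), len(drop)))
```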
Solicited Node IPv6 Multicast Address
Just remember the Solicited Node Multicast address example, which is derived from the Unicast address for the ND MAC Address Resolution Protocol. Other examples of Applications which use Multicast are NTP or DHCP.
Figure: Solicited-node multicast address format, automatically configured for each unicast address. Prefix FF02 : 0 : 0001 : FF followed by the last 24 bits of the Interface Identifier, 128 bits in total.
Unicast Address: 805B:2D9D:DC28::FC57:D4C8:1FFF
Prefix: FF02:0:0:0:0:1:FF
Solicited-node multicast address: FF02:0:0:0:0:1:FFC8:1FFF
For this Chapter you will need a Web connection and a Display unit supporting Flash® Presentations for these presentations:
IPv6 Multicast Part 1 http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part1.html
IPv6 Multicast Part 2 http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part2.html
IPv6 Multicast Part 3 http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part3.html
On the other hand, the PowerPoint Presentations can be found in PPS Slideshow format on the IPv6 for Life Web Site and in PDF on the public Slideshare Server, so you can also download them from there.
2
Protocol Independent Multicast
PIM is Independent because it does not build a separate Unicast Routing Table to run the RPF. Instead it uses the existing routing table, but the same good old RPF rule still applies. At the beginning there were two flavors, PIM Dense Mode and PIM Sparse Mode. The first one has not been ported to IPv6 because it was clearly not scalable. On the other hand, PIM-SM is still in use in IPv6 Networks. With PIM-SM, the Multicast Receivers are not supposed to know the addresses of the Sources when they register to listen for a particular Group with the local MLD Querier. The Multicast sources do not need any signaling to send any traffic; this must be managed by their directly connected router, which we call a PIM Designated Router or PIM-DR. So we need a place somewhere in the network for any Source, thanks to its PIM-DR, to meet the receivers, thanks to the local MLD Querier. This meeting place is called a Rendez-Vous Point. For a detailed presentation of PIM-SM Operations and the other topics addressed in this chapter, please use this presentation: http://www.ipv6forlife.com/Docs/MulticastIPv6.pps
This presentation and others are also located on the public site Slideshare.com: look for Fred Bovy, IPv6 For Life Presentations. PIM-SM is also explained in these short Flash Presentations:
IPv6 Multicast Part 1 http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part1.html
IPv6 Multicast Part 2 http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part2.html
IPv6 Multicast Part 3 http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part3.html
With PIM-SSM, the Receivers know the address of the Source. When the receiver registers with the MLD Querier, it provides both the Group address it wants to listen to and the IPv6 unicast address of the source. So there is no need for a Rendez-Vous Point and its associated shared tree: we are always on the Shortest-Path Tree.
PIM-BIDIR is actually the Shortest Path Tree of PIM-SM (see the Flash Presentation), but the Sources can also Receive and the Receivers can also Send.
3
Embedded Rendez-Vous Point
The Embedded-RP is also fully covered in the PPT Slideshow given earlier, but it is really easy to explain quickly. The idea is to code a 128-bit address in another /128. What we do is that we only advertise a prefix, which can be up to /64 long, and then, using only 4 bits, we can code 16 RPs from this prefix. Let's see how the Prefix is coded. We have a Prefix length, which is here 30 hex or 48 decimal, so the Prefix is 2001:db8:9abc::/48.
RFC3956 Embedded RP Address: FF7E:0130:2001:db8:9abc::4321
Plen = 30 hex = 48 dec
Embedded RP Prefix: 2001:db8:9abc::
Rendez-Vous Point Address: 2001:db8:9abc::1
The IPv6 Address FLAGS are R, P and T. T is for Temporary address. R and P both carry the Embedded RP information. Then we see that the RP Address is 1, so the full address for this RP will be 2001:db8:9abc::1.
Then on the CISCO routers you just need to go on each router and type the command "ipv6 multicast-routing" and that's it! Your work is done, the customer can sign the papers and you can get back home early today!
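The decoding walked through above (flags, prefix length, prefix, RP interface ID) is exactly what every router does when it sees a group address with the R, P and T flags set, and doing it in code makes the field boundaries unambiguous. The following is an added example, not code from the book: it decodes a group address into the RP it embeds and builds a group address from an RP, rejecting the malformed cases (RP interface ID outside a single nibble, prefix bits beyond the announced length). FF7E:0130:2001:db8:9abc::4321 and its RP 2001:db8:9abc::1 are the text's own values; the field layout follows RFC 3956, and everything else is constructed.

```python
"""Decode and build RFC 3956 Embedded-RP group addresses.

Added example, not code from the book. Layout (RFC 3956 §4): FF | flags 0RPT | scope |
reserved (4 bits) | RIID (4 bits) | plen (8 bits) | 64-bit network prefix | 32-bit group ID.
FF7E:0130:2001:db8:9abc::4321 is the text's own example; other values are constructed."""
import ipaddress

PREFIX_FIELD_BITS = 64


def decode_embedded_rp(group):
    """Return scope, RIID, the advertised prefix, the RP address and the group ID."""
    b = ipaddress.IPv6Address(group).packed
    if b[0] != 0xFF:
        raise ValueError("not a multicast address")
    flags, scope = b[1] >> 4, b[1] & 0xF
    if flags & 0x7 != 0x7:               # R, P and T must all be set (0RPT = 0111)
        raise ValueError("R/P/T flags not all set: no embedded RP")
    if b[2] >> 4:
        raise ValueError("reserved nibble must be zero")
    riid, plen = b[2] & 0xF, b[3]
    if riid == 0 or plen == 0 or plen > PREFIX_FIELD_BITS:
        raise ValueError("RIID must be 1..15 and plen 1..64")
    prefix_bits = int.from_bytes(b[4:12], "big")
    keep = ((1 << plen) - 1) << (PREFIX_FIELD_BITS - plen)   # the plen significant bits
    if prefix_bits & ~keep:
        raise ValueError("prefix bits beyond plen must be zero")
    prefix = ipaddress.IPv6Network((prefix_bits << 64, plen))
    rp = ipaddress.IPv6Address((prefix_bits << 64) | riid)   # RP = prefix :: RIID
    return {"scope": scope, "riid": riid, "prefix": str(prefix),
            "rp": str(rp), "group_id": int.from_bytes(b[12:16], "big")}


def has_embedded_rp(group):
    """True when the group address carries a usable embedded RP."""
    try:
        decode_embedded_rp(group)
        return True
    except ValueError:
        return False


def encode_embedded_rp(rp, plen, scope, group_id):
    """Build the group address that embeds `rp`. The RP's interface ID must fit in the
    4-bit RIID field (RFC 3956 reserves 0, so 15 usable values out of 16 codes)."""
    rp_int = int(ipaddress.IPv6Address(rp))
    prefix_bits, iid = rp_int >> 64, rp_int & ((1 << 64) - 1)
    riid = iid & 0xF
    if not 1 <= plen <= PREFIX_FIELD_BITS or not 0 <= scope <= 0xF:
        raise ValueError("plen must be 1..64 and scope a single nibble")
    keep = ((1 << plen) - 1) << (PREFIX_FIELD_BITS - plen)
    if not 1 <= riid <= 15 or iid != riid:
        raise ValueError("RP interface ID must be a single non-zero nibble")
    if prefix_bits & ~keep:
        raise ValueError("RP prefix has bits set beyond plen")
    b = (bytes([0xFF, (0x7 << 4) | scope, riid, plen])
         + prefix_bits.to_bytes(8, "big") + group_id.to_bytes(4, "big"))
    return str(ipaddress.IPv6Address(b))


if __name__ == "__main__":
    info = decode_embedded_rp("FF7E:0130:2001:db8:9abc::4321")
    print(info)
    print(encode_embedded_rp(info["rp"], 48, info["scope"], info["group_id"]))
```

The validation matters operationally: because the RP is trusted purely on the strength of the group address, a router should treat a group whose embedded prefix does not match an address it is allowed to use as an RP (or whose RIID is zero) as unusable rather than guessing.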
4
IPv6 Multicast on Layer 2
IPv6 Multicast is encapsulated in an Ethernet Frame using the MAC Address prefix 33:33 instead of 01:00:5e for IPv4. Then we find the last 32 bits of the IPv6 Address.
IPv6 Encapsulation in Ethernet:
IPv6 Multicast Address (128 bits): FF02:0:0:0:0:1:FF90:FE53
MAC Address (48 bits): 33:33:FF:90:FE:53
33:33 is the MAC address prefix for encapsulated IPv6 multicast addresses. The next 32 bits are the last 32 bits of the IPv6 address.
MLD Snooping
When switches are used, we use MLD Snooping to only forward traffic on the p2p links with attached interested Receivers. This is only possible because switching is now performed in silicon with fast ASICs, because this feature requires that the switch looks into the MLD Packets to find the unsolicited MLD Report messages and figure out that there is a receiver.
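The two address derivations in this chapter, the solicited-node group built from a unicast address (section 1) and the 33:33 MAC built from a multicast group (this section), chain together: a Neighbor Solicitation for a unicast address is sent to the solicited-node group, which in turn is sent to the MAC below. The following is an added example, not code from the book, that computes both and also shows why a switch without MLD snooping cannot separate groups that share a MAC. The unicast address 805B:2D9D:DC28::FC57:D4C8:1FFF and the group FF02:0:0:0:0:1:FF90:FE53 are the text's own examples; the second group in the MAC-collision check is constructed.

```python
"""Solicited-node multicast group of a unicast address (for Neighbor Discovery
address resolution) and the Ethernet MAC an IPv6 multicast group is sent to
(33:33 followed by the group's low 32 bits).

Added example, not code from the book; the addresses are the text's own examples."""
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))  # FF02:0:0:0:0:1:FF00::/104


def solicited_node(unicast):
    """FF02::1:FF plus the low 24 bits of the unicast address (RFC 4291 §2.7.1)."""
    addr = ipaddress.IPv6Address(unicast)
    if addr.is_multicast:
        raise ValueError("solicited-node groups are derived from unicast (or anycast) addresses")
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | (int(addr) & 0xFFFFFF))


def multicast_mac(group):
    """33:33 + low 32 bits of the group, written in upper case like the text (RFC 2464 §7)."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError("only multicast groups map to a 33:33 MAC")
    return "33:33:" + ":".join("%02X" % x for x in addr.packed[-4:])


def nd_resolution_targets(unicast):
    """Where a Neighbor Solicitation for `unicast` goes: (group, destination MAC)."""
    group = solicited_node(unicast)
    return str(group), multicast_mac(group)


def share_mac(group_a, group_b):
    """Two groups that differ only in their high 96 bits land on the same MAC, so a
    filter working on the MAC alone (or a switch without MLD snooping) cannot tell
    them apart; MLD snooping looks at the group inside the MLD report instead."""
    return multicast_mac(group_a) == multicast_mac(group_b)


if __name__ == "__main__":
    print(nd_resolution_targets("805B:2D9D:DC28::FC57:D4C8:1FFF"))
    print(multicast_mac("FF02:0:0:0:0:1:FF90:FE53"))
    print(share_mac("ff02::1:ff90:fe53", "ff05::1:ff90:fe53"))
```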
Glossary
ASICS
A chip which performs a special task in silicon, like Layer 2 switching in our case.
ASM
Any Source Multicast. This is another name for PIM Sparse Mode (see PIM).
BIDIR
Bi-directional. This is for PIM BIDIR, which is actually the PIM-SM Shared Tree where Sources can Receive and Receivers can Send.
CCIE
Cisco Certified Internet Expert. It started with number 1023. With #3013 I deserve the CISCO dinosaur distinction. When I was younger and I passed at the first attempt both the written and the lab test, cheating was impossible and the answers were not available for $20 from the Web. It was a Great distinction! And you must be recertified every two years. Again, it is not so old that you can get the answers before taking it, and I had to take the written test every two years since 97 to still be active. I also find in the field many consultants who say that they are CCIE but they only have the written exam, or they have not been recertified for 10 years, but they get hired as cheap "CCIE"! This is really unfair!
Cost
This is the metric of Link-State Routing protocols. The lower the path cost, the better the route. The lowest path cost is used for routing.
DAD
Duplicate Address Detection, the Neighbor Discovery process to check that an address is not in use before using it. This is enabled by default on LAN interfaces on CISCO routers but disabled on Serial interfaces.
DHCP
Dynamic Host Control Protocol, used to configure the workstations with an IPv6 address and/or Other information. With IPv6 there are many more variations than with IPv4 because IPv6 has a Stateless built-in Autoconfiguration feature with the Neighbor Discovery Protocol (RFC 4862, RFC 4861). So DHCPv6 can be used for Other information but no address: this is Stateless DHCPv6. DHCPv6 can also be used to provide a Site Prefix instead of individual Addresses. The prefix can then be subnetted. This is DHCP Prefix Delegation or DHCP-PD.
DHCP-PD
DHCP Prefix Delegation. See DHCP.
DHCPv6
DHCP for IPv6. See DHCP.
Embedded RP
This is a method to code the PIM-SM Rendez-Vous Point in the group address. With Embedded RP you only need ONE command to have your multicast Routing configured on a CISCO IOS® Router, "ipv6 multicast-routing".
IGMP
Internet Group Membership Protocol. The protocol to manage the signaling between the Receivers and the Multicast Last Hop Router, the IGMP Querier. For IPv6 it has been renamed MLD (see MLD).
IOS®
Internetwork Operating System, the historical CISCO Operating System. A Great survivor, pretty much like me! A big Monolith with a round-robin scheduler to manage the processes. A simple OS written and programmable in plain C code. A basic Time Shared Scheduler which can be interrupted to switch a packet in "Real-time" when it is possible to do it shortly. Otherwise the incoming packet is punted to be switched later on. This is IOS and we love it!
IPAM
IP Address Management Tools. With IPv4, many Service Providers were using Spreadsheets to manage their IPv4 addresses using home-made macros, and everybody was very happy. The 128-bit addresses of IPv6 made it impossible, and new Software was introduced to manage these very long addresses. IPAM was born. The next step was to link these big databases with DNS and DHCP, et voilà! Today it is just insane, or just impossible, to plan any decent network without an IPAM to manage your IPv6 Addresses and node names.
IPv4
Internet Protocol version 4. The protocol which started the Internet in the late 70s. Like Jim Morrison or Jimi Hendrix, IPv4 will die one day as it is clearly not designed to sustain the Internet of 2012. It was requested by the USA Department of Defense (DoD) to build a Private Internet, when a few thousand hosts was just the impossible boundary that would never get reached. For the DoD and the 70s Mainframe technology, IPv4 with its 32 bits was here to last forever!
IPv6
Internet Protocol version 6. The protocol developed in the 90s to scale the y2k Internet and replace IPv4 forever. http://www.tcpipguide.com/free/t_IPv6AddressSizeandAddressSpace-2.htm
"Since IPv6 addresses are 128 bits long, the theoretical address space if all addresses were used is 2^128 addresses. This number, when expanded out, is 340,282,366,920,938,463,463,374,607,431,768,211,456, which is normally expressed in scientific notation as about 3.4*10^38 addresses. That's about 340 trillion, trillion, trillion addresses. As I said, it's pretty hard to grasp just how large this number is. Consider:
• It's enough addresses for many trillions of addresses to be assigned to every human being on the planet.
• The earth is about 4.5 billion years old. If we had been assigning IPv6 addresses at a rate of 1 billion per second since the earth was formed, we would have by now used up less than one trillionth of the address space.
• The earth's surface area is about 510 trillion square meters. If a typical computer has a footprint of about a tenth of a square meter, we would have to stack computers 10 billion high blanketing the entire surface of the earth to use up that same trillionth of the address space."
MAC
MAC Addresses are used at Layer 2 to address an Ethernet workstation on a LAN.
MLD
Multicast Listener Discovery. MLD is IGMP ported to IPv6. MLDv1 is IGMPv2 and MLDv2 is IGMPv3. This is the signaling between the Receiver and the last hop router. Hosts use MLD to tell the local router that they want to receive a Group. Then the MLD Router propagates the MLD exchange with the PIM protocol to build the Shared or Shortest Path Tree.
MLD Snooping
Does for IPv6 what IGMP snooping was doing for IPv4. It listens to the Multicast traffic and looks into the MLD packets to find the control packet of a Receiver saying that it wants to join a given group. Then the switch will only forward the Multicast on the ports where it knows that it has a receiver interested in this Group.
MSDP
Multicast Source Discovery Protocol. A protocol above TCP that was used to join two separate Shared Trees. It was useful when you had multiple Rendez-Vous Points: for a Source, a Rendez-Vous Point will find the Receivers registered on another RP. It was used by Service Providers to set up Redundant RPs with a feature called Anycast RP. The problem is that MSDP sessions must be full-meshed, leading to O(n^2) Complexity. They were configuring 2 RPs in each country for Redundancy. For 40 Countries you had to configure (80*79)/2 MSDP over TCP sessions, and reasonable size routers were not supporting that many MSDP Sessions and collapsed. MSDP and Anycast RP using MSDP have not been ported to IPv6.
NAT
Network Address Translation. A workaround which broke the peer-to-peer IP capability which was a key driver in the 80s for people to switch to TCP/IP. Just before they switched to TCP/IP, IBM proposed the SNA LU6.2 based APPN Solution to move from a hierarchical model to a peer-to-peer one. In the early 80s, Peer-to-peer and downsizing to port applications from Mainframes down to Mini or RISC and Micro Computers was the way to go! But in the 90s Peer-to-Peer was broken by NAT, which is breaking many applications and is a security weakness seen as a security feature by some NAT proponents! They are grasping IPv4 and NAT as if their life would have no reason to be without NAT! NAT was never a security feature. The best Security is true end-to-end security, which does not work if someone changes anything in the original Address. Because you cannot be identified from your address anymore = no security. Someone who does some really bad things using a NATed address will never get caught.
ND
Neighbor Discovery Protocol, defined in RFC 4861, is a key protocol for IPv6.
NTP
Network Time Protocol, to synchronize all the system clocks in a Network.
NUD
Neighbor Unreachability Detection is a part of ND and is used to check that a Neighbor is still alive, and to clean up the entry if the node fails to reply.
P2p
Point-to-Point Network.
PIM
Protocol Independent Multicast Protocol. It is independent because it uses the default Unicast Routing Table to run the RPF Algorithm instead of building a separate table.
PIM-BIDIR
PIM-BIDIR, see PIM.
PIM-DM
PIM Dense Mode. Deprecated. It was not scalable. (See PIM)
PIM-DR
PIM Designated Router. The router which is directly connected to a Multicast Source. The highest priority wins. The highest IP address is used as a tie breaker. See PIM.
PIM-SSM
PIM Single Source Multicast. Only works with the Shortest Path Tree, as the Receivers know the Source Address(es) when they register for a Group (see PIM).
Querier
The MLD (for IPv6) or IGMP (for IPv4) Querier is the router which has directly connected Receivers. The Lowest IP Address is the Elected Querier when multiple candidates are available.
RP
The PIM Rendez-Vous point is the place where the PIM-SM Source meets the Receivers.
Rendez-Vous
See PIM-SM.
Reverse Path Forwarding
The Reverse Path Forwarding Rule is the IP Multicast universal rule. To avoid routing loops, a multicast router checks each packet received on each interface against the Source Address. The packet MUST be received on the Interface which has the best (lower) path cost to get back to the Source, or it gets dropped when RPF fails.
RPF
See Reverse Path Forwarding.
SLAAC
Stateless Address Auto Configuration. This is a process to get an interface automatically configured with an address using the Neighbor Discovery Protocol (RFC 4861). SLAAC is described in RFC 4862.
SSM
PIM Source Specific Multicast. (See PIM)
Stateful
Stateful means that a Server must keep some state for each allocation to manage the entry. For instance, when DHCP allocates an Address, it keeps an entry for this allocated address, and if the neighbor fails to RENEW the address, it goes back to the unused pool and will be allocated to another node. Stateful devices are easy targets for DoS Attacks and should be protected with some mitigation techniques to limit the effects of the attack!
Stateless
When DHCP is not used to allocate Addresses it is called Stateless DHCPv6 and only provides information, not addresses.
ULA
Unique Local Addresses are used when Private Addresses are needed. ULA can be centrally managed or locally administered. The idea was not to repeat the IPv4 mistakes: we have 40 bits to make the ULA unique and avoid any risk of having overlapping addresses when we merge two networks.