IPv6 for Cert Nuts

IPv6 for Cert Nuts BRKCRT-9344

Scott Morris & Keith Barker

© 2013 Cisco and/or its affiliates. All rights reserved. BRKCRT-9344 Cisco Public

Tour Guide

Scott Morris, CCIEx4 #4713, CCDE #2009::13, JNCIEx2 – CCIE Route & Switch, ISP/Dial, Security, Service Provider

– Cisco Certified Design Expert

– Juniper Networks JNCIE-M #153 and JNCIE-ER #102

– CISSP, CCVP and several other random things!

– Email: [email protected]

– Twitting: @ScottMorrisCCIE

3


Tour Guide

Keith Barker, CCIEx2 #6783, CCDP, CCSI – CCIE Route & Switch, Security – Cisco Certified Design Professional – CISSP and several other random things! – Email: [email protected] – Twitting: @KeithBarkerCCIE

4


Journey

IPv6 Certification Agenda Addressing & Formats Configuration Basics Headers Neighbor Discovery Transition & Deployments Routing Advanced Stuff

5


IPv6 Agenda

Setting the stage – Why the mastery of IPv6 skills is so important in the real world – What we know…or think we know, can be a factor in our mastery Key elements in successful execution out knowledge

– What is important for certification? – Where do certs end and the real world begin? Implementing the protocol(s) that we know and love already Extending our IPv6 knowledge

– How a network will work start to finish

6


IPv6 Certification Agenda

CCNA Describe the technological requirements for running IPv6 in conjunction with

IPv4 (including: protocols, dual stack, tunneling, etc.). Describe IPv6 addresses

7


IPv6 Certification Agenda CCNP Implement an IPv6 based solution, given a network design and a set of requirements

– Determine network resources needed for implementing IPv6 on a network – Create an IPv6 implementation plan – Create an IPv6 verification plan – Configure IPv6 routing – Configure IPv6 interoperation with IPv4 – Verify IPv6 solution was implemented properly using show and debug commands – Document verification results for an IPv6 implementation plan

Implement an IPv4 or IPv6 based redistribution solution

– Create a redistribution implementation plan based upon the results from a redistribution analysis – Create a redistribution verification plan – Configure a redistribution solution – Verify that a redistribution was implemented – Document results of a redistribution implementation and verification plan – Identify the differences between implementing an IPv4 and IPv6 redistribution solution

8


IPv6 Certification Agenda

CCIE Implement IPv6

Implement IP version 6 (IPv6) addressing and different addressing types Implement IPv6 neighbor discovery Implement basic IPv6 functionality protocols Implement tunneling techniques Implement OSPF version 3 (OSPFv3) Implement EIGRP version 6 (EIGRPv6) Implement filtering and route redistribution Implement IPv6 multicast, PIM, and related multicast protocols, such as

Multicast Listener Discovery (MLD)

9

IPv6 Overview


Short History Of IP

11

1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000

Prediction of the exhaustion of IPv4 Class B by 1994. ROAD group formed to address routing. Prediction of the exhaustion of IPv4 addresses by 2005-2011. IPng Proposals solicitation (RFC 1550). CATNIP, SIPP, TUBA analyzed. SIPP+ chosen. IPng wg started. First specification: RFC 1883.

First attempt for provider-based address format. First IPv6 exchange: 6tap. Registries assign IPv6 prefixes. IPv6Forum formed. Major vendors bundle IPv6 in their mainstream product line.

6bone started.


IPv4 Versus IPv6 - Ringside

12

IPv4 IPv6 32-bit (4-byte) address supports 4,294,967,296 addresses

128-bit (16-byte) address supports 2128 (about 3.4×1038) addresses

NAT can be used to extend address space limitations

Does not support NAT by design

Administrators must use DHCP or static configuration to assign IP addresses to hosts

Hosts use stateless address autoconfiguration to assign an IP address to themselves

IPsec support is optional IPsec support is necessary

Options are integrated into the base header Improved support for options using extension headers and overall simplification of the header format


IPv6 Addressing IPv4 32-bits

IPv6 128-bits

232 = 4,294,967,296 2128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 (340 undecillion IPv6 addresses) 2128 = 232 * 296

296 = 79,228,162,514,264,337,593,543,950,336 times the number of IPv4 addresses (79 octillion addresses, or 79 trillion trillion for the arithmophobes)

13


340,282,366,920,938,463,374,607,432,768,211,456 (IPv6 Address Space – 340 Undecillion)

vs.

4,294,967,296 (IPv4 Address Space - 4 Billion)

So How Big Is The IPv6 Address Space?

14

Let’s assume that an atom represents 4 Billion Addresses

You would need 80,000 Kgs of Atoms to represent IPv6!!!!

.

An Atom

An 80 Tonne Whale (Lots of Atoms)

IPv6 Addressing


IPv6 Addresses IPv6 addresses are 128 bits long

– Segmented into 8 groups of four HEX characters – Separated by a colon (:) – 50% for network ID, 50% for interface ID – Network portion is allocated by Internet registries 2^64 (1.8 x 1019) – Still leaves us with ~ 3 billion network prefixes for each person on earth

16

nnnn:nnnn:nnnn: xxxx:xxxx:xxxx:xxxx

Global Routing Prefix n <= 48 bits

Subnet ID 64 – n bits

Host

ssss:

2001:1A6E:134A: 0000:0000:0000:1E2A 00A1:

Network Portion Interface ID

Global Unicast Identifier Example

2001:0:0: ::1E2A A1:

Full Format

Abbreviated Format


IPv6 Address and Simplification

17

• Base format (16-byte)

• Compact Format:

• Literal representation (e.g. used when browsing to IPv6 address directly and not through the DNS name) – [2001:660:3003:2:a00:20ff:fe18:964c]

2001:0660:3003:0001:0000:0000:6543:210F

2001:0660:3003:0001:0000:0000:6543:210F 2001:0660:3003:0001:0000:0000:6543:210F 2001:660:3003:1:0:0:6543:210F 2001:660:3003:1:0:0:6543:210F 2001:660:3003:1::6543:210F

6DISS Courtesy Slide


IPv6 Address Representation

Example: – Address: 2001:0DB8:0000:0000:FFFF:0000:0000:0ADC

– The following are correct representations: 2001:db8::FFFF:0:0:ADC 2001:db8:0:0:FFFF::ADC

– The following is an incorrect representation: 2001:db8::FFFF::ADC

18

Important to identify good vs. bad for exams!


Comparison of Address Type Syntax (CATS)

IPv4 Address

HOST: 156.50.20.1 NET: 156.50.0.0/16

IPv6 Address

FE80::20B:60FF:FEA7:D81A 2001:0:0:A1::/64

Network Operator

I need some Catnip… HEX is a curse…

19


Required Host Addresses

An IPv6 host interface requires the following IPv6 addresses for proper operation: – A link-local address – Loopback address – All-nodes multicast address – Any additional unicast and anycast addresses (configured automatically or manually) – Solicited-node multicast address for each of its unicast and anycast addresses – Multicast addresses of all other groups to which the host belongs

20


Required Router Addresses

An IPv6 router interface is required to identify the following IPv6 addresses for proper operation: – All valid host addresses – All-Routers multicast addresses – Subnet-router anycast addresses for all interfaces for which it is configured to act as a

router (prefix:: ; interface id=0) – Other unicast or anycast configured addresses – All other Anycast addresses with which the router has been configured. – All-Routers Multicast Addresses – Multicast Addresses of all other groups to which the router belongs.

21


Address Types Summary

22

Binary Prefix IPv6 Notation

Unspecified 00 … 0 (128 bits) ::/128

Loopback 00 … 1 (128 bits) ::1/128

Multicast 1111 1111 FF00::/8

Link-local unicast 1111 1110 10 FE80::/10

Unique local unicast 1111 110 FC00::/7

Global unicast Everything else

Currently allocated space is

2000::/3


Allocated Real World Usage

So, let’s look at things: – 2^128 addresses total – 2000::/3 is actually allocated – That means 2^125 addresses for Global Unicast Addressing All networks are at least /64’s per standard 125 – 64 = 61. So 2^61 possible networks in the currently allocated global space.

2^61 = 2,305,843,009,213,693,952 or 2.3 QUINTILLION networks.

/48 is typical allocation to enterprise customer 2^45 = 35,184,372,088,832 or 35 TRILLION enterprises

Current IPv4 BGP table is ONLY 400,000 routes and people complain

23

!

IPv6 Addressing: Formats


PI and PA Allocation Process

25

Registries

Level Four Enterprise

IANA

ISP Org

Provider Assigned

http://www.ripe.net/ripe/policies/proposals/2006-01.html http://www.ripe.net/ripe/policies/proposals/2006-05.html

2000::/3

/48

2000::/3

/48

/12

/32

/12

Provider Independent

http://www.ripe.net/ripe/policies/proposals/2006-01.html





Link-Local Addresses

Link-local addresses: – Have a limited scope of the link – Are automatically configured with the interface ID

Interface ID 0 128 bits

1111 1110 10

FE80::/10

10 bits

64 bits

EUI-64 Format

26


EUI-64 Format Addressing

27

EUI-64 address is formed by inserting "FFFE" and OR’ing a bit identifying the uniqueness of the MAC address.

U/L bit always inverts from what it was

00 90 27

00 90 27

00 90 27

02 90 27

17 FC 0F

17 FC 0F

17 FC 0F

17 FC 0F FF FE

FF FE

FF FE

000000X0 where X= 1 = unique

0 = not unique X = 1

Ethernet MAC address (48 bits)

64 bits version

Uniqueness of the MAC

Eui-64 address


IPv6 Privacy Extensions (RFC 3041/4941)

IEEE 24 bits OUI can be used to identify hardware – http://standards.ieee.org/regauth/oui/oui.txt Temporary addresses for IPv6 host client application,

e.g. web browser – Inhibit device/user tracking – Random 64 bit interface ID, then run Duplicate Address Detection

before using it – Rate of change based on local policy

2001 /32 /48 /64 /23

Interface ID

Recommendation: Use Privacy Extensions for External Communication but not for Internal

Networks (Troubleshooting and Attack Trace Back) RFC4941

28


Site-Local Addresses

29

Site-local addresses: – Have a limited scope of the site – Contain the inside topology of the site with the subnet ID – Subnet ID may contain octets 2 & 3 of IPv4 address!

Deprecated, but still reserved space, and still potential in exams!

Interface ID 0

1111 1110 11

FEC0::/10 Subnet id

128 bits

10 bits 16 bits


Unique Local Addresses

There are two types of Unique Local Address (ULA) ranges – Local self-assigned ranges FD00::/8 No centralized control, the “ID” field is randomized (“almost unique”)

– Centrally-assigned (global) ranges FC00::/8 Assigned to entity by RIR’s

30


Unique-Local Addresses

31

Unique-local addresses (RFC4193): – Have a limited scope of the site – Contain the inside topology of the site with the subnet ID – 40-bit Global ID is assigned to company for unique identification – Subnet ID may contain octets 2 & 3 of IPv4 address!

Interface ID Global ID

1111 1100

FC00::/7 Subnet id

128 bits

8 bits 16 bits

http://www.sixxs.net/tools/grh/ula/


Generating Unique Local Prefixes

32


Aggregated Global Unicast Addresses

33

Aggregatable Global Unicast addresses are: – Addresses for generic use of IPv6 – Structured as a hierarchy to keep the aggregation

Interface ID TLA NLAs SLA

001

64 bits 3 13 24 bits 16 bits 8

Provider Site Host

RES

NLA1 NLA2 NLAn

RFC 2374 RFC 3587

http://www.sixxs.net/tools/grh/dfp/ http://www.sixxs.net/tools/grh/dfp/arin/


IPv6 Aggregation

34

– Larger address space enables: – Aggregation of prefixes announced in the global routing table – Efficient and scalable routing

ISP

2001:0410::/35 Customer

no 2 IPv6 Internet

2001::/16 2001:0410:0002:/48

2001:0410:0001:/48

Customer no 1

Only announces the /35 prefix


Allocation Strategies

We wish to allocate /48’s out of the /35. Which are available:

– 2001:0468:0000 through – 2001:0468:1fff Recall the the bit structure is:

– 0010 0000 0000 0001: 0000 0100 0110 1000: 000 | 0:0000:0000:0000 – 0010 0000 0000 0001: 0000 0100 0110 1000: 000 | 1:1111:1111:1111 So there are 8,192 /48’s in a /35 Same thought process as IPv4 subnetting!

35


How Would Allocations Work?

Suppose you wish to give out /40’s in the /35. – 2001:0468:000 | 0 0000 | or 2001:0468::/40 – 2001:0468:000 | 1 1111 | or 2001:0468:1f00::/40 Thus there are 32 /40’s in the /35 each of which has 256 /48’s.

– 5 bits – 8 bits

36


How Would Allocations Work?

The same idea holds for /41’s or /42’s. – 2001:0468:000 | 0:0000:0 | or 2001:0468::/41 – 2001:0468:000 | 1:1111:1 | or 2001:0468:1f80::/41 – 2001:0468:000 | 0:0000:00 - :000 | 1:1111:11 – 2001:0468::/42 – 2001:0468:1fd0::/42

37


Mixed Allocations

The interesting case is how to handle mixed allocations. Some sites need a /40 others a /42. How can you handle this case. See

– draft-ietf-ipngwg-ipaddressassign-02 – A flexible method for managing the assignment of bits of an IPv6 address block – A perl script is included.

38


Example

A TLA has been assigned the 3ffe:0b00/24 prefix and wants to assign prefixes to its connected networks. Assume 8 bits for NLA’s. NLA2, will use 10 bits for subNLA’s. – TLA assigning to NLAs using lefmost bits: 10000000 : assigned to NLA1 01000000 : assigned to NLA2

– NLA2 assigning to its subNLAs using centermost bits: 0000010000 : assigned to subNLA1 0000100000 : assigned to subNLA2

– subNLAs use centermost bits and site nets assigned using rightmost bits. Putting all bits together for subNLA3:

– TLA |NLA2 |subNLA3 – 0011 1111 1111 1110 0000 1011 0100 0000 0000 1100 00

» <-------> <------> 39


Mixed Allocations

Here is the assignment: – Take 3ffe:3700::/32. Out of that allocate 34 = 2 37 = 3 38 = 5

40


IPv6 Multihoming

41


Multicast

42

Interface ID 0

1111 1111

128 bits

8 bits

Flag

8 bits

Scope F F Flag =

0 if permanent

1 if temporary

Scope =

1 = node 2 = link 5 = site 8 = organization E= global


IPv6 Multicast MAC Address Conversion

43

IPv6 Multicast Address

Corresponding Ethernet Address

Multicast Prefix for Ethernet

Multicast

• IPv6 multicast address to MAC address: – 33:33:(least significant 32 bits from IPv6)

FF22 DEAD

FF 22 DE AD 33 33

FF02 0000 0000 0000 0000 0001


Group ID

Multicast Addresses

44

Multicast is used in the context of one-to-many. A multicast scope is new in IPv6.

1111 1111

8 Bits

Flags

8 Bits

Scope F F Flags = 4 Bits = “0”, “R”, “P”, ”T”

Scope =

1 = interface-local 2 = link-local 3 = subnet-local 4 = admin-local 5 = site-local 8 = organization E = global

112 Bits


Multicast Assigned Addresses

Meaning Scope

FF02::1 All nodes Link-local

FF02::2 All routers Link-local

FF02::9 All RIP routers Link-local

FF02::1:FFXX:XXXX Solicited-node Link-local

FF05::101 All NTP servers Site-local

FF05::1:3 All-DHCP servers Site-local

45

FF0x:: is reserved (x = 0..F). Inside this range, the following are assigned:


IPv6 over Ethernet

– IPv6 has a specific Ethernet protocol ID – Different from the IPv4 one

Destination Ethernet Address IPv6 header and payload 0x86DD Source Ethernet

Address

46


IPv6 Addresses – Examples

cat6500-1>sh ipv6 int vlan 200 Vlan200 is up, line protocol is up IPv6 is enabled, link-local address is FE80::2D0:D3FF:FE81:9000 Description: --- To Core --- Global unicast address(es): 2001:DB8:12::1, subnet is 2001:DB8:12::/64 Joined group address(es): FF02::1 FF02::2 FF02::5 FF02::D FF02::16 FF02::1:FF00:1 FF02::1:FF81:9000

All nodes

All routers

OSPF Routers

All PIM Routers

All MLDv2 capable Routers

Global

Link-Local

47


IPv6 Interface Identifier

48

CR-IT-SW3#sh int gi 1/0/3 | in bia GigabitEthernet1/0/3 is up, line protocol is up Hardware is Gigabit Ethernet, address is 000c.3a3e.82de (bia 000c.3a3e.82de) CR-IT-SW3#

CR-IT-SW3#sh ipv6 interface gi 1/0/3 GigabitEthernet1/0/3 is up, line protocol is up IPv6 is enabled, link-local address is FE80::20C:3aFF:FE3E:82DE [TEN] Global unicast address(es): 2001:DB8:24:0:20C:3aFF:FE3E:82DE, subnet is 2001:DB8:24::/64 [EUI/TEN] Joined group address(es): FF02::1 FF02::2 FF02::1:FFAE:84C7 CR-IT-SW3#

CR-IT-SW3#sh run int gi 1/0/3 ! interface GigabitEthernet1/0/3 no switchport ip address 10.149.24.1 255.255.255.0 ipv6 address 2001:DB8:24::/64 eui-64 !


IPv6 Interface Identifier

49

CR-IT-SW3#sh int gi 1/0/3 | in bia GigabitEthernet1/0/3 is up, line protocol is up Hardware is Gigabit Ethernet, address is 000c.3a3e.82de (bia 000c.3a3e.82de) CR-IT-SW3#

CR-IT-SW3#sh ipv6 interface gi 1/0/3 GigabitEthernet1/0/3 is down, line protocol is down IPv6 is enabled, link-local address is FE80::20C:3AFF:FE3E:82DE [TEN] Global unicast address(es): 2006:149:24:0:20C:3AFF:FE3E:82DE, subnet is 2006:149:24::/64 [EUI/TEN] 2006:149:25::1, subnet is 2006:149:25::/64 [TEN] Joined group address(es): FF02::1 FF02::2 CR-IT-SW3#

CR-IT-SW3#sh run int gi 1/0/3 ! interface GigabitEthernet1/0/3 no switchport ip address 10.149.24.1 255.255.255.0 ipv6 address 2006:149:24::/64 eui-64 ipv6 address 2006:149:25::1/64 !


Windows 7 – Interface Identifier

50

C:\>netsh int ipv6 sh addr Interface 1: Loopback Pseudo-Interface 1 Addr Type DAD State Valid Life Pref. Life Address --------- ----------- ---------- ---------- ------------------------ Other Preferred infinite infinite ::1 Interface 12: isatap.{7218C71C-E509-4EF9-AB57-C08863056588} Addr Type DAD State Valid Life Pref. Life Address --------- ----------- ---------- ---------- ------------------------ Other Deprecated infinite infinite fe80::5efe:10.109.109.6%12 Interface 13: Local Area Connection* 9 Addr Type DAD State Valid Life Pref. Life Address --------- ----------- ---------- ---------- ------------------------ Public Preferred infinite infinite 2001:0:5ef5:73bc:a2:3ac1:f592:92f9 Other Preferred infinite infinite fe80::a2:3ac1:f592:92f9%13 Interface 11: Local Area Connection Addr Type DAD State Valid Life Pref. Life Address --------- ----------- ---------- ---------- ------------------------ Temporary Preferred 6d23h49m31s 6d23h49m31s 2001:db8:9:cafe:a133:5fb8:31df:864a Public Preferred 29d23h59m49s 6d23h59m49s 2001:db8:9:cafe:b407:e685:fb14:c12d Other Preferred infinite infinite fe80::b407:e685:fb14:c12d%11

Windows 7 doesn’t use the EUI-64 technique by default when forming its interface identifier, but uses their randomly-generated interface identifiers

IPv6 Addressing: Scoping


Types of Addresses

Unicast Multicast Anycast

52


Unicast Addresses

Unicast addresses are used in a one-to-one context. IPv6 unicast addresses:

– Global unicast addresses – Unique local addresses – Link-local addresses

53


IPv6 Address Types Three types of unicast address scopes

54

FC00:GGGG:GGGG:

xxxx:xxxx:xxxx:xxxx ssss:

FE80:0000:0000:0000: xxxx:xxxx:xxxx:xxxx

2000:GGGG:GGGG:

xxxx:xxxx:xxxx:xxxx ssss:

FFfs: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

• Interface “expected” to have multiple addresses and life-time parameters

Link-Local – Non routable exists on single layer 2 domain (FE80::/64)

Unique-Local (ULA) – Routable with an administrative domain (FC00::/7)

Global – Routable across the Internet (2000::/3)

• Multicast addresses begin with FF00::/8

• Other address types have come and gone (deprecated)

IPv6 Addressing: Special Addresses


Special Use IPv6 Addresses

Examples – Can you identify? – FF02:0:0:0:0:0:0:1 => FF02::1 – FF15:0:0:0:0:0:1:c001 => FF15::1:c001 – 0:0:0:0:0:0:0:1 => ::1 – 0:0:0:0:0:0:0:0 => ::

56


Special Use IPv6 Addresses

Other examples: 2001:0000::/29 through 2001:01F8::/29 are reserved

– 2001::/32 is used for Teredo tunneling – 2001:2::/48 is used for the Benchmarking Methodology Working Group of the IETF – 2001:10::/28 is used for the Overlay Routable Cryptographic Hash Identifiers

(ORCHID) – 2001:db8::/32 is the official range designated for training and documentation 2002::/16 is set aside for Automatic 6to4 Tunneling

57


IPv4 Addresses As IPv6 Addresses

Format: – IPv4-compatible (deprecated) 0:0:0:0:0:0:192.0.2.100 = ::192.0.2.100 = ::C000:0264

– IPv4-mapped (used often in MBGP for Next-Hop information) 0:0:0:0:0:FFFF:192.0.2.100 = ::FFFF:C000:0264

58


Representing IPv6 Addresses in URLs

59

In a URL, the address is enclosed in brackets: –http://[2001:DB8:1003::E]:8080/index.html Cumbersome for users

–Mostly for diagnostic purposes Use fully qualified domain names

RFC 2732 - Format for Literal IPv6 Addresses in URLs http://www.faqs.org/rfcs/rfc2732.html

IPv6 Addressing: Anycast


Anycast Addresses

Anycast: – Used in the context of one-to-nearest – Assigned to more than one interface – Allocated from the unicast address space

Interface ID Prefix

128-n Bits n Bits

61


IPv6 Addressing: Anycast Addresses

BGP Announces 2001:100:100:100::/64

SA = 2001:200:200:200::1 DA = 2001:100:100:100::1

2001:100:100:100::1 Host 1

2001:200:200:200::1

2001:100:100:100::1

2001:100:100:100::1

BGP Announces 2001:100:100:100::/64

BGP Announces 2001:100:100:100::/64

R1

R4

R2 R3

62

IPv6 Addressing: Configuration


Basic IPv6 Commands

R1(config)# ipv6 unicast-routing R1(config-if)# ipv6 address (#) R1(config)# ipv6 route (net/vlsm) (node#)

– Ipv6 route ::/0 3ffe:b00:c18:1:260:3eff:fe47:1530 Show ipv6 neighbors Ping (ipv6-addr)

64


L2 to L3 Mapping

Don’t forget that this is another protocol! – Any interface using manual mapping needs to be updated – Frame-relay map ipv6 …… – Dialer map ipv6 …… – Etc.

65


Static Name to Host Address Entries

Name to address resolution just like IPv4 – Ipv6 host (name) (ipv6-address) Can specify up to four addresses You can run DHCP server and DNS server in IPv6 No concept of secondary addresses in IPv6, all are valid options

66

IPv6 Headers: Packet Headers


IPv6 Structure

The IPv6 header has the following improvements: – Fixed length of 40 bytes – Simple, more efficient processing – Extension headers handle additional options – Several IPv4 fields have been removed: Header length, identification, flags, fragment offset, and header checksum

Version (4) Traffic Class Flow Label (20)

Payload Length (16) Next Header (8) Hop Limit (8) Source Address (128)

Destination Address (128)

40 bytes

(8)

68


IPv4 Header Versus IPv6 Header IPv4 Header

IPv6 Header Version Traffic

Class Flow Label

Payload Length Next Header Hop Limit

Source Address Destination Address

Version IHL TOS Total Length

Identification Flags Fragment Offset

Time to Live Protocol Header Checksum

Source Address Destination Address Options Padding

Key Fields the same in IPv4 and IPv6 Fields removed in IPv6 Name and position changed in IPv6 New field in IPv6

69

IPv6 Headers: Extension Headers


IPv6 Extension Headers

Simple packet headers provide faster processing – IPv6 deals with IP options using extension headers IPv6 defines six extension headers:

– Hop-by-hop options header – Routing header – Fragment header – Destination options header – Authentication header – Encrypted security payload header

71


IPv6 Header Manipulation

Unlimited size of header chain (spec-wise) can make filtering difficult Potential DoS with poor IPv6 stack implementations

– More boundary conditions to exploit – Can I overrun buffers with a lot of extension headers?

72

Perfectly Valid IPv6 Packet According to the Sniffer

Destination Options Header Should Be the Last

Header Should Only Appear Once

Destination Header Which Should Occur at Most Twice

See also: http://www.cisco.com/en/US/technologies/tk648/tk872/technologies_white_paper0900aecd8054d37d.html


Parsing the Extension Header Chain

Finding the layer 4 information is not trivial in IPv6 – Skip all known extension header – Until either known layer 4 header found => SUCCESS – Or unknown extension header/layer 4 header found... => FAILURE

73

IPv6 hdr HopByHop Routing AH TCP data

IPv6 hdr HopByHop Routing AH Unknown L4 ???

IPv6 hdr HopByHop Unk. ExtHdr AH TCP data

IPv6 Domain Naming System


Basic Ideas

DNS in IPv6 is much like DNS in IPv4 Keep files and delegations as simple as possible. Can use IPv4 as transport for DNS for now. Modern versions of Bind will work – Bind9 is stable and works with IPv6. There is work on dynamic DNS in progress, but we don’t need to worry about

that for now.

75


IPv4 IPv6

Hostname to IP address

A record: www.abc.test. A 192.168.30.1

IPv6 and DNS

AAAA record: www.abc.test. AAAA 2001:db8:C18:1::2

IP address to hostname

PTR record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0. 8.b.d.0.1.0.0.2.ip6.arpa. PTR www.abc.test.

PTR record: 1.30.168.192.in-addr.arpa. PTR

www.abc.test.

76


DNS server

Router A

B

DNS Query in IOS

77

DNS resolver picks IPv6 AAAA record first

IPv6 stacks on Windows XP, Linux, FreeBSD, etc. also pick IPv6 address before IPv4 address if both exist

Query=“www.example.org” TYPE=“AAAA”

Resp=“2001:db8:1::1” Type=“AAAA”

OR

Resp=“NONE”

Query=“www.example.org” TYPE=“A”

Resp=“192.168.0.3” Type=“A”


DNS Example – AAAA Queries

78

A and AAAA Queries for www.google.com

IPv6 Transport Preferred

Response IPv4 and IPv6 Addresses


DNS Extensions for IPv6

DNS has been extended to support IPv6 – RFC 3363—Representing Internet Protocol version 6 (IPv6) Addresses in the Domain

Name System (DNS) – RFC 3596—DNS Extensions to Support IP version 6 Extensions include:

– New record types for IPv6 addresses have been proposed (A6, AAAA) – New domain for reverse name resolution (IPv6.ARPA) – Hierarchical method to support easy network renumbering

79


DNS Example (IPv4-Only)

DNS Request (h.root-servers.net) (QTYPE=A)

IPv4 A Response (128.63.2.53)

H.ROOT-SERVERS.NET. 210892 IN A 128.63.2.53

Sample DNS Response

IPv4-Only Host DNS Server

80


DNS Example (IPv6-Only)

DNS Request (h.root-servers.net) (QTYPE=AAAA)

IPv6 AAAA Response (2001:500:1::803f:235 )

IPv4-Only Host DNS Server

H.ROOT-SERVERS.NET. 210892 IN AAAA 2001:500:1::803f:235

Sample DNS Response

81


DNS Example (Dual-Stack)

DNS Server

Dual-Stack Host DNS Request (h.root-servers.net) (QTYPE=AAAA, A)

I prefer IPv6 addresses

IPv6 AAAA Response (2001:500:1::803f:235 ) IPv4 A Response (128.63.2.53)

H.ROOT-SERVERS.NET. 210892 IN AAAA 2001:500:1::803f:235 H.ROOT-SERVERS.NET. 210892 IN A 128.63.2.53

Sample DNS Response

82


DNS Issues

Upgrade DNS servers to support IPv6 Adding AAAA record for a specific server to the DNS Server requires ALL

services to be IPv6 aware – LDAP or AD IPv6 Aware – All Services running on the Server Interim solution is to use a temporary name (see Google IPv6 start in 2008)

– ipv6.google.com vs. www.google.com

83


Forward Lookups

Uses AAAA records for assign IPv6 addresses to names. Multiple addresses possible for any given name – for example, in a multi-

homed situation. Can assign A records and AAAA records to a given name/domain. Can also assign separate domains for IPv6 and IPv4. Don’t be afraid to experiment!

84


Sample Forward Lookup File

85

;; domain.net (use your favorite naming scheme) $TTL 86400 @ IN SOA ns1.domain.edu. root.domain.edu. ( 2011061101 ; serial - YYYYMMDDXX 21600 ; refresh - 6 hours 1200 ; retry - 20 minutes 3600000 ; expire - long time 86400) ; minimum TTL - 24 hours ;; Nameservers IN NS ns1.domain.net. IN NS ns2.domain.net. ;; Hosts with just A records host1 IN A 100.100.100.1 ;; Hosts with both A and AAAA records host2 IN A 1.100.100.2 IN AAAA 2001:468:100:1::2 :: Separate domain $ORIGIN ip6.domain.net host1 IN AAAA 2001:468:100:1::1


Reverse Lookups

Reverses should be put in for both ip6.int and ip6.arpa domains. The ip6.int domains has been deprecated, but some hosts still use them. Can use same file for both – use the @ notation and point to the same file in

the named.conf file. File uses nibble format – see examples on next slide.

86


Sample Reverse Lookup File

87

;; 1.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev (use your favorite naming scheme ;; These are reverses for 2001:468:100:1::/64) ;; File can be used for both ip6.arpa and ip6.int. $TTL 86400 @ IN SOA ns1.domain.net. root.domain.net. ( 2011061101 ; serial - YYYYMMDDXX 21600 ; refresh - 6 hours 1200 ; retry - 20 minutes 3600000 ; expire - long time 86400) ; minimum TTL - 24 hours ;; Nameservers IN NS ns1.domain.net. IN NS ns2.domain.net. 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR host1.ip6.domain.net 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR host2.domain.net ;; ;; Can delegate to other nameservers in the usual way ;;

IPv6 Host Addressing


Auto-Configuration

• Larger address space enables: the use of link-layer addresses inside the address space auto-configuration with "no collisions" offers "plug and play"

Sends network-type information (prefix, default route, …)

Host autoconfigured address is: prefix received + link-layer address

Mac address: 00:2c:04:00:FE:56

89


Renumbering

– Larger address space enables: renumbering, using auto-configuration and multiple addresses

Sends NEW network-type information (prefix, default route, …)

Host auto-configured address is: NEW prefix received + SAME link-layer address

Mac address: 00:2c:04:00:FE:56

90

IPv6 Neighbor Discovery


Neighbor Discovery Parameters

92

Router advertisements • Default router

• IPv6 network prefix

• Lifetime of advertisement

Autoconfiguring IPv6 hosts


Types of Discovery

Router Discovery: How hosts locate routers that reside on an attached link. Prefix Discovery: How hosts discover the set of address prefixes that define

which destinations are on-link for an attached link. (Nodes use prefixes to distinguish destinations that reside on-link from those only reachable through a router.) Parameter Discovery: How a node learns such link parameters as the link MTU

or such Internet parameters as the hop limit value to place in outgoing packets.

93


What do you Do with that?

Address Autoconfiguration: How nodes automatically configure an address for an interface. Address resolution: How nodes determine the link-layer address of an on-link

destination (e.g., a neighbor) given only the destination's IP address. Next-hop determination: The algorithm for mapping an IP destination address

into the IP address of the neighbor to which traffic for the destination should be sent. The next-hop can be a router or the destination itself.

94


What About Changes?

Neighbor Unreachability Detection: How nodes determine that a neighbor is no longer reachable. For neighbors used as routers, alternate default routers can be tried. For both routers and hosts, address resolution can be performed again. Duplicate Address Detection: How a node determines that an address it wishes

to use is not already in use by another node. Redirect: How a router informs a host of a better first-hop node to reach a

particular destination.

95


ND Summary

Neighbor Discovery defines five different ICMP packet types: A pair of Router Solicitation and Router Advertisement messages, a pair of Neighbor Solicitation and Neighbor Advertisements messages, and a Redirect message. The messages serve the following purpose: Router Solicitation: When an interface becomes enabled, hosts may send out

Router Solicitations that request routers to generate Router Advertisements immediately rather than at their next scheduled time.

96


Types and Comparison

Router Advertisement: Routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message. Router Advertisements contain prefixes that are used for on-link determination and/or address configuration, a suggested hop limit value, etc. (Like SAP in IPX) Neighbor Solicitation: Sent by a node to determine the link-layer address of a

neighbor, or to verify that a neighbor is still reachable via a cached link-layer address. Neighbor Solicitations are also used for Duplicate Address Detection. (Like ARP in IPv4) Neighbor Advertisement: A response to a Neighbor Solicitation message. A

node may also send unsolicited Neighbor Advertisements to announce a link-layer address change. (Like gratuitous ARP in IPv4) Redirect: Used by routers to inform hosts of a better first hop for a destination.

(Like ICMP Redirect in IPv4) 97


Neighbor Discovery Configuration

98

LAN1: 3000:b00:c18:1::/64

LAN2: 3000:b00:c18:2::/64

RA

RA

Fa0/0

Fa0/1

Fa0/0

interface FastEthernet0/0 ipv6 nd prefix 3000:b00:c18:1::/64 43200 43200 ipv6 nd ra-lifetime 0 interface FastEthernet0/1 ipv6 nd prefix 3000:b00:c18:2::/64 43200 43200

interface FastEthernet0/0 ipv6 nd prefix 3000:b00:c18:1::/64 43200 43200

R2

R1

IPv6 Internet


Prefix Renumbering

99

NEW network prefix: 3ffe:b00:c18:2::/64 Deprecated prefix: 3ffe:b00:c18:1::/64

Hosts:

Autoconfigured IPv6 hosts

deprecated address 3ffe:b00:c18:1:260:8ff:fede:8fbe preferred address 3ffe:b00:c18:2:260:8ff:fede:8fbe

Router configuration after renumbering:

Router advertisements with expiration dates

OR:

interface FastEthernet0/0 ipv6 nd prefix 3ffe:b00:c18:1::/64 43200 0 ipv6 nd prefix 3ffe:b00:c18:2::/64 43200

interface FastEthernet0/0 ipv6 nd prefix 3ffe:b00:c18:1::/64 at Sep 1 2012 23:59 Sep 1 2012 23:59 ipv6 nd prefix 3ffe:b00:c18:2::/64 43200 43200

IPv6 & ICMPv6


ICMP

Completely Changed – note new header type

Now includes IGMP

Types organized as follows – 1 – 4 Error messages – 128 – 129 Ping – 130 – 132 Group membership – 133 – 137 Neighbor discovery

General Format

101


ICMP Type Description 1 Destination Unreachable 2 Packet Too Big 3 Time Exceeded 4 Parameter Problem 128 Echo Request 129 Echo Reply 130 Group Membership Query 131 Group Membership Report 132 Group Membership Reduction 133 Router Solicitation 134 Router Advertisement 135 Neighbor Solicitation 136 Neighbor Advertisement

137 Redirect

102


ICMPv6

Not compatible with IPv4 ICMP – Completely new protocol specification Incorporates the IPv4 IGMP functionality Identified by a new protocol code: next-header type

– IPv4 ICMP is protocol code 1 – IPv4 IGMP is protocol code 2 – IPv6 ICMP is next-header type 58 RFC 2463—Replaced by RFC 4884

103


HSRP for v6 First Hop Router Redundancy

104

Modification to Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects

Virtual MAC derived from HSRP group number and virtual IPv6 link-local address

HSRP Standby

HSRP Active

GLBP for v6 Modification to Neighbor Advertisement, Router

Advertisement—GW is announced via RAs

Virtual MAC derived from GLBP group number and virtual IPv6 link-local address

GLBP AVF, SVF

GLBP AVG, AVF

Neighbor Unreachability Detection (NUD) For rudimentary HA at the first HOP

Hosts use NUD “reachable time” to cycle to next known default gateway (30s by default)

RA Sent Reach-time = 5,000 msec


Neighbor Discovery

Neighbor Discovery

DAD

NUD

Redirects

Address Resolution (~ARP)

Router Discovery

Neighbor Discovery Types

105


Neighbor Discovery

IPv4 uses ARP to resolve local addresses – Relies on broadcasts IPv6 does not have the concept of broadcasts

– Still need a method to resolve local addresses – Use solicited-node multicast instead IPv6 uses ICMPv6 the following types of message:

– Neighbor solicitation – Neighbor advertisement – Router solicitation – Router advertisement

106


Neighbor Solicitation

107

I need to reach IPv6 address FEC0::2003:210:A4FF:FEA6:69D0

Neighbor solicitation (ICMP Type 135) to solicited node multicast address

I have that address! Neighbor advertisement

(ICMP Type 136) to neighbor solicitation

source address

Solicited node multicast address allows the host to reach all nodes with matching last 24 bits (derived from DA)

Host 1 Host 2


Solicited Node Multicast Address

Layer 3 multicast group derived from the IPv6 address Minimizes the number of hosts that see the neighbor solicitation Fixed prefix (FF02:0:0:0:0:1:FF00:0/104) + last 24 bits of the host’s IPv6

address

108

FEC0::2003:210:A4FF:FEA6:69D0 Unicast address

FF02:0:0:0:0:1:FFA6:69D0 Solicited multicast address

• All nodes with the same final 24 bits of their IPv6 addresses receive packets to this multicast address


Duplicate Address Detection

109

Send NS

I have that address! NA to all-nodes multicast

Select new address or display error and do not participate on the network (RFC2462)

Host 1 Host 2


Autoconfiguration

IPv6 hosts can configure their own addresses automatically Similar in function to IPv4 DHCP Two methods:

– Stateless autoconfiguration – Stateful autoconfiguration Common ICMPv6 messages to both:

– Router advertisements – Router solicitations

110


Router Advertisement

111

Used to configure hosts Periodically sent to the all-nodes multicast group Also sent in response to a router solicitation message Options can contain:

– MTU – On-link prefixes and lifetimes – Layer 2 address of the advertising router

32 bits

Type=134 Code Checksum

Reachable Time Hop Limit M O RSV Router lifetime

Retransmit Timer Options


Type Length Prefix Length L A Reserved Valid Lifetime

Preferred Lifetime Reserved

Prefix

Router Advertisement—Prefix Option

112


Router Solicitation

113

Sent by hosts to locate on-link routers

Usually sent to the all-routers multicast group

Source address can be: – Unspecified – Local address

Router solicitation message consists of five fields

Type=133 Code Checksum Reserved Options 32 bits


Stateless Autoconfiguration

Basic host address configuration IPv6 Stateless Address Autoconfiguration

– RFC 4862—September 2007

114



115

Generate a link local address

Verify this tentative address Is ok. Use a neighbor solicitation

with the tentative address as the target. ICMP type 135

If the address is in use

a neighbor advertisement Message will be returned.

ICMP type 136

If no response Assign the address to the Interface. At this point the Node can communicate

On-link.

Fail and go to manual Configuration or choose A different interface token



116

Assign address to Interface.

Node joins the All Routers Multicast group. FF02::1

Sends out a router Solicitation message to That group.

ICMP type 133

Router responds with a Router advertisement.

ICMP type 134


Stateless Autoconfiguration Look at the “managed address

configuration" flag

If M= 0 proceed with Stateless configuration

If M=1 stop and Do statefull config.

Look at "other stateful configuration" flag

If O = 0 finish

If O= 1 use statefull Configuration for other information

117



118

Build link-local address Join all-nodes multicast group Join solicited node multicast group Send NS My address is unique! Send RS No routers!

Try stateful configuration

Link-local only

Host 1



119

Build link-local address

Join all-nodes multicast group

Join solicited node multicast group

Send NS

My address is unique!

Send RS

Send RA

Build on-link addresses


Router Solicitation Options

Valid Lifetime – 32-bit unsigned integer. The length of time in seconds before an address is

invalidated. Preferred Lifetime

– 32-bit unsigned integer. The length of time in seconds before an address is deprecated.

120


Stateless autoconfig

Routers are to send out router advertisements at regular intervals at the all hosts address. – This should update lifetimes. Note that stateless autoconfig will only configure addresses.

– It will not do all the host configuration you may well want to do.

121


Stateful Autoconfiguration

IPv4 DHCP does more than manage addressing… Provides optional services:

– DNS – WINS server – Boot server – NETBIOS node type – Many others… Stateful autoconfiguration and Dynamic Host Configuration Protocol for IPv6

(DHCPv6) meet the demand – draft-ietf-dhc-dhcpv6-28.txt

122


Stateful Autoconfiguration (1 of 2)

123




Send NS


Send RS

Send RA (M bit = 0, O bit = 1)

Build on-link addresses



124

Send DHCP request to FF05::1:3 (All DHCP Servers)

Send DHCP reply (Unicast)

Read options and configure parameters



125




Send NS


Send RS

Send RA (M bit = 1)

Can’t build addresses!



126

Send DHCP request To FF02::1:2 (All DHCP Agents)

Send DHCP reply (Unicast—can be relayed)

Read options and configure addresses and parameters

IPv6 Neighbor Discovery: Configuration


Router Advertisement

R3

R2

FEC0:0:0:2003::/64

FEC0:0:0:2000::/64

fe-0/0/0

::1

fe-0/0/1

::1

fe-0/0/1

::2

Enable router advertisement on this network

Host Host R1

fe-0/0/1

::2

128

IPv6 Transition Mechanisms


IPv6 is a Floating Process

Always watch the IPv6 Working Group of the IETF http://tools.ietf.org/wg/ipv6/ Currently revisions to over 30 different RFC standards Great place to see current status listing 16 current draft standard versions as well Nice doc for SPs at:

– https://cisco-support-vm-prod.hosted.jivesoftware.com/docs/DOC-13985

130

http://tools.ietf.org/wg/ipv6/

https://cisco-support-vm-prod.hosted.jivesoftware.com/docs/DOC-13985


A Transition Plan for the Internet

Transition is expected to take several years – Estimates for IPv4 address exhaustion: 2011–2012 IPv4 will not disappear

– Legacy protocol support issues – Protocols rarely disappear completely Transition enablers

– Vendors must provide IPv6 features and functionality comparable to IPv4 – Application vendors must add support for IPv6 – Customers must drive the transition Moving to IPv6 will not be painless

– Any attempt at a complete cutover date is doomed to fail! – Gradual transition schemes are necessary

131


IETF Transition Schemes

IETF Network Working Group has several suggestions – IP Next Generation Transition Working Group (ngtrans) – http://www.ietf.org/html.charters/ngtrans-charter.html Basic Transition Mechanisms for IPv6 Hosts and Routers (RFC 4213) Suggested methods include:

– Dual-stack approach – Tunneling Static Dynamic

– Network Address Translation–Protocol Translation (NAT-PT) – (RFC 2766)

132

IPv6 Deployments: Dual Stack Deployment


Dual Stack

Both IPv4 and IPv6 stacks are enabled.

Applications can talk to both.

Choice of the IP version is based on name lookup and application preference.

134


Host Running Dual Stack

In a dual stack case, an application that: – Is IPv4- and IPv6-enabled – Asks the DNS for all types of addresses – Chooses one address and, for example, connects to the IPv6 address

DNS Server

www.xyz.com A and AAAA = * ?

2001:DB8:CAFE::1 2001:DB8:CAFE::1 10.1.1.1

IPv6

IPv4

135

http://www.a.com


IPv6 using Dual Stack Backbone

All P + PE routers are capable of IPv4+IPv6 support Two IGPs supporting IPv4 and IPv6 Memory considerations for larger routing tables Native IPv6 multicast support All IPv6 traffic routed in global space Good for content distribution and global services (Internet)

IPv4/IPv6 Core

CE

IPv6 IPv4

PE P P PE CE IPv4

IPv6

IPv6 configured interface

IPv4 configured interface

Some or all interfaces in cloud dual configured

IPv6 + IPv4 Core IPv4 + IPv6 Edge IPv4 and/or IPv4 edge Dual Stack App

136


Dual Stack Configuration

IPv4/IPv6 Core

CE

IPv6 IPv4

PE P P PE CE IPv4

IPv6

IPv6 + IPv4 Core IPv4 + IPv6 Edge IPv4 and/or IPv4 edge Dual Stack App

ipv6 unicast-routing interface Ethernet0 ip address 192.168.99.1 255.255.255.0 ipv6 address 2001:db8:213:1::1/64

137


Dual-Stack Approach

Most devices are already configured with IPv4 As IPv6 is deployed:

– IPv6 software will be installed as a second Network Layer stack – IPv6 addresses will be configured on all devices Host will be responsible for deciding:

– When to use the IPv4 address – When to use the IPv6 address DNS has been updated to help! RFC 3363—Representing Internet Protocol Version 6 (IPv6) Addresses

in the Domain Name System (DNS)

138

IPv6 Multicast


IPv4 and IPv6 Multicast Comparison Service IPv4 Solution IPv6 Solution

Addressing Range 32-bit, Class D 128-bit (112-bit Group)

Routing Protocol Independent, All IGPs and MBGP

Protocol Independent, All IGPs and MBGP with v6 mcast SAFI

Forwarding PIM-DM, PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR

PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR

Group Management IGMPv1, v2, v3 MLDv1, v2

Domain Control Boundary, Border Scope Identifier

Interdomain Solutions MSDP across Independent PIM Domains

Single RP within Globally Shared Domains

Static RP, BSR, No Auto-RP

Embedded RP 140

IPv6 Quality of Service


Quality of Service IPv6 QoS

– Same architectural models as IPv4 – Differentiated Services (Traffic Class field) – Integrated Services (RSVP)

IPv6 traffic class – Value defined per applications, same DSCP for

applications over both IPv4 and IPv6 – decision to differentiate per protocol is an operational one

IPv6 flow label (RFC 3697) – A new 20-bit field in the IPv6 basic header – Its value cannot be changed by intermediate devices – No RFC regarding flow label usage yet

Transition – Mapping between IPv6 DSCP & IPv4 ToS or MPLS EXP

Version Traffic Class Flow Label

Payload Length Next Header Hop Limit

Source Address

Destination Address

142


Exercise with QoS

IPv6 QoS This is an excellent opportunity to look at QoS as it stands currently within your

network What will change with IPv6 deployment? What needs to change with IPv6 deployment? All of life is merely a matter of perspective!

143

IPv6 Security: Differences to IPv4


IPv6 Security

145

SHARED ISSUES

IPv4 Vulnerabilities IPv6 Vulnerabilities


Measuring the Length of a /64 Subnet…

…it will take almost 2 years for this light to reach the other end of the line

This line will be 1.2 million times longer than the distance from Earth to Sun

If we put all the available addresses in a line, with a density of one address per millimeter… …and turn on a flashlight on one end of this line…

2 years

146


Reconnaissance in IPv6

Public servers will still need to be DNS reachable – More information collected by Google... Increased deployment/reliance on dynamic DNS

– More information will be in DNS Using peer-to-peer clients gives IPv6 addresses of peers Administrators may adopt easy-to-remember addresses (::10,::20,::BAD:F00D,

::C5C0 or simply IPv4 last octet for dual stack) By compromising hosts in a network, an attacker can learn new addresses to

scan Transition techniques (see further) derive IPv6 address from IPv4 address

– can scan again

147


Remote Scanning Happens *Today*

Ports: 22/tcp, 25/tcp, 53/udp, 443/tcp and 9511/tcp, protocol 128. “Easy” host IDs: :: to ::2ff, ::1000 to ::10ac, ::2000 to ::2111 ::1:0 to ::1:1ff, ::500, ::aaa, ::fff ::1337, ::3128, ::2525, ::5353, ::6667, ::8000, ::aaaa, ::abcd, ::babe, ::café, ::beef, ::ffff ::[0-9]:25, ::[0-9]:53, ::[0-9]:80

148

Source: http://lists.cluenet.de/pipermail/ipv6-ops/2010-November/004367.html

http://lists.cluenet.de/pipermail/ipv6-ops/2010-November/004367.html


Scanning: Lessons Learned

Use infrastructure ACLs to protect the routers – iACL on the edge to deny packets to your routers – Implies having a good addressing plan Secure the hosts that have easy to guess addresses

– Avoid running unnecessary services – Regularly scan your hosts to check – Temporarily block unknown addresses with failed SSH logins

149


Reconnaissance in IPv6? Easy with Multicast!

No need for reconnaissance anymore 3 site-local multicast addresses

– FF05::2 all-routers, FF05::FB mDNSv6, FF05::1:3 all DHCP servers Several link-local multicast addresses

– FF02::1 all nodes, FF02::2 all routers, FF02::F all UPnP, ... Some deprecated (RFC 3879) site-local addresses but still used

– FEC0:0:0:FFFF::1 DNS server

150

2001:db8:2::50

2001:db8:1::60

2001:db8:3::70

Attacker FF05::1:3

Source Destination Payload

DHCP Attack

http://www.iana.org/assignments/ipv6-multicast-addresses/


Preventing Reconnaissance with IPv6 Multicast

The site-local/anycast addresses must be filtered at the border in order to make them unreachable from the outside ACL block ingress/egress traffic to

– Block FEC0::/10 (deprecated site-local addresses) – Permit mcast to FF02::/16 (link-local scope) – Permit mcast to FF0E::/16 (global scope) – Block all mcast

151

Organization A

Organization B ipv6 access-list NO_RECONNAISSANCE deny any fec0::/10 permit any ff02::/16 permit any ff0e::/16 deny any ff00::/8 permit any any


Finding Some Hosts on the Local LAN…

152


Virii and Worms in IPv6

Viruses and email, IM worms: IPv6 brings no change Other worms:

– IPv4: reliance on network scanning – IPv6: not so easy (see reconnaissance) => will use

alternative techniques

153

Worm developers will adapt to IPv6 IPv4 best practices around worm detection and mitigation

remain valid


He Only Wanted Some Free Smilies…

Users tricked to click on deceptive links “Free IQ test” Social networks are explored by

miscreants Social engineering and XSS are protocol-

independent

154


L3 Spoofing in IPv6

155

uRPF Remains the Primary Tool for Protecting Against L3 Spoofing

Access Layer

Spoofed IPv6 Source Address

X IPv6 Intranet/Internet

No Route to Src Addr prefix => Drop

Access Layer

Spoofed IPv6 Source Address

X IPv6 Intranet/Internet

No Route to Src Addr prefix out the packet inbound interface => Drop

uRPF Loose Mode

uRPF Strict Mode ipv6 verify unicast source reachable-via rx

ipv6 verify unicast source reachable-via any


Preventing Routing Header Attacks

Apply same policy for IPv6 as for Ipv4: – Block Routing Header type 0 Prevent processing at the intermediate nodes

– no ipv6 source-route – Windows, Linux, Mac OS: default setting At the edge

– With an ACL blocking routing header RFC 5095 (Dec 2007) RH0 is deprecated

– Default IOS changed in 12.4(15)T to ignore and drop RH0 – ASA drops RH0 by default

156


IPv4 Broadcast Amplification: Smurf

157

ICMP REQ D=160.154.5.255 S= 172.18.1.2

160.154.5.0

Attempt to Overwhelm Destination

ICMP REPLY D=172.18.1.2 S=160.154.5.19

ICMP REPLY D=172.18.1.2 S=160.154.5.18

ICMP REPLY D=172.18.1.2 S=160.154.5.17

ICMP REPLY D=172.18.1.2 S=160.154.5.16

ICMP REPLY D=172.18.1.2 S=160.154.5.15

ICMP REPLY D=172.18.1.2 S=160.154.5.14

172.18.1.2

Belgian Schtroumpf


IPv6 and Broadcasts

There are no broadcast addresses in IPv6 Broadcast address functionality is replaced with appropriate link local multicast

addresses – Link Local All Nodes Multicast—FF02::1 – Link Local All Routers Multicast—FF02::2 – Link Local All mDNS Multicast—FF02::FB

– Note: anti-spoofing also blocks amplification attacks because a remote attacker cannot

masquerade as his victim

158

http://iana.org/assignments/ipv6-multicast-addresses/


IPv6 and Other Amplification Vectors

IOS implements correctly RFC 4443 ICMPv6 – No ping-pong on a physical point-to-point link Section 3.1 – No ICMP error message should be generated in response to a packet with a multicast

destination address Section 2.4 (e.3) – Exceptions for Section 2.4 (e.3) – packet too big message – the parameter problem message

159

•Rate Limit egress ICMP Packets •Rate limit ICMP messages generation •Secure the multicast network (source specific multicast) •Note: Implement Ingress Filtering of Packets with IPv6 Multicast Source Addresses


IPv6 Attacks with Strong IPv4 Similarities

Sniffing – IPv6 is no more or less likely to fall victim to a sniffing attack than IPv4 Application layer attacks

– The majority of vulnerabilities on the Internet today are at the application layer, something that IPSec will do nothing to prevent

Rogue devices – Rogue devices will be as easy to insert into an IPv6 network as in IPv4 Man-in-the-Middle Attacks (MITM)

– Without strong mutual authentication, any attacks utilizing MITM will have the same likelihood in IPv6 as in IPv4

Flooding – Flooding attacks are identical between IPv4 and IPv6

160


By the Way: It Is Real IPv6 Hacking Tools

Sniffers/packet capture – Snort – TCPdump – Sun Solaris snoop – COLD – Wireshark – Analyzer – Windump – WinPcap

Scanners – IPv6 security scanner – Halfscan6 – Nmap – Strobe – Netcat

DoS Tools – 6tunneldos – 4to6ddos – Imps6-tools

Packet forgers – Scapy6 – SendIP – Packit – Spak6

Complete tool – http://www.thc.org/thc-ipv6/

161

Let the Games Begin

http://www.thc.org/thc-ipv6/


IPv6 Privacy Extensions (RFC 3041)

Temporary addresses for IPv6 host client application, e.g. web browser

– Inhibit device/user tracking – Random 64 bit interface ID, then run Duplicate Address Detection

before using it – Rate of change based on local policy

2001

/32 /48 /64 /23 Interface ID

Recommendation: Use Privacy Extensions for External Communication but not for Internal Networks (Troubleshooting and Attack Trace Back)

162


The IPsec Myth: End-to-End will Save the World

IPv6 mandates the implementation of IPsec IPv6 does not require the use of IPsec Some organizations believe that IPsec should be used to secure all flows...

– Interesting scalability issue (n2 issue with IPsec) – Need to trust endpoints and end-users because the network cannot secure the traffic:

no IPS, no ACL, no firewall – IOS 12.4(20)T can parse the AH – Network telemetry is blinded: NetFlow of little use – Network services hindered: what about QoS?

163

Recommendation: do not use IPsec end to end within an administrative domain. Suggestion: Reserve IPsec for residential or hostile environment or high profile targets.


IPv4 to IPv6 Transition Challenges

16+ methods, possibly in combination Dual stack

– Consider security for both protocols – Cross v4/v6 abuse – Resiliency (shared resources) Tunnels

– Bypass firewalls (protocol 41 or UDP) – Can cause asymmetric traffic (hence breaking stateful firewalls)

164


Dual Stack Host Considerations

Host security on a dual-stack device – Applications can be subject to attack on both IPv6 and IPv4 – Fate sharing: as secure as the least secure stack... Host security controls should block and inspect traffic from both IP versions

– Host intrusion prevention, personal firewalls, VPN clients, etc.

165

Dual Stack Client

IPv4 IPsecVPN with No Split Tunneling

Does the IPsec Client Stop an Inbound IPv6 Exploit?

IPv6 HDR IPv6 Exploit


No IPv6 Network = No Problem? Wrong!

IPv6 enabled by default on all modern OSes Applications prefer IPv6 addresses “Blackhat” may not be malicious (Windows with ICS) Time to think about deploying IPv6

166

IPv4 Internet

Client Dualstack Server

IPv4-only segment

Inject RA

IPv6 I have IPv6 ! Let’s use it !


IPv6 Tunneling Summary

RFC 1933/2893 configured and automatic tunnels

RFC 2401 IPSec tunnel

RFC 2473 IPv6 generic packet tunnel

RFC 2529 6over4 tunnel

RFC 3056 6to4 tunnel

RFC 5214 ISATAP tunnel

MobileIPv6 (uses RFC2473)

RFC 4380 Teredo tunnels

RFC5569 6RD

Only allow authorized endpoints to establish tunnels

Static tunnels are deemed as “more secure,” but less scalable

Automatic tunneling mechanisms are susceptible to packet forgery and DoS attacks

These tools have the same risk as IPv4, just new avenues of exploitation

Automatic IPv6 over IPv4 tunnels could be secured by IPv4 IPSec

167


IPv6 in IPv4 Tunnel

L3-L4 Spoofing in IPv6 over IPv4 Tunnels

Most IPv4/IPv6 transition mechanisms have no authentication built in => an IPv4 attacker can inject traffic if spoofing on IPv4 and

IPv6 addresses

168

Public IPv4 Internet

Server B Server A

Tunnel Termination

Tunnel Termination

IPv6 Network IPv6 Network

IPv6 ACLs Are Ineffective Since IPv4 & IPv6 Is Spoofed Tunnel Termination Forwards the Inner IPv6 Packet

IPv4

IPv6

IPv6 Security: Access-List Filtering


Cisco IOS IPv6 Extended Access Control Lists

Very much like in IPv4 – Filter traffic based on Source and destiion addresses Next header presence Layer 4 information

– Implicit deny all at the end of ACL – Empty ACL means traffic allowed – Reflexive and time based ACL Known extension headers (HbH, AH, RH, MH, destination, fragment) are scanned

until: – Layer 4 header found – Unknown extension header is found Side note for 7600 & other switches:

– No VLAN ACL – Port ACL on Nexus-7000, Cat 3750 (12.2(46)SE), Cat 4K (12.2(54)SG), – Cat 6K (12.2(33)SXI4)

170


IOS IPv6 Extended ACL Can match on

– Upper layers: TCP, UDP, SCTP port numbers – TCP flags SYN, ACK, FIN, PUSH, URG, RST – ICMPv6 code and type – Traffic class (only six bits/8) = DSCP – Flow label (0-0xFFFFF)

IPv6 extension header – routing matches any RH, routing-type matches specific RH – mobility matches any MH, mobility-type matches specific MH – dest-option matches any, dest-option-type matches specific destination options – auth matches AH – Can skip AH (but not ESP) since IOS 12.4(20)T

fragments keyword matches – Non-initial fragments (same as IPv4) – And the first fragment if the L4 protocol cannot be determined

undetermined-transport keyword matches (only for deny) – Any packet whose L4 protocol cannot be determined: fragmented or unknown extension header

171


Cisco IOS IPv6 ACL

172

Filtering Inbound Traffic to one Specific Destination Address

Prefix: 2001:db8:2c80:1000::/64

IPv6 Internet

2001:db8:2c80:1000::1

others

Serial 0

ipv6 access-list MY_ACL remark basic anti-spoofing permit any 2001:db8:2c80:1000::1/128 deny 2001:db8:2c80:1000::/64 any interface Serial 0 ipv6 traffic-filter MY_ACL in


IPv6 ACL Implicit Rules - RFC 4890

Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery: Nexus 7000 also allows RS & RA

173

permit icmp any any nd-na permit icmp any any nd-ns deny ipv6 any any


IPv6 ACL Implicit Rules

174

The beginner’s mistake is to add a deny log at the end of IPv6 ACL

Solution, explicitly add the implicit ACE

! Now log all denied packets deny IPv6 any any log ! Hey . . . I forget about these implicit lines permit icmp any any nd-na permit icmp any any nd-ns deny ipv6 any any

. . . ! Now log all denied packets permit icmp any any nd-na permit icmp any any nd-ns deny ipv6 any any log


Example: Rogue RA & DHCP Port ACL

175

ipv6 access-list ACCESS_PORT

remark Block all traffic DHCP server -> client

deny udp any eq 547 any eq 546

remark Block Router Advertisements

deny icmp any any router-advertisement

permit any any

Interface gigabitethernet 1/0/1

switchport

ipv6 traffic-filter ACCESS_PORT in

Note: Nexus-7000 and Cat 3750 12.2(46)SE, Catalyst 6500 12.2(33)SXI4, Catalyst 4500 12.2(54)SG

IPv6 Security: Prefix-List Filtering


Creation of Prefix Lists

Like many things, from a command-line perspective the only thing that changes is “ip” changes to “ipv6” Cisco = ipv6 prefix-list (name) (prefix) (modifiers) At a binary level, IPv6 works the same as IPv4 does Same rules, different protocol!

177

IPv6 Routing Protocols


Routing: The IPv4 – IPv6 Parallel RIP

RIPv2 for IPv4 RIPng for IPv6 Distinct but similar protocols with RIPng taking advantage of IPv6 specificities

OSPF OSPFv2 for IPv4 OSPFv3 for IPv6 Distinct but similar protocols with OSPFv3 being a cleaner implementation that takes advantage of IPv6 specificities

IS-IS Extended to support IPv6 Natural fit to some of the IPv6 foundational concepts Supports Single and Multi Topology operation

EIGRP Extended to support IPv6 (IPv6_REQUEST_TYPE, IPv6_METRIC_TYPE, IPv6_EXTERIOR_TYPE) Some changes reflecting IPv6 characteristics

BGP New MP_REACH_NLRI, MP_UNREACH_NLRI, AFI=2 with SAFI for Unicast/ /Label/VPN Peering over IPv6 or IPv4 (route maps)

For all intents and purposes, IPv6 IGPs are similar to their IPv4 counterparts

IPv6 IGPs have additional features that could lead to new designs 179


Routing Protocols Static Routes

– BFD

RIPng – Graceful Restart and NSR

OSPFv3 – IPv6 EH authentication – IPSec encryption (ESP Header) – Overloading – Graceful Restart and NSR – BFD (9.3) – P2P interface (9.4) – OSPF Rib-group for IPv6 – Realm support (IPv4 support) but without TE support

IS-IS – Authentication – Unicast Mesh Groups – Multicast Mesh Groups – Graceful Restart and NSR – BFD for dual stack interface (not for v6-only) – ISIS Rib-groups for ipv6

Multitopology IS-IS – Unicast – Multicast

BGP – Authentication – BGP peering to IPv6 endpoints – IPv6 routes over IPv4 peering – IPv6 Prefix Limits – Interface counters – Graceful Restart and NSR

BGPv6 supported families: – family inet6 unicast – family inet6 multicast – family inet6 labeled-unicast – Inet4 unicast (not supported)

Routing Policy – IPv6 multicast scoping – IPv6 address family – IPv6 prefixes – IPv6 route destination address

180


Routing Protocols

IPv6 PIM – Multicast Address Support – PIMv2 – PIM Anycast RP – Statically Defined RP – Embedded RP Addresses – Source-Specific Multicast (SSM) – Multicast Listener Discovery (v1 and

v2) – Bootstrap Router (BSR) for IPv6 – Disable IPv6 PIM independently from

IPv4 (9.6)

L3VPN Multicast – NG MVPN: IPv6 multicast (2H2009)

MPLS Protocols • IPv6 Tunneling over MPLS LSPs • RSVP-TE for IPv6 (not scheduled

yet) • LDP for IPv6 (not scheduled yet)

MPLS VPNs • 6PE, 6VPE • VRF Table-label

181

IPv6 Routing Protocols: Static Routes


Static Route Example

R1(config)# ipv6 route fde7:0e06:ef31::/48 null0 R1#sh ipv6 route static IPv6 Routing Table - Default - 2 entries Codes: C - Connected, L - Local, S - Static, U - Per-user Static route B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1 I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP EX - EIGRP external O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2 S FDE7:E06:EF31::/48 [1/0] via Null0, directly connected R1# R1(config)# ipv6 route 2300:0106:aa23::/48 fa0/0 R1(config)#do sh ipv6 route static | begin ^S S 2300:106:AA23::/48 [1/0] via FastEthernet0/0, directly connected S FDE7:E06:EF31::/48 [1/0] via Null0, directly connected R1(config)#

183


Static Options All static parameters are optional

Parameters are like any other static route

R1(config)#ipv6 route 2300:0106:aa23::/48 fa0/0 ?

<1-254> Administrative distance

X:X:X:X::X IPv6 address of next-hop

multicast Route only usable by multicast

nexthop-vrf Nexthop IPv6 VRF

tag Tag value

unicast Route only usable by unicast

<cr>

184


Routing Policy

Configured in the same way as routing policy for IPv4 – Similar match conditions and actions – Create policy first… – …then apply to inteface (PBR), neighbor (BGP), or routing protocol One new match condition

– Match protocol ipv6 Routing table built the same as always! Nothing new to learn for IPv6 though process

185

IPv6 Routing Protocols: OSPFv3


OSPFv3

Changes from OSPFv2 – Per Link Processing – Addition of flooding scope – New Link LSA – Handling of unknown LSA types – Virtual Link Changes – Authentication changes

187


OSPFv3

Per Link Processing – IPv6 uses the term “link” instead of network or subnet to indicate communication Interfaces connect to links Adjacencies are formed on link local addresses

– Multiple IPv6 subnets can be assigned to a single link Two nodes can talk directly over a single link, even if they do not share a common IPv6 subnet Network address and mask do not impact the formation of adjacencies

188


OSPFv3

Flooding Scope – Each LSA now contains two bits indicating the flooding scope AS scope, LSA is flooded throughout the AS Area scope, LSA is flooded only within an area Link-local scope, LSA is flooded only on the local link

– These changes also impact the names of the LSAs Type 3 (Summary LSA) is now called the inter-area-prefix-LSA Type 4 (Autonomous System Border LSA) is now called the inter-area-router-LSA Other new LSAs have been added

189


OSPFv3

LSA Name LS Type code Flooding scope LSA Function code

Router LSA 0x2001 Area scope 1

Network LSA 0x2002 Area scope 2

Inter-Area-Prefix-LSA 0x2003 Area scope 3

Inter-Area-Router-LSA 0x2004 Area scope 4

AS-External-LSA 0x4005 AS scope 5

Group-membership-LSA 0x2006 Area scope 6

Type-7-LSA 0x2007 Area scope 7

Link-LSA 0x0008 Link-local scope 8

Intra-Area-Prefix-LSA 0x2009 Area scope 9

Flooding Scope

190


OSPFv3

Link LSA – Announces the IPv6 link local address to all the router(s) attached to the link This is needed for the next hop calculation

– Announce a list of IPv6 prefixes associated with the link This is used for a router attached to a LAN to announce its prefix to the DR so DR can include

this IPv6 address in its intra-area-prefix-LSA

– Announce the router’s options capability router to the DR The DR will then perform an “OR” operation on the options received from all the attached routers The final option field set in the network LSA

191


OSPFv3

Link LSA – Generated for every link that has two or more routers – Not be originated for virtual links – May be suppressed

192


OSPFv3

Handling Unknown LSA Types – Each LSA now contains an “unknown LSA” bit 0: Treat this LSA as a link local 1: Store and flood this LSA even if you don’t understand it

– This allows the deployment of new features in the future Routers that don’t understand the new feature will simply store and forward the LSA Features can be deployed at edges, within a flooding domain, etc., without the need to upgrade

all routers

193


OSPFv3

Virtual Link Requirements – At least one global/unique local IPv6 address in the transit area OSPFv3 normally sends LSAs with a link local source address This won’t work over a virtual link –the packet needs to be forwarded through the intervening area

– Advertisement of a /128 prefix If no /128 is available in the table, a /128 from within an existing prefix space will be used This provides most-specific reachability between the endpoints of the virtual link

194


OSPFv3

Authentication – OSPFv3 currently only supports IPsec for authentication Group keying is painful for IPsec There is current work in GDOI and other spaces to make group keying work better for this space

– There is current work in the OSPF working group to allow HMAC-SHA and other forms of “in packet” authentication

195


OSPFv3

196

Router1# interface POS1/1 ipv6 address 2001:410:FFFF:1::1/64 ipv6 enable ipv6 ospf 100 area 0 interface POS2/0 ipv6 address 2001:B00:FFFF:1::2/64 ipv6 enable ipv6 ospf 100 area 1 ipv6 router ospf 100 router-id 10.1.1.3 Router2# interface POS3/0 ipv6 address 2001:B00:FFFF:1::1/64 ipv6 enable ipv6 ospf 100 area 1 ipv6 router ospf 100 router-id 10.1.1.4

Configuration & Show Example

POS 3/0 2001:b00:ffff:1::1/64

2001:b00:ffff:1::2/64 POS 2/0

Area 1

Area 0

POS 1/1 2001:410:ffff:1::1/64

A

B


OSPFv3

Router2#sh ipv6 ospf int pos 3/0 POS3/0 is up, line protocol is up Link Local Address FE80::290:86FF:FE5D:A000, Interface ID 7 Area 1, Process ID 100, Instance ID 0, Router ID 10.1.1.4 Network Type POINT_TO_POINT, Cost: 1 Transmit Delay is 1 sec, State POINT_TO_POINT, Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5 Hello due in 00:00:02 Index 1/1/1, flood queue length 0 Next 0x0(0)/0x0(0)/0x0(0) Last flood scan length is 3, maximum is 3 Last flood scan time is 0 msec, maximum is 0 msec Neighbor Count is 1, Adjacent neighbor count is 1 Adjacent with neighbor 10.1.1.3 Suppress hello for 0 neighbor(s)


POS 3/0 2001:b00:ffff:1::1/64

2001:b00:ffff:1::2/64 POS 2/0

Area 1

Area 0

POS 1/1 2001:410:ffff:1::1/64

A

B

197


OSPFv3

Router2#sh ipv6 ospf neighbor detail Neighbor 10.1.1.3 In the area 1 via interface POS3/0 Neighbor: interface-id 8, link-local address FE80::2D0:FFFF:FE60:DFFF Neighbor priority is 1, State is FULL, 12 state changes Options is 0x630C34B9 Dead timer due in 00:00:33 Neighbor is up for 00:49:32 Index 1/1/1, retransmission queue length 0, number of retransmission 1 First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0) Last retransmission scan length is 2, maximum is 2 Last retransmission scan time is 0 msec, maximum is 0 msec


POS 3/0 2001:b00:ffff:1::1/64

2001:b00:ffff:1::2/64 POS 2/0

Area 1

Area 0

POS 1/1 2001:410:ffff:1::1/64

A

B

198


OSPFv3

199

Router2#sh ipv6 route IPv6 Routing Table - 5 entries Codes: C - Connected, L - Local, S - Static, R - RIP, B – BGP, U - Per-user Static route I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2 OI 2001:410:FFFF:1::/64 [110/2] via FE80::2D0:FFFF:FE60:DFFF, POS3/0 C 2001:B00:FFFF:1::/64 [0/0] via ::, POS3/0 L 2001:B00:FFFF:1::1/128 [0/0] via ::, POS3/0 L FE80::/10 [0/0] via ::, Null0 L FF00::/8 [0/0] via ::, Null0


POS 3/0 2001:b00:ffff:1::1/64

2001:b00:ffff:1::2/64 POS 2/0

Area 1

Area 0

POS 1/1 2001:410:ffff:1::1/64

A

B


OSPFv3

Routing Considerations – New Routing Protocol New training, show commands, troubleshooting procedures Must run “dual stack” in the control plane

– Consider design carefully Be intentional about flooding domain boundaries Don’t just deploy “one big area” because you can, it’s simple, it’s a test, etc… Probably best to place ABRs in the same places as OSPFv2 just to facilitate management and

troubleshooting – IPv6 rollout must be contiguous Just like with the other IGPs…

200


Differences to OSPFv2 (1 of 2)

Differences: – Protocol processing per link, not per subnet – Removal of addressing semantics Router and network LSAs have no addressing Uses intra-area-prefix LSA

– Flooding scope is generalized Encoded in the LSA type

– Support for multiple instances per link Instance ID in OSPF header

201


Differences to OSPFv2 (2 of 2)

Differences (contd.): – Use of link-local addresses Used to originate packets

– Authentication removed Done at the IP (IPv6) layer

– LSA format changes New LSAs + renaming old ones

– Unknown LSA handling – Options field expanded V6 bit and R bit added

202


OSPFv3 LSA Types

LSA Function LS type Description Like OSPFv2

1 0x2001 Router LSA Type 1 Router LSAs

2 0x2002 Network LSA Type 2 Network LSAs

3 0x2003 Inter-Area-Prefix LSA Type 3 Summary LSAs

4 0x2004 Inter-Area-Router LSA Type 4 ASBR-Summary

5 0x4005 AS-External-LSA Type 5 AS-External LSA

6 0x2006 Group Membership LSA Type 6 Multicast

7 0x2007 Type-7 LSA Type 7 NSSA External

8 0x0008 Link LSA None

9 0x2009 Intra-Area-Prefix LSA Types 1 and 2

LSA Function U S2 S1

LS type field:

203


LSA Flooding Scope: Link-Local

Link LSAs are flooded on the local link only – Used to advertise link-local addresses to directly attached routers – Used to advertise IPv6 subnets on the link – Used by DR to collect option bits to associate with the network LSA

204

Link LSA


LSA Flooding Scope: Area

All LSAs, except link and AS-external, have area scope flooding – Router LSAs and intra-area-prefix LSAs are originated by each router – Network LSAs and intra-area-prefix LSAs are originated by each DR – Inter-area-prefix and inter-area-router are originated by ABR

205

Router LSA Network LSA Intra-Area-Prefix LSA

Inter-Area-Prefix Inter-Area-Router

ABR

Area 0 Area 1


LSA Flooding Scope: AS

AS-external LSAs are flooded throughout the entire OSPF AS – Originated by ASBR

206

Area 0

ASBR

Area 1 AS External LSA

OSPF routing domain RIP


Same As OSPFv2

Similarities: – One of the similarities is the RID – OSPFv3 maintains a 32-bit RID that represents the router in the link-state database – The RID is not related to an IPv6 address like it is in IPv4 – Requires explicit configuration (assuming no IPv4 addresses are present) because

IPv6 addressing cannot be used

207


Cisco IPv6 and OSPF

Customized globally – R1(config)# ipv6 router ospf (#) – R1(config-router)# area (#) range …….. Enabled on an interface

– R1(config-if)# ipv6 ospf (#) area-id (#) – R1(config-if)# ipv6 ospf (#) neighbor (addr)

208


IPv6 and OSPF

Authentication is interesting – Requires IPSec be used by OSPF – Authentication fields are no longer part of OSPF packet, but signaled to IPv6 security

209


IPv6 and OSPF - Security

Two methods, AH or ESP – Ipv6 ospf authentication – Ipv6 ospf encryption Examples (interface config)

– Ipv6 ospf authentication ipsec spi 500 md5 1234567890abcdef1234567890abcdef – Ipv6 ospf encryption ipsec spi 1001 esp null sha1

123456789A123456789B123456789C123456789D Examples (area config – encryption same format)

– Area 0 authentication ipsec spi 422 md5 1234567890abcdef1234567890abcdef

210


Router ID Selection

Router ID selection: – IPv6 networks preserve the 32-bit router ID This is not an IPv4 address, it just looks like one!

– You can set RID manually under routing-options, although an existing IPv4 address can be used The Junos OS uses the first non-127/8 address it finds as the RID lo0 is the first interface activated, so a non-127/8 configured here serves as the RID If the Junos software does not find a suitable address on lo0, it examines the next interface

activated (normally fxp0) – IPv6 functionality should not depend on another protocol being configured, so set RID

manually!

211

IPv6 Routing Protocols: MBGP


MP-BGP Basics

Path Vector Protocol – Carries sequence of AS numbers indicating path

Ties Autonomous Systems together via Peering

Multiple address families: ipv4, ipv6, unicast, multicast

SiSiSiSi

SiSi SiSi

SiSi

AS 101 AS 201

AS 301

Peering

213


BGP-4 Extensions for IPv6

TCP Interaction – BGP-4 runs on top of TCP – This connection could be setup either over IPv4 or IPv6 Router ID

– When no IPv4 is configured, an explicit bgp router-id needs to be configured – This is needed as a BGP Identifier, this is used as a tie breaker, and is send within the

OPEN message

214


Non Link Local Peering

Router A router bgp 1 no bgp default ipv4 unicast bgp router-id 1.1.1.1 neighbor 2001:db8:ffff:2::2 remote-as 2 address-family ipv6 neighbor 2001:db8:ffff:2::2 activate network 2003:3:2::/64 network 2003:3:3::/64

AS 1

AS 2

2001:db8:ffff:2/64

:1

:2

network 2003:3:2::/64 network 2003:3:3::/64

B

A

215


BGP-4 Extensions for IPv6 (RFC 2545)

BGP-4 carries only 3 pieces of information which is truly IPv4 specific: – NLRI in the UPDATE message contains an IPv4 prefix – NEXT_HOP path attribute in the UPDATE message contains a IPv4 address – BGP Identifier is in the OPEN message & AGGREGATOR attribute To make BGP-4 available for other network layer protocols, RFC 2858

(obsoletes RFC 2283) defines multi-protocol extensions for BGP-4 – Enables BGP-4 to carry information of other protocols e.g MPLS,IPv6 – New BGP-4 optional and non-transitive attributes: – MP_REACH_NLRI – MP_UNREACH_NLRI – Protocol independent NEXT_HOP attribute – Protocol independent NLRI attribute

216



Address Family Information (AFI) for IPv6 – AFI = 2 (RFC 1700) – Sub-AFI = 1 Unicast – Sub-AFI = 2 (Multicast for RPF check) – Sub-AFI = 3 for both Unicast and Multicast – Sub-AFI = 4 Label – Sub-AFI= 128 VPN

217



Next-hop contains a global IPv6 address or potentially a link local (for iBGP update this has to be changed to global IPv6 address with route-map) The value of the length of the next hop field on MP_REACH_NLRI attribute is

set to 16 when only global is present and is set to 32 if link local is present as well Link local address as a next-hop is only set if the BGP peer shares the subnet

with both routers (advertising and advertised)

218

AS1 AS2

B A C


BGP Overview

Path-vector EGP that uses multiple path attributes to select the active route – Originally designed for IPv4 – Extended to carry additional information Multicast VPNs IPv6

MBGP specifications – Multiprotocol extensions for BGP-4 RFC 4760—January 2007

– Use of BGP-4 multiprotocol extensions for IPv6 interdomain routing RFC 2545

219


MP-BGP and IPv6

Multiprotocol extensions for BGP4: – Adds new fields to identified the type of route being advertised – Make it possible to carry IPv6 routes on top of IPv4 BGP sessions IPv6-specific extensions:

– Scoped addresses: NEXT_HOP contains a global IPv6 address and potentially a link-local address (only when there is link-local reachability with the peer)

– NEXT_HOP and NLRI are expressed as IPv6 addresses and prefixes in the multiprotocol attributes

220


Address-Families are new RIBs

Address families began with MBGP to separate RIB entries Common address-families are

– IPv6 (unicast | multicast) – Nsap – IPv4 Multicast – Vpnv4 – Vpnv6 – Ipv4 unicast vrf (name) Default is IPv4 Unicast

221


Prior to Address Families

Router bgp 1001

– Neighbor 10.1.1.4 remote-as 1001 – Neighbor 10.1.1.4 update-source loopback 0

– Neighbor 10.1.1.4 route-map Bob in

– Neighbor 10.1.1.4 send-community – Network 10.1.100.0 mask 255.255.255.0 – Network 10.1.101.0 mask 255.255.255.0 – Redistribute static

222


Way to Think About the “Old” Way

Router bgp 1001 – [Connections] – Neighbor 10.1.1.4 remote-as 1001 – Neighbor 10.1.1.4 update-source loopback 0 – [address-family ipv4] – Neighbor 10.1.1.4 route-map Bob in – Neighbor 10.1.1.4 activate – Neighbor 10.1.1.4 send-community – Network 10.1.100.0 mask 255.255.255.0 – Network 10.1.101.0 mask 255.255.255.0 – Redistribute static

223


Activate Each Neighbor

Multiple neighbors can carry some or all of the supported families Activate each one Each RIB filters separately Each RIB name is important for NLRI information to be kept correctly Each RIB/Family information is separate Useful for running separate info over separate links/peering information

224


MBGP Configuration

AS 65001 AS 65002 Router2 Router1

Router1# interface FastEthernet0/0 ipv6 address 3FFE:B00:C18:2:1::F/64 router bgp 65001 no bgp default ipv4-unicast neighbor 3FFE:B00:C18:2:1::1 remote-as 65002 address-family ipv6 neighbor 3FFE:B00:C18:2:1::1 activate neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out exit-address-family

3ffe:b00:c18:2:1::F 3ffe:b00:c18:2:1::1

225


MBGP Prefix Bidirectional Filtering

226

– Filtering BGP routing updates

3FFE:0B00:0001::/48 3FFE:0300::/32

3FFE:0B00::/24

Router2 Router1

3ffe:b00:c18:2:1::F 3ffe:b00:c18:2:1::1 Router1# router bgp 65001 no bgp default ipv4-unicast neighbor 3FFE:B00:C18:2:1::1 remote-as 65002 address-family ipv6 neighbor 3FFE:B00:C18:2:1::1 activate neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out network 3FFE:B00::/24 exit-address-family ipv6 prefix-list bgp65002in seq 5 permit 3FFE::/16 le 24 ipv6 prefix-list bgp65002out seq 5 permit 3FFE::/16 le 24

3ffe:b00::/24


MBGP Config with Inbound Filtering

Configure BGP to accept legal prefixes only (prefix-list)

227

3ffe:b00:c18:2:1::f 3ffe:b00:c18:2:1::1

AS 65002

AS 65003 AS 65001

3ffe:b00:c18:2:1::2

router bgp 65001 no bgp default ipv4-unicast neighbor 3FFE:B00:C18:2:1::1 remote-as 65002 neighbor 3FFE:B00:C18:2:1::2 remote-as 65003 address-family ipv6 neighbor 3FFE:B00:C18:2:1::1 activate neighbor 3FFE:B00:C18:2:1::2 activate neighbor 3FFE:B00:C18:2:1::1 prefix-list Legal in neighbor 3FFE:B00:C18:2:1::2 prefix-list Legal in network 3FFE:B00::/24 exit-address-family ipv6 prefix-list Legal seq 5 permit 2001::/16 le 35 ipv6 prefix-list Legal seq 10 permit 3FFE::/17 ge 24 le 24 ipv6 prefix-list Legal seq 15 permit 3FFE:8000::/17 ge 28 le 28 ipv6 prefix-list Legal seq 20 permit 2002::/16

Appendices:

Additional Pseudo-Useful, but not Required Information

IPv6 ISP Deployments: General


IPv6 Static NAT

230

Fa0/0 IPv4 IPv6

network 172.18.30.1 3000:b00:ffff:1::1 192.168.199.1

A D

nat-pt# ipv6 unicast-routing interface FastEthernet0/1 ip address 192.168.199.1 255.255.255.0 ipv6 nat interface FastEthernet0/0 ipv6 address 3000:b00:ffff:1::/64 eui-64 no ip address ipv6 nat ipv6 nat prefix 3ffe:b00:ffff:ffff::/96 ipv6 nat v4v6 source 172.18.30.1 3000:b00:ffff:ffff::a ipv6 nat v6v4 source 3000:b00:ffff:1::1 192.168.199.2

NAT-PT

Fa0/1

Static NAT-PT configuration: 3000:b00:ffff:ffff::a 172.18.30.1

3000:b00:ffff:1::1 192.168.199.2


IPv6 Dynamic NAT

231

Fa0/0 IPv4 IPv6

network

3000:b00:ffff:1::1 192.168.199.1 A NAT-PT

Fa0/1 DNS D

172.18.31.1

ipv6 unicast-routing interface FastEthernet0/1 ip address 192.168.199.1 255.255.255.0 ipv6 nat interface FastEthernet0/0 ipv6 address 3000:b00:ffff:1::/64 eui-64 no ip address ipv6 nat ipv6 nat prefix 3000:b00:ffff:ffff::/96 ipv6 nat translation timeout 3600 ipv6 prefix-list v6-list permit 3000:b00:ffff::/48 ipv6 nat v6v4 pool v4-pool 192.168.199.50 192.168.199.100 prefix-length 24 ipv6 nat v6v4 source list v6-list pool v4-pool ipv6 nat v4v6 source 172.18.31.1 3000:b00:ffff:ffff::53


Questions & Answers

232


Recommended Reading

Continue your Networkers at Cisco Live learning experience with further reading from Cisco Press Check the Recommended Reading flyer for

suggested books

233

Available Onsite at the Cisco Company Store


Final Thoughts

Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042 Come see demos of many key solutions and products in the main Cisco booth

2924 Visit www.ciscoLive365.com after the event for updated PDFs, on-demand

session videos, networking, and more! Follow Cisco Live! using social media:

– Facebook: https://www.facebook.com/ciscoliveus – Twitter: https://twitter.com/#!/CiscoLive – LinkedIn Group: http://linkd.in/CiscoLI

234

http://www.ciscolive365.com/

https://www.facebook.com/ciscoliveus

https://twitter.com/

http://linkd.in/CiscoLI


Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in.

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Cisco Daily Challenge

points for each session evaluation you complete. Complete your session evaluation

online now through either the mobile app or internet kiosk stations.

235

IPv6 for Cert Nuts

Documents

Transcript of IPv6 for Cert Nuts