IPv6 host-os-details-v2

© 2012 Cisco and/or its affiliates. All rights reserved. 1

Cisco “Tech Session” IPv6 Host OS Configurations

Tim Martin

CCIE #2020

Solutions Architect

Spring 2015


•  IPv6 Network Provisioning •  Microsoft IPv6 •  Linux IPv6 •  Apple IPv6 •  Mobile OS IPv6 •  Summary


IPv6

IPv4 Address Depletion

2011

National IPv6 Strategies STEM

Mandate

Infrastructure Evolution

4G, DOCSIS 3.0, CGN

IPv6 OS, Content & Applications

Pref. by App’s in W7, S2008, OSX


Similar to IPv4 New in IPv6

Manually configured StateLess Address AutoConfiguration SLAAC EUI64

SLAAC Privacy Extensions

Assigned via DHCPv6

*Secure Neighbor Discovery SeND


00 90 27 FF FE 17 FC 0F

OUI Device Identifier

00 90 27 17 FC 0F

02 90 27 FF FE 17 FC 0F

0000 00U0 U= 1 = Universel/unique

0 = Local/not unique U bit must be flipped

FF FE 00 90 27 17 FC 0F


•  Generated on unique 802 using MD5, then stored for next iteration •  Enabled by default in Windows, Android, iOS, Mac OS/X, Linux •  Temporary or Ephemeral addresses for client application (web browser)

Recommendation: Good for the mobile user, but not for your organization/corporate networks (Troubleshooting and accountability)

7

2001 DB8

/32 /48 /64

Random Generated Interface ID 0000 1234


DHCPv6 Server 2001:db8::feed:1

DHCPv6 Solicit

•  Source – FE80::1234, Destination - FF02::1:2

•  Client UDP 546, Server UDP 547

•  Original Multicast Encapsulated in Unicast (Relay)

•  DUID – Different from v4, used to identify clients

•  ipv6 dhcp relay destination 2001:db8::feed:1

DHCPv6 Relay

DHCPv6 Relay

SOLICIT (any servers)

ADVERTISE (want this address)

REQUEST (I want that address)

REPLY (It’s yours)


•  Router solicitations (RS) are sent by nodes at bootup

•  Routers forward packets as well as provide provisioning services

RS

ICMP Type 133 IPv6 Source FE80::A IPv6 Destination FF02::2 Opt. 1 SLLA SRC Link Layer Address

RA

ICMP Type 134 IPv6 Source FE80::2

IPv6 Destination FE80::A Data Options, subnet prefix,

lifetime, autoconfig flag

RS RA

A


•  M-Flag – Stateful DHCPv6 to acquire IPv6 address

•  O-Flag – Stateless DHCPv6 in addition to SLAAC

•  Preference Bits – Low, Med, High

•  Router Lifetime – Must be >0 for Default

•  Options - Prefix Information, Length, Flags

•  L bit – Only way a host get a On Link Prefix

•  A bit – Set to 0 for DHCP to work properly

Type: 134 (RA) Code: 0 Checksum: 0xff78 [correct] Cur hop limit: 64 ∞ Flags: 0x84 1… …. = Managed (M flag) .0.. …. = Not other (O flag) ..0. …. = Not Home (H flag) …0 1… = Router pref: High Router lifetime: (s)1800 Reachable time: (ms) 3600000 Retrans timer: (ms) 1000 ICMPv6 Option 3 (Prefix Info) Prefix length: 64 ∞ Flags: 0x80 1… …. = On link (L Bit) .1.. …. = No Auto (A Bit) Prefix: 2001:0db8:4646:1234::/64

RA


RA

type = 134 code = 0 checksum

hop limit M|O|H|pref router lifetime reachable time

retransmit timer

options (variable)

•  ICMPv6 – Type, Code, Checksum, Data

•  Data – Body of the Message Type (Required)

•  Option 1 – Source MAC, Option 5 – MTU

•  Option 3 – Prefix and Host Provisioning

•  Option 25 – Recursive DNS Servers, DNS Search List


•  Tentative – Address in verification process (DAD) •  Preferred – Address can be used for communication •  Valid – Address can be used, may be Preferred or Deprecated •  Deprecated – Address can be used on existing connections •  Invalid – Address is not available for use

Valid

Deprecated Preferred Tentative Invalid Preferred Lifetime

Valid Lifetime


• Maintained for each interface connected on a host • Host uses the PL & DRL to work out the destination for outbound packet • Then it saves the result in the DC • The DC resolves the destination address to the next hop address • Hosts uses neighbor discovery to get the link address and updates the NC

Default Router List (DRL)

Prefix List (PL)

Destination Cache (DC)

Neighbor Cache (NC)


Prefix List (PL) Valid Timer

FE80::/10 ∞

2001:DB8:4646:34::/64 322486

Destination Cache (DC) Neighbor PMTU

FE80::34:1 FE80::34:1 1500

2001:DB8:4646:34::1 2001:DB8:4646:34::1 9000

2001:DB8:4646:555::22 FE80::34:1 1500

2001:DB8:4646:717::98 FE80::34:1 1500

2001:DB8:4646:34::38 2001:DB8:4646:34::38 9000

Default Router List (DRL)

Preference

FE80::34:1 H

FE80::34:11 M

• Prefix List – contains on link prefixes and validation timers • Default Router List – must be a neighbor usable to the host • Destination Cache – resolves next hop IPv6 address and – May contain path MTU & RTT information – Can be updated by ICMPv6 redirect message


Neighbor Link Layer Is Router State

FE80::34:1 00-00-0C-83-5C-3E 1 Reachable

2001:DB8:4646:34::1 00-00-0C-83-5C-3E 0 Stale

2001:DB8:4646:34::38 04-48-9A-16-37-FB 0 Stale

FF02::1 33-33-00-00-00-01 0 ~

• Mapping of the neighbors IPv6 address to it’s link layer address • Neighbor Cache Entry (NCE) created in response to neighbor discovery messages • Includes the status of the “R” flag in the returned NA’s • Keeps track of Neighbor Unreachability Detection (NUD) – State, number of unanswered probes, event timers


•  Incomplete – Pending address resolution, NS message outstanding

•  Reachable – Recently used mapping, Can be refreshed by ULP

•  Stale – Not currently communicating, waiting for next queued packet

•  Delay –Using stale binding, awaiting (ULP) return traffic

•  Probe – Sending Unicast NS to node (after Delay timer, 3x1 sec)

•  Delete – If no response to probe state, removal can occur


IPv6 is enabled by default and is preferred in Windows (this has been the case since Windows Vista and Server 2008)

If you are running Windows you have likely already deployed IPv6 You just didn’t know it – oops

By default Windows is dual-stacked

Windows has built in transition technologies in the operating system – but I recommend that you turn them off

Microsoft considers turning off IPv6 to be an unsupported configuration

All current software solutions from Microsoft can run on IPv6 only or dual-stack networks w/ little to no modification

18


Since Windows Vista and Server 2008 there has been a new networking stack in the Windows Operating System

Network Interface Layer

Transport Layer (TCP/UDP)

Application Layer

Network Interface Layer

Application Layer

TCP/UDP TCP/UDP

IPv6 IPv4 IPv6 IPv4

Older TCP/IP Networking Stack (Dual-Stack) New TCP/IP Networking Stack (Dual IP Layer)

Yes, this is confusing as heck, the older OS versions of Windows call their IPv6 solution dual-stack. It is not the same

dual-stack as when we refer in the generic way to running IPv4 and IPv6 on

the same network.

19


C:\Documents and Settings\>netsh netsh>interface ipv6 netsh interface ipv6>show address Querying active state... Interface 5: Local Area Connection Addr Type DAD State Valid Life Pref. Life Address --------- ---------- ------------ ------------ ----------------------------- Public Preferred 29d23h58m25s 6d23h58m25s 2001:0db8:2301:1:202:8a49:41ad:a136 Temporary Preferred 6d21h48m47s 21h46m 2001:0db8:2301:1:bd86:eac2:f5f1:39c1 Link Preferred infinite infinite fe80::202:8a49:41ad:a136 netsh interface ipv6>show route Querying active state... Publish Type Met Prefix Idx Gateway/Interface Name ------- -------- ---- ------------------------ --- --------------------- no Autoconf 8 2001:0db8:2301:1::/64 5 Local Area Connection no Autoconf 256 ::/0 5 fe80::20d:bdff:fe87:f6f9


•  Scope, Preferred over Deprecated, Native over Transitional, Temporary over Public •  Must support application override API, Choice of v6 over v4 is application dependent •  RFC 7078 defines override using DHCPv6, option

Public Preferred 2001:0db8:2301:1:202:8a34:bead:a136 Temporary Preferred 2001:0db8:2301:1:bd86:ea49:41f1:39c1 Link Preferred fe80::202:8a34:bead:a136

IPv6 Prefix Range Precedence Label ::1/128 50 0 ::/0 40 1 2002::/16 30 2 ::/96 20 3 ::ffff:0:0/96 10 4

© 2012 Cisco and/or its affiliates. All rights reserved. 22 22

DNS Server!

2001:db8:1::1!

IPv4

IPv6

192.168.0.3!

www IN A 192.168.0.3 www IN AAAA 2001:db8:1::1

•  In a dual stack case, an application can: Query DNS for IPv4 and/or IPv6 records Parallel connection request vs. serial Winner makes the “eyes” happy

•  Give IPv6 300ms Head Start. Lookup & Connect Retrieve and Display

RFC 6555


•  Probes for IPv4 and IPv6 connectivity every time a network event occurs,

•  Cache of already known networks, 30 days unless an interface status changes

•  Need to spoof NCSI in lab environment

IPv4 IPv6 DNS query to dns.msftncsi.com 131.107.255.255 fd3e:4f5a:5b81::1

HTTP GET http://www.msftncsi.com/ncsi.txt http://ipv6.msftncsi.com/ncsi.txt

Content of ncsi.txt Microsoft NCSI Microsoft NCSI

23


2001:470:4801:a3:5c07:2212:a5dc:e68e is from DHCPv6 There are no other Global IPv6 addresses on the host Notice the last 64 do NOT match Link-local which was locally generated and the Global was given via DHCPv6

24


Because we can have ambiguity on link-local addresses, Scope ID is used to link neighbors table to a specific interface

fe80::cd87:5dd6:cf39:dd08 fe80::80d4:29c9:2b3c:a0e2 %12 %13

25


C:\ >ipconfig Tunnel adapter ISATAP Adapter Media State : Media disconnected Connection DNS Suffix : foo.com Tunnel adapter Teredo Adapter Media State : Media disconnected Connection-specific DNS Suffix : Tunnel adapter 6TO4 Adapter: Media State : Media disconnected Connection-specific DNS Suffix :

Can be disabled via Registry, GPO, Powershell, etc.

ß  Used within administrative domain (IP41) ::0:5efe:w.x.y.z/96 – Private v4 ::200:5efe:w.x.y.z/96 – Global v4

ß  Used with RFC 1918 address’s (UDP3544) 2001:0:{srvr v4}:{flags}:{udp}:{nat v4}

ß  Used with global IPv4 address’s (IP41) 2002:xw.x.y.z::


RFC 4429 - http://tools.ietf.org/html/rfc4429

Was designed to make the process of DAD faster

It does this by Removing the RetransTimer delay when doing address configuration Interoperability w/ hosts doing non-optimistic DAD Not increasing the address collision probability Improving the resolution for address collisions Minimizing disruption in the case of collisions

Basically, the OS starts using the IPv6 address immediately (assumes it is good)

And the DAD process still happens to confirm that is the case

27


Don’t forget to specify IPv6 subnets in Active Directory And map them to the appropriate Sites

28


When building out a server cluster in Windows Server 2012 and newer it will default to IPv6 for the cluster failover link

It will establish its failover heartbeat communications using link-local IPv6 addresses

If you need a cluster to run in a cloud service that does not support IPv6 you must convert the failover heartbeat link to IPv4

Pay attention when you P2V a cluster – it will NOT covert the failover link

29


Microsoft no longer tests software with IPv4 ONLY networks

Microsoft has standardized on dual stack support

There are only four products that have limited IPv6 support

Azure – In the works but no timeline has been given Forefront TMG – EOS and it won’t get IPv6 support Lync (update – now has IPv6 support)* Windows Phone 7 (but 8 w/ updates has IPv6 support)*

http://aka.ms/ipv6compat

30


•  Since Kernel version 2.6.12 (2005) Linux has had IPv6 support If you are using older versions of Linux you will likely have unpredictable behavior

•  DHCPv6 client support is mixed for different versions – mileage will vary

edit /etc/dhcp/dhclient.conf to modify behavior or turn off DHCPv6 client

•  IPv6 temporary addresses are enabled by default Ubuntu server and client in 12.04 and 14.04 LTS

32


Ubuntu – check for an IPv6 address: ip -6 addr show dev eth0 cat /proc/net/if_inet6

Ubuntu – check for IPv6 temporary addresses: sudo sysctl –a | grep tempaddr

Ubuntu – check for your IPv6 address Ifconfig eth0 | grep “inet6 addr:”

Ubuntu – check for IPv6 neighbors: ip -6 neigh show

33


Linux still just uses route to manage everything: Route –A inet6 –n

Linux will use the link-local IPv6 address as the next hop with SLAAC and DHCPv6

If you set up things Manually double check your default gateway

34


Edit the /etc/sysctl.conf file to change host behavior: #turn on IPv6 forwarding (not routing per say) net.ipv6.conf.all.forwarding=1 #turn off auto configuration (SLAAC) net.ipv6.conf.all.autoconf=0 #turn off RA learning – don’t recommend net.ipv6.conf.all.accept_ra=1

For manual configuration use the above settings

The default /etc/sysctl.conf file will do the right IPv6 behavior for a client

35


Ubuntu - Turning off privacy addressing: # Disable IPv6 Privacy Extensions net.ipv6.conf.all.use_tempaddr = 0 net.ipv6.conf.default.use_tempaddr = 0

Turning it back on: # Enable IPv6 Privacy Extensions net.ipv6.conf.all.use_tempaddr = 2 net.ipv6.conf.default.use_tempaddr = 2

36


Basic commands ping6 ifconfig traceroute6 route –A inet6 netstat -nr –A inet6 dig @ 2001:470:1f05:9a4::1 www.cav6tf.org AAAA ssh root@fe80::<lower64>%eth0 or ssh root@<prefix:address>

Remember try the [2001:db8:cafe::1] format if the command fails

Howto reference: http://tldp.org/HOWTO/html_single/Linux+IPv6-HOWTO/ https://wiki.kubuntu.org/IPv6

37


Ubuntu and REHL default behaviors are similar

The Linux OS does standard RFC 6724

It is up to applications if they implement and use RFC 6555

Chrome and Firefox both have Happy Eyeballs support

There is no specific OS build support for RFC 6555 like OSX or Windows

38


Since Mac OS X v10.2 (Jaguar – May 2002) Apple has had IPv6 support in some form in the OS

Older versions likely have unpredictable behavior

IPv6 support was viable until 10.6.7 (Snow Leopard – August 2009) Essentially the first “usable” and “predictable” OS version with IPv6

Relatively solid support in the Geography releases Kernel fix finally addresses ICMPv6 rate limiting

40


DHCPv6 client support was added in 10.7 (Lion – July, 2011)

IPv6 privacy addresses are enabled by default in 10.7

SLAAC and manual address configuration are supported

41


Choose Apple menu > System Preferences, and then click Network If the Network Preference is locked, click on the lock icon and enter your Admin password to make further changes Choose the network service you want to use with IPv6, such as Ethernet or AirPort. Click Advanced, and then click TCP/IP Click on the Configure IPv6 pop-up menu (typically set to Automatically) and select Manually Enter the IPv6 address, router address, and prefix length you received from your network administrator or Internet service provider. Your router address may be referred to as your gateway address by some ISPs Reference: http://support.apple.com/kb/HT4667

42


(2001:db8:46:1::)

2001:db8:46:1::/64

2001:db8:46:1::

43


tmartin# ifconfig -L en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500

ether b8:e8:56:19:f3:8a inet6 fe80::bae8:56ff:fe19:f38a%en0 prefixlen 64 scopeid 0x4 inet6 2001:db8:46:1:bae8:56ff:fe19:f38a prefixlen 64 autoconf pltime 267 vltime 267 inet6 2001:db8:46:1:883e:b6a2:863:e31b prefixlen 64 autoconf temp pltime 267 vltime 267 nd6 options=1<PERFORMNUD>

DNS server updated via option (25) from the previous RA

Preferred/Valid lifetimes updated via option (3) from the previous RA

44


tmartin$ netstat -rnf inet6 Routing tables Internet6: Destination Gateway Flags Netif Expire default fe80::250:f1ff:fe00:0%en0 UGc en0 ::1 ::1 UHL lo0 2001:db8:46:1::/64 link#4 UCS en0 2001:db8:46:1:883e:b6a2:8863:e31b b8:e8:56:19:f3:8a UHL lo0 2001:db8:46:1:bae8:56ff:fe19:f38a b8:e8:56:19:f3:8a UHL lo0 fe80::%lo0/64 fe80::1%lo0 UcI lo0 fe80::1%lo0 link#1 UHLI lo0 fe80::250:f1ff:fe00:0%en0 0:50:f1:0:0:0 UHLIr en0 fe80::bae8:56ff:fe19:f38a%en0 b8:e8:56:19:f3:8a UHLI lo0 ff01::%lo0/32 ::1 UmCI lo0 ff01::%en0/32 link#4 UmCSI en0 ff02::%lo0/32 ::1 UmCI lo0 ff02::%en0/32 link#4 UmCI en0

45


tmartin# ndp -a Neighbor Linklayer Address Netif Expire St Flgs Prbs 2001:db8:46:1:654:53ff:fe12:f103 4:54:53:12:f1:3 en0 23h44m39s S 2001:db8:46:1:883e:b6a2:8863:e31b b8:e8:56:19:f3:8a en0 permanent R 2001:db8:46:1:bae8:56ff:fe19:f38a b8:e8:56:19:f3:8a en0 permanent R localhost (incomplete) lo0 permanent R fe80::250:f1ff:fe00:0%en0 0:50:f1:0:0:0 en0 13s R R Homework.local 4:54:53:12:f1:3 en0 23h44m33s S tmartin-m-90a6.local b8:e8:56:19:f3:8a en0 permanent R

46


tmartin# netstat -f inet6 Active Internet connections Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp6 0 0 2001:db8:46:1:.62472 edge-star6-shv-1.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62469 edge-star6-shv-0.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62468 2001:559:0:41::1.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62467 2001:559:0:56::b.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62458 2600:1404:a::174.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62457 xx-fbcdn6-shv-04.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62456 2600:1404:a::174.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62442 2607:f8b0:400f:8.https ESTABLISHED tcp6 0 0 2001:db8:46:1:.62337 edge-star6-shv-1.https ESTABLISHED udp6 0 0 *.55815 *.* udp6 0 0 *.58881 *.* udp6 0 0 *.52460 *.* udp6 0 0 *.64250 *.*

47


Apple utilizes mDNS (ff02::fb) for name resolution

AirPlay, AirPrint, File share and other Bonjour services by default

mDNS works for both IPv4 and IPv6

RFC 6762 - http://tools.ietf.org/html/rfc6762

Details at http://en.wikipedia.org/wiki/Multicast_DNS

Bonjour browser free, mDNS browser paid app

48


tmartin# netstat -g Link-layer Multicast Group Memberships Group Link-layer Address Netif 33:33:ff:63:e3:1b <none> en0 33:33:0:0:0:1 <none> en0 33:33:ff:19:f3:8a <none> en0 33:33:0:0:0:fb <none> en0 IPv6 Multicast Group Memberships Group Link-layer Address Netif ff02::fb%lo0 <none> lo0 ff02::2:ffb8:7d5b%lo0 <none> lo0 ff01::1%lo0 <none> lo0 ff02::1%lo0 <none> lo0 ff02::1:ff00:1%lo0 <none> lo0 ff02::1:ff63:e31b%en0 33:33:ff:63:e3:1b en0 ff02::1%en0 33:33:0:0:0:1 en0 ff02::1:ff19:f38a%en0 33:33:ff:19:f3:8a en0 ff02::fb%en0 33:33:0:0:0:fb en0

49


•  Provides cloud based file and screen sharing services •  IPv6 must be enabled, ULA (0xFD) is configured with EUI-64 host id •  Dynamic DNS Service Discovery, NAT traversal using Port Map Protocol •  IPSec for integrity, Kerberos for authentication •  RFC 6281

IPv4 Header UDP Header ESP Header IPv6 Header

50


Apple applications uses multiple methods getaddrinfo (Chrome, ~Firefox) CFSocketStream (Safari)

OSX often results in looking at RTT of cached destinations Uses that table to make connection call Can have varied results

Possible that the legacy protocol is chosen when IPv6 is working Approximately 50% of the time, largely because no head start Hampering the experience

51


Android has some limitations on Wi-Fi due to the fact it does not have a DHCPv6 client included in the base build by default

Therefore, on Wi-Fi networks, SLAAC must be enabled for an Android handset or tablet to obtain an IPv6 address

Android supports RFC 6106 so it can learn the IPv6 address of the DNS resolver via the RA

Android supports 464xlat allowing it to operate on an IPv6 only mobile network

Tablet and phones should have the same behavior and supported functions

53


Kindle Fire supports IPv6 because it is based on Android and has Wi-Fi IPv6 support via SLAAC

The Kindle Paperwhite and other Kindle e-readers not based on Android do not have IPv6 support

This may be due to the experimental browser support in the e-reader and not the OS but I know of no tools to be able to test to determine if that is the case

Because some models of the Kindle Fire have a 4G cellular option it has the same potential for 464xlat allowing it to operate on an IPv6 only mobile network – I have not had the chance to test and validate this behavior

54


Apple iOS has a DHCPv6 client for Wi-Fi and can display IPv6 information in the settings | Wi-Fi

Unfortunately there are sometimes display issues with getting the full IPv6 address to display along with the full DNS name resolver IPv6 addresses

iOS supports both SLAAC and DHCPv6

At this time iOS 8 does not support 464xlat

Therefore, iOS currently is not able to run on an IPv6 only mobile network

55


•  As of iOS 9, all iPhone/iPad apps will support IPv6! •  Use the networking frameworks (for example, “NSURLSession”) •  Avoid use of IPv4-specific APIs •  Avoid hard-coded IP addresses

“If your application doesn’t work properly with IPv6, it will simply not function on those networks, those carriers and for those customers.”

- Sebastien Marineau VP Core OS


•  Gain Operational Experience now

•  Security enforcement is possible

•  Control IPv6 traffic as you would IPv4

•  “Poke” your Provider’s

•  IPv6 is here now are you?

59

IPv6 host-os-details-v2

Internet

Transcript of IPv6 host-os-details-v2