Internet Protocol v6 October 25, 2016 v6@nkn.in
Table of Contents
Why IPv6?
IPv6 Address Space
Customer LAN Migration
IPv4 Dashboard: The Reason for IPv6
The IANA pool of available IPv4 addresses was exhausted on 3 February 2011.
APNIC is allocating IPv4 addresses from its last /8 IPv4 block.
Microsoft has managed to purchase 666,624 IP addresses from the bankrupt Canadian company Nortel for $7.5m. This works out to $11.25/IP. An exact list of blocks isn't available.
Address Distribution
IETF -> IANA -> RIR -> ISP -> End User
Regional Internet Registries (RIRs) distribute IPv4, IPv6, and AS numbers to the Internet community.
IPv6 Address Space
An IPv6 address is 128 bits long.
This means a total of 340 282 366 920 938 463 463 374 607 431 768 211 456 IPv6 addresses are possible: about 3.4 x 10^38 (340 trillion trillion trillion) unique IPv6 addresses.
This means we can roughly assign 48,000 trillion trillion IPv6 addresses to every person, or 6.7 x 10^23 addresses per m^2 of land.
What Does an IPv6 Address Look Like?
x:x:x:x:x:x:x:x, where each x represents 16 bits written in hexadecimal: 2001:4408:0000:0000:C1C0:0000:ABCD:0786
Case insensitive: 2001:4408:0000:0000:c1c0:0000:abcd:0786
A block of zero groups can be replaced with "::", but only once: 2001:4408::C1C0:0000:ABCD:0786
Leading zeros can be omitted, but not trailing ones: 2001:4408::C1C0:0000:ABCD:786
In a URL the address is enclosed in brackets: http://[2001:4408::c1c0:0000:abcd:786]/index.html or http://[2001:4408::c1c0:0000:abcd:786]:8080/index.html
How Is an IPv6 Address Structured?
128-bit address = Network Portion (64 bits) + Interface ID (64 bits)
Global Unicast Identifier: gggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  Global Routing Prefix (gggg): n <= 48 bits
  Subnet ID (ssss): 64 - n bits
  Host / Interface ID (xxxx): 64 bits
Example (full format): 2405:8a00:0000:0001:0000:0000:0000:A100
Abbreviated format: 2405:8a00:0:1::A100
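The text rules from the two slides above, as an added example (not code from the NKN deck): expand() and compress() implement the "::" and leading-zero rules (compress() follows RFC 5952, so it picks the longest run of zero groups and writes lowercase), and split_global_unicast() cuts an address into routing prefix, subnet ID and interface ID for a routing-prefix length n.

```python
# Added example, not from the NKN slides: IPv6 text representation rules.
# expand(): full 8-group form; compress(): shortest RFC 5952 form;
# split_global_unicast(): routing prefix (n bits) / subnet ID (64-n) / IID (64).

HEX = set("0123456789abcdefABCDEF")

def expand(addr: str) -> str:
    """Full 8-group form with 4 hex digits per group; rejects malformed text."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        left, right = addr.split("::")
        lgroups = left.split(":") if left else []
        rgroups = right.split(":") if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lgroups + ["0"] * missing + rgroups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 or set(g) - HEX for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr!r}")
    return ":".join(f"{int(g, 16):04x}" for g in groups)

def compress(addr: str) -> str:
    """Shortest form: drop leading zeros, replace the longest run of zero groups (>= 2) with '::'."""
    groups = [f"{int(g, 16):x}" for g in expand(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:                       # leftmost longest run of '0' groups wins
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1
    if best_len < 2:                   # a single zero group stays '0', never '::'
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"

def split_global_unicast(addr: str, n: int = 48) -> dict:
    """Global routing prefix (n bits), subnet ID (64 - n bits), interface ID (64 bits) as integers."""
    if not 0 < n <= 64:
        raise ValueError("routing prefix must be 1..64 bits")
    value = int(expand(addr).replace(":", ""), 16)
    top, iid = value >> 64, value & ((1 << 64) - 1)
    return {"routing_prefix": top >> (64 - n),
            "subnet_id": top & ((1 << (64 - n)) - 1),
            "interface_id": iid}
```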
IPv6 Address Scope
An interface is expected to have multiple addresses.
An IPv6 node MUST support multicast.
Addresses have scope:
  Link Local (FE80::/10)
  Unique Local (FC00::/7)
  Global (2000::/3)
IPv6 Address Types
Unicast: a unicast address identifies a single network interface.
Multicast: the address of a set of interfaces; one-to-many delivery to all interfaces in the set.
Anycast: an anycast address is assigned to a group of interfaces, usually belonging to different nodes.
There are no more broadcast addresses.
IPv6 Addresses: Unicast and Multicast (example router interface)
NKN-SP-LAN#show ipv6 int
Vlan196 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::6E20:56FF:FEC5:47DF
  No Virtual link-local address(es):
  Description: "LAN SAGEMENT 2 10.1.196.1 "
  Global unicast address(es):
    2001:4408:5205:196::1, subnet is 2001:4408:5205:196::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:2
    FF02::1:FF00:1
    FF02::1:FFC5:47DF
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachable are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is High
  Hosts use DHCP to obtain routable addresses.
Slide annotations: FE80::6E20:56FF:FEC5:47DF is the link-local address; 2001:4408:5205:196::1 is the global address; FF02::1 is all nodes; FF02::2 is all routers; FF02::1:FF00:1 and FF02::1:FFC5:47DF are the solicited-node multicast addresses.
IPv6 Address Types: Unicast Address Scope
Link local: non-routable, exists only within the L2 domain (FE80::/10)
  FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
Unique-Local (ULA): routable within an administrative domain, similar to RFC 1918 (FC00::/7)
  FC00:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
Global: routable across the Internet (2000::/3)
  2000:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
Multicast addresses begin with FF00::/8
  FF00:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
IPv6 Address Types
Address Type          IPv6 Binary Prefix    IPv6 Prefix   IPv4 Prefix
Unspecified           000...0 (128 bits)    ::/128        0.0.0.0/0
Loopback              000...01 (128 bits)   ::1/128       127.0.0.1
Unique Local Address  1111 110              FC00::/7      RFC 1918 {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16}
Link-local Unicast    1111 1110 10          FE80::/10     ---
Multicast             1111 1111             FF00::/8      224.0.0.0-239.255.255.255
Global Unicast        001                   2000::/3      Class A, B & C
IPv4 & IPv6 Header Comparison
IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address.
IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address.
Legend (colour-coded on the slide):
  field name kept from IPv4 to IPv6: Version, Source Address, Destination Address
  fields not kept in IPv6: IHL, Identification, Flags, Fragment Offset, Header Checksum
  name & position changed in IPv6: Type of Service -> Traffic Class, Total Length -> Payload Length, Protocol -> Next Header, Time to Live -> Hop Limit
  new field in IPv6: Flow Label
IPv4 Header
The IPv4 packet header consists of 14 fields, of which 13 are required. The 14th field is optional (red background in the table) and aptly named: Options.
Internet Header Length (IHL): the second field (4 bits) is the Internet Header Length, the number of 32-bit words in the header. The minimum value for this field is 5 (RFC 791), which is a length of 5 x 32 = 160 bits = 20 bytes. Being a 4-bit value, the maximum length is 15 words (15 x 32 bits) or 480 bits = 60 bytes.
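To make the header comparison concrete, here is an added example (not from the deck) that decodes both fixed headers field by field with struct: the IPv4 parser applies the IHL rule and verifies the header checksum, while the IPv6 parser has no IHL, no fragment fields and no checksum to check. Both sample packets are constructed by hand for this example.

```python
import struct
import ipaddress

# Added example, not from the NKN slides: decode the IPv4 and IPv6 fixed
# headers as laid out on the comparison slide. SAMPLE_* are hand-built.

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 checksum: ones' complement of the ones' complement sum of
    16-bit words. Over a header already carrying a valid checksum it is 0."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_ipv4(pkt: bytes) -> dict:
    if len(pkt) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    (vihl, tos, total_len, ident, flags_frag,
     ttl, proto, csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = vihl & 0xF                      # header length in 32-bit words, 5..15
    if ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("bad IHL or truncated header")
    return {"version": 4, "ihl": ihl, "header_len": ihl * 4, "tos": tos,
            "total_length": total_len, "id": ident, "flags": flags_frag >> 13,
            "frag_offset": flags_frag & 0x1FFF, "ttl": ttl, "protocol": proto,
            "checksum_ok": ipv4_checksum(pkt[:ihl * 4]) == 0,
            "options": pkt[20:ihl * 4],   # empty when IHL == 5
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst))}

def parse_ipv6(pkt: bytes) -> dict:
    """Fixed 40-byte header: no IHL, no fragment fields, no header checksum."""
    if len(pkt) < 40:
        raise ValueError("IPv6 header needs 40 bytes")
    vtf, payload_len, next_hdr, hop_limit, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    return {"version": 6, "traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF,
            "payload_length": payload_len, "next_header": next_hdr, "hop_limit": hop_limit,
            "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst))}

# Constructed samples: a 20-byte IPv4 TCP header (IHL=5, DF set) and an IPv6
# header carrying ICMPv6 (next header 58) from a router's link-local address.
SAMPLE_IPV4 = bytes.fromhex("45000028 1c464000 40068254 0a01c401 0a01c432")
SAMPLE_IPV6 = bytes.fromhex("60000000 0014 3aff"
                            "fe80000000000000 6e2056fffec547df"
                            "ff020000000000000000000000000001")
```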
Control Protocol(s)
IPv4 control protocols: ARP (for Ethernet), ICMP, IGMP
IPv6 control protocol: ICMPv6 (IPv6 Next Header value 58), which must be fully implemented and supported
Multicast
An IPv6 node MUST support multicast.
All nodes whose addresses share the same low-order 24 bits share the same solicited-node multicast address.
Solicited-node multicast address format: globally-assigned prefix FF02::1:FF00:0/104 + low-order 24 bits of the node address.
Example: node 2405:8A00:100:200::A101:3258 joins the multicast group FF02::1:FF01:3258, i.e. FF02:0:0:0:0:1:FF01:3258 in expanded form.
Reserved Multicast Addresses
Address             Scope        Use
FF01::1             Node-local   All Nodes
FF01::2             Node-local   All Routers
FF02::1             Link-local   All Nodes
FF02::2             Link-local   All Routers
FF05::2             Site-local   All Routers
FF02::1:FFxx:xxxx   Link-local   Solicited-Node
Maximum Transmission Unit (MTU)
MTU is the maximum size of IP packet that can be transmitted without fragmentation. In IPv6 the MTU must be at least 1280 bytes, while in IPv4 it was only 68 bytes.
IPv6 uses Path MTU Discovery to find the smallest MTU along the path and uses that MTU from then on.
Path MTU Discovery example on the slide: links of 9000, 4000, 1500 and 1300 bytes; the path MTU settles at 1300 bytes.
Path MTU Discovery is mandatory in IPv6 because routers don't perform fragmentation in IPv6: fragmentation is handled by the source through Path MTU Discovery.
Anycast
The same anycast address is assigned to a group of interfaces (nodes).
A packet sent to an anycast address is delivered to the nearest interface (node) having this address.
This allows increased service reliability.
Anycast addresses are allocated from the unicast address space.
Customer LAN Migration to IPv6
IPv6 Address Allocation
Address Assignment
Security
NKN IPv6 Address Space
NKN has got the 2405:8A00::/32 IPv6 address block from APNIC.
NKN is allocating a /48 block to every connected member institute. A /48 is the minimum prefix size required for multihoming, so each and every institute can do multihoming using its NKN IPv6 address block.
NKN IPv6 anycast DNS server: 2405:8A00:AA::AA
Address Allocation Plan for an Institute
Each institute gets a /48 v6 address block from NKN.
From this block, the user has the flexibility to have 2^16 (i.e. 65536) LANs in its network.
Each LAN will have 2^64 global IP addresses for client allocation.
The user also has the option to use Unique Local Addresses in its LAN and do NAT at the firewall; FC00::/7 is the ULA segment. But if you are thinking that using ULA will provide you an add-on security feature, then think again. It is not a recommended practice, but implementation depends on user requirements.
v6 Address Allocation in NKN
NKN has got the 2405:8a00::/32 IPv6 block from APNIC. We divide this /32 block into eight /35 blocks. The first /35 block is used for NKN network infrastructure. The remaining seven /35 blocks are assigned to NKN's seven super core POPs. Every super core POP aggregates multiple institutes. We have assigned a /48 block of IPv6 to every institute from the respective super core block of /35.
NKN IPv6 address block: 2405:8a00::/32
  Delhi NKN POP: 2405:8a00:2000::/35 (institute blocks 2405:8a00:2000::/48, 2405:8a00:2001::/48, 2405:8a00:2002::/48, ... 2405:8a00:3fff::/48)
  Hyderabad NKN POP: 2405:8a00:4000::/35 (2405:8a00:4000::/48, 2405:8a00:4001::/48, 2405:8a00:4002::/48, ... 2405:8a00:5fff::/48)
  Mumbai NKN POP: 2405:8a00:6000::/35 (2405:8a00:6000::/48, 2405:8a00:6001::/48, 2405:8a00:6002::/48, ... 2405:8a00:7fff::/48)
  Bengaluru NKN POP: 2405:8a00:8000::/35 (2405:8a00:8000::/48, 2405:8a00:8001::/48, 2405:8a00:8002::/48, ... 2405:8a00:9fff::/48)
IPv6 Address Allocation to Institutes
NKN allocates a /48 to every institute. For example, consider the case of Delhi: block 2405:8a00:2000::/35 is allocated to the Delhi super core NKN POP. From this block, we use the /48 blocks for institutes:
  2405:8a00:2000::/48, the first /48 of this /35, is allocated to Institute 1.
  2405:8a00:2001::/48, the second /48 of this /35, is allocated to Institute 2.
  2405:8a00:2002::/48 ... and so on up to 2405:8a00:3fff::/48.
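The allocation plan of the last three slides as code, an added example rather than NKN's own tooling: the /32 carved into eight /35 POP blocks, the n-th institute /48 inside a POP block, the LAN /64 inside an institute /48, and a reverse lookup from an address to its POP. The constructed values match the slide's numbers (2405:8a00:2000::/48 for Institute 1, 2405:8a00:3fff::/48 for the last one).

```python
import ipaddress

# Added example, not NKN tooling: the /32 -> /35 -> /48 -> /64 plan from the slides.
NKN_BLOCK = ipaddress.IPv6Network("2405:8a00::/32")

def pop_blocks() -> list:
    """The eight /35 blocks: index 0 is NKN infrastructure, 1..7 the super-core POPs."""
    return list(NKN_BLOCK.subnets(new_prefix=35))

def institute_block(pop: str, n: int) -> ipaddress.IPv6Network:
    """The n-th (1-based) /48 inside a POP's /35; a /35 holds 2**13 = 8192 of them."""
    pop_net = ipaddress.IPv6Network(pop)
    if pop_net.prefixlen != 35 or not pop_net.subnet_of(NKN_BLOCK):
        raise ValueError(f"{pop} is not an NKN POP /35")
    if not 1 <= n <= 2 ** (48 - 35):
        raise ValueError("institute index out of range for a /35")
    base = int(pop_net.network_address) + (n - 1) * 2 ** (128 - 48)
    return ipaddress.IPv6Network((base, 48))

def lan_prefix(institute: str, lan: int) -> ipaddress.IPv6Network:
    """The /64 for LAN number `lan` (0..65535) inside an institute's /48."""
    net = ipaddress.IPv6Network(institute)
    if net.prefixlen != 48:
        raise ValueError("institutes receive a /48")
    if not 0 <= lan < 2 ** 16:
        raise ValueError("a /48 holds 65536 /64 LANs")
    return ipaddress.IPv6Network((int(net.network_address) + lan * 2 ** 64, 64))

def pop_of(addr: str):
    """Index (in pop_blocks()) of the /35 an address belongs to, or None if outside NKN space."""
    a = ipaddress.IPv6Address(addr)
    for i, block in enumerate(pop_blocks()):
        if a in block:
            return i
    return None
```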
IPv6 Address Assignment
Similar to IPv4:
  Manually configured
  Assigned via DHCP: 1. Router Solicitation (RS), 2. Router Advertisement (RA), 3. DHCPv6 Request, 4. DHCPv6 Reply
New in IPv6:
  Stateless configuration: 1. Router Solicitation (RS), 2. Router Advertisement (RA, carrying the /64 prefix, timers, etc.); IPv6 address = /64 prefix + EUI-64 (e.g. from the MAC address)
  Auto-generated pseudo-random number (RFC 3041): 1. Router Solicitation, 2. Router Advertisement; IPv6 address = /64 prefix + random 64 bits (RFC 3041)
IPv6 Address Assignment
The various IPv6 address assignment methods are as follows:
  Manual Assignment
  Stateless Address Autoconfiguration (SLAAC)
  Stateless DHCPv6
  Stateful DHCPv6
  DHCPv6 Prefix Delegation (DHCPv6-PD)
Stateless Address Autoconfiguration (SLAAC)
The network should have at least one IPv6 router configured to send periodic Router Advertisement (RA) announcements.
When an IPv6 host connects to the network it sends an ICMPv6 Router Solicitation (RS) message and picks up the ICMPv6 RA sent in response by the IPv6 router.
The IPv6 host uses a combination of the IPv6 prefix received in the RA message and its link-layer address to form an IPv6 address.
SLAAC (continued)
Address = Subnet Prefix + Interface-ID
At boot time, an IPv6 host builds a link-local address, then its global IPv6 address(es) from the RA.
Auto-configuration with no collisions; offers plug and play.
The RA message carries network-type information:
1. Router Advertisement (RA) sent with A-flag = ON (default behaviour)
   ICMP type = 134
   Src = router link layer address
   Dst = all-nodes multicast address (ff02::1)
   Data = link-layer address of the router
   Prefix = 2405:8a00:1::/64
EUI-64 Addressing Format (Extended Unique Identifier)
The Interface-ID can be manually configured or built using stateless autoconfiguration.
This format expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle 16 bits; the U bit is inverted when using the EUI-64 format.
  MAC address:       00 26 B9 9B 95 49
  Insert FFFE:       00 26 B9 FF FE 9B 95 49
  Invert the U bit:  02 26 B9 FF FE 9B 95 49 (EUI-64 format)
The U bit sits in the first byte as 000000U0, where U = 1 means unique and U = 0 means not unique.
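The EUI-64 construction on this slide and the solicited-node multicast derivation from the Multicast slide, as one added example (not code from the deck): build the interface ID from a MAC, combine it with the /64 from the RA, derive the FF02::1:FFxx:xxxx group a node joins, and recognise whether an address still carries its MAC (the privacy concern RFC 3041 addresses on the next slide). The sample MAC, prefix and addresses are the slides' own values.

```python
import ipaddress

# Added example, not from the NKN slides: EUI-64 and solicited-node derivations.

def eui64_interface_id(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64: insert FF:FE between the OUI and
    the device part, then invert the U/L bit (bit 1 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 6 octets")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """SLAAC address = /64 prefix from the RA + EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FF00:0/104 + the low-order 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def is_eui64_derived(addr: str) -> bool:
    """True when the interface ID carries the FFFE marker with the U/L bit set,
    i.e. the MAC address can be read straight out of the IPv6 address."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    return iid[3:5] == b"\xff\xfe" and bool(iid[0] & 0x02)
```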
Auto-generated Pseudo-random Number (RFC 3041)
Auto-generates the 64-bit interface identifier using a random algorithm, to preserve privacy.
How to disable (Windows):
  C:\> netsh interface ipv6 set privacy state=disable
  C:\> netsh interface ipv6 set global randomizeidentifiers=disabled
Why Not SLAAC?
Does not provide DNS/NTP servers to be used by the client.
No authorization to obtain an address on the network.
Attack on router discovery.
Attack on address configuration (rogue RA).
Attack on address resolution.
DoS with DAD is always possible (just like ARP spoofing in IPv4).
Stateless DHCPv6
The host configures its address based on SLAAC (SAC), but other information like DNS is received via DHCPv6.
The DHCP server must be preconfigured with the other configuration, like DNS.
Any router/L3 switch between the DHCP server and the host must be preconfigured as a relay router.
The host will receive:
  list of DHCPv6 servers
  network address (using SAC)
  list of DNS servers etc. (using DHCPv6)
  domain search list option (using DHCPv6)
Topology on the slide: Edge Router (R1), Edge Router (R2), L3 Switch, L2 Switches, DHCPv6 Server.
Stateless DHCPv6 (message flow)
Topology on the slide: Core Router, DHCPv6-Serv-1, DHCPv6-Relay-3, DHCPv6-Client-1.
1. Router Advertisement (RA) sent containing the link prefix, with A-flag = ON (default behaviour) and also O-flag = ON.
2. The client auto-configures its address based on the prefix option in the RA, then sends a DHCPv6 SOLICIT.
Stateless DHCPv6 normally combines stateless autoconfiguration for address assignment with a DHCPv6 exchange for all other configuration settings.
Stateful DHCPv6
The DHCP server must be preconfigured with a pool of IP prefixes.
Any router/L3 switch between the DHCP server and the host must be preconfigured as a relay router.
The host will receive:
  list of DHCPv6 servers
  network address
  list of DNS servers etc.
  domain search list option
Topology on the slide: Edge Router (R1), Edge Router (R2), L3 Switch, L2 Switches, DHCPv6 Server.
Stateful DHCPv6 (message flow)
RAs can be used to control DHCPv6 client behaviour.
Topology on the slide: Core Router, DHCPv6-Serv-1, DHCPv6-Relay-1, DHCPv6-Relay-3, DHCPv6-Client-1.
1. Router Advertisement (RA) sent with M-flag = ON and A-flag = OFF.
2. The client sends a DHCPv6 SOLICIT.
Example: Stateful DHCPv6
DHCPv6 server pool: /64 prefixes from 2405:8a00::/32, e.g. 2405:8a00:1000:1::/64 and 2405:8a00:1000:2::/64.
Edge Router (R1) interfaces: 2405:8a00:1000:1::1/64 and 2405:8a00:1000:2::1/64, with the L3 switch acting as proxy.
DHCPv6 address assignment to the client behind the L2 switch: 2405:8a00:1000:1::2/64.
DHCPv6 Delegation Model (RFC 3633)
The DHCP server delegates prefixes to the edge router.
The edge router (which acts as a delegation client of the DHCP server) acts as a DHCP server for hosts, the same as in stateful/stateless DHCPv6.
The DHCP server must be preconfigured with the prefix to be delegated to the edge router.
Routers between the edge router and the DHCP server must be preconfigured as relay routers.
Intermediary routers/L3 switches between the end systems and the edge routers must be preconfigured as relay routers.
The host will receive:
  list of DHCPv6 servers
  network address
  list of DNS servers etc.
  domain search list option
Topology on the slide: PE, Edge Router (R1), Edge Router (R2), L3 Switch, L2 Switches, DHCPv6 Server.
Example: DHCPv6 Delegation Model (Stateful / Stateless)
DHCPv6 server pool: /64 prefixes from 2405:8a00::/32.
DHCPv6 address delegation to the edge router: 2405:8a00:1000:0001::/56 (delegated prefixes 2405:8a00:1000:1::/56, 2405:8a00:1000:256::/56, ...).
Edge router acting as DHCP server, with interfaces 2405:8a00:1000:0001::1/64 and 2405:8a00:1000:0002::1/64 and the L3 switch acting as proxy.
DHCPv6 address assignment to the client behind the L2 switch: 2405:8a00:1000:0001::2/64.
DHCP Deployment Strategy
Stateful DHCPv6 without delegation:
  a central DHCPv6 server assigns addresses to all end clients
  each L3 switch/router's routed ports/SVIs are preconfigured with static /64 addresses
  each L3 switch/router is configured as a relay
  each client is assigned a DHCPv6 address based on its L3 segment
DHCPv6 delegation model (stateful DHCPv6):
  a central DHCP server delegates /56 prefixes to the edge routers
  each edge router in turn acts as the DHCPv6 server for its downstream clients
Open Source IP Registrar (OSIR)
OSIR is a full-featured solution that provides Dynamic Host Configuration Protocol (DHCP) service and delivers client management features: auto installation, failover management, link management, client management, lease management and policy management.
https://osiradmin.nkn.in
IPv6: What to Look Out For and How to Assess
Watch Out
Network infrastructure: routers, bandwidth shapers, switches (Layer 2 and Layer 3 devices)
Data centre devices: load balancers, firewalls, IPS/IDS, virtual machines (VMware/Xen), blade management consoles, IP KVM
Clients: PCs on the LAN, servers, proxy/UTM, network printers, display systems, antivirus/HIPS
Watch Out (continued)
Software stacks: Windows/Linux/Solaris/AIX; IIS 6 & above / Apache 2 & above; AAA server; BIND 9.5 & above; database (transaction log); logging server (syslog / special tools like WebTrends)
Infrastructure: power/infra management software, UPS management console, building management system, access control system, cameras, digital video recorders
Wi-Fi systems: Wi-Fi controllers, AAA servers
IPv6 Supported Devices
Operating systems: Windows XP (Service Pack 2), Windows Vista, Windows 7, Windows 8; Linux RHEL 5, RHEL 6, Fedora 12 and above
Cisco routers: IOS 12.2 and above
Juniper routers: Junos 6.0R2 and above
Best Deployment Practices
Deployment strategy at the LAN side:
  All clients should be configured with global IP addresses, thus no NAT scenario.
  Block all sessions initiated from outside on non-server segments.
  Block all irrelevant Neighbor Discovery protocol messages (e.g. NS, NA, RS, RA) from outside the LAN, except DHCPv6.
  All standard security portfolios of IPv4 should also be implemented for IPv6.
  Use L2 switches with L3 capabilities to stop rogue routers and DHCPv6 servers from spoofing the LAN.
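The last two bullets in code form, as an added example (not from the deck): an RA-guard style check of the kind a capable L2/L3 switch or a monitoring box applies to Router Advertisements, flagging RAs from routers not on the authorised list, RAs that did not originate on-link, and autoconfiguration prefixes outside the institute's /48. The authorised-router set, the institute /48 (2405:8a00:1::/48) and the sample packets are constructed assumptions; packets are raw IPv6 without the Ethernet header, and the ICMPv6 checksum is not validated here.

```python
import ipaddress

# Added example, not from the NKN slides: RA-guard style checks on raw IPv6
# packets (no Ethernet header). The router list and prefix are assumptions.

AUTHORISED_ROUTERS = {ipaddress.IPv6Address("fe80::6e20:56ff:fec5:47df")}
INSTITUTE_PREFIX = ipaddress.IPv6Network("2405:8a00:1::/48")

def ra_findings(pkt: bytes) -> list:
    """Problems found in a Router Advertisement; [] means it passes every check."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not IPv6"]
    next_header, hop_limit = pkt[6], pkt[7]
    src = ipaddress.IPv6Address(pkt[8:24])
    icmp = pkt[40:]
    if next_header != 58 or len(icmp) < 16 or icmp[0] != 134:
        return ["not an RA"]
    findings = []
    if src not in AUTHORISED_ROUTERS:
        findings.append(f"RA from unexpected router {src}")
    if not src.is_link_local:
        findings.append("RA source is not link-local")
    if hop_limit != 255:
        findings.append("hop limit != 255, RA did not originate on-link")
    off = 16                      # ND options: type, length (8-octet units), data
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):
            findings.append("malformed ND option")
            break
        if otype == 3 and olen == 32:                 # Prefix Information option
            plen, pflags = icmp[off + 2], icmp[off + 3]
            prefix = ipaddress.IPv6Network((icmp[off + 16:off + 32], plen), strict=False)
            if pflags & 0x40 and not prefix.subnet_of(INSTITUTE_PREFIX):   # A flag set
                findings.append(f"autoconfig (A) prefix {prefix} outside {INSTITUTE_PREFIX}")
        off += olen
    return findings

def build_ra(src: str, prefix: str, hop_limit: int = 255) -> bytes:
    """Constructed sample RA to ff02::1: prefix option with L+A flags, router
    lifetime 1800 s, ICMPv6 checksum left as zero (not checked by ra_findings)."""
    net = ipaddress.IPv6Network(prefix)
    option = (bytes([3, 4, net.prefixlen, 0xC0]) + b"\xff" * 8 + b"\x00" * 4
              + net.network_address.packed)
    icmp = bytes([134, 0, 0, 0, 64, 0]) + (1800).to_bytes(2, "big") + b"\x00" * 8 + option
    header = ((6 << 28).to_bytes(4, "big") + len(icmp).to_bytes(2, "big")
              + bytes([58, hop_limit]) + ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address("ff02::1").packed)
    return header + icmp
```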
Security
Venn diagram on the slide: IPv4 vulnerabilities and IPv6 vulnerabilities overlap, with some issues specific to IPv4 and some specific to IPv6.
Thank You