IPv6 and IPv4: Twins or Distant Relatives

Similar documents
But we ve always done it this

Don't have the plaid polyester leisure suit of IPv6 networks! Paul Ebersman, IPv6 Evangelist NANOG56, Dallas, TX (21-24 Oct 2012)

There are more layers than just layer 3 Paul Ebersman, IPv6 NANOG57, Orlando, FL (04-06 Feb 2013)

IPv6: Problems above Layer 3 Paul Ebersman, IPv6 PLNOG10, Warsaw, 28 Feb 2013

IPv6 deployment for Enterprise/Sysadmins Paul NAv6 Summit 2013, Denver, Apr 2013

IPv6: Are we there yet? NANOG 58 New Orleans Paul Ebersman IPv6

ODL Summit Bangalore - Nov 2016 IPv6 Design in OpenDaylight

Introduction to IPv6 - II

IPv6 Technical Challenges

Introduction to IPv6

Workshop on Scientific Applications for the Internet of Things (IoT) March

Network Management. IPv6 Bootcamp. Zhiyi Huang University of Otago

IPv6 Protocol Architecture

OSI Data Link & Network Layer

IPv6 Protocol & Structure. npnog Dec, 2017 Chitwan, NEPAL

DHCPv6 OPERATIONAL ISSUES Tom Coffeen 4/7/2016

Rocky Mountain IPv6 Summit April 9, 2008

Transitioning to IPv6

Configuring IPv6 for Gigabit Ethernet Interfaces

Setup. Grab a vncviewer like: Or

TCP/IP Protocol Suite

OSI Data Link & Network Layer

OSI Data Link & Network Layer

IPv6 Security: Oxymoron or Oxycodone? NANOG 60 Atlanta Paul Ebersman IPv6

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land

Practical IPv6 for Windows Administrators

Internet Protocol, Version 6

Index Terms- IPv4, IPv6

DHCPv6 Overview 1. DHCPv6 Server Configuration 1

It's the economy, stupid: the transition from IPv4 to IPv6

Configuring IPv6 basics

Results of a Security Assessment of the Internet Protocol version 6 (IPv6)

IPv6 Feature Facts

Learning/Playing with IPv6 at home. Keith Garner, Gradebook Team Lead

IPv6 Next generation IP

IPv6 address configuration and local operation

DHCPv6 (RFC3315 RFC4361)

Step 2. Manual configuration of global unicast and link-local addresses

The Netwok Layer IPv4 and IPv6 Part 2

Internet Engineering Task Force (IETF) Obsoletes: 3315, 3633, 3736, 4242, 7083, 7283, 7550 B. Volz

Internet Protocol v6.

IPv6 Stateless Autoconfiguration

IPv6 Concepts. Improve router performance Simplify IP header Align to 64 bits Address hierarchy with more levels Simplify routing tables

Athanassios Liakopoulos

IPv6 It starts TODAY!

ISO 9001:2008. Pankaj Kumar Dir, TEC, DOT

TD#RNG#2# B.Stévant#

IPv6. IPv4 & IPv6 Header Comparison. Types of IPv6 Addresses. IPv6 Address Scope. IPv6 Header. IPv4 Header. Link-Local

IPv6 Client IP Address Learning

Chapter 7: IP Addressing CCENT Routing and Switching Introduction to Networks v6.0

IPv6 CONSORTIUM TEST SUITE Address Architecture Conformance Test Specification

IPv6 Neighbor Discovery

HPE ArubaOS-Switch IPv6 Configuration Guide YA/YB.16.02

IPv6 Protocols & Standards

Tutorial: IPv6 Technology Overview Part II

IPv6 Security Fundamentals

Operation Manual IPv6 H3C S3610&S5510 Series Ethernet Switches Table of Contents. Table of Contents

IPv4/v6 Considerations Ralph Droms Cisco Systems

IPv6 Neighbor Discovery

Foreword xxiii Preface xxvii IPv6 Rationale and Features

SECURITY IN AN IPv6 WORLD MYTH & REALITY. RIPE 68 Warsaw May 2014 Chris Grundemann

IPv6 Neighbor Discovery

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

DHCPv6 Based IPv6 Access Services

Security in an IPv6 World Myth & Reality

UNDERSTANDING IPv6. Youngsong Mun 1 and Hyewon K. Lee 2 'Soongsil University, Seoul, Korea; 2 Daejin University, Kyungki, Korea.

DNS, DHCP and Auto- Configuration. IPv6 Training Day 18 th September 2012 Philip Smith APNIC

The state of IPv6 (and IPv4)

MBC. Auto. Address. Networks. Mesh. uto- configuration for Wireless. Keecheon Kim. Konkuk University Seoul, Korea

Guide to TCP/IP Fourth Edition. Chapter 6: Neighbor Discovery in IPv6

IPv6 Autoconfiguration. Stateless and Stateful. Rabat, Maroc Mars 2007

CSCI-1680 Network Layer:

Internet Control Message Protocol

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

Configuring IPv6. Information About IPv6. Send document comments to CHAPTER

ArubaOS-Switch IPv6 Configuration Guide for YA/YB.16.04

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August

debug ip ospf database external default-metric subnet area 0 stub distribute-list in Serial0/1

IPv6 Associated Protocols. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

Internet of Things (IOT) Things that you do not know about IOT

On Distributed Communications, Rand Report RM-3420-PR, Paul Baran, August 1964

Radware ADC. IPV6 RFCs and Compliance

IPv6 Bootcamp Course (5 Days)

Internet Engineering Task Force. C. Perkins Nokia Research Center Ted Lemon Nominum Bernie Volz Ericsson R. Droms(ed.) Cisco Systems 22 Apr 2002

IPv6 Protocols & Standards. ISP/IXP Workshops

IPv6 for the InfoSec Pro On the Go. Allan Stojanovic University of Toronto #include disclaimer.h

Avaya Networking IPv6 Using Fabric Connect to ease IPv6 Deployment. Ed Koehler Director DSE Ron Senna SE Avaya Networking Solutions Architecture

Dynamic Host Configuration Protocol for IPv6 (DHCPv6)

SLAACers. IPv6 Accountability without DHCPv6. Library and Information Services School of Oriental and African Studies London. Networkshop 39, 2011

Using IPv6. Daniel Hagerty

IPv6 is Internet protocol version 6. Following are its distinctive features as compared to IPv4. Header format simplification Expanded routing and

Internet Engineering Task Force. C. Perkins Nokia Research Center Ted Lemon Nominum Bernie Volz Ericsson R. Droms(ed.) Cisco Systems May

The OSI model of network communications

ECE 435 Network Engineering Lecture 14

Planning for Information Network

Implementing DHCP for IPv6

IPv6 tutorial. RedIRIS Miguel Angel Sotos

Understanding IPv6. Shannon McFarland CCIE #5245 Principal Engineer. #clmel BRKRST-1069

Multi-requirement Extensions for DHCPv6 (draft-ren-dhc-mredhcpv6-00)

IPv6 Neighbor Discovery

Transcription:

IPv6 and IPv4: Twins or Distant Relatives Paul Ebersman, IPv6 Evangelist NANOG54, San Diego (5-8 Feb 2012) 1

What you ll see immediately More addresses 340 undecillion Bigger, beefier addresses 2001:db8:dead:beef::1 Lots more addresses per interface More magic 2

7 Layer View (Sorta) 3

Routing Efficiencies Fixed header size Extension header chain Flow labels in header No intermediate fragmentation PMTUD 4

Network Efficiencies No broadcast Multicast NS/Solicited Node, no ARP ICMPv6 5

Address Types Unicast Multicast Anycast 6

Address Scope Link Local Global Unicast Unique Local Transition Misc (Site Local, Reserved, Special) 7

Link Local Local (broadcast) Domain fe80::/64 Similar to APIPA (169.254.0.0/16) Reusable on all interfaces 8

Global Unicast Globally routable Unique Public Use em everywhere! 9

Unique Local Not globally routable Not unique (but registerable ) Replacement for RFC1918 (if you must) 10

More addresses per interface! Use em; we ll make more Multiple default routes Quiescence How do it know? (RFC 3484) 11

Subnet Planning 12

Sane Subnetting You can get enough IPv6 space Do the architecture you want, not the one you re stuck with Use GUA space everywhere, make NAT a choice Map your subnets to your process/provisioning or business model Do a scheme that aggregates and makes ACLs sane 13

Sample /32 Plan by Geography 2001:db8:abcd::/36 City: 4 bits = 16 possible locations 2001:db8:abcd::/40 Hub: 4 bits = 16 possible hubs per city 2001:db8:abcd::/48 Floor: 8 bits = 256 floors per hub. 2001:db8:abcd:12xx::/56 Switch: 8 bits = 256 Switchs per floor. 2001:db8:abcd:1234::/64 VLAN: 8 bits = 256 VLANs per switch. 14

Prefix Lengths /48 is minimum routable chunk /64 for all non-p2p subnets /127 for p2p links (RFC 6164) /128 for loopbacks Use /64 each for p2p/lb, pair for each routing domain 15

Multi-homing and PI addresses If you qualified in v4, you still do If PI space would have been useful in v4, it still is If you didn t understand it in v4, v6 won t help you 16

SLAAC vs DHCP 17

SLAAC SLAAC == StateLess Address AutoConfiguration Uses Router Advertisement (RA) messages Network policy moved to the edge 18

Interface ID generation EUI-64 uses the mac address and an algorithm to generate interface ID Windows7/Vista randomly generates interface ID by default Servers and LINUX/UNIX mostly use EUI-64 19

MAC-Address to Interface ID 20

SLAAC Sequence Client configures link-local address Generates 64 bit host ID (EUID from MAC, random) Uses link local prefix and EUID to generate tentative address ( such as fe80::028c:f5ff:fe05:4235) Does DAD (Duplicate Address Detection) Sends a multicast Neighbor Solicitation message containing its new tentative address to the solicited node address If no other node responds with a Neighbor Advertisement using that address, the host configures itself with that address 21

SLAAC Sequence cont. Host now looks for Router Advertisement (RA) Messages Sends multicast Router Solicitation message Listens for RA messages Configures itself based on contents of RA message, including doing DHCPv6 22

RA Message Contents Local prefix(es), including A (autonomous address configuration) flag Router info Router's link-level address Lifetime of route Router priority Flags: M (ManagedAddress) flag and O (OtherConfiguration) flag Maximum Transmission Unit (MTU) of upstream link 23

Not in RA Messages RDNS server NTP or other configuration RFC 6106 for RDNS in RA Lack of client support 24

No Choice Must run both RA and DHCPv6 for most sites No DHCPv6 without an RA message with M or O flag on Many options not available to clients without DHCPv6 No default gateway in DHCPv6 Must configure DHCP and edges 25

DHCPv6 features Not BOOTP! J No broadcast! New ports (546, 547) Vendor options in TLV tuples Reconfigure now secure 26

DHCPv6 vs DHCPv4 messages 27

Use the whole /64! IPv4 address shortages made pool size precious IPv6 has plenty Protect from brute force scans Do pay attention, though 28

Failover is so 5 minutes ago Drivers in IPv4 for failover: Changing client IP address was user noticeable Lack of large enough pools If you use up 18 quintillion addrs Fragility of keeping state High availability more useful 29

Reconfigure Client and server must support and be configured for it Now has security With quiescence and reconfigure, renumbering is easy (mostly) 30

DUID > Mac address Mac address as ID is flawed: Not always unique Can be altered Multi-interface hosts confuse things But it s what most of the eyeballs on the Internet are ID ed by currently DUID (DHCP Unique Identifier) is the replacement in IPv6 31

DUID issues Yes, mac addresses sucks. DUIDs suck differently. Can t correlate v4 and v6 addrs to same host Can t get mac address from DUID Persistent storage of DUID may cause surprises 32

What DUIDs do right One DUID per DHCP server or client One Identity Association (IA) per network interface on a host A host can DHCP for all interfaces via DUID/ IA as unique key 33

Identity Associations Types: IA_TA: temporary address(es), i.e. privacy addrs IA_NA: non-temporary address(es), i.e. not privacy addrs IA_PD: prefix delegation 34

Prefix Delegation Delegate a prefix to a device Device can delegate longer prefixes to its own clients Likely scenario is home/cpe routers Lots of potential but not lots of gear available now 35

ICMPv6 36

ICMPv6 Required for: DAD Finding routers (RA/SLAAC) Finding servers (DHCP) PMTUD Connectivity (echo request/response) Network errors 37

ICMPv6 Filtering Filter it all and you don t have a useful network ICMPv6 much more detailed/precise in types and functions RFC 4890 has excellent filtering practices 38

Security 39

Security Most issues much the same as IPv4 Misconfiguration more likely than malice Untested code and lack of experience Security vendor claims must be validated 40

Security improvement claims Subnet size makes brute force scanning pointless (if you really use it ) Privacy addresses IPSec 41

Security realities Bad host numbering schemes IPSEC: Good news: just like IPv4 Bad news: just like IPv4 Exception: Microsoft DirectAccess 42

Security homework Test all your firewall and security appliances for IPv6 ACLs for IPv6 Detect various tunneling (ISATAP, Teredo, 6in4, 6to4, etc) Make sure all your NMS and logging deal with IPv6, both for transport and data 43

Q & A 44

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback