Don't have the plaid polyester leisure suit of IPv6 networks! Paul Ebersman, IPv6 Evangelist NANOG56, Dallas, TX (21-24 Oct 2012)

Similar documents
But we ve always done it this

IPv6 and IPv4: Twins or Distant Relatives

There are more layers than just layer 3 Paul Ebersman, IPv6 NANOG57, Orlando, FL (04-06 Feb 2013)

IPv6: Problems above Layer 3 Paul Ebersman, IPv6 PLNOG10, Warsaw, 28 Feb 2013

IPv6: Are we there yet? NANOG 58 New Orleans Paul Ebersman IPv6

IPv6 deployment for Enterprise/Sysadmins Paul NAv6 Summit 2013, Denver, Apr 2013

DHCPv6 OPERATIONAL ISSUES Tom Coffeen 4/7/2016

Workshop on Scientific Applications for the Internet of Things (IoT) March

IPv6 Protocol Architecture

OSI Data Link & Network Layer

IPv6 Protocol & Structure. npnog Dec, 2017 Chitwan, NEPAL

Introduction to IPv6

IPv6 Security: Oxymoron or Oxycodone? NANOG 60 Atlanta Paul Ebersman IPv6

OSI Data Link & Network Layer

Internet Protocol v6.

Introduction to IPv6 - II

OSI Data Link & Network Layer

Setup. Grab a vncviewer like: Or

It's the economy, stupid: the transition from IPv4 to IPv6

Multi-requirement Extensions for DHCPv6 (draft-ren-dhc-mredhcpv6-00)

ECE 435 Network Engineering Lecture 14

ODL Summit Bangalore - Nov 2016 IPv6 Design in OpenDaylight

TCP/IP Protocol Suite

DHCPv6 Overview 1. DHCPv6 Server Configuration 1

Implementing DHCP for IPv6

Networking Potpourri: Plug-n-Play, Next Gen

Learning/Playing with IPv6 at home. Keith Garner, Gradebook Team Lead

IPv6 address configuration and local operation

Enterprise IPv6 Deployment Security and other topics

Chapter 7: IP Addressing CCENT Routing and Switching Introduction to Networks v6.0

A Practical (and Personal) Perspective on IPv6 for Servers. Geoff Huston June 2011

Step 2. Manual configuration of global unicast and link-local addresses

Rocky Mountain IPv6 Summit April 9, 2008

DHCPv6 (RFC3315 RFC4361)

IPv6 Security Safe, Secure, and Supported.

Internet Protocol, Version 6

Subnet Masks. Address Boundaries. Address Assignment. Host. Net. Host. Subnet Mask. Non-contiguous masks. To Administrator. Outside the network

IPv6 Client IP Address Learning

OSPFv3-Based Home Networking draft-arkko-homenet-prefix-assignment-02.txt. Jari Arkko, Ericsson Acee Lindem, Ericsson Benjamin Paterson, Cisco

The Netwok Layer IPv4 and IPv6 Part 2

Network layer: Overview. Network layer functions IP Routing and forwarding NAT ARP IPv6 Routing

COE IPv6 Roadmap Planning. ZyXEL

Internet Engineering Task Force (IETF) Obsoletes: 3315, 3633, 3736, 4242, 7083, 7283, 7550 B. Volz

CSEP 561 Internetworking. David Wetherall

Configuring a DHCP Server DHCP Operation

Network layer: Overview. Network Layer Functions

IPv6 Technical Challenges

Using IPv6. Daniel Hagerty

IPv6 Next generation IP

SLAACers. IPv6 Accountability without DHCPv6. Library and Information Services School of Oriental and African Studies London. Networkshop 39, 2011

Why IPv6? Roque Gagliano LACNIC

DNS, DHCP and Auto- Configuration. IPv6 Training Day 18 th September 2012 Philip Smith APNIC

RMIT University. Data Communication and Net-Centric Computing COSC 1111/2061. Lecture 2. Internetworking IPv4, IPv6

DHCPv6 Based IPv6 Access Services

Internet Network Protocols IPv4/ IPv6

ISO 9001:2008. Pankaj Kumar Dir, TEC, DOT

Patrick Grossetete Cisco Systems Cisco IOS IPv6 Product Manager 2003, Cisco Systems, Inc. All rights reserved.

Networking Fundamentals IPv6 APNIC 44. TAICHUNG, TAIWAN 7-14 September 2017

Implementing DHCP for IPv6

Configuring IPv6 for Gigabit Ethernet Interfaces

Implementing DHCP for IPv6

Planning for Information Network

IPv6 Specifications to Internet Standard

IPv6 Protocols and Networks Hadassah College Spring 2018 Wireless Dr. Martin Land

Best Current Operational Practice for operators: choose. Jordi Palet

IPv6 Deployment at the University of Pennsylvania

IP - The Internet Protocol

IPv6: An Introduction

Transitioning to IPv6

IPv6: Are we really ready to turn off IPv4?

CSC 4900 Computer Networks: Network Layer

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

IPv6 Access Services: DHCPv6 Relay Agent

Configuring IPv6. Information About IPv6. Send document comments to CHAPTER

IPv6 Security Course Preview RIPE 76

Insights on IPv6 Security

IPv6 tutorial. RedIRIS Miguel Angel Sotos

Understanding IPv6. Shannon McFarland CCIE #5245 Principal Engineer. #clmel BRKRST-1069

Last time. Network layer. Introduction. Virtual circuit vs. datagram details. IP: the Internet Protocol. forwarding vs. routing

IPv4/v6 Considerations Ralph Droms Cisco Systems

DHCP and DDNS Services

IPv6 Access Services: DHCPv6 Prefix Delegation

IPv6 Security (Theory vs Practice) APRICOT 14 Manila, Philippines. Merike Kaeo

IPv6 Protocols & Standards. ISP/IXP Workshops

TDC 563 Protocols and Techniques for Data Networks

TD#RNG#2# B.Stévant#

IPv6 Basics. APNIC Training Bali, Indonesia February, Jordi Palet - 1

Network Management. IPv6 Bootcamp. Zhiyi Huang University of Otago

IPv6. IPv4 & IPv6 Header Comparison. Types of IPv6 Addresses. IPv6 Address Scope. IPv6 Header. IPv4 Header. Link-Local

TR-177 IPv6 in the context of TR-101

IPv6 Associated Protocols. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

IPv6 Protocols & Standards

Recent IPv6 Security Standardization Efforts. Fernando Gont

IPv6. (Internet Protocol version 6)

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Insights on IPv6 Security

IPv6 It starts TODAY!

Advanced Computer Networking. CYBR 230 Jeff Shafer University of the Pacific. IPv6

CCENT Study Guide. Chapter 14 Internet Protocol Version 6 (IPv6)

IPv6 Security. David Kelsey (STFC-RAL) IPv6 workshop pre-gdb, CERN 7 June 2016

Transcription:

Don't have the plaid polyester leisure suit of IPv6 networks! Paul Ebersman, IPv6 Evangelist NANOG56, Dallas, TX (21-24 Oct 2012) 1

Lots of Changes 2

Change is good Well, change is inevitable Many constraints from IPv4 now gone Classful vs CIDR 3

Routing Efficiencies Fixed header size Extension header chain Flow labels in header No intermediate fragmentation (PMTUD) No checksums 4

Network Efficiencies No broadcast Multicast NS/Solicited Node, no ARP ICMPv6 5

Be an architect 6

Sane Subnetting You can get enough IPv6 space Do the architecture you want, not the one you re stuck with Use GUA space everywhere, make NAT a choice Map your subnets to your process/provisioning or business model Do a scheme that aggregates and makes ACLs sane 7

Prefix Lengths /48 is minimum routable chunk /64 for all non-p2p subnets /127 for p2p links (RFC 6164) /128 for loopbacks Use /64 each for p2p/lb, pair for each routing domain 8

Sample /32 Plan by Geography 2001:db8:abcd::/36 City: 4 bits = 16 possible locations 2001:db8:abcd::/40 Hub: 4 bits = 16 possible hubs per city 2001:db8:abcd::/48 Floor: 8 bits = 256 floors per hub. 2001:db8:abcd:12xx::/56 Switch: 8 bits = 256 Switches per floor. 2001:db8:abcd:1234::/64 VLAN: 8 bits = 256 VLANs per switch. 9

Subnets, not hosts 10

18 quintillion Addresses > L2 capacity RIR/ISP allocations based on subnets Enjoy your nibbles while you may 11

Use the whole /64! IPv4 address shortages made pool size precious IPv6 has plenty Protect from brute force scans Do pay attention, though 12

1918/NAT. Die die die. 13

How did it ever make sense? Shortage of IPv4 for consumers IPv6 not widely available Desperation Mushrooms? 14

Why is it still around? Still not enough IPv4 The It s more secure myth Have bent/twisted apps (Skype) 15

How naked is the emperor? NAT!= security Debugging/logging hard Breaks end to end 16

But we *like* to suffer No NAT66. Yet Stateful FW also painful ULA ~= RFC 1918 17

I m a Mac 18

DUID > Mac address Mac address as ID is flawed: Not always unique Can be altered Multi-interface hosts confuse things But it s what most of the eyeballs on the Internet are ID ed by currently DUID (DHCP Unique Identifier) is the replacement in IPv6 19

What DUIDs do right One DUID per DHCP server or client One Identity Association (IA) per network interface on a host A host can DHCP for all interfaces via DUID/ IA as unique key 20

Identity Associations Types: IA_TA: temporary address(es), i.e. privacy addrs IA_NA: non-temporary address(es), i.e. not privacy addrs IA_PD: prefix delegation 21

Where DUIDs don t work Anyone using mac address for identification or filtering Anyone trying to correlate IPv4 and IPv6 to the same machine/user Persistent storage of DUID may cause surprises 22

Interface ID generation EUI-64 uses the mac address and an algorithm to generate interface ID Windows7/Vista randomly generates interface ID by default Servers and LINUX/UNIX mostly use EUI-64 23

But I do dual stack How to correlate all addrs to same client: hwaddr draft in ietf circuit-id/remote-id 24

DHCP. Or not. 25

The good old days With IPv4, only two methods: Static DHCPv4 26

More choices! Classic: static StateLess Address Auto Configuration (SLAAC) Stateless DHCPv6 Stateful (full DCHPv6) 27

SLAAC SLAAC == StateLess Address AutoConfiguration Uses Router Advertisement (RA) messages Network policy moved to the edge 28

Not in RA Messages RDNS server NTP or other configuration RFC 6106 for RDNS in RA Lack of client support 29

DHCPv6 public or private (temporary) addresses RDNS server, NTP, TFTP, Vendor options Update DNS with A/PTR But no default route! 30

Differences DHCPv6 Filter/control access Update IP address management system Update A/PTR records in DNS Further from client, more centralized Handles more complex configs, phones, printers, etc. 31

Differences SLAAC Local/fast Light weight Decentralized No logging, A/PTR updates or IPAM updates 32

Your priorities Do you have auditing or logging requirements? Centralized or distributed management Technical level of support staff Range of different gear? 33

Centralized model Need auditing Need access control Senior technical staff not everywhere DHCPv6 is your friend 34

Coffee House Baristas are not networking folks Customers just need it to work No logging, lease churn would be burden Small range of client machines SLAAC! 35

DHCPv4-like DHCPv6 Send RA messages with A=0, O/M=1 DHCP for all configurations except default route DHCP server does A/PTR and IPAM updates 36

Coffee House Setup Send RA messages with A/O=1, M=0 Send RDNS in RA messages DHCP server does no leases, just gives DNS for clients that can t do RFC 6106 37

PD 38

Prefix Delegation Dynamic Heirarchical Networks DHCPv6 reconfigure and your network Vendor support Potentially cool 39

ICMP 40

ICMPv6 Required for: DAD Finding routers (RA/SLAAC) Finding servers (DHCP) PMTUD Connectivity (echo request/response) Network errors 41

ICMPv6 Filtering Filter it all and you don t have a useful network ICMPv6 much more detailed/precise in types and functions RFC 4890 has excellent filtering practices 42

Reverse/PTR goo 43

How did this all start? ftp (ftp.uu.net, ftp.wustl.edu) SMTP Security devices Silly web things 44

How did we do it IPv4 By hand (ow) Scripts $GENERATE IPAM 45

How would that work for IPv6 A single subnet is a /64 A /64 has 18 quintillion (4 bil x 4 bil) addrs A PTR record has 34 labels in IPv6 Anyone got a computer with enough disk or RAM to hold one /64 zone file? 46

So what are we left with? Admit that PTRs are pointless Pre-populate (assuming FTL travel ) Pre-populate statics for routers & big servers As previous plus DHCP server adding clients Lie on the fly (if not doing DNSSEC) 47

The nice thing about standards 48

We re not done yet Over 200 RFCs relating to IPv6 But over 200 drafts in active revision too More drafts added every IETF (3 meetings/year) 49

What can we do? Participate! Make sure your vendors participate and implement the new standards Pick your battles 50

Q&A 51

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback