7.2: IPv6: a study of the protocol
How does it “just work”? What new mechanisms? Coexistence with IPv4 and/or transition
2014, Eric Levy-Abégnoli (Cisco), Stéphane Frati (Unice)
This document may not be reproduced without the permission of [email protected] and [email protected]
How does it “just work”?
With IPv6, we now want a lasting solution that delivers everything IPv4 had not built in and had to compensate for with “tricks” or complementary protocols.
End of the previous chapter (wish list):
A large address range (“carveable” without too much waste), to address tens or hundreds of machines per m²
A high degree of automation, because it has to “just work”, at least for local communications
A limitation of broadcast traffic
A simpler and more flexible protocol, where possible
More robustness for more security in today's world of “hackers”
IPv4 address shortage
http://www.lunil.com/fr/actualite.php?id_article=1037
Solutions
IP address translation
NAT: network address translation
Was supposed to be a temporary solution…
… and it delays IPv6 adoption
Warning: not automagic at all!!! configuration++
IPv6
Addressing goes from 32 to 128 bits
How many possible addresses?
From v4 to v6: what do we gain in terms of the number of available addresses?
IPv4: 32 bits
32 bits = 4.3 billion addresses
A large number, but… insufficient!
IPv6: 128 bits
4 × 32 bits = 3.4 × 10^38 addresses
15,000 addresses per m²… that should be enough for a few years…
IPv6 Addressing: IPv4 32 bits vs IPv6 128 bits
2^32 = 4,294,967,296
2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456
2^128 = 2^32 × 2^96
2^96 = 79,228,162,514,264,337,593,543,950,336 times the number of possible IPv4 addresses (79 trillion trillion)
Benefits of 128 bit Addresses
Room for many levels of structured hierarchy and routing aggregation
Easier address management and delegation than IPv4
Easy address auto-configuration
Ability to deploy end-to-end IPsec (encryption) (NATs removed as unnecessary)
IPv6 Address Representation and Simplification
• Base format (16 bytes): 2001:0660:3003:0001:0000:0000:6543:210F
• Compact format: leading zeros of each group dropped, 2001:660:3003:1:0:0:6543:210F, then the longest run of zero groups replaced by “::”, 2001:660:3003:1::6543:210F
• Literal representation (e.g. used when browsing to an IPv6 address directly and not through the DNS name): [2001:660:3003:2:a00:20ff:fe18:964c]
6DISS Courtesy Slide
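The two text forms above, implemented as an added example (not code from the slides or from 6DISS): expansion of the “::” shorthand to the base format and canonical compression per the RFC 5952 rules (lowercase, leading zeros dropped, longest run of zero groups, leftmost on a tie), cross-checked against Python's `ipaddress` module.

```python
"""Expand and compress IPv6 text addresses: the full 8-group form and the
canonical compressed form (RFC 5952 rules: lowercase, leading zeros dropped,
longest run of zero groups replaced by '::', leftmost run on a tie).
Added example, not from the original slides."""
import ipaddress

HEX = set("0123456789abcdefABCDEF")


def expand(addr: str) -> str:
    """Return the full 'xxxx:xxxx:...:xxxx' form (8 groups, 4 lowercase hex digits).

    Accepts the bracketed literal form '[...]' and the '::' shorthand.
    Raises ValueError on malformed input instead of guessing.
    """
    if addr.startswith("[") and addr.endswith("]"):
        addr = addr[1:-1]
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected 8 groups, got %d" % len(groups))
    for g in groups:
        if not 1 <= len(g) <= 4 or not set(g) <= HEX:
            raise ValueError("bad group %r" % g)
    return ":".join(g.zfill(4).lower() for g in groups)


def compress(addr: str) -> str:
    """Return the canonical compressed form of any valid IPv6 text address."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best_start, best_len = -1, 1      # a run must be at least 2 groups long
    run_start, run_len = -1, 0
    for i, g in enumerate(groups + ["end"]):   # sentinel flushes the final run
        if g == "0":
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:             # strict '>' keeps the leftmost tie
                best_start, best_len = run_start, run_len
            run_len = 0
    if best_start < 0:
        return ":".join(groups)
    head = ":".join(groups[:best_start])
    tail = ":".join(groups[best_start + best_len:])
    return head + "::" + tail


def matches_stdlib(addr: str) -> bool:
    """Cross-check both functions against Python's ipaddress module."""
    ref = ipaddress.IPv6Address(addr.strip("[]"))
    return expand(addr) == ref.exploded and compress(addr) == ref.compressed


if __name__ == "__main__":
    for a in ("2001:0660:3003:0001:0000:0000:6543:210F",
              "[2001:660:3003:2:a00:20ff:fe18:964c]", "::1", "2001:db8:0:0:1:0:0:1"):
        print(a, "->", expand(a), "->", compress(a),
              "ok" if matches_stdlib(a) else "MISMATCH")
```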
IPv6 Addresses
IPv6 addresses are 128 bits long
Segmented into 8 groups of four hex characters, separated by a colon (:)
50% for network ID, 50% for interface ID
Network portion is allocated by Internet registries: 2^64 (1.8 × 10^19) still leaves us with ~3 billion network prefixes for each person on earth
Format: gggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
Global Routing Prefix (gggg): n <= 48 bits; Subnet ID (ssss): 64 − n bits; Host / Interface ID (xxxx): the remaining 64 bits
Global Unicast Identifier Example
Full format: 2001:0000:0000:00A1:0000:0000:0000:1E2A (network portion 2001:0000:0000:00A1, interface ID 0000:0000:0000:1E2A)
Abbreviated format: 2001:0:0:A1::1E2A
IPv6 Address Types
Unique-Local: FC00:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
Link-Local: FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
Global: 2000:GGGG:GGGG:ssss:xxxx:xxxx:xxxx:xxxx
Multicast: FFfs:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (f = flags, s = scope)
Three types of unicast address scopes
• An interface is “expected” to have multiple addresses and lifetime parameters
Link-Local: non-routable, exists on a single layer-2 domain (FE80::/64)
Unique-Local (ULA): routable within an administrative domain (FC00::/7)
Global: routable across the Internet (2000::/3)
• Multicast addresses begin with FF00::/8
IPv6 addresses (prefixes) can be allocated in three ways
Provider Assigned (PA): addresses and prefixes assigned to subscribers from the prefix pool assigned to the service provider
PA provides prefix and route aggregation
This is good because the Internet routing table size is minimized
Provider Independent (PI): addresses and prefixes assigned to subscribers independently of any provider pool
PI allows the subscriber to change between service providers; PA requires renumbering of the subscriber network
Allows multi-homing with the same address space
This is not so good: eventually we have the same problem as in IPv4, routing tables may grow excessively
Unique-Local Addressing (ULA): addresses and prefixes assigned to subscribers for local communications
Not routable on the Internet
Aggregation
Larger address space enables: aggregation of prefixes announced in the global routing table; efficient and scalable routing
[Figure: the IPv6 Internet (2001::/16) sees the ISP (2001:DB8::/32), which only announces its /32 prefix; behind it, Customer no 1 holds 2001:DB8:0001::/48 and Customer no 2 holds 2001:DB8:0002::/48]
Multiple Addresses
Larger address space enables: multiple simultaneous addresses for hosts and networks; support of multi-homing
[Figure: the IPv6 Internet (2001::/16) sees two ISPs, 2001:DB8::/32 and 2001:DB9::/32, each only announcing its own /32 prefix; Customer no 2 is connected to both and holds 2001:DB8:0002::/48 from the first and 2001:DB9:0001::/48 from the second]
PI and PA Allocation Process
[Figure: Provider Assigned: IANA (2000::/3) → Registries (/12) → ISP (/32) → Org, level four: Enterprise (/48). Provider Independent: IANA (2000::/3) → Registries (/12) → Org (/48), with no ISP level in between]
Example: your provider gives you the prefix 2001:DB8:1234::/48 for your whole enterprise…
You are given a /48… you must build your /64s
With the 4 hex digits == 16 bits
Depending on the number of:
Sites
Sub-sites
Subnets
A = 4 sites; 4 sub-sites; 4096 networks
B = 16 sites; 16 sub-sites; 256 networks
C = 16 sites; 256 sub-sites; 16 networks
How did RENATER do it?
Hierarchical IPv6 addressing is mandatory (in order to aggregate later…)
RENATER received a /32 as an operator from RIPE NCC (Europe): 2001:660::/32
The next 16 bits define the RENATER node identifier (8 bits) and the site identifier (8 bits): /48
16 bits remain to assign 65,535 /64 networks
http://2005.jres.org/paper/98.pdf
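Both carving schemes above, the enterprise /48 with plans A, B and C and RENATER's /32 with an 8-bit node id and an 8-bit site id, are the same bit-field operation; the following added example (not code from the slides or from RENATER) implements it once and also produces the aggregate a site announces upstream.

```python
"""Carve a delegated prefix into sub-prefixes along a site / sub-site / subnet
hierarchy (added example, not from the original slides). 2001:DB8:1234::/48
and plans A, B, C are the slides' enterprise example; 2001:660::/32 with an
8-bit node id and an 8-bit site id is the RENATER split described above."""
import ipaddress
from typing import Sequence, Tuple

# Field widths (most significant first) for the slides' three plans; they
# always sum to the 16 bits between the /48 and the /64.
PLANS = {
    "A": (2, 2, 12),   # 4 sites, 4 sub-sites, 4096 subnets
    "B": (4, 4, 8),    # 16 sites, 16 sub-sites, 256 subnets
    "C": (4, 8, 4),    # 16 sites, 256 sub-sites, 16 subnets
}
RENATER = (8, 8, 16)   # node id, site id, then the site's own /64 subnets


def capacity(widths: Sequence[int]) -> Tuple[int, ...]:
    """How many values each field can take."""
    return tuple(1 << w for w in widths)


def carve(prefix: str, widths: Sequence[int], indices: Sequence[int]) -> ipaddress.IPv6Network:
    """Append index fields to `prefix` and return the resulting network.

    widths[i] bits are reserved for indices[i], most significant first. Passing
    fewer indices than widths returns the aggregate of the leading fields (the
    route a site would announce upstream). The fields may never run past /64,
    so the interface-ID half of the address is left untouched.
    """
    net = ipaddress.IPv6Network(prefix)
    if len(indices) > len(widths):
        raise ValueError("more indices than fields")
    if net.prefixlen + sum(widths) > 64:
        raise ValueError("field widths overrun the 64-bit network part")
    new_len = net.prefixlen + sum(widths[: len(indices)])
    value = int(net.network_address)
    shift = 128 - net.prefixlen          # first free bit below the prefix
    for bits, idx in zip(widths, indices):
        if not 0 <= idx < (1 << bits):
            raise ValueError("index %d does not fit in %d bits" % (idx, bits))
        shift -= bits
        value |= idx << shift
    return ipaddress.IPv6Network((value, new_len))


def enterprise_subnet(plan: str, site: int, subsite: int, subnet: int) -> str:
    """The /64 for one (site, sub-site, subnet) triple in the slides' /48."""
    return str(carve("2001:DB8:1234::/48", PLANS[plan], (site, subsite, subnet)))


def renater_site_prefix(node: int, site: int) -> str:
    """The /48 RENATER assigns to one site of one node out of its /32."""
    return str(carve("2001:660::/32", RENATER[:2], (node, site)))


if __name__ == "__main__":
    for name, widths in PLANS.items():
        print("plan", name, "sites/sub-sites/subnets =", capacity(widths))
    print(enterprise_subnet("B", 1, 2, 3))                   # 2001:db8:1234:1203::/64
    print(carve("2001:DB8:1234::/48", PLANS["B"], (1,)))     # site 1 aggregate, /52
    print(renater_site_prefix(0x12, 0x34))                    # 2001:660:1234::/48
```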
Prefix (upper 64 bits) is OK now! How about the lower 64 bits?
• Manual…
• EUI-64
• ISATAP, v4-mapped, etc.
• Privacy extensions
• CGA
• …
Note: network types and interface ID types are relatively independent.
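The EUI-64 option from the list, as an added example that is not code from the slides: the modified EUI-64 interface ID derived from a MAC, the link-local and global addresses built from it, and the reverse mapping that shows why privacy extensions exist. The MAC 00:00:0C:3A:8B:18 is constructed so that the result matches the router link-local FE80::200:CFF:FE3A:8B18 that appears in the Cisco output later in the deck.

```python
"""Modified EUI-64 interface identifier from a 48-bit MAC, and back
(RFC 4291 appendix A). Added example, not from the slides; the sample MAC
00:00:0C:3A:8B:18 is constructed so that the result matches the router
link-local address FE80::200:CFF:FE3A:8B18 shown in the Cisco output later
in the deck."""
import ipaddress
from typing import Optional


def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface ID: insert FF:FE in the middle and
    invert the universal/local bit (bit 0x02 of the first octet)."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 6-octet MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac: str) -> str:
    """FE80::/64 prefix + modified EUI-64 interface ID, compressed text form."""
    iid = mac_to_modified_eui64(mac)
    return str(ipaddress.IPv6Address(bytes.fromhex("fe80" + "00" * 6) + iid))


def global_from_mac(prefix64: str, mac: str) -> str:
    """Any /64 prefix + the same interface ID: SLAAC with EUI-64 produces
    the same lower 64 bits on every network the host visits."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("need a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8]
                                     + mac_to_modified_eui64(mac)))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC if the interface ID carries the FF:FE marker, else None.
    This is exactly what any remote peer can read off an EUI-64 address,
    which is why privacy extensions (and Windows' randomized identifiers,
    see the annex) exist."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in octets)


if __name__ == "__main__":
    mac = "00:00:0C:3A:8B:18"
    print(link_local_from_mac(mac))                    # fe80::200:cff:fe3a:8b18
    print(global_from_mac("2001:db8:cafe:3000::/64", mac))
    print(mac_from_eui64("fe80::200:cff:fe3a:8b18"))   # 00:00:0c:3a:8b:18
    print(mac_from_eui64("2001:db8::2"))               # None (not EUI-64 derived)
```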
What type of addressing should I deploy internal to my network? It depends.
Each interface can have multiple addresses intended for different purposes. For this reason, RFC 3484 provides a standardized method to choose the source and destination IPv6 addresses with which to attempt connections: Source Address Selection (SAS).
Options: ULA, ULA + Global, or Global
ULA, ULA + Global or Global
Unique Local Addresses (ULA) – FC00::/7: globally unique prefix with a high probability of uniqueness, intended for local communications, usually inside a site
Prefix FC00::/7 is reserved by IANA for ULA (bit 8 determines whether it is locally or centrally assigned, so ULA or ULA-Central)
Global-only – 2000::/3: recommended approach, but the old-school security folks who believe topology hiding is essential to security will bark at this option
ULA + Global: allows for the best of both worlds, BUT at a price: much more address management with DHCP, DNS, routing and security
Source Address Selection (SAS) does not always work as it should
Unique-Local Addressing (ULA)
[Figure: ULA space FD9C:58ED:7D73::/48 on the corporate backbone, with subnets FD9C:58ED:7D73:3000::/64, FD9C:58ED:7D73:2800::/64 and FD9C:58ED:7D73:2::/64 (ULA, internal), and a Global prefix 2001:DB8:CAFE::/48 at the Internet edge]
• Viable solution for enterprise intranet
– No renumbering
– Most enterprises run a web proxy at their edge which does ULA-to-Global (or even ULA-to-IPv4)
– Works as it does today with IPv4
• But removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity)
– A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on the Internet; filters must be run to prevent any SA/DA in the ULA range from being forwarded
RFC 4193
Global-only
[Figure: Global prefix 2001:DB8:CAFE::/48 used on the corporate backbone, with subnets 2001:DB8:CAFE:3000::/64, 2001:DB8:CAFE:2800::/64 and 2001:DB8:CAFE:2::/64, and the same /48 announced toward the Internet]
• Global is used everywhere
• No issues with SAS
• No requirement to have a NAT for ULA-to-Global translation
• Easier management of DHCP, DNS, security, etc.
• The only downside is breaking the habit of believing that topology hiding is a good security method
• But with PA prefixes, a change of ISP requires renumbering (and potential disruption)
ULA + Global
[Figure: both Global 2001:DB8:CAFE::/48 and ULA FD9C:58ED:7D73::/48 on the corporate backbone; each subnet carries both, i.e. 2001:DB8:CAFE:3000::/64 + FD9C:58ED:7D73:3000::/64, 2001:DB8:CAFE:2800::/64 + FD9C:58ED:7D73:2800::/64, 2001:DB8:CAFE:2::/64 + FD9C:58ED:7D73:2::/64; only the Global /48 faces the Internet]
• Both ULA and Global are used internally, except for internal-only hosts
• Source Address Selection (SAS) is used to determine which address to use when communicating with other nodes internally or externally
– In theory, ULA talks to ULA and Global talks to Global; SAS ‘should’ work this out
• Easier to renumber without disruption
• But:
– Define a filter/policy that ensures your ULA prefix does not ‘leak’ out onto the Internet, and ensure that no traffic can come in or out with a ULA prefix in the SA/DA fields
– Management overhead for DHCP, DNS, routing, security, etc.
Multicast Use
• Broadcasts in IPv4: interrupt all computers on the LAN even if the request was intended for one or two computers
Can completely hang up a network (“broadcast storm”)
• Broadcasts in IPv6: are not used and are replaced by multicast
• Multicast: enables efficient use of the network
Multicast address range is much larger
Multicast Use - Examples:
FF02::1 (All nodes on link),
FF02::2 (All routers on link),
FF02::3 (All hosts),
FF02::5 (All OSPF routers),
FF02::6 (All OSPF DR),
FF02::9 (All RIP routers),
FF02::B (Mobile agents),
FF02::D (All PIM routers),
FF02::16 (All MLDv2 routers),
FF02::1:2 (All DHCP agents),
FF05::1:3 (All DHCP routers),
FF05::1:4 (All DHCP relays)
What new mechanisms?
Anything else than a bigger address?
• Simpler header
• Flow label
• Fragmentation by originator only (PMTU discovery)
• Many areas have been “re-engineered”: link operations, mobility, security, DNS, DHCP (prefix delegation)
IPv6 Header
• The IPv6 header is redesigned
• Minimize header overhead and reduce header processing for the majority of packets
• Less essential and optional fields are moved to extension headers
IPv6 and IPv4 headers are not interoperable!
IP: Head to Head (V4)
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version|  IHL  |Type of Service|          Total Length         |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Identification        |Flags|      Fragment Offset    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  Time to Live |    Protocol   |         Header Checksum       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Source Address                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Destination Address                        |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    Options                    |    Padding    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
IP: Head to Head (V6)
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version| Traffic Class |           Flow Label                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Payload Length        |  Next Header  |   Hop Limit   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                         Source Address                        +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                                                               |
   +                                                               +
   |                                                               |
   +                      Destination Address                      +
   |                                                               |
   +                                                               +
   |                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
IPv4 and IPv6 Header Comparison
IPv4 header fields: Version, HL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
Legend of the figure:
Field name kept from IPv4 to IPv6: Version, Source Address, Destination Address
Fields not kept in IPv6: HL, Identification, Flags, Fragment Offset, Header Checksum, Options, Padding
Name and position changed in IPv6: Type of Service → Traffic Class, Total Length → Payload Length, Time to Live → Hop Limit, Protocol → Next Header
New field in IPv6: Flow Label
Extension Headers (RFC2460)
Processed only by the node identified in the IPv6 Destination Address field => much lower overhead than IPv4 options
Exception: the Hop-by-Hop Options header, which every node on the path examines
Eliminated IPv4’s 40-octet limit on options
In IPv6, limit is total packet size, or Path MTU in some cases
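The fixed header and the extension-header chain just described, as an added example (not code from the slides): a parser that decodes the 40-byte header, walks the chain using each header's own length rule, and refuses truncated or out-of-order chains instead of misreading them; the sample packet is constructed inline.

```python
"""Parse the IPv6 fixed header and walk the extension-header chain to the
upper-layer protocol (RFC 2460). Added example, not from the slides; the
sample packet is constructed inline. Lengths are checked at every step so a
truncated or inconsistent chain raises instead of being misread, and the
Hop-by-Hop header is only accepted in first position."""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, ICMPV6 = 0, 43, 44, 51, 60, 58
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the 40-byte fixed header into its fields."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "version": 6,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
    }


def walk_extension_headers(pkt: bytes):
    """Return (upper_layer_protocol, offset_of_its_header, [extension types seen])."""
    hdr = parse_fixed_header(pkt)
    end = 40 + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("payload length exceeds captured bytes")
    nh, off, chain = hdr["next_header"], 40, []
    while nh in EXTENSION_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header at offset %d" % off)
        if nh == HOP_BY_HOP and off != 40:
            raise ValueError("Hop-by-Hop Options not in first position")
        if nh == FRAGMENT:
            length = 8                        # fixed size, no length field
        elif nh == AH:
            length = (pkt[off + 1] + 2) * 4   # AH counts 32-bit words minus 2
        else:
            length = (pkt[off + 1] + 1) * 8   # 8-octet units, first 8 not counted
        if off + length > end:
            raise ValueError("extension header overruns payload")
        chain.append(nh)
        nh, off = pkt[off], off + length
    return nh, off, chain


def build_sample_packet() -> bytes:
    """Constructed sample: IPv6 / Hop-by-Hop (PadN) / Destination Options (PadN) / ICMPv6 echo."""
    src = ipaddress.IPv6Address("fe80::200:cff:fe3a:8b18").packed
    dst = ipaddress.IPv6Address("ff02::1").packed
    hbh = bytes([DEST_OPTS, 0, 1, 4, 0, 0, 0, 0])          # next=60, len=0 -> 8 octets
    dopt = bytes([ICMPV6, 1, 1, 12]) + bytes(12)            # next=58, len=1 -> 16 octets
    echo = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)      # echo request, checksum left 0
    payload = hbh + dopt + echo
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 255) + src + dst
    return fixed + payload


if __name__ == "__main__":
    sample = build_sample_packet()
    print(parse_fixed_header(sample))
    print(walk_extension_headers(sample))   # (58, 64, [0, 60])
```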
ICMPv6 (RFC 2463)
Covers ICMP (v4) features: error control, administration, …
New features!
- Used to run link operations
- Used to control multicast operations
New ULP value
ICMPv6
[Figure: IPv6 basic header with Next Header = 58, followed by the ICMPv6 packet: ICMPv6 Type, ICMPv6 Code, Checksum, ICMPv6 Data]
…towards a doubling…
[Figure: over ETHERNET or WIRELESS or …, two parallel stacks: IPv4 (192.168…) with ICMPv4 + ARP, and IPv6 (2001:000…) with ICMPv6]
Let's hope we will not have to double up further up the stack, all the way to the application layer!……
What are link operations? IPv6 Neighbor Discovery
Operations contained within the link boundaries, necessary for a node to communicate with its neighbors, including the link exit points.
• It encompasses:
• Address configuration parameters
• Address initialization
• Address resolution
• Default gateway discovery
• Local network configuration
• Neighbor reachability tracking
In IPv4: ARP + ICMP + DHCP (≈ always). In IPv6: ND (Neighbor Discovery) + DHCP (optional)
Fundamentals On Neighbor Discovery
Defined in:
RFC 4861 Neighbor Discovery for IP Version 6 (IPv6)
RFC 4862 IPv6 Stateless Address Auto-configuration
RFC 3971 Secure Neighbor Discovery, etc.
Used for:
Router discovery
IPv6 Stateless Address Auto Configuration (SLAAC)
IPv6 address resolution (replaces ARP)
Neighbor Unreachability Detection (NUD)
Duplicate Address Detection (DAD)
Redirection
Operates above ICMPv6
Relies heavily on (link-local scope) multicast, combined with Layer 2 Multicast
Works with ICMP messages and message “options”
Router Discovery
Find default/first-hop routers
Discover on-link prefixes, i.e. which destinations are neighbors
Messages: Router Advertisements (RA), Router Solicitations (RS)
[Exchange between host A and router B]
RS: ICMP Type = 133 (Router Solicitation); Src = host link-local address; Dst = all-routers multicast address (FF02::2); Query = please send RA
RA: ICMP Type = 134 (Router Advertisement); Src = router link-local address; Dst = all-nodes multicast address (FF02::1); Data = router lifetime, retrans time, autoconfig flag; Option = prefix, lifetime
A then uses B as default gateway
Ce document ne peut être reproduit sans l’autorisation de [email protected] et [email protected]
Stateless Auto-Configuration
Stateless, based on prefix information delivered in Router Advertisements
Messages: Router Advertisements, Router Solicitations
RS: ICMP Type = 133 (Router Solicitation); Src = host link-local address; Dst = all-routers multicast address (FF02::2); Query = please send RA
RA: ICMP Type = 134 (Router Advertisement); Src = router link-local address; Dst = all-nodes multicast address (FF02::1); Data = router lifetime, retrans time, autoconfig flag; Options = prefixes X, Y, Z, lifetime
The host computes X::x, Y::y, Z::z and DADs them (NS), then sources traffic with X::x, Y::y, Z::z
Duplicate Address Detection
Verify address uniqueness
Probe neighbors to verify nobody claims the address
Messages: Neighbor Solicitation, Neighbor Advertisement
[Nodes A, B, C on the link]
NS: ICMP type = 135 (Neighbor Solicitation); Src = UNSPEC = 0::0; Dst = solicited-node multicast address of A; Data = A; Query = does anybody use A already?
If nobody answers, node A can start using address A
Address Resolution
Resolves an IP address into a MAC address
Creates a neighbor cache entry
Messages: Neighbor Solicitation, Neighbor Advertisement
[Nodes A, B, C on the link]
NS: ICMP type = 135 (Neighbor Solicitation); Src = A; Dst = solicited-node multicast address of B; Data = B; Option = link-layer address of A; Query = what is B's link-layer address?
NA: ICMP type = 136 (Neighbor Advertisement); Src = one of B's interface addresses; Dst = A; Data = B; Option = link-layer address of B
A and B can now exchange packets on this link
Layer-2 Address Resolution for IPv4
• IPv4 uses ARP
• ARP is based on broadcasts
[Figure: Router 1 (10.1.1.1/24) and Router 2 (10.1.1.2/24)]
ARP Request: source IPv4 address 10.1.1.1; destination IPv4 address 255.255.255.255; data: what is the MAC address of 10.1.1.2??
ARP Reply: source address 10.1.1.2; destination IPv4 address 10.1.1.1; data: MAC address of 10.1.1.2
The broadcast causes an interrupt on ALL stations in the L2 broadcast domain
Layer-2 Address Resolution for IPv6
• Based on the IPv6 Neighbor Discovery Protocol
• Part of ICMPv6
• Broadcast is replaced with the Solicited-Node Multicast address
• Every IPv6 device will join all Solicited-Node Multicast addresses based on its assigned IPv6 unicast addresses
• Solicited-Node Multicast address: 104 bits of fixed, well-known format (FF02::1:FF00:0/104) followed by the last 24 bits of the unicast address
Layer-2 Address Resolution for IPv6 (Cont.)
[Figure: Router 1 with 2001:db8::1/64 and Router 2 with 2001:db8::2/64]
Router 1: “I will join my Solicited-Node Multicast address”: 2001:db8:0000:0000:0000:0000:0000:0001/64 → 104 well-known fixed bits FF02::1:FF + last 24 bits 00:0001 = FF02::1:FF00:0001
Router 2: “I will join my Solicited-Node Multicast address”: 2001:db8:0000:0000:0000:0000:0000:0002/64 → FF02::1:FF + last 24 bits 00:0002 = FF02::1:FF00:0002
Solicited-Node Multicast Address
Router Interface: Solicited-Node Multicast Address
R1#sh ipv6 int e0
Ethernet0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
No global unicast address is configured
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF3A:8B18
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
R1#
Layer-2 Address Resolution for IPv6 (Cont.)
NO BROADCAST!!!!
[Figure: Router 1, 2001:db8::1/64, joined multicast group FF02::1:FF00:1; Router 2, 2001:db8::2/64, joined multicast group FF02::1:FF00:2]
Router 1: “I would like to know the MAC address of Router 2. I just know the IPv6 address, and there is NO broadcast… Gee… I have a problem!”
Both routers: “If somebody sends a packet to my multicast group, I will pick up the message”
Layer-2 Address Resolution for IPv6 (Cont.)
[Figure: Router 1, 2001:db8::1/64, joined multicast group FF02::1:FF00:1; Router 2, 2001:db8::2/64, joined multicast group FF02::1:FF00:2]
Router 1: “Yippie!!!!! I can calculate the Solicited-Node Multicast address of Router 2. Remote IPv6 address: 2001:db8::2 → Solicited-Node Multicast address FF02::1:FF00:2. If I send a packet to his Solicited-Node Multicast address, he will see it”
Layer-2 Address Resolution for IPv6 (Cont.)
[Figure: same two routers and multicast groups]
t=0, t=1: I want to send an IPv6 packet to Router 2 with IPv6 address 2001:db8::2
t=2: Let's calculate the Solicited-Node Multicast address: FF02::1:FF00:0002
Layer-2 Address Resolution for IPv6 (Cont.)
[Figure: same two routers and multicast groups]
t=0, t=1: I want to send an IPv6 packet to Router 2 with IPv6 address 2001:db8::2
t=2: Let's calculate the Solicited-Node Multicast address
t=3: Neighbor Solicitation, ICMP type = 135; Src = A; Dst = solicited-node multicast of B; Data = link-layer address of A; Query = what is your link address?
t=4: Neighbor Advertisement, ICMP type = 136; Src = B; Dst = A; Data = link-layer address of B
t=5: IPv6 traffic can be exchanged now
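The solicited-node derivation and the t=3 Neighbor Solicitation of the sequence above, as an added example (not code from the slides): Router 1 (2001:db8::1) builds the NS for Router 2 (2001:db8::2), including the ICMPv6 checksum over the IPv6 pseudo-header and the hop limit of 255 that ND receivers insist on; the source MAC is constructed. The receiver-side check shows what a stack (or a monitoring tool) verifies before trusting such a message.

```python
"""Solicited-node multicast derivation plus the Neighbor Solicitation that
address resolution sends to it, with the ICMPv6 checksum computed over the
IPv6 pseudo-header (RFC 4291 2.7.1, RFC 4861 4.3, RFC 2463 2.3). Added example,
not from the slides; 2001:db8::1 and 2001:db8::2 are the slides' Router 1 and
Router 2, the MAC address is constructed."""
import ipaddress
import struct
from typing import Tuple

ICMPV6 = 58
ND_NEIGHBOR_SOLICIT = 135
SOLICITED_NODE_PREFIX = bytes.fromhex("ff02" + "0000" * 4 + "0001" + "ff")  # 13 bytes


def solicited_node_multicast(target: str) -> str:
    """FF02::1:FF00:0/104 + the low 24 bits of the target unicast address."""
    low24 = ipaddress.IPv6Address(target).packed[-3:]
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX + low24))


def ipv6_checksum(src: bytes, dst: bytes, next_header: int, upper: bytes) -> int:
    """Internet checksum over the IPv6 pseudo-header and the upper-layer packet."""
    pseudo = src + dst + struct.pack("!IBBBB", len(upper), 0, 0, 0, next_header)
    data = pseudo + upper
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries (one's complement)
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_neighbor_solicitation(src_ip: str, target_ip: str, src_mac: str) -> Tuple[str, bytes]:
    """Return (destination address, IPv6+ICMPv6 packet) for an NS from src_ip asking for target_ip."""
    src = ipaddress.IPv6Address(src_ip).packed
    dst_ip = solicited_node_multicast(target_ip)
    dst = ipaddress.IPv6Address(dst_ip).packed
    mac = bytes.fromhex(src_mac.replace(":", "").replace("-", ""))
    if len(mac) != 6:
        raise ValueError("expected a 48-bit MAC")
    # ICMPv6 NS: type 135, code 0, checksum (0 while computing), 4 reserved bytes,
    # target address, then a Source Link-Layer Address option (type 1, length 1 = 8 octets)
    body = struct.pack("!BBHI", ND_NEIGHBOR_SOLICIT, 0, 0, 0)
    body += ipaddress.IPv6Address(target_ip).packed + bytes([1, 1]) + mac
    csum = ipv6_checksum(src, dst, ICMPV6, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    # Hop Limit 255: RFC 4861 receivers discard ND messages with a lower value,
    # which proves the packet was not forwarded by a router.
    fixed = struct.pack("!IHBB", 6 << 28, len(body), ICMPV6, 255) + src + dst
    return dst_ip, fixed + body


def nd_packet_is_valid(pkt: bytes) -> bool:
    """Receiver-side checks: ICMPv6, hop limit 255, checksum verifies to zero."""
    payload_len, next_header, hop_limit = struct.unpack("!HBB", pkt[4:8])
    upper = pkt[40:40 + payload_len]
    if next_header != ICMPV6 or hop_limit != 255 or len(upper) != payload_len:
        return False
    return ipv6_checksum(pkt[8:24], pkt[24:40], next_header, upper) == 0


if __name__ == "__main__":
    dst, pkt = build_neighbor_solicitation("2001:db8::1", "2001:db8::2", "00:00:0c:3a:8b:18")
    print("NS sent to", dst, "len", len(pkt), "valid:", nd_packet_is_valid(pkt))
```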
IPv6 routing
IPv6 still uses the longest-prefix-match routing algorithm.
RIPng (RFC 2080), the RIPv2 derivative for IPv6: supports split-horizon with poisoned reverse
OSPFv3 (RFC 2740, AF concept introduced)
IS-IS (RFC 5308, new TLVs for IPv6)
BGP4+ (RFC 2858 and RFC 2545, IPv6 as a separate AF)
Be careful: if your IPv6 network stops at your border router (because your ISP only provides you with IPv4), think about propagating routes to remote sites…
IPv6 Security
All implementations are required to support authentication and encryption headers (“IPsec”)
Authentication is separate from encryption, for use in situations where encryption is prohibited or prohibitively expensive
Key distribution protocols (independent of IPv4/v6); support for manual key configuration is required
New set of problems/issues…
Coexistence with IPv4 and/or transition
IPv6: is this really going to happen? Ever?
IPv6 usage
FRANCE
AFNIC, the NIC for (among others) the .fr top-level domain, has implemented IPv6 operations
Renater, the French national academic network, offers IPv6 connectivity including multicast support to its members
Free, a major French ISP, rolled out IPv6 at the end of 2007
Nerim, a small ISP, has provided native IPv6 to all its clients since March 2003
Orange: official support could come during 2013-2014
OVH has implemented IPv6
FDN, a small associative ISP, has been providing native IPv6 since November 2008
SFR: in beta since 2011
Numericable: since 2012, with a specific subscription
Bouygues Telecom: maybe at the end of 2012
IPv6 traffic (source: Google): https://www.google.com/intl/en/ipv6/statistics.html
Per-country adoption (source: Google)
IPv6 still very small…
Global traffic: 13,880,694 (Akamai is 20% of Web content delivery)
[Charts: IPv6 hits/s by hour, and by month/day]
Environments – Unmanaged
No administrative staff to manage configuration or policies
Devices need to be plug-and-play appliances
Network & hosts share administrative policies
Tool automation is a primary concern
Environments – Managed Enterprise
Dedicated management staff & tools
Network & hosts share administrative policies
Applications will likely require recertification
Environments – Managed Service Provider
Dedicated management staff & tools
Network has different administrative policies than connected hosts or networks
Services as dual-stack
Distributed tunnel relay service minimizes overhead
[Figure: provider services AAA, DNS, SMTP, NAT-PT and a tunnel relay, offered dual-stack]
Transition environments
[Figure: Telecommuter and Residential access (DSL, FTTH, Dial; Cable) reach an Aggregation layer via IPv6 over IPv4 tunnels or dedicated data-link layers; ISPs run IPv6 over IPv4 tunnels or dual stack, with a 6to4 relay, 6Bone and an IPv6 IX for peering; Enterprise sites use dual stack or MPLS & 6PE, ISATAP internally, and on the WAN: 6to4, IPv6 over IPv4, dual stack]
IPv4-IPv6 Transition / Co-Existence
A wide range of techniques have been identified and implemented, basically falling into three categories:
Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks
Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions
Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices
Expect all of these to be used, in combination…
Tools for coexistence: Dual-stack…
[Figure: over ETHERNET or WIRELESS or …, two parallel stacks: IPv4 (192.168…) with ICMPv4 + ARP, and IPv6 (2001:000…) with ICMPv6]
Tools – Dual Stack
Primary tool
Allows continued 'normal' operation with IPv4-only nodes
Address selection rules generally prefer IPv6
DSTM variant allows temporary use of an IPv4 pool
[Figure: an IPv6-enabled node talking across the Internet to both an IPv6-enabled node and an IPv4-only node]
Dual-Stack Approach
When adding IPv6 to a system, do not delete IPv4: this multi-protocol approach is familiar and well understood (e.g. for AppleTalk, IPX, etc.)
Note: in most cases, IPv6 will be bundled with new OS releases, not an extra-cost add-on
Applications (or libraries) choose the IP version to use when initiating, based on the DNS response: prefer a scope match first, then, when equal, IPv6 over IPv4; when responding, based on the version of the initiating packet
This allows indefinite co-existence of IPv4 and IPv6, and gradual app-by-app upgrades to IPv6 usage
Tools – Tunneling
Nodes view the IPv4 network as a logical NBMA link layer
May be used in conjunction with dual-stack
[Figure: two IPv6-enabled nodes tunneling across an IPv4-only network]
Tunneling techniques
Tunneling provides a way to utilize an existing IPv4 routing infrastructure to carry IPv6 traffic: Router-to-Router, Host-to-Router, Host-to-Host
Configured: prearranged addresses for both IPv4 & IPv6, manually configured
Tunnel Broker: builds on a configured tunnel via an IPv4 auth scheme to establish the mapping; typically a default route
6over4: any address, but requires IPv4 multicast for ND
Automatic: IPv4 address embedded in the low 32 bits; requires a default route to IPv4 (::/96) or injecting the IPv4 table into IPv6 routing
IPv6 over IPv4 Tunnels
Several tunnelling mechanisms defined by the IETF
Apply to ISP and Enterprise WAN networks: 6RD, GRE, configured tunnels, automatic tunnels using IPv4-compatible IPv6 addresses, 6to4
Apply to campus: ISATAP, 6over4
No impact on core infrastructure: either IPv4 or MPLS
[Encapsulation: IPv6 Header | Transport Header | Data becomes IPv4 Header | IPv6 Header | Transport Header | Data]
Value & challenges with tunnels
[Figure: a v6 home network behind a home router, connected through an edge dual-stack box across the v4 network to the v6 network; v6 hosts on both sides, v4 only in between]
Challenge: NEED AUTOMATIC TUNNEL
Tools – Translation (NAT)
Tool of last resort
Allows for the case where some components are IPv6-only while others are IPv4-only
Pay attention to scaling properties
Same application issues as IPv4/IPv4 translation
[Figure: an IPv6-enabled node reaching an IPv4-only node through a translator]
IPv4/IPv6 coexistence
Beware of resistance to change
People want to do it as in IPv4, because “that” they know how to handle…
E.g.: DHCP server
IP addresses are fine, but domain names are easier to remember…
The DNS must be able to answer in IPv4 AND in IPv6
In tutorials and labs
Manipulating IP(v4)v6 addresses: hex, bin, …
Carving an IPv6 prefix for a complete enterprise installation
Deployment: cf. “real life”…
Router configuration
Using IPv6 DNS
IPv6-in-IPv4 tunnel
Appendices
https://kb.wisc.edu/ns/page.php?id=12364
http://www.zdnet.com/blog/networking/fixing-windows-7-ipv6-headaches/257
netsh interface ipv6 set global randomizeidentifiers=disabled
“It would also be nice if Windows 7 supported SEcure Neighbor Discovery (SEND) (RFC 3971, http://www.faqs.org/rfcs/rfc3971.html). SEND is the more secure version of NDP. You can use it to verify that the devices on your LAN are valid.
Unfortunately, while again Microsoft helped write this specification, its software engineers haven't implemented it.”