
7.2: IPv6: a study of the protocol

How does it "just work"?
What new mechanisms?
Coexistence with IPv4 and/or transition

2014
Eric Levy-Abégnoli (Cisco)
Stéphane Frati (Unice)

This document may not be reproduced without the permission of [email protected] and [email protected]

How does it "just work"?

With IPv6 we now want a lasting solution that builds in everything IPv4 lacked and had to compensate for with "tricks" or complementary protocols.

End of the previous chapter (wish list):

- A large address range (one that can be carved up without too much waste) to address several tens or hundreds of machines per m²
- A high degree of automation, because it has to "just work", at least for local communications
- A limit on broadcast traffic
- A simpler and more flexible protocol, where possible
- More robustness, for more security in today's world of "hackers"

IPv4 address exhaustion

http://www.lunil.com/fr/actualite.php?id_article=1037

Solutions

IP address translation

NAT: network address translation

Was meant to be a temporary solution…

… and delays the adoption of IPv6

Beware: not automagic at all! The configuration effort only grows.

IPv6

Addressing goes from 32 to 128 bits

How many possible addresses?

From v4 to v6: what do we gain in terms of the number of available addresses?

IPv4

32 bits = 8 hex digits (xxxxxxxx)

32 bits = 4.3 billion addresses

A large number, but… not enough!

IPv6

4 × 32 bits = 128 bits = 3.4 × 10^38 addresses

32 hex digits, written as 8 groups of 4: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx

15,000 addresses per m²… that should do for a few years…

IPv4: 32 bits
IPv6: 128 bits

IPv6 Addressing: IPv4 32 bits vs IPv6 128 bits

2^32 = 4,294,967,296

2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456

2^128 = 2^32 × 2^96

2^96 = 79,228,162,514,264,337,593,543,950,336 times the number of possible IPv4 addresses (about 7.9 × 10^28)

Benefits of 128 bit Addresses

Room for many levels of structured hierarchy and routing aggregation

Easier address management and delegation than IPv4

Easy address auto-configuration

Ability to deploy end-to-end IPsec (encryption), NATs removed as unnecessary

IPv6 Address Representation and Simplification

• Base format (16 bytes): 2001:0660:3003:0001:0000:0000:6543:210F

• Compact format: leading zeros of each group dropped: 2001:660:3003:1:0:0:6543:210F; the longest run of all-zero groups replaced by "::" (once per address): 2001:660:3003:1::6543:210F

• Literal representation (e.g. used when browsing to an IPv6 address directly rather than through a DNS name): [2001:660:3003:2:a00:20ff:fe18:964c]

6DISS Courtesy Slide

IPv6 Addresses

IPv6 addresses are 128 bits long, segmented into 8 groups of four hex characters separated by a colon (:). 50% for the network ID, 50% for the interface ID. The network portion is allocated by the Internet registries: 2^64 (1.8 × 10^19) network prefixes, which still leaves ~3 billion /64 prefixes for each person on earth.

gggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx

Global Routing Prefix: n ≤ 48 bits (gggg)
Subnet ID: 64 − n bits (ssss)
Interface ID (host): 64 bits (xxxx)

Global Unicast Identifier Example

Full format: 2001:0000:0000:00A1:0000:0000:0000:1E2A (network portion 2001:0000:0000:00A1, interface ID 0000:0000:0000:1E2A)
Abbreviated format: 2001:0:0:A1::1E2A

IPv6 Address Types

Link-Local:   FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
Unique-Local: FC00:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
Global:       2000:GGGG:GGGG:ssss:xxxx:xxxx:xxxx:xxxx
Multicast:    FFfs:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx (f = flags, s = scope)

Three types of unicast address scopes

• An interface is "expected" to have multiple addresses, each with lifetime parameters

Link-Local: not routable, exists on a single layer 2 domain (FE80::/10 is reserved; since the 54 bits after the prefix are zero, addresses are in practice formed in FE80::/64)

Unique-Local (ULA): routable within an administrative domain (FC00::/7)

Global: routable across the Internet (2000::/3)

• Multicast addresses begin with FF00::/8
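The types and scopes above, as an added worked example (this code is not from the original slides): classify an address by its prefix, produce the base and compact text forms shown on the previous slide, and generate a ULA prefix with the RFC 4193 algorithm. It assumes Python 3 with the standard library only; the EUI-64 value fed to the generator in the usage is a constructed value and the function names are my own.

```python
import hashlib
import ipaddress
import struct
import time

# Prefixes behind the address types listed on the slide.  Note the real reservations:
# link-local is FE80::/10 (hosts form addresses in FE80::/64 because the 54 bits after
# the /10 are zero), ULA is FC00::/7, global unicast is 2000::/3, multicast is FF00::/8.
ADDRESS_TYPES = (
    ("unspecified",  ipaddress.IPv6Network("::/128")),
    ("loopback",     ipaddress.IPv6Network("::1/128")),
    ("ipv4-mapped",  ipaddress.IPv6Network("::ffff:0:0/96")),
    ("link-local",   ipaddress.IPv6Network("fe80::/10")),
    ("unique-local", ipaddress.IPv6Network("fc00::/7")),
    ("global",       ipaddress.IPv6Network("2000::/3")),
    ("multicast",    ipaddress.IPv6Network("ff00::/8")),
)

# Multicast scope nibble (the 's' in FFfs:...), RFC 4291 section 2.7.
MULTICAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                    0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def classify(text):
    """Return (type, detail) for an address given in any textual form."""
    addr = ipaddress.IPv6Address(text)
    for name, net in ADDRESS_TYPES:
        if addr not in net:
            continue
        if name == "multicast":
            scope = (int(addr) >> 112) & 0xF
            return name, MULTICAST_SCOPES.get(scope, "reserved/unassigned scope")
        if name == "unique-local":
            # 8th bit = L bit: 1 means locally assigned (FD00::/8); FC00::/8 was left
            # for a centrally assigned scheme that was never standardised.
            l_bit = (int(addr) >> 120) & 1
            return name, "locally assigned (fd00::/8)" if l_bit else "reserved (fc00::/8)"
        return name, ""
    return "reserved/unassigned", ""


def canonical(text):
    """RFC 5952 text form: lower case, leading zeros dropped, longest zero run -> '::'."""
    return ipaddress.IPv6Address(text).compressed


def expanded(text):
    """Base format: all 8 groups written out with 4 hex digits each."""
    return ipaddress.IPv6Address(text).exploded


def generate_ula_prefix(eui64, ntp_time=None):
    """RFC 4193 section 3.2.2: FD00::/8 followed by a 40-bit Global ID taken from the
    low 40 bits of SHA-1(64-bit NTP timestamp || EUI-64 of some interface).
    eui64 is 8 bytes; ntp_time (seconds since 1900) may be fixed for reproducibility."""
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    if ntp_time is None:
        ntp_time = time.time() + 2208988800          # Unix epoch -> NTP epoch
    seconds = int(ntp_time) & 0xFFFFFFFF
    fraction = int((ntp_time - int(ntp_time)) * (1 << 32)) & 0xFFFFFFFF
    key = struct.pack("!II", seconds, fraction) + eui64
    global_id = int.from_bytes(hashlib.sha1(key).digest()[-5:], "big")   # low 40 bits
    prefix = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix, 48))


if __name__ == "__main__":
    for a in ("FE80::200:CFF:FE3A:8B18", "fd9c:58ed:7d73:3000::1", "2001:660:3003:1::6543:210f", "ff02::1"):
        print(canonical(a), classify(a))
    # constructed EUI-64, not a real interface
    print(generate_ula_prefix(bytes.fromhex("02000cfffe3a8b18")))
```

The generator deliberately takes the timestamp as a parameter: a ULA prefix must be generated once and recorded, not recomputed, since the hash input changes every time.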

IPv6 addresses (prefixes) can be allocated in three ways

Provider Assigned (PA): addresses and prefixes assigned to subscribers from the prefix pool assigned to the service provider

PA provides prefix and route aggregation

This is good because the Internet routing table size is minimized

Provider Independent (PI): addresses and prefixes assigned to subscribers independently of any provider pool

PI allows the subscriber to change service providers; PA requires renumbering of the subscriber network

Allows multi-homing with the same address space

This is not so good: eventually we have the same problem as IPv4, routing tables may grow excessively

Unique-Local Addressing (ULA): addresses and prefixes assigned to subscribers for local communications

Not routable on the Internet

Aggregation

Larger address space enables aggregation of prefixes announced in the global routing table: efficient and scalable routing

[Diagram] The registry level holds 2001::/16. The ISP holds 2001:DB8::/32 and only announces that /32 to the IPv6 Internet. Customer no 1 receives 2001:DB8:1::/48 and customer no 2 receives 2001:DB8:2::/48; the /48s stay inside the ISP's announcement.

Multiple Addresses

Larger address space enables multiple simultaneous addresses for hosts and networks: support of multi-homing

[Diagram] Customer no 2 is connected to two ISPs. From the first (2001:DB8::/32) it receives 2001:DB8:2::/48, from the second (2001:DB9::/32) it receives 2001:DB9:1::/48, and uses both. Each ISP only announces its own /32 to the IPv6 Internet (2001::/16 at the registry level).

PI and PA Allocation Process

[Diagram]
Provider Assigned: IANA (2000::/3) -> Registries (/12) -> ISP (/32) -> Org / Level Four Enterprise (/48)
Provider Independent: IANA (2000::/3) -> Registries (/12) -> Org / Enterprise (/48), with no ISP in the chain

Example: your provider gives you the prefix 2001:DB8:1234::/48 for your whole company…

You are given a /48… …you must build your /64s

With the 4 hex digits == 16 bits of subnet ID, split according to the number of:

Sites

Sub-sites

Subnets

A = 4 sites; 4 sub-sites; 4096 subnets (2 + 2 + 12 bits)

B = 16 sites; 16 sub-sites; 256 subnets (4 + 4 + 8 bits)

C = 16 sites; 256 sub-sites; 16 subnets (4 + 8 + 4 bits)

How did RENATER do it?

Hierarchical IPv6 addressing is mandatory (so that prefixes can be aggregated afterwards…)

RENATER received a /32 from the RIPE NCC (Europe) as an operator: 2001:660::/32

The next 16 bits define the RENATER node identifier (8 bits) and the site identifier (8 bits): a /48 per site

16 bits remain, to number 65,536 /64 networks per site

http://2005.jres.org/paper/98.pdf
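A worked carve-up of a /48 into /64s covering plans A, B and C of the company example and the RENATER node/site scheme, as an added example that is not part of the course material. The bit splits (2+2+12, 4+4+8, 4+8+4) are the ones implied by the site, sub-site and subnet counts; the node and site identifiers in the usage are made up, and the function names are my own.

```python
import ipaddress


def subnet_plan(site_prefix, site_bits, subsite_bits):
    """Split the 16-bit subnet ID of a /48 into site | sub-site | subnet fields.
    Returns (build, capacities): build(site, subsite, subnet) -> IPv6Network (/64),
    capacities = (sites, sub-sites per site, subnets per sub-site)."""
    net = ipaddress.IPv6Network(site_prefix)
    if net.prefixlen != 48:
        raise ValueError("the plan expects a /48, got /%d" % net.prefixlen)
    subnet_bits = 16 - site_bits - subsite_bits
    if site_bits < 0 or subsite_bits < 0 or subnet_bits < 0:
        raise ValueError("site + sub-site + subnet bits must not exceed 16")
    widths = (site_bits, subsite_bits, subnet_bits)

    def build(site, subsite, subnet):
        values = (site, subsite, subnet)
        for name, value, width in zip(("site", "sub-site", "subnet"), values, widths):
            if not 0 <= value < (1 << width):
                raise ValueError("%s %d does not fit in %d bits" % (name, value, width))
        subnet_id = (site << (subsite_bits + subnet_bits)) | (subsite << subnet_bits) | subnet
        # bits 48..63 of the address hold the subnet ID; bits 64..127 stay zero (host part)
        return ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64))

    return build, tuple(1 << w for w in widths)


def renater_site_prefix(node_id, site_id, operator_prefix="2001:660::/32"):
    """RENATER scheme from the slide: /32 from the RIPE NCC, then 8 bits of node ID and
    8 bits of site ID give the /48 of a site; the 16 bits after that number its /64s."""
    net = ipaddress.IPv6Network(operator_prefix)
    if net.prefixlen != 32:
        raise ValueError("operator prefix must be a /32")
    if not (0 <= node_id < 256 and 0 <= site_id < 256):
        raise ValueError("node and site identifiers are 8 bits each")
    return ipaddress.IPv6Network((int(net.network_address) | (node_id << 88) | (site_id << 80), 48))


def subnets_per_site(site_prefix="2001:660:1234::/48"):
    """Number of /64s a /48 contains: 2^16 = 65,536 (not 65,535)."""
    net = ipaddress.IPv6Network(site_prefix)
    return 1 << (64 - net.prefixlen)


if __name__ == "__main__":
    build_a, caps_a = subnet_plan("2001:db8:1234::/48", 2, 2)     # plan A: 4 / 4 / 4096
    print(caps_a, build_a(3, 2, 1))                                # 2001:db8:1234:e001::/64
    print(renater_site_prefix(0x12, 0x34))                         # made-up node 0x12, site 0x34
```

Keeping the field widths explicit is what makes the plan aggregatable later: every sub-site is one contiguous block of /64s, so a site router can summarise it with a single shorter prefix.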

Prefix (higher 64 bits) is OK now! How about the lower 64 bits?

• Manual…

• EUI-64

• ISATAP, IPv4-mapped, etc.

• Privacy extensions

• CGA (Cryptographically Generated Addresses)

• ….

Note: network types and interface ID types are relatively independent.

What type of addressing should I deploy internal to my network? It depends. Each interface can have multiple addresses intended for different purposes. For this reason, RFC 3484 (since replaced by RFC 6724) provides a standardized method to choose the source and destination IPv6 addresses with which to attempt connections

Source Address Selection (SAS)

ULA, ULA + Global or Global

Unique Local Addresses (ULA), FC00::/7: a globally unique prefix with a high probability of uniqueness, intended for local communications, usually inside a site

Prefix FC00::/7 is reserved by IANA for ULA (the 8th bit, the L bit, says whether the prefix is locally assigned, FD00::/8, or centrally assigned, FC00::/8; only the locally assigned form was ever standardized, in RFC 4193).

Global-only, 2000::/3: the recommended approach, but the old-school security folks who believe topology hiding is essential to security will bark at this option

ULA + Global: allows for the best of both worlds BUT at a price: much more address management with DHCP, DNS, routing and security

Source Address Selection (SAS) does not always work as it should

ULA, ULA + Global or Global

Unique-Local Addressing (ULA), RFC 4193

[Diagram] ULA space FD9C:58ED:7D73::/48 on the corporate backbone, with example subnets FD9C:58ED:7D73:3000::/64, FD9C:58ED:7D73:2800::/64 and FD9C:58ED:7D73:2::/64 (ULA, internal); the edge holds the global prefix 2001:DB8:CAFE::/48 towards the Internet.

• Viable solution for an enterprise intranet

– No renumbering

– Most enterprises run a web proxy at their edge which does ULA-to-Global (or even ULA to IPv4)

– Works as it does today with IPv4

• But removes the advantages of not having a NAT (i.e. application interoperability, global multicast, end-to-end connectivity)

– A NAT supporting IPv6 or a proxy is required to access IPv6 hosts on the Internet; must run filters to prevent any SA/DA in the ULA range from being forwarded

Global-only

[Diagram] Global prefix 2001:DB8:CAFE::/48 on the corporate backbone and towards the Internet; example subnets 2001:DB8:CAFE:3000::/64, 2001:DB8:CAFE:2800::/64 and 2001:DB8:CAFE:2::/64.

• Global is used everywhere

• No issues with SAS

• No requirement to have NAT for ULA-to-Global translation

• Easier management of DHCP, DNS, security, etc…

• Only downside is breaking the habit of believing that topology hiding is a good security method

• But with PA prefixes, a change of ISP requires renumbering (and potential disruption)

ULA + Global

[Diagram] Both prefixes on the corporate backbone: Global 2001:DB8:CAFE::/48 and ULA FD9C:58ED:7D73::/48. Each subnet carries both, e.g. 2001:DB8:CAFE:3000::/64 with FD9C:58ED:7D73:3000::/64, 2001:DB8:CAFE:2800::/64 with FD9C:58ED:7D73:2800::/64, and 2001:DB8:CAFE:2::/64 with FD9C:58ED:7D73:2::/64. Only the global prefix is announced towards the Internet.

• Both ULA and Global are used internally, except for internal-only hosts

• Source Address Selection (SAS) is used to determine which address to use when communicating with other nodes internally or externally

– In theory, ULA talks to ULA and Global talks to Global; SAS "should" work this out

• Easier to renumber without disruption

• But:

– Define a filter/policy that ensures your ULA prefix does not "leak" out onto the Internet, and ensure that no traffic can come in or go out with a ULA prefix in the SA/DA fields

– Management overhead for DHCP, DNS, routing, security, etc…
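The source address selection the three designs depend on, as an added example rather than anything from the slides: a reduced implementation of RFC 6724 (rules 1, 2, 6 and 8 with the default policy table; rules 3, 4, 5, 5.5 and 7 are left out, and a host's own policy table can differ, which is part of why real hosts do not always behave like this), plus the edge filter the ULA + Global design calls for. The candidate addresses reuse the prefixes from the diagrams; the function names are my own.

```python
import ipaddress
from functools import cmp_to_key

# Default policy table of RFC 6724 section 2.1: (prefix, precedence, label).
POLICY_TABLE = [(ipaddress.IPv6Network(p), prec, lab) for p, prec, lab in (
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4), ("2002::/16", 30, 2),
    ("2001::/32", 5, 5), ("fc00::/7", 3, 13), ("::/96", 1, 3), ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
)]
SITE_LOCAL = ipaddress.IPv6Network("fec0::/10")      # deprecated, still has its own scope value


def label(addr):
    """Longest-match lookup of the address in the policy table, returning its label."""
    best = None
    for net, _prec, lab in POLICY_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, lab)
    return best[1]


def scope(addr):
    """Scope values as in the multicast scope field (RFC 6724 section 3.1)."""
    if addr.is_multicast:
        return (int(addr) >> 112) & 0xF
    if addr.is_loopback or addr.is_link_local:
        return 0x2                       # link-local
    if addr in SITE_LOCAL:
        return 0x5                       # site-local
    return 0xE                           # global; ULAs are treated as global scope


def common_prefix_len(a, b):
    return 128 - (int(a) ^ int(b)).bit_length()


def compare(sa, sb, dst):
    """Negative if SA is the better source for dst, positive if SB is, 0 if undecided."""
    if sa == dst and sb != dst:          # rule 1: prefer same address
        return -1
    if sb == dst and sa != dst:
        return 1
    ssa, ssb, sd = scope(sa), scope(sb), scope(dst)
    if ssa != ssb:                       # rule 2: prefer the smallest scope that still reaches dst
        if ssa < ssb:
            return 1 if ssa < sd else -1
        return -1 if ssb < sd else 1
    la, lb, ld = label(sa), label(sb), label(dst)
    if (la == ld) != (lb == ld):         # rule 6: prefer matching label (ULA with ULA, global with global)
        return -1 if la == ld else 1
    ca, cb = common_prefix_len(sa, dst), common_prefix_len(sb, dst)
    if ca != cb:                         # rule 8: prefer the longest matching prefix
        return -1 if ca > cb else 1
    return 0


def select_source(candidates, destination):
    """Pick the source address a host would use for the destination."""
    dst = ipaddress.IPv6Address(destination)
    srcs = [ipaddress.IPv6Address(c) for c in candidates]
    best = sorted(srcs, key=cmp_to_key(lambda a, b: compare(a, b, dst)))[0]
    return str(best)


def ula_leak(src, dst):
    """Edge filter predicate: True when a packet must be dropped at the site border
    because its source or destination is a ULA (RFC 4193 section 4.1)."""
    ula = ipaddress.IPv6Network("fc00::/7")
    return ipaddress.IPv6Address(src) in ula or ipaddress.IPv6Address(dst) in ula


if __name__ == "__main__":
    host = ["fe80::1", "fd9c:58ed:7d73:2::10", "2001:db8:cafe:2::10"]   # ULA + Global host
    for d in ("2001:db8:cafe:3000::1", "fd9c:58ed:7d73:3000::1", "fe80::2"):
        print(d, "->", select_source(host, d))
```

With the ULA + Global host above, rule 6 is what makes "ULA talks to ULA and Global talks to Global" come out right: both candidates have global scope, so rule 2 cannot separate them, and the label match decides.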

Multicast Use

• Broadcasts in IPv4 interrupt all computers on the LAN even if the request was intended for one or two computers

Can completely hang up a network ("broadcast storm")

• Broadcasts in IPv6 are not used; they are replaced by multicast

• Multicast enables the efficient use of the network

The multicast address range is much larger

Multicast Use - Examples:

FF02::1 (All nodes on link),
FF02::2 (All routers on link),
FF02::3 (All hosts),
FF02::5 (All OSPF routers),
FF02::6 (All OSPF DR),
FF02::9 (All RIP routers),
FF02::B (Mobile agents),
FF02::D (All PIM routers),
FF02::16 (All MLDv2 routers),
FF02::1:2 (All DHCP agents: relay agents and servers),
FF05::1:3 (All DHCP servers, site scope),
FF05::1:4 (All DHCP relays, since deprecated)

What new mechanisms?

Anything else than a bigger address?

• Simpler header

• Flow label

• Fragmentation by the originator only (PMTU discovery)

• Many areas have been "re-engineered":

Link operations

Mobility

Security

DNS

DHCP (prefix delegation)

IPv6 Header

• The IPv6 header is redesigned

• Minimize header overhead and reduce header processing for the majority of packets

• Less essential and optional fields are moved to extension headers

IPv6 and IPv4 headers are not interoperable!

IP: Head to Head (V4)

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version|  IHL  |Type of Service|          Total Length         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Identification        |Flags|      Fragment Offset    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|  Time to Live |    Protocol   |         Header Checksum       |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                       Source Address                          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Destination Address                        |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                    Options                    |    Padding    |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IP: Head to Head (V6)

 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| Traffic Class |           Flow Label                  |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|         Payload Length        |  Next Header  |   Hop Limit   |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                         Source Address                        +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                                                               |
+                                                               +
|                                                               |
+                      Destination Address                      +
|                                                               |
+                                                               +
|                                                               |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

IPv4 and IPv6 Header Comparison

IPv4 header: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding

IPv6 header: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address

Field name kept from IPv4 to IPv6: Version, Source Address, Destination Address

Fields not kept in IPv6: IHL, Identification, Flags, Fragment Offset, Header Checksum, Options, Padding

Name and position changed in IPv6: Type of Service -> Traffic Class, Total Length -> Payload Length, Protocol -> Next Header, Time to Live -> Hop Limit

New field in IPv6: Flow Label

Extension Headers (RFC 2460, now RFC 8200)

Processed only by the node identified in the IPv6 Destination Address field => much lower overhead than IPv4 options

Exception: the Hop-by-Hop Options header, examined by every node along the path

Eliminates IPv4's 40-octet limit on options

In IPv6, the limit is the total packet size, or the Path MTU in some cases
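A parser for the fixed header and the extension-header chain described above, added here as an example (it is not code from the original slides). It builds constructed packets (not captures), walks the chain from Next Header to Next Header, and enforces the RFC 8200 rule that Hop-by-Hop Options, if present, must come first; the function names and the sample option bodies are my own.

```python
import ipaddress
import struct

# Next Header values that are extension headers (RFC 8200 section 4), plus AH (RFC 4302).
EXT_HEADERS = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
               51: "Authentication", 60: "Destination Options"}
NO_NEXT_HEADER = 59


def ipv6_packet(src, dst, ext_headers, upper_proto, upper_payload,
                hop_limit=64, traffic_class=0, flow_label=0):
    """Build a packet: fixed 40-byte header, then the extension headers in the given
    order, then the upper-layer payload.  ext_headers is a list of (type, body) where
    body is the header without its leading Next Header octet; the builder fills each
    Next Header octet so the chain links to whatever follows."""
    types = [t for t, _ in ext_headers] + [upper_proto]
    payload = b"".join(bytes([types[i + 1]]) + body for i, (_, body) in enumerate(ext_headers))
    payload += upper_payload
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    fixed = struct.pack("!IHBB", first_word, len(payload), types[0], hop_limit)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def parse_ipv6(packet):
    """Parse the fixed header and walk the extension-header chain up to the upper layer."""
    if len(packet) < 40:
        raise ValueError("packet shorter than the 40-byte fixed header")
    first_word, payload_len, nxt, hop_limit = struct.unpack("!IHBB", packet[:8])
    if first_word >> 28 != 6:
        raise ValueError("not an IPv6 packet (version %d)" % (first_word >> 28))
    end = 40 + payload_len
    if len(packet) < end:
        raise ValueError("payload length field exceeds the packet")
    chain = []
    offset = 40
    while nxt in EXT_HEADERS:
        if nxt == 0 and chain:
            raise ValueError("Hop-by-Hop Options must immediately follow the fixed header")
        if offset + 8 > end:
            raise ValueError("truncated %s header" % EXT_HEADERS[nxt])
        following = packet[offset]
        if nxt == 44:                                  # Fragment: fixed 8 octets
            length = 8
        elif nxt == 51:                                # AH: Payload Len in 32-bit words, minus 2
            length = (packet[offset + 1] + 2) * 4
        else:                                          # Hdr Ext Len in 8-octet units, not counting the first 8
            length = (packet[offset + 1] + 1) * 8
        if offset + length > end:
            raise ValueError("%s header runs past the payload" % EXT_HEADERS[nxt])
        chain.append((EXT_HEADERS[nxt], nxt, length))
        nxt, offset = following, offset + length
    return {
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "extension_headers": chain,
        "upper_layer": nxt,          # 59 means "no next header"
        "upper_offset": offset,
    }


def check_packet(packet):
    """Return None if the packet parses cleanly, else the reason it was rejected."""
    try:
        parse_ipv6(packet)
    except ValueError as err:
        return str(err)
    return None


# Constructed sample headers (not captures): Hdr Ext Len = 0 -> 8 octets in total,
# carrying one PadN option (type 1, length 4) to fill the remaining 6 octets.
HOP_BY_HOP_BODY = b"\x00" + b"\x01\x04\x00\x00\x00\x00"
DEST_OPTS_BODY = b"\x00" + b"\x01\x04\x00\x00\x00\x00"
FRAGMENT_BODY = b"\x00" + struct.pack("!HI", (0 << 3) | 1, 0x1234)   # offset 0, M=1, id 0x1234
ICMPV6_ECHO = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)              # echo request, checksum left 0

if __name__ == "__main__":
    pkt = ipv6_packet("2001:db8::1", "2001:db8::2",
                      [(0, HOP_BY_HOP_BODY), (44, FRAGMENT_BODY)], 58, ICMPV6_ECHO)
    print(parse_ipv6(pkt))
```

Walking the chain is what a firewall has to do before it can even find the transport ports, which is why long or malformed chains are a classic way to get past filtering; the length checks above are the minimum a parser needs to avoid reading past the packet.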

ICMPv6 (RFC 2463, now RFC 4443)

Covers the ICMP (v4) features: error control, administration, …

New features!

- Used to run link operations (Neighbor Discovery)
- Used to control multicast operations (MLD)

New upper-layer protocol (ULP) value: Next Header = 58

ICMPv6

[Diagram] IPv6 basic header (Next Header = 58) followed by the ICMPv6 packet:

ICMPv6 Type (8 bits) | ICMPv6 Code (8 bits) | Checksum (16 bits)
ICMPv6 Data

…towards a doubling…

[Diagram] Dual stack on one host:
IPv4 (192.168…) with ICMPv4 + ARP
IPv6 (2001:000…) with ICMPv6
both over ETHERNET or WIRELESS or …

Let's hope we won't have to double up all the way up the stack to the application layer!……

What are link operations? IPv6 Neighbor Discovery

Operations contained within the link boundaries, necessary for a node to communicate with its neighbors, including the link exit points.

• It encompasses:

• Address configuration parameters

• Address initialization

• Address resolution

• Default gateway discovery

• Local network configuration

• Neighbor reachability tracking

In IPv4: ARP + ICMP + DHCP (≈ always). In IPv6: ND (Neighbor Discovery) + DHCP (optional)

Fundamentals On Neighbor Discovery

Defined in:

RFC 4861 Neighbor Discovery for IP Version 6 (IPv6)

RFC 4862 IPv6 Stateless Address Auto-configuration

RFC 3971 Secure Neighbor Discovery etc.

Used for:

Router discovery

IPv6 Stateless Address Auto Configuration (SLAAC)

IPv6 address resolution (replaces ARP)

Neighbor Unreachability Detection (NUD)

Duplicate Address Detection (DAD)

Redirection

Operates above ICMPv6

Relies heavily on (link-local scope) multicast, combined with Layer 2 multicast

Works with ICMP messages and message "options"

Router Discovery

Find default/first-hop routers

Discover on-link prefixes, i.e. which destinations are neighbors

Messages: Router Advertisements (RA), Router Solicitations (RS)

RS: ICMP Type = 133 (Router Solicitation)
Src = host link-local address
Dst = all-routers multicast address (FF02::2)
Query = please send RA

RA: ICMP Type = 134 (Router Advertisement)
Src = router link-local address
Dst = all-nodes multicast address (FF02::1)
Data = router lifetime, retrans timer, autoconfig flags
Option = prefix, lifetime

[Diagram] Host A sends an RS; router B answers with an RA; A uses B as its default gateway.

Stateless Auto-Configuration

Stateless, based on the prefix information delivered in Router Advertisements

Messages: Router Advertisements, Router Solicitations

RS: ICMP Type = 133 (Router Solicitation)
Src = host link-local address
Dst = all-routers multicast address (FF02::2)
Query = please send RA

RA: ICMP Type = 134 (Router Advertisement)
Src = router link-local address
Dst = all-nodes multicast address (FF02::1)
Data = router lifetime, retrans timer, autoconfig flags
Options = prefixes X, Y, Z with lifetimes

[Diagram] The host computes X::x, Y::y, Z::z from the advertised prefixes, runs DAD on each of them (NS), then sources traffic with X::x, Y::y, Z::z.

Duplicate Address Detection

Verify address uniqueness: probe the neighbors to verify that nobody already claims the address

Messages: Neighbor Solicitation, Neighbor Advertisement

NS: ICMP type = 135 (Neighbor Solicitation)
Src = unspecified address (::)
Dst = solicited-node multicast address of A
Data = A
Query = does anybody use A already?

[Diagram] Node A sends the NS towards neighbors B and C; if no Neighbor Advertisement comes back, node A can start using address A.

Address Resolution

Resolves an IP address into a MAC address and creates a neighbor cache entry

Messages: Neighbor Solicitation, Neighbor Advertisement

NS: ICMP type = 135 (Neighbor Solicitation)
Src = A
Dst = solicited-node multicast address of B
Data = B
Option = link-layer address of A
Query = what is B's link-layer address?

NA: ICMP type = 136 (Neighbor Advertisement)
Src = one of B's interface addresses
Dst = A
Data = B
Option = link-layer address of B

[Diagram] A sends the NS; B (not C) answers with the NA; A and B can now exchange packets on this link.

Layer-2 Address Resolution for IPv4

• IPv4 uses ARP

• ARP is based on broadcasts

[Diagram] Router 1 (10.1.1.1/24) and Router 2 (10.1.1.2/24) on the same segment.

ARP Request: source IPv4 address 10.1.1.1, destination IPv4 address 255.255.255.255 (broadcast), data: what is the MAC address of 10.1.1.2?

ARP Reply: source address 10.1.1.2, destination IPv4 address 10.1.1.1, data: MAC address of 10.1.1.2

The broadcast causes an interrupt on ALL stations in the L2 broadcast domain

Layer-2 Address Resolution for IPv6

• Based on the IPv6 Neighbor Discovery Protocol

• Part of ICMPv6

• Broadcast is replaced with the Solicited-Node Multicast address

• Every IPv6 device will join all Solicited-Node Multicast addresses derived from its assigned IPv6 unicast addresses

104 well-known fixed bits (FF02::1:FF00:0/104) followed by the last 24 bits of the unicast address

Layer-2 Address Resolution for IPv6 (Cont.)

[Diagram] Router 1 (2001:db8::1/64) and Router 2 (2001:db8::2/64).

Router 1: "I will join my Solicited-Node Multicast address": 2001:db8:0000:0000:0000:0000:0000:0001 gives FF02::1:FF (104 well-known fixed bits) + 00:0001 (last 24 bits) = FF02::1:FF00:1

Router 2: "I will join my Solicited-Node Multicast address": 2001:db8:0000:0000:0000:0000:0000:0002 gives FF02::1:FF + 00:0002 = FF02::1:FF00:2

R1#sh ipv6 int e0

Ethernet0 is up, line protocol is up

IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18

No global unicast address is configured

Joined group address(es):

FF02::1

FF02::2

FF02::1:FF3A:8B18

MTU is 1500 bytes

ICMP error messages limited to one every 100 milliseconds

ICMP redirects are enabled

ND DAD is enabled, number of DAD attempts: 1

ND reachable time is 30000 milliseconds

ND advertised reachable time is 0 milliseconds

ND advertised retransmit interval is 0 milliseconds

ND router advertisements are sent every 200 seconds

ND router advertisements live for 1800 seconds

Hosts use stateless autoconfig for addresses.

R1#

Solicited-Node Multicast Address: the router interface's link-local address FE80::200:CFF:FE3A:8B18 gives the joined group FF02::1:FF3A:8B18 (last 24 bits 3A:8B18).
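How the addresses in that router output are derived, as an added example (not part of the course material): the link-local address is the modified EUI-64 of the MAC 00:00:0C:3A:8B:18 (inferred from the output; the MAC itself is not shown on the slide), and the third joined group is its solicited-node address. The inverse function shows why the interface identifier leaks hardware identity, which is what the randomized identifiers mentioned in the appendix avoid. Function names are my own.

```python
import ipaddress


def eui64_from_mac(mac):
    """Modified EUI-64 (RFC 4291 appendix A): insert FF:FE in the middle of the 48-bit MAC
    and flip the universal/local bit (0x02 of the first octet)."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    raw[0] ^= 0x02
    return bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])


def address_from_prefix(prefix, interface_id):
    """Combine a /64 prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(interface_id, "big"))


def link_local_from_mac(mac):
    return address_from_prefix("fe80::/64", eui64_from_mac(mac))


def solicited_node(addr):
    """FF02::1:FF00:0/104 followed by the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def mac_from_address(addr):
    """Inverse mapping when the interface ID is EUI-64 derived (FF:FE in octets 3-4);
    None otherwise (manual, random/privacy or CGA interface IDs)."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02
    return ":".join("%02x" % b for b in raw)


def joined_groups(unicast_addresses, is_router=False):
    """Multicast groups an interface joins: all-nodes, all-routers when forwarding,
    and one solicited-node group per unicast address (shared when the low 24 bits coincide)."""
    groups = ["ff02::1"] + (["ff02::2"] if is_router else [])
    for addr in unicast_addresses:
        group = str(solicited_node(addr))
        if group not in groups:
            groups.append(group)
    return groups


if __name__ == "__main__":
    ll = link_local_from_mac("00:00:0C:3A:8B:18")
    print(ll, solicited_node(ll))                    # fe80::200:cff:fe3a:8b18 ff02::1:ff3a:8b18
    print(joined_groups([str(ll)], is_router=True))  # matches the "Joined group address(es)" list
```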

Layer-2 Address Resolution for IPv6 (Cont.)

NO BROADCAST!!!!

[Diagram] Router 1, 2001:db8::1/64, joined multicast group FF02::1:FF00:1. Router 2, 2001:db8::2/64, joined multicast group FF02::1:FF00:2.

Router 1: "I would like to know the MAC address of Router 2. I only know the IPv6 address, and there is NO broadcast… Gee… I have a problem!"

Each router: "If somebody sends a packet to my multicast group I will pick up the message"

Layer-2 Address Resolution for IPv6 (Cont.)

[Diagram] Router 1, 2001:db8::1/64, joined multicast group FF02::1:FF00:1. Router 2, 2001:db8::2/64, joined multicast group FF02::1:FF00:2.

Router 1: "Yippie!!!!! I can calculate the Solicited-Node Multicast address of Router 2. Remote IPv6 address: 2001:db8::2. The Solicited-Node Multicast address: FF02::1:FF00:2. If I send a packet to his Solicited-Node Multicast address he will see it."

Layer-2 Address Resolution for IPv6 (Cont.)

[Diagram] Router 1, 2001:db8::1/64, joined multicast group FF02::1:FF00:1. Router 2, 2001:db8::2/64, joined multicast group FF02::1:FF00:2.

t=0 / t=1: I want to send an IPv6 packet to Router 2, with IPv6 address 2001:db8::2
t=2: let's calculate the Solicited-Node Multicast address: FF02::1:FF00:2

Layer-2 Address Resolution for IPv6 (Cont.)

[Diagram] Router 1, 2001:db8::1/64, joined multicast group FF02::1:FF00:1. Router 2, 2001:db8::2/64, joined multicast group FF02::1:FF00:2.

t=0 / t=1: I want to send an IPv6 packet to Router 2, with IPv6 address 2001:db8::2
t=2: let's calculate the Solicited-Node Multicast address
t=3: Neighbor Solicitation, ICMP type = 135. Src = A, Dst = solicited-node multicast of B, Data = link-layer address of A, Query = what is your link address?
t=4: Neighbor Advertisement, ICMP type = 136. Src = B, Dst = A, Data = link-layer address of B
t=5: IPv6 traffic can be exchanged now
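The NS/NA exchange above, and the DAD probe from the earlier slide, as an added example (not code from the slides): build both messages with a correct ICMPv6 checksum over the IPv6 pseudo-header, parse the reply, and apply two receiver-side checks from RFC 4861 (a DAD probe must not carry a source link-layer option; an option of length zero invalidates the packet). The addresses reuse the slide's values; the MACs are constructed and the function names are my own.

```python
import ipaddress
import struct

ICMPV6 = 58
NEIGHBOR_SOLICITATION, NEIGHBOR_ADVERTISEMENT = 135, 136
OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR = 1, 2
UNSPECIFIED = ipaddress.IPv6Address("::")


def solicited_node(addr):
    """FF02::1:FF00:0/104 + low 24 bits of the unicast address (RFC 4291 section 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def icmpv6_checksum(src, dst, message):
    """One's-complement sum over the IPv6 pseudo-header (src, dst, upper-layer length,
    3 zero octets, Next Header = 58) followed by the ICMPv6 message (RFC 8200 section 8.1)."""
    data = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!IxxxB", len(message), ICMPV6) + message)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksum_ok(src, dst, message):
    """A message whose checksum field is correct sums to zero."""
    return icmpv6_checksum(src, dst, message) == 0


def _lladdr_option(opt_type, mac):
    return bytes([opt_type, 1]) + bytes.fromhex(mac.replace(":", ""))   # 8 octets = length 1


def _finish(src, dst, message):
    csum = icmpv6_checksum(src, dst, message)
    return message[:2] + struct.pack("!H", csum) + message[4:]


def neighbor_solicitation(src, target, src_mac=None):
    """Address resolution NS (src = A, target = B) or DAD probe (src = ::, target = the
    tentative address).  Returns (destination, message)."""
    dst = str(solicited_node(target))
    if ipaddress.IPv6Address(src) == UNSPECIFIED and src_mac is not None:
        # RFC 4861 section 4.3: a DAD probe must not carry a Source Link-Layer Address option
        raise ValueError("DAD probe must not carry a source link-layer address option")
    message = struct.pack("!BBHI", NEIGHBOR_SOLICITATION, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    if src_mac is not None:
        message += _lladdr_option(OPT_SOURCE_LLADDR, src_mac)
    return dst, _finish(src, dst, message)


def neighbor_advertisement(src, dst, target, target_mac, solicited=True, override=True, router=False):
    """NA answering an NS: R, S and O flags sit in the top three bits of the 32-bit word."""
    flags = (int(router) << 31) | (int(solicited) << 30) | (int(override) << 29)
    message = (struct.pack("!BBHI", NEIGHBOR_ADVERTISEMENT, 0, 0, flags)
               + ipaddress.IPv6Address(target).packed + _lladdr_option(OPT_TARGET_LLADDR, target_mac))
    return _finish(src, dst, message)


def parse_nd(message):
    """Decode an NS/NA: type, flags word, target and the link-layer address options."""
    msg_type, code, _csum, word = struct.unpack("!BBHI", message[:8])
    target = str(ipaddress.IPv6Address(message[8:24]))
    options, offset = {}, 24
    while offset < len(message):
        opt_type, opt_len = message[offset], message[offset + 1]
        if opt_len == 0:
            # RFC 4861 section 4.6: a zero-length option makes the whole packet invalid
            raise ValueError("zero-length ND option")
        body = message[offset + 2:offset + opt_len * 8]
        if opt_type in (OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR):
            options[opt_type] = ":".join("%02x" % b for b in body[:6])
        offset += opt_len * 8
    return {"type": msg_type, "code": code, "flags": word, "target": target, "options": options}


if __name__ == "__main__":
    a = "fe80::200:cff:fe3a:8b18"                      # Router 1 link-local from the slide
    dst, ns = neighbor_solicitation(a, "2001:db8::2", src_mac="00:00:0c:3a:8b:18")
    print(dst, ns.hex(), checksum_ok(a, dst, ns))
    na = neighbor_advertisement("2001:db8::2", a, "2001:db8::2", "00:00:0c:3a:8b:19")
    print(parse_nd(na))
```

Nothing in these messages is authenticated: any node on the link can answer an NS or send an unsolicited NA with the override flag set, which is the problem SEND (RFC 3971, listed among the ND references above) was designed to address.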

IPv6 routing

IPv6 still uses the longest-prefix match routing algorithm.

RIPng (RFC 2080), supports split horizon with poisoned reverse

OSPFv3 (RFC 2740, since replaced by RFC 5340; the address-family concept came later with RFC 5838)

IS-IS (RFC 5308, new TLVs for IPv6)

BGP4+ (RFC 2858 and RFC 2545, IPv6 as a separate address family)

Be careful: if your IPv6 network stops at your border router (because your ISP only provides you with IPv4), think about propagating routes to remote sites…

IPv6 Security

All implementations were originally required to support the authentication and encryption headers ("IPsec"); RFC 6434 has since relaxed this from MUST to SHOULD

Authentication is separate from encryption, for use in situations where encryption is prohibited or prohibitively expensive

Key distribution protocols (independent of IPv4/v6); support for manual key configuration required; a new set of problems/issues…

Coexistence with IPv4 and/or transition

IPv6: is this really going to happen? Ever?

IPv6 usage

FRANCE

AFNIC, the NIC for (among others) the .fr Top Level Domain, has implemented IPv6 operations

Renater, the French national academic network, is offering IPv6 connectivity including multicast support to its members.
Free, a major French ISP, rolled out IPv6 at the end of 2007
Nerim, a small ISP, has provided native IPv6 to all its clients since March 2003
Orange: official support could come during 2013-2014
OVH has implemented IPv6
FDN, a small associative ISP, has been providing native IPv6 since November 2008
SFR: in beta since 2011
Numericable: since 2012, with a specific subscription
Bouygues Telecom: maybe by the end of 2012

[Figure] IPv6 traffic (source: Google) https://www.google.com/intl/en/ipv6/statistics.html

[Figure] Per-country adoption (source: Google)

IPv6 still very small…

[Figure] Akamai IPv6 hits per second, by hour and by month/day. Global traffic: 13,880,694 (Akamai is 20% of Web content delivery)

Environments – Unmanaged

No administrative staff to manage configuration or policies

Devices need to be plug-n-play appliances

Network & hosts share administrative policies

Tool automation a primary concern

Environments – Managed Enterprise

Dedicated management staff & tools

Network & hosts share administrative policies

Applications will likely require recertification

Environments – Managed Service Provider

Dedicated management staff & tools

Network has different administrative policies than connected hosts or networks

Services as dual-stack: AAA, DNS, SMTP; NAT-PT; tunnel relay

Distributed tunnel relay service minimizes overhead

Transition environments

[Diagram, reconstructed from the slide labels]
Telecommuter / residential (cable; DSL, FTTH, dial): IPv6 over IPv4 tunnels or dedicated data link layers
Aggregation: IPv6 over IPv4 tunnels or dual stack
ISPs: dual stack or MPLS & 6PE
IPv6 IX, 6Bone: IPv6 over IPv4 tunnels or dedicated data link layers
Enterprise (with 6to4 relay, ISATAP, dual stack): WAN: 6to4, IPv6 over IPv4, dual stack

IPv4-IPv6 Transition / Co-Existence

A wide range of techniques have been identified and implemented, basically falling into three categories:

Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks

Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions

Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices

Expect all of these to be used, in combination…

Tools for coexistence: Dual-stack…

[Diagram] Dual stack on one host: IPv4 (192.168…) with ICMPv4 + ARP, IPv6 (2001:000…) with ICMPv6, both over ETHERNET or WIRELESS or …

Tools – Dual Stack

Primary tool

Allows continued "normal" operation with IPv4-only nodes

Address selection rules generally prefer IPv6

DSTM variant allows temporary use of an IPv4 pool

[Diagram] IPv6-enabled node, IPv6-enabled node and IPv4-only node, all reaching the Internet.

Dual-Stack Approach

When adding IPv6 to a system, do not delete IPv4: this multi-protocol approach is familiar and well understood (e.g., for AppleTalk, IPX, etc.)

Note: in most cases, IPv6 will be bundled with new OS releases, not an extra-cost add-on

Applications (or libraries) choose the IP version to use when initiating, based on the DNS response: prefer scope match first; when equal, IPv6 over IPv4. When responding, based on the version of the initiating packet

This allows indefinite co-existence of IPv4 and IPv6, and gradual app-by-app upgrades to IPv6 usage

Tools – Tunneling

Nodes view the IPv4 network as a logical NBMA link layer

May be used in conjunction with dual-stack

[Diagram] Two IPv6-enabled sites tunnelling across an IPv4-only network.

Tunneling techniques

Tunneling provides a way to use an existing IPv4 routing infrastructure to carry IPv6 traffic: router-to-router, host-to-router, host-to-host

Configured: prearranged addresses for both IPv4 & IPv6, manually configured

Tunnel Broker: builds on a configured tunnel, via an IPv4 authentication scheme, to establish the mapping; typically provides the default route

6over4: any address, but requires IPv4 multicast for ND

Automatic: IPv4 address embedded in the low 32 bits (IPv4-compatible addresses, ::/96, since deprecated); requires a default route to IPv4 or injecting the IPv4 table into IPv6 routing

IPv6 over IPv4 Tunnels

Several tunnelling mechanisms defined by the IETF

Apply to ISP and enterprise WAN networks: 6rd, GRE, configured tunnels, automatic tunnels using IPv4-compatible IPv6 addresses, 6to4

Apply to campus: ISATAP, 6over4

No impact on the core infrastructure, either IPv4 or MPLS

[Diagram] The IPv6 packet (IPv6 header | transport header | data) is carried unchanged as the payload of an IPv4 header: IPv4 header | IPv6 header | transport header | data
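The embedded-IPv4 address forms used by the automatic tunnels above (6to4, ISATAP, IPv4-compatible, IPv4-mapped) and the protocol-41 encapsulation of the diagram, as an added example that is not from the slides. The decapsulation side includes the relay check from RFC 3964 (security considerations for 6to4): an inner 6to4 source must embed the outer IPv4 source, otherwise the packet is spoofed. IPv4 addresses are documentation ranges, the inner packet is constructed, and the function names are my own.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41    # "6in4": IPv6 carried directly in IPv4 (RFC 4213)


def six_to_four_prefix(public_ipv4):
    """RFC 3056: a site with public IPv4 address V4ADDR owns 2002:V4ADDR::/48."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_address(prefix, ipv4):
    """RFC 5214: interface ID = 0000:5EFE:a.b.c.d, with the u/l bit (0x0200) set when
    the IPv4 address is globally unique."""
    net = ipaddress.IPv6Network(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    ul_bit = 0 if v4.is_private else 0x0200
    iid = (ul_bit << 48) | (0x5EFE << 32) | int(v4)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def embedded_ipv4(addr):
    """Recover the IPv4 address an IPv6 address embeds, and the scheme, or None."""
    value = int(ipaddress.IPv6Address(addr))
    iid = value & 0xFFFFFFFFFFFFFFFF
    if value >> 112 == 0x2002:
        return str(ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF)), "6to4"
    if ((iid >> 32) & 0xFDFFFFFF) == 0x00005EFE:           # ignore the u/l bit
        return str(ipaddress.IPv4Address(iid & 0xFFFFFFFF)), "isatap"
    if value >> 32 == 0xFFFF:
        return str(ipaddress.IPv4Address(value & 0xFFFFFFFF)), "ipv4-mapped"
    if value >> 32 == 0 and value > 1:
        return str(ipaddress.IPv4Address(value & 0xFFFFFFFF)), "ipv4-compatible (deprecated)"
    return None


def checksum16(data):
    """Standard Internet one's-complement checksum (used here for the IPv4 header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate_6in4(outer_src, outer_dst, ipv6_packet, ttl=64):
    """Prepend a 20-byte IPv4 header with Protocol 41 around an IPv6 packet."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), 0, 0, ttl,
                         IPPROTO_IPV6, 0, ipaddress.IPv4Address(outer_src).packed,
                         ipaddress.IPv4Address(outer_dst).packed)
    header = header[:10] + struct.pack("!H", checksum16(header)) + header[12:]
    return header + ipv6_packet


def decapsulate_6in4(ipv4_packet):
    """Return (inner IPv6 packet, None) or (None, reason).  Besides the basic header checks
    this applies the 6to4 rule: an inner 6to4 source must embed the outer IPv4 source."""
    if len(ipv4_packet) < 20 or ipv4_packet[0] >> 4 != 4:
        return None, "not an IPv4 packet"
    ihl = (ipv4_packet[0] & 0xF) * 4
    total_len = struct.unpack("!H", ipv4_packet[2:4])[0]
    if ihl < 20 or total_len > len(ipv4_packet) or total_len < ihl + 40:
        return None, "bad IPv4 lengths"
    if checksum16(ipv4_packet[:ihl]) != 0:
        return None, "bad IPv4 header checksum"
    if ipv4_packet[9] != IPPROTO_IPV6:
        return None, "not protocol 41"
    outer_src = str(ipaddress.IPv4Address(ipv4_packet[12:16]))
    inner = ipv4_packet[ihl:total_len]
    if inner[0] >> 4 != 6:
        return None, "inner packet is not IPv6"
    inner_src = str(ipaddress.IPv6Address(inner[8:24]))
    embedded = embedded_ipv4(inner_src)
    if embedded and embedded[1] == "6to4" and embedded[0] != outer_src:
        return None, "6to4 source %s does not match outer source %s" % (inner_src, outer_src)
    return inner, None


def minimal_ipv6(src, dst):
    """Constructed 40-byte IPv6 packet with no payload (Next Header 59 = none)."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)


if __name__ == "__main__":
    print(six_to_four_prefix("192.0.2.1"), isatap_address("2001:db8:1::/64", "10.1.1.2"))
    inner = minimal_ipv6("2002:c000:201::1", "2001:db8::1")
    print(decapsulate_6in4(encapsulate_6in4("198.51.100.9", "198.51.100.7", inner))[1])
```

The outer/inner consistency check is the one defence a relay has against a tunnel being used to inject traffic with a forged IPv6 source; without it any IPv4 host can originate packets that appear to come from another site's 6to4 prefix.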

Value & challenges with tunnels

[Diagram] A v6 home network (home router, v6 hosts) reaches a v6 network across a v4 network; the v4/v6 boundary is an edge dual-stack box.

Challenge: NEED AUTOMATIC TUNNEL

Tools – Translation (NAT)

Tool of last resort

Allows for the case where some components are IPv6-only while others are IPv4-only

Pay attention to scaling properties

Same application issues as IPv4/IPv4 translation

[Diagram] IPv6-enabled node to IPv4-only node through a translator.

IPv4/IPv6 coexistence

Beware of resistance to change

We want to do it the IPv4 way, because "that" we know how to do…

Example: the DHCP server

IP addresses are fine, but domain names are easier to remember…

the DNS must be able to answer in IPv4 AND in IPv6

In tutorials and labs

Manipulate IP(v4)v6 addresses: hex, bin, …

Carve up an IPv6 prefix for a complete enterprise installation

Deployment: see "real life"…

Router configuration(s)

Using DNS with IPv6

IPv6-in-IPv4 tunnel

Appendices

https://kb.wisc.edu/ns/page.php?id=12364

http://www.zdnet.com/blog/networking/fixing-windows-7-ipv6-headaches/257

netsh interface ipv6 set global randomizeidentifiers=disabled

"It would also be nice if Windows 7 supported SEcure Neighbor Discovery (SEND) (RFC 3971 http://www.faqs.org/rfcs/rfc3971.html). SEND is the more secure version of NDP. You can use it to verify that the devices are valid on your LAN.

Unfortunately, while again Microsoft helped write this specification, its software engineers haven't implemented it."

