IPv6 Next Generation Internet Protocol - PowerPoint PPT Presentation

Slides: 37
Provided by: msan3

1
IPv6 Next Generation Internet Protocol
  • How do you get ready?
  • Don't get left out!
  • Presented by Pete Morasca, Thomas Jefferson High
    School Science Technology
  • NCSSSMST Conference, Philadelphia
  • JOSTI 2007

2
Is this for real?
  • IRS, DOE, other Federal departments are mandated
    to implement by 2008
  • Microsoft's next generation OS and Server OS
    (VISTA, LONGHORN) have IPv6 automatically
    built-in
  • Router manufacturers already have their OS
    routing the new protocol and transition mechanisms

3
OUTLINE
  • MAJOR FACTORS DRIVING THE NEED
  • MAJOR CONCERNS IT-TEAM/ISP/APPS
  • ADDRESSING/SUBNETTING
  • COEXISTENCE AND MIGRATION
  • ROUTING
  • NAME RESOLUTION / DNS SERVERS
  • SETTING UP A TEST LAB

4
MAJOR FACTORS DRIVING THE NEED
  • Large address space: The 128-bit address space for
    IPv6 provides ample room to provide every device
    on the present and foreseeable future Internet
    with a globally reachable address.
  • Efficient routing: With a streamlined IPv6 header
    and addressing that supports hierarchical routing
    infrastructures, IPv6 routers on the Internet can
    forward IPv6 traffic faster than their IPv4
    counterparts.
  • Ease of configuration: IPv6 hosts can configure
    themselves by either interacting with a Dynamic
    Host Configuration Protocol for IPv6 (DHCPv6)
    server or by interacting with their local router
    and using stateless address autoconfiguration.
    Stateful DHCPv6 is not really needed with a good
    router.
  • Enhanced security: The IPv6 standards solve some
    of the security issues of IPv4 by providing
    better protection against address and port
    scanning attacks and by requiring that all IPv6
    implementations support Internet Protocol
    security (IPsec) for cryptographic protection of
    IPv6 traffic.

5
MAJOR CONCERNS FOR IT-TEAM / ISP / APPS
  • IT? Easier than IPv4 static or dynamic address
    assignment: just run the install mechanism and the
    router will do all the work
  • The router engineer needs to learn the most
  • ISPs need to agree on routing native IPv6 or at
    least tunnelling it. Assigning IPv6 addresses is
    more important
  • APPS? Some will not care, others need to use the
    new protocol. Example: Internet Explorer will
    first use the IPv6 address, then revert to IPv4 (can
    slow things down in a migration period)

6
ADDRESSING/SUBNETTING
  • Where do global addresses come from? The
    hierarchy. TJ's next hop is Virginia Tech, so they
    gave us our global subnet
  • 128-bit addresses (3.4 x 10^38), 10^9 with IPv4
  • 7 x 10^23 global addresses for each square meter of
    the earth's surface
  • Link-local addresses (no router) similar to
    169.254.0.0/16 used by Microsoft
  • Site-local addresses similar to the private
    10.0.0.0/8 and 192.168.0.0/16

7
  • 2001:0468:0CC0:0000:02E0:81FF:FE25:FA65 is
    www.tjhsst.edu
  • Shorten: 2001:468:cc0::2E0:81FF:FE25:FA65
  • TJ's network is 2001:468:cc0::/48
  • 2001:468:cc0:0000:0000:0000:0000:0001
  • 16^4 subnets inside of TJ (65,000)
  • 16^16 nodes on each subnet (10^19)
  • Link-local addresses have a prefix FE80::/64; no
    traffic is forwarded through a router
  • Site-local addresses have a prefix FEC0::/48;
    traffic forwards through internal routers but not
    through the border router to the world

8
  • Instead of statefully using
    2001:468:cc0:0000:0000:0000:0000:0001, the router
    will assign an address that has the Ethernet (MAC)
    address embedded, according to a special algorithm
    that presumes the /64 mask for the network
  • Thus subnets are best, but not required to be,
    masked /64
  • The new address might look like
    2001:468:cc0:0001:290:96ff:fec3:380a
  • Note that an IPCONFIG /ALL at a DOS prompt shows
    a MAC address of 00-90-96-c3-38-0a, and note the
    underscored fffe above

9
  • An example of a CISCO config
  • Interface Vlan1
  • Description Schools student network
  • ipv6 address 2001:468:cc0:1::/64

10
  • Other than the Unicast addresses, IPv6 uses
    Multicast and Anycast addresses (no Broadcast!!!)
  • A multicast address is used for one-to-many
    interfaces; an anycast address is used for
    one-to-one-of-many, usually by routers to
    communicate via shortest distance

11
CREATING A LIST OF SUBNETTED NETWORK PREFIXES
  • s = the number of bits chosen for subnetting
  • m = the prefix length of the network being
    subnetted
  • F = the value of the subnet (in hex)
  • f = m - 48, the number of bits within the subnet
    already fixed
  • n = 2^s, the number of network prefixes obtained
  • i = 2^(16-(f+s)), the incremental value between
    each successive subnet (in hex)
  • l = 48 + f + s, the prefix length of the subnets

12
  • The first new subnetted prefix:
  • [48-bit prefix from ISP]:F::/l
  • The next new subnetted prefix:
  • [48-bit prefix from ISP]:F+i::/l
  • etc. to a total of n

13
Example 1 (8 school district)
  • s = 3
  • m = 48
  • F = 0000
  • f = 48 - 48 = 0
  • n = 2^3 = 8
  • i = 2^(16-(0+3)) = 2^13 = 8192 = 2000h
  • l = 48 + 0 + 3 = 51

14
Subnet 2001:468:CC0::/48
  • 2001:468:CC0:0000::/51
  • 2001:468:CC0:2000::/51
  • 2001:468:CC0:4000::/51
  • 2001:468:CC0:6000::/51
  • 2001:468:CC0:8000::/51
  • 2001:468:CC0:A000::/51
  • 2001:468:CC0:C000::/51
  • 2001:468:CC0:E000::/51

15
Example 2 (one router network)
  • s = 16
  • m = 48
  • F = 0000
  • f = 48 - 48 = 0
  • n = 2^16 = 65536
  • i = 2^(16-(0+16)) = 2^0 = 1 = 0001h
  • l = 48 + 0 + 16 = 64

16
Subnet 2001:468:CC0::/48
  • 2001:468:CC0:0000::/64
  • 2001:468:CC0:0001::/64
  • 2001:468:CC0:0002::/64
  • 2001:468:CC0:0003::/64
  • 2001:468:CC0:0004::/64
  • 2001:468:CC0:0005::/64
  • 2001:468:CC0:0006::/64
  • on up to 2001:468:CC0:FFFF::/64
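
The procedure from the "Creating a list of subnetted network prefixes" slides, written out as an added example (not part of the original presentation). It uses the slides' symbols s, m, F, f, n, i and l; reading F from the network address itself, so that an already-subnetted prefix such as a /51 can be divided further, is an assumption of this sketch.

```python
import ipaddress

def subnet_parameters(m: int, s: int):
    """Return (f, n, i, l) as defined on the slide for a /m network and s subnet bits."""
    f = m - 48                          # subnet-ID bits already fixed
    if f < 0 or s < 1 or f + s > 16:
        raise ValueError("need m >= 48 and m + s <= 64")
    n = 2 ** s                          # number of prefixes obtained
    i = 2 ** (16 - (f + s))             # increment between successive subnet IDs
    l = 48 + f + s                      # prefix length of the new subnets
    return f, n, i, l

def subnet_prefixes(network: str, s: int):
    """Yield the n subnetted prefixes F, F+i, F+2i, ... of the given network."""
    net = ipaddress.IPv6Network(network)
    f, n, i, l = subnet_parameters(net.prefixlen, s)
    base = int(net.network_address)
    site = base >> 80                   # the 48-bit prefix from the ISP
    F = (base >> 64) & 0xFFFF           # current value of the 16-bit subnet ID
    for k in range(n):
        subnet_id = F + k * i
        yield ipaddress.IPv6Network(((site << 80) | (subnet_id << 64), l))

if __name__ == "__main__":
    # Example 1 from the slides: eight /51 prefixes for an 8-school district.
    for prefix in subnet_prefixes("2001:468:cc0::/48", 3):
        print(prefix)
```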

17
COEXISTENCE AND MIGRATION
  • ISATAP addresses
  • Teredo addresses
  • Installing IPv6

18
  • ISATAP addresses
  • Intra-site Automatic Tunnel Addressing Protocol
    (ISATAP) addresses are composed of a valid 64-bit
    unicast address prefix and the interface
    identifier ::0:5EFE:w.x.y.z (where w.x.y.z is a
    unicast IPv4 address assigned to an interface).
    An example of a link-local ISATAP address is
    FE80::5EFE:131.107.4.92. ISATAP is defined in the
    Internet draft titled "Intra-Site Automatic
    Tunnel Addressing Protocol (ISATAP)"
    (draft-ietf-ngtrans-isatap-x.txt at
    http://www.ietf.org/internet-drafts/). For more
    information, see ISATAP in this white paper.

19
Host-to-Host Tunneling

20
  • Teredo addresses
  • Teredo addresses use the prefix 3FFE:831F::/32.
    An example of a Teredo address is
    3FFE:831F:CE49:7601:8000:EFFF:62C3:FFFE. Beyond
    the first 32 bits, Teredo addresses are used to
    encode the IPv4 address of a Teredo server,
    flags, and the encoded version of a Teredo
    client's external address and port. Teredo is
    defined in the Internet draft titled "Teredo
    Tunneling IPv6 over UDP through NATs"
    (draft-huitema-v6ops-teredo-0x.txt at
    http://www.ietf.org/internet-drafts/). For more
    information, see Teredo
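
Both ISATAP and Teredo addresses carry IPv4 endpoints inside the IPv6 address, which makes tunneled hosts easy to pick out of logs. The decoder below is an added example, not part of the original presentation; it uses the slides' two sample addresses and the Teredo prefix given here, and the bitwise inversion of the client address and port follows the Teredo specification (RFC 4380).

```python
import ipaddress

# Teredo prefix as given on the slide (an early, pre-standard assignment).
TEREDO_PREFIX = ipaddress.IPv6Network("3ffe:831f::/32")

def decode_isatap(addr: str):
    """Return the embedded IPv4 address if the interface ID is 0:5EFE:w.x.y.z."""
    iid = int(ipaddress.IPv6Address(addr)) & (2**64 - 1)
    if iid >> 32 != 0x00005EFE:
        return None
    return ipaddress.IPv4Address(iid & 0xFFFFFFFF)

def decode_teredo(addr: str):
    """Return server, flags and de-obfuscated client endpoint, or None."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = ip.packed
    return {
        "server": ipaddress.IPv4Address(raw[4:8]),
        "flags": int.from_bytes(raw[8:10], "big"),
        # Client port and address are stored with every bit inverted.
        "client_port": int.from_bytes(raw[10:12], "big") ^ 0xFFFF,
        "client": ipaddress.IPv4Address(
            int.from_bytes(raw[12:16], "big") ^ 0xFFFFFFFF),
    }

def classify(addr: str) -> str:
    """Label an address as 'teredo', 'isatap' or 'other' for log triage."""
    if decode_teredo(addr) is not None:
        return "teredo"
    if decode_isatap(addr) is not None:
        return "isatap"
    return "other"

if __name__ == "__main__":
    for sample in ("FE80::5EFE:131.107.4.92",
                   "3FFE:831F:CE49:7601:8000:EFFF:62C3:FFFE"):
        print(sample, classify(sample), decode_isatap(sample), decode_teredo(sample))
```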

21
  • Teredo is an address assignment and automatic
    tunneling technology that provides unicast IPv6
    connectivity across the IPv4 Internet. 6to4 is
    another automatic tunneling technology that
    provides unicast IPv6 connectivity across the
    IPv4 Internet. However, 6to4 works well when a
    6to4 router exists at the edge of the site. The
    6to4 router uses a public IPv4 address to
    construct the 6to4 prefix and acts as an IPv6
    advertising and forwarding router. The 6to4
    router encapsulates and decapsulates IPv6 traffic
    sent to and from site nodes.

22
  • Teredo is designed as a last resort transition
    technology for IPv6 connectivity. If native IPv6,
    6to4, or Intrasite Automatic Tunnel Addressing
    Protocol (ISATAP) connectivity is present, the
    host does not act as a Teredo client. As more
    IPv4 edge devices are upgraded to support 6to4
    and IPv6 connectivity becomes ubiquitous, Teredo
    will be used less and less until finally it is
    not used at all.

23
Installing IPv6
  1. Log on to the computer with a user account that
     has privileges to change network configuration.
  2. Click Start, click Control Panel, and then
     double-click Network Connections.
  3. Right-click any local area connection, and then
     click Properties.
  4. Click Install.
  5. In the Select Network Component Type dialog box,
     click Protocol, and then click Add.
  6. In the Select Network Protocol dialog box, click
     Microsoft TCP/IP version 6, and then click OK.
  7. Click Close to save changes to your network
     connection.

24
  • Alternately, from the Windows Server 2003
    desktop, click Start, point to Programs, point to
    Accessories, and then click Command Prompt. At
    the command prompt, type netsh interface ipv6
    install.
  • The IPv6 protocol for Windows Vista and Windows
    Server Longhorn is installed and enabled by
    default. It appears as the Internet Protocol
    Version 6 (TCP/IP) component on the Configure tab
    when you obtain the properties of a connection or
    adapter in the Connections and Adapters folder
    (available from the Network Center).

25
  • Alternately, from the Windows XP or Windows
    Server 2003 desktop, click Start, point to
    Programs, point to Accessories, and then click
    Command Prompt. At the command prompt, type netsh
    interface ipv6 uninstall.

26
ROUTING

27
  • ip name-server 198.38.31.9
  • ip name-server 20012F00880011
  • !
  • !
  • ipv6 unicast-routing
  • ipv6 dhcp pool IPv6-dhcp-pool
  • dns-server 2001:468:CC0::2E0:81FF:FE25:FAE8
  • dns-server 20012F00880011
  • domain-name tjhsst.edu
  • !

28
  • interface FastEthernet2/0
  • description Systems Lab IPv6 only
  • no ip address
  • duplex auto
  • speed auto
  • ipv6 address 2001:468:CC0::/64
  • ipv6 nd other-config-flag
  • ipv6 dhcp server IPv6-dhcp-pool
  • !
  • interface FastEthernet2/1
  • description LAN IPv6 only
  • no ip address
  • duplex auto
  • speed auto
  • ipv6 address 2001:468:CC0:1::/64
  • ipv6 nd other-config-flag
  • ipv6 dhcp server IPv6-dhcp-pool
  • !

29
  • interface ATM3/0.1 point-to-point
  • description Network VA and Internet-1
  • ip address 63.170.115.114 255.255.255.252
  • ip access-group 104 in
  • atm pvc 1 0 34 aal5snap
  • !
  • interface ATM3/0.2 point-to-point
  • description Abilene Internet-2
  • ip address 65.172.70.210 255.255.255.252
  • ip access-group 104 in
  • atm pvc 2 0 33 aal5snap
  • ipv6 address 2001468CFE30012/64
  • ipv6 traffic-filter IPv6-103 in
  • !

30
  • router bgp 3140
  • bgp log-neighbor-changes
  • neighbor 2001468CFE30011 remote-as 7066
  • neighbor 63.170.115.113 remote-as 7066
  • neighbor 63.170.115.113 description Network
    Virginia
  • neighbor 65.172.70.209 remote-as 7066
  • neighbor 65.172.70.209 des Network Virginia
    Internet 2
  • neighbor 157.130.61.57 remote-as 701
  • !

31
  • !
  • address-family ipv4
  • no neighbor 2001468CFE30011 activate
  • neighbor 63.170.115.113 activate
  • neighbor 63.170.115.113 route-map
    nwv-local-pref-110 in
  • neighbor 65.172.70.209 activate
  • neighbor 65.172.70.209 route-map
    i2-local-pref-120 in
  • neighbor 157.130.61.57 activate
  • neighbor 157.130.61.57 route-map redundant out
  • no auto-summary
  • no synchronization
  • network 198.38.16.0 mask 255.255.240.0
  • exit-address-family
  • !
  • address-family ipv6
  • neighbor 2001468CFE30011 activate
  • network 2001:468:CC0::/48
  • exit-address-family
  • !

32
  • ipv6 route 2001:468:CC0::/48 Null0
  • !
  • ipv6 access-list IPv6-103
  • deny ipv6 2001:468:CC0::/48 any
  • permit tcp any host
    2001:468:CC0::2E0:81FF:FE25:FA65 eq www
  • permit tcp any any eq 22
  • permit tcp any any established
  • deny tcp any any
  • permit udp any any eq ntp
  • permit udp any any eq domain
  • permit icmp any any echo-reply
  • permit icmp any any time-exceeded
  • permit icmp any any unreachable
  • permit icmp any any
  • deny ipv6 any any
  • !

33
NAME RESOLUTION / DNS SERVERS
  • DNS Infrastructure
  • A Domain Name System (DNS) infrastructure is
    needed for successful coexistence because of the
    prevalent use of names (rather than addresses) to
    refer to network resources. Upgrading the DNS
    infrastructure consists of populating the DNS
    servers with records to support IPv6
    name-to-address and address-to-name resolutions.
    After the addresses are obtained using a DNS name
    query, the sending node must select which
    addresses are used for communication.

34
  • Address Records
  • The DNS infrastructure must contain the following
    resource records (populated either manually or
    dynamically) for the successful resolution of
    domain names to addresses:
  • A records for IPv4-only and IPv6/IPv4 nodes
  • AAAA records for IPv6-only and IPv6/IPv4 nodes

35
  • Pointer Records
  • The DNS infrastructure must contain the following
    resource records (populated either manually or
    dynamically) for the successful resolution of
    address to domain names (reverse queries):
  • PTR records in the IN-ADDR.ARPA domain for
    IPv4-only and IPv6/IPv4 nodes
  • PTR records in the IP6.ARPA domain for IPv6-only
    and IPv6/IPv4 nodes (optional).

36
SETTING UP A TEST LAB
  • Keep in mind that IPv6, even though it looks more
    complex (and is), is actually easier to set up and
    maintain than IPv4 because of its design and
    architecture
  • The school's central router and router engineer,
    along with the ISP, play important roles in IPv6
    functioning with ease and little local IT-Team
    intervention
  • Go to the following URL link, and continue on to
    a great experience
  • http://www.tjhsst.edu/pamorasca/ipv6test.html