Title: Internet2 IPv6 Workshop, Honolulu, HI, January 2004
Internet2 IPv6 Workshop
Honolulu, HI, January 2004
Acknowledgements
- Grover Browning
- Bill Cerveny
- Dale Finkelson
- Michael Lambert
- Bill Manning
- Bill Owens
- Rick Summerhill
IPv6 Addressing
Overview of Addressing
- Historical aspects
- Types of IPv6 addresses
- Work-in-progress
- Abilene IPv6 addressing
Historical Aspects of IPv6
- IPv4 address space not big enough
  - Can't get needed addresses (particularly outside the Americas)
  - Routing table issues
  - Resort to private (RFC 1918) addresses
- Competing plans to address the problem
  - Some 64-bit, some 128-bit
- Current scheme unveiled at the Toronto IETF (July 1994)
Private Address Space
- Led to the development of NAT.
- Increased use of NAT has had an effect on the uses to which the Internet may be put
  - Due to the loss of end-to-end transparency
- Could increasingly lead to a bifurcation of the Internet
  - Application rich
  - Application poor
- Affects our ability to manage and diagnose the network.
Types of IPv6 Addresses
- Like IPv4
  - Unicast
    - An identifier for a single interface. A packet sent to a unicast address is delivered to the interface identified by that address.
  - Multicast
    - An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address.
  - Anycast
    - An identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the "nearest" one, according to the routing protocols' measure of distance).
- Specified in the IPv6 address architecture, RFC 3513.
What is not in IPv6
- Broadcast
  - There is no broadcast in IPv6.
  - This functionality is taken over by multicast (for example the all-nodes group FF02::1).
  - A consequence of this is that the all-0s and all-1s host portions are legal unicast addresses (in IPv4 the all-1s host address is the broadcast address). Note, though, that an all-0s interface identifier is reserved for the subnet-router anycast address, covered below.
- There are other differences also, as we will see later.
Interface Identifiers
- 64-bit field
- Must be unique on the link (subnet)
- Essentially the same as a modified EUI-64
- There is a formula for mapping an IEEE 802 MAC address into an interface identifier
- Used in many forms of unicast address
Interface Identifiers
- IPv6 addresses of all types are assigned to interfaces, not nodes.
- An IPv6 unicast address refers to a single interface. Since each interface belongs to a single node, any of that node's interfaces' unicast addresses may be used as an identifier for the node.
- The same interface identifier may be used on multiple interfaces of a single node.
Interface Identifiers
- Modified EUI-64 from MAC addresses
  - MAC address 00-02-2D-02-82-34
  - Interface identifier 0202:2dff:fe02:8234
- The rules are
  - Insert ff:fe after the first 3 octets
  - The last 3 octets remain the same
  - Invert the second-lowest-order bit of the first octet (the universal/local bit), which is why 00 became 02 above
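The mapping above, and the link-local and global addresses that stateless autoconfiguration builds from it, as an added worked example (this is not code from the workshop slides). It uses only the Python standard library. The prefix 2001:468:123::/64 is an assumed example prefix; the privacy-identifier routine follows the RFC 3041 idea of a random 64-bit identifier with the universal/local bit forced to "local", and `mac_from_address` shows the tracking problem that motivated it.

```python
import ipaddress
import secrets

U_L_BIT = 0x02  # universal/local bit: bit 1 of the first octet of the identifier


def mac_to_modified_eui64(mac: str) -> bytes:
    """Map a 48-bit IEEE 802 MAC address to a modified EUI-64 interface identifier.

    Rules from the slide: split after the third octet, insert ff:fe, keep the last
    three octets, then invert the universal/local bit of the first octet.
    """
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ U_L_BIT]) + eui64[1:]


def privacy_identifier() -> bytes:
    """RFC 3041-style identifier: 64 random bits with the u/l bit cleared (local)."""
    rnd = bytearray(secrets.token_bytes(8))
    rnd[0] &= 0xFF ^ U_L_BIT
    return bytes(rnd)


def address_from_prefix(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier (what SLAAC does)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("stateless autoconfiguration needs a /64 prefix and a 64-bit identifier")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 plus the modified EUI-64: the address a host has before it hears a router."""
    return address_from_prefix("fe80::/64", mac_to_modified_eui64(mac))


def mac_from_address(addr: str):
    """Recover the MAC from an EUI-64-derived address, or None if the identifier is not one.

    This is the privacy problem: anyone who sees the address learns the hardware
    address and can follow the host across networks and prefixes.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ U_L_BIT
    return "-".join(f"{b:02X}" for b in bytes([first]) + iid[1:3] + iid[5:])


if __name__ == "__main__":
    mac = "00-02-2D-02-82-34"                                   # the slide's example MAC
    iid = mac_to_modified_eui64(mac)
    print(iid.hex())                                             # 02022dfffe028234
    print(link_local_from_mac(mac))                              # fe80::202:2dff:fe02:8234
    print(address_from_prefix("2001:468:123::/64", iid))         # assumed example prefix
    print(mac_from_address("2001:468:123:0:202:2dff:fe02:8234"))  # 00-02-2D-02-82-34
    print(address_from_prefix("2001:468:123::/64", privacy_identifier()))  # not traceable
```

The privacy identifier changes nothing about how the host is reached; only the low 64 bits differ, so a site that filters or logs by /64 prefix is unaffected, while per-host correlation across sites becomes impossible.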
Interface Identifiers
- Privacy addresses
  - Some concern was expressed about having one's MAC address be public (an EUI-64 identifier lets a host be tracked across networks).
  - The response was to standardize privacy addresses (RFC 3041).
  - These are pseudo-random 64-bit interface identifiers with the universal/local bit set to "local".
  - May change over time, so different connections use different addresses.
  - Right now can be seen in Windows XP and 2000.
Interface Identifiers
- A host is required to recognize the following addresses as identifying itself
  - Its link-local address for each interface
  - Assigned unicast and anycast addresses
  - Loopback address
  - All-nodes multicast addresses
  - Solicited-node multicast address for each of its unicast and anycast addresses
  - Multicast addresses of all other groups to which the node belongs
Interface Identifiers
- A router is required to recognize
  - All addresses it must recognize as a host, plus
  - The subnet-router anycast addresses for the interfaces it is configured to act as a router on
  - All other anycast addresses with which the router has been configured
  - All-routers multicast addresses
Representation of Addresses
- All addresses are 128 bits
- Written as a sequence of eight groups of four hex digits (16 bits each) separated by colons
- Leading zeros in a group may be omitted
- One contiguous run of all-zero groups may be replaced by "::"
- Only one such run can be replaced, otherwise the address would be ambiguous
Examples of Writing Addresses
- Consider
  - 3ffe:3700:0200:00ff:0000:0000:0000:0001
- This can be written as
  - 3ffe:3700:200:ff:0:0:0:1 or
  - 3ffe:3700:200:ff::1
- All three representation rules from the previous slide are used here.
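The representation rules as code, added here as a worked example rather than taken from the slides: `expand` parses the textual form back into eight groups (rejecting a second "::", which would make the address ambiguous), `compress` produces the short form, and `canonical` checks the result against Python's `ipaddress` module. The only assumption beyond the slide is the tie-break and single-zero-group rule from RFC 5952, noted in the comment.

```python
import ipaddress


def expand(text: str) -> list:
    """Parse the textual form into eight 16-bit groups, applying the rules in reverse.

    Rejects more than one '::' (ambiguous), a '::' that stands for nothing, and any
    group outside 0..ffff. Dotted-quad suffixes (::ffff:a.b.c.d) are not handled.
    """
    if text.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in text:
        left, right = text.split("::")
        lgroups = [int(g, 16) for g in left.split(":")] if left else []
        rgroups = [int(g, 16) for g in right.split(":")] if right else []
        missing = 8 - len(lgroups) - len(rgroups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = lgroups + [0] * missing + rgroups
    else:
        groups = [int(g, 16) for g in text.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError("an IPv6 address has eight 16-bit groups")
    return groups


def from_hex32(digits: str) -> list:
    """Eight groups from the 32 raw hex digits of a 128-bit address (the slide's first form)."""
    if len(digits) != 32:
        raise ValueError("expected 32 hex digits")
    return [int(digits[i:i + 4], 16) for i in range(0, 32, 4)]


def compress(groups: list) -> str:
    """Shortest textual form: drop leading zeros and replace the longest run of zero
    groups with '::'. Tie-break (first run wins) and not using '::' for a single
    zero group follow RFC 5952, the later canonical-form rules; the slide's wording
    would also allow '::' for one group."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexg = [format(g, "x") for g in groups]
    if best_len < 2:
        return ":".join(hexg)
    left = ":".join(hexg[:best_start])
    right = ":".join(hexg[best_start + best_len:])
    return f"{left}::{right}"


def canonical(text: str) -> str:
    """Round-trip through the rules and cross-check against the standard library."""
    result = compress(expand(text))
    if result != str(ipaddress.IPv6Address(text)):
        raise AssertionError("disagrees with the ipaddress module")
    return result


if __name__ == "__main__":
    print(compress(from_hex32("3ffe3700020000ff0000000000000001")))   # 3ffe:3700:200:ff::1
    print(canonical("3ffe:3700:200:ff:0:0:0:1"))                      # 3ffe:3700:200:ff::1
```

The practical reason to normalise before comparing is that "2001:DB8::1", "2001:db8:0:0:0:0:0:1" and "2001:0db8::0001" are the same address; an access list or log search that compares strings will miss matches unless both sides are canonical.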
Types of Unicast Addresses
- Unspecified address
  - All zeros (::)
  - Used as the source address during initialization (before a node has an address)
  - Also used in representing the default route (::/0)
- Loopback address
  - Low-order one bit (::1)
  - Same as 127.0.0.1 in IPv4
Types of Unicast Addresses
- Link-local address
  - Unique on a link (subnet)
  - Autoconfigured
  - High-order bits FE80::/10
  - Low-order bits: the interface identifier
  - Routers must not forward any packets with link-local source or destination addresses.
Types of Unicast Addresses
- Site-local address
  - Unique within a site
  - High-order bits FEC0::/10
  - Low-order bits: subnet and interface identifiers
  - Used when a network is isolated and no global address is available
  - Subject of much debate in the IETF; they have been deprecated (subject of an IESG/IAB appeal)
Types of Unicast Addresses
- IPv4-mapped addresses
  - Of the form ::FFFF:a.b.c.d
  - Used by dual-stack machines to communicate over IPv4 using IPv6 addressing in system calls
- IPv4-compatible addresses
  - Of the form ::a.b.c.d
  - Used by IPv6 hosts to communicate over automatic tunnels
Address Deployment
- There have been many discussions of how to make use of the immense IPv6 address space.
- Suggestions included
  - Provider-Independent (PI)
  - Provider-Assigned (PA)
  - Geographical
- At least for now, PA addressing was selected.
- It is important to understand the difference between allocation and assignment.
Provider-Assigned Unicast Addresses
- Aggregatable global unicast address
Types of Unicast Addresses
- Aggregatable global unicast address
  - Used in production IPv6 networks
  - Goal: minimize global routing table size
  - From the range 2000::/3
  - Three fields in the /64 prefix (old usage, RFC 2374)
    - 3-bit format prefix (001) plus 13-bit Top Level Aggregator (TLA)
    - 8-bit reserved
    - 24-bit Next Level Aggregator (NLA)
    - 16-bit Site Level Aggregator (SLA)
Unicast Address Terminology
- TLA, NLA, SLA are no longer used in the RFCs
- Instead we have
  - Global routing prefix
  - Subnet identifier
- Doesn't affect the basic ideas
Top-Level Aggregators
- Allocated by RIRs to transit providers
  - They in turn allocate to customers.
- In practice, RIRs have adopted a slow-start strategy
  - Start by allocating /32s
  - Expand to /29s when there is sufficient use of the /32
  - Eventually move to /16s
Abilene Allocation
- Allocated 2001:468::/32
- The bit-level representation of the first 32 bits is
  - 0010 0000 0000 0001 0000 0100 0110 1000
- This leaves 32 bits of network space (bits 32 to 63) available.
- We will see later how this is to be used.
NLAs and SLAs
- NLAs used by providers for subnetting
  - Allocate blocks to customers
  - Can be multiple levels of hierarchy
- SLAs used by customers for subnetting
  - Analogous to campus subnets
  - Also can be hierarchical
- Minimum size is /48
Current Practice and Aggregation
- The overarching goal of the PA addressing scheme is aggregation.
- As you move up the provider chain all addresses are aggregated into larger blocks.
- If implemented completely the result would be a default-free zone with a very small number of prefixes: only those assigned by the RIRs.
Other Unicast Addresses
- Original provider-based
- Original geographically-based
- GSE (8+8)
- Tony Hain's Internet Draft for provider-independent (geographically-based) addressing
Anycast Address
- More than one interface can have the same address. The low-order bits (typically 64 or more) are zero.
- A packet sent to that address will be delivered to the topologically-closest instance of the set of hosts having that address.
Multicast Address
- From FF00::/8
- Format: | 1111 1111 | flgs (4) | scop (4) | group ID (112) |
- Flags
  - 000T
  - T = 0 means this is a well-known (permanently assigned) address
  - T = 1 means this is a transient address
- The low-order 112 bits are a group identifier, not an interface identifier
- Scope and flags are independent of each other
  - Well-known and link-local is a different address from well-known and global (the same group ID under FF02:: and FF0E::)
Multicast address scope
- 0 reserved
- 1 interface-local scope
- 2 link-local scope
- 3 re served
- 4 admin-local scope
- 5 site-local scope
- 6 (unassigned)
- 7 (unassigned)
- 8 organization-local scope
- 9 (unassigned)
- A (unassigned)
- B (unassigned)
- C (unassigned)
- D (unassigned)
- E global scope
- F reserved
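Decoding the flag and scope fields of a multicast address, and building the solicited-node group a host must join for each unicast address (from the host requirements slide above), as an added example; it is not code from the slides. Only the standard library is used; the addresses in the demo are constructed.

```python
import ipaddress

SCOPE_NAMES = {
    0x0: "reserved", 0x1: "interface-local", 0x2: "link-local", 0x3: "reserved",
    0x4: "admin-local", 0x5: "site-local", 0x8: "organization-local",
    0xE: "global", 0xF: "reserved",
}


def parse_multicast(text: str) -> dict:
    """Split an FF00::/8 address into flags, scope and the 112-bit group ID."""
    addr = ipaddress.IPv6Address(text)
    if not addr.is_multicast:
        raise ValueError(f"{addr} is not in FF00::/8")
    packed = addr.packed
    flags, scope = packed[1] >> 4, packed[1] & 0x0F
    return {
        "flags": flags,
        "transient": bool(flags & 0x1),      # the T bit: 0 = well-known, 1 = transient
        "scope": scope,
        "scope_name": SCOPE_NAMES.get(scope, "unassigned"),
        "group_id": int.from_bytes(packed[2:], "big"),
    }


def with_scope(text: str, scope: int) -> ipaddress.IPv6Address:
    """Same group ID and flags, different scope: FF02::101 and FF0E::101 are
    different addresses (well-known and local vs. well-known and global)."""
    packed = bytearray(ipaddress.IPv6Address(text).packed)
    packed[1] = (packed[1] & 0xF0) | (scope & 0x0F)
    return ipaddress.IPv6Address(bytes(packed))


def solicited_node(unicast: str) -> ipaddress.IPv6Address:
    """The solicited-node group for a unicast or anycast address:
    FF02::1:FF00:0/104 plus the low 24 bits of the address. Neighbor
    solicitations (address resolution, duplicate address detection) go to this
    group instead of to a broadcast."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def crosses_link_boundary(dst: str) -> bool:
    """True if a router may forward a packet with this destination off the link it
    arrived on. Interface- and link-local groups never leave the link, which is the
    only thing that keeps off-link hosts from talking to neighbor discovery groups."""
    return parse_multicast(dst)["scope"] > 0x2


if __name__ == "__main__":
    print(parse_multicast("ff02::1"))        # all-nodes: well-known, link-local, group 1
    print(parse_multicast("ff15::1234"))     # transient, site-local (constructed)
    print(with_scope("ff02::101", 0xE))      # ff0e::101
    print(solicited_node("2001:468:123:0:202:2dff:fe02:8234"))  # ff02::1:ff02:8234
```

A filter that allows "IPv6 multicast" wholesale lets through groups of every scope; a border filter should pass only scopes 0x8 and 0xE at a site boundary, and a link-scope group arriving from a router is by definition spoofed or misrouted.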
Abilene IPv6 Addressing
- Two prefixes allocated
  - 3ffe:3700::/24 on the 6bone (deprecated)
  - 2001:468::/32
- 6bone addressing is not in use any more
  - Being phased out globally
- The current addressing allocation scheme was built on the assumption of a /35 being available.
- This is being reviewed (We're lying. We haven't thought about it at all!)
Allocation Procedures
- GigaPoPs are allocated /40s
  - Expected to delegate to participants
  - The minimum allocation is a /48
  - No BCP (yet) for gigaPoP allocation procedures
- Direct connectors are allocated /48s
- Will (for now) provide addresses to participants behind gigaPoPs which haven't received IPv6 addresses
- See http://ipv6.internet2.edu/faq.shtml for details
Registration Procedures
- Providers that are allocated address space must register their sub-allocations
  - ARIN allows rwhois or SWIP
  - For now, Abilene will use SWIP
  - Will eventually adopt rwhois
- GigaPoPs must also maintain registries
  - Will probably have a central Abilene registry
Obtaining Addresses
- If you are a gigaPoP or a direct connector, send a note to the Abilene NOC (noc@abilene.iu.edu) with a request.
  - This will set the wheels in motion
- If you connect to a gigaPoP you should obtain your address block from that gigaPoP; talk to them first
- Remember the minimum you should receive is a /48.
- More is OK if you can negotiate for a larger block.
Allocation Schemes
- CIDR representation and IPv6 allocations
IPv4 Subnet Masking
- Originally the network size was based on the first few bits (classful addressing)
- Getting rid of address classes was painful!
  - Routing protocols, stacks, applications
- Modern IPv4 allows subnet boundaries anywhere within the address (classless addressing)
- But decimal addresses still make figuring out subnets unnecessarily difficult...
CIDR
- In IPv4 you would see representations like
  - 129.93.0.0/16
  - 129.93.0.0 255.255.240.0
  - 129.93.0.0/20 (the same network as the previous line)
- At the bit level 129.93.0.0/20 is
  - 10000001.01011101.0000|0000.00000000, with the first 20 bits fixed
  - The mask 255.255.240.0 is 11111111.11111111.11110000.00000000
Reasons for CIDR
- To try to preserve the address space.
- To control the growth of the routing table.
IPv6 Notation
- In IPv6 every prefix is written
  - IPv6 address / prefix length
- For example
  - 2001:0468::/35
  - 2001:0468::/32
- At the bit level
  - 0010 0000 0000 0001 0000 0100 0110 1000 000 /35
  - 0010 0000 0000 0001 0000 0100 0110 1000 /32
Allocation Strategies Example
- We wish to allocate /48s out of the /35.
- Which are available?
  - 2001:0468:0000::/48 through
  - 2001:0468:1fff::/48
- Recall that the bit structure of the first 48 bits is
  - 0010 0000 0000 0001 0000 0100 0110 1000 000 0000000000000
  - 0010 0000 0000 0001 0000 0100 0110 1000 000 1111111111111
- The 13 bits between the /35 and the /48 vary, so there are 2^13 = 8192 /48s in a /35
Why Allocation?
- To try to control the growth of the routing table in the default-free zone.
- It is a necessary consequence of using a provider-based aggregatable address scheme.
- It makes the address space more manageable.
How would allocations work?
- Suppose you wish to give out /40s in the /35.
  - Third 16-bit group 000|00000|xxxxxxxx, i.e. 2001:468::/40
  - Third 16-bit group 000|11111|xxxxxxxx, i.e. 2001:468:1f00::/40
- Thus there are 32 /40s in the /35 (5 bits), each of which contains 256 /48s (8 bits).
How would allocations work?
- The same idea holds for /41s or /42s.
  - /41: third group 000|000000|xxxxxxx through 000|111111|xxxxxxx, i.e. 2001:468::/41 through 2001:468:1f80::/41 (64 of them)
  - /42: third group 000|0000000|xxxxxx through 000|1111111|xxxxxx, i.e. 2001:468::/42 through 2001:468:1fc0::/42 (128 of them)
Mixed Allocations
- The interesting case is how to handle mixed allocations.
- Some sites need a /40, others a /42. How can you handle this case?
- See
  - RFC 3531 (Marc Blanchet)
  - A flexible method for managing the assignment of bits of an IPv6 address block
  - A perl script is included.
Example
- A provider has been assigned the 3ffe:0b00::/24 prefix and wants to assign prefixes to its connected networks. Assume 8 bits for NLAs. NLA2 will use 10 bits for sub-NLAs.
- TLA assigning to NLAs using leftmost bits
  - 10000000 assigned to NLA1
  - 01000000 assigned to NLA2
- NLA2 assigning to its sub-NLAs using centermost bits
  - 0000010000 assigned to subNLA1
  - 0000100000 assigned to subNLA2
  - 0000110000 assigned to subNLA3
- Sub-NLAs use centermost bits and site networks are assigned using rightmost bits.
- Putting all bits together for subNLA3
  - TLA (24 bits) | NLA2 (8 bits) | subNLA3 (10 bits)
  - 0011 1111 1111 1110 0000 1011 | 0100 0000 | 0000 1100 00
  - i.e. 3ffe:0b40:0c00::/42
Mixed Allocations
- Here is the assignment exercise
  - Take 3ffe:3700::/32. Out of that allocate
    - two /34s
    - three /37s
    - five /38s
Router Configuration
Cisco Router Configuration
- Rule 1: What would v4 do?
- Enable routing
  - ipv6 unicast-routing
- Configure interfaces
  - ipv6 address
- Configure routing protocols
Cisco Configs
- LAN interface
  interface Ethernet0/0
   ip address 192.168.1.254 255.255.255.0
   ipv6 address 2001:468:123:1::2/64
Cisco Configs
- Tunnel interface (IPv6 over an IPv4 GRE tunnel)
  interface Tunnel1
   description IPv6 to Abilene
   no ip address
   no ip redirects
   no ip proxy-arp
   ipv6 address 3FFE:3700:FF:105::2/64
   tunnel source ATM2/0.1
   tunnel destination 192.168.193.14
   tunnel mode gre
Cisco Configs
- ATM PVC (native IPv6 on a point-to-point subinterface)
  interface ATM2/0.3 point-to-point
   description My GigaPoP
   no ip redirects
   no ip proxy-arp
   pvc MyGigaPoP 3/66
    ubr 155000
    encapsulation aal5snap
   !
   ipv6 address 2001:468:FF:555::1/64
Cisco Configs
- IGP: most sites will use RIPng for now, but IS-IS is also available. OSPFv3 is available in IOS 12.3.
  ipv6 router rip ipsix
   redistribute connected
  !
  interface Ethernet1/0
   ipv6 rip ipsix enable
   ipv6 rip ipsix default-information originate
- Static
  ipv6 route <prefix> <next-hop>
Cisco Configs
- BGP, added to your existing IPv4 BGP config
  router bgp 64555
   bgp router-id 192.168.2.1
   neighbor Abilene-v6 peer-group
   neighbor Abilene-v6 remote-as 11537
Cisco Configs
- BGP continued...
   address-family ipv6 unicast
    neighbor Abilene-v6 activate
    neighbor Abilene-v6 soft-reconfiguration inbound
    neighbor Abilene-v6 prefix-list to-Abilene-v6 out
    neighbor 2001:468:555::2006 peer-group Abilene-v6
    network 2001:468:4ff::/48
    aggregate-address 2001:468:4ff::/48 summary-only
   exit-address-family
Cisco Configs
- BGP continued...
  ipv6 route 2001:468:4ff::/48 Null0
  !
  ipv6 prefix-list to-Abilene-v6 seq 10 permit 2001:468:4ff::/48
- The static route to Null0 keeps the /48 in the routing table so that the network statement can originate it even when no more-specific route is up; the prefix-list limits what is announced upstream to exactly that aggregate, so more-specific internal routes (or routes learned from other peers) cannot leak.
Cisco Configs
- Securing VTY (remote login) access
  ipv6 access-list V6VTY
   permit ipv6 2001:468:4ff::/48 any
   ...
  !
  line vty 0 4
   ipv6 access-class V6VTY in
- The access list ends with an implicit deny, so only the site's own /48 can open an IPv6 login session; keep the equivalent IPv4 access-class in place as well, since the router is now reachable over both protocols.
Juniper Router Configuration
- Rule 1: What would v4 do?
- Enable routing: already there...
- Configure interfaces
  - family inet6 address
- Configure routing protocols and RIBs
Juniper Configs
- Interface (physical)
  interfaces {
      fe-0/1/0 {
          unit 0 {
              family inet6 {
                  address 2001:468:123::1/64;
              }
          }
      }
  }
Juniper Configs
- Interface (tunnel)
  interfaces {
      gr-0/3/0 {
          unit 0 {
              tunnel {
                  source 192.168.2.2;
                  destination 192.168.45.2;
              }
              family inet6 {
                  mtu 1514;   /* note: Cisco vs. Juniper tunnel MTU differs */
                  address 2001:468:123::1/64;
              }
          }
      }
  }
Juniper Configs
- Router Advertisement: not enabled by default
  protocols {
      router-advertisement {
          interface fe-0/3/0.0 {
              prefix 2001:468:123::/64;
          }
      }
  }
Juniper Configs
- Routing setup
  routing-options {
      interface-routes {
          rib-group {
              inet6 ifrg6;
          }
      }
      rib inet6.0 {
          aggregate {
              route 2001:468:4ff::/48;
          }
      }
Juniper Configs
- Routing setup continued...
      rib-groups {
          ifrg6 {
              import-rib [ inet6.0 inet6.2 ];
          }
      }
      router-id 192.168.2.1;
  }
Juniper Configs
- IGP: RIPng, IS-IS, and OSPFv3 are available
  protocols {
      ripng {
          group local {
              export redist-direct;
              neighbor fe-0/1/0.0;
          }
      }
  }
  policy-options {
      policy-statement redist-direct {
          from protocol direct;
          then accept;
      }
  }
Juniper Configs
- BGP
  protocols {
      bgp {
          group Abilene-v6 {
              type external;
              family inet6 {
                  unicast;
              }
              export to-Abilene-v6;
              peer-as 11537;
              neighbor 2001:468:555::2006;
          }
      }
  }
Juniper Configs
- BGP continued...
  policy-options {
      policy-statement to-Abilene-v6 {
          term accept-aggregate {
              from {
                  route-filter 2001:468:4ff::/48 exact;
              }
              then accept;
          }
          term reject {
              then reject;
          }
      }
  }
Cisco Show Commands
- show bgp
- show bgp summary
- show bgp ipv6 unicast neighbor <addr> routes
- show bgp ipv6 unicast neighbor <addr> advertised-routes
- show ipv6 route
- show ipv6 interface
- show ipv6 neighbors
Juniper Show Commands
- show bgp summary
- show route advertising-protocol bgp <addr>
- show route receive-protocol bgp <addr>
- show route table inet6.0 (terse)
- show interfaces
- show ipv6 neighbors
Lab: Basic IPv6 Functionality
Enable IPv6 functionality on each router using addresses allocated by Internet2 or your lab router's "upstream" IPv6 provider. Send and receive BGP IPv6 routes.
- Ensure your router interfaces are configured with IPv6 addresses
- Ping a neighboring router using ICMPv6 echo.
- Verify that you are sending IPv6 BGP routes to neighboring routers, where appropriate.
- Verify you are receiving IPv6 BGP routes.
- Verify connectivity around the workshop lab.
- If your workshop lab is connected to the global IPv6 Internet, verify you can ping and traceroute to a host on the global IPv6 Internet.
- Verify the lab client computer (laptop) is receiving router advertisements.
Multihoming
Multihoming Issues
- Many sites are multihomed in the current Internet
  - Reliability
  - Stability: which provider will stay in business?
  - Competition
  - AUP: commodity vs. R&E
- In IPv4 we can use provider-independent addresses, or poke holes in the aggregation
- But all IPv6 addresses are provider-assigned!
Multihoming
- ISP1 (UUNET), 2001:897::/35, and ISP2 (Abilene), 2001:468::/35, both serve the University of Smallville
- The university holds one /48 from each provider: 2001:468:1210::/48 and 2001:897:456::/48
Problems With Multiple Addresses
- If the host or application chooses from several global addresses, that choice overrides policy, may conflict with routing intentions and can break connectivity
- Address selection rules are complex and controversial; see RFC 3484
Problems With PI Addressing
- Current protocols can only control routing table growth if routes are aggregated.
- Only about 12,000 sites are multihomed today, but that number is constantly increasing.
- The address space is so large that routing table growth could easily exceed the capability of the hardware and protocols.
What To Do?
- IPv6 can't be deployed on a large scale without multihoming support; nobody is disputing this.
- It seems likely that there will be short-term fixes to allow v6 deployment, and long-term solutions.
- IETF multi6 working group
  - One RFC (3582) specifying goals
  - Lots of hot air on the list
- For now, we have some options...
Get PI Space
- The RIRs have revised their rules for allocating PI space; the key is that you must plan to assign 200 /48s within 2 years.
- This isn't as hard as it sounds, but it is probably something only gigaPoPs or large university systems can do (exercise in creativity).
- This breaks when commodity providers start offering IPv6 (unless the gigaPoP aggregates all the commodity providers as well as R&E).
Poke Holes
- The standard practice in IPv4 is to get addresses from one ISP, and advertise that space to all of our providers, effectively making it a PI address.
- In the v6 world, most providers probably won't advertise a foreign prefix to their peers, but will carry it within their own network.
- Requires that one ISP be designated as the transit provider, and the others are effectively peers.
Poke Holes
- ISP1 (Transit), 2001:897::/35, and ISP2...N (Peers), 2001:468::/35, connect the University of Smallville
- The university announces the single /48 from ISP1, 2001:897:456::/48, to ISP1 and to every peer ISP
IPv6 Under the Hood
Basic Headers
- Fields
  - Version (4 bits): the only field to keep the same position and name
  - Traffic Class (8 bits): was Type of Service (TOS), renamed
  - Flow Label (20 bits): new field
  - Payload Length (16 bits): length of the data following the 40-byte header, slightly different from IPv4's total length
  - Next Header (8 bits): type of the next header, a new idea (replaces the protocol field)
  - Hop Limit (8 bits): was time-to-live, renamed
  - Source address (128 bits)
  - Destination address (128 bits)
Basic Headers
- Simplifications
  - Fixed length of all fields, not like the old options field; IHL (header length) is irrelevant
  - Header checksum removed; rely on checksums at other layers (which is why the ICMPv6, TCP and UDP checksums cover a pseudo-header containing the addresses)
  - No hop-by-hop fragmentation; the fragment offset is gone from the base header, path MTU discovery is used instead
  - Extension headers added; the next-header type is sort of a protocol type, or a replacement for options
  - Basic principle: routers along the way should do minimal processing
Extension Headers
- Extension header types
  - Routing header
  - Fragment header
  - Hop-by-Hop Options header
  - Destination Options header
  - Authentication header (AH)
  - Encapsulating Security Payload header (ESP)
- Fragmentation Header
- I thought we dont fragment?
- Can do at the sending host
- Insert fragment headers
Extension Headers
- Options headers in general
  - The usual next header and length fields
  - Then any options that might be defined
Extension Headers
- Destination Options header: the option type octet encodes
  - Act (top two bits): the action to take if the option is unknown
    - 00 skip over
    - 01 discard, no ICMP report
    - 10 discard, send an ICMP report even if the destination was multicast
    - 11 discard, send an ICMP report only if the destination was unicast
  - C (third bit): the option data can change en route
  - The remaining five bits are the option number itself
Extension Headers
- Hop-by-Hop Options header
  - The usual format of an options header
  - An example is the Jumbo Payload option (RFC 2675)
    - The payload length is carried in the option; the base header's payload length is set to zero
    - The jumbo payload must be larger than 65,535 bytes
    - Can't be used together with a fragment header
Extension Headers
- Extension header order
  - Hop-by-Hop Options header
  - Destination Options header (1)
  - Routing header
  - Fragment header
  - Authentication header
  - Destination Options header (2)
  - Upper-layer header, e.g. TCP, UDP
- How do we know whether we have an upper-layer header or an extension header?
  - Both are combined into one numbering of header types
Header Types
- Look in the packet for the next header value
  - It can be an extension header
  - It can be something like ICMPv6, TCP, UDP, or another normal protocol type (the same numbering as the IPv4 protocol field)
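Following the next-header chain is exactly what a firewall or IDS has to do before it can see the TCP or UDP port, so a walker that handles every length encoding (8-octet units for options headers, 4-octet units for AH, fixed size for the fragment header) and refuses truncated or absurd chains is worth having. Added example, not code from the slides; the sample packet is constructed with documentation addresses, and the chain-length limit is an assumption of the example.

```python
import struct

EXTENSION = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
             50: "ESP", 51: "AH", 60: "Destination Options"}
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
NO_NEXT_HEADER = 59
MAX_CHAIN = 8      # sanity limit assumed for this example; real stacks pick their own


def walk_headers(pkt: bytes) -> list:
    """Follow the Next Header chain from the fixed header to the upper-layer header.

    Returns [(name, offset), ...]. Stops at ESP, whose trailer (and so the real next
    header) is encrypted. Raises ValueError for a truncated or absurd chain, which a
    filter must treat as 'cannot classify', never as 'allow'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    end = 40 + payload_len
    if end > len(pkt):
        raise ValueError("payload length exceeds captured bytes")
    next_hdr, offset, chain = pkt[6], 40, []
    while True:
        if next_hdr == NO_NEXT_HEADER:
            return chain + [("No Next Header", offset)]
        if next_hdr not in EXTENSION:
            return chain + [(UPPER.get(next_hdr, f"protocol {next_hdr}"), offset)]
        name = EXTENSION[next_hdr]
        if name == "ESP":
            return chain + [(name, offset)]
        if name == "Hop-by-Hop Options" and offset != 40:
            raise ValueError("Hop-by-Hop Options must directly follow the fixed header")
        if offset + 8 > end:
            raise ValueError(f"truncated {name} header")
        if name == "Fragment":
            length = 8                                  # fixed size
        elif name == "AH":
            length = (pkt[offset + 1] + 2) * 4          # length in 32-bit words, minus 2
        else:
            length = (pkt[offset + 1] + 1) * 8          # length in 8-octet units, minus 1
        if offset + length > end:
            raise ValueError(f"{name} header runs past the payload")
        chain.append((name, offset))
        next_hdr, offset = pkt[offset], offset + length
        if len(chain) > MAX_CHAIN:
            raise ValueError("implausibly long extension header chain")


def option_action(opt_type: int) -> dict:
    """Decode the two 'act' bits and the 'C' (may change en route) bit of an option
    type from a Hop-by-Hop or Destination Options header."""
    actions = {0: "skip over", 1: "discard, no ICMP",
               2: "discard, send ICMP even if multicast",
               3: "discard, send ICMP only if unicast"}
    return {"action": actions[opt_type >> 6], "mutable": bool(opt_type & 0x20),
            "number": opt_type & 0x1F}


def _ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Fixed header with constructed 2001:db8:: documentation addresses."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) + src + dst + payload


# Constructed sample: fixed header -> Hop-by-Hop (one PadN option) -> Fragment -> TCP stub.
HBH = bytes([44, 0, 1, 4, 0, 0, 0, 0])                    # next=Fragment, len 0, PadN(4)
FRAG = struct.pack("!BBHI", 6, 0, 0x0001, 0x12345678)      # next=TCP, offset 0, M flag set
SAMPLE = _ipv6(0, HBH + FRAG + b"\x00" * 20)

if __name__ == "__main__":
    print(walk_headers(SAMPLE))     # [('Hop-by-Hop Options', 40), ('Fragment', 48), ('TCP', 56)]
    print(option_action(0xC2))      # Jumbo Payload: discard + ICMP if unicast, not mutable, number 2
```

Note what the sample shows: the TCP header sits 16 bytes further in than a filter that only understands the fixed header expects, and because this is the first fragment with more to follow, a second fragment could carry the rest of the TCP header; a stateless filter that cannot reassemble has to decide what to do with that.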
ICMP
- Completely changed; note the new next-header type (58)
- Now includes the function of IGMP
- Types are organized as follows
  - 1 to 4: error messages
  - 128 and 129: ping (echo request, echo reply)
  - 130 to 132: group membership
  - 133 to 137: neighbor discovery
- General format: type, code, checksum, then a message body that depends on the type
- Error Messages (Types 1 4) Some Examples
- Destination Unreachable
- Code 0 No route to destination
- Code 1 Cant get to destination for
administrative reasons - Code 2 Not Assigned
- Code 3 - Address unreachable
- Code 3 Port Unreachable
- Packet Too Big
- Code 0, Parameter is set to MTU of next hop
- Allows for MTU determination
- General Format
ICMP
- Ping
  - Similar to IPv4
  - Echo Request (type 128), code set to 0
  - Echo Reply (type 129) sent back
- General format: type, code, checksum, identifier, sequence number, data
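An added example (not code from the slides) that builds and verifies an ICMPv6 echo request. The thing worth seeing is the checksum: with the IPv4 header checksum gone, ICMPv6 sums a pseudo-header of source address, destination address, upper-layer length and next-header value 58 along with the message, so a message whose addresses are altered in flight no longer verifies. Addresses and payload in the demo are constructed.

```python
import ipaddress
import struct

ICMPV6 = 58
ECHO_REQUEST, ECHO_REPLY = 128, 129


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: str, dst: str, message: bytes) -> int:
    """Checksum over the IPv6 pseudo-header plus the ICMPv6 message (checksum field zero)."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message)) + b"\x00\x00\x00" + bytes([ICMPV6]))
    return (~ones_complement_sum(pseudo + message)) & 0xFFFF


def build_echo_request(src: str, dst: str, ident: int, seq: int, payload: bytes) -> bytes:
    """Type 128, code 0, checksum, identifier, sequence number, data."""
    header = struct.pack("!BBHHH", ECHO_REQUEST, 0, 0, ident, seq)
    message = header + payload
    csum = icmpv6_checksum(src, dst, message)
    return message[:2] + struct.pack("!H", csum) + message[4:]


def verify(src: str, dst: str, message: bytes) -> bool:
    """Recompute with the checksum field zeroed and compare to the field on the wire."""
    if len(message) < 4:
        return False
    zeroed = message[:2] + b"\x00\x00" + message[4:]
    return icmpv6_checksum(src, dst, zeroed) == struct.unpack("!H", message[2:4])[0]


def parse_icmpv6(message: bytes) -> dict:
    """Type and code, plus the class: types below 128 are errors, 128 and up informational."""
    kinds = {1: "Destination Unreachable", 2: "Packet Too Big", 3: "Time Exceeded",
             4: "Parameter Problem", 128: "Echo Request", 129: "Echo Reply",
             130: "Group Membership Query", 131: "Group Membership Report",
             132: "Group Membership Reduction", 133: "Router Solicitation",
             134: "Router Advertisement", 135: "Neighbor Solicitation",
             136: "Neighbor Advertisement", 137: "Redirect"}
    icmp_type, code = message[0], message[1]
    return {"type": icmp_type, "code": code, "name": kinds.get(icmp_type, "unknown"),
            "error": icmp_type < 128}


if __name__ == "__main__":
    msg = build_echo_request("fe80::1", "fe80::2", 0x1234, 1, b"hello")   # constructed
    print(msg.hex(), verify("fe80::1", "fe80::2", msg))                    # True
    print(verify("fe80::1", "fe80::3", msg))                               # False: wrong dst
    print(parse_icmpv6(msg))
```

The practical consequence for tooling: a capture tool that decodes ICMPv6 must be given the enclosing IPv6 addresses to check the checksum, and a NAT or translator that rewrites IPv6 addresses has to recompute the upper-layer checksums, not just the (non-existent) header checksum.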
Multicast
- Multicast (and anycast) built in from the beginning
- Scope more well-defined: a 4-bit integer in the address
- The scope doesn't influence the well-known group IDs
Multicast
- A few well-defined groups
  - Note all begin with FF, the multicast prefix (for example FF02::1 all-nodes and FF02::2 all-routers on the link)
- Much of IGMP is carried over from IPv4, but it is in ICMP now
Changes from IPv4 to IPv6
- Expanded addressing capabilities
- Header format simplification
- Improved support for extensions and options
- Flow labeling capability
- Authentication and privacy capabilities
Stateless Autoconfiguration
Why does this matter?
- Manual configuration of individual machines before connecting them to the network should not be required.
- Address autoconfiguration assumes that each interface can provide a unique identifier for that interface (i.e., an "interface token")
- Plug-and-play communication is achieved through the use of link-local addresses
- Small sites should not need stateful servers
- A large site with multiple networks and routers should not require the presence of a stateful address configuration server.
- Address configuration should facilitate the graceful renumbering of a site's machines
Stateless Autoconfiguration
- Generate a link-local address (FE80::/64 plus the interface identifier).
- Verify this tentative address is OK: send a neighbor solicitation (ICMP type 135) with the tentative address as the target (duplicate address detection).
- If the address is in use, a neighbor advertisement (ICMP type 136) will be returned. Fail and go to manual configuration, or choose a different interface token.
- If there is no response, assign the address to the interface. At this point the node can communicate on-link.
Stateless Autoconfiguration
- Assign the address to the interface.
- The node joins the all-nodes multicast group, FF02::1.
- It sends a router solicitation message (ICMP type 133) to the all-routers group, FF02::2.
- A router responds with a router advertisement (ICMP type 134).
Stateless Autoconfiguration
- Look at the "managed address configuration" (M) flag
  - If M = 1, stop and do stateful (DHCPv6) address configuration
  - If M = 0, proceed with stateless configuration
- Look at the "other stateful configuration" (O) flag
  - If O = 1, use stateful configuration for other information (DNS servers and the like)
  - If O = 0, finished
Router Solicitation
- Type 133
- Code 0
- Checksum
- Reserved
- Possible option: Source Link-Layer Address
Router Advertisement
- Type 134
- Code 0
- Checksum
- Cur. Hop Limit
- M, O flags, Reserved
- Router Lifetime
- Reachable Time
- Retransmission Timer
- Possible options
  - Source Link-Layer Address
  - MTU
  - Prefix Information
Neighbor Solicitation
- Type 135
- Code 0
- Checksum
- Reserved
- Target Address
- Possible option: Source Link-Layer Address
Neighbor Advertisement
- Type 136
- Code 0
- Checksum
- R, S, O flags
- Reserved
- Target Address
- Possible option: Target Link-Layer Address
Prefix Information Option
- Type (3)
- Length (4, in units of 8 octets)
- Prefix Length
- L, A flags, Reserved
- Valid Lifetime
- Preferred Lifetime
- Reserved
- Prefix (128 bits)
Router Advertisement Options: Prefix Information
- This should include all prefixes the router is aware of
- Flag bits
  - On-link (L) = 1
    - The prefix can be used for on-link determination: destinations in it are reached directly, not through a router
  - Autonomous configuration (A) = 1
    - Use the prefix to create an address by stateless autoconfiguration
Router Advertisement Options: Prefix Information
- Valid Lifetime
  - 32-bit unsigned integer. The length of time in seconds before an address formed from the prefix is invalidated.
- Preferred Lifetime
  - 32-bit unsigned integer. The length of time in seconds before such an address is deprecated (still usable, but not for new connections).
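The Router Advertisement and its Prefix Information option, built and parsed as an added example (not code from the slides), with the M/O decision from the autoconfiguration slides and the checks a monitor on the link would apply to catch a rogue router. Everything any host on the link needs to pick its prefix, default router and MTU arrives in this one unauthenticated multicast message, which is why an unexpected RA is a serious finding. The prefix 2001:468:123::/64, the MAC and the lifetimes in the demo are constructed.

```python
import ipaddress
import struct

RA_TYPE = 134
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5


def build_ra(hop_limit, managed, other, router_lifetime, prefixes, mac=None, mtu=None) -> bytes:
    """Assemble an RA (checksum left zero; the IPv6 layer computes it).
    `prefixes` holds (prefix, on_link, autonomous, valid, preferred) tuples."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, hop_limit, flags, router_lifetime, 0, 0)
    if mac is not None:
        msg += bytes([OPT_SOURCE_LLADDR, 1]) + mac                      # 8 octets
    if mtu is not None:
        msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)                 # 8 octets
    for text, on_link, auto, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(text)
        pflags = (0x80 if on_link else 0) | (0x40 if auto else 0)
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                           valid, preferred, 0) + net.network_address.packed       # 32 octets
    return msg


def parse_ra(msg: bytes) -> dict:
    """Decode the fixed part and walk the options. A zero option length is rejected
    rather than looped on, and a truncated option is an error, not a partial result."""
    if len(msg) < 16 or msg[0] != RA_TYPE or msg[1] != 0:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHBBHII", msg[:16])
    ra = {"hop_limit": hop_limit, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "reachable": reachable, "retrans": retrans,
          "prefixes": [], "source_mac": None, "mtu": None}
    off = 16
    while off < len(msg):
        if off + 2 > len(msg):
            raise ValueError("truncated option")
        otype, olen = msg[off], msg[off + 1] * 8
        if olen == 0 or off + olen > len(msg):
            raise ValueError("bad option length")
        body = msg[off + 2:off + olen]
        if otype == OPT_SOURCE_LLADDR:
            ra["source_mac"] = body[:6]
        elif otype == OPT_MTU:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            ra["prefixes"].append({"prefix": ipaddress.IPv6Network((body[14:30], plen), strict=False),
                                   "L": bool(pflags & 0x80), "A": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        off += olen
    return ra


def slaac_decision(ra: dict) -> str:
    """The slide's flag logic: M=1 means stateful address configuration; otherwise
    stateless, with O=1 meaning fetch 'other' information from a stateful server."""
    if ra["M"]:
        return "stateful address configuration"
    return "stateless, other info via DHCPv6" if ra["O"] else "stateless only"


def rogue_ra_findings(ra: dict, allowed_prefixes, expected_mac=None) -> list:
    """What a link monitor (or an RA-guard feature in a switch) checks: autoconfig
    prefixes outside the allow-list, an unexpected router MAC, and a lifetime of
    zero, which withdraws the sender as default router for every host that hears it."""
    allowed = [ipaddress.IPv6Network(p) for p in allowed_prefixes]
    findings = []
    for p in ra["prefixes"]:
        if p["A"] and not any(p["prefix"].subnet_of(a) for a in allowed):
            findings.append(f"unexpected autoconfig prefix {p['prefix']}")
    if expected_mac is not None and ra["source_mac"] not in (None, expected_mac):
        findings.append(f"RA from unexpected MAC {ra['source_mac'].hex(':')}")
    if ra["router_lifetime"] == 0:
        findings.append("router lifetime 0: sender withdraws itself as default router")
    return findings


if __name__ == "__main__":
    mac = bytes.fromhex("00022d028234")                                   # constructed
    ra = parse_ra(build_ra(64, False, True, 1800,
                           [("2001:468:123::/64", True, True, 2592000, 604800)], mac, 1280))
    print(slaac_decision(ra), rogue_ra_findings(ra, ["2001:468::/32"], mac))
```

A host has no way to tell a legitimate RA from a forged one; the defences are at the switch (drop RAs on ports that are not the router's) and in monitoring like the check above, which is why the workshop's lab step "verify the laptop is receiving router advertisements" is worth doing with a sniffer rather than only by looking at the resulting address.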
Stateless Autoconfig
- Routers are to send out router advertisements at regular intervals to the all-nodes address (FF02::1).
  - This refreshes the lifetimes.
- Note that stateless autoconfig will only configure addresses.
  - It will not do all the host configuration you may well want to do (DNS servers, for example).
Stateful Configuration
- When you do not wish to have stateless configuration done you will need to provide a configuration server (DHCP, most likely) to provide configuration information to the hosts as they come up.
Neighbor Discovery
- This protocol (Neighbor Discovery, RFC 2461, of which neighbor solicitation is one message) solves a set of problems related to the interaction between nodes attached to the same link. It defines mechanisms for solving each of the following problems...
Problems Solved by Neighbor Discovery
- Router Discovery: how hosts locate routers that reside on an attached link.
- Prefix Discovery: how hosts discover the set of address prefixes that define which destinations are on-link for an attached link. (Nodes use prefixes to distinguish destinations that reside on-link from those only reachable through a router.)
- Parameter Discovery: how a node learns such link parameters as the link MTU or such Internet parameters as the hop limit value to place in outgoing packets.
Problems Solved by Neighbor Discovery
- Address Autoconfiguration: how nodes automatically configure an address for an interface.
- Address Resolution: how nodes determine the link-layer address of an on-link destination (e.g., a neighbor) given only the destination's IP address.
- Next-Hop Determination: the algorithm for mapping an IP destination address into the IP address of the neighbor to which traffic for the destination should be sent. The next hop can be a router or the destination itself.
Problems Solved by Neighbor Discovery
- Neighbor Unreachability Detection: how nodes determine that a neighbor is no longer reachable. For neighbors used as routers, alternate default routers can be tried. For both routers and hosts, address resolution can be performed again.
- Duplicate Address Detection: how a node determines that an address it wishes to use is not already in use by another node.
- Redirect: how a router informs a host of a better first-hop node to reach a particular destination.
ICMP Packet Types
- Neighbor Discovery defines five different ICMP packet types: a pair of Router Solicitation and Router Advertisement messages, a pair of Neighbor Solicitation and Neighbor Advertisement messages, and a Redirect message. The messages serve the following purposes...
ICMP Packet Types
- Router Solicitation: when an interface becomes enabled, hosts may send out Router Solicitations that request routers to generate Router Advertisements immediately rather than at their next scheduled time.
- Router Advertisement: routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message. Router Advertisements contain prefixes that are used for on-link determination and/or address configuration, a suggested hop limit value, etc.
ICMP Packet Types
- Neighbor Solicitation: sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address. Neighbor Solicitations are also used for Duplicate Address Detection.
- Neighbor Advertisement: a response to a Neighbor Solicitation message. A node may also send unsolicited Neighbor Advertisements to announce a link-layer address change.
- Redirect: used by routers to inform hosts of a better first hop for a destination.
What's missing?
- Need path MTU discovery (RFC 1981)
- Need host requirements (see Neighbor Discovery)
Transition and Tunnels
Transition
- There are really two types of cases that need to be addressed.
- Network layer
  - How can we get v6/v4 packets across v4/v6 networks?
- Host layer
  - How can a v6/v4 host access content on a v4/v6 host?
Network layer transition
Tunnels
- Information from one protocol is encapsulated inside the frame of another protocol.
- This enables the original data to be carried over a second, non-native architecture.
- 3 steps in creating a tunnel
  - Encapsulation
  - Decapsulation
  - Management
Tunnels
- There are at least 4 tunnel configurations
  - Router to router
  - Host to router
  - Host to host
  - Router to host
- Required information
  - v4 addresses of the tunnel endpoints
  - Note that private addresses will not work here.
Tunnels
- How the addresses are known determines the type of tunnel.
  - Configured tunnel
  - Automatic tunnel
  - Multicast tunnel
Configured tunnel
- These can be unidirectional or bidirectional.
  - Bidirectional looks like a point-to-point link
- The administrator configures the tunnel.
- Examples of this would be the pre-native Abilene backbone and some types of tunnel brokers.
Automatic Tunnel
- A tunnel is created without the intervention of a network administrator.
- Typically this involves the v4 address of the endpoint being contained within the v6 address.
- ISATAP and 6to4 are examples
  - 6to4 uses 2002::/16 plus the 32-bit v4 address to form a /48.
  - ISATAP treats the v4 network as a layer 2 transport.
    - The v4 address is in the interface identifier
Dual Stack
- Obvious.
- This is likely to be the predominant network-layer transition tool.
- It appears that when all the tools using tunnel mechanisms were being developed, no one thought viable dual-stack routers would show up as quickly as they in fact have.
- Most backbones could be dual-stack very easily, and will be when there is a demand.
Transition
- Tunnels will remain useful as a tool for connecting isolated hosts in home networks to v6 nets.
Host level transition
- This is where transition could bog down.
- How do you make web and other servers transparently accessible to either v6 or v4 hosts?
- There are several approaches.
  - Dual stack
  - Bump-in-the-stack
  - NAT-like devices
  - Translators
Translators
- Within the BSD (KAME) variants there is a tool called faithd.
  - This is a transport layer translator.
- There are also header translators out there
  - SIIT
  - NAT-PT
  - SOCKS-based gateways
  - Various application-specific translators
Summary
- This is neither as hard as it was once thought nor as easy as we might like to make it.
- Dual stack will be viable much sooner than was thought.
- It is merely an act of faith and will to convert existing servers to v6-capable versions.
140 Automatic Tunnels and Relays
141 Outline
- Reasons for IPv6 in IPv4 Tunnels
- Tunnel Types
- 6to4 Tunnel Implementation Scenarios
- 6to4 Security Issues
- Recommendations
142 Possible Reasons for IPv6 in IPv4 Tunnels
- Networks in the path between an IPv6-capable host
and the WAN don't support an IPv4/IPv6 dual-stack
environment
- Local network support organizations don't support
a dual-stack environment
143 Configured Tunnels
- Configured tunnels connect IPv4/IPv6 dual-stack
hosts or networks to larger IPv6 networks.
- Local network administrators arrange for a tunnel
between IPv6 networks across IPv4-only networks.
- This was the default dual-stack architecture on
Abilene until 2002; there are still some
configured tunnels supported by the Abilene NOC.
144 Automatic IPv6-in-IPv4 tunnel
- A dual-stack host or network automatically
creates a tunnel across an IPv4-only network
- Tunnel Types
- 6to4: most commonly deployed automatic tunnel
format
- ISATAP: intranet automatic tunnel format, not
designed for public networks
- Teredo: promising, but still in early discussions
in the IETF
145 6to4 Tunnel IPv4 Packet Format

  0                   1                   2                   3
  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |Version|  IHL  |Type of Service|          Total Length         |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |         Identification        |Flags|      Fragment Offset    |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |  Time to Live |  Protocol 41  |         Header Checksum       |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                       Source Address                          |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                    Destination Address                        |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                    Options                    |    Padding    |
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 |                   IPv6 header and payload ...                 /
 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

- The outer header is an ordinary IPv4 header whose Protocol
field is 41 (IPv6 in IPv4); the IPv6 packet follows as the
IPv4 payload.
- Source: RFC 3056, Connection of IPv6 Domains via
IPv4 Clouds
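The encapsulation shown in that header, built and taken apart in Python, with the checks a decapsulating host or relay should make before it hands the inner packet to its IPv6 stack. This is an added example, not code from the workshop; the sample addresses 198.51.100.7 and 203.0.113.9 are documentation addresses chosen here, and the packets are constructed inline.

```python
"""IPv6-in-IPv4 (IP protocol 41) encapsulation and decapsulation as used by
6to4, with the receiver-side checks a decapsulator should apply.
Added example, not code from the workshop slides."""
import ipaddress
import struct

PROTO_IPV6 = 41                                   # IANA protocol number: IPv6 in IPv4
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")  # 6to4 prefix (RFC 3056)
IPV4_HDR = "!BBHHHBBH4s4s"                        # 20-byte header, no options


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum of 16-bit words (RFC 791); 0 for a valid received header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src: str, dst: str, payload: bytes, next_header: int = 59,
               hop_limit: int = 64) -> bytes:
    """Minimal inner IPv6 packet: version 6, zero traffic class and flow label.
    Next header 59 ('no next header') is enough for a test packet."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def encapsulate(outer_src: str, outer_dst: str, inner: bytes,
                ttl: int = 64, ident: int = 0) -> bytes:
    """Prepend the IPv4 header from the slide: IHL 5, no options, protocol 41,
    flags and fragment offset zero; the checksum is filled in last."""
    src = ipaddress.IPv4Address(outer_src).packed
    dst = ipaddress.IPv4Address(outer_dst).packed
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(inner), ident, 0, ttl,
                      PROTO_IPV6, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + inner


def decapsulate(packet: bytes) -> bytes:
    """Validate the outer header and return the inner IPv6 packet.
    Raises ValueError for anything a 6to4 decapsulator should drop."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto, _csum,
     src, _dst) = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    if total_len > len(packet) or total_len < ihl + 40:
        raise ValueError("bad total length (truncated, or no room for IPv6 header)")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != PROTO_IPV6:
        raise ValueError("protocol %d is not IPv6-in-IPv4" % proto)
    if flags_frag & 0x3FFF:
        # MF bit set or non-zero offset: an outer fragment, reassemble first
        raise ValueError("fragmented outer packet")
    inner = packet[ihl:total_len]
    if inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    payload_len = struct.unpack("!H", inner[4:6])[0]
    if len(inner) != 40 + payload_len:
        raise ValueError("inner payload length does not match outer length")
    # RFC 3056's security considerations: when the inner source is a 6to4
    # address, the IPv4 address embedded in it must equal the outer IPv4
    # source.  Without this check anyone can inject packets that appear to
    # come from any 6to4 site.
    inner_src = ipaddress.IPv6Address(inner[8:24])
    if inner_src in SIX_TO_FOUR:
        embedded = ipaddress.IPv4Address(inner_src.packed[2:6])
        if embedded != ipaddress.IPv4Address(src):
            raise ValueError("embedded IPv4 %s != outer source %s"
                             % (embedded, ipaddress.IPv4Address(src)))
    return inner


def accepted(packet: bytes) -> bool:
    """True if decapsulate() would hand the inner packet to the IPv6 stack."""
    try:
        decapsulate(packet)
        return True
    except ValueError:
        return False


def sample_packets():
    """Constructed sample traffic.  207.75.164.119 is the IPv4 address from the
    slides; 198.51.100.7 and 203.0.113.9 are documentation addresses chosen
    here.  The second packet carries the same inner packet from the wrong
    outer source, as an injector would."""
    inner = build_ipv6("2002:cf4b:a477::cf4b:a477", "2002:c633:6407::1", b"hello")
    genuine = encapsulate("207.75.164.119", "198.51.100.7", inner)
    spoofed = encapsulate("203.0.113.9", "198.51.100.7", inner)
    return inner, genuine, spoofed


if __name__ == "__main__":
    inner, genuine, spoofed = sample_packets()
    print("genuine accepted:", accepted(genuine))
    print("spoofed accepted:", accepted(spoofed))
```

The fragment check matters in practice: a tunnel adds 20 bytes, so an IPv6 packet sized to a 1500-byte link becomes an oversize IPv4 packet, and a decapsulator that blindly processes fragments can be fed overlapping fragments that bypass the source check.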
146 IPv6 Address Format in 6to4
- The 6to4 prefix is 2002:WWXX:YYZZ::/48, where
WWXX:YYZZ is the hexadecimal form of the site's
IPv4 address WW.XX.YY.ZZ (RFC 3056).
- For example, a Windows XP system with IPv4
address 207.75.164.119 would have a 6to4 IPv6
address of 2002:cf4b:a477::cf4b:a477 (Windows
repeats the IPv4 address in the interface
identifier).
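The address arithmetic from the Automatic Tunnel slide and this one, as an added Python example (not code from the workshop): the 6to4 /48 and the Windows-style host address for an IPv4 address, the reverse mapping from a 2002::/16 address back to the embedded IPv4 address, and the ISATAP interface identifier. It also applies the RFC 3056 rule that the embedded IPv4 address must be globally routable, which is why a host behind RFC 1918 space cannot be a 6to4 site. The ISATAP identifier format follows RFC 5214, the later RFC for what the slides describe; fe80::/64 and 2001:db8:1:1::/64 are prefixes chosen here.

```python
"""6to4 and ISATAP address construction and the reverse mapping.
Added example, not code from the workshop slides."""
import ipaddress
from typing import Optional, Union

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
Addr4 = Union[str, ipaddress.IPv4Address]


def is_valid_6to4_v4(v4: Addr4) -> bool:
    """RFC 3056 requires the embedded IPv4 address to be globally routable
    unicast: RFC 1918 space, loopback, link-local, documentation and reserved
    ranges fail is_global, and multicast is excluded separately."""
    v4 = ipaddress.IPv4Address(v4)
    return v4.is_global and not v4.is_multicast


def six_to_four_prefix(v4: Addr4) -> ipaddress.IPv6Network:
    """2002:WWXX:YYZZ::/48 for the IPv4 address WW.XX.YY.ZZ."""
    v4 = ipaddress.IPv4Address(v4)
    if not is_valid_6to4_v4(v4):
        raise ValueError("%s cannot be used as a 6to4 site address" % v4)
    # prefix 0x2002, then the four IPv4 octets, then ten zero octets
    network_address = ipaddress.IPv6Address(b"\x20\x02" + v4.packed + b"\x00" * 10)
    return ipaddress.IPv6Network(str(network_address) + "/48")


def windows_6to4_host_address(v4: Addr4) -> ipaddress.IPv6Address:
    """Windows XP also puts the IPv4 address into the interface identifier,
    giving 2002:WWXX:YYZZ::WWXX:YYZZ, the form shown on the slide."""
    v4 = ipaddress.IPv4Address(v4)
    net = six_to_four_prefix(v4)
    return ipaddress.IPv6Address(int(net.network_address) | int(v4))


def embedded_v4(v6: Union[str, ipaddress.IPv6Address]) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address embedded in a 6to4 address (bits 16..47), or None if the
    address is not in 2002::/16."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address(v6.packed[2:6])


def isatap_address(prefix: str, v4: Addr4) -> ipaddress.IPv6Address:
    """ISATAP carries the IPv4 address in the low 32 bits of the interface
    identifier: <prefix>::0:5efe:w.x.y.z for a private IPv4 address, and
    <prefix>::200:5efe:w.x.y.z (u/l bit set) for a global one (RFC 5214)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 prefix")
    v4 = ipaddress.IPv4Address(v4)
    iid = (b"\x02\x00" if v4.is_global else b"\x00\x00") + b"\x5e\xfe" + v4.packed
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


if __name__ == "__main__":
    print(six_to_four_prefix("207.75.164.119"))
    print(windows_6to4_host_address("207.75.164.119"))
    print(embedded_v4("2002:c0a8:1101::1"))
    print(isatap_address("fe80::/64", "192.168.15.1"))
```

Note that embedded_v4() deliberately does not validate the embedded address: a receiver uses it to compare against the outer IPv4 source, and a sender uses is_valid_6to4_v4() to decide whether the destination is worth tunneling to at all.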
147 6to4 Implementation Scenarios (1 of 2)
- Both host A and host B are on IPv4-only networks
and both are capable of IPv6 6to4 tunneling
[Figure: two IPv4-only LANs joined across the IPv4/IPv6
dual-stack Internet, with the IPv4 path and the tunneled
IPv6 path drawn between the two hosts.]
Host A 192.168.15.1/24, 6to4 address 2002:c0a8:0f01::1
Host B 192.168.17.1/24, 6to4 address 2002:c0a8:1101::1
- Step 1: Host A creates an IPv6 packet with destination
address 2002:c0a8:1101::1 and encapsulates it in an
IPv4 packet with destination address 192.168.17.1
- Step 2: The IPv4 packet follows the ordinary IPv4 path
across the Internet to host B
- Step 3: Host B decapsulates the IPv6 packet from the IPv4
packet and processes the IPv6 packet
- Note: the 192.168.x.x addresses in these figures are
illustrative only. RFC 3056 requires the IPv4 address
embedded in a 6to4 address to be globally routable, so a
host that only has RFC 1918 space cannot be a 6to4
endpoint (see slide 131).
154 6to4 Implementation Scenarios (1 of 2) Observations
- Encapsulated IPv6 packets travel the IPv4 routing
path.
- No tunneling equipment or IPv6 infrastructure
required between hosts
155 6to4 Implementation Scenarios (2 of 2)
- Host A is on a native IPv6 network and host B is
on an IPv4-only network, but is itself capable of
IPv6 6to4 tunneling
[Figure: Host A on an IPv4/IPv6 dual-stack LAN and Host B on
an IPv4-only LAN, joined across the IPv4/IPv6 dual-stack
Internet; a 6to4 relay router sits between the IPv6 side and
the IPv4 side.]
Host A 192.168.15.1/24, native address 2001:468:1420::25/64
Host B 192.168.17.1/24, 6to4 address 2002:c0a8:1101::1
- Step 1: Host A creates an IPv6 packet to 2002:c0a8:1101::1
- Step 2: The relay router advertises the IPv6 route
2002::/16, so host A's network forwards the packet
natively to the relay
- Step 3: The relay router encapsulates the IPv6 packet in an
IPv4 packet and sends the IPv4 packet to destination
address 192.168.17.1
- Step 4: Host B decapsulates the IPv6 packet from the IPv4
packet and processes the IPv6 packet
166 6to4 Implementation Scenarios (2 of 2) Reverse
Direction
- Same topology: host A on a native IPv6 network, host B on
an IPv4-only network but itself capable of IPv6 6to4
tunneling
- Step 1: Host B creates an IPv6 packet with destination
address 2001:468:1420::25 and encapsulates it in an IPv4
packet with destination address 192.88.99.1
- Step 2: The relay router advertises the anycast IPv4
route 192.88.99.0/24 (RFC 3068), so the IPv4 network
delivers the packet to the nearest relay
- Step 3: The relay router decapsulates the IPv6 packet and
forwards it to the IPv6 destination address
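The forwarding decisions behind both scenarios, as an added Python example (not code from the workshop): which outer IPv4 destination a 6to4 host picks, and what a relay router does with a packet arriving from either side. The addresses are the slides' illustrative ones. The relay's drop rules are the example's own policy, the checks a careful relay applies (compare RFC 3964 on 6to4 security), not something the slides state; the slides do not cover the RFC 1918 problem with these addresses either, so no routability check is made here.

```python
"""6to4 forwarding decisions for a host and for a relay router.
Added example, not code from the workshop slides."""
import ipaddress
from typing import Optional, Tuple

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")   # RFC 3068 relay anycast
Decision = Tuple[str, Optional[ipaddress.IPv4Address]]


def embedded_v4(v6) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address embedded in a 6to4 address, or None for any other address."""
    v6 = ipaddress.IPv6Address(v6)
    return ipaddress.IPv4Address(v6.packed[2:6]) if v6 in SIX_TO_FOUR else None


def host_next_hop(dst) -> Decision:
    """Outer IPv4 destination chosen by a 6to4 host on an IPv4-only LAN.
    Scenario 1: another 6to4 site, so tunnel straight to its embedded address.
    Scenario 2 (reverse): a native destination, so tunnel to the nearest relay
    through the anycast address."""
    v4 = embedded_v4(dst)
    if v4 is not None:
        return ("direct", v4)
    return ("relay", RELAY_ANYCAST)


def relay_decision(inner_src, inner_dst, arrived_via: str) -> Decision:
    """Relay router that announces 2002::/16 into IPv6 and 192.88.99.0/24 into
    IPv4.  arrived_via is "ipv6" (native) or "ipv4" (decapsulated protocol 41).
    The drop rules are this example's policy (see RFC 3964)."""
    src_v4, dst_v4 = embedded_v4(inner_src), embedded_v4(inner_dst)
    if arrived_via == "ipv6":
        # Scenario 2 forward: only 2002::/16 is attracted by the relay's
        # route, so a non-6to4 destination is misrouted traffic.
        if dst_v4 is None:
            return ("drop", None)
        # 6to4 to 6to4 never needs a relay: the sender should tunnel direct.
        if src_v4 is not None:
            return ("drop", None)
        return ("encapsulate", dst_v4)
    if arrived_via == "ipv4":
        # Scenario 2 reverse: a packet reaching the anycast address must come
        # from a 6to4 source (its match with the outer IPv4 source is checked
        # at decapsulation) and be bound for native IPv6.  Forwarding 6to4 to
        # 6to4 would turn the relay into a reflector between sites.
        if src_v4 is None or dst_v4 is not None:
            return ("drop", None)
        return ("forward_native", None)
    raise ValueError("arrived_via must be 'ipv6' or 'ipv4'")


def scenario_trace():
    """Walk both slide scenarios with the slides' addresses and return the
    decision taken at each hop."""
    host_a_native = "2001:468:1420::25"
    host_b_6to4 = "2002:c0a8:1101::1"
    return {
        "s1 A->B": host_next_hop(host_b_6to4),
        "s2 A->relay": relay_decision(host_a_native, host_b_6to4, "ipv6"),
        "s2 B->relay": host_next_hop(host_a_native),
        "s2 relay->A": relay_decision(host_b_6to4, host_a_native, "ipv4"),
    }


if __name__ == "__main__":
    for hop, decision in scenario_trace().items():
        print(hop, decision)
```

The two drop rules on the IPv4 side are the ones that matter operationally: a relay that forwards anything it decapsulates becomes an open reflector, reachable by anyone who can send a protocol 41 packet to 192.88.99.1.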