introduction to ipv6 v1.3

Karunakant Rai [email protected] Introduction To IPv6

Post on 13-Apr-2017

Page 1: Introduction to ipv6 v1.3

Karunakant [email protected]

Introduction To IPv6

Page 2: Introduction to ipv6 v1.3

Agenda

• IPv6 Introduction
• Limitation of IPv4
• Features of IPv6
• Difference between IPv4 and IPv6
• Benefit in case of deploying IPv6
• IPv6 address syntax and packet
• Types of IPv6 addresses
• ICMPv6
• Path MTU Discovery
• Neighbor Discovery Protocol
• Tunnelling
• DHCPv6
• RIPng
• OSPFv3
• BGP4+ IPv6
• Filtering (Access Control Lists)
• IPv6 firewall handling
• IPv4-v6 Co-existence/Transition
• IPv6 Support – Operating Systems
• IPv6 Deployment Analysis
• Deployment Issues

Page 3: Introduction to ipv6 v1.3

IPv6

• An Internet Layer protocol for packet-switched internetworks, designated as the successor of IPv4.

Page 4: Introduction to ipv6 v1.3

Limitation of IPv4

• Recent exponential growth of the Internet and the impending exhaustion of the IPv4 address space

• Need for simpler configuration: Most current IPv4 implementations are either manually configured or use a stateful address configuration protocol such as Dynamic Host Configuration Protocol (DHCP).

• No security at the Internet layer

• Need better support for prioritized and real-time delivery of data

Page 5: Introduction to ipv6 v1.3

Features of IPv6

• Simplification of header format: The IPv6 header is much simpler than the IPv4 header and has a fixed length of 40 bytes. This allows for faster processing. It basically accommodates two times 16 bytes for the source and destination addresses and only 8 bytes for general header information.

• Large address space: IPv6 has 128-bit (16-byte) source and destination addresses.

• Improved support for options and extensions: IPv4 integrates options in the base header, whereas IPv6 carries options in so-called extension headers, which are inserted only if they are needed. Again, this allows for faster processing of packets. The base specification describes a set of six extension headers, including headers for routing, Mobile IPv6, quality of service and security.

• Efficient and hierarchical addressing and routing infrastructure

• Stateless and stateful address configuration

Page 6: Introduction to ipv6 v1.3

Features of IPV6 (contd.)

• Better support for prioritized delivery: The Traffic Class field and Flow Label field in the header help in supporting prioritized delivery.

• New protocol for neighboring node interaction: The Neighbor Discovery protocol replaces and extends the Address Resolution Protocol, ICMPv4 Router Discovery, and ICMPv4 Redirect messages with efficient multicast and unicast Neighbor Discovery messages.

Page 7: Introduction to ipv6 v1.3

Difference between IPv6 and IPv4

IPv4

• Source and destination addresses are 32 bits (4 bytes) in length.

• IPsec header support is optional.

• No identification of packet flow for prioritized delivery handling by routers is present within the IPv4 header.

• Fragmentation is performed by the sending host and at routers, slowing router performance.

IPv6

• Source and destination addresses are 128 bits (16 bytes) in length.

• IPsec header support is required.

• Packet flow identification for prioritized delivery handling by routers is present within the IPv6 header using the Flow Label field.

• Fragmentation is performed only by the sending host.

Page 8: Introduction to ipv6 v1.3

Difference between IPv6 and IPv4 (contd.)

IPv4

• Has no link-layer packet-size requirements, and must be able to reassemble a 576-byte packet.

• Header includes a checksum.

• Header includes options.

• ARP uses broadcast ARP Request frames to resolve an IPv4 address to a link-layer address.

IPv6

• Link layer must support a 1280-byte packet and be able to reassemble a 1500-byte packet.

• Header does not include a checksum.

• All optional data is moved to IPv6 extension headers.

• ARP Request frames are replaced with multicast Neighbor Solicitation messages.

Page 9: Introduction to ipv6 v1.3

Difference between IPv6 and IPv4 (contd.)

IPv4

• Broadcast addresses are used to send traffic to all nodes on a subnet.

• Must be configured either manually or through DHCP for IPv4.

IPv6

• There are no IPv6 broadcast addresses. Instead, a link-local scope all-nodes multicast address is used.

• Does not require manual configuration or DHCP for IPv6.

Page 10: Introduction to ipv6 v1.3

Benefits of deploying IPv6

• Solves the Address Depletion Problem

• Solves the Disjoint Address Space Problem

• Solves the International Address Allocation Problem

• Restores End-To-End Communication

• Uses Scoped Addresses and Address Selection

• Has More Efficient Forwarding

• Has Support for Security and Mobility

Page 11: Introduction to ipv6 v1.3

IPv6 Address Syntax

An IPv6 address has 128 bits, or 16 bytes. The address is divided into eight 16-bit hexadecimal blocks separated by colons. For example:

2001:DB8:0000:0000:0202:B3FF:FE1E:8329

To make life easier, some abbreviations are possible. For instance, leading zeros in a 16-bit block can be skipped. The example address now looks like this:

2001:DB8:0:0:202:B3FF:FE1E:8329

A double colon can replace consecutive zeros or leading or trailing zeros within the address. If we apply this rule, our address looks as follows:

2001:DB8::202:B3FF:FE1E:8329

More than one double-colon abbreviation in an address is invalid. So the IPv6 address 2001:DB8:0000:0056:0000:ABCD:EF12:1234 can be represented in the following ways (note the two possible positions for the double colon):

2001:DB8:0000:0056:0000:ABCD:EF12:1234
2001:DB8:0:56:0:ABCD:EF12:1234
2001:DB8::56:0:ABCD:EF12:1234
2001:DB8:0:56::ABCD:EF12:1234

Page 12: Introduction to ipv6 v1.3

IPv6 Address Syntax (contd.)

IPv6 address in binary form:

00100000000000010000110110111000000000000000000000101111001110110000001010101010000000001111111111111110001010001001110001011010

Divided along 16-bit boundaries:

0010000000000001 0000110110111000 0000000000000000 0010111100111011 0000001010101010 0000000011111111 1111111000101000 1001110001011010

Each 16-bit block is converted to hexadecimal and delimited by using colons:

2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A

Suppress leading zeros within each block:

2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
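The abbreviation rules from the last two slides, implemented by hand so each rule is visible (expansion, leading-zero suppression, every valid position of the double colon, and the 16-bit binary view). This is an added example written for these notes, not code from the slides; the standard-library ipaddress module is used only to cross-check the parser, and the sample addresses are the ones on the slides.

```python
"""IPv6 text-form helpers: expansion, zero suppression, '::' compression, binary view."""
import ipaddress
import re

HEX_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand(addr: str) -> str:
    """Return the full eight-group, four-hex-digit form of addr.

    Enforces the slide rules: leading zeros in a group may be dropped, one
    '::' may stand for one or more all-zero groups, more than one '::' is invalid.
    """
    if addr.count("::") > 1:
        raise ValueError("more than one '::' is invalid")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEX_GROUP.match(g) for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr!r}")
    full = ":".join(g.zfill(4).upper() for g in groups)
    # Self-check against the standard library's parser.
    if ipaddress.IPv6Address(full) != ipaddress.IPv6Address(addr):
        raise ValueError(f"expansion mismatch for {addr!r}")
    return full


def is_valid(addr: str) -> bool:
    """True when addr obeys the rules above (used to show the double-'::' rejection)."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def suppress_leading_zeros(full: str) -> str:
    """Drop leading zeros in each 16-bit group, keeping at least one digit."""
    return ":".join(g.lstrip("0") or "0" for g in full.split(":"))


def compressed_forms(addr: str) -> set[str]:
    """Every valid '::' abbreviation of addr: one per run of all-zero groups.

    Generalises the slide example, which has two runs of zero groups and hence
    two positions for '::'. RFC 5952's canonical choice (the longest run, ties to
    the left, never a lone zero group) is one member of this set, up to letter case.
    """
    groups = suppress_leading_zeros(expand(addr)).split(":")
    forms = set()
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1                      # j is one past the end of this zero run
        forms.add(":".join(groups[:i]) + "::" + ":".join(groups[j:]))
        i = j
    return forms


def binary_groups(addr: str) -> list[str]:
    """The eight 16-bit groups of addr as binary strings (the slide-12 view)."""
    return [format(int(g, 16), "016b") for g in expand(addr).split(":")]


if __name__ == "__main__":
    print(expand("2001:DB8::202:B3FF:FE1E:8329"))
    print(sorted(compressed_forms("2001:DB8:0000:0056:0000:ABCD:EF12:1234")))
    print(" ".join(binary_groups("2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A")))
    print(is_valid("2001:DB8::56::1234"))
```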

Page 13: Introduction to ipv6 v1.3

Prefix Representation

Prefix representation is just like CIDR: you attach the prefix length. Like the IPv4 address 198.10.0.0/16, an IPv6 address is represented the same way: 2001:db8:12::/40.

Page 14: Introduction to ipv6 v1.3

IPv6 Packet Format

Page 15: Introduction to ipv6 v1.3

IPv4 & IPv6 header comparison

Page 16: Introduction to ipv6 v1.3

Packet Description

Version: 6 (4-bit IP version).

Traffic class: Packet priority (8 bits). Priority values subdivide into ranges: traffic where the source provides congestion control, and non-congestion-control traffic.

Flow label: QoS management (20 bits), for real-time applications.

Payload length: Payload length in bytes (16 bits).

Next header: Specifies the next encapsulated protocol.

Hop limit: Replaces the time-to-live field of IPv4 (8 bits).

Source and destination addresses: 128 bits each.
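A parser for the fixed header described above, extended to follow the Next Header chain through extension headers, which is what a filter or inspection device must do before it can see the transport protocol. Added example for these notes, not from the slides; the protocol numbers (0, 43, 44, 60, 58) and the 8-octet length rule come from RFC 8200, and the sample packet is constructed here.

```python
"""Parse the 40-byte IPv6 fixed header and walk the Next Header chain."""
import ipaddress
import struct

# Protocol numbers (IANA registry values, not listed on the slides).
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
ICMPV6, UDP, TCP = 58, 17, 6
VARIABLE_LENGTH_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the fields of the fixed header exactly as laid out on the slide."""
    if len(pkt) < 40:
        raise ValueError("IPv6 fixed header is 40 bytes")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not IPv6 (version {version})")
    return {
        "version": version,                          # 4 bits
        "traffic_class": (first_word >> 20) & 0xFF,  # 8 bits
        "flow_label": first_word & 0xFFFFF,          # 20 bits
        "payload_length": payload_len,               # 16 bits, excludes the 40-byte header
        "next_header": next_hdr,                     # 8 bits
        "hop_limit": hop_limit,                      # 8 bits
        "src": ipaddress.IPv6Address(pkt[8:24]),     # 128 bits
        "dst": ipaddress.IPv6Address(pkt[24:40]),    # 128 bits
    }


def walk_header_chain(pkt: bytes) -> tuple[list[int], int, int]:
    """Follow Next Header through extension headers to the upper-layer protocol.

    Returns (extension header types in order, upper-layer protocol, its offset).
    Hop-by-Hop, Routing and Destination Options carry an 8-bit Hdr Ext Len in
    8-octet units excluding the first 8 octets; the Fragment header is a fixed
    8 octets. Truncated or absurdly long chains are rejected, not skipped.
    """
    hdr = parse_fixed_header(pkt)
    end = 40 + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("payload length exceeds captured bytes")
    nh, off, chain = hdr["next_header"], 40, []
    while nh in VARIABLE_LENGTH_EXT or nh == FRAGMENT:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        chain.append(nh)
        ext_len = 8 if nh == FRAGMENT else 8 * (pkt[off + 1] + 1)
        nh, off = pkt[off], off + ext_len
        if len(chain) > 16:   # defensive bound; real packets carry a handful at most
            raise ValueError("extension header chain too long")
    return chain, nh, off


def build_sample_packet() -> bytes:
    """Constructed sample: IPv6 header -> Destination Options -> ICMPv6 Echo Request."""
    icmp = bytes([128, 0, 0, 0, 0x12, 0x34, 0, 1])        # type 128, code 0, csum 0, id, seq
    dest_opts = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])        # next=58, ext len 0 (=8 octets), PadN
    payload = dest_opts + icmp
    first_word = (6 << 28) | (0 << 20) | 0xABCDE            # version 6, traffic class 0, flow label
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    fixed = struct.pack("!IHBB", first_word, len(payload), DEST_OPTS, 64) + src + dst
    return fixed + payload


if __name__ == "__main__":
    pkt = build_sample_packet()
    print(parse_fixed_header(pkt))
    print(walk_header_chain(pkt))
```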

Page 17: Introduction to ipv6 v1.3

Comparison between IPv4 and IPv6 packet header

Page 18: Introduction to ipv6 v1.3

Types of IPv6 addresses

Unicast

• A unicast address uniquely identifies an interface of an IPv6 node. A packet sent to a unicast address is delivered to the interface identified by that address.

Multicast

• A multicast address identifies a group of IPv6 interfaces. A packet sent to a multicast address is processed by all members of the multicast group.

Anycast

• An anycast address is assigned to multiple interfaces (usually on multiple nodes).

• A packet sent to an anycast address is delivered to only one of these interfaces, usually the nearest one.

No more broadcast address.

Page 19: Introduction to ipv6 v1.3

Unicast IPv6 Addresses

• Global unicast addresses

• Link-local addresses

• Site-local addresses

• Unique local addresses

• Special addresses

Page 20: Introduction to ipv6 v1.3

Global Unicast Addresses

• Equivalent to public IPv4 addresses

• Globally routable and reachable

• Scope is the entire IPv6 Internet

Page 21: Introduction to ipv6 v1.3

Link-local Unicast Addresses

Link-local addresses are used for:

• Mandatory address for communication between two IPv6 devices (like ARP, but at Layer 3).

• Automatically assigned by the router as soon as IPv6 is enabled.

• Also used for next-hop calculation in routing protocols.

• Only link-specific scope.

• Remaining 54 bits could be zero or any manually configured value.

Page 22: Introduction to ipv6 v1.3

Site-local Unicast Addresses

Do not have a global scope and can be reused. Scope is the site. Used between nodes communicating with other nodes in the same organization. Not automatically configured and must be assigned either through stateless or stateful address autoconfiguration. This is specially used for two purposes: the replacement of ARP, and DAD.

Page 23: Introduction to ipv6 v1.3

Unique Local Addresses

• Provide a private addressing alternative to global addresses for intranet traffic

• Address unique across all the sites of the organization

• Used for local communications and inter-site VPNs

• Not routable on the Internet

Page 24: Introduction to ipv6 v1.3

Special IPv6 Addresses

• Unspecified address

• The unspecified address (0:0:0:0:0:0:0:0 or ::) is used only to indicate the absence of an address.

• Used as a source address when a unique address has not yet been determined.

• Never assigned to an interface or used as a destination address.

• Equivalent to the IPv4 unspecified address of 0.0.0.0.

• Loopback address

• The loopback address (0:0:0:0:0:0:0:1 or ::1) is assigned to a loopback interface, enabling a node to send packets to itself.

• Equivalent to the IPv4 loopback address of 127.0.0.1.

• Packets addressed to the loopback address must never be sent on a link or forwarded by an IPv6 router.

Page 25: Introduction to ipv6 v1.3

Multicast IPv6 Addresses

• Cannot be used as source addresses or as intermediate destinations in a Routing extension header

Page 26: Introduction to ipv6 v1.3

Multicast IPv6 Addresses (contd.)

Flags

• The first low-order bit is the Transient (T) flag: 0 -> permanent address, 1 -> temporary address.

• The second low-order bit is the Prefix (P) flag, which indicates whether the multicast address is based on a unicast address prefix.

• The third low-order bit is the Rendezvous Point Address (R) flag, which indicates whether the multicast address contains an embedded rendezvous point address.

Scope

• Indicates the scope of the IPv6 network for which the multicast traffic is intended to be delivered. Ex: 2 -> link-local scope, 5 -> site-local scope, E -> global scope.

Page 27: Introduction to ipv6 v1.3

Solicited-Node Address

• Facilitates the efficient querying of network nodes during link-layer address resolution

• IPv6 uses the Neighbor Solicitation message to perform link-layer address resolution which uses solicited-node multicast address

• The solicited-node multicast address is constructed from the prefix FF02::1:FF00:0/104 and the last 24 bits (6 hexadecimal digits) of a unicast IPv6 address

Page 28: Introduction to ipv6 v1.3

Anycast Address Assignment

• Routers along the path to the destination just process the packets based on network prefix.

• Routers configured to respond to anycast packets will do so when they receive a packet sent to the anycast address.

• Anycast allows a source node to transmit IP datagrams to a single destination node out of a group of destination nodes with the same subnet ID, based on the routing metrics.

Page 29: Introduction to ipv6 v1.3

Type prefixes for IPv6 addresses

Page 30: Introduction to ipv6 v1.3

IPv6 Address hierarchy

Page 31: Introduction to ipv6 v1.3

Hierarchical Addressing and Aggregation

Page 32: Introduction to ipv6 v1.3

ICMPv6

ICMPv6, while similar in strategy to ICMPv4, has changes that make it more suitable for IPv6. ICMPv6 has absorbed some protocols that were independent in version 4.

Page 33: Introduction to ipv6 v1.3

Comparison of network layers in version 4 and version 6

Page 34: Introduction to ipv6 v1.3

Path MTU Discovery (PMTUD) for IPv6

Fragmentation in IPv6 is not performed by intermediary routers.

The source node may fragment packets by itself only when the path MTU is smaller than the packets to deliver.

Page 35: Introduction to ipv6 v1.3

Example of PMTUD for IPv6 used by a source node.

Page 36: Introduction to ipv6 v1.3

Example of PMTUD for IPv6 used by a source node.(cont)

First, the source node that sends the first IPv6 packet to a destination node uses 1500 bytes as the MTU value (1). Then, the intermediary Router A replies to the source node using an ICMPv6 message Type 2, Packet Too Big, and specifies 1400 bytes as the lower MTU value in the ICMPv6 packet (2). The source node then sends the packet but instead uses 1400 bytes as the MTU value; the packet passes through Router A (3). However, along the path, intermediary Router B replies to the source node using an ICMPv6 message Type 2 and specifies 1300 bytes as the MTU value (4). Finally, the source node resends the packet using 1300 bytes as the MTU value. The packet passes through both intermediary routers and is delivered to the destination node (5). The session is now established between source and destination nodes, and all packets sent between them use 1300 bytes as the MTU value (6).
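A small model of the walk just described, written as an added example for these notes (not from the slides): routers never fragment, each one whose next link is too small answers with Packet Too Big and its link MTU, and the source lowers its path MTU until the packet gets through. It also shows how many fragments the source itself must emit once it knows the path MTU, and rejects a path with a link below the 1280-byte IPv6 minimum. The router list is constructed from the figure (1500 start, links of 1400 and 1300).

```python
"""Simulate IPv6 Path MTU Discovery as seen from the source node."""
from dataclasses import dataclass, field

IPV6_MIN_LINK_MTU = 1280   # every IPv6 link must carry a 1280-byte packet
IPV6_HEADER_LEN = 40
FRAGMENT_HEADER_LEN = 8


@dataclass
class PMTUDResult:
    path_mtu: int
    too_big_messages: list[int] = field(default_factory=list)  # MTUs reported, in order
    attempts: int = 0                                           # packets the source sent


def path_mtu_discovery(link_mtus: list[int], initial_mtu: int = 1500) -> PMTUDResult:
    """Re-send after each ICMPv6 Type 2 (Packet Too Big) until the packet fits.

    link_mtus[i] is the MTU of the link router i forwards onto, in path order.
    A link below the IPv6 minimum is not a valid IPv6 link, so it is rejected
    rather than letting the search converge on an MTU no host may use.
    """
    for mtu in link_mtus:
        if mtu < IPV6_MIN_LINK_MTU:
            raise ValueError(f"link MTU {mtu} is below the IPv6 minimum of {IPV6_MIN_LINK_MTU}")
    result = PMTUDResult(path_mtu=initial_mtu)
    while True:
        result.attempts += 1
        # The first router whose outgoing link cannot carry the packet drops it and
        # reports that link's MTU; if no router objects, the packet is delivered.
        blocker = next((mtu for mtu in link_mtus if mtu < result.path_mtu), None)
        if blocker is None:
            return result
        result.too_big_messages.append(blocker)
        result.path_mtu = blocker


def fragment_count(datagram_len: int, path_mtu: int) -> int:
    """Fragments the *source* must send for a datagram larger than the path MTU.

    Every fragment carries the 40-byte IPv6 header plus an 8-byte Fragment
    header, and all but the last carry a multiple of 8 octets of data.
    Assumes the datagram has no other unfragmentable extension headers.
    """
    if datagram_len <= path_mtu:
        return 1
    fragmentable = datagram_len - IPV6_HEADER_LEN
    per_fragment = (path_mtu - IPV6_HEADER_LEN - FRAGMENT_HEADER_LEN) // 8 * 8
    return -(-fragmentable // per_fragment)   # ceiling division


if __name__ == "__main__":
    r = path_mtu_discovery([1400, 1300])      # Router A's link, then Router B's link
    print(r)                                  # path_mtu=1300 after two Packet Too Big messages
    print(fragment_count(1500, r.path_mtu))   # the original 1500-byte packet now needs 2 fragments
```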

Page 37: Introduction to ipv6 v1.3

Neighbor Discovery (ND)

Protocol built on top of ICMPv6 (RFC 2463). The Neighbor Discovery Protocol (ND) is a protocol in the Internet Protocol Suite used with Internet Protocol Version 6 (IPv6). It operates at the Network Layer of the Internet model and is responsible for address autoconfiguration of nodes, discovery of other nodes on the link, determining the Link Layer addresses of other nodes, duplicate address detection, finding available routers and Domain Name (DNS) servers, address prefix discovery, and maintaining reachability information about the paths to other active neighbor nodes.

Combination of IPv4 protocols (ARP, ICMP, IGMP, …)

Page 38: Introduction to ipv6 v1.3

IPv6 nodes use Neighbor Discovery for the following purposes:

• Router discovery: hosts can locate routers residing on attached links.

• Prefix discovery: hosts can discover address prefixes that are on-link for attached links.

• Parameter discovery: hosts can find link parameters (e.g., MTU).

• Address autoconfiguration: stateless configuration of addresses of network interfaces.

• Address resolution: mapping between IP addresses and link-layer addresses.

• Next-hop determination: hosts can find next-hop routers for a destination.

• Neighbor unreachability detection (NUD): determine that a neighbor is no longer reachable on the link.

• Duplicate address detection (DAD): nodes can check whether an address is already in use.

• Redirect: a router can inform a node about better first-hop routers.

Page 39: Introduction to ipv6 v1.3

ICMPv6 Messages Defined for NDP

• Router Solicitation

• Router Advertisement

• Neighbor Solicitation

• Neighbor Advertisement

• Redirect

Page 40: Introduction to ipv6 v1.3

Router Solicitation (RS)

When an interface becomes enabled, hosts may send out Router Solicitations that request routers to generate Router Advertisements immediately rather than at their next scheduled time.

RS is ICMPv6 Type 133 and Code 0. The source address of the IPv6 packet encapsulating the RS can be one of the two:

1. IPv6 address of the originating interface

2. Unspecified address ::/0 (all zeros) if the host interface has not yet been assigned an IPv6 address

The destination address is the All-Routers multicast address, FF02::2. The options field can carry the following information:

1. Link-layer address of the RS originating interface

2. If the source IPv6 address is sent as unspecified, then the link-layer address is not included in the options field

Page 41: Introduction to ipv6 v1.3

Router Advertisement (RA)

Routers advertise their presence together with various link and Internet parameters either periodically, or in response to a Router Solicitation message.

RA is ICMPv6 Type 134 and Code 0. The source address of the IPv6 packet encapsulating the RA is always the IPv6 link-local address of the interface. The destination address can be either the link-local address of the host which sent an RS requesting an RA, or the All-Nodes multicast address FF02::1 for RAs generated periodically by the router.

Unsolicited RAs are generated periodically by the router to make the presence of the router known on the link. The period between transmissions of RAs can be between 4 and 1800 seconds, and the default is 600 seconds. Also, the minimum period between advertisements of RAs is 200 seconds by default.

Page 42: Introduction to ipv6 v1.3

Neighbor Solicitation (NS)

Sent by a node to determine the link-layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address. Neighbor Solicitations are also used for Duplicate Address Detection.

NS is ICMPv6 Type 135 and Code 0. The source address of the IPv6 packet encapsulating the NS can be one of the two:

1. IPv6 address of the originating interface

2. Unspecified address ::/0 (all zeros) if the NS is sent for Duplicate Address Detection

The destination address of the NS can be one of the two:

1. Solicited-Node multicast address corresponding to the target address

2. The target address itself

Note: the target address is the IPv6 address of the target of the solicitation and is never a multicast address.

The Options field of the NS can contain the link-layer address of the interface originating the NS.

Page 43: Introduction to ipv6 v1.3

Neighbor Advertisement (NA)

A response to a Neighbor Solicitation message. A node may also send unsolicited Neighbor Advertisements to announce a link-layer address change.

NA is ICMPv6 Type 136 and Code 0. The source address of the IPv6 packet encapsulating the NA is always the IPv6 address of the originating interface. The destination address can be one of the two:

1. Source address of the packet containing the NS for which the NA is being sent in response

2. All-Nodes multicast address FF02::1

Flags:

R: The Router flag is set when the originator of the NA is a router.

S: The Solicited flag is set when the NA is being sent in response to an NS.

O: The Override flag is set to indicate that the information in this NA should override any existing neighbor cache entry and update the link-layer address. When the O bit is cleared, the NA will not override the existing neighbor cache entry.

Page 44: Introduction to ipv6 v1.3

Neighbor Advertisement (NA) (contd.)

Target Address: the address to which the NA is directed, so it will be the source address of the NS to which the NA is being sent as a response. If the NA is being sent as an unsolicited NA (that is, not in response to any NS), then the target address is the originator's address. An unsolicited NA is sent only to advertise a change: if the node has changed its link-layer address, then an unsolicited NA is sent to advertise it, and it therefore lists its own address as the target address.

The Options field of the NA can contain the target link-layer address, i.e. the link-layer address of the NA's originating interface.

Page 45: Introduction to ipv6 v1.3

Redirect

Used by routers to inform hosts of a better first hop for a destination. Redirect is ICMPv6 Type 137 and Code 0. The source address of the IPv6 packet encapsulating the Redirect message is always the link-local IPv6 address of the interface which originated the Redirect. The destination address is always the source address of the packet which triggered the Redirect. The target address of the Redirect is usually the link-local address of another router on the same link. The Destination Address field in the Redirect message contains the IPv6 address of the destination that will be redirected to the target address. The Options field contains the link-layer address of the target.

The Options field has a value of Type/Length/Value (TLV) triplets. The TLV consists of an 8-bit Type which specifies the type of information it is carrying, an 8-bit Length which specifies the length in units of 8 octets of the value field, and the variable-length Value field.

The Redirect message can contain a maximum of 1280 bytes.
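The NA layout and the TLV option format from the last slides, as an added example for these notes (not code from the slides): build a Neighbor Advertisement with its R/S/O flags and a Target Link-layer Address option, parse it back, and apply the slide's Override rule to a neighbor cache. Option type numbers (1 = Source LLA, 2 = Target LLA) and the rule that Length counts the whole option (type and length octets included) in 8-octet units are taken from RFC 4861; a zero Length is treated as malformed so the option walk cannot loop. Ethernet (6-byte) link-layer addresses are assumed.

```python
"""Build and parse an ICMPv6 Neighbor Advertisement and its TLV options."""
import ipaddress
import struct

ND_NEIGHBOR_ADVERTISEMENT = 136                 # ICMPv6 type, as on the slide
OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR = 1, 2     # RFC 4861 option types
FLAG_R, FLAG_S, FLAG_O = 0x80000000, 0x40000000, 0x20000000   # top 3 bits of the flags word


def build_nd_option(opt_type: int, value: bytes) -> bytes:
    """TLV: 1-octet type, 1-octet length in 8-octet units covering type+length+value,
    value zero-padded out to that boundary."""
    total = 2 + len(value)
    padded = -(-total // 8) * 8                 # round up to a multiple of 8
    if padded // 8 > 255:
        raise ValueError("ND option too long")
    return bytes([opt_type, padded // 8]) + value + b"\x00" * (padded - total)


def parse_nd_options(data: bytes) -> list[tuple[int, bytes]]:
    """Walk the option block strictly: zero length or an overrun is an error."""
    opts, off = [], 0
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, length_units = data[off], data[off + 1]
        if length_units == 0:
            raise ValueError("ND option with zero length")
        end = off + 8 * length_units
        if end > len(data):
            raise ValueError("option length exceeds message")
        opts.append((opt_type, data[off + 2:end]))
        off = end
    return opts


def build_na(target: str, lladdr: bytes, router: bool, solicited: bool, override: bool) -> bytes:
    """NA body: type, code 0, checksum (left 0 here), R/S/O + 29 reserved bits,
    128-bit target address, then a Target Link-layer Address option."""
    flags = (FLAG_R if router else 0) | (FLAG_S if solicited else 0) | (FLAG_O if override else 0)
    head = struct.pack("!BBHI", ND_NEIGHBOR_ADVERTISEMENT, 0, 0, flags)
    return head + ipaddress.IPv6Address(target).packed + build_nd_option(OPT_TARGET_LLADDR, lladdr)


def parse_na(msg: bytes) -> dict:
    if len(msg) < 24:
        raise ValueError("NA is at least 24 bytes")
    icmp_type, code, _csum, flags = struct.unpack("!BBHI", msg[:8])
    if icmp_type != ND_NEIGHBOR_ADVERTISEMENT or code != 0:
        raise ValueError("not a Neighbor Advertisement (type 136, code 0)")
    target = ipaddress.IPv6Address(msg[8:24])
    if target.is_multicast:
        raise ValueError("NA target must never be a multicast address")
    options = parse_nd_options(msg[24:])
    lladdr = next((v[:6] for t, v in options if t == OPT_TARGET_LLADDR), None)  # Ethernet assumed
    return {"R": bool(flags & FLAG_R), "S": bool(flags & FLAG_S), "O": bool(flags & FLAG_O),
            "target": str(target), "target_lladdr": lladdr}


def apply_na(cache: dict, msg: bytes) -> dict:
    """The slide's Override rule: an NA replaces the link-layer address of an
    existing cache entry only when O is set. An NA for a target that was never
    solicited is ignored (RFC 4861 7.2.5; the RFC's finer state transitions are
    omitted in this model)."""
    na = parse_na(msg)
    if na["target"] in cache and na["O"] and na["target_lladdr"] is not None:
        cache[na["target"]] = na["target_lladdr"]
    return cache


if __name__ == "__main__":
    mac = bytes.fromhex("001122334455")           # constructed sample link-layer address
    na = build_na("2001:db8::10", mac, router=False, solicited=True, override=True)
    print(na.hex())
    print(parse_na(na))
    print(apply_na({"2001:db8::10": bytes(6)}, na))
```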

Page 46: Introduction to ipv6 v1.3

Router Advertisement Flow

Page 47: Introduction to ipv6 v1.3

Address Resolution

The neighbor solicitation and neighbor advertisement packets are used to perform several critical node operations:

• Link-layer address resolution

• Duplicate address detection (DAD)

• Neighbor unreachability detection (NUD)

Page 48: Introduction to ipv6 v1.3

Address-Resolution Flow

Page 49: Introduction to ipv6 v1.3

Differences between IPv6 ND and its IPv4 counterpart suite of protocols

One of the fundamental differences between IPv6 ND and its IPv4 counterpart suite of protocols (ARP, IPCP, and so on) is the positioning in the IP protocol stack. Although IPv4 same-link-related protocols are split between ARP/RARP, right above the link layer, and ICMP, running above IP, IPv6 ND is implemented entirely within ICMPv6.

Page 50: Introduction to ipv6 v1.3

IPv6 and DNS

Hostname to IP address

IPv4, A record: www.abc.test. A 192.168.30.1

IPv6, AAAA record: www.abc.test AAAA 3FFE:B00:C18:1::2

IP address to hostname

IPv4, PTR record: 1.30.168.192.in-addr.arpa. PTR www.abc.test.

IPv6, PTR record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.0.0.b.0.e.f.f.3.ip6.arpa PTR www.abc.test.
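Two names IPv6 derives mechanically from an address, both covered by the slides: the solicited-node multicast group (FF02::1:FF00:0/104 plus the low 24 bits, slide 27) and the nibble-reversed ip6.arpa owner name for the PTR record above. Added example for these notes, not code from the slides; inputs are the slide addresses, and the grouping function shows which unicast addresses land in the same solicited-node group and therefore all receive each other's Neighbor Solicitations.

```python
"""Solicited-node multicast groups and reverse-DNS owner names from IPv6 addresses."""
import ipaddress

SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node(unicast: str) -> str:
    """FF02::1:FF00:0/104 with the low 24 bits (6 hex digits) of unicast appended."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24))


def reverse_pointer(addr: str) -> str:
    """Owner name for the PTR record, as an absolute name (trailing dot).

    IPv6: all 32 nibbles of the expanded address, reversed, under ip6.arpa.
    IPv4: the four octets reversed under in-addr.arpa.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        nibbles = format(int(ip), "032x")            # keeps every leading zero
        return ".".join(reversed(nibbles)) + ".ip6.arpa."
    return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."


def group_by_solicited_node(addresses: list[str]) -> dict[str, list[str]]:
    """Map each solicited-node group to the unicast addresses that join it.

    Addresses that share their low 24 bits share a group, so a host in such a
    group receives (and must inspect) NS messages meant for the other members.
    """
    groups: dict[str, list[str]] = {}
    for a in addresses:
        groups.setdefault(solicited_node(a), []).append(a)
    return groups


if __name__ == "__main__":
    print(solicited_node("2001:0E30:1402:1:9656:3:4:56"))   # ff02::1:ff04:56
    print(reverse_pointer("3FFE:B00:C18:1::2"))
    print(reverse_pointer("192.168.30.1"))
    print(group_by_solicited_node(["fe80::1", "2001:db8::aaaa:0:1", "2001:db8::2"]))
```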

Page 51: Introduction to ipv6 v1.3

DHCPv6

Dynamic Host Configuration Protocol (DHCP) has been updated to support IPv6. DHCPv6 can provide stateful autoconfiguration to IPv6 hosts. DHCPv6 handles the addressing architecture and new features of the IPv6 protocol as follows:

• It enables more control over nodes than stateless autoconfiguration.

• It can be used concurrently on networks where stateless autoconfiguration is available.

• It can provide IPv6 addresses to hosts in the absence of routers on a network.

• It can be used to delegate /48 or /64 prefixes to Customer Premises Equipment (CPE) routers such as a home gateway.

DHCPv6 Addressing

All_DHCP_Agents: ff02::1:2

All_DHCP_Servers: ff05::1:3

Page 52: Introduction to ipv6 v1.3

IPv6 auto-configuration

IP configuration in IPv6 is carried out by IPv6 auto-configuration.

Stateless: nodes configure addresses themselves with information from routers (if available); no managed addresses.

Stateful: nodes use DHCPv6 to obtain addresses.

Duplicate address detection (DAD) is used to avoid duplicated addresses.

Page 53: Introduction to ipv6 v1.3

DHCPv6 Basic Message Format

Msg-type (1 octet) | Transaction-id (3 octets)

Options (variable)

Message types:

• SOLICIT

• ADVERTISE

• REQUEST

• CONFIRM

• RENEW

• REBIND

• REPLY

• RELEASE

• DECLINE

• RECONFIGURE

• INFORMATION-REQUEST

• RELAY-FORW

• RELAY-REPL

Page 54: Introduction to ipv6 v1.3

DHCPv6 Message Type Options

Message type: meaning

SOLICIT (1): A client sends a Solicit message to locate servers.

ADVERTISE (2): A server sends an Advertise message to indicate that it is available for DHCP service, in response to a Solicit message received from a client.

REQUEST (3): A client sends a Request message to request configuration parameters, including IP addresses, from a specific server.

REPLY (4): A server sends a Reply message containing assigned addresses and configuration parameters in response to a Solicit, Request, Renew or Rebind message received from a client.

RENEW (5): A client sends a Renew message to the server that originally provided the client's addresses and configuration parameters to extend the lifetimes on the addresses assigned to the client.

REBIND (6): A client sends a Rebind message to any available server to extend the lifetimes on the addresses assigned to the client.

Page 55: Introduction to ipv6 v1.3

DHCPv6 to DHCPv4 Message Comparison

Page 56: Introduction to ipv6 v1.3

DHCP Messages

Messages are exchanged using UDP: client port udp/546, server port udp/547.

The client uses its link-local address, or addresses determined using other methods, to transmit and receive DHCP messages.

The server receives messages from clients using a reserved, link-scoped multicast address.

Page 57: Introduction to ipv6 v1.3

DHCP Multicast Addresses

All_DHCP_Relay_Agents_and_Servers (FF02::1:2): link-scoped multicast address used by a client to communicate with on-link relay agents and servers.

All_DHCP_Servers (FF05::1:3): site-scoped multicast address used by a relay agent to communicate with servers.

Page 58: Introduction to ipv6 v1.3

DHCPv6 option format and base option

Option-code (2 octets) | Option-length (2 octets)

Option-data (option-len octets)

Base options:

• Client Identifier

• Server Identifier

• Identity Association for Non-temporary Addresses

• Identity Association for Temporary Addresses

• IA Address

• Option Request

• Preference

• Elapsed Time

• Relay Message

• Authentication

• Server Unicast

• Status Code

• Rapid Commit

• User Class

• Vendor Class

• Vendor-specific Information

• Interface-Id

• Reconfigure Message

• Reconfigure Accept
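The message and option formats from slides 53 and 58 in working form, as an added example for these notes (not code from the slides): a strict TLV walker that rejects truncated options, a builder for a client Solicit carrying Client Identifier, IA_NA, Option Request and Elapsed Time, and the check a client applies to match a server's answer to its outstanding request. Message type values are the slide's; the option codes (1, 2, 3, 6, 8, 14, and 23 for DNS servers) are RFC 8415/RFC 3646 values, and the DUID is a constructed sample.

```python
"""Build and parse DHCPv6 messages: 1-octet msg-type, 3-octet transaction-id, TLV options."""
import struct

# Message types from the slide.
SOLICIT, ADVERTISE, REQUEST, REPLY, RENEW, REBIND = 1, 2, 3, 4, 5, 6
# Option codes (RFC 8415 values; the slides name the options but not the codes).
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_ORO, OPT_ELAPSED_TIME, OPT_RAPID_COMMIT = 1, 2, 3, 6, 8, 14
OPT_DNS_SERVERS = 23   # RFC 3646


def build_option(code: int, data: bytes) -> bytes:
    """2-octet option-code, 2-octet option-length, option-len octets of data."""
    if len(data) > 0xFFFF:
        raise ValueError("option data too long")
    return struct.pack("!HH", code, len(data)) + data


def build_message(msg_type: int, transaction_id: int, options: list[tuple[int, bytes]]) -> bytes:
    if not 0 <= transaction_id < (1 << 24):
        raise ValueError("transaction-id is 24 bits")
    head = bytes([msg_type]) + transaction_id.to_bytes(3, "big")
    return head + b"".join(build_option(c, d) for c, d in options)


def parse_options(data: bytes) -> list[tuple[int, bytes]]:
    """Strict TLV walk: an option header or body that runs past the end rejects the message."""
    opts, off = [], 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", data[off:off + 4])
        end = off + 4 + length
        if end > len(data):
            raise ValueError(f"option {code} claims {length} bytes, only {len(data) - off - 4} left")
        opts.append((code, data[off + 4:end]))
        off = end
    return opts


def parse_message(msg: bytes) -> dict:
    if len(msg) < 4:
        raise ValueError("DHCPv6 message needs at least 4 bytes")
    return {"msg_type": msg[0],
            "transaction_id": int.from_bytes(msg[1:4], "big"),
            "options": parse_options(msg[4:])}


def solicit_for(duid: bytes, iaid: int, transaction_id: int) -> bytes:
    """A client Solicit: identify ourselves, ask for a non-temporary address
    (IA_NA with IAID and T1 = T2 = 0, no sub-options) and request DNS servers."""
    ia_na = struct.pack("!III", iaid, 0, 0)
    return build_message(SOLICIT, transaction_id, [
        (OPT_CLIENTID, duid),
        (OPT_IA_NA, ia_na),
        (OPT_ORO, struct.pack("!H", OPT_DNS_SERVERS)),
        (OPT_ELAPSED_TIME, struct.pack("!H", 0)),
    ])


def server_matches(reply: dict, request: dict) -> bool:
    """A client accepts an Advertise/Reply only if it echoes the client's own
    transaction-id and DUID; anything else is dropped as not addressed to us."""
    req_duid = dict(request["options"]).get(OPT_CLIENTID)
    rep_duid = dict(reply["options"]).get(OPT_CLIENTID)
    return reply["transaction_id"] == request["transaction_id"] and req_duid == rep_duid


if __name__ == "__main__":
    duid = bytes.fromhex("000300010011223344aa")            # constructed DUID-LL sample
    solicit = solicit_for(duid, iaid=1, transaction_id=0x123456)
    print(solicit.hex())
    print(parse_message(solicit))
    advertise = build_message(ADVERTISE, 0x123456, [(OPT_CLIENTID, duid), (OPT_SERVERID, b"\x00\x01srv")])
    print(server_matches(parse_message(advertise), parse_message(solicit)))
```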

Page 59: Introduction to ipv6 v1.3

DHCP Unique Identifier (DUID)

Each DHCP client and server has a DUID. DHCP servers use DUIDs to identify clients for the selection of configuration parameters and in client Identity Associations.

• Unique across all clients and servers

• Should not change over time (if possible)

• Must be < 128 octets long

Page 60: Introduction to ipv6 v1.3

Identity Association

An identity association (IA) is a construct through which a server and client can identify, group, and manage a set of related IP addresses. A client must associate at least one distinct IA with each network interface requesting assignment of IP addresses from a DHCP server (IAID).

• Must be associated with exactly one interface

• Must be consistent across restarts by the client

Page 61: Introduction to ipv6 v1.3

DHCPv6 working

(Figure: message sequence between a DHCP client and DHCP servers A and B, with time running downward.)

SOLICIT -> ADVERTISE from server A and ADVERTISE from server B -> client selects one advertisement (server B) -> REQUEST -> REPLY; the client now uses the address and parameters for their lifetime -> RENEW -> REPLY; the client renews the lifetime -> RELEASE; the client releases the address when shutting down.

Page 62: Introduction to ipv6 v1.3

DHCPv6 Client-Server Message Exchange

Page 63: Introduction to ipv6 v1.3

DHCPv6 operation

• Client sends messages to a link-local multicast address.

• Server unicasts its response to the client.

• Information-Request / Reply: provide client configuration information but no addresses.

• Confirm / Reply: assist in determining whether the client moved.

• Reconfigure: allows servers to initiate a client reconfiguration.

• Basic client/server authentication capabilities in the base standard.

• DHCP Unique Identifier (DUID) used to identify clients and servers.

• Identity Association ID (IAID) used to identify a collection of addresses.

• Relay Agents used when the server is not on-link; Relay Agents may be chained.

Page 64: Introduction to ipv6 v1.3

DHCPv6 Installation (Linux)

DHCPv6 server:

Update with dhcpv6-0.10-11_FC3.i386.rpm using
# rpm -U dhcpv6-0.10-11_FC3.i386.rpm

Create a database directory
# mkdir /var/db/dhcpv6

Copy the sample server configuration file
# cp dhcp6s.conf /etc/dhcp6s.conf

Start the server daemon using
# dhcp6s -dDf eth0

Page 65: Introduction to ipv6 v1.3

DHCPv6 Installation (Linux) (contd.)

DHCPv6 client:

Update with dhcpv6_client-0.10-11_FC3.i386.rpm using
# rpm -U dhcpv6_client-0.10-11_FC3.i386.rpm

Copy the sample client configuration file
# cp dhcp6c.conf /etc/dhcp6c.conf

Start the client daemon using
# dhcp6c -dDf eth0

Page 66: Introduction to ipv6 v1.3

DHCPv6 Configuration

In Fedora Core 3 the following files are configured:

Server configuration:

/etc/sysconfig/dhcp6s
/etc/dhcp6s.conf

File: /etc/sysconfig/dhcp6s (specifies the interface for dhcp6s)

DHCP6SIF=eth0

Page 67: Introduction to ipv6 v1.3

DHCPv6 Server configuration (contd.)

File: /etc/dhcp6s.conf

interface eth0 {
    server-preference 255;
    renew-time 60;
    rebind-time 90;
    prefer-life-time 130;
    valid-life-time 200;
    allow rapid-commit;
    link BBB {
        pool {
            range 2001:0E30:1402:2::4 to 2001:0E30:1402:2::ffff/64;
            prefix 2001:0E30:1402::/48;
        };
    };
};

Page 68: Introduction to ipv6 v1.3

DHCPv6 Client configuration

In Fedora Core 3 the following files are configured:

Client configuration:

/etc/sysconfig/network-scripts/ifcfg-eth0
/etc/dhcp6c.conf

File: /etc/sysconfig/network-scripts/ifcfg-eth0

IPV6INIT=yes
DHCP6C=yes

File: /etc/dhcp6c.conf

interface eth0 {
    #information-only;
    send rapid-commit;
    #request prefix-delegation;
    #request temp-address;
    address { 2001:0E30:1402:1:9656:3:4:56/64; };
};

Page 69: Introduction to ipv6 v1.3

Testing DHCPv6

Start the server daemon in debug mode in the foreground
# dhcp6s -dDf eth0

Restart the network service of the client
# service network restart

See the address assignment
# ifconfig

Page 70: Introduction to ipv6 v1.3

RIPng

Routing Information Protocol next generation (RIPng) is the counterpart of RIPv2, but for IPv6. As defined in RFC 2080, RIPng for IPv6, RIPng has most of the same capabilities as RIPv2:

Distance vector—RIPng is a distance vector protocol based on the Bellman-Ford algorithm.

Radius of operation—Like RIP, RIPng is limited to a radius of 15 hops.

UDP-based protocol—RIPng uses UDP datagrams to send and receive routing information.

Broadcast information—Periodic broadcasts can be sent using multicast addresses to reduce traffic on nodes that are not listening to RIP messages.

Page 71: Introduction to ipv6 v1.3

Updates Added in RIPng

Destination prefix—Destination prefixes are based on 128 bits instead of 32 bits (as in IPv4).

Next-hop address—Next-hop addresses are based on 128 bits instead of 32 bits (as in IPv4).

Transport—RIPng messages are sent over IPv6 packets.

UDP port number—The standard UDP port number for IPv6 is 521 instead of 520, as in IPv4. This UDP port sends and receives routing information between RIPng routers.

Link-local address—RIPng updates are sent to adjacent RIPng routers using the link-local address FE80::/10 as the source address.

Multicast address—The standard multicast address used with RIPng is FF02::9, instead of 224.0.0.9 in IPv4. FF02::9 represents the all-RIP-routers multicast address on the link-local scope.

Page 72: Introduction to ipv6 v1.3

OSPFv3The OSPFv3 specification is mainly based on OSPFv2, but with some enhancements. Adding IPv6 support in the OSPFv2 protocol required important rewrites of the code to remove the IPv4 dependencies, such as the multicast IPv4 addresses 224.0.0.5 and 224.0.0.6, which are not useful in IPv6. After having been updated to support IPv6, OSPFv3 can distribute IPv6 prefixes and run natively over IPv6. Both OSPFv2 and OSPFv3 can be used concurrently, because each address family has a separate SPF.

Page 73: Introduction to ipv6 v1.3

OSPFv3 has some similarities to OSPFv2

OSPFv3 uses the same basic packet types as OSPFv2, such as hello, DBD (also called DDP, database description packets), LSR (link-state request), LSU (link-state update), and LSA (link-state advertisement).

Mechanisms for neighbor discovery and adjacency formation are identical.

Operations of OSPFv3 over the RFC-compliant nonbroadcast multiaccess (NBMA) and point-to-multipoint topology modes are supported.

LSA flooding and aging are the same for both OSPFv2 and OSPFv3.

Page 74: Introduction to ipv6 v1.3

Differences between OSPFv3 and OSPFv2

OSPFv3 runs over a link—The network statement under the OSPFv2 router process is replaced by enabling OSPFv3 directly on each interface. Multiple OSPFv3 instances can run on the same link.

Router ID—The router ID is still a 32-bit number, so it is not IPv6-specific. It identifies the OSPFv3 router. As with BGP4+, when no IPv4 address is configured on the router, a router ID must be set manually.

Link ID—Links are identified by a 32-bit interface ID, which is likewise not IPv6-specific.

Link-local address—OSPFv3 uses IPv6 link-local addresses to identify adjacent neighbors, and all packets except those on virtual links are sent from a link-local source.

New LSA types—The Link-LSA and Intra-Area-Prefix-LSA types are added in OSPFv3:

Link-LSA (LSA type 0x0008)—There is one Link-LSA per link, with link-local flooding scope. It provides the router's link-local address on that link and lists the IPv6 prefixes to associate with the link.

Page 75: Introduction to ipv6 v1.3

Differences between OSPFv3 and OSPFv2 (contd)

Intra-Area-Prefix-LSA (LSA type 0x2009)—A router originates several of these, distinguished by link-state ID, all with area flooding scope. Each one carries either the prefixes of a transit network (referencing the Network-LSA of that link) or the prefixes of the router itself and its stub links (referencing the Router-LSA).

Transport—OSPFv3 messages are sent in IPv6 datagrams, so OSPFv3 can also run across IPv6-over-IPv4 tunnels.

Multicast address—Two standard multicast addresses are used with OSPFv3:
FF02::5—AllSPFRouters, the all-OSPF-routers address with link-local scope. It is the equivalent of 224.0.0.5 in OSPFv2.
FF02::6—AllDRouters, the address of all Designated Routers (DR) and Backup Designated Routers with link-local scope. It is the equivalent of 224.0.0.6 in OSPFv2.

Security—OSPFv3 has no authentication field of its own. It relies on the IPsec Authentication Header (AH) and Encapsulating Security Payload (ESP) extension headers (RFC 4552) instead of the authentication schemes and procedures defined in OSPFv2. Because IPsec is not available or easy to key for multicast on every platform, RFC 7166 later added an OSPFv3 Authentication Trailer that carries a keyed hash inside the OSPFv3 packet itself; check which of the two your routers support before relying on either.

Page 76: Introduction to ipv6 v1.3

OSPF for IPv6 Packet Header

Page 77: Introduction to ipv6 v1.3

Fields of the OSPF header

• Version (1 byte): OSPF for IPv6 uses version number 3.

• Type (1 byte): Defines the type of OSPF message (1 Hello, 2 Database Description, 3 Link-State Request, 4 Link-State Update, 5 Link-State Acknowledgment).

• Packet length (2 bytes): The length of the OSPF protocol packet in bytes, including the OSPF header.

• Router ID (4 bytes): The Router ID of the router originating this packet. Each router must have a unique Router ID, a 32-bit number normally written in dotted-decimal notation. The Router ID must be unique within the entire AS.

Page 78: Introduction to ipv6 v1.3

Fields of the OSPF header (contd)

• Area ID (4 bytes): Identifies the area to which this OSPF packet belongs.

• Checksum (2 bytes): OSPF for IPv6 uses the standard checksum calculation for IPv6 upper-layer protocols: the 16-bit one's complement of the one's complement sum over an IPv6 pseudo-header (source address, destination address, the OSPF packet length and Next Header value 89) followed by the entire OSPF packet. The checksum field itself is set to 0 while the sum is computed.

• Instance ID (1 byte): Identifies the OSPF instance to which this packet belongs. The Instance ID is an 8-bit number assigned per interface; the default value is 0. It enables multiple OSPF protocol instances to run on a single link. If the receiving router does not recognize the Instance ID, it discards the packet. For example, routers A, B, C and D are connected to a common link. A and B belong to a different AS from C and D. To keep their OSPF exchanges apart, A and B use a different Instance ID from C and D, so a router never accepts the other pair's packets. In OSPF for IPv4 this separation was achieved with the Authentication field, which no longer exists in OSPF for IPv6. Note that the Instance ID is a demultiplexing key, not a security control: anyone on the link can read it and send packets carrying the matching value.
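The following Python example is added here and is not part of the original deck. It packs the 16-byte OSPFv3 header described above, computes the checksum over the IPv6 pseudo-header with Next Header 89 (RFC 5340 Appendix A.3.1), and runs the receive-side checks, including the Instance ID comparison, on a constructed Hello packet. Addresses, router IDs and function names are the example's own assumptions.

```python
import ipaddress
import struct

OSPF_NEXT_HEADER = 89          # IPv6 Next Header value for OSPF
OSPFV3_VERSION = 3
OSPF_HELLO = 1
ALL_SPF_ROUTERS = "ff02::5"
# version, type, packet length, router ID, area ID, checksum, instance ID, reserved
HEADER = struct.Struct("!BBHIIHBB")


def _ones_complement_sum(data):
    """One's complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ospfv3_checksum(src, dst, packet):
    """Checksum over the IPv6 pseudo-header plus the OSPF packet with its checksum field zeroed."""
    length = struct.unpack_from("!H", packet, 2)[0]     # taken from the OSPF header
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", length, OSPF_NEXT_HEADER))
    zeroed = packet[:12] + b"\x00\x00" + packet[14:length]
    return (~_ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def parse_header(packet):
    v, t, length, rid, aid, csum, iid, _ = HEADER.unpack_from(packet)
    return {"version": v, "type": t, "length": length,
            "router_id": str(ipaddress.IPv4Address(rid)),   # dotted-decimal display of the 32-bit ID
            "area_id": aid, "checksum": csum, "instance_id": iid}


def build_hello(src, dst, router_id, area_id, instance_id, interface_id=1):
    """Constructed Hello: header + interface ID, priority, options, hello/dead intervals, DR, BDR."""
    body = struct.pack("!IB3sHHII", interface_id, 1, b"\x00\x00\x13", 10, 40, 0, 0)
    length = HEADER.size + len(body)
    packet = HEADER.pack(OSPFV3_VERSION, OSPF_HELLO, length,
                         int(ipaddress.IPv4Address(router_id)), area_id, 0, instance_id, 0) + body
    csum = ospfv3_checksum(src, dst, packet)
    return packet[:12] + struct.pack("!H", csum) + packet[14:]


def receive(src, dst, packet, local_area, local_instance):
    """Receive-side checks; returns 'ok' or the reason the packet is discarded."""
    if len(packet) < HEADER.size:
        return "too short"
    h = parse_header(packet)
    if h["version"] != OSPFV3_VERSION:
        return "bad version"
    if not HEADER.size <= h["length"] <= len(packet):
        return "bad length"
    if not ipaddress.IPv6Address(src).is_link_local:    # non-virtual link: source must be link-local
        return "source not link-local"
    if ospfv3_checksum(src, dst, packet) != h["checksum"]:
        return "checksum mismatch"
    if h["area_id"] != local_area:
        return "area mismatch"
    if h["instance_id"] != local_instance:              # unknown Instance ID: silently dropped
        return "instance ID mismatch"
    return "ok"


if __name__ == "__main__":
    pkt = build_hello("fe80::1", ALL_SPF_ROUTERS, "10.0.0.1", 0, 0)
    print(parse_header(pkt))
    print(receive("fe80::1", ALL_SPF_ROUTERS, pkt, local_area=0, local_instance=0))
    print(receive("fe80::1", ALL_SPF_ROUTERS, pkt, local_area=0, local_instance=7))
```

Because the pseudo-header is part of the sum, the same OSPF bytes sent from a different source address fail the checksum, which is why a replayed packet from elsewhere on the link does not verify even before the Instance ID is consulted.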

Page 79: Introduction to ipv6 v1.3

Two renamed LSAs

1. Inter-Area-Prefix-LSAs for area border routers (ABRs) (type 3, 0x2003)
Type 3 LSAs advertise internal networks to routers in other areas (inter-area routes).
A type 3 LSA may represent a single network or a set of networks summarized into one advertisement.
Only ABRs generate these summary LSAs. In OSPF for IPv6, addresses in these LSAs are expressed as prefix and prefix length instead of address and mask. The default route is expressed as a prefix with length 0.

2. Inter-Area-Router-LSAs for ASBRs (type 4, 0x2004)
Type 4 LSAs advertise the location of an ASBR. Routers that are trying to reach an external network use these advertisements to determine the best path to the next hop. Type 4 LSAs are generated by ABRs, not by the ASBR itself: the ABR tells the other areas how to reach the ASBR.

Page 80: Introduction to ipv6 v1.3

Two new LSAs

1. Link-LSAs (type 8, 0x0008)
Carry information that is only significant to the directly connected neighbors on one link. Type 8 LSAs have link-local flooding scope and are never flooded beyond the link with which they are associated.
Link-LSAs provide the link-local address of the router to all other routers attached to the link.
Link-LSAs also inform the other routers attached to the link of the list of IPv6 prefixes to associate with the link, and let the router assert a set of option bits to associate with the Network-LSA that will be originated for the link.

2. Intra-Area-Prefix-LSAs (type 9, 0x2009)
Carry prefixes for a referenced link-state ID (a Router-LSA or a Network-LSA). In OSPFv2, prefixes are carried inside Router-LSAs and Network-LSAs, so any prefix change causes an SPF recalculation. In OSPFv3 the prefixes live in their own LSA and do not affect the SPF tree, so a prefix change does not cause an SPF recalculation.
This makes OSPFv3 more scalable for large networks with a large number of frequently changing prefixes.

Page 81: Introduction to ipv6 v1.3

OSPF areas and their routing updates

Page 82: Introduction to ipv6 v1.3

BGP Multiprotocol Extension for IPv6 (BGP4+)

BGP-4 carries only three pieces of information that are truly IPv4-specific:
NLRI (feasible and withdrawn) in the UPDATE message contains an IPv4 prefix.
The NEXT_HOP path attribute in the UPDATE message contains an IPv4 address.
The BGP Identifier, in the OPEN message and in the AGGREGATOR attribute, is a 32-bit value historically taken from an IPv4 address.

To make BGP-4 available for other network layer protocols, multiprotocol NLRI and its next hop information must be added. RFC 2858 (since revised as RFC 4760) extends BGP to support multiple network layer protocols. IPv6 is one of the protocols supported, as specified in a separate document (RFC 2545).

Page 83: Introduction to ipv6 v1.3

Changes in BGP for IPv6 support

To accommodate the new requirement for multiprotocol support, BGP-4 adds two new attributes to advertise and withdraw multiprotocol NLRI. The BGP Identifier stays unchanged, so BGP-4 routers with IPv6 extensions still need a 32-bit identifier; this was traditionally a local IPv4 address, and on an IPv6-only router it has to be configured explicitly (RFC 6286 allows any value that is unique within the AS). To establish a BGP connection exchanging IPv6 prefixes, the peering routers advertise the Multiprotocol Extensions capability (an optional parameter of the OPEN message) with AFI 2 (IPv6) and the SAFI in use to indicate IPv6 support. BGP connections and route selection remain unchanged. Each implementer needs to extend the RIB to accommodate IPv6 routes, and policies need to take IPv6 NLRI and next hop information into consideration for route selection.

An UPDATE message advertising only IPv6 NLRI sets the Withdrawn Routes Length (unfeasible routes length) field to 0 and carries no IPv4 NLRI. All advertised or withdrawn IPv6 routes are carried within the MP_REACH_NLRI and MP_UNREACH_NLRI attributes. The UPDATE must carry the path attributes ORIGIN and AS_PATH; on IBGP connections it must also carry LOCAL_PREF.

The NEXT_HOP attribute should not be carried. If the UPDATE message contains the NEXT_HOP attribute, the receiving peer must ignore it. All other attributes can be carried and are recognized.

Page 84: Introduction to ipv6 v1.3

Changes in BGP for IPv6 support (contd)

An UPDATE message can advertise both IPv6 NLRI and IPv4 NLRI that share the same path attributes. In this case, all fields can be used. For the IPv6 NLRI, however, the NEXT_HOP attribute is ignored. IPv4 and IPv6 NLRI are kept in separate RIBs.

MP_REACH_NLRI path attribute
This optional non-transitive attribute allows the exchange of feasible IPv6 NLRI to a peer, along with its IPv6 next-hop address. The NLRI and the next hop are delivered in one attribute. The next-hop field holds either one 16-byte global address or 32 bytes, a global address followed by a link-local address (RFC 2545).

MP_UNREACH_NLRI path attribute
This optional non-transitive attribute allows the sending peer to withdraw multiple IPv6 routes that are no longer valid.
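The following Python example is added here and is not part of the original deck. It encodes and decodes the MP_REACH_NLRI and MP_UNREACH_NLRI attributes for AFI 2 / SAFI 1 (IPv6 unicast) in the RFC 4760 layout, with the RFC 2545 next-hop encoding, and shows the receiver ignoring a NEXT_HOP attribute that was carried alongside the IPv6 NLRI. The prefixes, addresses and function names are the example's own.

```python
import ipaddress
import struct

AFI_IPV6, SAFI_UNICAST = 2, 1
ATTR_NEXT_HOP, ATTR_MP_REACH_NLRI, ATTR_MP_UNREACH_NLRI = 3, 14, 15
FLAG_OPTIONAL, FLAG_TRANSITIVE, FLAG_EXT_LEN = 0x80, 0x40, 0x10


def encode_prefix(prefix):
    """BGP NLRI form: one length byte (bits) followed by just enough prefix bytes."""
    net = ipaddress.IPv6Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([net.prefixlen]) + net.network_address.packed[:nbytes]


def decode_prefixes(data):
    out, off = [], 0
    while off < len(data):
        plen = data[off]
        nbytes = (plen + 7) // 8
        raw = data[off + 1:off + 1 + nbytes].ljust(16, b"\x00")
        out.append(str(ipaddress.IPv6Network((raw, plen), strict=False)))
        off += 1 + nbytes
    return out


def encode_attr(type_code, value, flags=FLAG_OPTIONAL):
    """Path attribute: flags, type code, 1- or 2-byte length (extended-length bit), value."""
    if len(value) > 255:
        return bytes([flags | FLAG_EXT_LEN, type_code]) + struct.pack("!H", len(value)) + value
    return bytes([flags, type_code, len(value)]) + value


def mp_reach_nlri(prefixes, global_nh, link_local_nh=None):
    """AFI, SAFI, next-hop length, next hop (16 or 32 bytes per RFC 2545), reserved byte, NLRI."""
    nh = ipaddress.IPv6Address(global_nh).packed
    if link_local_nh:
        nh += ipaddress.IPv6Address(link_local_nh).packed
    body = struct.pack("!HBB", AFI_IPV6, SAFI_UNICAST, len(nh)) + nh + b"\x00"
    body += b"".join(encode_prefix(p) for p in prefixes)
    return encode_attr(ATTR_MP_REACH_NLRI, body)


def mp_unreach_nlri(prefixes):
    """AFI, SAFI, withdrawn NLRI."""
    body = struct.pack("!HB", AFI_IPV6, SAFI_UNICAST) + b"".join(encode_prefix(p) for p in prefixes)
    return encode_attr(ATTR_MP_UNREACH_NLRI, body)


def decode_attrs(data):
    """Walk a path-attributes blob, yielding (type_code, value)."""
    off = 0
    while off < len(data):
        flags, code = data[off], data[off + 1]
        if flags & FLAG_EXT_LEN:
            length = struct.unpack_from("!H", data, off + 2)[0]
            off += 4
        else:
            length = data[off + 2]
            off += 3
        yield code, data[off:off + length]
        off += length


def ipv6_routes(attr_blob):
    """Extract IPv6 unicast reach/unreach info; NEXT_HOP (type 3) is IPv4-only and is ignored."""
    result = {"reach": [], "next_hops": [], "unreach": [], "ignored_next_hop": False}
    for code, val in decode_attrs(attr_blob):
        if code == ATTR_NEXT_HOP:
            result["ignored_next_hop"] = True
        elif code == ATTR_MP_REACH_NLRI:
            afi, safi, nhlen = struct.unpack_from("!HBB", val)
            if (afi, safi) != (AFI_IPV6, SAFI_UNICAST):
                continue
            nh = val[4:4 + nhlen]
            result["next_hops"] = [str(ipaddress.IPv6Address(nh[i:i + 16])) for i in range(0, nhlen, 16)]
            result["reach"] = decode_prefixes(val[5 + nhlen:])     # skip the reserved byte
        elif code == ATTR_MP_UNREACH_NLRI:
            afi, safi = struct.unpack_from("!HB", val)
            if (afi, safi) != (AFI_IPV6, SAFI_UNICAST):
                continue
            result["unreach"] = decode_prefixes(val[3:])
    return result


if __name__ == "__main__":
    # Constructed attribute set: a stray IPv4 NEXT_HOP, one MP_REACH_NLRI and one MP_UNREACH_NLRI
    blob = (encode_attr(ATTR_NEXT_HOP, bytes([192, 0, 2, 1]), flags=FLAG_TRANSITIVE)
            + mp_reach_nlri(["2001:db8:1::/48", "2001:db8:2:3::/64"], "2001:db8::1", "fe80::1")
            + mp_unreach_nlri(["2001:db8:9::/48"]))
    print(ipv6_routes(blob))
```

The 32-byte next hop is the interesting case for a receiver: the link-local address is only meaningful when the peer is on a shared link, so an implementation has to check that the first 16 bytes are a global address and fall back to it when the link-local one is not on-link.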

Page 85: Introduction to ipv6 v1.3

Establishing a BGP connection

Page 86: Introduction to ipv6 v1.3

IPv6 Filtering (Access Control Lists)

IPv6 Standard Access Control Lists

• IPv6 access lists (ACLs) are used to filter traffic and to restrict access to the router.
• IPv6 prefix lists are used to filter routing protocol updates.
• An IPv6 standard ACL permits or denies on:
  IPv6 source/destination addresses
  IPv6 prefix lists
  on inbound and outbound interfaces

Page 87: Introduction to ipv6 v1.3

IPv6 Extended ACL

Adds support for filtering on IPv6 extension headers and upper-layer protocol information.
Only named access lists are supported for IPv6.
IPv6 and IPv4 ACL functionality otherwise match:
An implicit deny any any is the final rule in each ACL.
A reference to an empty (nonexistent) ACL permits any any.
ACLs are never applied to traffic the router itself originates.

Page 88: Introduction to ipv6 v1.3

IPv6 ACL Implicit Rules

Implicit permit rules enable neighbor discovery. The following implicit rules exist at the end of each IPv6 ACL to allow ICMPv6 neighbor discovery:

permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any

These implicit permits sit after your last explicit entry. If you add an explicit deny ipv6 any any (for example, to log denied traffic), it matches before the implicit ND permits and silently breaks neighbor discovery on that interface, so add explicit permits for nd-na and nd-ns (and, where SLAAC is used, router-solicitation and router-advertisement) ahead of such a deny.

Page 89: Introduction to ipv6 v1.3

IPv6 firewall Handling

Page 90: Introduction to ipv6 v1.3

IPv6 architecture and firewall - requirements

• No need for NAT: the security that IPv4 NAT is assumed to give can be achieved with IPv6 by stateful filtering, without address translation (security and privacy).
• Even better: end-to-end security with IPsec.
• IPv6 does not require end-to-end connectivity, but it provides end-to-end addressability.
• Support for IPv4/IPv6 transition and coexistence.
• Support for IPv6 header chaining (extension headers).
• There are some IPv6-capable firewalls now: Cisco ACL/PIX, iptables (ip6tables), ipfw, Juniper NetScreen.

Page 91: Introduction to ipv6 v1.3

IPv6 firewall setup

The firewall must support ND (Neighbor Solicitation/Advertisement).
The firewall should support filtering of dynamic routing protocols.
The firewall must support RS/RA (Router Solicitation/Advertisement) if Stateless Address Autoconfiguration (SLAAC) is used.
The firewall must support MLD messages if multicast is required.

Page 92: Introduction to ipv6 v1.3

IPv6 Firewall Filter RulesWhen you live in a dual-stack network, you will have two security concepts: one for the IPv4 world and another for the IPv6 world. And the two concepts do not have to match; they have to be designed according to the requirements of each protocol. Your firewalls may support both protocols, having two separate filter sets (one for each protocol), or you may have two boxes, one being the firewall for the IPv4 network and the other being the firewall for your IPv6 network.

Page 93: Introduction to ipv6 v1.3

Security provisions and firewall filters that should be considered

Ingress filter at the perimeter firewall: drop inbound packets whose source is one of your internally used prefixes (anti-spoofing), and filter unneeded services at the perimeter firewall.
Deploy host-based firewalls for defense in depth.
Critical systems should have static, non-obvious (randomly generated) IPv6 addresses rather than EUI-64 or sequential ones.
Consider using static neighbor entries for critical systems (versus letting them participate in ND).
Hosts for Mobile IPv6 operations should be separate systems (to protect them by separate rules).
Ensure that end nodes do not forward packets carrying a Routing extension header (Routing Header type 0 is deprecated by RFC 5095 and should be dropped outright).
Layer 3 firewalls should never forward link-local-scope multicast packets (FF02::/16).
Firewalls should support filtering based on source and destination address, IPv6 extension headers, and upper-layer protocol information.
Check your network for external packets that did not enter through your main perimeter firewall as an indication of "backdoor" connections or surreptitious tunneling.

Page 94: Introduction to ipv6 v1.3

IPv4-IPv6 Co-existence/TransitionA wide range of techniques have been identified and implemented, basically falling into three categories:

Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same devices and networks

Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions

Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices

Page 95: Introduction to ipv6 v1.3

IPv6 tunneling

Tunneling provides a way to use an existing IPv4 routing infrastructure to carry IPv6 traffic.
The key to a successful IPv6 transition is compatibility with the existing installed base of IPv4 hosts and routers.
Maintaining compatibility with IPv4 while deploying IPv6 streamlines the task of transitioning the Internet to IPv6.
While the IPv6 infrastructure is being deployed, the existing IPv4 routing infrastructure can remain functional and can be used to carry IPv6 traffic.

Page 96: Introduction to ipv6 v1.3

Ways of Tunneling

Router-to-Router: IPv6/IPv4 (dual-stack) routers interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. The tunnel spans one segment of the end-to-end path that the IPv6 packet takes.

Host-to-Router: IPv6/IPv4 hosts can tunnel IPv6 packets to an intermediary IPv6/IPv4 router that is reachable through an IPv4 infrastructure. This type of tunnel spans the first segment of the packet's end-to-end path.

Host-to-Host: IPv6/IPv4 hosts that are interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. The tunnel spans the entire end-to-end path that the packet takes.

Router-to-Host: IPv6/IPv4 routers can tunnel IPv6 packets to their final destination IPv6/IPv4 host. This tunnel spans only the last segment of the end-to-end path.

Page 97: Introduction to ipv6 v1.3

There are two types of tunnels in IPv6

1. Automatic tunnels: Automatic tunnels are set up using IPv4 address information embedded in an IPv6 address. The IPv6 address of the destination host includes the IPv4 address the packet should be tunneled to (6to4, ISATAP and Teredo addresses all work this way).

2. Configured tunnels: Configured tunnels must be set up manually. They are used with IPv6 addresses that do not have any embedded IPv4 information. The IPv6 and IPv4 addresses of both tunnel endpoints must be specified.
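The following Python example is added here and is not part of the original deck. It serves two passages: the automatic-tunnel description above, by extracting the embedded IPv4 endpoint from 6to4 (2002::/16), Teredo (2001::/32, with the client address and port stored bitwise-inverted) and ISATAP (interface ID ::5efe:a.b.c.d) addresses; and the earlier firewall advice to look for surreptitious tunneling, by flagging IPv4 flows that carry protocol 41 (IPv6-in-IPv4) or Teredo's UDP port 3544. The flow records are constructed for the example, and the function names are its own.

```python
import ipaddress

SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")
PROTO_IPV6_IN_IPV4 = 41
PROTO_UDP = 17
TEREDO_UDP_PORT = 3544


def embedded_ipv4(addr):
    """Return (kind, ipv4_endpoint) for an address that embeds a tunnel endpoint, else None."""
    a = ipaddress.IPv6Address(addr)
    n = int(a)
    if a in SIXTO4_PREFIX:
        # 2002:WWXX:YYZZ::/48 -> IPv4 is bits 16..47
        return "6to4", str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    if a in TEREDO_PREFIX:
        # 2001:0:<server>:<flags>:<~port>:<~client>; port and client are stored inverted
        client = ipaddress.IPv4Address((n & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        return "teredo", str(client)
    iid = n & 0xFFFFFFFFFFFFFFFF
    # ISATAP interface ID is 0000:5efe:<ipv4> or 0200:5efe:<ipv4> (u/g bit set), RFC 5214
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:
        return "isatap", str(ipaddress.IPv4Address(iid & 0xFFFFFFFF))
    return None


def teredo_details(addr):
    """Server IPv4 and the NAT-mapped UDP port of a Teredo address, for correlation with flow logs."""
    n = int(ipaddress.IPv6Address(addr))
    server = str(ipaddress.IPv4Address((n >> 64) & 0xFFFFFFFF))
    port = ((n >> 32) & 0xFFFF) ^ 0xFFFF
    return server, port


def classify_ipv4_flow(proto, sport, dport):
    """Flag IPv4 flows that are carrying tunneled IPv6."""
    if proto == PROTO_IPV6_IN_IPV4:
        return "ipv6-in-ipv4 (6to4/ISATAP/configured tunnel)"
    if proto == PROTO_UDP and TEREDO_UDP_PORT in (sport, dport):
        return "teredo (UDP 3544)"
    return None


def audit(records):
    """records: (proto, src, dst, sport, dport). Returns (src, dst, finding) for each hit."""
    findings = []
    for proto, src, dst, sport, dport in records:
        if ipaddress.ip_address(src).version == 4:
            hit = classify_ipv4_flow(proto, sport, dport)
            if hit:
                findings.append((src, dst, hit))
        else:
            for addr in (src, dst):
                emb = embedded_ipv4(addr)
                if emb:
                    findings.append((src, dst, "%s address embeds IPv4 endpoint %s" % emb))
    return findings


# Constructed flow records: (protocol, src, dst, sport, dport)
RECORDS = [
    (6, "192.0.2.10", "198.51.100.5", 40000, 443),                  # ordinary IPv4 HTTPS
    (41, "192.0.2.10", "192.88.99.1", None, None),                  # protocol 41 to the 6to4 relay anycast
    (17, "192.0.2.11", "203.0.113.7", 51000, 3544),                 # Teredo to a server
    (6, "2002:c000:0201::1", "2001:db8::80", 40001, 80),            # 6to4 source
    (6, "2001:0:4136:e378:8000:63bf:3fff:fdd2", "2001:db8::80", 40002, 80),  # Teredo source
    (58, "fe80::5efe:c000:207", "ff02::1", None, None),             # ISATAP link-local source
]

if __name__ == "__main__":
    for finding in audit(RECORDS):
        print(finding)
```

Protocol 41 and UDP 3544 seen on a segment that the perimeter firewall does not police are the "backdoor" indicator the firewall slide describes: the IPv6 traffic inside them bypasses every IPv6 rule you wrote.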

Page 98: Introduction to ipv6 v1.3

Tunneling

Page 99: Introduction to ipv6 v1.3

Dual stack

A dual-stack node has both the IPv4 and the IPv6 stack enabled, and its applications can talk over either.

Page 100: Introduction to ipv6 v1.3

IPv6 translation

Address and protocol translation mechanisms such as NAT-PT (Network Address Translation – Protocol Translation) and SIIT (Stateless IP/ICMP Translation) can be used to let an IPv6 host talk to an IPv4 host by converting IPv6 packets into IPv4 packets and vice versa. NAT-PT (RFC 2766) has since been moved to historic status because of its DNS and fragmentation problems (RFC 4966); its current replacements are stateful NAT64 with DNS64 (RFC 6146, RFC 6147) and the SIIT revision in RFC 7915.

Page 101: Introduction to ipv6 v1.3

IPv6 Support – Operating Systems

Page 102: Introduction to ipv6 v1.3

IPv6 Deployment Analysis

Page 103: Introduction to ipv6 v1.3

The Impact of IPv6 on Various Network Entities

How IPv6 affects layer 2
Layer 2 switches forward frames based on MAC addresses, which are independent of IPv6. Implementing IPv6 over layer 2 networks should not need significant changes to the layer 2 switches. However, IPv6 support for protocol-based VLANs may need hardware support, and functionality such as ACLs and MLD snooping (the equivalent of IPv4 IGMP snooping) will need to take IPv6 into account.

How IPv6 affects layer 3
For layer 3 support, in addition to the basic IPv6 modules, the routing and forwarding mechanisms need to be aware of IPv6. Hence protocols such as RIPng and OSPFv3 will need to be deployed, and the hardware will need to be IPv6-capable in order to process IPv6 packets at line rate.
A significant change to hardware and software functionality will be needed in routers to support IPv6.

Page 104: Introduction to ipv6 v1.3

The Impact of IPv6 on Various Network Entities (Contd)

What IPv6 means to the desktop/hosts
The desktop operating system needs to support IPv6 in order to deploy IPv6 on hosts.
Enterprise and consumer applications need to be ported to IPv6 so that there is an application base for IPv6. New IPv6 applications will need to be developed that support end-to-end and peer-to-peer communication models on the Internet.
For hosts to communicate using IPv6, the necessary infrastructure needs to be in place to support IPv6. A transition plan needs to be formulated for the network, and the strategy determines whether the transition needs specific software support on the host or is seamless. Depending on the network topology plan, DHCPv6 or DNS (AAAA record) support may also be needed.

Page 105: Introduction to ipv6 v1.3

Deployment Issues

IPv6 technology promises to bring a number of benefits to network communications. But given the complexity of the entire IPv6 protocol family and the need for a robust infrastructure supporting the protocols, an enterprise would be wise to give thoughtful consideration to the issues surrounding IPv6 deployment.

Protecting existing investment
Enterprises need to protect their existing investment in switches, routers and hosts, so they need a strategy that maximizes the return on current equipment.

Return on investment (ROI)
IPv6 will need software and hardware upgrades on hosts, switches and routers, and may need deployment of new applications. The transition must be carefully planned, and a pilot network is typically run to evaluate the strategy. All this takes time and adds expense, so a clear business case needs to be made to trigger migration of enterprise networks to IPv6.

Page 106: Introduction to ipv6 v1.3

Deployment Issues (contd)

Network planning
IPv6 can be deployed in two ways: as completely independent IPv6 and IPv4 networks, or by overlaying IPv6 on the IPv4 network. The choice affects the IPv6 features required on hosts, switches and routers.

Instability in some IPv6 features
At the time of this deck, certain standards such as Mobile IPv6 and the flow label were not yet stable; stable standards are necessary for successful deployment, particularly to avoid interoperability issues.

Service provider support
Enterprises that require IPv6 communication over the Internet need to look into which IPv6 services and applications are offered by their service providers.

Page 107: Introduction to ipv6 v1.3

IPv6 on Windows

Full support:
Windows XP SP1 and later (Advanced Networking Pack or SP2 recommended)
Windows Server 2003 (not all applications support IPv6)

SP2 additions:
Teredo client
Host-specific relay support
IPv6 firewall

Autoconfiguration is working.

Interface numbering as shown by netsh interface ipv6 show interface:
interface 1 – loopback
interface 2 – ISATAP interface
interface 3 – 6to4 interface
interface 4... – real network interfaces
interface 5 – Teredo interface

Page 108: Introduction to ipv6 v1.3

Thanks…