
HardCore IPv6 Routing - No Fear

BRKCRT-2000

Donnie Moss, Global Solutions Architect

CCIE#14074


© 2014 Cisco and/or its affiliates. All rights reserved. BRKCRT-2000 Cisco Public

Agenda

• Introduction

• IPv6 Basics

• IPv6 Addressing Best Practices

• IPv6 Network Side

• IPv6 Routing Protocol Configuration

• What Next?

• Conclusion


IPv6 Certification Agenda

• CCNA

• Describe the technological requirements for running IPv6 in conjunction with IPv4 (including: protocols, dual stack, tunneling, etc.).

• Describe IPv6 addresses


IPv6 Certification Agenda

CCNP

• Implement an IPv6 based solution, given a network design and a set of requirements

– Determine network resources needed for implementing IPv6 on a network

– Create an IPv6 implementation plan

– Create an IPv6 verification plan

– Configure IPv6 routing

– Configure IPv6 interoperation with IPv4

– Verify IPv6 solution was implemented properly using show and debug commands

– Document verification results for an IPv6 implementation plan

• Implement an IPv4 or IPv6 based redistribution solution

– Create a redistribution implementation plan based upon the results from a redistribution analysis

– Create a redistribution verification plan

– Configure a redistribution solution

– Verify that a redistribution was implemented

– Document results of a redistribution implementation and verification plan

– Identify the differences between implementing an IPv4 and IPv6 redistribution solution


IPv6 Certification Agenda

CCIE

• Implement IPv6

– Implement IP version 6 (IPv6) addressing and different addressing types

– Implement IPv6 neighbor discovery

– Implement basic IPv6 functionality protocols

– Implement tunneling techniques

– Implement OSPF version 3 (OSPFv3)

– Implement EIGRP version 6 (EIGRPv6)

– Implement filtering and route redistribution

• Implement IPv6 multicast, PIM, and related multicast protocols, such as Multicast Listener Discovery (MLD)


IPv6 Basics


Short History Of IP

Timeline, 1990 to 2000:

Prediction of the exhaustion of IPv4 Class B by 1994.

ROAD group formed to address routing.

Prediction of the exhaustion of IPv4 addresses by 2005-2011.

IPng Proposals solicitation (RFC 1550).

CATNIP, SIPP, TUBA analyzed. SIPP+ chosen. IPng wg started.

First specification: RFC 1883.

First attempt for provider-based address format.

First IPv6 exchange: 6tap.

Registries assign IPv6 prefixes. IPv6Forum formed.

Major vendors bundle IPv6 in their mainstream product line.

6bone started.


What is an IPv6 address?

• IPv6 Addresses are 128 Bits (IPv4 was 32)

– Each Address is Broken into 16 Octets

– Each Pair of Octets is called a group

• Address numbers are HEX

– Valid Characters are 0-9 and A-F

– Lower case is used to avoid confusion

– Addresses are 4 Hex Characters per Group

– Each Group is Separated by a :

• Example: abf1:dc71:0000:0000:0000:8375:7887:1109:0510


IPv6 Addresses

• IPv6 addresses are 128 bits long

– 8 groups of four HEX characters

– Separated by a colon (:)

– 50% for networks, 50% for interfaces (to support future EUI-64 MAC functionality)

Format: nnnn:nnnn:nnnn:ssss:xxxx:xxxx:xxxx:xxxx

– nnnn:nnnn:nnnn = Global Routing Prefix (3 bits, 48 bits)

– ssss = Subnet ID (48 – 64 bits)

– xxxx:xxxx:xxxx:xxxx = Host

Global Unicast Identifier Example: 2400:0000:134A:00A1:0000:0000:0000:8A21 (Network Portion 2400:0000:134A:00A1, Interface ID 0000:0000:0000:8A21)

Abbreviated Format: 2400:0:134A:A1::8A21


What is an IPv6 address?

• When noting an IPv6 address with a port number, [square brackets] go around the address

– Example: [d3f1:0071:0000:0000:0000:8375:7887:1109:0510]:80

• Those are long addresses?

– To shorten an address, the longest run of all zeros can be shortened to ::

• That reduces our example to: d3f1:0071::8375:7887:1109:0510/128

– To shorten more, leading “zeros” from each group can be omitted

• That reduces our example to: d3f1:0071::8375:7887:1109:510/128


Are all addresses created equal?

• Types of IPv6 Address

– Unicast

• One to one communication

• Ex: Client to Server

– Multicast

• One to many (assigned grouping)

• Example: Video Server to a group of clients

– Anycast

• One to many (assigned grouping)

• Could be used to find ‘nearest’ service

– NO BROADCAST IN IPv6


Special IPv6 Address

• Default Route

– IPv4: 0.0.0.0/0

– IPv6: ::/0

• Loop Back Address

– IPv4: 127.0.0.1

– IPv6: ::1/128

Type                    Binary Prefix         IPv6 Notation
Unspecified SRC         00 … 0 (128 bits)     ::/128
Loopback                00 … 1 (128 bits)     ::1/128
Multicast               1111 1111             FF00::/8
Link-local unicast      1111 1110 10          FE80::/10
Unique local unicast    1111 110              FC00::/7
Global unicast          Everything else       Currently allocated space is 2000::/3


Multiple Addresses Per Interface

• An IPv6 host interface requires the following IPv6 addresses for proper operation:

– A link-local address

– Loopback address

– All-nodes multicast address

– Any additional Global and/or ULA unicast and anycast addresses (configured automatically or manually)

– One Solicited-node multicast address for each of its unicast and anycast addresses

– Multicast addresses of any other groups to which the host belongs


IPv6 Privacy Extensions (RFC 3041/4941)

• IEEE 24 bits OUI can be used to identify hardware

– http://standards.ieee.org/regauth/oui/oui.txt

• Temporary addresses for IPv6 host client application, e.g. web browser

– Inhibit device/user tracking

– Random 64 bit interface ID, then run Duplicate Address Detection before using it

– Rate of change based on local policy (recommended is 1 day default min is 7 days)

– Now on by default in Win 7/8 and supported in OS X 10.8 Mountain Lion

[Figure: address 2400:0xxx:xxxx:ssss followed by the Interface ID, marked with /12, /32, /48 and /64 boundaries; the Interface ID is labelled RFC4941.]

Recommendation: Use Privacy Extensions for External Communication but not for Internal Networks (Troubleshooting and Attack Trace Back)


Address Allocation

• ISPs are being allocated /32’s

• Customers are being allocated /48’s

– Same as /16 in v4 terms

• Residential Customers are being assigned a /56

– 256 networks per home


Allocated Real World Usage

2^128 addresses total

2000::/3 is actually allocated

That means 2^125 addresses for Global Unicast Addressing

All networks are at least /64’s per standard

125 – 64 = 61. So 2^61 possible networks in the currently allocated global space.

2^61 = 2,305,843,009,213,693,952 or 2.3 QUINTILLION networks.

/48 is typical allocation to enterprise customer (-3 for “set” bits)

2^45 = 35,184,372,088,832 or 35 TRILLION enterprises

In comparison, the current IPv4 BGP table is ONLY 400,000 routes and people complain!


PA and PI Allocation Process

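[Figure: two allocation chains. Provider Assigned: IANA (2000::/3) -> Registries (/12) -> ISP Org (/32) -> Level Four Enterprise (/48). Provider Independent: IANA (2000::/3) -> Registries (/12) -> Level Four Enterprise (/48).]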


IPv6 Aggregation

[Figure: the APNIC region of the IPv6 Internet (2400::/12) contains an ASEAN ISP holding 2401:04A0::/32. Customer A and Customer B are assigned 2401:04A0:0001:/48 and 2401:04A0:0002:/48. The ISP only announces the /32 prefix.]

– Larger address space enables:

• Aggregation of prefixes announced in the global routing table

• Efficient and scalable routing

– In theory! (In 1995 Theory!)


IPv6 Multihoming


LIR Allocation Strategies (ISPs)

• Your LIR (ISP) is assigned 2401:04FF::/32

• We wish to allocate /48’s out of the /32.

• Which are available:

– 2401:E4FF:0000 through

– 2401:E4FF:ffff

• Recall that the bit structure is:

– 0010 0100 0000 0001: 1110 0100 1111 1111:| 0000 0000 0000 0000

– 0010 0100 0000 0001: 1110 0100 1111 1111:| 1111 1111 1111 1111

• So there are 65,535 /48’s in a /32

• Same thought process as IPv4 subnetting!


Sub Allocation Strategies (ISPs)

• Some ISPs want to allocate smaller blocks to residential and/or SMEs

• We wish to allocate /56’s out of some /48’s.

• What could this look like?

– 2401:E4FF:1xxx to 1fff for residential customers

• Sums to 2401:E4FF:1000/36 for router advertisement

• Recall that the bit structure is:

– 0010 0100 0000 0001: 1110 0100 1111 1111:| 0001 0000 0000 0000

– 0010 0100 0000 0001: 1110 0100 1111 1111:| 0001 1111 1111 1111

• i.e. there are 65,535 /48’s in a /32 and 256 /56’s in a single /48

– You can sub-allocate some /48’s as /56’s for residential use and some full /48’s for corporate customer use

• If you only wanted to support residential customers there are approx. 16.7 million /56’s in an entire /32 LIR allocation (24 bits)


Enterprise Allocation Strategy

• Suppose you wish to give out /52’s from the /48 for regions

– 2401:04A8:0000 : 0 | 000 : 0000 0000 or 2401:04A8::/52

– 2401:04A8:0000 : F | fff :0000 0000 or 2401:04A8:1f00::/52

• Then you wish to divide out /56’s from the /52 for departments

– 2401:04A8:0000 : 00 | 00 : 0000 0000 or 2401:04A8::/5

– 2401:04A8:0000 : FF | ff : 0000 0000 or 2401:04A8:1f00::/56

• 8 bits for local subnets per department gives 256 networks per department of a nearly unlimited # of hosts (64 bits for hosts!)

[Figure: /32 -> /48 -> /52, 4096 subnets; /32 -> /48 -> /56, 256 subnets.]


Subnets longer than /64

• /126 or /127 for P2P links

– 2401:0468:1FE::1/126 & 2401:0468:1FE::2/126

– 2401:0468:1FE::149/127

• 2401:0468:1FE:1921:6801:5201::/96 for NAT64 Mapping (example)


Address Types Summary (review)

Type                    Binary Prefix         IPv6 Notation
Unspecified             00 … 0 (128 bits)     ::/128
Loopback                00 … 1 (128 bits)     ::1/128
Multicast               1111 1111             FF00::/8
Link-local unicast      1111 1110 10          FE80::/10
Unique local unicast    1111 110              FC00::/7
Global unicast          Everything else       Currently allocated space is 2000::/3


Required Router Addresses

• An IPv6 router interface is required to identify the following IPv6 addresses for proper operation:

– All valid host addresses

– All-Routers multicast addresses

– Subnet-router anycast addresses for all interfaces for which it is configured to act as a router (prefix:: ; interface id=0)

– Other unicast or anycast configured addresses

– All other Anycast addresses with which the router has been configured.

– All-Routers Multicast Addresses

– Multicast Addresses of all other groups to which the router belongs.


IPv6 Addresses – Examples

CR-6500-1>sh ipv6 int vlan 200
Vlan200 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::2D0:D3FF:FE81:9000
  Description: --- To Core ---
  Global unicast address(es):
    2001:DB8:12::1, subnet is 2001:DB8:12::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::5
    FF02::D
    FF02::16
    FF02::1:FF00:1
    FF02::1:FF81:9000

Callouts for the joined groups:

– FF02::1: All nodes

– FF02::2: All routers

– FF02::5: OSPF Routers

– FF02::D: All PIM Routers

– FF02::16: All MLDv2 capable Routers

– FF02::1:FF00:1 and FF02::1:FF81:9000: Solicited Node Multicast (Global, Link-Local)


IPv6 Interface Identifier

CR-IT-SW3#sh int gi 1/0/3 | in bia
GigabitEthernet1/0/3 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 000c.3a3e.82de (bia 000c.3a3e.82de)
CR-IT-SW3#
CR-IT-SW3#sh ipv6 interface gi 1/0/3
GigabitEthernet1/0/3 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::20C:3aFF:FE3E:82DE [TEN]
  Global unicast address(es):
    2001:DB8:24:0:20C:3aFF:FE3E:82DE, subnet is 2001:DB8:24::/64 [EUI/TEN]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF3E:82DE
CR-IT-SW3#
CR-IT-SW3#sh run int gi 1/0/3
!
interface GigabitEthernet1/0/3
 no switchport
 ip address 10.149.24.1 255.255.255.0
 ipv6 address 2001:DB8:24::/64 eui-64
!


Multicast Assigned Addresses

FF0x:: is reserved (x = 0..F). Inside this range, the following are assigned:

Address              Meaning             Scope
FF02::1              All nodes           Link-local
FF02::2              All routers         Link-local
FF02::9              All RIP routers     Link-local
FF02::1:FFXX:XXXX    Solicited-node      Link-local
FF05::101            All NTP servers     Site-local
FF05::1:3            All-DHCP servers    Site-local


IPv6 Multicast MAC Address Conversion

• IPv6 multicast address to MAC address:

– 33:33:(least significant 32 bits from IPv6)

[Figure: IPv6 multicast address FF02:0000:0000:0000:0000:0001:BAD:BEEF and its corresponding Ethernet address 33:33:0B:AD:BE:EF, where 33:33 is the multicast prefix for Ethernet multicast.]
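The address mappings from the last few slides (EUI-64 interface identifier, solicited-node group, 33:33 Ethernet multicast prefix) can be checked in Python. This is an added example, not part of the original deck; the function names are illustrative, and `recover_mac` shows why the Privacy Extensions slide treats EUI-64 addresses as hardware-identifying and useful for internal trace back.

```python
import ipaddress


def parse_mac(text):
    """Accept 000c.3a3e.82de, 00:0c:3a:3e:82:de or 00-0c-3a-3e-82-de; return 6 bytes."""
    digits = "".join(ch for ch in text if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """Modified EUI-64: split the MAC, insert FF:FE, flip the universal/local bit."""
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def address_from_prefix(prefix, interface_id):
    """Combine a /64 prefix (fe80::/64 or a global /64) with a 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing expects a /64 prefix")
    return ipaddress.IPv6Address(
        int(net.network_address) | int.from_bytes(interface_id, "big"))


def solicited_node_group(address):
    """FF02::1:FFXX:XXXX, where XX:XXXX is the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def ethernet_multicast_mac(group):
    """33:33 followed by the least significant 32 bits of the IPv6 multicast address."""
    group = ipaddress.IPv6Address(group)
    if not group.is_multicast:
        raise ValueError(f"{group} is not in FF00::/8")
    low32 = (int(group) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


def recover_mac(address):
    """Return the MAC behind an EUI-64 style interface ID, or None if it does not look like one.

    Heuristic: a random (privacy) interface ID can contain FF:FE in the middle by chance.
    """
    iid = (int(ipaddress.IPv6Address(address)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    # Values taken from the "IPv6 Interface Identifier" slide output.
    iid = eui64_interface_id(parse_mac("000c.3a3e.82de"))
    link_local = address_from_prefix("fe80::/64", iid)
    print("link-local      ", link_local)
    print("global          ", address_from_prefix("2001:db8:24::/64", iid))
    group = solicited_node_group(link_local)
    print("solicited-node  ", group)
    print("Ethernet dst MAC", ethernet_multicast_mac(group))
    print("MAC recovered   ", recover_mac(link_local))
    # Windows 7 temporary address from the netsh output later in the deck.
    print("privacy address ", recover_mac("2001:db8:9:cafe:a133:5fb8:31df:864a"))
```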


Subnetting Techniques

• Similar to IPv4 Subnetting

• Make addresses meaningful!

– Base Address on Location

– Type of Service

– User community

• Now we are working with 128 bits instead of 32

• We are also using HEX not BINARY!


Subnetting Example

• We are assigned 2011:0524:0000:0000::/48

• Goal: Divide this into eight subnets.

• Solution: use bits 49, 50, and 51 as the ‘subnet bits’

– First Three Bits of the first character in the fourth group

– 2011:0524:0000:0000::/48


Subnet

Subnet    Binary    Group Binary    HEX
1         000       0000            0
2         001       0010            2
3         010       0100            4
4         011       0110            6
5         100       1000            8


Address Break Down

Subnet

2011:0524:0000:0000::/48

2011:0524:0000:2000::/48

2011:0524:0000:4000::/48

2011:0524:0000:6000::/48

2011:0524:0000:8000::/48

2011:0524:0000:A000::/48

2011:0524:0000:C000::/48

2011:0524:0000:E000::/48
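The bit arithmetic behind this subnetting example and the earlier LIR and enterprise allocation slides, as an added Python example that is not part of the original deck. It generalizes to any parent and child prefix length; with three subnet bits taken from a /48, each resulting prefix has length /51. The function names and the sample host address are illustrative.

```python
import ipaddress


def carve(parent, new_prefixlen, index):
    """Return child number `index` of `parent` at length `new_prefixlen`.

    The child is the parent prefix with `index` written into the subnet bits,
    i.e. the bits between the parent's length and the new length.
    """
    parent = ipaddress.IPv6Network(parent)
    bits = new_prefixlen - parent.prefixlen
    if bits <= 0 or new_prefixlen > 128:
        raise ValueError("child prefix must be longer than the parent")
    if not 0 <= index < 2 ** bits:
        raise ValueError(f"index {index} does not fit in {bits} subnet bits")
    base = int(parent.network_address) | (index << (128 - new_prefixlen))
    return ipaddress.IPv6Network((base, new_prefixlen))


def count_children(parent, new_prefixlen):
    """How many prefixes of length `new_prefixlen` fit in `parent` (2 ** subnet bits)."""
    return 2 ** (new_prefixlen - ipaddress.IPv6Network(parent).prefixlen)


def locate(address, site, levels):
    """Map an address back to its index at each level of a hierarchical plan.

    levels=(52, 56, 64) reads a /48 site as region /52, department /56, subnet /64.
    """
    site = ipaddress.IPv6Network(site)
    address = ipaddress.IPv6Address(address)
    if address not in site:
        raise ValueError(f"{address} is outside {site}")
    value, previous, indexes = int(address), site.prefixlen, []
    for prefixlen in levels:
        width = prefixlen - previous
        indexes.append((value >> (128 - prefixlen)) & ((1 << width) - 1))
        previous = prefixlen
    return tuple(indexes)


if __name__ == "__main__":
    # Eight subnets from the /48 on the slide, using bits 49, 50 and 51.
    for i in range(8):
        print(i + 1, carve("2011:0524:0000:0000::/48", 51, i))

    # Counts used on the allocation slides.
    print("/48s in a /32:", count_children("2401:e4ff::/32", 48))
    print("/56s in a /48:", count_children("2401:e4ff:1000::/48", 56))
    print("/56s in a /32:", count_children("2401:e4ff::/32", 56))

    # Constructed host address inside the enterprise /48: region, department, subnet.
    print(locate("2401:4a8:0:3a07::1", "2401:4a8::/48", (52, 56, 64)))
```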


Host Focused IPv6


ICMPv6

• Required for IPv6 to work properly - MUST NOT BE FILTERED!!!!

• Completely Changed – note new header type

• Now includes IGMP

• Types organized as follows 0-127 – error messaging and 128-255 informational messaging

– 1 – 4 Error messages

– 128 – 129 Ping

– 130 – 132 Group membership

– 133 – 137 Neighbor discovery


ICMPv6 (Type Codes)

Type Description

1 Destination Unreachable

2 Packet Too Big

3 Time Exceeded

4 Parameter Problem

128 Echo Request

129 Echo Reply

130 Group Membership Query

131 Group Membership Report

132 Group Membership Reduction

133 Router Solicitation

134 Router Advertisement

135 Neighbor Solicitation

136 Neighbor Advertisement

137 Redirect


Neighbor Discovery & ICMPv6

Neighbor Discovery Types that use ICMPv6:

• DAD

• NUD

• Redirects

• Address Resolution (equivalent to ARP)

• Router Discovery


Neighbor Discovery & ICMPv6 (cont.)

• IPv4 uses ARP to resolve local addresses

– Relies on broadcasts

• IPv6 does not have the concept of broadcasts

– Still need a method to resolve local addresses

– Use solicited-node multicast instead

• IPv6 uses the following types of ICMPv6 message:

– Neighbor solicitation

– Neighbor advertisement

– Router solicitation

– Router advertisement


Autoconfiguration

• IPv6 hosts can configure their own addresses automatically

• Similar in function to IPv4 DHCP

• Two methods:

– Stateless autoconfiguration

– Stateful autoconfiguration

• Common ICMPv6 messages to both:

– Router advertisements

– Router solicitations


Router Advertisement

• Used to configure hosts

• Periodically sent to the all-nodes multicast group

• Also sent in response to a router solicitation message

• Options can contain:

– Layer 2 address of the advertising router

– On-link prefixes and lifetimes

– MTU

Message format (each row is 32 bits):

Type=134 | Code | Checksum
Hop Limit | M | O | RSV | Router lifetime
Reachable Time
Retransmit Timer
Options
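The RA layout above, decoded in Python as an added example (not part of the original deck). The sample message is constructed from the MAC address and prefix on the IPv6 Interface Identifier slide; the option type numbers follow RFC 4861, and the function names and the allow-list check are illustrative.

```python
import ipaddress
import struct

ICMPV6_RA = 134
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5  # RFC 4861 option types


def parse_ra(msg):
    """Decode an ICMPv6 Router Advertisement (ICMPv6 message only, no IPv6 header)."""
    if len(msg) < 16:
        raise ValueError("truncated Router Advertisement")
    (icmp_type, code, _checksum, hop_limit, flags,
     router_lifetime, reachable, retransmit) = struct.unpack("!BBHBBHII", msg[:16])
    if icmp_type != ICMPV6_RA or code != 0:
        raise ValueError(f"not a Router Advertisement (type={icmp_type}, code={code})")
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),      # M bit
        "other": bool(flags & 0x40),        # O bit
        "router_lifetime": router_lifetime,
        "reachable_time": reachable,
        "retransmit_timer": retransmit,
        "source_mac": None,
        "mtu": None,
        "prefixes": [],
    }
    offset = 16
    while offset < len(msg):
        if len(msg) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, units = msg[offset], msg[offset + 1]
        opt_len = units * 8                 # option length is counted in 8-octet units
        if units == 0 or offset + opt_len > len(msg):
            raise ValueError(f"bad length in option type {opt_type}")
        body = msg[offset + 2:offset + opt_len]
        if opt_type == OPT_SOURCE_LLADDR and opt_len == 8:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body)
        elif opt_type == OPT_MTU and opt_len == 8:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((body[14:30], plen), strict=False),
                "on_link": bool(pflags & 0x80),      # L flag
                "autonomous": bool(pflags & 0x40),   # A flag: usable for SLAAC
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        offset += opt_len                   # unknown option types are skipped
    return ra


def autoconfig_mode(ra):
    """What the M and O flags tell a host to do."""
    if ra["managed"]:
        return "addresses and other parameters from DHCPv6"
    if ra["other"]:
        return "addresses from advertised prefixes, other parameters from DHCPv6"
    return "addresses from advertised prefixes only"


def unexpected_items(ra, known_routers, known_prefixes):
    """Compare an RA with what the segment is supposed to advertise (operator allow-lists)."""
    findings = []
    if ra["source_mac"] not in known_routers:
        findings.append(f"router MAC {ra['source_mac']} not in allow-list")
    for item in ra["prefixes"]:
        if item["prefix"] not in known_prefixes:
            findings.append(f"prefix {item['prefix']} not in allow-list")
    return findings


def build_sample_ra():
    """Constructed sample: M=0, O=1, hop limit 64; checksum left at 0 (not verified here)."""
    header = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0x40, 1800, 0, 0)
    source = bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex("000c3a3e82de")
    mtu = struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    prefix = (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
              + ipaddress.IPv6Address("2001:db8:24::").packed)
    return header + source + mtu + prefix


if __name__ == "__main__":
    ra = parse_ra(build_sample_ra())
    print(ra)
    print(autoconfig_mode(ra))
    print(unexpected_items(ra, {"00:0c:3a:3e:82:de"},
                           {ipaddress.IPv6Network("2001:db8:24::/64")}))
```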


Router Solicitation

• Sent by hosts to locate on-link routers

• Usually sent to the all-routers multicast group

• Source address can be:

– Unspecified

– Local address

• Router solicitation message consists of five fields

Message format (each row is 32 bits):

Type=133 | Code | Checksum
Reserved
Options


Stateless Autoconfiguration

Build link-local address

Join all-nodes multicast group

Join solicited node multicast group

Send NS

My address is unique!

Send RS

No routers!

Try stateful configuration

Link-local only

Host 1


Stateless Autoconfiguration

Build link-local address

Join all-nodes multicast group

Join solicited node multicast group

Send NS

My address is unique!

Send RS

Send RA

Build on-link addresses


Stateful Autoconfiguration (1 of 2)

Build link-local address

Join all-nodes multicast group

Join solicited node multicast group

Send own NS

My address is unique!

Send RS

Send RA

(M bit = 0, O bit = 1)

Build on-link addresses


Stateful Autoconfiguration (2 of 2)

Send DHCP request to FF05::1:3 (All DHCP Servers)

Send DHCP reply (Unicast)

Read options and configure parameters


Windows 7

Windows 7 – Microsoft rebuilt the IPv6 stack for this release

• Supports:

• Selects IPv6 by default

• Neighbor discovery

• DHCPv6

• Tunneling: ISATAP, Teredo, 6to4

• Privacy Extensions enabled by default

• Firewall supports stateful IPv6 filtering

• DHCPv6 Client only additional support via external packages

For More info please see:

http://technet.microsoft.com/en-us/network/bb530961.aspx


Windows 7 – Temporary Interface Identifier

C:\>netsh int ipv6 sh addr

Interface 1: Loopback Pseudo-Interface 1
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Other Preferred infinite infinite ::1

Interface 12: isatap.{7218C71C-E509-4EF9-AB57-C08863056588}
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Other Deprecated infinite infinite fe80::5efe:10.109.109.6%12

Interface 13: Local Area Connection* 9
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Public Preferred infinite infinite 2001:0:5ef5:73bc:a2:3ac1:f592:92f9
Other Preferred infinite infinite fe80::a2:3ac1:f592:92f9%13

Interface 11: Local Area Connection
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Temporary Preferred 6d23h49m31s 6d23h49m31s 2001:db8:9:cafe:a133:5fb8:31df:864a
Public Preferred 29d23h59m49s 6d23h59m49s 2001:db8:9:cafe:b407:e685:fb14:c12d
Other Preferred infinite infinite fe80::b407:e685:fb14:c12d%11

• Windows 7 doesn’t use the EUI-64 technique by default when forming its interface identifier, but uses randomly generated interface identifiers


MAC OS X

Mac OS X 10.7 (supported from 10.4 onwards)

• Mac OS X IPv6 stack is based on the KAME project (http://www.kame.net/)

• Supports:

• IPv6 enabled by default

• GUI preferences tool or /usr/sbin/ip6 # ip6 -a | # ip6 -x

• To accept Router Advertisements sysctl -w net.inet6.ip6.accept_rtadv=1

• Privacy addresses and EUI-64 Host addresses enabled by default

• FreeBSD’s IPFW supports stateful and stateless filtering # ip6fw

• Mail, Perl, Apache, PHP, BIND (on Server ver.) all default IPv6 support

• Tunnel support for IPIP, 6to4

• DHCPv6 client mode only (hidden behind “automatic” config in GUI)

• No Server side direct solutions at this time (FreeBSD port is possible)


DUAL STACK (Default) BEHAVIOR

Unconditional (default) preference of IPv6 over IPv4

If the local Host client has an active IPv6 Interface:

• Client Performs both an A and an AAAA record query

• Wait for both to reply or timeout

• If the AAAA query succeeds then initiate the browser connection via IPv6

• If the AAAA query fails or times out then initiate the browser connection via IPv4

Sounds perfectly sane right? But,…


DUAL STACK BEHAVIOR ISSUES

• We must accept FOR NOW that the dual stack world is broken!

• Failure of one or the other protocol to respond causes a variety of different broken behaviors

• How long will you wait before you fall back to IPv4?

• Windows: 3 SYN packets = failure, 19 seconds

• Mac OS X 7: 11 SYN packets = failure, 75 seconds

• Linux: ≥ 11 SYN packets = failure, between 75 seconds and 180 seconds

This is BAD! But stack tuning has its own issues…

For a full explanation and lots of options germane to these issues please see:

“Analyzing Dual Stack Behavior and IPv6 Quality” By Geoff Huston & George Michaelson of APNIC

https://ripe64.ripe.net/presentations/78-2012-04-16-ripe64.pdf


Concluding Thoughts …

• IPv6 is simply an address change at layer-3. So why is it so complicated?

• This stuff was supposedly finalized in 2000. So why are there new RFCs and working groups forming every day to figure this stuff out?

• Most OSes and (x)NIXes implemented SLAAC and thought they were done. Not enough great support yet for DHCPv6

• We will have to suffer through behavior changes until the end of IPv4. My prediction is 10 yrs from now we will be about 85-95% fully converted to IPv6

• BTW we will have another round of issues to fight when we start trying to reach IPv4 legacy resources via IPv6 only hosts at the tail end of this decade of conversion


IPv6 Network Side


IPv6 Multicast


IPv4 and IPv6 Multicast Comparison

Service | IPv4 Solution | IPv6 Solution
Addressing Range | 32-bit, Class D | 128-bit (112-bit Group)
Routing | Protocol Independent, All IGPs and MBGP | Protocol Independent, All IGPs and MBGP with v6 mcast SAFI
Forwarding | PIM-DM, PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR | PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR
Group Management | IGMPv1, v2, v3 | MLDv1, v2
Domain Control | Boundary, Border | Scope Identifier
Interdomain Solutions | MSDP across Independent PIM Domains | Single RP within Globally Shared Domains

Static RP, BSR, No Auto-RP

Embedded RP


PIMv6


ipv6 multicast-routing

ipv6 pim rp-address (ipv6#)

ipv6 pim anycast-rp address (anycast#) (peer addr#)


IPv6 Quality of Service


Quality of Service

• IPv6 QoS

– Same architectural models as IPv4

– Differentiated Services (Traffic Class field)

– Integrated Services (RSVP)

• IPv6 traffic class

– Value defined per applications, same DSCP for applications over both IPv4 and IPv6

– Decision to differentiate per protocol is an operational one

• IPv6 flow label (RFC 3697)

– A new 20-bit field in the IPv6 basic header

– Its value cannot be changed by intermediate devices

– No RFC regarding flow label usage yet

• Transition

– Mapping between IPv6 DSCP & IPv4 ToS or MPLS EXP

[Figure: IPv6 basic header layout: Version | Traffic Class | Flow Label; Payload Length | Next Header | Hop Limit; Source Address; Destination Address]


Exercise with QoS

• IPv6 QoS

• This is an excellent opportunity to look at QoS as it stands currently within your network

• What will change with IPv6 deployment?

• What needs to change with IPv6 deployment?

• All of life is merely a matter of perspective!

• Match/set for dscp/precedence now v4/v6 agnostic

• Match ipv6 address is new


IPv6 Security: Access-List Filtering


Cisco IOS IPv6 Extended Access Control Lists

• Very much like in IPv4

– Filter traffic based on

  • Source and destination addresses

  • Next header presence

  • Layer 4 information

– Implicit deny all at the end of ACL

– Empty ACL means traffic allowed

– Reflexive and time based ACL

• Known extension headers (HbH, AH, RH, MH, destination, fragment) are scanned until:

– Layer 4 header found

– Unknown extension header is found

• Side note for 7600 & other switches:

– No VLAN ACL

– Port ACL on Nexus-7000, Cat 3750 (12.2(46)SE), Cat 4K (12.2(54)SG), Cat 6K (12.2(33)SXI4)


IOS IPv6 Extended ACL

• Can match on

– Upper layers: TCP, UDP, SCTP port numbers

– TCP flags SYN, ACK, FIN, PUSH, URG, RST

– ICMPv6 code and type

– Traffic class (only six bits/8) = DSCP

– Flow label (0-0xFFFFF)

• IPv6 extension header

– routing matches any RH, routing-type matches specific RH

– mobility matches any MH, mobility-type matches specific MH

– dest-option matches any, dest-option-type matches specific destination options

– auth matches AH

– Can skip AH (but not ESP) since IOS 12.4(20)T

• fragments keyword matches

– Non-initial fragments (same as IPv4)

– And the first fragment if the L4 protocol cannot be determined

• undetermined-transport keyword matches (only for deny)

– Any packet whose L4 protocol cannot be determined: fragmented or unknown extension header


Cisco IOS IPv6 ACL


• Filtering Inbound Traffic to one Specific Destination Address

[Diagram: IPv6 Internet connected through interface Serial 0 to prefix 2001:db8:2c80:1000::/64, which contains 2001:db8:2c80:1000::1 and others]

ipv6 access-list MY_ACL

remark basic anti-spoofing

deny 2001:db8:2c80:1000::/64 any

permit any 2001:db8:2c80:1000::1/128

interface Serial 0

ipv6 traffic-filter MY_ACL in


IPv6 ACL Implicit Rules - RFC 4890

• Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:

permit icmp any any nd-na

permit icmp any any nd-ns

deny ipv6 any any

• Nexus 7000 also allows RS & RA


IPv6 ACL Implicit Rules

• The beginner’s mistake is to add a deny log at the end of IPv6 ACL

! Now log all denied packets

deny IPv6 any any log

! Hey . . . I forgot about these implicit lines

permit icmp any any nd-na

permit icmp any any nd-ns

deny ipv6 any any

• Solution, explicitly add the implicit ACE

. . .

! Now log all denied packets

permit icmp any any nd-na

permit icmp any any nd-ns

deny ipv6 any any log
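The logging mistake on this slide can be reproduced offline. The following is an added example, not taken from the slides or from Cisco code: it models first-match evaluation over a small subset of ACE syntax, appends the three implicit entries listed above, and evaluates constructed packets. The names parse_ace and evaluate, the sample ACLs, and the packet addresses are assumptions made for illustration.

```python
import ipaddress

# ICMPv6 type numbers behind the ACL keywords used on the slides.
ICMP_KEYWORDS = {"router-advertisement": 134, "nd-ns": 135, "nd-na": 136}

# Entries IOS appends to every IPv6 ACL, as listed on the slide.
IMPLICIT_TAIL = (
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
)


def parse_ace(line):
    """Parse 'action proto src dst [icmp-keyword] [log]' (a subset of ACE syntax)."""
    tokens = line.lower().split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError("unsupported ACE: " + line)
    icmp_type = None
    for opt in tokens[4:]:
        if opt in ICMP_KEYWORDS:
            icmp_type = ICMP_KEYWORDS[opt]
        elif opt != "log":
            raise ValueError("unsupported option %r in: %s" % (opt, line))
    return {"action": tokens[0], "proto": tokens[1], "src": tokens[2],
            "dst": tokens[3], "icmp_type": icmp_type, "text": line}


def _addr_matches(spec, addr):
    """'any' matches everything; otherwise spec is an IPv6 prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def ace_matches(ace, pkt):
    """True when protocol, ICMPv6 type (if given) and both addresses match."""
    if ace["proto"] not in ("ipv6", pkt["proto"]):
        return False
    if ace["icmp_type"] is not None and ace["icmp_type"] != pkt.get("icmp_type"):
        return False
    return _addr_matches(ace["src"], pkt["src"]) and _addr_matches(ace["dst"], pkt["dst"])


def evaluate(acl_lines, pkt):
    """Return (action, matching line, 'explicit' or 'implicit') for the first match."""
    entries = [(parse_ace(l), "explicit") for l in acl_lines]
    entries += [(parse_ace(l), "implicit") for l in IMPLICIT_TAIL]
    for ace, origin in entries:
        if ace_matches(ace, pkt):
            return ace["action"], ace["text"], origin
    raise AssertionError("unreachable: the implicit deny matches every packet")


# Constructed sample ACLs: the mistake and the fix from the slide, each after one permit.
BROKEN_ACL = ["permit tcp any 2001:db8:2c80:1000::1/128",
              "deny ipv6 any any log"]
FIXED_ACL = ["permit tcp any 2001:db8:2c80:1000::1/128",
             "permit icmp any any nd-na",
             "permit icmp any any nd-ns",
             "deny ipv6 any any log"]

# Constructed sample packets.
NEIGHBOR_SOLICIT = {"proto": "icmp", "icmp_type": 135,
                    "src": "fe80::1", "dst": "ff02::1:ff00:2"}
ROUTER_ADVERT = {"proto": "icmp", "icmp_type": 134,
                 "src": "fe80::1", "dst": "ff02::1"}
WEB_SYN = {"proto": "tcp", "src": "2001:db8:1::10",
           "dst": "2001:db8:2c80:1000::1"}

if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        for label, pkt in (("NS", NEIGHBOR_SOLICIT), ("RA", ROUTER_ADVERT), ("TCP", WEB_SYN)):
            print(name, label, evaluate(acl, pkt))
```

With the broken ACL the neighbor solicitation hits the explicit deny before the implicit permits are ever reached, so address resolution on the link stops working even though the ACL looks like it only added logging.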


Example: Rogue RA & DHCP Port ACL


ipv6 access-list ACCESS_PORT

remark Block all traffic DHCP server -> client

deny udp any eq 547 any eq 546

remark Block Router Advertisements

deny icmp any any router-advertisement

permit any any

interface gigabitethernet 1/0/1

switchport

ipv6 traffic-filter ACCESS_PORT in

Note: Nexus-7000 and Cat 3750 12.2(46)SE, Catalyst 6500 12.2(33)SXI4, Catalyst 4500 12.2(54)SG


IPv6 Routing Protocol Configuration


Concept

• IPv6 uses a separate routing table from IPv4

• Routed vs. Routing Protocols

– Routed Protocols transmit Payload

– Routing Protocols transmit Path

– Routed Protocols do not change

  • Example: HTTP and SMTP

– Routing Protocols do change!

  • Some are unique to IPv6 (Ex: RIPng)

  • Some like ISIS are the same


Basic IPv6 Commands

• R1(config)# ipv6 unicast-routing

• R1(config-if)# ipv6 address (#)

– ipv6 enable (Link Local Only)

– ipv6 address 3ffe:b00:c18:1:260:3eff:fe47:1500/64 (Full Address)

– ipv6 address 3ffe:b00:c18:1::/64 eui-64 (Auto Assign on Net)

• R1(config)# ipv6 route (net/vlsm) (node#)

– ipv6 route ::/0 3ffe:b00:c18:1:260:3eff:fe47:1530

• show ipv6 neighbors

• ping (ipv6-addr)


L2 to L3 Mapping

• Don’t forget that this is another protocol!

– Any interface using manual mapping needs to be updated

– Frame-relay map ipv6 ……

– Dialer map ipv6 ……

– Etc.


First Hop Router Redundancy

HSRP for v6

• Modification to Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects

• Virtual MAC derived from HSRP group number and virtual IPv6 link-local address

GLBP for v6

• Modification to Neighbor Advertisement, Router Advertisement; GW is announced via RAs

• Virtual MAC derived from GLBP group number and virtual IPv6 link-local address

Neighbor Unreachability Detection (NUD)

• For rudimentary HA at the first hop

• Hosts use NUD “reachable time” to cycle to next known default gateway (30s by default)

[Diagram labels: HSRP Standby, HSRP Active; GLBP AVF/SVF, GLBP AVG/AVF; RA Sent, Reach-time = 5,000 msec]


Static Name to Host Address Entries

• Name to address resolution just like IPv4

– ipv6 host (name) (ipv6-address)

• Can specify up to four addresses

• You can run DHCP server and DNS server in IPv6

• No concept of secondary addresses in IPv6, all are valid options


Neighbor Discovery Configuration

[Diagram labels: routers R1 and R2, IPv6 Internet; LAN1: 3000:b00:c18:1::/64, LAN2: 3000:b00:c18:2::/64; interfaces Fa0/0, Fa0/1, Fa0/0; RA, RA]

interface FastEthernet0/0

ipv6 nd prefix 3000:b00:c18:1::/64 43200 43200

ipv6 nd ra-lifetime 0

interface FastEthernet0/1

ipv6 nd prefix 3000:b00:c18:2::/64 43200 43200

interface FastEthernet0/0

ipv6 nd prefix 3000:b00:c18:1::/64 43200 43200


Prefix Renumbering

NEW network prefix: 3ffe:b00:c18:2::/64

Deprecated prefix: 3ffe:b00:c18:1::/64

Hosts: Autoconfigured IPv6 hosts

deprecated address 3ffe:b00:c18:1:260:8ff:fede:8fbe

preferred address 3ffe:b00:c18:2:260:8ff:fede:8fbe

Router advertisements with expiration dates

Router configuration after renumbering:

interface FastEthernet0/0

ipv6 nd prefix 3ffe:b00:c18:1::/64 43200 0

ipv6 nd prefix 3ffe:b00:c18:2::/64 43200

OR:

interface FastEthernet0/0

ipv6 nd prefix 3ffe:b00:c18:1::/64 at Sep 1 2012 23:59 Sep 1 2012 23:59

ipv6 nd prefix 3ffe:b00:c18:2::/64 43200 43200


Concluding Thoughts …

• Subnetting in IPv6 is actually easier than IPv4

• Only a few Bit boundaries to worry about:

• /32 – LIR (ISP) allocations

• /48 – Enterprise allocations

• /56 – Residential allocations

• Valid subnet range – /48 - /64

• /126, /127, & /96 – Special Subnets


Routing: The IPv4 – IPv6 Parallel

RIP | RIPv2 for IPv4; RIPng for IPv6 | Distinct but similar protocols with RIPng taking advantage of IPv6 specificities
OSPF | OSPFv2 for IPv4; OSPFv3 for IPv6 | Distinct but similar protocols with OSPFv3 being a cleaner implementation that takes advantage of IPv6 specificities
IS-IS | Extended to support IPv6 | Natural fit to some of the IPv6 foundational concepts; supports Single and Multi Topology operation
EIGRP | Extended to support IPv6 (IPv6_REQUEST_TYPE, IPv6_METRIC_TYPE, IPv6_EXTERIOR_TYPE) | Some changes reflecting IPv6 characteristics
BGP | New MP_REACH_NLRI, MP_UNREACH_NLRI, AFI=2 with SAFI for Unicast/ /Label/VPN | Peering over IPv6 or IPv4 (route maps)

For all intents and purposes, IPv6 IGPs are similar to their IPv4 counterparts

IPv6 IGPs have additional features that could lead to new designs


Routing Protocols

• Static Routes

– BFD

• RIPng

– Graceful Restart and NSR

• OSPFv3

– IPv6 EH authentication

– IPSec encryption (ESP Header)

– Overloading

– Graceful Restart and NSR

– BFD (9.3)

– P2P interface (9.4)

– OSPF Rib-group for IPv6

– Realm support (IPv4 support) but without TE support

• IS-IS

– Authentication

– Unicast Mesh Groups

– Multicast Mesh Groups

– Graceful Restart and NSR

– BFD for dual stack interface (not for v6-only)

– ISIS Rib-groups for ipv6

• Multitopology IS-IS

– Unicast

– Multicast

• BGP

– Authentication

– BGP peering to IPv6 endpoints

– IPv6 routes over IPv4 peering

– IPv6 Prefix Limits

– Interface counters

– Graceful Restart and NSR

• BGPv6 supported families:

– family inet6 unicast

– family inet6 multicast

– family inet6 labeled-unicast

– Inet4 unicast (not supported)

• Routing Policy

– IPv6 multicast scoping

– IPv6 address family

– IPv6 prefixes

– IPv6 route destination address


Routing Protocols

• IPv6 PIM

– Multicast Address Support

– PIMv2

– PIM Anycast RP

– Statically Defined RP

– Embedded RP Addresses

– Source-Specific Multicast (SSM)

– Multicast Listener Discovery (v1 and v2)

– Bootstrap Router (BSR) for IPv6

– Disable IPv6 PIM independently from IPv4 (9.6)

• L3VPN Multicast

– NG MVPN: IPv6 multicast (2H2009)

• MPLS Protocols

• IPv6 Tunneling over MPLS LSPs

• RSVP-TE for IPv6 (not scheduled yet)

• LDP for IPv6 (not scheduled yet)

• MPLS VPNs

• 6PE, 6VPE

• VRF Table-label


IPv6 Routing Protocols: Static Routes


Static Route Example

R1(config)# ipv6 route fde7:0e06:ef31::/48 null0

R1#sh ipv6 route static

IPv6 Routing Table - Default - 2 entries

Codes: C - Connected, L - Local, S - Static, U - Per-user Static route

B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1

I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP

EX - EIGRP external

O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2

ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2

S FDE7:E06:EF31::/48 [1/0]

via Null0, directly connected

R1#

R1(config)# ipv6 route 2300:0106:aa23::/48 fa0/0

R1(config)#do sh ipv6 route static | begin ^S

S 2300:106:AA23::/48 [1/0]

via FastEthernet0/0, directly connected

S FDE7:E06:EF31::/48 [1/0]

via Null0, directly connected

R1(config)#


Static Options

All static parameters are optional

Parameters are like any other static route

R1(config)#ipv6 route 2300:0106:aa23::/48 fa0/0 ?

<1-254> Administrative distance

X:X:X:X::X IPv6 address of next-hop

multicast Route only usable by multicast

nexthop-vrf Nexthop IPv6 VRF

tag Tag value

unicast Route only usable by unicast

<cr>


Routing Policy

• Configured in the same way as routing policy for IPv4

– Similar match conditions and actions

– Create policy first…

– …then apply to interface (PBR), neighbor (BGP), or routing protocol

• One new match condition

– Match protocol ipv6

• Routing table built the same as always!

• Nothing new to learn for the IPv6 thought process


IPv6 Routing Protocols: OSPFv3


OSPFv3

• Changes from OSPFv2

– Per Link Processing

– Addition of flooding scope

– New Link LSA

– Handling of unknown LSA types

– Virtual Link Changes

– Authentication changes


OSPFv3

• Per Link Processing

– IPv6 uses the term “link” instead of network or subnet to indicate communication

  • Interfaces connect to links

  • Adjacencies are formed on link local addresses

– Multiple IPv6 subnets can be assigned to a single link

  • Two nodes can talk directly over a single link, even if they do not share a common IPv6 subnet

  • Network address and mask do not impact the formation of adjacencies


OSPFv3

• Flooding Scope

– Each LSA now contains two bits indicating the flooding scope

  • AS scope, LSA is flooded throughout the AS

  • Area scope, LSA is flooded only within an area

  • Link-local scope, LSA is flooded only on the local link

– These changes also impact the names of the LSAs

  • Type 3 (Summary LSA) is now called the inter-area-prefix-LSA

  • Type 4 (Autonomous System Border LSA) is now called the inter-area-router-LSA

  • Other new LSAs have been added


OSPFv3

LSA Name | LS Type code | Flooding scope | LSA Function code
Router LSA | 0x2001 | Area scope | 1
Network LSA | 0x2002 | Area scope | 2
Inter-Area-Prefix-LSA | 0x2003 | Area scope | 3
Inter-Area-Router-LSA | 0x2004 | Area scope | 4
AS-External-LSA | 0x4005 | AS scope | 5
Group-membership-LSA | 0x2006 | Area scope | 6
Type-7-LSA | 0x2007 | Area scope | 7
Link-LSA | 0x0008 | Link-local scope | 8
Intra-Area-Prefix-LSA | 0x2009 | Area scope | 9


OSPFv3

• Handling Unknown LSA Types

– Each LSA now contains an “unknown LSA” bit

  • 0: Treat this LSA as a link local

  • 1: Store and flood this LSA even if you don’t understand it

– This allows the deployment of new features in the future

  • Routers that don’t understand the new feature will simply store and forward the LSA

  • Features can be deployed at edges, within a flooding domain, etc., without the need to upgrade all routers
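The LS type codes in the OSPFv3 table and the unknown-LSA rule above both come from the same 16-bit field. The following added example (not from the slides) decodes that field, checks every table row against its bits, and applies the unknown-LSA rule. It assumes the RFC 5340 layout, which the slides do not spell out: U-bit in the top bit, two scope bits, then a 13-bit function code. Function names and the unknown type values are constructed for illustration.

```python
# Scope encoding of the two flooding-scope bits (S2 S1), per RFC 5340.
SCOPE_BITS = {
    0b00: "Link-local scope",
    0b01: "Area scope",
    0b10: "AS scope",
    0b11: "reserved",
}

# Rows of the slide's table: name -> (LS type code, flooding scope, function code).
LSA_TABLE = {
    "Router LSA": (0x2001, "Area scope", 1),
    "Network LSA": (0x2002, "Area scope", 2),
    "Inter-Area-Prefix-LSA": (0x2003, "Area scope", 3),
    "Inter-Area-Router-LSA": (0x2004, "Area scope", 4),
    "AS-External-LSA": (0x4005, "AS scope", 5),
    "Group-membership-LSA": (0x2006, "Area scope", 6),
    "Type-7-LSA": (0x2007, "Area scope", 7),
    "Link-LSA": (0x0008, "Link-local scope", 8),
    "Intra-Area-Prefix-LSA": (0x2009, "Area scope", 9),
}

KNOWN_FUNCTION_CODES = {row[2] for row in LSA_TABLE.values()}


def decode_ls_type(ls_type):
    """Split a 16-bit LS type into (U-bit, flooding scope, function code)."""
    if not 0 <= ls_type <= 0xFFFF:
        raise ValueError("LS type is a 16-bit field")
    u_bit = ls_type >> 15                       # "unknown LSA" handling bit
    scope = SCOPE_BITS[(ls_type >> 13) & 0b11]  # S2 S1 flooding-scope bits
    function_code = ls_type & 0x1FFF            # low 13 bits
    return u_bit, scope, function_code


def table_mismatches():
    """Names of table rows whose scope or function code disagrees with the bits."""
    bad = []
    for name, (code, scope, function_code) in LSA_TABLE.items():
        _, decoded_scope, decoded_fc = decode_ls_type(code)
        if (decoded_scope, decoded_fc) != (scope, function_code):
            bad.append(name)
    return bad


def effective_scope(ls_type, understood=KNOWN_FUNCTION_CODES):
    """Scope a router floods with, given the function codes it implements.

    Understood LSA: use the scope in the LS type.
    Unknown LSA, U-bit 0: treat as link-local.
    Unknown LSA, U-bit 1: store and flood as if understood.
    A reserved scope value is treated here as 'discard' (assumption of this sketch).
    """
    u_bit, scope, function_code = decode_ls_type(ls_type)
    if scope == "reserved":
        return "discard"
    if function_code in understood or u_bit == 1:
        return scope
    return "Link-local scope"


if __name__ == "__main__":
    print("table rows inconsistent with their bits:", table_mismatches())
    # Constructed LS types with function code 15, which no table row uses.
    for ls_type in (0x200F, 0xA00F, 0xC00F, 0x6001):
        print(hex(ls_type), decode_ls_type(ls_type), "->", effective_scope(ls_type))
```

From a filtering point of view, the U-bit is what lets an LSA type a router has never heard of still propagate area- or AS-wide, so LSDB audits should list unknown function codes rather than assume they stayed on one link.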


OSPFv3

• Virtual Link Requirements

– At least one global/unique local IPv6 address in the transit area

  • OSPFv3 normally sends LSAs with a link local source address

  • This won’t work over a virtual link: the packet needs to be forwarded through the intervening area

– Advertisement of a /128 prefix

  • If no /128 is available in the table, a /128 from within an existing prefix space will be used

  • This provides most-specific reachability between the endpoints of the virtual link


OSPFv3

• Authentication

– OSPFv3 currently only supports IPsec for authentication

• Group keying is painful for IPsec

• There is current work in GDOI and other spaces to make group keying work better for this space

– There is current work in the OSPF working group to allow HMAC-SHA and other forms of “in packet” authentication


OSPFv3


Router1#

interface POS1/1

ipv6 address 2001:410:FFFF:1::1/64

ipv6 enable

ipv6 ospf 100 area 0

interface POS2/0

ipv6 address 2001:B00:FFFF:1::2/64

ipv6 enable

ipv6 ospf 100 area 1

ipv6 router ospf 100

router-id 10.1.1.3

Router2#

interface POS3/0

ipv6 address 2001:B00:FFFF:1::1/64

ipv6 enable

ipv6 ospf 100 area 1

ipv6 router ospf 100

router-id 10.1.1.4

Configuration & Show Example

[Diagram: Router1 (POS 1/1, 2001:410:ffff:1::1/64, Area 0; POS 2/0, 2001:b00:ffff:1::2/64, Area 1) linked to Router2 (POS 3/0, 2001:b00:ffff:1::1/64, Area 1); routers labelled A and B]


OSPFv3

Router2#sh ipv6 ospf int pos 3/0

POS3/0 is up, line protocol is up

Link Local Address FE80::290:86FF:FE5D:A000, Interface ID 7

Area 1, Process ID 100, Instance ID 0, Router ID 10.1.1.4

Network Type POINT_TO_POINT, Cost: 1

Transmit Delay is 1 sec, State POINT_TO_POINT,

Timer intervals configured, Hello 10, Dead 40, Wait 40,

Retransmit 5

Hello due in 00:00:02

Index 1/1/1, flood queue length 0

Next 0x0(0)/0x0(0)/0x0(0)

Last flood scan length is 3, maximum is 3

Last flood scan time is 0 msec, maximum is 0 msec

Neighbor Count is 1, Adjacent neighbor count is 1

Adjacent with neighbor 10.1.1.3

Suppress hello for 0 neighbor(s)


OSPFv3

Router2#sh ipv6 ospf neighbor detail

Neighbor 10.1.1.3

In the area 1 via interface POS3/0

Neighbor: interface-id 8, link-local address

FE80::2D0:FFFF:FE60:DFFF

Neighbor priority is 1, State is FULL, 12 state changes

Options is 0x630C34B9

Dead timer due in 00:00:33

Neighbor is up for 00:49:32

Index 1/1/1, retransmission queue length 0, number of

retransmission 1

First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)

Last retransmission scan length is 2, maximum is 2

Last retransmission scan time is 0 msec, maximum is 0 msec


OSPFv3


Router2#sh ipv6 route

IPv6 Routing Table - 5 entries

Codes: C - Connected, L - Local, S - Static, R - RIP,

B – BGP, U - Per-user Static route

I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea

O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1,

OE2 - OSPF ext 2

OI 2001:410:FFFF:1::/64 [110/2]

via FE80::2D0:FFFF:FE60:DFFF, POS3/0

C 2001:B00:FFFF:1::/64 [0/0]

via ::, POS3/0

L 2001:B00:FFFF:1::1/128 [0/0]

via ::, POS3/0

L FE80::/10 [0/0]

via ::, Null0

L FF00::/8 [0/0]

via ::, Null0


Same As OSPFv2

• Similarities:

– One of the similarities is the RID

– OSPFv3 maintains a 32-bit RID that represents the router in the link-state database

– The RID is not related to an IPv6 address like it is in IPv4

– Requires explicit configuration (assuming no IPv4 addresses are present) because IPv6 addressing cannot be used


Cisco IPv6 and OSPF

• Customized globally

– R1(config)# ipv6 router ospf (#)

– R1(config-router)# area (#) range ……..

• Enabled on an interface

– R1(config-if)# ipv6 ospf (#) area-id (#)

– R1(config-if)# ipv6 ospf (#) neighbor (addr)


IPv6 and OSPF

• Authentication is interesting

– Requires IPSec be used by OSPF

– Authentication fields are no longer part of OSPF packet, but signaled to IPv6 security


IPv6 and OSPF - Security

• Two methods, AH or ESP

– ipv6 ospf authentication

– ipv6 ospf encryption

• Examples (interface config)

– ipv6 ospf authentication ipsec spi 500 md5 1234567890abcdef1234567890abcdef

– ipv6 ospf encryption ipsec spi 1001 esp null sha1 123456789A123456789B123456789C123456789D

• Examples (area config – encryption same format)

– area 0 authentication ipsec spi 422 md5 1234567890abcdef1234567890abcdef


Router ID Selection

• Router ID selection:

– IPv6 networks preserve the 32-bit router ID

• This is not an IPv4 address, it just looks like one!

– You can set RID manually under routing-options, although an existing IPv4 address can be used

• The Junos OS uses the first non-127/8 address it finds as the RID

• lo0 is the first interface activated, so a non-127/8 configured here serves as the RID

• If the Junos software does not find a suitable address on lo0, it examines the next interface activated (normally fxp0)

– IPv6 functionality should not depend on another protocol being configured, so set RID manually!


IPv6 Routing Protocols: MBGP


MP-BGP Basics

• Path Vector Protocol – Carries sequence of AS numbers indicating path

• Ties Autonomous Systems together via Peering

• Multiple address families: ipv4, ipv6, unicast, multicast

[Diagram: AS 101, AS 201 and AS 301 connected through peering]


BGP-4 Extensions for IPv6

• TCP Interaction

– BGP-4 runs on top of TCP

– This connection can be set up over either IPv4 or IPv6

• Router ID

– When no IPv4 is configured, an explicit bgp router-id needs to be configured

– It is needed as the BGP Identifier, which is used as a tie breaker and is sent within the OPEN message


Non Link Local Peering

Router A

router bgp 1
 no bgp default ipv4-unicast
 bgp router-id 1.1.1.1
 neighbor 2001:db8:ffff:2::2 remote-as 2
 address-family ipv6
  neighbor 2001:db8:ffff:2::2 activate
  network 2003:3:2::/64
  network 2003:3:3::/64

[Diagram: Router A (AS 1, :1) peers with Router B (AS 2, :2) over 2001:db8:ffff:2::/64; Router A originates network 2003:3:2::/64 and network 2003:3:3::/64]


BGP-4 Extensions for IPv6 (RFC 2545)

• BGP-4 carries only 3 pieces of information which are truly IPv4-specific:

– NLRI in the UPDATE message contains an IPv4 prefix

– NEXT_HOP path attribute in the UPDATE message contains an IPv4 address

– BGP Identifier is in the OPEN message & AGGREGATOR attribute

• To make BGP-4 available for other network layer protocols, RFC 2858 (obsoletes RFC 2283) defines multi-protocol extensions for BGP-4

– Enables BGP-4 to carry information of other protocols, e.g. MPLS, IPv6

– New BGP-4 optional and non-transitive attributes:

• MP_REACH_NLRI

• MP_UNREACH_NLRI

– Protocol independent NEXT_HOP attribute

– Protocol independent NLRI attribute


BGP-4 Extensions for IPv6

• Address Family Information (AFI) for IPv6

– AFI = 2 (RFC 1700)

– Sub-AFI = 1 Unicast

– Sub-AFI = 2 (Multicast for RPF check)

– Sub-AFI = 3 for both Unicast and Multicast

– Sub-AFI = 4 Label

– Sub-AFI = 128 VPN


BGP-4 Extensions for IPv6

• Next-hop contains a global IPv6 address or potentially a link local (for iBGP update this has to be changed to global IPv6 address with route-map)

• The value of the length of the next hop field on MP_REACH_NLRI attribute is set to 16 when only global is present and is set to 32 if link local is present as well

• Link local address as a next-hop is only set if the BGP peer shares the subnet with both routers (advertising and advertised)

[Diagram: routers B, A and C across AS1 and AS2]

BGP Overview

• Path-vector EGP that uses multiple path attributes to select the active route

– Originally designed for IPv4

– Extended to carry additional information

• Multicast

• VPNs

• IPv6

• MBGP specifications

– Multiprotocol extensions for BGP-4

• RFC 4760 (January 2007)

– Use of BGP-4 multiprotocol extensions for IPv6 interdomain routing

• RFC 2545


MP-BGP and IPv6

• Multiprotocol extensions for BGP4:

– Adds new fields to identify the type of route being advertised

– Makes it possible to carry IPv6 routes on top of IPv4 BGP sessions

• IPv6-specific extensions:

– Scoped addresses: NEXT_HOP contains a global IPv6 address and potentially a link-local address (only when there is link-local reachability with the peer)

– NEXT_HOP and NLRI are expressed as IPv6 addresses and prefixes in the multiprotocol attributes
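The next-hop length rule (16 when only a global address is present, 32 when a link-local address follows it) and the AFI/Sub-AFI values from the slides above can be checked on the wire. The following is an added example, not code from the presentation: it encodes and validates an IPv6 MP_REACH_NLRI value using the RFC 4760 field order, with the Router A addresses from this deck as constructed sample input; the link-local address fe80::1 and all function names are assumptions.

```python
import ipaddress
import struct

AFI_IPV6 = 2                                 # AFI for IPv6, as on the slide
SAFI_NAMES = {1: "unicast", 2: "multicast"}  # Sub-AFI values from the slide


def build_mp_reach(next_hops, prefixes, safi=1):
    """Encode an IPv6 MP_REACH_NLRI value: AFI, SAFI, NH length, NH, reserved, NLRI."""
    nh = b"".join(ipaddress.IPv6Address(a).packed for a in next_hops)
    out = struct.pack("!HBB", AFI_IPV6, safi, len(nh)) + nh + b"\x00"
    for prefix in prefixes:
        net = ipaddress.IPv6Network(prefix)
        nbytes = (net.prefixlen + 7) // 8    # only the significant octets are sent
        out += bytes([net.prefixlen]) + net.network_address.packed[:nbytes]
    return out


def parse_mp_reach(value):
    """Decode and validate an IPv6 MP_REACH_NLRI value; raise ValueError if malformed."""
    if len(value) < 5:
        raise ValueError("attribute too short")
    afi, safi, nh_len = struct.unpack_from("!HBB", value, 0)
    if afi != AFI_IPV6:
        raise ValueError(f"unexpected AFI {afi}")
    if nh_len not in (16, 32):
        raise ValueError(f"next-hop length {nh_len} is neither 16 nor 32")
    if len(value) < 4 + nh_len + 1:
        raise ValueError("truncated next hop")
    global_nh = ipaddress.IPv6Address(value[4:20])
    link_local = None
    if nh_len == 32:
        link_local = ipaddress.IPv6Address(value[20:36])
        if not link_local.is_link_local:
            raise ValueError("second next hop is not link-local")
    pos = 4 + nh_len + 1                     # skip the reserved octet
    prefixes = []
    while pos < len(value):
        plen = value[pos]
        nbytes = (plen + 7) // 8
        if plen > 128 or pos + 1 + nbytes > len(value):
            raise ValueError("malformed NLRI")
        raw = value[pos + 1:pos + 1 + nbytes].ljust(16, b"\x00")
        prefixes.append(str(ipaddress.IPv6Network((raw, plen), strict=False)))
        pos += 1 + nbytes
    return {
        "safi": SAFI_NAMES.get(safi, str(safi)),
        "next_hop": str(global_nh),
        "link_local": str(link_local) if link_local else None,
        "prefixes": prefixes,
    }


def sample_updates():
    """Constructed samples modelled on the Router A configuration in this deck."""
    nets = ["2003:3:2::/64", "2003:3:3::/64"]
    global_only = build_mp_reach(["2001:db8:ffff:2::1"], nets)
    # fe80::1 is a constructed link-local address for the shared-subnet case
    with_link_local = build_mp_reach(["2001:db8:ffff:2::1", "fe80::1"], nets)
    return global_only, with_link_local


if __name__ == "__main__":
    for attr in sample_updates():
        print(attr[3], parse_mp_reach(attr))
```

A receiver that rejects any other next-hop length, or a second address that is not link-local, drops malformed updates before they reach the IPv6 RIB.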


Address-Families are new RIBs

• Address families began with MBGP to separate RIB entries

• Common address-families are

– IPv6 (unicast | multicast)

– nsap

– ipv4 multicast

– vpnv4

– vpnv6

– ipv4 unicast vrf (name)

• Default is IPv4 Unicast


Prior to Address Families

router bgp 1001
 neighbor 10.1.1.4 remote-as 1001
 neighbor 10.1.1.4 update-source loopback 0
 neighbor 10.1.1.4 route-map Bob in
 neighbor 10.1.1.4 send-community
 network 10.1.100.0 mask 255.255.255.0
 network 10.1.101.0 mask 255.255.255.0
 redistribute static


Way to Think About the “Old” Way

router bgp 1001
 ! [Connections]
 neighbor 10.1.1.4 remote-as 1001
 neighbor 10.1.1.4 update-source loopback 0
 address-family ipv4
  neighbor 10.1.1.4 route-map Bob in
  neighbor 10.1.1.4 activate
  neighbor 10.1.1.4 send-community
  network 10.1.100.0 mask 255.255.255.0
  network 10.1.101.0 mask 255.255.255.0
  redistribute static


Activate Each Neighbor

• Multiple neighbors can carry some or all of the supported families

• Activate each one

• Each RIB filters separately

• Each RIB name is important for NLRI information to be kept correctly

• Each RIB/Family information is separate

• Useful for running separate info over separate links/peering information


MBGP Configuration

[Diagram: Router1 (AS 65001, 3ffe:b00:c18:2:1::F) peers with Router2 (AS 65002, 3ffe:b00:c18:2:1::1)]

Router1#

interface FastEthernet0/0
 ipv6 address 3FFE:B00:C18:2:1::F/64
!
router bgp 65001
 no bgp default ipv4-unicast
 neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
 address-family ipv6
  neighbor 3FFE:B00:C18:2:1::1 activate
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out
 exit-address-family


MBGP Prefix Bidirectional Filtering

– Filtering BGP routing updates

[Diagram: Router1 (3ffe:b00:c18:2:1::F) and Router2 (3ffe:b00:c18:2:1::1); prefixes shown: 3FFE:0B00:0001::/48, 3FFE:0300::/32, 3FFE:0B00::/24]

Router1#

router bgp 65001
 no bgp default ipv4-unicast
 neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
 address-family ipv6
  neighbor 3FFE:B00:C18:2:1::1 activate
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out
  network 3FFE:B00::/24
 exit-address-family
!
ipv6 prefix-list bgp65002in seq 5 permit 3FFE::/16 le 24
ipv6 prefix-list bgp65002out seq 5 permit 3FFE::/16 le 24


MBGP Config with Inbound Filtering

• Configure BGP to accept legal prefixes only (prefix-list)

[Diagram: local router 3ffe:b00:c18:2:1::f (AS 65001) with neighbors 3ffe:b00:c18:2:1::1 (AS 65002) and 3ffe:b00:c18:2:1::2 (AS 65003)]

router bgp 65001
 no bgp default ipv4-unicast
 neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
 neighbor 3FFE:B00:C18:2:1::2 remote-as 65003
 address-family ipv6
  neighbor 3FFE:B00:C18:2:1::1 activate
  neighbor 3FFE:B00:C18:2:1::2 activate
  neighbor 3FFE:B00:C18:2:1::1 prefix-list Legal in
  neighbor 3FFE:B00:C18:2:1::2 prefix-list Legal in
  network 3FFE:B00::/24
 exit-address-family
!
ipv6 prefix-list Legal seq 5 permit 2001::/16 le 35
ipv6 prefix-list Legal seq 10 permit 3FFE::/17 ge 24 le 24
ipv6 prefix-list Legal seq 15 permit 3FFE:8000::/17 ge 28 le 28
ipv6 prefix-list Legal seq 20 permit 2002::/16


Configuration – EIGRP

hostname R1
!
ipv6 unicast-routing
!
interface Loopback0
 no ip address
 ipv6 address 1010:AB8::/64 eui-64
 ipv6 enable
 ipv6 eigrp 1
!
ipv6 router eigrp 1
 router-id 2.2.2.2
 no shutdown
!


Troubleshooting

• show ipv6 eigrp events

• show ipv6 eigrp interfaces

• show ipv6 eigrp neighbors

• show ipv6 interface

• show ipv6 ospf

• show ipv6 route

• show ipv6 route bgp


IPv6: What's Next?


IPv4 to IPv6 Transition Challenges

• 16+ methods, possibly in combination

• Dual stack

– Consider security for both protocols

– Cross v4/v6 abuse

– Resiliency (shared resources)

• Tunnels

– Bypass firewalls (protocol 41 or UDP)

– Can cause asymmetric traffic (hence breaking stateful firewalls)


Dual Stack Host Considerations

• Host security on a dual-stack device

– Applications can be subject to attack on both IPv6 and IPv4

– Fate sharing: as secure as the least secure stack...

• Host security controls should block and inspect traffic from both IP versions

– Host intrusion prevention, personal firewalls, VPN clients, etc.

[Diagram: dual-stack client on an IPv4 IPsec VPN with no split tunneling receives a packet with an IPv6 header carrying an IPv6 exploit. Caption: Does the IPsec client stop an inbound IPv6 exploit?]


IPv6 Tunneling Summary

• RFC 1933/2893 configured and automatic tunnels

• RFC 2401 IPSec tunnel

• RFC 2473 IPv6 generic packet tunnel

• RFC 2529 6over4 tunnel

• RFC 3056 6to4 tunnel

• RFC 5214 ISATAP tunnel

• Mobile IPv6 (uses RFC 2473)

• RFC 4380 Teredo tunnels

• RFC 5569 6RD

• Only allow authorized endpoints to establish tunnels

• Static tunnels are deemed as “more secure,” but less scalable

• Automatic tunneling mechanisms are susceptible to packet forgery and DoS attacks

• These tools have the same risk as IPv4, just new avenues of exploitation

• Automatic IPv6 over IPv4 tunnels could be secured by IPv4 IPSec
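The two tunnel points made in this part of the deck (tunnels ride over protocol 41 or UDP, and only authorized endpoints should establish them) can be turned into a simple check on raw IPv4 headers. The following is an added example, not code from the presentation: the function names, the authorized-endpoint set and the sample packets are constructed, and the Teredo port 3544 comes from RFC 4380 rather than from the slides.

```python
import ipaddress
import struct

PROTO_UDP = 17
PROTO_IPV6_IN_IPV4 = 41   # the "protocol 41" encapsulation named on the slide
TEREDO_PORT = 3544        # Teredo service port (RFC 4380), not stated on the slide

# Constructed allow-list: the two ends of one statically configured tunnel.
AUTHORIZED = {ipaddress.IPv4Address("192.0.2.1"),
              ipaddress.IPv4Address("198.51.100.1")}


def ipv4_packet(src, dst, proto, payload):
    """Build a minimal IPv4 packet for the constructed samples (checksum left 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def udp(sport, dport, data=b""):
    """Build a UDP header plus data (checksum left 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(packet, authorized=AUTHORIZED):
    """Return (tunnel_kind, verdict) for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("unparsed", "drop")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return ("unparsed", "drop")
    proto = packet[9]
    frag_offset = struct.unpack_from("!H", packet, 6)[0] & 0x1FFF
    src = ipaddress.IPv4Address(packet[12:16])
    dst = ipaddress.IPv4Address(packet[16:20])
    payload = packet[ihl:]
    if proto == PROTO_IPV6_IN_IPV4:
        kind = "proto41"
    elif (proto == PROTO_UDP and frag_offset == 0 and len(payload) >= 8
          and TEREDO_PORT in struct.unpack_from("!HH", payload)):
        kind = "teredo"                      # ports are only in the first fragment
    else:
        return ("none", "pass")
    # A tunnel is acceptable only when both ends are known tunnel endpoints.
    ok = src in authorized and dst in authorized
    return (kind, "allow" if ok else "block")


def sample_verdicts():
    """Classify four constructed packets; inner IPv6 header is a 40-byte stub."""
    inner = b"\x60" + bytes(39)
    packets = [
        ipv4_packet("192.0.2.1", "198.51.100.1", PROTO_IPV6_IN_IPV4, inner),
        ipv4_packet("192.0.2.77", "203.0.113.9", PROTO_IPV6_IN_IPV4, inner),
        ipv4_packet("192.0.2.77", "203.0.113.9", PROTO_UDP, udp(51000, 3544)),
        ipv4_packet("192.0.2.77", "203.0.113.53", PROTO_UDP, udp(51000, 53)),
    ]
    return [classify(p) for p in packets]


if __name__ == "__main__":
    for verdict in sample_verdicts():
        print(verdict)
```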


DNS: Basic Ideas

• DNS in IPv6 is much like DNS in IPv4

• Keep files and delegations as simple as possible.

• Can use IPv4 as transport for DNS for now.

• Modern versions of BIND will work – BIND 9 is stable and works with IPv6.

• There is work on dynamic DNS in progress, but we don’t need to worry about that for now.


IPv6 and DNS

• Hostname to IP address

– IPv4 A record: www.abc.test. A 192.168.30.1

– IPv6 AAAA record: www.abc.test. AAAA 2001:db8:C18:1::2

• IP address to hostname

– IPv4 PTR record: 1.30.168.192.in-addr.arpa. PTR www.abc.test.

– IPv6 PTR record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR www.abc.test.


DNS Example (IPv4-Only)

• Participants: IPv4-Only Host, DNS Server

• DNS Request (h.root-servers.net) (QTYPE=A)

• IPv4 A Response (128.63.2.53)

• Sample DNS Response:

H.ROOT-SERVERS.NET. 210892 IN A 128.63.2.53


DNS Example (IPv6-Only)

• Participants (as labeled on the slide): IPv4-Only Host, DNS Server

• DNS Request (h.root-servers.net) (QTYPE=AAAA)

• IPv6 AAAA Response (2001:500:1::803f:235)

• Sample DNS Response:

H.ROOT-SERVERS.NET. 210892 IN AAAA 2001:500:1::803f:235


DNS Example (Dual-Stack)

• Participants: Dual-Stack Host, DNS Server

• DNS Request (h.root-servers.net) (QTYPE=AAAA, A)

• IPv6 AAAA Response (2001:500:1::803f:235)

• IPv4 A Response (128.63.2.53)

• Dual-stack host: "I prefer IPv6 addresses"

• Sample DNS Response:

H.ROOT-SERVERS.NET. 210892 IN AAAA 2001:500:1::803f:235

H.ROOT-SERVERS.NET. 210892 IN A 128.63.2.53


DNS Capture – Default IPv6 init

[Packet capture: A and AAAA queries for www.google.com; IPv6 transport preferred; response contains IPv4 and IPv6 addresses]


DNS Enhancements for IPv6

• RFC 3596

– DNS extensions to support IP version 6

• Name to address records

– AAAA record type (equivalent to IPv4 A record)

– Example record host1.microsoft.com IN AAAA 2001:DB8::1:DD48:AB34:D07C:3914

• Address to name records

– New reverse domain called IP6.ARPA.

– Example record for 2001:DB8::1:DD48:AB34:D07C:3914 (or 2001:0DB8:0000:0001:DD48:AB34:D07C:3914):

4.1.9.3.C.7.0.D.4.3.B.A.8.4.D.D.1.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA. IN PTR host1.microsoft.com


Name Resolution Support in Windows

• Resolution Options:

1. Entries in the Hosts file

2. DNS resolver support

3. DNS Server service support

4. DNS dynamic update

5. DNS zone transfers

6. Source and destination address selection

7. LLMNR support

8. Support for ipv6-literal.net names

9. Peer Name Resolution Protocol

10. Name Resolution Policy Table

11. DNS Security Extensions (DNSSEC)


DNS Issues

• Upgrade DNS servers to support IPv6

• Adding AAAA record for a specific server to the DNS Server requires ALL services to be IPv6 aware

– LDAP or AD IPv6 Aware

– All Services running on the Server

• Interim solution is to use a temporary name (see Google IPv6 start in 2008)

– ipv6.google.com vs. www.google.com

– This practice helps reduce the issue of unhappy dual-stack hosts by eliminating the multiprotocol response to DNS requests


Forward Lookups

• Uses AAAA records to assign IPv6 addresses to names.

• Multiple addresses possible for any given name – for example, in a multi-homed situation.

• Can assign A records and AAAA records to a given name/domain.

• (Once IPv6 is more stable globally)

• Can also assign separate domains for IPv6 and IPv4.

– BCP today.

• Don’t be afraid to experiment!


Upstream Support

• How to get IPv6?

– Tunnel Brokers

• Hurricane Electric

• RoutintHouse.com

• SixXS

• Others: http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers

– 6 to 4 Gateway
