IPv6 Deployment

Scott Hogg, CCIE #5133, CISSP, FCNE, CIPTSS
Rocky Mountain Cisco User’s Group, December 2003
2
Agenda
• Motivation for IPv6
• IPv6 Protocol Specifics
  – IPv6 Header and IPv6 Addressing
  – ICMPv6
  – QoS, Security
• DNS for IPv6
• IPv6 Routing Protocols
• IPv6 Transition Mechanisms
• IPv6 6Bone and Research Projects
• Vendor Support for IPv6 – Configuration Examples
  – Cisco, Microsoft, Sun, Linux
• Live IPv6 Technology Demonstration
• Questions and Answers
• References and Resources
3
IPv4 Deficiencies
• Address Space Limitations
• Inadequate address aggregation mechanisms
• Ballooning BGP databases
• Router memory exhaustion
• Increased forwarding table look up time
• NAT is not an optimal solution – lack of peer-to-peer model
• Broadcast is inefficient
• Uncontrolled packet fragmentation
• No inherent security
• Inadequate support for mobility
4
IPv4 Address Growth
[Figure: percentage of IPv4 addresses allocated, by year, 1980 to 2010]
Source of graph: Tony Hain, Technical Leader, Cisco Systems; Technology Director, IPv6 Forum Technical Directorate. North America Global IPv6 Summit 2003 presentation.
5
IPng
[Figure: timeline from Jan 92 to Jul 94 of the IPng proposals: IPv7 (Ullman), TP/IX, CATNIP, TUBA (Callon), ENCAPS (Hinden), IPAE, SIP (Deering), PIP (Francis), SIPP]
6
IPv6 Features
• Expanded addressing capability
• Efficient and hierarchical addressing and routing
• Auto-configuration mechanisms
• Simplification of header format
• Improved support for extensions and options
• Extensions for authentication and privacy
• Flow label capability
• Mobility
• Extensibility – future proof
• Flexible transition mechanisms
7
IPv6 Header
[Figure: IPv4 and IPv6 header layouts, 32 bits per row, with a legend marking IPv4 fields as Removed or Changed]
IPv4 Header: 20 octets, 12 fields, including 3 flag bits, + fixed max number of options
  Version | IHL | Service Type | Total Length
  Identifier | Flags | Fragment Offset
  Time to Live | Protocol | Header Checksum
  32 bit Source Address
  32 bit Destination Address
  Options and Padding
IPv6 Header: 40 octets, 8 fields, + Unlimited Chained Extension (options) Header
  Version | Class | Flow Label
  Payload Length | Next Header | Hop Limit
  128 bit Source Address
  128 bit Destination Address
8
IPv6 Header Fields
• Version:
  – Bits 0-3 (0110 equals 6)
• Traffic Class: (DiffServ RFC 2472)
  – Bits 4-11 = relative to other packets from the same source – like IPv4 TOS bits (8 bits)
• Flow Label: (currently experimental)
  – Bits 12-31 = Flow label (20 bits) identifies a packet flow that may require special handling
• Payload Length:
  – Bits 32-47 – length (16 bits) of the rest of the packet following the IPv6 header in octets
  – Payload up to 64KB (Jumbograms RFC 2675)
9
IPv6 Header Fields
• Next Header: similar to the IPv4 ‘protocol’ field
  – Bits 48-55 Next header (8 bits) – identifies the header following the IPv6 header (optional headers)
  – Indicates what type of header follows the IPv6 header
• Hop Limit: similar to the IPv4 TTL field
  – Bits 56-63 Hop limit (8 bits) - decremented by one each hop – discarded when reaches 0
  – TTL name changed since it has nothing to do with time
• Source Address
  – Bits 64-191 Source address (128 bits)
• Destination Address
  – Bits 192-319 Destination address (128 bits)
10
IPv6 Extension Headers
Next Header Field:
0 – Hop-by-Hop Options
60 – Destination Options (If Routing header is used)
43 – Routing
44 – Fragment
51 – AH
50 – ESP
60 – Destination Options
6 – TCP
17 – UDP
58 – ICMPv6
59 – None (no next header)
[Figure: option layout: Option Type (Next) (8-bits) | Option Data Length (8-bits) | Option Data (Variable Length)]
[Figure: three header chaining examples]
IPv6 Header (Next Header = 6 TCP) | TCP Header + Data
IPv6 Header (Next Header = 43 Routing) | Routing Header (Next Header = 6 TCP) | TCP Header + Data
IPv6 Header (Next Header = 43 Routing) | Routing Header (Next Header = 44 Fragment) | Fragment Header (Next Header = 6 TCP) | Fragment of TCP Header + Data
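The header fields and the chaining shown above, as an added Python example that is not part of the original slides: it decodes the fixed header by the bit offsets given on the header-field slides and follows the Next Header chain to the upper-layer protocol, which is what a packet filter has to do before it can match on TCP or UDP. The function names, the sample packets and their 2001:db8:: addresses are constructed for illustration; the header length rules come from the IPv6 and AH specifications, not from the slides.

```python
import struct
from ipaddress import IPv6Address

# Next Header values as listed on the slide.
EXTENSION = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
             50: "ESP", 51: "AH", 60: "Destination Options"}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "None"}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the 40-octet fixed header using the slides' bit offsets."""
    if len(pkt) < 40:
        raise ValueError("shorter than the 40-octet IPv6 header")
    word0, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word0 >> 28 != 6:                         # bits 0-3
        raise ValueError("version field is not 6")
    return {
        "traffic_class": (word0 >> 20) & 0xFF,   # bits 4-11
        "flow_label": word0 & 0xFFFFF,           # bits 12-31
        "payload_length": payload_len,           # bits 32-47
        "next_header": next_header,              # bits 48-55
        "hop_limit": hop_limit,                  # bits 56-63
        "src": IPv6Address(pkt[8:24]),           # bits 64-191
        "dst": IPv6Address(pkt[24:40]),          # bits 192-319
    }


def walk_chain(pkt: bytes, max_ext_headers: int = 8) -> dict:
    """Follow Next Header values until the upper-layer protocol is found."""
    nh, off, chain = parse_fixed_header(pkt)["next_header"], 40, []
    result = {"chain": chain, "upper": None, "offset": None,
              "later_fragment": False}
    while nh in EXTENSION:
        if len(chain) >= max_ext_headers:
            raise ValueError("extension header chain too long")
        chain.append(EXTENSION[nh])
        if nh == 50:                  # ESP: the rest is encrypted, stop here
            return result
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        following, len_field = pkt[off], pkt[off + 1]
        if nh == 44:                  # Fragment header is always 8 octets
            size = 8
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                result["later_fragment"] = True   # no upper-layer header here
                return result
        elif nh == 51:                # AH length is in 4-octet units, minus 2
            size = (len_field + 2) * 4
        else:                         # 8-octet units, not counting the first 8
            size = (len_field + 1) * 8
        if off + size > len(pkt):
            raise ValueError("extension header runs past end of packet")
        nh, off = following, off + size
    result["upper"] = UPPER_LAYER.get(nh, "protocol %d" % nh)
    result["offset"] = off
    return result


def sample(next_header: int, payload: bytes) -> bytes:
    """Constructed packet: documentation-prefix addresses, hop limit 64."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
            + IPv6Address("2001:db8::1").packed
            + IPv6Address("2001:db8::2").packed + payload)


def routing(next_header: int) -> bytes:
    return bytes([next_header, 0, 0, 0]) + bytes(4)      # Hdr Ext Len = 0


def fragment(next_header: int, offset_units: int) -> bytes:
    return bytes([next_header, 0]) + struct.pack("!HI", offset_units << 3, 1)


TCP_STUB = struct.pack("!HH", 49152, 80) + bytes(16)     # 20-octet TCP header

# The three chains drawn on the slide, plus a non-first fragment.
PLAIN = sample(6, TCP_STUB)
ROUTED = sample(43, routing(6) + TCP_STUB)
ROUTED_FRAG = sample(43, routing(44) + fragment(6, 0) + TCP_STUB)
LATER_FRAG = sample(44, fragment(6, 185) + bytes(20))

if __name__ == "__main__":
    for name in ("PLAIN", "ROUTED", "ROUTED_FRAG", "LATER_FRAG"):
        print(name, walk_chain(globals()[name]))
```

A filter that reads only the first Next Header value sees 43 or 44 for the last three packets and never reaches the TCP ports; a non-first fragment carries no upper-layer header at all, so it has to be handled by policy rather than by port match.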
11
IPv6 Address Types
• Unicast – (Provider Based, Local Use, future definable...) (1:1)
  – Provider Based Unicast Addresses
  – Local Use Addresses
  – IPv4 Compatible IPv6 Addresses
  – IPv4 Mapped IPv6 Addresses (new style regular IPv4)
• Anycast – assigned to more than one interface (1:Nearest)
  – When used as part of a route sequence can allow for load balancing – source selected policies
  – Allocated from the unicast space – indistinguishable from unicast addresses
  – When assigned then the nodes must be explicitly configured to know it’s an anycast interface/address
  – Router only – not used for source address
• Multicast (1:Many)
  – Including scope fields and transient/well-known flag
  – The good old ‘broadcast’ addresses are not used anymore
12
Increased IPv6 Addresses
• IPv6 Increased Src/Dst Address to 128 bits
• 2^128 = 34 X 10^37
  340,282,366,920,938,463,463,374,607,431,768,211,456 addresses
• If each IP address equaled one gram
  – IPv4 would be 1/76th the weight of the Empire State Building
  – IPv6 would be 56.7 billion X the Earth’s weight
• 67 billion billion (6.65 X 10^23) addresses per cm^2 of the Earth’s surface
• 1246 IPv6 addresses per square meter of the area of the Milky Way galaxy
• That ought to be enough!
13
IPv6 Addressing Notation
• 128 bits get converted into more readable form
  – 0011 1111 1111 1110 1001 0000 1110 0000 0000 0000 0000 0011 0000 0000 0000 0000 / 0000 0000 0000 0000 0000 0000 0101 0000 0000 0000 0000 0000 0000 0000 0000 0000
• Convert bits to hex
  – 3FFE:90E0:0003:0000:0000:0050:0000:0000
• Reduce by removing leading zeros
  – 3FFE:90E0:3:0:0:50:0:0
• Use :: to consolidate multiple zeros – only once
  – 3FFE:90E0:3::50:0:0
  – or
  – 3FFE:90E0:3:0:0:50::
• Prefix format/notation
  – 3FFE:90E0:3::/64
14
IPv6 Addressing: Format Prefix
• Reserved (::0/128) 0000 0000
• Unassigned 0000 0001
• Reserved for NSAP Allocation 0000 001
• Reserved for IPX Allocation – later deprecated 0000 010
• Unassigned 0000 011
• Unassigned 0000 1
• Unassigned 0001
• Aggregatable Global Unicast Addresses (2001::/16) 001
• Provider-Based Unicast Address 010
• Unassigned 011
• Reserved for Neutral-Interconnect-Based Unicast Addresses 100
• Unassigned 101
• Unassigned 110
• Unassigned 1110
• Unassigned 1111 0
• Unassigned 1111 10
• Unassigned 1111 110
• Unassigned 1111 1110 0
• Link Local Use Addresses (FE80::/10) 1111 1110 10
• Site Local Use Addresses (FEC0::/10) 1111 1110 11
• Multicast Addresses (FF00::/8) 1111 1111
15
Site and Link Local Addresses
• Link Local
  – Single Link Address – Never Routed
  – Used for autoconfiguration and neighbor discovery
  FE80 (10 Bits) | 00:0000:0000:0000 (54 Bits) | Interface ID (64 Bits)
• Site Local
  – Similar to RFC 1918 addresses
  – Can be divided into subnets
  FEC0 (10 Bits) | 00:0000:0000 (38 Bits) | Subnet ID (16 Bits) | Interface ID (64 Bits)
16
Interface ID – EUI-64
• IEEE Extended Unique Identifier (EUI-64)
  – MAC address mapped with FFFE
  – MAC = 00:08:74:9b:3c:f4
  – EUI-64 link-local = FE80::208:74FF:FE9B:3CF4
• Privacy Addresses (RFC3041)
  – Randomly generated
Interface ID (64 Bits): ZZ:XXXX | FFFE | YY:YYYY
ZZ = 0000 00UG
If U/L=0 then universally administered address
If U/L=1 then locally administered address
If I/G=0 then individual unicast address
If I/G=1 then group multicast address
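The MAC-to-interface-ID mapping on this slide and its reverse, as an added Python example that is not part of the original deck. It reproduces the slide's 00:08:74:9b:3c:f4 case and shows why the slide lists RFC 3041 privacy addresses next to it: an EUI-64 interface ID lets an observer tie one host together across prefixes. The function names and the OBSERVED list (2001:db8:: prefixes and the random interface ID) are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import IPv6Address
from typing import Dict, List, Optional


def mac_to_interface_id(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface ID: insert FFFE, invert the U/L bit."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def link_local_from_mac(mac: str) -> IPv6Address:
    """FE80 prefix, zero fill, then the EUI-64 interface ID."""
    return IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_interface_id(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC if the low 64 bits carry the FFFE marker, else None.

    A random interface ID matches the marker by chance about once in 65536.
    """
    iid = IPv6Address(addr.split("%")[0]).packed[8:]   # drop any %zone suffix
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)


def mac_flags(mac: str) -> Dict[str, int]:
    """The U/L and I/G bits of the first MAC octet (the slide's 0000 00UG)."""
    first = int(mac.replace("-", ":").split(":")[0], 16)
    return {"U/L": (first >> 1) & 1, "I/G": first & 1}


def correlate(addresses: List[str]) -> Dict[str, List[str]]:
    """Group observed addresses by the MAC embedded in them."""
    seen = defaultdict(list)
    for addr in addresses:
        seen[mac_from_address(addr) or "no embedded MAC"].append(addr)
    return dict(seen)


# Constructed observations: one host seen on its link and on two networks,
# plus one address with a randomly generated (privacy) interface ID.
OBSERVED = [
    "fe80::208:74ff:fe9b:3cf4%4",
    "2001:db8:11::208:74ff:fe9b:3cf4",
    "2001:db8:88::208:74ff:fe9b:3cf4",
    "2001:db8:88::5c1d:9a3e:77b0:42c6",
]

if __name__ == "__main__":
    print(link_local_from_mac("00:08:74:9b:3c:f4"))
    for mac, addrs in correlate(OBSERVED).items():
        print(mac, addrs)
```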
17
Aggregatable Global Unicast
• Provider-based addresses changed name to Aggregatable Global Unicast
  – Format Prefix (FP) = 001
  – Top-Level Aggregation ID – 8192 assigned to registries
  – Next-Level Aggregation ID – Network access providers
  – Site-Level Aggregation ID – Internal Organizational – subnets
  – Sub-TLA assignments: (RFC 2450)
  – 2001:0400::/23 ARIN
  – 2001:0200::/23 APNIC
  – 2001:0600::/23 RIPE NCC
  – 2002::/16 6to4 (RFC 3056)
  – 3FFE::/16 6Bone (RFC 2471)
001 (3 Bits) | TLA (13 Bits) | Res (8 Bits) | NLAs (24 Bits) | SLA (16 Bits) | Interface ID (64 Bits)
18
Multicast Addresses
• Flags Field:
  – Bit 0-3 = reserved must be zero
  – Bit 4 = 0 if it is a well-known multicast address – Permanently assigned
  – Bit 4 = 1 if this is a temporary multicast address – Temporary assigned
• Scope Field:
  – 1 – Node Local (Interface Local) – FF01
  – 2 – Link Local – FF02
  – 5 – Site Local – FF05
• FF01:0:0:0:0:0:0:1 - All Nodes Address
• FF01:0:0:0:0:0:0:2 - All Routers Address
• FF02:0:0:0:0:0:0:1 - All Nodes Address
• FF02:0:0:0:0:0:0:2 - All Routers Address
• FF02:0:0:0:0:0:0:5 - OSPFIGP
• FF02:0:0:0:0:0:0:6 - OSPFIGP DR
• FF02:0:0:0:0:0:0:9 - RIP Routers
FF (8 Bits) | Flags (4 Bits) | Scope (4 Bits) | Group ID (112 Bits)
19
Anycast Addresses
• Same range as aggregatable global unicast addresses
• Router interfaces have “subnet-router anycast addresses”
  Subnet Prefix (N Bits) | 0000:0000:0000 … 0000:0000:0000 (128 - N Bits)
• For Anycast addresses required to have a EUI-64 interface ID
  Subnet Prefix (64 Bits) | FD:FFFF:FFFF:FFFF (57 Bits) | Anycast ID (7 Bits)
• For all other IPv6 anycast address types
  Subnet Prefix (N Bits) | FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF (121 Bits) | Anycast ID (7 Bits)
20
ICMPv6
• More powerful than ICMPv4
• ICMPv6 uses IPv6 extension header # 58 (RFC 2463)
  – Type Description
  – 1 Destination Unreachable
  – 2 Packet Too Big
  – 3 Time exceeded
  – 4 Parameter problem
  – 128 Echo Request
  – 129 Echo Reply
  – 130 Multicast Listener Query – sent to ff02::1 (all nodes)
  – 131 Multicast Listener Report
  – 132 Multicast Listener Done – sent to ff02::2 (all routers)
  – 133 Router Solicitation (RS) – sent to ff01::2 (all routers)
  – 134 Router Advertisement (RA) – sent to ff01::1 (all nodes)
  – 135 Neighbor Solicitation (NS) – sent to ff02:0:0:0:0:1:ff00::/104
  – 136 Neighbor Advertisement (NA)
  – 137 Redirect
21
IPv6 Auto-Configuration
• IPv4 Configuration (Bootstrap/DHCP/ARP)
  – IPv4 Address, Subnet Mask, Default Gateway
  – Domain Name, Resolver
• IPv6 Configuration
  – Neighbor Discovery (stateless configuration)
  – DHCPv6 (stateful configuration)
  – Duplicate Address Detection (DAD)
  – Router/Prefix Discovery, Next-Hop Detection
  – Parameters discovery (link MTU, hop limit, …)
  – Redirect, Neighbor Unreachability Detection (NUD) (useful for default routers)
  – Advertises 6to4 site router prefixes
  – Router Renumbering (RR) Protocol
22
IPv6 Quality of Service
• QoS is required for real time services
  – Need for lower latency and jitter
  – Improved tolerance to lost packets
  – Less emphasis on re-transmission of lost data
  – More emphasis on timing relationships (time-stamping)
• 24-bit Flow Label - IDs of traffic flows
• Drop Priority field to manage conflicts
• RSVP used by routers to deal with requests
23
IPv6 Security
• IPv4 Security Problems
  1) Denial of service attacks
  2) Address spoofing
  3) Use of source routing defeats address authentication
• IPv6 Security
  1) Mandated at the OS level (IPSEC)
  2) Authentication Header (Default to MD5)
  3) Encryption (Default to DES-CBC)
  4) Security Parameter Index
  5) Repudiation features
24
Other IPv6 Features
• IPv6 requires every network link be capable of MTU of at least 576, min MTU is 1280
• IPv6 routers don’t fragment packets
• Hosts perform their own Path MTU Discovery
• Provider selection (based on policy, performance, cost, …)
• Host mobility (route to current location)
• Auto-readdressing (route to new address)
• (Use IPv6’s routing extension header)
25
IPv6 Routing Protocols
• Key to scalable routing is to use hierarchical addressing
• RIPng (RFC 2080)
• OSPFv3 (RFC 2740)
• Integrated IS-ISv6 (draft-ietf-isis-ipv6-02.txt)
• EIGRPv6 (available in 2002!)
• MP-BGP (RFC 2858 and RFC 2545)
• IDRPv6 – InterDomain Routing Protocol (ISO)
• IPv6 still uses longest-prefix matching
26
RIPng
• Distance vector, classless, hop-based routing by rumor
ipv6 unicast-routing
interface Loopback0
 ipv6 address FEC0:0:0:8::8/128
!
interface Ethernet0/0
 ipv6 address 2001:88::8/64
 ipv6 enable
 ipv6 rip RIPNG enable
 ipv6 rip RIPNG default-information originate
!
interface Serial0/1
 ipv6 address 2001:68::8/64
 ipv6 address FEC0:68::8/64
 ipv6 enable
 ipv6 rip RIPNG enable
!
ipv6 router rip RIPNG
27
OSPFv3
• Highly scalable link-state IGP
• Fundamental OSPF mechanisms and algorithms unchanged
• Packet and LSA formats are different
• Runs per-link rather than per-subnet
  – Interfaces can have multiple IPv6 addresses
• Uses FF02::5, and FF02::6
• Neighbor Authentication done with IPSec
• IPv4 RIDs, Area IDs, and LSA IDs
28
OSPFv3 Configuration
interface Ethernet 0
 description backbone interface
 ipv6 address 2001:100:1::1/64
 ipv6 enable
 ipv6 ospf 100 area 0
interface Ethernet 1
 description Area 1 interface
 ipv6 address 2001:200:2::1/64
 ipv6 enable
 ipv6 ospf 100 area 1
ipv6 router ospf 100
 router-id 10.1.1.1
 area 1 range 2001:200:FFFF:1::1/64
29
Multiprotocol BGP-4, BGP4+
• Multiprotocol Extensions for BGP-4 (RFC 2858)
• Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing (RFC 2545)
• Multiprotocol Reach/Unreach NLRIs
• Address Family Identifier (AFI=2) tells which NLRIs are used
• BGP TCP port 179 sessions can be over IPv4 or IPv6
  – BGP4+ still relies upon a stable IGP
• Next-Hop attribute must be link-local or aggregatable global unicast IPv6 address
• Configured a lot like BGP-4 for IPv4 on Cisco routers
30
BGP-4+ Configuration
interface Ethernet0
 ipv6 address 5f00:0100:0:0:1::1 80
!
router bgp 100
 no bgp default ipv4-unicast
 neighbor 5f00:0100:0:0:2::1 remote-as 101
 aggregate-address 2001:420:2000::/42 summary-only
 !
 address-family ipv6
  neighbor 5f00:0100:0:0:2::1 activate
  neighbor 5f00:0100:0:0:2::1 prefix-list BGP-IN in
  neighbor 5f00:0100:0:0:2::1 prefix-list AGGREGATE out
  network 5f00:0100:0:0:1::/40
 exit-address-family
!
ipv6 prefix-list AGGREGATE seq 5 deny 3FFE:C00::/24 ge 25
ipv6 prefix-list AGGREGATE seq 10 permit ::/0 le 48
!
ipv6 prefix-list BGP-IN seq 5 deny 5F00::/8 le 128
ipv6 prefix-list BGP-IN seq 10 deny ::/0
ipv6 prefix-list BGP-IN seq 15 deny ::/1
ipv6 prefix-list BGP-IN seq 20 deny ::/2
ipv6 prefix-list BGP-IN seq 25 deny ::/3 ge 4
ipv6 prefix-list BGP-IN seq 30 permit ::/0 le 128
31
IPv6 Security
• IPv6 Access Control Lists
  – ipv6 access-list <ACL-NAME> [permit|deny] <src-prefix[*]> | any | host <hostip> … <dest-prefix[*]> | any | host <hostip> … [log | log-input]
  – Router(config-if)# ipv6 traffic-filter <ACL-NAME> [in | out]
• IPv6 Access Classes
  – ipv6 access-list IPV6AC permit 2001:100:400::/48 any
  – line vty 0 4
  – ipv6 access-class IPV6AC in
32
DNS for IPv6
• Upgrade DNS servers first
  – DNS for IPv6 – RFC 1886
• Bind v9 supports IPv6
  – AAAA (“quad-A” = 4 X 32 = 128) simple format
  – A6 format – more complex format for business deployments
  – Use IPv6 else use IPv4 format – if both types are returned then the decision is left up to the requesting host
  – Respond based on the version number of the request packet
33
DNS for IPv6
• Nodes can have both IPv4 and IPv6 A records in forward lookup files
  – www.example.org IN A 192.0.2.1
  – www.example.org IN AAAA 3ffe:b00:1::1
• Reverse lookup files
  – .ipv6.int is deprecated, so use .ipv6.arpa, or both
  – 1.2.0.192.in-addr.arpa IN PTR www.example.org.
  – 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.0.0.b.0.e.f.f.3.ip6.arpa. IN PTR www.example.org.
• named.conf
  – listen-on {192.0.2.1;};
  – listen-on-v6 {3ffe:b00:1::1; };
  – masters {3ffe:b00:1::1;};
  – allow-transfer {3ffe:b00:1::1;};
• Client’s /etc/resolv.conf
  – nameserver 3ffe:b00:1:1::2
34
IPv6 Transition Techniques
• Dual Stack
• Tunnel/Encapsulation
  – Configured Tunnels
  – Automatic Tunnels
    • 6to4
    • ISATAP
    • Tunnel Broker with TSP
    • Teredo
• Application Layer Gateways
  – Proxy
35
Dual IP Stacks Architecture
[Figure: protocol stack: Application / TCP, UDP / IPv4 (EtherType 0x0800), IPv6 (EtherType 0x86dd) / Data Link (Ethernet II)]
• Dual-Stack Architecture – RFC 1933
• 4 different possibilities
• Ships in the night
36
Sample Cisco Configurations
Dual-Stack Router:
ipv6 unicast-routing
interface Loopback0
 ip address 200.100.1.3 255.255.255.255
 ipv6 address FEC0:0:0:8::8/128
interface Ethernet 0
 ip address 192.168.100.1 255.255.255.0
 ipv6 address 2001:100:1:1::1/64
 ipv6 enable
ipv6 route ::/0 2001:150:1::4
37
IPv6 Tunneling
• Manually configured or Automatic
• IPv6 PDUs encapsulated in IPv4 protocol 41
[Figure: dual-stack (v4/v6) nodes and routers on either side of an IPv4 (v4) network; an IPv6 packet (IPv6 | DATA) crosses it as IPv4 | IPv6 | DATA, shown for a Node-to-Node Tunnel and a Router-to-Router Tunnel]
38
Cisco Tunnel Configuration
hostname Router1
interface Tunnel 0
 ipv6 address 3ffe:b00:c18:1::3/127
 tunnel source 192.168.100.1
 tunnel destination 192.168.200.2
 tunnel mode ipv6ip

hostname Router2
interface Tunnel 0
 ipv6 address 3ffe:b00:c18:1::2/127
 tunnel source 192.168.200.2
 tunnel destination 192.168.100.1
 tunnel mode ipv6ip
39
IPv4-to-IPv6 Addresses
• IPv4-Compatible IPv6 addresses
  0000:0000:0000:0000:0000 (80 Bits) | 0000 (16 Bits) | IPv4 Address (32 Bits)
• IPv4-Mapped IPv6 addresses
  0000:0000:0000:0000:0000 (80 Bits) | FFFF (16 Bits) | IPv4 Address (32 Bits)
40
IPv6 Tunneling – 6to4
• Connection of Isolated IPv6 Domains via IPv4 Clouds Without Explicit Tunnels
• Inter-domain tunneling using IPv4 address as IPv6 site prefix; IPv6 using IPv4 as a virtual link-layer
  – IPv6 VPN over IPv4 Internet (2002::/16 prefix)
  – Automatic tunneling approach - Minimal manual configuration
  – Uses globally unique prefix comprised of the unique 6to4 TLA and the globally unique IPv4 address of the exit router.
• 6to4 Relay is the gateway between the IPv6 and IPv4 worlds
  – No NAT can exist in the path
  – 6to4 Relay may be far away from end node
  – Security issues related to an open relay
FP 001 (3 Bits) | TLA 0x0002 (13 Bits) | IPv4 Address (32 Bits) | SLA (16 Bits) | Interface ID (64 Bits)
41
6-to-4 Configuration
hostname Router1
interface Ethernet 0
 ip address 200.168.100.1 255.255.255.0
 ipv6 address 2002:c8a8:6401:1::1/64
interface Tunnel 0
 no ip address
 ipv6 unnumbered Ethernet 0
 tunnel source Ethernet 0
 tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 Tunnel0

hostname Router2
interface Ethernet 0
 ip address 200.168.200.2 255.255.255.0
 ipv6 address 2002:c8a8:c802:2::2/64
interface Tunnel 0
 no ip address
 ipv6 unnumbered Ethernet 0
 tunnel source Ethernet 0
 tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 Tunnel0
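How the 2002: prefixes in this configuration follow from the routers' IPv4 addresses, and the consistency check that the "open relay" concern on the 6to4 slide leads to, as an added Python example that is not part of the original deck. It assumes a router that compares the outer IPv4 source of a protocol 41 packet with the IPv4 address embedded in a 6to4 inner source; the function names and verdict strings are constructed for illustration.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Optional

SIX_TO_FOUR = IPv6Network("2002::/16")


def sixtofour_prefix(ipv4: str) -> IPv6Network:
    """Site prefix 2002:V4ADDR::/48 for a 6to4 router's IPv4 address."""
    packed = b"\x20\x02" + IPv4Address(ipv4).packed + bytes(10)
    return IPv6Network((IPv6Address(packed), 48))


def embedded_ipv4(ipv6: str) -> Optional[IPv4Address]:
    """IPv4 address carried in bits 16-47 of a 6to4 address, else None."""
    addr = IPv6Address(ipv6)
    if addr not in SIX_TO_FOUR:
        return None
    return IPv4Address(addr.packed[2:6])


def decapsulation_verdict(outer_src: str, inner_src: str) -> str:
    """What to do with a protocol 41 packet arriving at a 6to4 router.

    outer_src is the IPv4 source of the tunnel packet, inner_src the IPv6
    source of the packet inside it.
    """
    v4 = embedded_ipv4(inner_src)
    if v4 is None:
        # A native IPv6 source arrives through a relay, so the outer
        # address says nothing about who built the inner packet.
        return "relay"
    if not v4.is_global or v4.is_multicast:
        # 6to4 needs a globally unique IPv4 address; a private, loopback
        # or multicast one can never be a legitimate tunnel endpoint.
        return "drop: embedded IPv4 not globally unique"
    if v4 != IPv4Address(outer_src):
        # The inner source claims a site other than the one that sent it.
        return "drop: outer source does not match 6to4 prefix"
    return "accept"


if __name__ == "__main__":
    # Addresses from the Router1/Router2 configuration above.
    for router in ("200.168.100.1", "200.168.200.2"):
        print(router, "->", sixtofour_prefix(router))
    # Constructed test packets: (outer IPv4 source, inner IPv6 source).
    for outer, inner in [
        ("200.168.100.1", "2002:c8a8:6401:1::1"),   # consistent
        ("200.168.200.2", "2002:c8a8:6401:1::1"),   # inner claims Router1's site
        ("200.168.100.1", "2002:c0a8:0c01::1"),     # embeds 192.168.12.1
        ("200.168.100.1", "2001:db8::1"),           # native source via relay
    ]:
        print(outer, inner, "->", decapsulation_verdict(outer, inner))
```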
42
IPv6 Tunneling – ISATAP
• Intra-Site Automatic Tunnel Addressing Protocol
• Automatic tunneling inside an enterprise
• Creates a virtual IPv6 link over an IPv4 network
• Uses 5EFE just before the 32 bit IPv4 address bits – converted to hex
• Can use private address space
Prefix (64 Bits) | 00 00 5E FE (32 Bits) | IPv4 Address (32 Bits)
43
IPv6 Tunneling – ISATAP
interface Ethernet 0
 ip address 192.168.12.1 255.255.255.0
interface tunnel 0
 ipv6 address 3ffe:b00:ffff:3::/64 eui-64
 tunnel source Ethernet 0
 tunnel mode ipv6ip isatap
 no ipv6 nd suppress-ra
[Figure: ISATAP Tunnel across an IPv4 network between a dual-stack (v4/v6) router and an ISATAP Dual-Stack Node, leading to IPv6; endpoints labelled 192.168.12.1 / FE80::5EfE:C0A6:0C01 and 192.168.3.3 / FE80::5EfE:C0A6:0303]
44
IPv6 Tunneling – Tunnel Broker
• Tunnel Brokers use a web-based service to create a tunnel
• Connects an isolated host to IPv6 net of provider operating the tunnel broker
• Tunnel information is sent via http-ipv4
  – Tunnel managed by ISP
  – Sends scripts/configs to Dual Stack Router
[Figure: Dual-Stack Node (v4/v6), IPv4 network, Tunnel Broker and IPv6 network, with arrows labelled Tunnel Request, Tunnel Configuration and Configured Tunnel]
45
IPv6 Tunneling - Tunnel Broker
• Automation of configured tunnels
• Tunnel Setup Protocol (TSP)
• Client sends request for tunnel
• Broker is based on policies
• Broker sends tunnel information
• Broker configures its tunnel endpoint
• Client then configures its tunnel endpoint
• Client receives stable IPv6 address and prefix
• Well known free services Freenet6, Hurricane Electric, XS26, among others
• 20 different tunnel brokers exist
• Clients for Windows, BSD, Linux, Solaris, etc
• 6Bone access
46
IPv6 Tunneling – Teredo
• Called Shipworm in earlier IETF drafts
• IPv4/UDP encapsulated IPv6 packets
• Works behind an IPv4 NAT
• Reduces MTU because of UDP encap.
• Uses Teredo server, Teredo relay, and a Teredo client
• External mapping of IPv4 address and port are discovered by the Teredo server (on the external side of the NAT)
47
Other Transition Techniques
• Translation
  – NAT-PT (RFC 2766)
  – TCP-UDP Relay (RFC 3142)
  – DSTM (Dual Stack Transition Mechanism)
  – Stateless IP/ICMP Translator (SIIT)
• API
  – BIS (Bump-In-the-Stack)
  – BIA (Bump-In-the-API)
• ALG
  – SOCKS-based Gateway
  – Microsoft PortProxy
48
IPv6 Transition Techniques
• “It’s like rebuilding a car engine when the car is traveling 100 mph”
  – Service interruptions, performance degradation, longer provisioning times
• Upgrade all hosts one at a time
  – Not likely/plausible
• Enable host address autoconfiguration
  – Allows for graceful renumbering
• Dual-stack, tunneling to be used in combination
  – Translation is a last resort
• Start IPv6 at the edge and then move toward the core
• No Flag Day!
49
Wireless
• Third Generation Partnership Project (3GPP) mandated use of IPv6 for next generation wireless networks
• Universal Mobile Telecommunications System (UMTS) – Europe’s brand name for 3G
• CDMA-2000 in North America
• IDC says there will be 1.4 Billion wireless users by end of 2004
• By 2005 there could be 2 billion IP addresses required for wireless, PDAs, etc.
  – IPv4 theoretical limit is 4 Billion
• Mobile IPv6 (persistent IP address vs. persistent services)
52
6Bone
• 6Bone is a global IPv6 testbed network
• Assists in the evolution and deployment of IPv6
• Early testing of transition strategies
• IDRPv6 was original protocol – now BGP4+
• IPv6 Islands connected via configured tunnels
• Mix of Static and Dynamic Routing
• Routers only use of Native IPv6 test addresses
53
IPv6 Internet Exchange Points
• PAIX: Palo Alto
• MCI MAE: WashDC, San Jose, Chicago, Dallas, Frankfurt, Paris
• NY6IX: New York
• S-IX: NTT San Jose
• AMSIX: Amsterdam, NL
• INXS: Munich/Hamburg DE
• 6TAP: Canarie, Viagenie, ESNet
• 6iix: Telehouse - NY, LA, Santa Clara
• UK6X: Telehouse, UK
• 6TAP: STARTAP in Chicago
• 6NGIX: Seoul, South Korea
• FNIX6: Paris France
• JPIX: Japan
54
IPv6 Service Providers
[Figure: NTT/VERIO global IPv6 service availability, in two panels titled Backbone Transition and Backbone and Services]
IPv6 exchange points: NSPIXP6, PAIX, S-IX, AMS-IX, LINX, UK6X, JPNAP6, EQUI6IX
Backbone Transition:
• Before 2000: Only IPv4 (NTT/VERIO IPv4 Backbone)
• Q1 2000 ~ Q2 2003: IPv4 and IPv6 separately (NTT/VERIO IPv4 Backbone, NTT/VERIO IPv6 Backbone)
• Current: IPv4/IPv6 Dual Stack (NTT/VERIO IPv4/IPv6 Backbone)
Countries shown: Japan, Australia, United States, Spain, France, Malaysia, Philippines, Hong Kong, Germany, UK, S. Korea, Neth
56
IPv6 Vendors and Products
• Operating Systems
  – Windows 2000, XP SP1, 2003
  – Linux, BSD, Solaris 8/9, HP-UX, AIX
  – MacOS X 10.2
• Current IPv6 Applications: ping, finger, ifconfig, …, NFS, routing, FTP, Telnet, WWW, Sendmail, SMTP, POP, …
• Cisco supports IPv6 in beta releases of its IOS (IPv6 fully supported in 12.2T)
  – IOS Upgrade = Free IPv6 Support
  – Initially just basic functionality – then more features/protocols and then performance
57
Microsoft XP, 2000, 2003
• “ipv6 install” or “netsh interface ipv6 install”
• “ipv6 if” or “netsh int ipv6 show addr”
• “ping6 <ipv6addr>”
• “tracert6 <ipv6addr>”
• “pathping -6 <ipv6addr>”
• “ipv6 [-rc | -nc | -rt ]”
• “show global”
• “6to4cfg” or “netsh int ipv6 6to4 set relay”
• “ipv6 adu …” or “netsh int ipv6 add addr …”
58
Linux
• “modprobe ipv6” to load IPv6 kernel module
• Add “NETWORKING_IPV6=YES” to the /etc/sysconfig/network file
• Add “IPV6INIT=yes” to all /etc/sysconfig/network-scripts/ifcfg-eth0 files
• “service network restart”
• “ifconfig -a” or “ip -f inet6 addr show”
• “netstat --inet6”
• “route -A inet6” or “ip -f inet6 route show”
• “ping6 <ipv6addr>”
• “traceroute6 <ipv6addr>”
• “tracepath6 <ipv6addr>”
59
Sun Solaris
• IPv6 support in Solaris 8 and 9
  – Be sure to install OS with IPv6 support
• “touch /etc/hostname6.qfe0” then reboot
• “ifconfig qfe0 inet6” shows the qfe0 interface config
• “ifconfig qfe0:1 inet6” shows the qfe0:1 interface config
• “netstat -f inet6” or “netstat -rn”
• “route add -inet6”
• “ping -inet6 -i qfe0 <ipv6addr>”
• “traceroute -i qfe0 <ipv6addr>”
• “snoop -d qfe0 ip6”
60
IPv6 Advantages
• Added addresses
• Stateless Autoconfiguration
• Simplifies routing – fewer header fields
• Supports IPSec natively
• Improved Mobile IP support
• QOS support – flow label potential
• Native Multicast
• Includes Anycast
• Backward compatible
• Many transition mechanisms
• Extensible
61
IPv6 Challenges
• Something new to learn - Addresses are difficult to remember
• Larger header – More bits to read in order to get to destination address
• IPv6 protocol may seem like just a minor upgrade to IPv4
• Effort required to make transition but hopefully operational cost savings with IPv6
• End users won’t notice the improvement
• Multi-Homing is not solved
• May break older applications
• New IPv6-enabled apps will need to be developed
62
IPv6 Future
• Car manufacturers – 1 billion cars by 2010 (even just 15% of them means 150 million addresses)
  – GPS and Yellow Page Services
• Home appliances (toaster, dishwasher, video, …)
• More security problems on the IPv4 Internet
• Demand for peer-to-peer & multimedia applications
• Always-on broadband Internet access
• DOD pushing for IPv6 systems to support their operations
• Internet in every School
• Power industry and agricultural applications of IP
• Likely deployed in foreign markets (China, India, Japan, Russia, Asia, South America, Africa, …) whose registries weren’t granted larger blocks of IPv4
• VoIP – IP address for every phone?
• IPv6 infrastructure is ready now – start experimenting!
• The sooner you begin the transition, the sooner you will be done and ahead of your competition
64
IPv6 Demo
[Figure: demo network diagram: dual-stack (V4/V6) routers Den-R1, Den-R6, Den-R7 and Den-R8 with serial, Ethernet and loopback interfaces, and a Sony Vaio laptop, a Dell laptop and two Linux RedHat VMs on the Ethernet segments; routing is EIGRP for V4 and RIPng for V6]
65
IPv6 Books
• Implementing Cisco IPv6 Networks, Regis Desmeules, Cisco Press, May 2003.
• Understanding IPv6, Joseph Davies, Microsoft Press, 2003.
• IPv6 Essentials, Silvia Hagen, O’Reilly and Associates, 2002.
• Migrating to IPv6 - IPv6 in Practice: IPv6 in Practice, Marc Blanchet, John Wiley & Sons, November 2002.
• Mobile IPv6, Hesham Soliman, Addison-Wesley, March 2004.
• Configuring IPv6 for Cisco IOS, Syngress, 2002.
• Implementing IPv6: Supporting the Next Generation Internet Protocols, Mark A. Miller, John Wiley & Sons, March 2000.
• IPv6 Clearly Explained, Peter Loshin, January 1999.
• Hands-On IPv6, Marcus Goncalves, Kitty Niles, McGraw-Hill, May 1998.
• IPv6 the New Internet Protocol, Christian Huitema, Prentice Hall, January 1996.
• Internetworking IPv6 with Cisco Routers, Silvano Gai, McGraw-Hill, March, 1998.
• IPv6: The Next Generation Protocol, Stewart S. Miller, Digital Press, December 1997.