
IPv6 Program

Sample Content

DePaul IPD

Information and a sample of course content

Program Format

10-week online course

Content is split into 6 modules, released at intervals through the course; each has:

2-4 hours of instructional video

Readings, Homework

Lab exercise – typically Cisco config

24x7 e-mail to instructors / support.

Instructor chat and demonstrations

Case Study project to integrate all course technologies.

Example: Fall Schedule

Module  Module Name                 Content Available  Homework Due  Lab Due
1       Introduction to IPv6        Sept. 12           Sept. 23      Sept. 29
2       Technical Fundamentals I    Sept. 21           Oct. 3        Oct. 7
3       Technical Fundamentals II   Oct. 3             Oct. 13       Oct. 18
4       IPv6 Routing                Oct. 12            Oct. 24       Oct. 28
5       Deployment and Transition   Oct. 24            Nov. 4        Nov. 8
6       Security and the Future     Nov. 2             Nov. 11       Nov. 15

Program Instruction

Effective IPv6 training:

10-week format provides deeper understanding and better retention than short-term training seminars.

High-quality course content.

Homeworks, Labs and Case Study ensure a thorough understanding of technologies and ability to perform necessary Cisco configurations.

Additional topics needed for a specific project can be added by request.

Contact: [email protected]

IPv6 Labs

Hands-on configuration practice is essential to IPv6 learning!!

Online labs make use of CDM DLPods

Students reserve ‘pods’ of real devices, consisting of 5 routers, 3 switches, 3 hosts.

Students connect over VPN to configure devices via RDP, SSH, and Telnet/Cisco CLI.

Seven labs from Fall 2011: IPv6 Addressing, OSPF3 Configuration, MP-BGP Configuration, GRE tunnels, ISATAP tunnels, 6to4 tunnels, 6PE tunnels.

Example: 6PE Lab

All interface addresses, lab objectives and deliverables given in assignment.

Reserving Lab Time

DLPod Lab in Progress

Textbook

Excellent coverage of IPv6 technologies

Lots of Cisco configuration examples

An excellent reference to have on your shelf

Required Text: Deploying IPv6 Networks by Ciprian Popoviciu, Eric Levy-Abegnoli, Patrick Grossetete.

Optional Text:

TCP/IP Protocol Suite (4th ed.) by Behrouz A. Forouzan

Instructors

Gregory Brewster, PhD

Director, Center for Advanced Network Studies

Faculty Page

Anthony Chung, PhD

Associate Professor

Faculty Page

Jean-Philippe Labruyère, CCIE #1644

Full-Time Faculty

Faculty Page

Sample Content

High-quality content to learn IPv6

Clear explanations

Extensive figures and diagrams

Animations and color coding

Demonstrations

In the remaining slides you will find sample content from the Fall 2011/12 offering of the program.

Some diagrams are from course texts.

IPv6 Program

Module 1 Introduction to IPv6

DePaul IPD

IPv6 Program

Module 2 Technical Fundamentals I

DePaul IPD

Topics

Overview of IPv6 addressing

IPv6 Address Types and Scopes

Overview of Scope concept

Link-local

Unique Local

Global

Unicast

Overview of global allocation

Anycast

Multicast

IPv6 and Layer 2 addressing

IPv6 addresses required on a host

IPv6 Packet Format

Basic header format

Extension headers

ICMPv6

ICMPv6 Error Messages

ICMPv6 Information Messages

Source Address Selection

Some basic Cisco IPv6 Commands

Address Structure

From RFC 4291

Note: IANA unicast address assignments are currently limited to the IPv6 unicast address range of 2000::/3.

IPv6 Global Unicast Address Assignments

http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xml and http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml

[Partial table of IANA global unicast assignments]

Anycast Address

Taken from the unicast address spaces and not syntactically distinguishable from unicast addresses.

Assigned to more than one interface (typically belonging to different nodes), with the property that a packet sent to an anycast address is routed to the "nearest" interface having that address, according to the routing protocols' measure of distance. [RFC 4291]

All routers are required to support the Subnet-Router anycast address, which is formed by the subnet prefix followed by all 0s in the interface ID. A packet sent to this address is received by one of the routers on that subnet.

Multicast Address

[Diagram of multicast scopes (e.g. Interface Local)]

Some special multicast addresses:

All-nodes multicast - FF01:0:0:0:0:0:0:1 (interface local) and FF02:0:0:0:0:0:0:1 (link local)

Comparison of Error-Reporting Messages in ICMPv4 and ICMPv6

IPv6 Program

Module 3 Technical Fundamentals II

DePaul IPD

Topics

IPv6 Neighbor Discovery Protocol (NDP)

Overview / Comparison with IPv4

Router Solicit/Advertise

Stateless Address Autoconfiguration

Neighbor Solicit/Advertise

Router Selection

Address Services: DHCPv6 and DNS

IPv6-Enabled Applications

Enhanced Delivery Services

Global Multicast

Quality of Service (QoS)

IPv6 Mobility

IPv6 Stateless Autoconfiguration (animated)

[Diagram: an enterprise network with an IPv6 Router (FE80::1:1), an Ethernet Switch, a DNSv6 Server at 2107:0:0:9::1:2 and three hosts on Link 2107:0:0:1::/64. The hosts send a Router Solicit; the Router Adv. carries Network Prefix = 2107:0:0:1::/64, Gateway IP = FE80::1:1, Gateway LLA = 00:0c:1a:00:13:ad, Link MTU = 1500 bytes and DNS = 2107:0:0:9::1:2. The hosts form FE80::10 / 2107:0:0:1::10, FE80::11 / 2107:0:0:1::11 and FE80::12 / 2107:0:0:1::12, then send a Neighbor Solicit.]

DHCPv6 (animated)

[Diagram: an enterprise network with an IPv6 Router configured with "ipv6 dhcp relay destination 2107:0:0:9::1:2", an Ethernet Switch, a DHCP/DNS Server at 2107:0:0:9::1:2 and hosts on Link 2107:0:0:1::/64. The host's DHCP Req. is relayed by the router to the server; the DHCP Ack. returns IPv6 Address = 2107:0:0:1::12 and DNS = 2107:0:0:9::1:2.]

“IPv6 Brokenness”

Throughout 2010 and early 2011, early IPv6 adopters warned that simply adding an AAAA record for a web site could block out large numbers of old IPv4 customers ...

This problem was called “IPv6 Brokenness”.

Mainly fixed now, but awareness and testing essential.

Multicast Tree Types

Figure 6-2 from text.

Verifying Multicast Groups - Cisco

R1# show ipv6 interface loopback 100
Loopback100 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::222:55FF:FE18:7DE8
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:8:85A3:4290:222:55FF:FE18:7DE8, subnet is 2001:8:85A3:4290::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF18:7DE8
  MTU is 1514 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is not supported
  ND reachable time is 30000 milliseconds (using 31238)
  Hosts use stateless autoconfig for addresses.
R1#
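The [EUI] tag and the joined groups in that output can be checked by hand. The following added example (not part of the course materials) derives the modified EUI-64 interface ID, the link-local and global addresses, and the solicited-node multicast group from the MAC address 00:22:55:18:7D:E8 implied by the output above, and lists the groups a router interface with those addresses should report as joined; the MAC is inferred from the output rather than stated on the slide.

```python
import ipaddress

ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 App. A): split the 48-bit MAC, insert FF:FE in the
    middle and flip the universal/local bit (0x02) of the first octet."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def address_from_prefix(prefix: str, iid: bytes) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface ID (what [EUI] means in the show output)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def solicited_node(addr) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx from the low 24 bits of a unicast address (RFC 4291 2.7.1).
    A node must listen on this group to receive Neighbor Solicitations for the address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def expected_joined_groups(addresses, is_router=True) -> set:
    """Groups an interface must belong to: all-nodes, all-routers if it routes, and one
    solicited-node group per unicast address (addresses sharing an IID collapse to one)."""
    groups = {ALL_NODES}
    if is_router:
        groups.add(ALL_ROUTERS)
    groups.update(solicited_node(a) for a in addresses)
    return groups


if __name__ == "__main__":
    # MAC inferred from the [EUI] address in the show output (constructed for this example)
    iid = eui64_interface_id("00:22:55:18:7D:E8")
    ll = address_from_prefix("fe80::/64", iid)
    gua = address_from_prefix("2001:8:85A3:4290::/64", iid)
    print(ll, gua, sorted(str(g) for g in expected_joined_groups([ll, gua])))
```

Comparing the computed set against the "Joined group address(es)" lines is a quick way to confirm an interface really listens for the Neighbor Solicitations its addresses require.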

Verifying Multicast Groups - Windows

Win command: netsh interface ipv6 show joins

IPv6 Program

Module 4 IPv6 Routing

DePaul IPD

Topics

IPv6 packet processing and forwarding by routers

Routing option header

Configuring Static Route

Configuring routing protocols

RIPng

EIGRPv6

OSPFv3

IS-IS for IPv6

MP-BGP

Multihoming

Deployment considerations

Core

Distribution

Access

Example routing table

On Windows: netsh interface ipv6 show route

* Note – From “Understanding IPv6” by Joseph Davies

Taxonomy of Routing Protocols

RIPng

IPv4 – neighboring routers must be on the same subnet.

IPv6 – neighboring routers always share the same link-local subnet (FE80::/10), and multiple subnets can be assigned on the same interface.

IPv6 does not use broadcast, but the “all RIP routers” link-local multicast address (FF02::9).

RIPng relies on IP Authentication Header and IP Encapsulating Security Payload rather than the RIP authentication mechanism.

EIGRPv6

Example configuration:

interface Ethernet0
 ipv6 enable
 ipv6 eigrp 100

If it’s an IPv6-only router, the router ID must be manually configured:

ipv6 router eigrp 100
 router-id 10.10.10.1
 ! on classic IOS the IPv6 EIGRP process starts shut down
 no shutdown

OSPFv3

Configuration example:

interface Ethernet1/0
 ipv6 address 2001:200::2/64
 ipv6 ospf 100 area 1
end

Options:

ipv6 router ospf 100
 router-id 200.11.11.1
 area 1 range 2001::/48
 area 1 authentication ipsec spi 678 md5 1234567890ABCDEF1234567890ABCDEF

MP-BGP

BGP Deployment Example

IPv6 Program

Module 5 Deployment and Transition

DePaul IPD

IPv6 Deployment and Transition

IPv6 Deployment Scenarios

Tunnels

Manually Configured Tunnels (MCT)

Generic Routing Encapsulation (GRE) Tunnels

Teredo, TSP

ISATAP

6to4, 6rd

6PE

Translation

NAT-PT

NAT64, DNS64

Carrier Grade NAT (CGN)

Colors for Figures

In figures and diagrams, I will use the following color scheme:

IPv4 – Blue

IPv6 – Crimson

Ethernet – Green

PPP or L2TP – Purple

[Legend icons: IPv6 Router, Dual-Stack Router, IPv4 Router, IPv6 Cloud, IPv4 Cloud, IPv6 Host, Dual-Stack Host, IPv4 Host]

Scenario #1: Enterprise Client Native IPv6 Access

[Diagram: Sally at ForwardCorp, an IPv4/v6 ISP, the IPv6 Internet and an IPv6 Server; encapsulation shown as IPv6 over Eth on the LAN and IPv6 over PPP to the ISP.]

Sally works for ForwardCorp, which has upgraded all corporate workstations and routers to dual-stack.

ForwardCorp connects to an ISP providing IPv4 and IPv6 routing.

Sally can natively connect to IPv4 and IPv6 Internet services.

Enterprise Client Scenario: Tunneling through IPv4 ISP

[Diagram: Sally at ForwardCorp, an IPv4 ISP, the IPv6 Internet and an IPv6 Server; encapsulation shown as IPv6 over Eth on the LAN, IPv6 in IPv4 over PPP across the ISP (Protocol = 41) and IPv6 over PPP beyond the tunnel endpoint.]

Sally works for ForwardCorp, which has upgraded all corporate workstations and routers to dual-stack.

ForwardCorp connects to an ISP providing IPv4 routing only.

ForwardCorp may set up an IPv6-over-IPv4 tunnel between its access router and a dual-stack IPv6 Tunnel Router.

Enterprise Client Scenario: Host-Initiated Tunnel

[Diagram: Sally at ForwardCorp, an IPv4 ISP, a Tunnel Server, the IPv6 Internet and an IPv6 Server; encapsulation shown as IPv6 in IPv4 over Eth from the workstation, IPv6 in IPv4 over PPP across the ISP and IPv6 over PPP beyond the Tunnel Server.]

What if Sally has upgraded her workstation to dual-stack, but the rest of ForwardCorp is still IPv4-only?

ForwardCorp connects to an ISP providing IPv4 routing only.

Sally may set up a host-initiated automatic IPv6-over-IPv4 tunnel between her workstation and a dual-stack IPv6 Tunnel Router.

Scenario #3: Home Network Tunneling to Tunnel Server

[Diagram: Edward’s Laptop and Edward’s Wife’s Laptop on Edward’s Home (WiFi) network behind a DSL/Cable AP/Router, an IPv4 ISP, a Teredo Tunnel Server, the IPv6 Internet and an IPv6 Server.]

What if Edward’s ISP is still IPv4-only and provides no type of Access Layer tunneling?

Edward still may be able to use a host-initiated dynamic tunneling protocol that works through NAT, such as TSP or Teredo, to access a Tunnel Server somewhere in the Internet.

Scenario #4: Site-to-Site CE-CE Tunneling through IPv4 backbone

[Diagram: ForwardCorp LA and ForwardCorp NY connected across an IPv4 Backbone; encapsulation shown as IPv6 over Eth at each site and IPv6 in IPv4 over PPP across the backbone (Protocol = 41).]

ForwardCorp has two corporate sites – one in Los Angeles and one in New York.

ForwardCorp connects to an ISP providing IPv4 routing only.

ForwardCorp may set up an IPv6-over-IPv4 tunnel between the Customer Edge (CE) routers at both sites.

Scenario #5: Translation IPv6 Client to IPv4 Server

[Diagram: an IPv6-only Client at ForwardCorp LA (IPv6), an IPv6 Backbone, a NAT64 device, an IPv4 Backbone and an IPv4-only Server; encapsulation shown as IPv6 over Eth and IPv6 over PPP on the IPv6 side and IPv4 over PPP on the IPv4 side.]

If an IPv6-only Client wishes to obtain service from an IPv4-only server, then tunneling will not help.

A translation service is needed to perform IPv6/IPv4 Network Address Translation / Port Translation (NAT-PT). A NAT64 server is one possible translation service implementation.

Scenario #2: Enterprise Server – ISATAP Server

[Diagram: ForwardCorp with a Web Server, a DNS Server and an ISATAP Server, an IPv4/v6 ISP and the IPv6 Internet.]

ISATAP can be deployed by a corporation that wants to provide access to its IPv6 services to IPv6 users in the public Internet.

ISATAP – Cisco Config

Scenario #4: Site-to-Site CE-CE Tunneling using 6to4

[Diagram: ForwardCorp LA and ForwardCorp NY, each behind a 6to4 Router, connected across an IPv4 Backbone.]

ForwardCorp can use site-to-site 6to4 tunneling if they adopt 2002::/16 6to4 addressing on their sites.

Advantage over static tunnels: no additional configuration needed at these sites when additional sites are added, and access to all other 6to4 sites.

6to4 Configuration (Ex. 3-21)

! Router1
interface Tunnel2002
 ipv6 address 2002:C80F:F01::1/128
 tunnel source Ethernet0/0
 tunnel mode ipv6ip 6to4
interface Ethernet0/0
 ip address 200.15.15.1 255.255.255.0
interface Ethernet1/0
 ipv6 address 2002:C80F:F01:100::2/64
! route to other 6to4 sites
ipv6 route 2002::/16 Tunnel2002
! route to native IPv6 service
ipv6 route ::/0 2002:C058:6301::1

6rd

6rd (IPv6 Rapid Deployment) is a newer revision of the 6to4 concept developed in 2007 by Rémi Després.

Each ISP uses one of its own IPv6 prefixes for 6rd service – 2002::/16 is not used.

6rd client network prefix will be ISP prefix + IPv4 Access Address + Subnet ID::/64

ISP can “compress” the IPv4 Access Address to fewer than 32 bits by dropping leading bits that are identical within the ISP.

Operation continues as in 6to4. Access outside of the ISP network is through a 6rd Relay.

6rd addresses are indistinguishable from native IPv6 addresses on the backbone.
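The 6to4 and 6rd address derivations described above, as an added example that is not part of the course materials: it rebuilds Router1's 2002:C80F:F01::/48 from its tunnel source 200.15.15.1, recovers the IPv4 tunnel endpoint behind the 2002:C058:6301::1 relay route, and derives a 6rd delegated prefix and customer /64 using a constructed ISP prefix (2001:db8::/32) and customer access address that are not on the slides.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Site /48 from its public IPv4 address: 2002:VVVV:VVVV::/48, the 32
    address bits sitting directly after the 2002::/16 prefix (bits 80-111)."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def six_to_four_tunnel_endpoint(addr) -> ipaddress.IPv4Address:
    """IPv4 tunnel destination a 6to4 router derives from a 2002:: next hop
    (e.g. the relay 2002:C058:6301::1 in the configuration above)."""
    a = ipaddress.IPv6Address(addr)
    if a not in SIX_TO_FOUR:
        raise ValueError(f"{a} is not a 6to4 address")
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def sixrd_delegated_prefix(isp_prefix: str, ipv4: str, common_bits: int) -> ipaddress.IPv6Network:
    """6rd: ISP prefix + customer IPv4 access address, after dropping the leading
    `common_bits` that are identical for every customer of the ISP."""
    net = ipaddress.IPv6Network(isp_prefix)
    if not 0 <= common_bits <= 32:
        raise ValueError("common_bits must be between 0 and 32")
    kept = 32 - common_bits
    low = int(ipaddress.IPv4Address(ipv4)) & ((1 << kept) - 1)
    shift = 128 - net.prefixlen - kept
    if shift < 64:
        raise ValueError("ISP prefix plus IPv4 bits leave no room for a /64 Subnet ID")
    return ipaddress.IPv6Network((int(net.network_address) | (low << shift), net.prefixlen + kept))


def sixrd_subnet(delegated: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Customer /64: delegated prefix followed by the Subnet ID."""
    if not 0 <= subnet_id < (1 << (64 - delegated.prefixlen)):
        raise ValueError("subnet_id does not fit in the delegated prefix")
    return ipaddress.IPv6Network((int(delegated.network_address) | (subnet_id << 64), 64))


if __name__ == "__main__":
    # 200.15.15.1 is Router1's tunnel source above; the 6rd ISP prefix and
    # customer address 10.100.1.5 with 8 common bits are constructed for this example.
    print(six_to_four_prefix("200.15.15.1"), six_to_four_tunnel_endpoint("2002:C058:6301::1"))
    delegated = sixrd_delegated_prefix("2001:db8::/32", "10.100.1.5", 8)
    print(delegated, sixrd_subnet(delegated, 1))
```

With common_bits set to 0 and the ISP prefix set to 2002::/16, sixrd_delegated_prefix produces exactly the 6to4 layout, which is the sense in which 6rd generalizes 6to4.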

NAT-PT Example (Fig. 3-18)

DNS64 / NAT64

Wikipedia Commons: http://commons.wikimedia.org/wiki/File:NAT64.svg

[Diagram: numbered steps 1 to 6 of a v6-only client reaching h2.example.com through DNS64 and NAT64.]
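The DNS64/NAT64 exchange in that diagram, as an added example that is not part of the course materials: a DNS64 resolver hands the v6-only client a synthesized AAAA for h2.example.com when only an A record exists, and the NAT64 gateway maps that destination back to the IPv4 server. The zone contents and the use of the RFC 6052 well-known prefix 64:ff9b::/96 are assumptions of this example, not taken from the slides.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix (assumed; the slides do not state which Pref64 is used)
WELL_KNOWN_PREF64 = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample zone: h2.example.com is IPv4-only, h6.example.com is dual-stack
ZONE = {
    "h2.example.com": {"A": ["192.0.2.10"]},
    "h6.example.com": {"A": ["192.0.2.20"], "AAAA": ["2001:db8::20"]},
}


def synthesize_aaaa(ipv4: str, pref64=WELL_KNOWN_PREF64) -> ipaddress.IPv6Address:
    """Embed an IPv4 address in the low 32 bits of a /96 Pref64 (what DNS64 hands the client)."""
    if pref64.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    return ipaddress.IPv6Address(int(pref64.network_address) | int(ipaddress.IPv4Address(ipv4)))


def dns64_lookup(name: str, zone=ZONE, pref64=WELL_KNOWN_PREF64) -> list:
    """DNS64 behaviour: genuine AAAA records are returned untouched; a name with
    only A records gets synthesized AAAA answers; an unknown name gets none."""
    records = zone.get(name, {})
    if records.get("AAAA"):
        return [ipaddress.IPv6Address(a) for a in records["AAAA"]]
    return [synthesize_aaaa(a, pref64) for a in records.get("A", [])]


def nat64_destination(addr, pref64=WELL_KNOWN_PREF64) -> ipaddress.IPv4Address:
    """NAT64 gateway side: map the client's IPv6 destination back to the IPv4 server.
    Anything outside Pref64 is native IPv6 and must not be translated."""
    a = ipaddress.IPv6Address(addr)
    if a not in pref64:
        raise ValueError(f"{a} is not inside the NAT64 prefix")
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)


if __name__ == "__main__":
    for name in ("h2.example.com", "h6.example.com"):
        answers = dns64_lookup(name)
        print(name, [str(a) for a in answers])
    print(nat64_destination(dns64_lookup("h2.example.com")[0]))
```

Because the synthesized addresses all fall inside Pref64, a firewall or log review can tell translated IPv4 traffic apart from native IPv6 traffic by that prefix alone.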

Carrier Grade NAT (CGN)

Carrier Grade NAT is a large NAT device placed at the edge of an ISP network where it connects to the Internet backbone.

CGN is used to reduce the need for IPv4 addresses.

Example: NAT444 is a 2-stage IPv4 NAT process

Customer Private IPv4 is NAT-ed to ISP Private IPv4

ISP Private IPv4 is NAT-ed to public IPv4 at a CGN as packets leave the ISP network.

No IPv6 here – just used to reduce IPv4 address requirements.

IPv6 Program

Module 6 IPv6 Security and the Future

DePaul IPD

Agenda

IPv6 Security Resources

Shared security aspects IPv4 and IPv6

Similar (yet different) security aspects

Specific Security Issues in IPv6

Transitioning and Tunneling issues

Routing Protocol Security in IPv6

IPv6 and IPSEC

IPv6 Firewalls

Attack and Defense Tools

Conclusions