Presentation transcript: IPv6 (Tony Kellar, Daymar Institute)
Tony Kellar Daymar Institute
Why the OSI Model
- Multi-vendor support and standardization
- Simplifies design and troubleshooting
- Changes made at one layer do not affect the other layers: TCP doesn't care, UDP doesn't care, the data link doesn't care. Only layer 3 cares whether it is IPv4 or IPv6. (The practical exception is anything that carries or parses addresses above layer 3, such as application payloads and firewall rules; those do notice.)
WHY Internet Protocol 6
- IPv4 address exhaustion has been a concern for a long time
- Roughly 2/3 of the 32-bit space is publicly usable unicast space; the rest is reserved (private ranges, multicast, class E, loopback and so on)
Current IPv4 status (chart)
Additional reasons for IPv6
- IPv4 dates from the late 1970s (the final specification is RFC 791, 1981) and many optimizations were never designed in
- Broadcast and multicast concerns
- Fragmentation became necessary
- Hack, hack, hack to get certain things to work
- Lack of global focus: the Internet routing table became HUGE and impossible to optimize
- Security was not a concern when the protocol was created
- IPv4 subnetting is clunky and inefficient
- Poor management of IP space, because we were NEVER GONNA RUN OUT!
WE ARE NOT YET READY FOR THIS
WHAT IS AN IPv4 ADDRESS?
- 32 bits in succession indicating the address
- Networks are sub-divided by the subnet mask
- The Internet started out CLASSFUL (A, B, C, D, E)
- Now we subnet networks to use space more efficiently (known as CLASSLESS, or CIDR)
Source: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_9-1/ip_addresses.html
How much bigger is IPv6 than IPv4?
- We can assign an IPv6 address to every atom on the surface of the Earth
- There are 2^52 more IPv6 addresses than known stars in our universe
- If the entire IPv4 space were the size of a basketball, IPv6 would be the size of the sun
- My house is 4,294,967,296 times the space of the entire Internet on my primary network
- My secondary network (at my house) is 281,474,976,710,656 times larger than the entire Internet
- 17 times larger than the National Debt
Comparison:
- IPv4 = 4,294,967,296 (2^32) total addresses
- IPv6 = 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses, roughly 3.4 x 10^38. MY CALCULATOR WILL NOT DISPLAY THE EXACT NUMBER
LET'S FACE IT: BIG NUMBER
IPv6 Address Format
- 128 bits in length (versus IPv4's 32 bits)
- Expressed in hexadecimal (base 16); each section is 16 bits, written as 4 characters from 0 to F
- If you understand MAC addresses, this is easy stuff
Hex digit = binary nibble:
0 = 0000   4 = 0100   8 = 1000   C (12) = 1100
1 = 0001   5 = 0101   9 = 1001   D (13) = 1101
2 = 0010   6 = 0110   A (10) = 1010   E (14) = 1110
3 = 0011   7 = 0111   B (11) = 1011   F (15) = 1111
- Each 16-bit section is separated by a ":"
- Leading zeros in a section can be dropped
- Successive all-zero sections can be expressed with "::". NOTE: "::" can be used only once per address, otherwise the reader cannot tell how many zero sections each one stands for
Whiteboard examples: 3f01:abcd:1234:5678:2780:1537:1100: :0db8:00ca:1300:0000:0000:1350:aaaa 2001:0db8:0000:0bde:0000:0000:1306: :0000:0000:0000:0000:0000:0000:0000
Exercise: Shortest Length
Answers: ABCD:807::123D:5908:ABCD:8797:1 2001:DB8:1:3092:1:DE:1230: :DB8:0:3092::20: :1000:0:3821::E :1200:10::A 3001:3342:101::1:0:1:1 OR 3001:3342:101:0:1::1:1 C000::1
Caveat on the "OR" case: both forms are valid input, but the canonical text form (RFC 5952) never uses "::" for a single zero section, so the one true shortest spelling is 3001:3342:101:0:1:0:1:1. The same rule applies to ABCD:807::123D:5908:ABCD:8797:1, whose "::" covers only one section. This matters when you compare addresses as strings in logs or ACLs.
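The compression rules from the previous two slides, as an added worked example (this code is not from the slides). It expands any valid text form to eight 16-bit groups and then produces the RFC 5952 canonical form: lowercase, leading zeros dropped, "::" only for the longest run of two or more zero groups, leftmost run on a tie, never "::" for a lone zero group. The standard library's ipaddress module is used only as an independent check. The sample addresses are the slide's own exercise answers plus the 2001:db8::/32 documentation prefix.

```python
"""IPv6 text-form helpers: expand to eight groups, compress per RFC 5952.
Added example for the slides; standard library only."""
import ipaddress
import re

HEXTET = re.compile(r"^[0-9a-f]{1,4}$")


def expand(text: str) -> list[int]:
    """Parse an IPv6 address with dropped leading zeros and at most one '::'
    into eight 16-bit integers. Embedded dotted-quad forms (::ffff:192.0.2.1)
    are deliberately not handled here."""
    text = text.strip().lower()
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once: " + text)
    if "::" in text:
        left, right = text.split("::")
        lhs = left.split(":") if left else []
        rhs = right.split(":") if right else []
        missing = 8 - len(lhs) - len(rhs)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group: " + text)
        groups = lhs + ["0"] * missing + rhs
    else:
        groups = text.split(":")
    if len(groups) != 8 or not all(HEXTET.match(g) for g in groups):
        raise ValueError("not a valid IPv6 address: " + text)
    return [int(g, 16) for g in groups]


def compress(text: str) -> str:
    """Canonical RFC 5952 form: lowercase hex, no leading zeros, '::' for the
    longest run of two or more zero groups (leftmost wins a tie), and a single
    zero group written as '0'."""
    groups = expand(text)
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(groups + [-1]):   # -1 is a sentinel that closes the last run
        if g == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:          # strict '>' keeps the leftmost run on a tie
                best_start, best_len = run_start, run_len
            run_len = 0
    hexes = [format(g, "x") for g in groups]
    if best_len < 2:                        # RFC 5952 4.2.2: no '::' for one zero group
        return ":".join(hexes)
    head = ":".join(hexes[:best_start])
    tail = ":".join(hexes[best_start + best_len:])
    return head + "::" + tail


def is_canonical(text: str) -> bool:
    """True when text is already in RFC 5952 form (handy for linting configs)."""
    return text == compress(text)


def same_address(a: str, b: str) -> bool:
    """Compare two addresses regardless of how they were spelled."""
    return expand(a) == expand(b)


def agrees_with_stdlib(text: str) -> bool:
    """Cross-check against ipaddress, which applies the same RFC 5952 rules."""
    return compress(text) == ipaddress.IPv6Address(text).compressed


if __name__ == "__main__":
    for sample in ("2001:0db8:0000:0000:0000:0000:1350:aaaa",
                   "ABCD:807::123D:5908:ABCD:8797:1",   # slide answer; its '::' covers one group
                   "3001:3342:101:0:1::1:1",            # the slide's 'OR' answer
                   "0000:0000:0000:0000:0000:0000:0000:0000"):
        print(f"{sample:42} -> {compress(sample)}  stdlib agrees: {agrees_with_stdlib(sample)}")
```

Never compare IPv6 addresses as raw strings in detection logic or allow-lists; normalise both sides with compress (or ipaddress) first, or "2001:DB8::1" and "2001:db8:0:0::1" will be treated as different hosts.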
Quick Note: IPv6 address within a URL
- URLs explicitly use ":" to designate a port number, so the colons in an IPv6 address are ambiguous and a bare address does not work
- If pointing directly to an IPv6 address in a URL, enclose it in square brackets (RFC 3986), e.g. http://[2001:db8::1]:8080/
IPv6: Expressing Network vs. Host
- In IPv4 we use a subnet mask, or equivalently the /24-style prefix length (how many 1 bits in the mask)
- In IPv6 a dotted mask for the same job would be absurdly long to type, so only prefix-length notation is used: /##, same deal
- Example: 2610:0018:02c1:0041:2342:ffe2:1234:0001/64. The first 64 bits (2610:0018:02c1:0041) are the NETWORK; the last 64 bits (2342:ffe2:1234:0001) are the HOST, called the interface identifier
Addressing Hosts Statically – typing it in exactly (YUCK! for hosts)
Addressing Hosts Dynamically
Method 1: Stateless auto-configuration (SLAAC) with the privacy extension (RFC 4941)
- Host picks a random 64-bit interface identifier and uses Duplicate Address Detection to validate that it is not already on the network, e.g. 2610:18:2c1:41:cca8:57fd:6a7c:cdbf
- Uses RS/RA (Router Solicitation / Router Advertisement) to learn the prefix and establish the default gateway
Method 2: DHCPv6 (stateful)
- The default gateway still comes from RS/RA or is statically defined; standard DHCPv6 has no default-router option
Method 3: Cryptographically generated addresses (CGA, RFC 3972): the interface identifier is a hash of the host's public key, so the host can prove it owns the address
I BELIEVE BUTTON
Addressing Hosts Dynamically
Method 4: EUI-64 addressing
- Host builds the interface identifier from the MAC address of its Ethernet NIC, since a MAC is 48 bits and globally unique
- Flips the 7th bit of the first byte (the universal/local bit) from 0 to 1 or 1 to 0. Why? Not a clue! I didn't write it. (RFC 4291 appendix A gives the reason: with the bit inverted, hand-configured local identifiers come out short, e.g. ::1 instead of ::200:0:0:1.)
- Inserts FFFE between the first 24 bits (the OUI) and the last 24 bits of the MAC, giving the 64-bit host part
- See next slide for an example
- Also uses RS/RA for default-gateway establishment
- Caveat: the identifier is the same on every network the host visits, so the host is trackable across networks; that is why the random identifiers of Method 1 exist
Addressing Hosts: EUI-64 example (diagram)
IPv6 Address Apportionment
IPv6 addressing: standard networks
- Businesses needing multihoming (more than one upstream path) go to their RIR/NIR for provider-independent IPv6 addresses
- Businesses/large customers with a single upstream will be provided a /48 by the ISP
- Extremely small businesses and private customers (us) traditionally get a /64
- NOTE: Even with the obscene number of IPs, the IETF specifies that the smallest network should be a /64, even on point-to-point links (the later exception, RFC 6164, permits /127 on router-to-router links)
- Certain tunneling technologies, e.g. ISATAP, REQUIRE the network to be a /64 (I lost hair over this and I can't afford that!)
Types of Traffic
IPv4:
- Unicast: host-to-host communications only
- Multicast: host to many (listening hosts)
- Broadcast: host to everybody on the segment
IPv6:
- Unicast: host-to-host communications only
- Multicast: host to many (listening hosts)
- Anycast: host to the closest of several hosts sharing one address (Ugh!)
Wait, where did broadcasts go? What about ARP??? We'll get there, hold on that!
Types of Address (there are more)
- Aggregatable Global Unicast: 2000::/3 (2000-3FFF). No such thing as an RFC 1918-style private IP in IPv6: global addresses are globally routable. (Unique Local Addresses, fc00::/7, exist for internal use, but they are not routed on the Internet and are not a NAT hiding place.)
- Multicast: FF00::/8. This requirement will never go away: routing protocols, special services such as video
- Link-Local Unicast: FE80::/10. Ah-ha... the address a host uses to talk to other hosts on the same link; a router never forwards it off the link. Finds hosts and routers on the link only
- Solicited-Node Multicast: FF02::1:FF00:0/104. Ah-ha!!! The address a host sends to when it needs the MAC of another host (Neighbor Discovery). Also used for Duplicate Address Detection (DAD)
Link Local: FE80::/10
Link-local breakdown:
- FE80 (binary 1111111010) for the first 10 bits
- Next 54 bits are all 0s
- Last 64 bits are the interface identifier; when the host uses the same identifier for its global address, these are the last 64 bits of that address
- Given IP address: 2610:18:2c1:41:cca8:57fd:6a7c:cdbf
- Link-local address: FE80::cca8:57fd:6a7c:cdbf
- Link local does not talk outside of the link; used by the host to talk WITHIN the link. Because every interface has one, tools append a zone index to say which link is meant (Windows fe80::...%12, Linux fe80::...%eth0)
Special IPv6 Addresses
- :: = "I don't have an address": the unspecified address, used as the source (all 0s) while a host is still doing DAD
- ::1 = loopback, equal to IPv4's 127.0.0.1. Ping it. It will respond (we hope)
- IPv4-compatible IPv6 address: 0:0:0:0:0:0:a.b.c.d, written ::a.b.c.d. An early IPv4-to-IPv6 tunneling address, deprecated by RFC 4291
- IPv4-mapped IPv6 address: 0:0:0:0:0:FFFF:a.b.c.d, written ::FFFF:a.b.c.d. How a dual-stack socket represents an IPv4 peer; it never appears on the wire
I BELIEVE BUTTON
Solicited-Node Multicast Addresses
- Lets a host contact another host when it only knows its IP (sounds like ARP)
- Address format = FF02::1:FF00:0/104; the last 24 bits are the last 24 bits of the unicast address bound to that host
- Link-local only
- Used for Neighbor Discovery (the ARP replacement) and DAD
- On Ethernet the group maps to destination MAC 33:33 followed by the low 32 bits of the group address, so only NICs subscribed to that group see the frame, unlike an ARP broadcast which every host must process
Solicited-Node Multicast Addresses (continued)
I know what you are thinking: if the host part is 64 bits but the solicited-node address uses only the last 24 bits, isn't it possible for two nodes to have the same solicited-node address? I.E. 2610:18:2c1:abcd:abcd:1234:1234: :18:2c1:abcd:abcd:1234:1334:1001
Yup! But given the size of a /64 the risk is small: 2^24 = 16,777,216 possible solicited-node groups. What, too small for you? And if it happens, the impact is small: both hosts receive the neighbor solicitation, only the one that owns the target address replies, so neighbors will still be found. DAD will recognize if a real duplicate exists.
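The derivations on the EUI-64, link-local and solicited-node slides, as one added worked example (not code from the slides): MAC to modified EUI-64 interface identifier, identifier into a /64 prefix, link-local address, solicited-node group for any unicast address, the Ethernet multicast MAC that group maps to, and the collision check the previous slide talks about. The MAC 00:1b:21:aa:bb:cc and the 2001:db8:1:2::/64 prefix are constructed sample values; the 2610:18:2c1:41:... address is the one from the slides.

```python
"""Addresses an IPv6 host derives from its MAC and its unicast address.
Added example for the slides; standard library only."""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """RFC 4291 appendix A, modified EUI-64: invert the universal/local bit
    (0x02 of the first byte) and splice ff:fe between the 3-byte OUI and the
    3 NIC-specific bytes. Returns the 64-bit interface identifier."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("need a 48-bit MAC: " + mac)
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def in_prefix(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Place a 64-bit interface identifier in a /64 prefix (network bits | host bits).
    strict=True rejects a 'prefix' that already has host bits set."""
    net = ipaddress.IPv6Network(prefix + "/64", strict=True)
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 with the EUI-64 identifier (the slide's 'Last 64 bits')."""
    return in_prefix("fe80::", eui64_interface_id(mac))


def interface_id(addr: str) -> int:
    """The HOST part of a /64 address: its low 64 bits."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """RFC 4291 2.7.1: ff02::1:ffXX:XXXX, XX:XXXX = low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def multicast_mac(group: str) -> str:
    """RFC 2464 section 7: Ethernet destination for an IPv6 multicast group is
    33:33 followed by the low 32 bits of the group address."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError("not a multicast group: " + group)
    low32 = (int(g) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


def share_solicited_node(a: str, b: str) -> bool:
    """True when two unicast addresses land in the same solicited-node group,
    i.e. each host also receives neighbor solicitations meant for the other."""
    return solicited_node(a) == solicited_node(b)


if __name__ == "__main__":
    mac = "00:1b:21:aa:bb:cc"                      # constructed sample MAC
    glob = in_prefix("2001:db8:1:2::", eui64_interface_id(mac))
    print("EUI-64 link-local :", link_local(mac))
    print("EUI-64 global     :", glob, " host part:", hex(interface_id(str(glob))))
    slide = "2610:18:2c1:41:cca8:57fd:6a7c:cdbf"  # privacy address from the slides
    sn = solicited_node(slide)
    print("solicited-node    :", sn, " on Ethernet:", multicast_mac(str(sn)))
    print("collision example :", share_solicited_node("2001:db8::1234:1001",
                                                      "2001:db8::1334:1001"))
```

Two things to notice when running it: the same MAC yields the same host part in every prefix, which is exactly the tracking problem the privacy extension fixes, and the two addresses that differ only in the fifth-from-last hex digit do share a solicited-node group, as the slide says, while still being distinct unicast addresses.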
Multicast: starts with FF00::/8
So easily done in IPv6; it overcomes major problems with IPv4 multicast. The IETF did a wonderful job mapping old to new:
Protocol: IPv4 multicast / IPv6 multicast
- All hosts: 224.0.0.1 / FF02::1
- All routers: 224.0.0.2 / FF02::2
- All OSPF routers (OSPFv2 / OSPFv3): 224.0.0.5 / FF02::5
- All OSPF DR/BDR (OSPFv2 / OSPFv3): 224.0.0.6 / FF02::6
- RIPv2 / RIPng: 224.0.0.9 / FF02::9
- EIGRP / EIGRP for IPv6: 224.0.0.10 / FF02::A
IPv6 Transition Mechanisms
- IPv6 only: sounds weird? Go to China.
- IPv4 and IPv6 dual stack: the interface supports both IPv4 and IPv6. Best implementation in my humble opinion.
- IPv6 over IPv4 tunnels (and IPv4 over IPv6 tunnels): complex, but readily available because IPv4 transport is readily available
- Active proxy
- NAT64: a gateway that translates between IPv6 and IPv4 addresses, so an IPv6-only host can reach an IPv4-only server (and vice versa)
- DNS64: a resolver that, for a name with only an A record, synthesizes a AAAA record pointing into the NAT64 prefix (the direction is A to AAAA); requires a server that does this
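The NAT64/DNS64 pair from this slide and the IPv4-mapped form from the special-addresses slide, as an added worked example (not code from the slides). It embeds an IPv4 address in the well-known NAT64 prefix 64:ff9b::/96 (RFC 6052) the way a DNS64 resolver does when synthesizing a AAAA, extracts it again the way the NAT64 gateway does, and shows the ::ffff:a.b.c.d mapped form a dual-stack socket reports. The A and AAAA records are a constructed sample zone using the 192.0.2.0/24, 198.51.100.0/24 and 2001:db8::/32 documentation ranges.

```python
"""NAT64 / DNS64 address synthesis and IPv4-mapped addresses.
Added example for the slides; standard library only."""
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052 NAT64 prefix

# Constructed sample zone: one IPv4-only name, one dual-stack name.
A_RECORDS = {"v4only.example": ["192.0.2.33"], "dual.example": ["198.51.100.7"]}
AAAA_RECORDS = {"dual.example": ["2001:db8::7"]}


def ipv4_mapped(v4: str) -> ipaddress.IPv6Address:
    """::ffff:a.b.c.d, the form an AF_INET6 socket reports an IPv4 peer in."""
    return ipaddress.IPv6Address("::ffff:" + str(ipaddress.IPv4Address(v4)))


def unmap(v6: str):
    """IPv4 address behind an IPv4-mapped address, or None for real IPv6.
    Log parsers and allow-lists must do this or ::ffff:10.0.0.5 never matches 10.0.0.5."""
    return ipaddress.IPv6Address(v6).ipv4_mapped


def dns64_synthesize(v4: str, pref64=WELL_KNOWN_PREFIX) -> ipaddress.IPv6Address:
    """AAAA a DNS64 resolver hands an IPv6-only client for an IPv4-only name:
    the IPv4 address in the low 32 bits of the /96 NAT64 prefix."""
    if pref64.prefixlen != 96:
        raise ValueError("this example embeds into /96 prefixes only")
    return ipaddress.IPv6Address(int(pref64.network_address) | int(ipaddress.IPv4Address(v4)))


def nat64_extract(v6: str, pref64=WELL_KNOWN_PREFIX):
    """IPv4 destination the NAT64 gateway translates to, or None when the
    packet is native IPv6 and needs no translation."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in pref64:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def resolve_like_dns64(name: str, a_records: dict, aaaa_records: dict) -> list:
    """RFC 6147 policy: native AAAA records win; only names with no AAAA get
    a synthesized answer, one per A record."""
    if aaaa_records.get(name):
        return [ipaddress.IPv6Address(x) for x in aaaa_records[name]]
    return [dns64_synthesize(x) for x in a_records.get(name, [])]


if __name__ == "__main__":
    for name in ("v4only.example", "dual.example"):
        answers = resolve_like_dns64(name, A_RECORDS, AAAA_RECORDS)
        for a in answers:
            print(f"{name:15} AAAA {a}  NAT64 target: {nat64_extract(str(a))}")
    print("mapped peer:", ipv4_mapped("192.0.2.33"), "->", unmap("::ffff:192.0.2.33"))
```

Security implication for the firewall person: with a NAT64 prefix in play, an IPv6-only host can reach any IPv4 address, so IPv4-only ACLs have to be re-expressed against the prefix, and anything that filters on address strings must unmap ::ffff: forms before comparing.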
Why Aren't We All At IPv6 Yet?
You: I want to implement IPv6 across the enterprise. For our own /48, we will have to pay $2,000 per year, upgrade equipment software, set up the PCs, and it will cost us about 1,000 man hours. Plus, we will have to train your staff.
Manager: Will we make money off of this project?
You: Not yet. But someday we might need it.
Manager: Who is doing IPv6?
You: About 1% of the planet.
Manager's response:
Now adjust. You are an ISP. What is the justification for you to have IPv6 for all your customers when only 1% of the planet even knows what it is?
Infancy... Engineering... Cost... vs. Gain
Useful PC diagnostic commands (Windows)
- ipconfig or ipconfig /all
- ping -4 <IPv4 address> or ping -6 <IPv6 address>. Note: if a name has both, IPv6 wins by default (the address selection policy prefers it)
- tracert -4 <IPv4 address> or tracert -6 <IPv6 address>
- netstat -r or route print: shows the PC routing table (-4 or -6 shows only that table)
- netstat -ps IPv6: shows IPv6 traffic stats
- netstat -ps ICMPv6: shows ICMPv6 stats
- netstat -ps TCPv6: shows TCP-over-IPv6 stats
- netsh interface ipv6 show neighbors: shows which IPv6 neighbors have been learned on the local link (the IPv6 equivalent of arp -a)
Important Cisco commands: not in CCNA
Things to Remember, Part 1
- IPv4 uses DNS A records. IPv6 uses DNS AAAA records (A6 records were experimental and are now historic). You do not need an IPv6-reachable DNS server: a server queried over IPv4 returns AAAA records just fine, because the record type is independent of the transport
- IPv4 has one primary address on the interface that does all the talking. An IPv6 interface can have hundreds of addresses, each capable of talking, even in the same subnet
- Windows XP was the first Windows that shipped with an IPv6 stack (as an optional install). However, go to Windows 7 if you can: MUCH MORE CAPABLE
- Mobile devices: already ready, and in many cases you can't turn it off
- IPv6 is really simpler than IPv4. The problem is concepts, availability of connections, and learning to understand it
- IPv6 routers do NOT fragment packets in transit. The router advertises the link MTU in its RAs; the sending host discovers the path MTU (ICMPv6 Packet Too Big) and must do any fragmentation itself, before sending, using the Fragment extension header. Every IPv6 link must carry at least 1280 bytes. Firewall caveat: blocking all ICMPv6 breaks path MTU discovery, and with it large transfers
- There is way more to this thing, as one could expect
Things to Remember, Part 2: SECURITY
- If you are not using IPv6, TURN IT OFF: disable TCP/IPv6 on the adapter and disable the tunnel adapters (Teredo, automatic 6to4, ISATAP). A host with a forgotten Teredo or 6to4 tunnel is reachable from the IPv6 Internet through a tunnel your IPv4 firewall rules never inspect
- There is no RFC 1918-style private IPv6 address space to hide behind; global addresses are globally routable, so:
- Firewall all machines. Stateful packet inspection at the hardware router/firewall is best
- IPv6 is really simpler and more productive. One drawback: a 64-bit processor can compare an IPv4 source and destination (2 x 32 bits) in one word; an IPv6 source and destination (2 x 128 bits) take four
- Security (IPsec) is built into the protocol suite. Caveat: it is specified, not automatic; nothing is authenticated or encrypted until you configure it, and implementing it was later relaxed from MUST to SHOULD (RFC 6434)
- Network apportionment is easy
- It is like going for a 2-mile run. It hurts BADLY at first, hurts less the next time, and always hurts a little.
Test Network Topology (diagram): Your PC on the Daymar network (IPv4) sends encrypted IPv6 traffic over an IPv4 tunnel to Tony's house; from there an IPv6-over-IPv4 GRE tunnel goes to the HE ISP, which reaches ipv6.google.com over native IPv6. The Daymar switch is the SAME switch at both ends of the IPv4 leg.
PLAYTIME
- Hopefully, you are now on the IPv6 NET
- Go to ipv6.google.com
- Ping ipv6.google.com
- Ping each other's address. Fun entering that, huh? DNS will be HUGE in the future.
- Search for IPv6-enabled websites
- Do the PC-associated commands
- NO IPv6 PORN... AKA PORN6? HAHA. Remember, you are on my network!
Thank you for your time!