IPv6: Hype or Reality? Tim Helming, Director of Product Management; Corey Nachreiner, CISSP, Sr. Network Security Strategist
Welcome! IPv6: Hype, or Reality? Answer: Yes!
You're here because v6 matters to you. We're here to help! Things we'll answer: How soon will I need v6? How do I prepare? What will the transition be like? How can WatchGuard help me?
Come On In: The Water's Fine!
IPv4 is dead…long live IPv4! Last 2 /8s Allocated… So, what does v6 adoption look like?
IPv6 is Everywhere… sort of… Breadth, not depth. All regions are participating. Traffic volumes low. Source: Elise Gerich, IANA/ICANN
Sometimes unofficial data is the most interesting… IPv4: 5.5 Gbps worldwide IPv6: 407 kbps for a big /12 IP Background Radiation Graphic: Geoff Huston, APNIC
IPv6 Primer IPv6 Field Guide OK….Pencils and Binoculars Ready?
IPv6 Technical Brief
What's the problem with IPv4? Simply put, it doesn't offer enough addresses… World Population: Around 6.8 billion. Number of IPv4 addresses: Around 4.3 billion
It Gets Worse… People (personal computers) aren't the only thing online…
IPv6 Technical Benefits: Exponentially more IP addresses; Fixed headers mean faster traffic; True end-to-end addressing (No more NAT?); Built-in end-to-end security (IPSec); Built-in QoS functionality; Autoconfiguration; Great for mobiles
Quick IPv4 Address Recap: Developed in 80s; 4.3 billion possible addresses (4,294,967,296); Generally represented in decimal; NAT allows more (1000s of devices can hide behind one IPv4 address); 32-bit (four bytes) long; One byte =
Dissecting an IPv6 Address: Developed in 1998 (RFC 2460); x or 340 Undecillion (what?) possible addresses; Generally represented in hexadecimal (HEX); Who needs NAT! Example: 2560:1900:4545:0003:0200:F8FF:FE21:67CF; 128-bits (16 bytes) long; Two bytes = 0 – FFFF (65535)
Shortening IPv6 Addresses: Start with 2001:0019:0545:0003:0200:0000:0000:67CF. Remove preceding zeros: 2001:19:545:3:200:0:0:67CF. Remove groups of zeros: 2001:19:545:3:200::67CF
Reading HEX Primer: Hexadecimal (base 16) is a numeral system with sixteen symbols. 0-9 = well… zero through nine (duh); A-F = 10 – 15; 10,11,12,13 = 16, 17, Converting HEX to decimal: 4D5F = (4 x 16^3) + (13 x 16^2) + (5 x 16^1) + (15 x 16^0) = (16384) + (3328) + (80) + (15) or ( )
Types of IPv6 Addresses. Unicast Address – a one-to-one address: Global – publicly routable address assigned by IANA (2000::/3); Link local – local address assigned for autoconfiguration or neighbor discovery, etc… not routed (FE80::/10); Unique local – like private addresses, just used at the local site (FC00 or FD00::/8); Special – special addresses like loopback or default gateway; Compatible – used for IPv4 to IPv6 migration. Multicast Address – an address intended for one-to-many communication: Multicast – sent to members in a multicast group; Broadcast – sent to all addresses on a network (technically, now an all-nodes multicast). Anycast Address – a new address used to send to the first recipient of a group
IPv6 Subnetting: CIDR only (slash notation); No concept of subnet masks; / followed by prefix size (decimal number 1-128). Example address: 2001:1900:4545:0003:0200:F8FF:FE21:67CF. 2001:1900:4545::/48 = 2001:1900:4545:0000:0000:0000:0000:0000 – 2001:1900:4545:FFFF:FFFF:FFFF:FFFF:FFFF. /16 /32 /48 CIDR to range tool:
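The shortening rules and the prefix-to-range arithmetic from the two slides above, written out by hand as an added example (not part of the original presentation). One address has many valid spellings, so ACLs, blocklists and log searches should compare parsed values, never raw strings. The function names are this example's own; output is lowercase, and IPv4-dotted forms are not handled.

```python
import string

def expand(text):
    """Parse IPv6 text into eight 16-bit integers; malformed input raises ValueError."""
    head, sep, tail = text.partition("::")
    left = head.split(":") if head else []
    right = tail.split(":") if tail else []
    fill = 8 - len(left) - len(right)          # groups hidden behind '::'
    if (fill < 1) if sep else (fill != 0):
        raise ValueError(f"wrong number of groups: {text!r}")
    groups = left + ["0"] * fill + right
    if not all(1 <= len(g) <= 4 and set(g) <= set(string.hexdigits) for g in groups):
        raise ValueError(f"bad group in {text!r}")
    return [int(g, 16) for g in groups]

def compress(groups):
    """Strip leading zeros, then replace the first longest run (2+) of zero groups with '::'."""
    start, length, i = 0, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > length:
            start, length = i, j - i
        i = max(j, i + 1)
    text = [format(g, "x") for g in groups]
    if length < 2:
        return ":".join(text)
    return ":".join(text[:start]) + "::" + ":".join(text[start + length:])

def to_int(groups):
    return sum(g << (112 - 16 * i) for i, g in enumerate(groups))

def canonical(text):
    return compress(expand(text))

def prefix_range(cidr):
    """First and last address covered by a prefix such as '2001:1900:4545::/48'."""
    net, _, bits = cidr.partition("/")
    host_mask = (1 << (128 - int(bits))) - 1   # the bits left free for hosts
    first = to_int(expand(net)) & ~host_mask
    groups_of = lambda n: [(n >> s) & 0xFFFF for s in range(112, -1, -16)]
    return compress(groups_of(first)), compress(groups_of(first | host_mask))

def in_prefix(addr, cidr):
    net, _, bits = cidr.partition("/")
    shift = 128 - int(bits)                    # compare only the prefix bits
    return to_int(expand(addr)) >> shift == to_int(expand(net)) >> shift
```

A filter that stores `canonical()` output (or the integer) matches all three spellings from the shortening slide, while a spelling with a triple colon is rejected instead of being silently accepted.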
What about MAC? Hosts generate a unique Interface Identifier, called the 64-bit Extended Unique Identifier or EUI-64. 48-bit MAC addresses are converted by adding FFFE to the middle: 1. MAC Address: 90-3A-2B-06-2C-D1 2. Split in half: 90-3A-2B | 06-2C-D1 3. Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1 4. Change 7th bit to 1: 92:3A:2B:FF:FE:06:2C:D1
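The conversion above and its inverse, as an added example (not part of the original presentation). Because the interface ID is derived from the MAC, any address built this way discloses the host's hardware address to every peer and log it reaches; the second function recovers it, which is useful when auditing which hosts still use EUI-64 rather than privacy addresses (RFC 4941). The function names and the `2001:db8::` sample are constructed for this example; the other two addresses appear on the slides.

```python
import ipaddress

def mac_to_iid(mac):
    """Build the EUI-64 interface ID from a 48-bit MAC, following the slide's four steps."""
    raw = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    iid = bytearray(raw[:3] + b"\xff\xfe" + raw[3:])   # split in half, insert FFFE
    # RFC 4291 inverts the 7th bit; for a factory-assigned MAC (bit = 0)
    # that is the slide's "change 7th bit to 1".
    iid[0] ^= 0x02
    return ":".join(f"{b:02X}" for b in iid)

def embedded_mac(addr):
    """Return the MAC hidden in an address's last 64 bits, or None if it is not EUI-64 shaped."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None            # heuristic: a random ID can contain FFFE by chance (1 in 65536)
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in mac)

def audit(addresses):
    """Map each address that exposes a hardware MAC to that MAC."""
    found = {}
    for addr in addresses:
        mac = embedded_mac(addr)
        if mac is not None:
            found[addr] = mac
    return found

SAMPLE = [
    "2001:1900:4545:0003:0200:F8FF:FE21:67CF",   # from the slides
    "FE80::28BB:0ACB:3F57:D837",                 # from the slides, not EUI-64
    "2001:db8::923a:2bff:fe06:2cd1",             # constructed from the slide's MAC
]

if __name__ == "__main__":
    print(mac_to_iid("90-3A-2B-06-2C-D1"))
    for addr, mac in audit(SAMPLE).items():
        print(addr, "->", mac)
```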
What about ARP? IPv6 replaces ARP with the Neighborhood Discovery Protocol. This new protocol combines many functions. Host-to-Host Functions: Address resolution (uses ICMPv6 Neighbor advertisement and solicitation msgs); Duplicate address detection; Next-Hop determination; Neighbor unreachable detection. Host/Router Discovery Functions: Router Discovery; Prefix Discovery; Parameter Discovery; Address Autoconfiguration. Redirect Function.
Simplified Headers Mean Faster Traffic. IPv4 Header (20 bytes): Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding. IPv6 Header (40 bytes): Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address. Legend: Stays same; Dropped; Name/position change; New
IPv6 OS Support
Field Guide to Common IPv6 Addresses
Common Address Field Guide (1). Loopback address (was ): 0000:0000:0000:0000:0000:0000:0000:0001 or ::1. Link-local address (was /16): FE80::/10, FE80::28BB:0ACB:3F57:D837
Common Address Field Guide (2). Default route (was /0): 0000:0000:0000:0000:0000:0000:0000:0000/0 or ::/0. Unique Local Address or ULA (also called Site Local; similar to private networks): FC00::/7, FC00::28BB:0ACB:3F57:D837
Common Address Field Guide (3). Multicast address (was /4): FF00::/8, FF02::1. Anycast address (new – send to the nearest node in a group): Looks like a unicast address
Common Address Field Guide (4). 6to4 addresses: 2002::/16. Layout: 2002 (16 bits) | IPv4 address in hex (32 bits) | SLA ID (16 bits) | Interface ID (64 bits). = 2002:CF86:2A6F::/48
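The 6to4 layout above as a small encoder and decoder, added here as an example (not part of the original presentation). A 6to4 address carries its IPv4 tunnel endpoint in bits 16 to 47, so IPv4-based allow and deny lists can be checked against it once decoded. The function names and the SLA ID and interface ID values in the usage are this example's own.

```python
import ipaddress

def sixtofour_prefix(ipv4):
    """Build the /48 that 6to4 assigns to an IPv4 address: 2002 + IPv4 in hex."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def parse_6to4(addr):
    """Split a 6to4 address into the slide's fields; return None outside 2002::/16."""
    n = int(ipaddress.IPv6Address(addr))
    if n >> 112 != 0x2002:                      # first 16 bits must be 2002
        return None
    return {
        "ipv4": str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)),  # next 32 bits
        "sla_id": (n >> 64) & 0xFFFF,           # 16-bit site subnet
        "interface_id": n & (2**64 - 1),        # last 64 bits
    }

if __name__ == "__main__":
    # Decoding the slide's example prefix recovers the IPv4 address it was built from.
    print(parse_6to4("2002:CF86:2A6F::"))
    print(sixtofour_prefix("207.134.42.111"))
```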
Common Address Field Guide (5). Unique Global (public IP address): 2000::/3, 2260:F3A4:32CB:715D:5D11:D837
Common Address Field Guide (6). Other addresses/ranges of lesser note: 42::/16 - The Retiolum Prefix; 2001::/32 - Teredo tunneling (transition mechanism); 2001:2::/48 - Assigned to BMWG; 2001:10::/28 - ORCHID (Overlay Routable Cryptographic Hash Identifiers); 3FFE::/16 - 6Bone IPv6 Testbed addresses (legacy)
IPv6 Technical Summary
Glossary. IP address: Internet protocol address. An address network devices use to identify one another. NAT: Network address translation. A standard to hide many special IPs behind one real IP. Hexadecimal: A base-16 numbering system consisting of 0-F. Routing Prefix: The first 64-bits of an IPv6 address, which identifies routing info. Interface ID: The last 64-bits of an IPv6 address, which identifies a single host. CIDR: Classless Inter-Domain Routing. A scalable method for assigning IPs and routing packets. MAC: Media Access Control address. A unique address for specific network hardware. ARP: Address resolution protocol. A standard for IPv4 devices to find one another locally. EUI-64: A unique 64-bit identifier of IPv6, based on MAC. Network Discovery (ND) Protocol: IPv6 replacement for ARP and more…
Glossary (cont.) Addresses. Unicast Address: Specific one-to-one address. Multicast Address: An address to communicate from one-to-many. Anycast Address: A new type of address to communicate from one to the first in a group to receive. Loopback: Address that represents the local host. Local Link: Required, non-routable address that connects to local network, and is used for autoconfiguration. Default Route: Address that represents where to send non-local traffic. Unique Local: Non-global address similar to IPv4 private networks. 6to4: One of many IPv6 transition mechanisms. Unique Global: A specific, publicly routable IPv6 host address
Things We Haven't Covered (Lots): IPv6 Security; IPv6 QoS; DHCPv6; IPv6 & DNS; ICMPv6; Transition and Tunneling mechanisms; Header Extensions; IPv6 Mobility; And much more…
Extra Reading Material for Geeks. IPv6 Request For Comments (RFCs): RFC 1752 (1995): The Recommendation for IP Next Generation (IPng) Protocol; RFC 2460 (1998): Internet Protocol Version 6 (IPv6) Specification; RFC 2462: IPv6 Stateless Address Autoconfiguration; RFC 3775: Mobility Support in IPv6; RFC 2893: Transition Mechanisms for IPv6 Hosts and Routers; RFC 2373: IP Version 6 Addressing Architecture. And many more (over 70 RFCs related to IPv6):
You Have Some New IPv6 Knowledge… Now What? Continue Learning and Exploring! Start Playing: Use v6 internally now, even if just in a lab. Attend WatchGuard's Upcoming Webinars!