IPv6 – now what? (presentation transcript)
Philipp Kuhn, Premier Field Engineer, Global Business Support, email@example.com
IPv6 Basics
Deployment
Best practice and current issues/challenges
IPv6 Basics: Limitations of IPv4
An IPv4 address walks into a bar and says: “Quick, give me a drink. I am exhausted!”
Limitations of IPv4
Exponential growth of the Internet and the exhaustion of the IPv4 address space
Need for simpler configuration
Requirement for security at the IP level
Need for better support for prioritized and real-time delivery of data
Limitations of IPv4
The modern Internet has grown beyond its original intent
What about IPv5?
The world is moving from IPv4 straight to IPv6 because Chuck Norris doesn’t like the number 5! When Alexander Bell invented the telephone he had 3 missed calls from Chuck Norris.
IPv6 Basics: Capabilities of IPv6
An IPv6 packet walks into a bar. Nobody talks to him.
Capabilities of IPv6
More efficient packet header format
Globally scalable address space
Stateless and stateful address configuration
Standardized support for Internet security protocols
Better support for prioritized delivery
More efficient node discovery
Extensibility
IPv4 vs. IPv6

Feature                        | IPv4               | IPv6
Address length                 | 32 bits            | 128 bits
IPsec header support           | Optional           | Required
Prioritized delivery support   | Some               | Better
Fragmentation                  | Hosts and routers  | Hosts only
Packet size (minimum)          | 576 bytes          | 1280 bytes
Link-layer address resolution  | ARP (broadcast)    | Multicast Neighbor Discovery
Multicast membership           | IGMP               | Multicast Listener Discovery (MLD)
Router discovery               | Optional           | Required
Uses broadcasts                | Yes                | No
Configuration                  | Manual, DHCP       | Automatic, DHCPv6
DNS name queries               | A records          | AAAA records
DNS reverse queries            | IN-ADDR.ARPA       | IP6.ARPA
IPv6 terminology
Node - Any device that runs an implementation of IPv6.
Router - A node that can forward IPv6 packets not explicitly addressed to itself.
Host - A node that cannot forward IPv6 packets not explicitly addressed to itself (a non-router).
Upper-layer protocol - A protocol above IPv6 that uses IPv6 as its transport.
Link - The set of network interfaces that are bounded by routers and that use the same 64-bit IPv6 unicast address prefix.
Network - Two or more subnets connected by routers.
Neighbors - Nodes connected to the same link.
Interface - The representation of a physical or logical attachment of a node to a link.
Address - An identifier that can be used as the source or destination of IPv6 packets and that is assigned at the IPv6 layer to an interface or set of interfaces.
Packet - The protocol data unit (PDU) that exists at the IPv6 layer and is composed of an IPv6 header and payload.
The case for an IPv6 deployment
IPv6 solves the address depletion problem
IPv6 solves the disjoint address space problem
IPv6 solves the international address allocation problem
IPv6 restores end-to-end communication
IPv6 uses scoped addresses and address selection
IPv6 has more efficient forwarding
IPv6 has support for security and mobility
IPv6 Basics: IPv6 Address Space
IPv4 is soon dead:beef.
IPv6 address space
128-bit address space: 2^128 possible addresses
340,282,366,920,938,463,463,374,607,431,768,211,456 addresses (3.4 x 10^38, or 340 undecillion)
6.65 x 10^23 addresses for every square meter of the Earth’s surface
128 bits allow flexibility in creating a multi-level, hierarchical routing infrastructure
64-bit subnet prefix and a 64-bit interface identifier
IPv6 address syntax
An IPv6 address in binary form is divided along 16-bit boundaries
Each 16-bit chunk is further broken down into four discrete 4-bit chunks called “nibbles”; each nibble is written as one hexadecimal digit
Each 16-bit block is converted to hexadecimal and delimited with colons:
2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
Suppress leading zeros within each block:
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
Compressing zeros
A single contiguous sequence of 16-bit blocks set to 0 can be compressed to “::” (double colon)
Examples:
FE80:0:0:0:2AA:FF:FE9A:4CA2 becomes FE80::2AA:FF:FE9A:4CA2
FF02:0:0:0:0:0:0:2 becomes FF02::2
Zero compression cannot include part of a 16-bit block:
FF02:30:0:0:0:0:0:5 does not become FF02:3::5, but FF02:30::5
A double colon can only be used once when compressing an address.
IPv6 prefixes
Express routes, address spaces, or address ranges
IPv6 always uses address/prefix-length notation, similar to CIDR notation
Examples:
2001:DB8:0:2F3B::/64 for a subnet prefix
2001:DB8:3F::/48 for a route prefix
IPv6 address types
Global addresses
Local-use addresses (link-local)
Unique local addresses
Special addresses
Global addresses
Address scope is the entire IPv6 Internet; equivalent to public IPv4 addresses
Structure:
Global Routing Prefix (part of the public routing topology, together with the 001 prefix)
Subnet ID (site topology)
Interface ID
Link-local addresses
Address scope is a single link; equivalent to APIPA IPv4 addresses
FE80::/64 prefix
Used for:
Single-subnet, routerless configurations
Neighbor Discovery processes
Zone IDs
Link-local addresses are ambiguous on a host with multiple links (common) or multiple sites (uncommon)
The zone ID identifies a specific interface (e.g. one of several NICs)
The zone ID is typically the interface index of the sending interface
Examples:
ping fe80::2b0:d0ff:fee9:4143%3
tracert fe80::f282:2b0:d0ff:fee9:4143%2
Zone IDs are only used for link-local addresses, since routable addresses are unambiguous
Unique local addresses
Private to an organization, yet unique across all of the sites of the organization
FD00::/8 prefix
Replacement for site-local addresses
Global scope, no zone ID required
Special addresses
Unspecified address: 0:0:0:0:0:0:0:0 or ::
Loopback address: 0:0:0:0:0:0:0:1 or ::1
Well-known multicast addresses
All multicast addresses begin with FF
Prefixes:
FF01 – Node-local
FF02 – Link-local
FF05 – Site-local
Suffixes:
1 – All nodes
2 – All routers
1:2 – DHCP servers and relay agents
1:3 – LLMNR
IPv4 addresses and IPv6 equivalents

IPv4 address                  | IPv6 address
Multicast addresses (/4)      | IPv6 multicast addresses (FF00::/8)
Broadcast addresses           | N/A
Unspecified address           | Unspecified address is ::
Loopback address              | Loopback address is ::1
Public IP addresses           | Global unicast addresses
Private IP addresses          | Unique local addresses (FD00::/8)
APIPA addresses               | Link-local addresses (FE80::/64)
Dotted decimal notation       | Colon hexadecimal format
Subnet mask or prefix length  | Prefix length notation only
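The syntax and zero-compression rules from the “IPv6 address syntax” and “Compressing zeros” slides, together with the address types in the tables above, as one added example that is not from the slides (function names are my own). It expands “::” and zone IDs, produces the compressed form (a lone zero block stays 0, as in the slides’ examples), and classifies by the prefixes the slides list, treating FE80::/10 as the full link-local range.

```python
def expand_ipv6(addr: str):
    """Return (eight 16-bit blocks as ints, zone ID or '') for a colon-hex address."""
    addr, _, zone = addr.partition("%")            # zone ID, e.g. fe80::1%3
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    head, sep, tail = addr.partition("::")
    h = [int(b, 16) for b in head.split(":") if b]
    t = [int(b, 16) for b in tail.split(":") if b] if sep else []
    missing = 8 - len(h) - len(t)                  # blocks hidden by '::'
    if missing < 0 or (not sep and missing) or any(b > 0xFFFF for b in h + t):
        raise ValueError("need eight 16-bit blocks (or '::' standing in for some)")
    return h + [0] * missing + t, zone

def compress_ipv6(addr: str) -> str:
    """Drop leading zeros and replace the longest run (>= 2) of zero blocks with '::'."""
    blocks, zone = expand_ipv6(addr)
    best_start, best_len, i = -1, 0, 0
    while i < 8:                                   # scan for the longest all-zero run
        j = i
        while j < 8 and blocks[j] == 0:
            j += 1
        if j - i > best_len:                       # first run wins a tie
            best_start, best_len = i, j - i
        i = j + 1 if j == i else j
    hexs = [format(b, "X") for b in blocks]        # format() suppresses leading zeros
    if best_len < 2:                               # a lone zero block stays "0"
        out = ":".join(hexs)
    else:
        out = ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])
    return out + ("%" + zone if zone else "")

def address_type(addr: str) -> str:
    """Classify by the prefixes on the slides; FE80::/10 is the full link-local range."""
    blocks, zone = expand_ipv6(addr)
    first = blocks[0]
    rules = [
        (blocks == [0] * 8, "unspecified"),
        (blocks == [0] * 7 + [1], "loopback"),
        (first >> 8 == 0xFF, "multicast"),
        (first & 0xFFC0 == 0xFE80, "link-local"),
        (first >> 8 == 0xFD, "unique local"),
        (first >> 13 == 0b001, "global unicast"),
    ]
    kind = next((name for hit, name in rules if hit), "other")
    if zone and kind != "link-local":
        raise ValueError("zone IDs are only used with link-local addresses")
    return kind
```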
IPv6 Basics: IPv6 Interface Identifiers
A TCP packet walks into a bar and says “I want a beer”; the barman says “you want a beer?” and the TCP packet says “yes, a beer”.
Original plan…
The last 64 bits of an auto-configured IPv6 address would be populated with the interface’s MAC address
But…
A MAC address is only 48 bits, so EUI-64 was created to allow a predictable and repeatable transformation from 48 bits to 64 bits
Privacy advocates argued that all Internet communications could now be traced to a person
Beginning with Windows Vista and Windows Server 2008, a randomized method is used to determine the Interface ID instead of EUI-64:
netsh int ipv6 set global randomizeidentifiers=enabled|disabled
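The EUI-64 transformation and the privacy problem it creates, as an added example that is not from the slides (function names and the sample MAC are my own): the same interface identifier shows up under every prefix the host ever uses, which is what a randomized identifier avoids.

```python
import secrets
from ipaddress import IPv6Address, IPv6Network

def modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64 interface identifier (RFC 4291, appendix A)."""
    octets = bytes(int(o, 16) for o in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])   # insert FFFE between OUI and device part
    eui[0] ^= 0x02                                           # invert the universal/local bit
    return bytes(eui)

def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 identifier, as a host without randomization would."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface IDs are 64 bits, so the prefix must be a /64")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return str(IPv6Address(int(net.network_address) | iid))

def random_address(prefix: str) -> str:
    """Same prefix, but a 64-bit random identifier instead of one derived from the MAC."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface IDs are 64 bits, so the prefix must be a /64")
    return str(IPv6Address(int(net.network_address) | secrets.randbits(64)))

def interface_id(addr: str) -> int:
    """Low 64 bits of an address."""
    return int(IPv6Address(addr)) & ((1 << 64) - 1)

def same_host(addr_a: str, addr_b: str) -> bool:
    """The tracing problem: an EUI-64 identifier follows the host across every network it joins."""
    return interface_id(addr_a) == interface_id(addr_b)

MAC = "00-0C-29-C2-52-FF"   # constructed sample MAC, Windows dash notation
```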
How does a host obtain an IPv6 address?
There are four general methods for obtaining an IPv6 address:
Statically configured
Stateless Address Auto Configuration (SLAAC)
Stateless DHCPv6
Stateful DHCPv6
The host decides which method to use based on the configuration of a Router Advertisement message
Note: Link-local addresses are always generated regardless of any other options
Router advertisements
IPv6-enabled hosts are always listening for RAs
Additionally, a host will request an RA by sending a Router Solicitation when the host’s configuration changes:
Host powers up
Network Change Notification
An RA is usually sent by a Layer 3 device and has specific options available
RAs control both addressing and routing on the host
Router advertisement options (RFC 4861)
Autonomous flag (A bit) – Hosts will generate an address from the prefix in this RA if this bit is set
Valid Lifetime – a 32-bit number representing the length of time (in seconds) that a prefix will be used in the host’s routing table
Managed Address Configuration flag (M bit) – Hosts will contact a DHCPv6 server to obtain an IPv6 address if this bit is set
Other Stateful Configuration flag (O bit) – Hosts will contact a DHCPv6 server to obtain non-address configuration information if this bit is set
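The three slides above as one added example (not from the slides; names and the sample packet are my own): a parser for the ICMPv6 Router Advertisement header and its Prefix Information option, and the decision a host makes from the A, M and O bits. Useful on the defender side for checking what the RAs seen on a segment actually tell hosts to do.

```python
import struct
from ipaddress import IPv6Address

ICMPV6_ROUTER_ADVERTISEMENT = 134      # RFC 4861 section 4.2
OPT_PREFIX_INFORMATION = 3             # RFC 4861 section 4.6.2

def parse_router_advertisement(pkt: bytes) -> dict:
    """Pull the M/O flags and each Prefix Information option (A flag, lifetimes) out of an RA."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    flags = pkt[5]                     # byte after cur-hop-limit: M = 0x80, O = 0x40
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40), "prefixes": []}
    off = 16                           # options start after the fixed 16-byte header
    while off + 2 <= len(pkt):
        otype, olen = pkt[off], pkt[off + 1]
        end = off + olen * 8           # option length is in units of 8 bytes
        if olen == 0 or end > len(pkt):
            raise ValueError("malformed option; RFC 4861 says discard the packet")
        if otype == OPT_PREFIX_INFORMATION and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", pkt[off + 2:off + 12])
            ra["prefixes"].append({
                "prefix": f"{IPv6Address(pkt[off + 16:off + 32])}/{plen}",
                "L": bool(pflags & 0x80),          # on-link
                "A": bool(pflags & 0x40),          # autonomous: prefix may be used for SLAAC
                "valid_lifetime": valid, "preferred_lifetime": preferred,
            })
        off = end
    return ra

def address_methods(ra: dict) -> list:
    """Which of the slide's methods this RA selects (a link-local address is always generated)."""
    methods = []
    if any(p["A"] for p in ra["prefixes"]):
        methods.append("SLAAC")
    if ra["M"]:
        methods.append("stateful DHCPv6")      # address and options from DHCPv6
    elif ra["O"]:
        methods.append("stateless DHCPv6")     # options only (DNS etc.), address from SLAAC
    return methods

# Constructed sample RA (checksum left 0): hop limit 64, M=0 O=1, router lifetime 1800 s, then one
# Prefix Information option for 2001:db8:0:2f3b::/64 with L=1 A=1, valid 30 days, preferred 7 days.
SAMPLE_RA = (struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0x40, 1800, 0, 0)
             + struct.pack("!BBBBII4x", OPT_PREFIX_INFORMATION, 4, 64, 0xC0, 2592000, 604800)
             + IPv6Address("2001:db8:0:2f3b::").packed)
```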
A typical IPv6 deployment…
DHCP jokes are leased.
Overall IPv6 deployment strategy
IPv6 deployment is not your “typical” IT project
With proper planning, an organization’s IPv6 deployment should happen as a normal evolution over the course of time
Specific IT investments focused on IPv6 should be very limited
Ensure IPv6 capabilities as part of the normal refresh interval of infrastructure components
A readiness planning process is key to success
Communication across groups has become much more important
Overall IPv6 deployment strategy
People: “What do we know about IPv6?”
Process: “How will our existing processes be impacted by IPv6?”
Technology: “What impact will IPv6 have on our existing hardware/software landscape?”
Inventory is key
Develop and revise a scorecard to track progress
Schedule quarterly reviews with stakeholders
Factors in determining project duration
Scope of the deployment
Scale of the deployment
Required organizational preparedness activities
Protocol dependencies of the application inventory
IPv6 capabilities of the operating systems
IPv6 capabilities of the networking hardware
Monitoring and management capabilities of the network
IPv6 capability of the directory infrastructure
And others …
Preparing for an IPv6 deployment: infrastructure technology pieces
An IPv6 addressing plan
DNS servers for name resolution of IPv6 AAAA records
Packet inspection technologies that can operate with IPv6
IPv6 configuration at the network edge
IPv6 capability of network computers
For native IPv6:
DHCP servers capable of issuing DHCP options to IPv6 clients
IPv6-capable routers configured following an IPv6 routing design
Implementing the IPv6 deployment: introduce a pool of IPv6 addresses
Best option: acquire an IPv6 prefix
Traditionally from the ISP
Provider Independent if multi-homed
Other options include:
6to4 address corresponding to the current public IPv4 address
Unique Local IPv6 Unicast
Configure IPv6-compatible name resolution:
AAAA records
IP6.ARPA for PTR records
Implementing the IPv6 deployment: introduce a pool of IPv6 addresses
There will be IPv4-only resources that you want to expose over IPv6
You want to avoid full IPv4 NAT
Introduce some IPv6-to-IPv4 translation points in your network:
NAT64
Network Address Translation/Protocol Translation (NAT-PT) device – deprecated as an IETF standard in favor of NAT64
DNS64
Best practice and current issues/challenges: IPv6 support in Microsoft products
WHOIS going to tell us a Domain Name joke?
What does IPv6 compatible mean?
According to the Microsoft Common Engineering Criteria:
“All Microsoft server products are required to support both IPv6 and IPv4. In addition, all server products are required to be configurable to run in dual-stack (IPv4 and IPv6) or IPv6-only modes.”
Additionally:
“The goal is feature parity. Whatever a customer can do using IPv4, they should be able to do using IPv6, with the same level of security, performance, and scalability.”
Microsoft products that do not support IPv6
“Microsoft has informed Gartner that it does not plan to ship another full version of…Forefront Threat Management Gateway (TMG). The product is effectively in sustaining mode, with Microsoft continuing to ship Service Pack (SP) updates…for the standard support life cycle — five years of mainstream support and five years of extended support.”
Gartner, Magic Quadrant for Secure Web Gateway, 25 May 2011
Microsoft’s strategy with IPv6
Microsoft plans to have full dual-stack and IPv6-only capabilities for all enterprise-class products
Microsoft has been working on achieving this capability since 2007
Best practice and current issues/challenges: Current issues/opportunities
An ARP request goes to McDonald’s and asks for a Big MAC.
Application dependencies
Most applications follow the OSI model and are therefore IP agnostic (recommended): they pass a name to the TCP/IP stack and let the stack determine how to connect (using RFC 3484 address selection)
Some applications try to handle IP connectivity on their own by opening a socket (not recommended): these applications must be specifically coded to support IPv6
Some applications (or scripts) assume that the returned IP address is in dotted decimal notation: they fail on reading an IPv6 address
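The two patterns from the slide side by side, as an added example that is not from the slides (function names are my own): the dotted-decimal assumption and the hard-coded IPv4 socket that both break on IPv6, beside the stack-driven, address-family-agnostic forms.

```python
import re
import socket
from ipaddress import ip_address

# Not recommended: the script assumes every peer address is dotted decimal.
DOTTED_DECIMAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def client_ip_legacy(remote: str):
    """Returns None for every IPv6 client, so logging or ACL code downstream silently breaks."""
    return remote if DOTTED_DECIMAL.match(remote) else None

# Recommended: let the stack's address parser decide the family; zone IDs (fe80::1%3) are stripped.
def client_ip(remote: str):
    try:
        return str(ip_address(remote.partition("%")[0]))
    except ValueError:
        return None

# Not recommended: the socket is opened with a hard-coded family, so AAAA-only hosts are unreachable.
def connect_ipv4_only(host: str, port: int) -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    return s

# Recommended: pass the name to the stack and try the candidates in the order it returns,
# which is where RFC 3484 source/destination address selection is applied.
def connect_by_name(host: str, port: int, timeout: float = 3.0) -> socket.socket:
    last_error = OSError(f"no addresses for {host}")
    for family, socktype, proto, _, sockaddr in socket.getaddrinfo(
            host, port, socket.AF_UNSPEC, socket.SOCK_STREAM):
        s = socket.socket(family, socktype, proto)
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            return s
        except OSError as err:
            last_error = err
            s.close()
    raise last_error
```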
Hardware dependencies
Network infrastructure hardware that inspects, modifies, or routes IP packets must specifically support IPv6
Examples:
Routers
Firewalls
Load balancers
WAN accelerators
Intrusion detection/prevention systems
Proxy servers
Network probes and protocol analyzers
Transition technologies
Transition technologies can cause issues
Whenever a machine has a public IPv4 address assigned, it will automatically generate a 6to4 address as well
6to4 addresses are globally routable addresses
6to4 addresses are registered in DNS
Solution: don’t use public IPv4 addresses inside a corporate network, or disable 6to4 using Group Policy
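An added check for the 6to4 issue above (not from the slides; function names and sample data are my own): the 6to4 prefix a host with a given public IPv4 address would generate, and an audit of AAAA records that flags registered 6to4 addresses and recovers the IPv4 address they embed. The public/private classification is an assumed simplification (RFC 1918, APIPA and loopback only).

```python
from ipaddress import IPv4Address, IPv4Network, IPv6Address, IPv6Network

# Assumption (simplified): an IPv4 address outside these ranges counts as "public", which is
# what makes a Windows host generate a 6to4 address.
NON_PUBLIC_V4 = [IPv4Network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "127.0.0.0/8")]
SIX_TO_FOUR = IPv6Network("2002::/16")            # 6to4 prefix, RFC 3056

def will_generate_6to4(ipv4: str) -> bool:
    ip = IPv4Address(ipv4)
    return not any(ip in net for net in NON_PUBLIC_V4)

def six_to_four_prefix(ipv4: str) -> str:
    """2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the IPv4 address written in hex."""
    packed = IPv4Address(ipv4).packed
    net = IPv6Address(b"\x20\x02" + packed + b"\x00" * 10)
    return f"{net}/48"

def embedded_ipv4(ipv6: str):
    """The public IPv4 address a 6to4 address reveals, or None if it is not 6to4."""
    addr = IPv6Address(ipv6)
    if addr not in SIX_TO_FOUR:
        return None
    return str(IPv4Address(addr.packed[2:6]))

def audit_aaaa(records):
    """(name, AAAA, leaked IPv4) for every record that registered a 6to4 address in DNS."""
    findings = []
    for name, aaaa in records:
        leaked = embedded_ipv4(aaaa)
        if leaked:
            findings.append((name, aaaa, leaked))
    return findings

SAMPLE_AAAA = [                                    # constructed sample, not real DNS data
    ("srv1.corp.example", "2001:db8:0:2f3b:20c:29ff:fec2:52ff"),
    ("pc7.corp.example", "2002:cb00:7105::cb00:7105"),
    ("pc9.corp.example", "fd00:1234::9"),
]
```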
Stay up-to-date
Recommended updates for Windows 8/8.1/Server 2012/2012 R2: make sure you install the monthly update rollups
Recommended updates for Windows 7/Server 2008 R2:
An enterprise hotfix rollup is available for Windows 7 SP1 and Windows Server 2008 R2 SP1
An IPv6 readiness update is available for Windows 7 and for Windows Server 2008 R2
Best practice and current issues/challenges: Disabling IPv6 – Don’t do it
How do you catch an Ether bunny? With an Ethernet.
Keeping IPv6 enabled
Microsoft recommends leaving IPv6 enabled even when not in active use, although disabling IPv6 is a supported action
Microsoft products are not tested with IPv6 disabled; disabling IPv6 places that host and application into a less-tested state
Leaving IPv6 enabled, even when not in use, does not impact production networks
Leave it enabled
Don’t clear the IPv6 checkbox on a regular NIC:
It only unbinds IPv6 from that one interface
It cannot be scripted
The IPv6 loopback interface is still enabled
In case you really need to…
Recommended: use the DisabledComponents registry key
Documented in a Microsoft Knowledge Base article (the reference was not captured on the slide)
The DisabledComponents key does not exist by default and must be created
Leave the IPv6 box checked in the NIC properties when using the DisabledComponents key
Only use this as a last resort; there is no technical reason to disable IPv6 in Windows
Done! Q&A
A UDP packet walks into a bar without a checksum. Nobody cares.