Presentation on theme: "| Basel IPv6 – now what? Philipp Kuhn Premier Field Engineer, Global Business Support"— Presentation transcript:
| Basel IPv6 – now what? Philipp Kuhn Premier Field Engineer, Global Business Support
Agenda IPv6 Basics Deployment Best practice and current issues challenges
| Basel Limitations of IPv4 IPv6 Basics An IPv4 address walks into a bar and says: “Quick, give me a drink. I am exhausted!”
Limitations of IPv4 Exponential growth of the Internet and the exhaustion of the IPv4 address space Need for simpler configuration Requirement for security at the IP level Need for better support for prioritized and real-time delivery of data
Limitations of IPv4 The modern Internet has grown beyond its original intent
What about IPv5? The world is moving from IPv4 and going straight to IPv6 because Chuck Norris doesn’t like the number 5! When Alexander Bell invented the telephone he had 3 missed calls from Chuck Norris.
| Basel Capabilities of IPv6 IPv6 Basics An IPv6 packet walks into a bar. Nobody talks to him.
Capabilities of IPv6 More efficient packet header format Globally scalable address space Stateless and stateful address configuration Standardized support for Internet Security protocols Better support for prioritized delivery More efficient node discovery Extensibility
IPv4 vs. IPv6 FeatureIPv4IPv6 Address length32 bits128 bits IPsec header supportOptionalRequired Prioritized delivery supportSomeBetter FragmentationHosts and routersHosts only Packet size576 bytes1280 bytes Link-layer address resolutionARP (broadcast)Multicast Neighbor Discovery Multicast membershipIGMPMulticast Listener Discovery (MLD) Router DiscoveryOptionalRequired Uses broadcastsYesNo ConfigurationManual, DHCPAutomatic, DHCPv6 DNS name queriesUses A recordsUses AAAA records DNS reverse queriesUses IN-ADDR.ARPA Uses IP6.ARPA
IPv6 terminology Node - Any device that runs an implementation of IPv6. Router - A node that can forward IPv6 packets not explicitly addressed to itself. Host - A node that cannot forward IPv6 packets not explicitly addressed to itself (a non router). Upper-layer protocol - A protocol above IPv6 that uses IPv6 as its transport. Link - The set of network interfaces that are bounded by routers and that use the same 64-bit IPv6 unicast address prefix. Network - Two or more subnets connected by routers. Neighbors - Nodes connected to the same link. Interface - The representation of a physical or logical attachment of a node to a link. Address - An identifier that can be used as the source or destination of IPv6 packets that is assigned at the IPv6 layer to an interface or set of interfaces. Packet - The protocol data unit (PDU) that exists at the IPv6 layer and is composed of an IPv6 header and payload.
The case for a IPv6 deployment IPv6 solves the address depletion problem IPv6 solves the disjoint address space problem IPv6 solves the international address allocation problem IPv6 restores end-to-end communication IPv6 uses scoped addresses and address selection IPv6 has more efficient forwarding IPv6 has support for security and mobility
| Basel IPv6 Address Space IPv6 Basics IPv4 is soon dead:beef.
IPv6 address space 128-bit address space possible addresses 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses (3.4 x or 340 undecillion) 6.65 x addresses for every square meter of the Earth’s surface 128 bits to allow flexibility in creating a multi-level, hierarchical, routing infrastructure 64-bit subnet prefix and a 64-bit interface identifier
IPv6 address syntax IPv6 address in binary form Divided along 16-bit boundaries Each 16-bit chunk is further broken down into four discreet 4-bit chunks called “nibbles”. Each nibble will represent a different hexadecimal value Each 16-bit block is converted to hexadecimal and delimited with colons 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A Suppress leading zeros within each block 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
Compressing zeros A single contiguous sequence of 16-bit blocks set to 0 can be compressed to “::” (double-colon) Example: FE80:0:0:0:2AA:FF:FE9A:4CA2 becomes FE80::2AA:FF:FE9A:4CA2 FF02:0:0:0:0:0:0:2 becomes FF02::2 Cannot use zero compression to include part of a 16-bit block FF02:30:0:0:0:0:0:5 does not become FF02:3::5, but FF02:30::5 A double-colon can only be used once when compressing an address.
IPv6 prefixes Express routes, address spaces, or address ranges IPv6 always uses address/prefix-length notation Similar to CIDR notation Examples 2001:DB8:0:2F3B::/64 for a subnet prefix 2001:DB8:3F::/48 for a route prefix
IPv6 address types Global addresses Local-use addresses (Link-local) Unique local addresses Special addresses
Global addresses Address scope is the entire IPv6 Internet Equivalent to public IPv4 addresses Structure Global Routing Prefix (part of the Public Routing Topology – along with 001 prefix) Subnet ID (Site Topology) Interface ID
Link-local addresses Address scope is a single link Equivalent to APIPA IPv4 addresses FE80::/64 prefix Used for: Single subnet, routerless configurations Neighbor Discovery processes
Zone IDs Link-local addresses are ambiguous Multiple links (common) Multiple sites (uncommon) Zone ID is used to identify a specific interface (e.g. multiple NICs) Zone ID is typically set to the interface index of the sending interface Examples: ping fe80::2b0:d0ff:fee9:4143%3 tracert fe80::f282:2b0:d0ff:fee9:4143%2 Zone IDs are only used for link-local addresses since routable addresses are non-ambiguous
Unique local addresses Private to an organization, yet unique across all of the sites of the organization FD00::/8 prefix Replacement for site-local addresses Global scope, no zone ID required
Special addresses Unspecified Address 0:0:0:0:0:0:0:0 or :: Loopback Address 0:0:0:0:0:0:0:1 or ::1
Well-known multicast addresses All multicast addresses begin with FF ( ) Prefixes FF01 – Node-local FF02 – Link-local FF05 – Site Local Suffixes 1 – All nodes 2 – All routers 1:2 – DHCP Servers + Relay Agents 1:3 – LLMNR
IPv4 addresses and IPv6 equivalents IPv4 AddressIPv6 Address Multicast addresses ( /4)IPv6 multicast addresses (FF00::/8) Broadcast addressesN/A Unspecified address is Unspecified address is :: Loopback address is Loopback address is ::1 Public IP addressesGlobal unicast addresses Private IP addressesUnique-local addresses (FD00::/8) APIPA addressesLink-local addresses (FE80::/64) Dotted decimal notationColon hexadecimal format Subnet mask or prefix lengthPrefix length notation only
| Basel IPv6 Interface Identifiers IPv6 Basics A TCP packet walks in to a bar and says “I want a beer”, barman says “you want a beer?” and TCP packet says “yes, a beer”.
Original plan… Last 64 bits of an auto-configured IPv6 address would be populated with the interface’s MAC address But… MAC is only 48 bits, so EUI-64 was created to allow a predictable and repeatable transformation from 48 bits to 64 bits But… Privacy advocates argued that all internet communications could now be traced to a person Beginning with Windows Vista and Windows Server 2008, a randomized method is utilized to determine the Interface ID instead of EUI-64 Netsh int ipv6 set global randomizeidentifiers=enabled|disabled
How does a host obtain an IPv6 address? There are four general methods for obtaining an IPv6 address: Statically configured Stateless Address Auto Configuration (SLAAC) Stateless DHCPv6 Stateful DHCPv6 The host decides which method to used based on the configuration of a Router Advertisement message Note: Link-local addresses are always generated regardless of any other options
Router advertisements IPv6 enabled hosts, are always listening for RA’s Additionally, a host will request a RA by sending a Router Solicitation when the host’s configuration changes Host powers up Network Change Notification An RA is usually sent by a Layer 3 device, and has specific options available RA’s control both addressing and routing on the host
Router advertisement options RFC 4861 Autonomous flag (A bit) – Hosts will generate an address based on this RA and if this bit is enabled. Valid Lifetime – a 32-bit number representing the length of time (in seconds) that a prefix will be used in the host’s routing table Managed Address Configuration flag (M bit) – Hosts will contact a DHCPv6 server to obtain an IPv6 address if this bit is set Other Stateful Configuration flag (O bit) – Hosts will contact a DHCPv6 server to obtain non-address configuration information if this bit is set.
| Basel A typical IPv6 deployment… Deployment DHCP jokes are leased.
Overall IPv6 deployment strategy IPv6 Deployment is not your “typical” IT project With proper planning, an organization’s IPv6 deployment should happen as a normal evolution over the course of time Specific IT investments focused on IPv6 should be very limited Ensure IPv6 capabilities as part of normal refresh interval in infrastructure components Readiness planning process is key to success Communications across groups has become much more important
Overall IPv6 deployment strategy People “What do we know about IPv6?” Process “How will our existing processes be impacted by IPv6?” Technology “What impact will IPv6 have on our existing hardware/software landscape?” Inventory is key Develop and revise a scorecard to track progress Schedule Quarterly Review with stakeholders
Factors in determining project duration Scope of the deployment Scale of the deployment Required organizational preparedness activities Protocol dependencies of the application inventory IPv6 capabilities of the operating systems IPv6 capabilities of the networking hardware Monitoring and management capabilities of the network IPv6 capability of the directory infrastructure And others …
Preparing for an IPv6 deployment Infrastructure technology pieces An IPv6 Addressing Plan DNS Servers for name resolution of IPv6 AAAA records Packet inspection technologies that can operate with IPv6 IPv6 configuration at the network edge IPv6 capability of network computers For Native IPv6: DHCP Servers capable of issuing DHCP options to IPv6 clients IPv6-capable routers configured following an IPv6 routing design
Implementing the IPv6 deployment Introduce a Pool of IPv6 Addresses Best Option: Acquire an IPv6 prefix Traditionally from ISP Provider Independent if multi-homed Other options include: 6to4 address corresponding to current public IPv4 address Unique Local IPv6 Unicast Configure IPv6-Compatible Name Resolution AAAA Records IP6.ARPA for PTR records
Implementing the IPv6 deployment Introduce a Pool of IPv6 Addresses
| Basel IPv6 support in Microsoft products Best practice and current issues challenges WHOIS going to tell us a Domain Name joke?
What does IPv6 compatible mean? According to the Microsoft Common Engineering Criteria: “All Microsoft server products are required to support both IPv6 and IPv4. In addition, all server products are required to be configurable to run in dual-stack (IPv4 and IPv6) or IPv6-only modes.” Additionally: “The goal is feature parity. Whatever a customer can do using IPv4, they should be able to do using IPv6, with the same level of security, performance, and scalability.”
Microsoft products that do not support IPv6 “Microsoft has informed Gartner that it does not plan to ship another full version of…Forefront Threat Management Gateway (TMG). The product is effectively in sustaining mode, with Microsoft continuing to ship Service Pack (SP) updates…for the standard support life cycle — five years of mainstream support and five years of extended support.” Magic Quadrant for Secure Web Gateway, 25 May, 2011
Microsoft’s strategy with IPv6 Microsoft plans to have full dual-stack and IPv6-only capabilities for all enterprise-class products Microsoft’s has been working on achieving this capability since 2007
| Basel Current issues opportunities Best practice and current issues challenges An ARP request goes to McDonald’s and asks for a Big MAC.
Application dependencies Most applications follow the OSI model, thus they are IP agnostic (Recommended) They pass a name to the TCP/IP stack and let the stack determine how to connect (using RFC 3484) Some applications try to handle IP connectivity on their own by opening a socket (Not recommended) These applications must specifically be coded to support IPv6 Some applications (or scripts) assume that the returned IP is in dotted decimal notation They fail on reading an IPv6 address
Hardware dependencies Network infrastructure hardware which inspect, modify, or route IP packets must specifically support IPv6 Examples: Routers Firewalls Load Balancers WAN Accelerators Intrusion Detection/Prevention Systems Proxy Servers Network probes and protocol analyzers
Transition technologies Transition Technologies can cause issues Whenever a machine has a public IPv4 address assigned it will automatically generate a 6to4 address as well 6to4 addresses are global routable addresses 6to4 addresses register in DNS Solution: Don’t use public IPv4 addresses inside a corporate network or disable 6to4 using Group Policy
Stay up-to-date Recommended updates for Windows 8/8.1/Server 2012/2012 R2 Make sure you install the monthly update rollups Recommended updates for Windows 7/Server 2008 R2 An enterprise hotfix rollup is available for Windows 7 SP1 and Windows Server 2008 R2 SP1 An IPv6 readiness update is available for Windows 7 and for Windows Server 2008 R2
| Basel Disabling IPv6 – Don’t do it Best practice and current issues challenges How do you catch an Ether bunny? With an Ethernet.
Keeping IPv6 enabled Microsoft recommends leaving IPv6 enabled even when not in active use, although disabling IPv6 is a supported action Microsoft products are not tested with IPv6 disabled. Disabling IPv6 places that host and application into a less-tested state Leaving IPv6 enabled, even when not in use, does not impact production networks
Leave it enabled Don’t remove this checkbox on a regular NIC Unbinds IPv6 from that one interface Cannot be scripted IPv6 loopback is still enabled
In case you really need to… Recommend using the DisabledComponents Registry Key Documented in The DisabledComponents key does not exist by default and must be created Leave the IPv6 box checked in the NIC properties when using the DisabledComponents Key Only use this as a last resort. However there is no technical reason to disable IPv6 in Windows
| Basel Q&A Done! A UDP packet walks into a bar without a checksum. Nobody cares.