Presentation is loading. Please wait.

Presentation is loading. Please wait.

HELP! I Need to Learn IPv6! or 60 IPv6 Slides in 60 minutes!

Similar presentations


Presentation on theme: "HELP! I Need to Learn IPv6! or 60 IPv6 Slides in 60 minutes!"— Presentation transcript:

1 HELP! I Need to Learn IPv6! or 60 IPv6 Slides in 60 minutes!
Rick Graziani Cabrillo College

2 HELP! I Need to Learn IPv6! Why IPv6… in three slides or less
What about IPv5 and NAT? IPv6 Address Representation IPv6 Global Unicast Address Link-local Unicast SLAAC (Stateless Address Autoconfiguration) DHCPv6 (Stateless vs Stateful) DHCPv6 Prefix Delegation – IPv6 for the home https://www.ipv6ready.org/

3 IPv6 For more information…
IPv6 Fundamentals LiveLessons: A Straightforward Approach to Understanding IPv6 Access to all my presentations on my web site: IPv6 IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6

4 Why IPv6… in three slides or less.

5 IANA is out… RIRs and ISPs are running out.
We are running out of IPv4 address space. Monday, January 31, 2011 IANA allocated the last /8 IPv4 address blocks to the RIRs. RIR’s have very few, if any IPv4 address left. Many ISPs are severely limited and some have already run out. Actual or projected dates as of November 2014 Graphic is from Source: Note: APNIC and RIPE are not completely out of addresses but they are very restrictive on allocation of addresses.

6 World Internet Statistics
The regions with the largest populations have the lowest percentages of people connected to the Internet Graphic from Internet World Stats,

7 Benefits of IPv6 Larger address space Stateless autoconfiguration
End-to-end reachability without private addresses and NAT The “killer application” for the Internet is the Internet itself. Graphic from IPv6 Forum, https://www.ipv6ready.org/

8 What about IPv5 and NAT, and when is the big date to switch to IPv6?

9 RFC 1190 What About IPv5? 4 = IPv4 5 = ST2 6 = IPv6 In the late 1970s, a family of experimental protocols was developed intended to provide quality of service (QoS) for real-time multimedia applications such video and voice. Known as Internet Stream Protocol (ST) and later ST2 – (RFC 1190 and RFC 1819). Although it was never known as IPv5, when encapsulated in IP, ST uses IP Protocol version 5. “In the late 1970’s, a protocol named ST — The Internet Stream Protocol — was created for the experimental transmission of voice, video, and distributed simulation. Two decades later, this protocol was revised to become ST2 and started to get implemented into commercial projects by groups like IBM, NeXT, Apple, and Sun. Wow did it differ a lot. ST and ST+ offered connections, instead of its connection-less IPv4 counterpart. It also guaranteed QoS. ST and ST+, were already given that magical “5″. “

10 X No More NAT as We Know It NAT
Customer Network /24 (RFC 1918) ISP Network Public IPv4 Internet Public IPv4 X NAT has been used to help “hide” customers and works for many client-initiated applications. However, NAT also creates some issues, like peer-to-peer networking and accessing our “hidden” systems from other networks. Using NAT to “hide” IPv6 networks has been the source of some debate. IETF continues to state that NAT is not a security feature. For more information: RFC IAB Thoughts on IPv6 Network Address Translation RFC 4864 Local Network Protection for IPv6 RFC 6296 IPv6-to-IPv6 Network Address Translation (NAT66)

11 Transitioning to IPv6 Tunneling – Various protocols to encapsulate IPv6 packets inside IPv4 packets. NAT64 – Translating between IPv4 and IPv6. Native IPv6 – All IPv6 (our focus and the goal of every organization).

12 Transitioning to IPv6? IPv4 IPv6
IPv4 and IPv6 will coexist for the foreseeable future. Dual-stack – Device running both IPv4 and IPv6. Enterprises and ISPs have to support both protocols, which is a reason to eventually go to only IPv6.

13 Hex in the City and IPv6 Address Representation

14 Let’s Begin with the IPv6 Header
Similar fields Understanding IPv6 begins with the IPv6 header. IPv6 takes advantage of 64-bit CPUs. Several differences between IPv4 and IPv6 headers. IPv4 Simpler IPv6 header. Fixed 40 byte IPv6 header. We will focus on the addresses… 64-bit memory word IPv6 Understanding IPv6 all begins with the IPv6 header. When we think about IPv6 we usually think of the header’s IPv6 address but as we will see there are many changes. Understanding the IPv6 header will help us understand some of the other functionality of IPv6. Drawn as 64 bits wide, unlike IPv4 which is typically shown as a 32 bit wide header. Designers of IPv6 decided to take advantage of 64-bit processing although back then 64-bit CPUs were not common. We will explore these similarities and differences throughout this lesson. 64-bit CPUs can read one 64-bit wide memory word at a time, so to take advantage of this processing IPv6 fields start at an even 64-bit boundary or a multiple of 64. 32-bit CPUs aren’t negatively affected because a 64-bit boundary is also a 32-bit boundary. We will examine the changes between these two headers. IPv4 header – lighter shaded fields have a field in IPv6 with the same or similar functionality. The darker shaded fields are ones that are not included in IPv6. IPv6 is simpler and is fixed length. We’ll talk more about this in a moment.

15 The Beauty of Hexadecimal: 4 bits = 1 hex digit
Binary 8421 0000 0001 0010 0011 0100 0101 0110 0111 Binary 8421 1000 1001 1010 1011 1100 1101 1110 1111 Dec 1 2 3 4 5 6 7 Hex 1 2 3 4 5 6 7 Dec 8 9 10 11 12 13 14 15 Hex 8 9 A B C D E F Any combination of 4 bits (16 possibilities) can be represented by a single hexadecimal digit

16 IPv6 Address Notation 2001:0DB8:AAAA:1111:0000:0000:0000:0100
16 bits 1 16 bits 2 16 bits 3 16 bits 4 16 bits 5 16 bits 6 16 bits 7 16 bits 8 IPv6 addresses are 128-bit addresses represented in: Hexadecimal: 1 hex digit = 4 bits Eight 16-bit segments or “hextets” (not a formal term) between 0000 and FFFF Separated by colons Reading and subnetting IPv6 is easier than IPv4…. Really! [RFC4291] does not mention any preference of uppercase or lowercase. The RFC 5952 recommendation that SHOULD be followed is that characters be represented in lower text by systems when generating an address to be represented as text, but all implementations MUST accept and be able to handle any legitimate [RFC4291] format.

17 128-bit Address: How Many Is That?
2001:0DB8:AAAA:1111:0000:0000:0000:0100 128 bits

18 Number of IPv6 Addresses
Number name Scientific Notation Number of zeros 1 Thousand 103 1,000 1 Million 106 1,000,000 1 Billion 109 1,000,000,000 1 Trillion 1012 1,000,000,000,000 1 Quadrillion 1015 1,000,000,000,000,000 1 Quintillion 1018 1,000,000,000,000,000,000 1 Sextillion 1021 1,000,000,000,000,000,000,000 1 Septillion 1024 1,000,000,000,000,000,000,000,000 1 Octillion 1027 1,000,000,000,000,000,000,000,000,000 1 Nonillion 1030 1,000,000,000,000,000,000,000,000,000,000 1 Decillion 1033 1,000,000,000,000,000,000,000,000,000,000,000 1 Undecillion 1036 1,000,000,000,000,000,000,000,000,000,000,000,000 IPv4 4.3 billion IPv4 addresses: 4.3 billion IPv6 addresses: 340 undecillion IPv6 340 undecillion 340,282,366,920,938,463,463,374,607,431,768,211,456

19 Two Rules for Compressing IPv6 Addresses Rule 1: Omitting Leading 0s
Two rules for reducing the size of written IPv6 addresses. First rule: Leading zeroes in any 16-bit segment do not have to be written. 2001 : 0DB8 : 0001 : 1000 : 0000 : 0000 : 0ef0 : bc00 2001 : DB8 : 1 : 1000 : 0 : 0 : ef0 : bc00 2001 : 0DB8 : 010d : 000a : 00dd : c000 : e000 : 0001 2001 : DB8 : 10d : a : dd : c000 : e000 : 1 2001 : 0DB8 : 0000 : 0000 : 0000 : 0000 : 0000 : 0500 2001 : DB8 : 0 : 0 : 0 : 0 : 0 : 500 Only leading 0s, not trailing 0s. Otherwise we wouldn’t know which 0s were omitted – leading 0s, trailing 0s, or both. By the way, I’m using spaces between the hextets only for readability.

20 Two Rules for Compressing IPv6 Addresses Rule 1: Omitting Leading 0s
Only leading 0s can be excluded, trailing 0s must be included. Or leads to ambiguity… 2001 : 0DB8 : ab : 1234 : 5678: 9abcd: ef12: 3456 2001 : 0DB8 : 00ab : 1234 : 5678: 9abcd: ef12: 3456 2001 : 0DB8 : ab00 : 1234 : 5678: 9abcd: ef12: 3456 2001 : 0DB8 : 0ab0 : 1234 : 5678: 9abcd: ef12: 3456 ? Only leading 0s, not trailing 0s. Otherwise we wouldn’t know which 0s were omitted – leading 0s, trailing 0s, or both. By the way, I’m using spaces between the hextets only for readability.

21 Two Rules for Compressing IPv6 Addresses
Rule 2: Double Colon :: The second rule can reduce this address even further: Second rule: Any single, contiguous string of one or more 16-bit segments consisting of all zeroes can be represented with a double colon (::). 2001 : 0DB8 : 1000 : 0000 : 0000 : 0000 : 0000 : 0001 2001 : DB8 : 1000 : : 1 2001:DB8:1000::1 First rule Second rule First rule

22 Rule 2: Double Colon :: Choices
Only a single contiguous string of all-zero segments can be represented with a double colon. Although the rule states that both of these are correct… 2001 : DB8 : 0000 : 0000 : 1234 : 0000 : 0000 : 5678 2001 : DB :: 1234 : 0 : 0 : 5678 2001 : DB8 : 0 : 0 : :: 5678 RFC 5952 or … RFC 5952 states that the longest string of zeroes must be replaced with the :: and if they are equal then the first string of 0’s should use the :: representation. RFC 5952 does state that the longest string of zeroes must be replaced w/ the :: and if they are equal then the first string of 0’s should use the :: representation RFC 5952 A Recommendation for IPv6 Address Text Representation provides clarity on how addresses should be represented Maximum reduction of the address is known as the “compressed” format.

23 Rule 2: Double Colon :: Only Once
Using the double colon more than once in an IPv6 address can create ambiguity because of the ambiguity in the number of 0s. 2001:DB8::1234::5678 2001:DB8:0000:0000:0000:1234:0000:5678 2001:DB8:0000:0000:1234:0000:0000:5678 2001:DB8:0000:1234:0000:0000:0000:5678

24 IPv6 Global Unicast Address
Exactly the same as a Public IPv4 Address…. only different.

25 IPv6 Address Types IPv6 Addresses Unicast Multicast Anycast Assigned
Solicited Node FF00::/8 FF02::1:FF00:0000/104 Global Unicast Link-Local Loopback Unspecified Unique Local Embedded IPv4 2000::/3 FE80::/10 ::1/128 ::/128 FC00::/7 ::/80 IPv6 does not have a “broadcast” address.

26 IPv6 Source and Destination Addresses
IPv6 Source – Always a unicast (link-local or GUA) IPv6 Destination – Unicast, multicast, or anycast. IPv4 IPv6

27 Global Unicast Address
IPv6 Internet Global Unicast Address (GUA) 2000::/3 (First hextet: 2000::/3 to 3FFF::/3) Globally unique and routable Similar to public IPv4 addresses 2001:DB8::/32 - RFC 2839 and RFC 6890 reserves this range of addresses for documentation These are the addresses we will be referring to the most. RFC 6890 lists other special use blocks for both IPv4 and IPv6 blocks.

28 Global Unicast Address Range
Global Routing Prefix Subnet ID Interface ID 001 Range: 2000: 3FFF: : : First hextet Global Unicast Address (GUA) 2000::/3 Range 2000::/64 thru 3fff:fff:fff:fff::/64 1/8th of IPv6 address space IANA’s allocation of IPv6 address space in 1/8th sections

29 Global Unicast Address Range
Global Routing Prefix Subnet ID Interface ID Range: 2000::/64 thru 3fff:fff:fff:fff::/64 001 Except under very specific circumstances, all end users will have a global unicast address. Note: A host (an interface) can potentially have multiple IPv6 addresses on the same or different networks. Terminology: Prefix equivalent to the network address of an IPv4 address Prefix length equivalent to subnet mask in IPv4 Interface ID equivalent to host portion of an IPv4 address

30 Parts of a Global Unicast Address
IPv4 Unicast Address /? Network portion Subnet portion Host portion 32 bits IPv6 Global Unicast Address /48 /64 16-bit Subnet ID Global Routing Prefix Interface ID 128 bits 64-bit Interface ID = 18 quintillion (18,446,744,073,709,551,616) devices/subnet 16-bit Subnet ID (initially recommended) = 65,536 subnets /48 global routing prefix could be more or less depending on what you service provider gives you – we will talk about this in a moment Most orgs that go to ARIN are more likely to get a /40 w/ the ARIN assignment policy based on the number of sites. So you actually end w/ a more variable length “subnet” range that you can use. The /48 boundary was initially recommended by the first IPv6 standards but it is changing.

31 /64 Global Unicast Address and the 3-1-4 Rule
/48 /64 16 bits 16 bits 16 bits 16 bits 16 bits 16 bits 16 bits 16 bits Global Routing Prefix Subnet ID Interface ID 3 1 4 2001 : 0DB8 : CAFE : 0001 : 0000 : 0000 : 0000 : 0100 3 + 1 = 4 (/64) : 4 2001:0DB8:CAFE:0001:0000:0000:0000:0100/64 2001:DB8:CAFE:1::100/64 3-1-4 when using a /48 (common but a moving target)

32 3-1-4 Rule Subnetting IPv6 Can you count in hex?
Just increment by 1 in Hexadecimal: 2001:0DB8:CAFE:0000::/64 2001:0DB8:CAFE:0001::/64 2001:0DB8:CAFE:0002::/64 ... 2001:0DB8:CAFE:0009::/64 2001:0DB8:CAFE:000A::/64 Valid abbreviation is to remove the leading 0s: 2001:DB8:CAFE:1::/64 3-1-4 Rule

33 Static GUA Configuration
2001:DB8:CAFE:1::/64 :100 A G0/0 :1 2001:DB8:CAFE:3::/64 :1 S0/0/0 :1 G0/1 R1 :100 B 2001:DB8:CAFE:2::/64 I love the rule and subnetting IPv6! R1(config)#interface gigabitethernet 0/0 R1(config-if)#ipv6 address 2001:db8:cafe:1::1/64 R1(config-if)#no shutdown R1(config-if)#exit R1(config)#interface gigabitethernet 0/1 R1(config-if)#ipv6 address 2001:db8:cafe:2::1/64 R1(config)#interface serial 0/0/0 R1(config-if)#ipv6 address 2001:db8:cafe:3::1/64

34 Link-local Unicast You see it all of the time. You just never knew what it was.

35 IPv6 Address Types IPv6 Addresses Unicast Multicast Anycast Assigned
Solicited Node FF00::/8 FF02::1:FF00:0000/104 Global Unicast Link-Local Loopback Unspecified Unique Local Embedded IPv4 2000::/3 FE80::/10 ::1/128 ::/128 FC00::/7 ::/80 IPv6 does not have a “broadcast” address.

36 Link-Local Unicast Address
IPv6 Source – Always a unicast IPv6 Destination – Unicast, multicast, or anycast. Unicast, including a link-local address IPv4 IPv6

37 Link-Local Unicast Address Link-Local Communications
Used to communicate with other devices on the link. Are NOT routable off the link (network). Only have to be unique on the link. Not included in the IPv6 routing table. An IPv6 device must have at least a link-local address. Might mention here that link local addresses are intended to provide a stable communications address as global addresses may change over time whereas link local addresses are consistent and constantly available (for the most part)

38 Link-Local Unicast Range
First 10 bits Remaining 54 bits xx xxxx 64-bit Interface ID Range: FE80: FEBF: : : First hextet Link-local Unicast Link – Network segment Link-local means, local to that link or network.

39 Link-Local Unicast Address
First 10 bits Remaining 54 bits xx xxxx 64-bit Interface ID FE80::Interface ID Link-local addresses are created Automatically : FE80 (usually) – First 10 bits Interface ID EUI-64 (Cisco routers) Random 64 bits (many host operating systems) Static (manual) configuration – Common practice for routers.

40 Modified EUI-64 Format (Extended Unique Identifier–64)
OUI (24 bits) Device Identifier (24 bits) FC 99 47 75 C3 E0 Insert FF-FE FC 99 47 FF FE 75 C3 E0 FC 99 47 FF FE 75 C3 E0 U/L bit flipped FE 99 47 FF FE 75 C3 E0 Insert FFFE gives us a 64 bit Interface ID IPv6 64-bit interface IDs are on a 64 bit boundary and accommodate IEEE specification for 64 bit MAC addresses IEEE has chosen FFFE as a reserved value which can only appear in EUI-64 generated from the an EUI-48 MAC address. IEEE's Guidelines for EUI-64 Registration Authority, Reason for U/L bit flipped can be found in RFC 4291 IP Version 6 Addressing Architecture

41 Verifying the Router’s Link-Local Address
Link-local addresses only have to be unique on the link. R1# show interface gigabitethernet 0/0 GigabitEthernet0/0 is up, line protocol is up Hardware is CN Gigabit Ethernet, address is fc c3e0 (bia fc c3e0) <Output Omitted> R1#show ipv6 interface brief GigabitEthernet0/0 [up/up] FE80::FE99:47FF:FE75:C3E0 2001:DB8:CAFE:1::1 GigabitEthernet0/1 [up/up] FE80::FE99:47FF:FE75:C3E1 2001:DB8:CAFE:2::1 Serial0/0/ [up/up] 2001:DB8:CAFE:3::1 R1# Wait! Two Link-locals are the same! EUI-64 FF:FE = EUI-64 (most likely) Serial interfaces will use a MAC address of an Ethernet interface. Mystery © Copyright sato00

42 Verifying the PC’s Link-Local Address
EUI-64 or random 64-bit value PC> ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: Connection-specific DNS Suffix : Link-local IPv6 Address : fe80::50a5:8a35:a5bb:66e1 IPv4 Address : Subnet Mask : Default Gateway : Many operating systems will use a random 64-bit Interface IDs for GUA and Link-Local IPv6 Addresses. Similar security issues and solutions as IPv4. Highlight on the second bullet that IPv6 comms can happen even if constructs are in place to prevent such comms (e.g. IPv4 acl) I think the graphic build up gets to it but maybe worth highlighting. Might also be worth highlighting that even if you don’t intend to deploy IPv6 you still need to secure and provide instrumentation and processes to detect IPv6. People Icon: Occupations set 5 © Copyright Fredy Sujono

43 An Important Role in IPv6
Routing Protocol Messaging From: Link-local To: Multicast ICMPv6 Router Solicitation From: Link-local or unspecified address To: Multicast ICMPv6 Router Advertisement From: Link-local To: Multicast I will use your link-local as my default gateway, Used as a source IPv6 address before a device gets one dynamically (SLAAC and DHCPv6). Router’s link-local address is used by devices as the default gateway. Routers exchange routing messages. Router use the link-local address as the next-hop address in the routing table: via link-local address.

44 Pinging a Link-Local Address
? FE80::1 FE80::1 FE80::2 FE80::2 Ser 0/0/0 :1 G0/0 R1 Ser 0/0/0 :2 R2 2001:DB8:CAFE:2::/64 2001:0DB8:ACAD:1::/64 R1# ping fe80::2 Output Interface: ser 0/0/0 % Invalid interface. Use full interface name without spaces (e.g. Serial0/1) Output Interface: serial0/0/0 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to FE80::2, timeout is 2 secs: !!!!! Must include exit-interface a link local that an egress interface MUST be associated w/ that use. (Might also show an example of a PC using a LL to ping a link local address. Rick – Windows 7 didn’t have to specify egress interface)

45 SLAAC (Stateless Address Autoconfiguration)
No DHCP Required

46 ICMPv6 Neighbor Discover Protocol
ICMPv6 Neighbor Discovery defines 5 different packet types: Router Solicitation Message Router Advertisement Message Used with dynamic address allocation Neighbor Solicitation Message Neighbor Advertisement Message Used with address resolution (IPv4 ARP) Redirect Message Similar to ICMPv4 redirect message Router-to-Device messaging Router-Device Messaging Device-Device Messaging See these processes with: R1# debug ipv6 nd

47 Address Resolution: IPv4 and IPv6
ARP Request: Broadcast IPv4: ARP over Ethernet Ethernet ARP Request/Reply ARP Cache Know IPv4, what is the MAC? My IPv4! Here is the MAC? 2 1 ARP Reply PC2 ARP Request PC1 2 1 My IPv6! Here is the MAC? Know IPv6, what is the MAC? Neighbor Advertisement Neighbor Solicitation Neighbor Cache IPv6: ICMPv6 over IPv6 over Ethernet NS: Multicast NS: Solicited Node Multicast Ethernet More about address resolution in Lesson X. More about Solicited Node Multicast in Lesson X and Y. IPv6 Header ICMPv6: Neighbor Solicitation/Advertisement

48 Router Solicitation & Router Advertisement Messages
ICMPv6 Neighbor Discovery defines 5 different packet types: Router Solicitation Message Router Advertisement Message Used with dynamic address allocation Neighbor Solicitation Message Neighbor Advertisement Message Used with address resolution (IPv4 ARP) Redirect Message Similar to ICMPv4 redirect message Router-to-Device messaging Router-Device Messaging Device-Device Messaging

49 Dynamic IPv6 Address Allocation
Global Unicast Manual Dynamic Stateless Stateful Static IPv6 unnumbered SLAAC DHCPv6 Similar to IPv4 unnumbered Static + EUI 64 SLAAC + DHCPv6 DHCPv6-PD

50 Dynamic Address Allocation in IPv4
DHCPv4 Server 1 2 I need IPv4 addressing information. Here is everything you need. DHCPv4 server is a stateful server.

51 Dynamic Address Allocation in IPv6
To all IPv6 routers: I need IPv6 address information. I might not be needed. ICMPv6 Router Solicitation DHCPv6 Server ICMPv6 Router Advertisement To all IPv6 devices: Let me tell you how to do this … 1. SLAAC SLAAC (Stateless Address Autoconfiguration) 2. SLAAC with Stateless DHCPv6 Router Solicitations Router Advertisements The Router Advertisement (RA) tells hosts how it will receive IPv6 Address Information. Sent periodically by an IPv6 router or… … when the router receives a Router Solicitation (RS) message from a host. More options for devices to get addressing. The device doesn’t need to access a DHCPv6 server for addressing. It’s router, its default gateway is its way out of the network and everything it needs for addressing. Much more in lesson XXX 3. Stateful DHCPv6

52 Router Advertisement: 3 Options
Option 1 and 2: Stateless Address Autoconfiguration DHCPv6 Server does not maintain state of addresses Option 3: Stateful Address Configuration Address received from DHCPv6 Server DHCPv6 Router(config)# ipv6 unicast-routing DHCPv6 Server Option 1: SLAAC – No DHCPv6 (Default on Cisco routers) “I’m everything you need (Prefix, Prefix-length, Default Gateway)” Option 2: SLAAC + Stateless DHCPv6 for DNS address “Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.” (DNS can be in RA) Option 3: All addressing except default gateway use DHCPv6 “I can’t help you. Ask a DHCPv6 server for all your information.” RA Option 1 technically isn’t everything as there’s no DNS server or domain name info (RFC 6106). Need both the router to support the sending of the info and the end system to know what to do w/ it. For option 3, you still need to control the SLAAC process w/ the RA’s (e.g. how the prefix in the RA should be used) otherwise the end system will end up a DHCP and SLAAC address

53 Obtaining an IPv6 Address Automatically

54 SLAAC: Stateless Address Autoconfiguration
2001:DB8:CAFE:1::/64 MAC: D2-8C-E0-4C 1 SLAAC Option 1 – RA Message To: FF02::1 (All-IPv6 devices) From: FE80::1 (Link-local address) Prefix: 2001:DB8:CAFE:1:: Prefix-length: /64 2 RA Prefix: 2001:DB8:CAFE:1:: Prefix-length: /64 Default Gateway: FE80::1 Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration. 3 EUI-64 Process or Random 64-bit value ipv6 nd ra dns-suffix ipv6.vmwcs.com To configure the IPv6 router advertisement of DNS server addresses on an interface, use the ipv6 nd ra dns server command in interface configuration mode. To remove the IPv6 router advertisement of DNS server addresses, use the no form of this command. ipv6 nd ra dns server ipv6-address seconds no ipv6 nd ra dns server ipv6-address Syntax Description seconds The amount of time (in seconds) that the Domain Naming System (DNS) server is advertised in an IPv6 router advertisement (RA). The range is from 200 to Command Default The DNS server is not advertised in an IPv6 RA. Command Modes Interface configuration (config-if) Command History Release Modification Cisco IOS XE Release 3.9S This command was introduced. Usage Guidelines You can use the ipv6 nd ra dns server command to configure up to eight DNS server addresses in an RA. If you configure a seconds value of zero, the DNS server will no longer be used. Examples The following example configures a DNS server with an IPv6 address of 2001:DB8:1::1 to be advertised in an RA with a lifetime of 600 seconds: Router(config)# interface ethernet 0/0 Router(config-if)# ipv6 nd ra dns server 2001:DB8:1::1 600 DHCPv6 Server

55 SLAAC: Interface ID ✔ DHCPv6 Server /48 /64 16-bit Subnet ID
Global Routing Prefix 64-bit Interface ID Operating System EUI-64 Random 64-bit Windows XP, Server 2003 Windows Vista and newer MAC OSX Linux SLAAC EUI-64 Process Randomly Generated Number (Privacy Extension) Check your OS for the default…. Most operating systems provide options to use use either one. Cisco router configured as a client will use EUI-64. More on the router as a client in Lesson 8 when we discuss SLAAC and DHCPv6. Default OS behavior can be changed. Known instead of unknown © Copyright DOC RABE Media Man in paper bag on head © Copyright binik

56 SLAAC: EUI-64 Option 1 2 RA 3 MAC: 00-19-D2-8C-E0-4C
2001:DB8:CAFE:1::/64 MAC: D2-8C-E0-4C 1 SLAAC Option 1 – RA Message To: FF02::1 (All-IPv6 devices) From: FE80::1 (Link-local address) Prefix: 2001:DB8:CAFE:1:: Prefix-length: /64 2 RA Prefix: 2001:DB8:CAFE:1:: Prefix-length: /64 Default Gateway: FE80::1 Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration. 3 EUI-64 Process or Random 64-bit value As of now Cisco only supports DNS server advertisement not domain name on IOS XE. To configure the IPv6 router advertisement of DNS server addresses on an interface, use the ipv6 nd ra dns server command in interface configuration mode. To remove the IPv6 router advertisement of DNS server addresses, use the no form of this command. ipv6 nd ra dns server ipv6-address seconds no ipv6 nd ra dns server ipv6-address Syntax Description seconds The amount of time (in seconds) that the Domain Naming System (DNS) server is advertised in an IPv6 router advertisement (RA). The range is from 200 to Command Default The DNS server is not advertised in an IPv6 RA. Command Modes Interface configuration (config-if) Command History Release Modification Cisco IOS XE Release 3.9S This command was introduced. Usage Guidelines You can use the ipv6 nd ra dns server command to configure up to eight DNS server addresses in an RA. If you configure a seconds value of zero, the DNS server will no longer be used. Examples The following example configures a DNS server with an IPv6 address of 2001:DB8:1::1 to be advertised in an RA with a lifetime of 600 seconds: Router(config)# interface ethernet 0/0 Router(config-if)# ipv6 nd ra dns server 2001:DB8:1::1 600 DHCPv6 Server

57 Modified EUI-64 Format (Extended Unique Identifier–64)
OUI (24 bits) Device Identifier (24 bits) 00 19 D2 8C E0 4C Insert FF-FE 00 19 D2 FF FE 8C E0 4C 19 D2 FF FE 8C E0 4C 00 U/L bit flipped 02 19 D2 FF FE 8C E0 4C Insert FFFE gives us a 64 bit Interface ID IPv6 64-bit interface IDs are on a 64 bit boundary and accommodate IEEE specification for 64 bit MAC addresses IEEE has chosen FFFE as a reserved value which can only appear in EUI-64 generated from the an EUI-48 MAC address. IEEE's Guidelines for EUI-64 Registration Authority, Reason for U/L bit flipped can be found in RFC 4291 IP Version 6 Addressing Architecture

58 Verifying SLAAC on the PC Using EUI-64
Router Advertisement EUI-64 PC> ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: IPv6 Address : 2001:db8:cafe:1:0219:d2ff:fe8c:e04c Link-local IPv6 Address . . : fe80::0219:d2ff:fe8c:e04c Default Gateway : fe80::1 A 64-bit Interface ID and the EUI-64 process accommodates: The IEEE specification for a 64-bit MAC address 64-bit boundary processing FF-FE – more than likely EUI-64 Link local address is usually the same process Default gateway – link-local address Why. The Dude looking at the red question mark © Copyright jojje11

59 SLAAC: Random 64-bit Interface ID
DHCPv6 Server /48 /64 16-bit Subnet ID Global Routing Prefix 64-bit Interface ID Operating System EUI-64 Random 64-bit Windows XP, Server 2003 Windows Vista and newer MAC OSX Linux SLAAC EUI-64 Process Randomly Generated Number (Privacy Extension) Check your OS for the default…. Most operating systems provide options to use use either one. Known instead of unknown © Copyright DOC RABE Media Man in paper bag on head © Copyright binik

60 Verifying SLAAC on the PC Using Privacy Extension
Router Advertisement EUI-64 PC-Windows7> ipconfig Windows IP Configuration Ethernet adapter Local Area Connection: IPv6 Address : 2001:db8:cafe:1:50a5:8a35:a5bb:66e1 Link-local IPv6 Address . . : fe80::50a5:8a35:a5bb:66e1 Default Gateway : fe80::1 No FF-FE

61 Ensuring Unique Unicast Addresses
Global Unicast :db8:cafe:1:0219:d2ff:fe8c:e04c Link-local fe80::50a5:8a35:a5bb:66e1 Neighbor Solicitation Neighbor Advertisement? Not received = unique address Received = duplicate address SLAAC is stateless, no entity (DHCPv6 server) maintaining a state address-to-device mappings. How can we guarantee the address is unique? Duplicate Address Detection (DAD) Once required for all unicast addresses (static or dynamic), RFC was updated that DAD is only recommended. /64 Interface IDs!

62 DHCPv6 (Stateless vs Stateful)
For those who want it.

63 DHCPv6 Global Unicast Manual Dynamic Static IPv6 unnumbered SLAAC
Stateless Stateful Static IPv6 unnumbered SLAAC DHCPv6 Similar to IPv4 unnumbered Static + EUI 64 SLAAC + DHCPv6 DHCPv6-PD

64 RA Message Option 1 and 2: Stateless Address Autoconfiguration
DHCPv6 Server does not maintain state of addresses Option 3: Stateful Address Configuration Address received from DHCPv6 Server DHCPv6 Router(config)# ipv6 unicast-routing DHCPv6 Server Option 1: SLAAC – No DHCPv6 (Default on Cisco routers) “I’m everything you need (Prefix, Prefix-length, Default Gateway)” Option 2: SLAAC + Stateless DHCPv6 for DNS address “Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.” (DNS can be in RA) Option 3: All addressing except default gateway use DHCPv6 “I can’t help you. Ask a DHCPv6 server for all your information.” RA

65 Router as a Stateless DHCPv6 Server
ICMPv6 Router Solicitation 1 ICMPv6 Router Advertisement IPv6 Router & DHCPv6 Server 2 Option 2: Stateless DHCPv6 O Flag = 1, M Flag = 0 Note: Domain name and DNS server list may be included if router (and end system) support RFC 6106 IPv6 RA Options for DNS Configuration. DHCPv6 I created my own address (Stateless), and have the default gateway, but I need a DNS address… SOLICIT To all DHCPv6 Servers 3 ADVERTISE Unicast 4 INFORMATION REQUEST To all DHCPv6 Servers 5 DHCPv6 messages are similar to DHCPv4. The Information Request is used for Stateless DHCPv6 whereas a REQUEST message is used for Stateful DHCPv6. REPLY Unicast 6

66 SLAAC for Addressing & DNS for Other Information
2001:DB8:CAFE:1::/64 MAC: D2-8C-E0-4C 1 2 RA Message: Stateless DHCPv6 To: FF02::1 (All-IPv6 devices) From: FE80::1 (Link-local address) Prefix: 2001:DB8:CAFE:1:: Prefix-length: /64 Other Configuration Flag: 1 Prefix: 2001:DB8:CAFE:1:: Prefix-length: /64 Default Gateway: FE80::1 Global Unicast Address: 2001:DB8:CAFE:1: + Interface ID RA 2001:DB8:CAFE:1:6909:cb1c:36a0:a595 DHCPv6 For DNS DNS: 2001:DB8:CAFE:1::99 Domain name: cafe.com 3 Stateless DHCPv6 Server EUI-64 Process or Random 64-bit value

67 RA Message Option 1 and 2: Stateless Address Autoconfiguration
DHCPv6 Server does not maintain state of addresses Option 3: Stateful Address Configuration Address received from DHCPv6 Server DHCPv6 Router(config)# ipv6 unicast-routing DHCPv6 Server Option 1: SLAAC – No DHCPv6 (Default on Cisco routers) “I’m everything you need (Prefix, Prefix-length, Default Gateway)” Option 2: SLAAC + Stateless DHCPv6 for DNS address “Here is my information but you need to get other information such as DNS addresses from a DHCPv6 server.” (DNS can be in RA) Option 3: All addressing except default gateway use DHCPv6 “I can’t help you. Ask a DHCPv6 server for all your information.” RA

68 Router as a Stateful DHCPv6 Server
ICMPv6 Router Solicitation 1 ICMPv6 Router Advertisement IPv6 Router & DHCPv6 Server 2 Option 3: Stateful DHCPv6 O Flag = 0, M Flag = 1 DHCPv6 I’m only using the default gateway address from the RA. I need to contact a stateful DHCPv6 server for all my addressing. SOLICIT To all DHCPv6 Servers 3 ADVERTISE Unicast 4 REQUEST To all DHCPv6 Servers 5 REPLY Unicast 6

69 Stateful DHCPv6 1 2 RA RA Message: Stateful DHCPv6
I need to get all my addressing from DHCPv6, HOWEVER I will use the router as my default gateway. 2001:DB8:CAFE:2::/64 1 RA Message: Stateful DHCPv6 To: FF02::1 (All-IPv6 devices) From: FE80::1 (Link-local address) Prefix: 2001:DB8:CAFE:2:: Prefix-length: /64 Managed Configuration Flag: 1 2 RA Default Gateway: FE80::1 Global Unicast Address: DHCPv6 2001:DB8:CAFE:1:6909:cb1c:36a0:a595 DNS: 2001:DB8:CAFE:1::99 Domain name: cafe.com DHCPv6 Stateful DHCPv6 Server

70 DHCPv6 Prefix Delegation Process IPv6 for the home

71 DHCPv4 and Private Addresses for the Home
NAT ISP G0/1 G0/1 HOME G0/0 DHCPv4 Public IPv4 Address for the interface Private IPv4 Address DHCPv4 /8 /12 /16 ISP only has to deliver a public IPv4 address for Home router interface. DHCPv4 and RFC 1918 private address space is used for home network. NAT is used for translation – but has its drawbacks! No NAT between private-public IPv6 (always in debate) ISP doesn’t have to worry about the home network address. RFC 1918 takes care of that.

72 HOME Router’s ISP Facing Interface Complete IPv6 Reachability
Delegating Router (DR) G0/1 G0/1 ISP-DR HOME-RR G0/0 ? Requesting Router (RR) IPv6 Address for the interface: SLAAC DHCPv6 (Stateful or Stateless) First, HOME’s ISP facing interface needs an IPv6 address. Similar to any IPv6 client it may dynamically get an address using: SLAAC - Using prefix in RA Stateless DHCPv6 – SLAAC but DHCPv6 for DNS address Stateful DHCPv6 - Like DHCPv4 What about the address for the HOME LAN?

73 Here is a separate IPv6 prefix for you to give out to your LAN.
DHCPv6 Step 3 2001:DB8:CAFE:9:: + Interface ID (EUI-64 or Random) Delegating Router (DR) Requesting Router (RR) ISP-DR G0/1 G0/1 HOME-RR G0/0 DHCPv6-PD REQUEST 1 RA with /64 prefix 2001:DB8:CAFE:9:: (DNS, domain name) 3 DHCPv6-PD REPLY 2 Here is a separate IPv6 prefix for you to give out to your LAN. 2001:DB8:CAFE:9:: (DNS, domain name)

74 For more information… IPv6 Fundamentals LiveLessons: A Straightforward Approach to Understanding IPv6 Access to all my presentations on my web site: IPv6 Fundamentals: A Straightforward Approach to Understanding IPv6

75 Labs….


Download ppt "HELP! I Need to Learn IPv6! or 60 IPv6 Slides in 60 minutes!"

Similar presentations


Ads by Google