Ch 6: IPv6 Deployment Last modified 11-7-12. Topics 6.3 Transition Mechanisms 6.4 Dual Stack IPv4/IPv6 Environments 6.5 Tunneling.

Presentation transcript:

6.3 Transition Mechanisms
IPv6 is not backwards-compatible with IPv4
So while both protocols are in use, we need transition mechanisms to connect them
Three types of transition mechanisms
  – Dual Stack
  – Tunneling
  – Translation

Early Stages
Islands of IPv6
Connected via IPv4

Middle Stages
Core is IPv6 or Dual-Stack
  – Some tunnels are no longer needed
  – Translation mechanisms will be needed to allow legacy IPv4 devices to access IPv6 services

Last Stage
Most equipment and services are IPv6-only
  – Only isolated islands of IPv4 legacy services remain
  – IPv4 tunnels over IPv6
  – Translation devices allow IPv6-only devices to access IPv4 services

6.4 Dual Stack IPv4/IPv6 Environments
Each host uses both IPv4 and IPv6
Reduces need for tunnels

6.4.1 Deployment of a Dual Stack Environment
Consider the following issues
  – Shared infrastructure
      – Must route and switch both IPv4 & IPv6
  – Need for more resources
      – Details on next slide
  – Application protocol preference

Need for more resources
Each protocol stack must share the available network bandwidth
Routers need to:
  – Maintain forwarding tables for both IPv4 and IPv6
  – Run routing protocols for both protocols
  – Implement packet filtering for both protocols
  – Provide for congestion control for both protocols
  – Handle special cases (IPv4 Router Alerts and IPv6 Hop-by-Hop Options) for both
  – Forward packets for both protocols
Hosts must devote resources to both protocol stacks (for example, processing, memory, and network infrastructure traffic)
Administrative and security staff must maintain concurrent environments as well

Applications in a Dual-Stack Environment
Some applications are IPv4-only
Some are IPv6-only
Some are dual-stack
DNS record order can be used to control preference for A or AAAA records on each resource
  – IPv6 should be first when possible (preferred)

6.4.2 Addressing in a Dual Stack Environment
If you use static addresses, you must provide both IPv4 and IPv6 addresses
If you use DHCP, you must provide both a DHCPv4 and DHCPv6 server

6.4.3 Security Implications of a Dual Stack Environment
Each dual-stack node is exposed to the vulnerabilities of both IPv4 and IPv6
Security Details
  – Consistent security policy for both IPv4 & IPv6
  – Account for new IPv6 functionality
      – Mobility
      – Stateless address autoconfiguration
      – Neighbor discovery
      – Privacy addresses
      – End-to-end encryption with IPsec

Security Details (continued)
Unexpected tunneling between hosts may violate security policies
Organizations must upgrade
  – Intrusion detection or intrusion prevention systems
  – Firewalls
  – Monitoring, logging, and auditing
to provide IPv6 protection equivalent to what was available for IPv4.

Security Details (continued)
If tunneled packets are allowed to enter the network, the firewall or IDS/IPS system must be able to perform deep packet inspection.
The performance of security systems may degrade when handling IPv6 (when using the same resources compared to IPv4)

6.5 Tunneling

Configured v. Automatic Tunnels
Configured tunnels
  – Require system administrators to configure the endpoints of the tunnel
Automatic tunnels
  – The nodes configure the endpoints themselves

Configured Tunnels
SIT = 6in4, uses protocol 41
  – Hurricane Electric Tunnel Broker
  – Sixxs
Freenet6 can use many different tunnel types

Tunnels Bypassing Firewalls

iClicker Questions

Which of these upgrades is not needed to convert a router from IPv4 to dual-stack?
A. Two routing tables
B. Two routing protocols
C. Twice as many network interfaces
D. Two Access Control Lists
E. Two congestion control mechanisms

Which protocol does not need to be changed to move from IPv4 to dual-stack?
A. DHCP
B. DNS
C. RIP
D. Ethernet
E. ICMP

Which devices do not need to be upgraded to convert from IPv4 to dual-stack?
A. Firewalls
B. Intrusion Detection Systems
C. Routers
D. Switches
E. Servers

Which of these features does not create new security risks when moving from IPv4 to dual-stack?
A. Broadcast packets
B. Mobility
C. Neighbor discovery
D. SLAAC
E. Tunnels

Which of these features allows unauthorized traffic to bypass firewalls?
A. Multicast
B. Mobility
C. Neighbor discovery
D. SLAAC
E. Tunnels

Automatic Tunneling Mechanisms
6over4 – requires IPv4 multicast, rarely used
6to4 and 6rd – requires public IPv4 addresses, widely implemented
ISATAP – does not work across NAT
Teredo – UDP encapsulation intended for tunneling through IPv4 NATs

6.5.4 6over4 Protocol
Old and simple
Relies on IPv4 multicast
Has not been widely deployed
Hosts use their IPv4 address as an Interface ID

6over4 Example
Network: 2001:5c0:1000:b::/64
Gateway: 2001:5c0:1000:b::1
Host Addresses:
  – IPv4 (dotted-decimal):
  – IPv4 (hex): c0 a
  – Public IPv6: 2001:5c0:1000:b::c0a8:165
  – Link-Local IPv6: fe80::c0a8:165

6.5.5 6to4 and 6rd Protocols
6to4
  – Allows IPv6 sites to connect to one another over an IPv4 network
  – IPv4 address is embedded in IPv6 prefix
  – Useful when your ISP does not offer an IPv6 prefix

6rd (Rapid Deployment)
Allows IPv4 ISPs to offer IPv6 to customers quickly and easily
Uses the same system as 6to4, but with the provider’s IPv6 prefix

Using 6to4 and 6rd
Each 6to4 border router needs a public IPv4 address: w.x.y.z
The IPv6 network connected to that router uses the IPv6 prefix 2002:w.x.y.z/48
  – Example: CCSF uses:
  – In hexadecimal:
  – Our 6to4 IPv6 prefix is: 2002:9390:1::/48

6to4 Relays
Each 6to4 domain must have at least one relay router
Relay router has an (IPv4) anycast address:

6.5.6 Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
ISATAP allows isolated IPv6 hosts within a site running IPv4 to construct an automatic IPv6-in-IPv4 tunnel
Does not use IPv4 multicast, as required with 6over4
All hosts using ISATAP must be dual stack IPv4/IPv6
ISATAP hosts communicate by tunneling IPv6 packets over IPv4 using protocol 41

IPv4 Packet Header

Protocol Numbers
6   TCP
17  UDP
41  IPv6 (encapsulation)

Protocol 41 is Blocked by Most Home Routers

ISATAP Addresses
A host with an IPv4 address w.x.y.z performs autoconfiguration with interface ID = ::0:5EFE:w.x.y.z.

ISATAP Limitations
All IPv6 hosts run dual stack IPv4/IPv6 with support for ISATAP
Each ISATAP host must know at least one dual stack IPv4/IPv6 router
All traffic is constrained to a single administrative domain
There is no need for IPv4 NAT traversal

6.5.7 Teredo Protocol
Tunneling IPv6 over UDP through Network Address Translations (NATs)
Developed by Microsoft
Has a high overhead
Detects NAT, then starts with a UDP packet sent from inside the NAT
A Teredo server listens to UDP port 3544
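
An added example (not part of the original slides): a minimal deep-packet-inspection check that flags IPv4 packets carrying tunneled IPv6, keyed on protocol 41 and on Teredo's UDP port 3544 as described above. The function names, addresses and sample packets are constructed for illustration.

```python
import ipaddress
import struct

PROTO_UDP, PROTO_IPV6 = 17, 41   # IPv4 protocol numbers from the slide
TEREDO_PORT = 3544               # UDP port a Teredo server listens on

def inner_ipv6(data):
    """Inner addresses when the payload starts with a full IPv6 header, else None values."""
    if len(data) >= 40 and data[0] >> 4 == 6:
        return {"inner_src": str(ipaddress.IPv6Address(data[8:24])),
                "inner_dst": str(ipaddress.IPv6Address(data[24:40]))}
    return {"inner_src": None, "inner_dst": None}  # truncated, or Teredo control data

def classify_ipv4_packet(pkt):
    """Describe the IPv6 tunnel carried in a raw IPv4 packet, or return None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4                      # header length, options included
    if ihl < 20 or len(pkt) < ihl:
        return None
    outer = {"outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
             "outer_dst": str(ipaddress.IPv4Address(pkt[16:20]))}
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_IPV6:                        # 6in4 and ISATAP; 6to4 and 6rd use it too
        return {"tunnel": "protocol-41", **outer, **inner_ipv6(payload)}
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):          # traffic to or from a Teredo server
            return {"tunnel": "teredo-udp", **outer, **inner_ipv6(payload[8:])}
    return None

def build_ipv4(proto, src, dst, payload):
    """Constructed sample input: 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def build_ipv6(src, dst):
    """Constructed sample input: bare 40-byte IPv6 header with no next header (59)."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

if __name__ == "__main__":
    inner = build_ipv6("2001:db8::1", "2001:db8::2")
    udp = struct.pack("!HHHH", 50000, TEREDO_PORT, 8 + len(inner), 0) + inner
    for pkt in (build_ipv4(PROTO_IPV6, "192.0.2.10", "198.51.100.1", inner),
                build_ipv4(PROTO_UDP, "192.0.2.10", "198.51.100.2", udp),
                build_ipv4(6, "192.0.2.10", "198.51.100.3", b"\x00" * 20)):
        print(classify_ipv4_packet(pkt))
```

Port 3544 only identifies traffic to or from a Teredo server; packets exchanged directly between Teredo peers use other UDP ports, so a monitor that needs to catch them has to look for an IPv6 header inside UDP payloads in general.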

Teredo Addresses
IPv6 addresses for Teredo clients are comprised of the following five parts:
  – Prefix: the 32-bit Teredo service prefix 2001:0000::/32
  – Server IPv4: the 32-bit IPv4 address of a Teredo server
  – Flags: 16 bits set to 8000 for cone NATs and 0000 otherwise
  – Port: The Teredo client’s 16-bit UDP port number, inverted bit by bit
  – Client IPv4: The Teredo client’s 32-bit IPv4 address (behind the NAT), inverted bit by bit

Figure 6-5. Teredo Address | Prefix | Server IPv4 | Flags | Port | Client IPv4 |
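
An added example (not from the original slides): recovering the IPv4 address, and for Teredo the UDP port, that the 6to4, ISATAP and Teredo address formats described above embed in an IPv6 address, which is useful when reading logs or firewall hits. The function name and the sample addresses are constructed for illustration.

```python
import ipaddress

TEREDO_PREFIX = bytes.fromhex("20010000")   # 2001:0000::/32
SIXTOFOUR_PREFIX = bytes.fromhex("2002")    # 2002::/16

def _v4(raw):
    """Dotted-decimal form of four raw bytes."""
    return str(ipaddress.IPv4Address(raw))

def decode_transition_address(text):
    """Return (mechanism, fields) for a tunnel-derived IPv6 address, else (None, {})."""
    raw = ipaddress.IPv6Address(text).packed            # 16 bytes, network order
    if raw[:4] == TEREDO_PREFIX:
        # prefix | server IPv4 | flags | inverted port | inverted client IPv4
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        client = bytes(b ^ 0xFF for b in raw[12:16])
        return "teredo", {"server": _v4(raw[4:8]), "flags": raw[8:10].hex(),
                          "client_port": port, "client": _v4(client)}
    if raw[:2] == SIXTOFOUR_PREFIX:
        # 2002:w.x.y.z/48: the border router's public IPv4 address, in hex
        return "6to4", {"router": _v4(raw[2:6])}
    if (raw[8] & 0xFD) == 0 and raw[9] == 0 and raw[10:12] == b"\x5e\xfe":
        # interface ID ::0:5EFE:w.x.y.z (RFC 5214 also allows 0200:5EFE)
        return "isatap", {"host": _v4(raw[12:16])}
    return None, {}

# Constructed sample addresses built from documentation and private ranges.
SAMPLES = [
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",  # Teredo
    "2002:c000:201::1",                      # 6to4
    "fe80::5efe:c0a8:165",                   # ISATAP
    "2001:db8::1",                           # none of the above
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, decode_transition_address(sample))
```

6over4 addresses are not decoded here: their interface ID is just the IPv4 address with no marker, so they cannot be told apart from an ordinary manually assigned address.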

To Disable Them From and-computing-tips-and-tricks/249-disabling-ipv6- communications.html

iClicker Questions

Which of these techniques works through Network Address Translation?
A. 6over4
B. 6to4 or 6rd
C. ISATAP
D. Teredo
E. More than one of the above

Which of these techniques requires IPv4 multicast?
A. 6over4
B. 6to4 or 6rd
C. ISATAP
D. Teredo
E. More than one of the above

Which of these techniques was developed by Microsoft?
A. 6over4
B. 6to4 or 6rd
C. ISATAP
D. Teredo
E. More than one of the above

Which of these techniques embeds an IPv4 address inside an IPv6 address?
A. 6over4
B. 6to4 or 6rd
C. ISATAP
D. Teredo
E. More than one of the above

Which of these techniques embeds a layer 4 port number inside an IPv6 address?
A. 6over4
B. 6to4 or 6rd
C. ISATAP
D. Teredo
E. More than one of the above

Which of these techniques uses relays at ?
A. 6over4
B. 6to4 or 6rd
C. ISATAP
D. Teredo
E. More than one of the above