SlideShare uma empresa Scribd logo

Ipv6 1-091110143246-phpapp01

R
Rimba Ari
EducaçãoTecnologia
1 de 61
Baixar para ler offline
IPv6 What, Why, How Jen Linkova aka Furry furry – at -openwall.com Openwall, Inc http://www.openwall.com Revision 1.0
IPv4 Address Distibution 32-bit number 4 294 967 296 addresses 256 /8 network blocks IPv4 address distibution IETF Reserved 35 IANA Pool 38 Allocated 18 Assigned 51 Advertised 114 0 20 40 60 80 100 120 /8 blocks 2
Lies, Damned Lies, Statistics 3 Source: «IPv4 Address Report», http://www.potaroo.net/tools/ipv4/
You have two choices: spend less... Address allocation policy for LIR (/19, /20, /21...) Address translation (NAT, NAPT): breaks end2end model affects protocols/applications provides a false sense of security See also: RFC 2775 «Internet Transparency» RFC 3027 «Protocol Complication with the IP Network Address Translator» RFC 2993 «Architectural Implications of NAT» Internet-Draft «Security implication of Network Address Translators» 4
...or earn more! ;-) IPv6 address: 340 282 366 920 938 463 463 374 607 431 768 211 456 total addresses 2^64 nodes per subnet fixed subnet size 5
Is it still enough? Assume...: RIRs request new block every 18 month Then... The block currently assigned by IETF (1/8TH IPv6 space) is about to run out by 2158 More than 5/8TH IPv6 address space will be still available (NB: 000/3 and 111/3 prefixes are reserved for special use) Source: David Conrad, General Manager, IANA, 2007 http://www.iana.org/about/presentations/conrad-buenosaires-citel-060913.pdf 6
IPv6 Address Format X:X:X:X:X:X:X:X where X = 0000 ... FFFF (hex) 2001:0DB8:0000:0000:0008:8000:0000:417A 2001:DB8:0:0:8:8000:0:417A 2001:DB8::8:8000:0:417A 2001:DB8:0:0:8:8000::417A 2001:db8::8:8000:417A 7
Examples loopback address 0:0:0:0:0:0:0:1 or ::1 unspecified address 0:0:0:0:0:0:0:0 or :: special exception: IPv4-mapped 0:0:0:0:0:FFFF:192.0.2.1 ::FFFF:192.0.2.1 ● 8
Find the Mistake 2001:0DB8:0000:0000:FFFF:0CA0:0000:0000 1)2001:DB8::FFFF:CA0:0:0 2)2001:db8:0:0:FFFF:0CA0:0:0 3)2001:DB8::FFFF:CA0:0:0 4)2001:db8::FFFF:ca0:: 5)2001:db8:0:0:FFFF:CA0:: 6)2001:db8::FFFF:CA:0:0 9
IPv6 Address Types Address Type Binary Prefix Prefix unspecified 000...0 (128 bits) ::/128 loopback 0000...01 (128 bits) ::1/128 link-local unicast 1111 1110 10 FE80::/10 multicast 1111 1111 FF00::/8 Global unicast all other addresses 10
Link-local Addresses FE80::/10 prefix Analogous to IPv4 169.254.0.0/16 Automatically assigned to an interface Valid in the scope of the given link! Not to be routed! To be used for auto-address configuration neighbour discovery 11
Multicast Addresses 8 bits 4 bits 4 bits 8 bits 8 bits 64 bits 32 bits 1111 1111 0RPT scope reserved plen net prefix group id flags T=0 – permanently-assigned (“well-known”) address, T=1 – non-permanently-assigned (“transient”) Scope 1 – node-local 2 – link-local 5 – site-local 14 – global (Internet) Group ID identififes the mulicast group within the given scope. For example: 1 – all nodes (scope = 1,2) 2 – all routers (scope = 1,2,5) 101 – all NTP servers Examples: FF02::101 – all NTP-servers on the same link as a sender FF02::2 – all routers on the same link as a sender 12 FF05::101 – all NTP-servers on the same site as a sender ●
Global Unicast Address Type Binary prefix Prefix unspecified 000...0 (128 bits) ::/128 loopback 0000...01 (128 bits) ::1/128 000...01111111111111111(96 Ipv4-mapped bits) ::FFFF/96 ULA 1111 110 FC00::/7 Assigned to RIRs 001 2000::/3 Global unicast all other addresses 13
Unique Local Unicast Addresses (ULA) FC00::/7 prefix (RFC4193) For local communications (site or limited set of sites) High probability of uniqueness Not expected to be routable on Internet Well-know prefixes => Easy filtering If leaked outside – no conflicts with other addresses 14
ULA Address Format L = 1 the prefix is locally assigned L = 0 for future use Global ID a globally unique prefix identifier Subnet ID the identifier of a subnet within a site Pseudo-Random Global ID Algorithm: 1) Obtain the current time of day in 64-bit NTP format 2) Obtain EUI-64 identifier (from MAC for example) or any suitably unique ID 3) Concatenate the time (1) with the system ID (2) 4) Compute SHA-1 digest of (3) and use the least significant 40 bits as 15 Global ID
Interface Identifier How to configure Manual configuration Autoconfiguration (EUI-64-based interface ID) DHCPv6 Pseudo-random interface ID Cryptographically generated ID 16
Extended Unique Identifier EUI-64 Therefore: ::1 – globally assigned EUI-64, but locally assigned MEUI-64 17
IPv6 Header Format 18
IPv4 Header Format 19
IPv6 Header Fixed length All optional/additional info is encoded in Extension Header(s) Is not protected by checksum Payload Length instead of Total Length “Time To Live” field is replaced by “Hop Limit” one to better reflect its functions 20
Extension Headers IPv6 header Hop-by-Hop options Destination options next header = next header = next header = Hop-by-Hop options Destination options Routing header Routing header Fragment header AH next header = next header = next header = Fragment header AH ESP header ESP header Destination header upper-layer PDU next header = next header = (TCP/UDP/ICMP/..) Destination options upper-layer PDU 21
Extension Headers Processing All EHs (except for Hop-by-Hop options) are processed by the destination node only! Packet is dropped if any extension header isn't recognised Recommended order of headers (except for Hop-by-Hop Option) Reserved next header value: 59, «no next header» 22
Options Headers Separating Hop-by-hop and Destination is useful: not all options are examined along a packet's delivery path encryption fragmentation Hop-by-Hop Options: for every nodes along a path Destination Options: for a packet's destination node(s) A variable number of variable-length options 23
TLV-encoding (Type-Length-Value) Type: identifier of type of option Two highest bits of Type: unrecognised option processing: 00 – skip over the option and continue 01 – discard the packet 10 – discard the packet and send ICMPv6 11 – discard the packet and send ICMPv6 only if destination isn't IPv6 multicast address Third highest-order bit of Type: whether (1) or not (0) Option Data can change en-route to the final destination Length: length of the Option Data, in octets 24
Fragment Header Offset: the offset, in 8-octet units, of the data following this header, relative to the start of the Fragmentable Part of the packet M flag: 1 – more fragments, 0 – last fragment 25
Control Protocol(s) ● IPv4 Control Protocols: ARP (for Ethernet) ICMP IGMP ● IPv6 Control Protocol: ICMPv6 (IPv6 Next Header value = 58) Must be fully implemented & supported! 26
ICMPv6 Type field: 0 – 127: error messages 128 – 255: informational messages Body includes the the start of the invoking packet! Must not be fragmented! Must not be originated in response to ICMPv6 error or redirect messages multicast/broadcast packets addresses (with some exceptions) 27
MULTIfunctions of MULTIcast IPv6 node MUST support multicast! Broadcast == «all nodes on this link» multicast group don't forget to enable IGMP snooping/GMRP on switches All nodes with “similar” addresses share the same solicited-node multicast address Solicited-node multicast address format: Globally-assigned prefix FF02::1:FF00:0:/104 low-order 24 bits of a node address Example: a node 2001:db8::1:20cd:f345:5432:51d8 joins the multicast group FF02::1:FF00:0:32:51d8 28
Neighbor Discovery (ND) ICMPv6 is used for ND messages Multicast is used (unlike ARP) To request the link-layer address: neighbor solicitation (NS) query To provide some info: neighbor advertisement (NA) Soliced flag: S=1 – in response to NS S=0 – «unsolicited» NA Information is stored in: neighbor cache (NC) destination cache (DC) Information exchange with upper-layer! 29
30
ND-proxy The target host or a ND-proxy could respond to NS query. Nodes should give preference to non-proxy NA Flag «O» (override) ND-proxy: O=0 (REACHABLE -> STALE) target host: O=1 (Neighbor Cache is updated) 31
ARP is Dead, Long Live ND! Much more than ARP (see Router Discovery and redirects) Reducing network load (multicast vs broadcast) Improving robustness of packet delivery Neighbor unreachability detection (incl. half-link failures detection) Notification from/to upper-layer! 32
Anycast ● ● The same “anycast” address is assigned to a group of interfaces (nodes) ● A packet sent to an anycast address is delivered to the “nearest” interface (node) having this address ● Allow to increase the service reliability ● Allocated from the unicast address space 33
IPv6 Node Configuration IPv6 address configuration: Interface ID manual auto (stateful or stateless) Network ID manual auto (stateful or stateless) pre-defined well-known prefix (link-local, FE80::/10) additional parameters (routes, e.g.) 34
Interface Autoconfiguration Modified EUI-64 constructed from MAC see next slides for some alternatives What about collisions? duplicate MAC addresses duplicate interface ID (manual configuration, e.g.) Neighbor Discovery locates the owner of given IP address Duplicate Address Detection (DAD) based on ND 35
Duplicate Address Detection 1. Node X is going to assign IP address A on its interface “I” 2. Interface “I” joins the multicast groups: 1. FF02::1 (“all nodes”) 2. FF02::1:FF00:0:A' (the solicited-node multicast address «all nodes with IP = A») 3. Is there any NS queries? (dst ip = FF02::1:FF00:0:A, src ip = ::) 4. X sends NS query (dst ip = FF02::1:FF00:0:A, src ip = ::) 5. Is there any NA (flag S = 0) sent to address FF02::1? 6. In case of events 3 or 5 - the address isn't unique! 7. Else – the address is unique Must be performed on all unicast addresses (except for anycast) 36
StateLess Address Auto Configuration (SLAAC) Link-local address is already here: well-know network ID modified EUI-64 as interface ID DAD to ensure uniqueness Ready to communicate with neighbors! What's next? other IPv6 network IDs (global, e.g.) default gateway(s) routing table Routers have this info already! 37
Your Router Is Your Neighbor! ● Neighbor Discovery (RFC4861) ● Routers join the “all routers” multicast group FF02::2 ● Cliens send a «Router Solicitation» query (RS) ● Routers send out «Router Advertisiment» messages (RA) – periodically – in response to the RS query 38
Router Advertisement bits 8 10 16 32 type = 134 code = 0 checksum hop limit M O reserved router lifetime reachable time retransmit timer options (variable length) Src IP = link-local, Dst IP = the source IP of the RS query or FF02::1 M,O flags: indicate that addresses (M) or other configuration info (O) is available via DHCPv6 Router lifetime (in seconds) – the lifetime associated with the default router (0 - the router isn't default router, shouldn't appear on the default router list) Reachable time (millisecs) – how long the neighbor is reachable after receiving a reachability confirmation (NC record goes from Reachable -> Stale then) Retransmit timer (millisecs) – the interval between retransmitted NS 39 messages
RA: possible options Additional configuration info: Prefixes prefix ID and length Lifetime usage: for stateless configuration or destination cache MTU Link-layer address of the interface from which RA is sent NB: Unmatched advertised parameters could lead to unstable network! 40
How to secure ND ND takes place on-link (between adjacent nodes) ND messages are not to be routed Routers decrement TTL (Hop Count) TTL < 255 may mean 'the packet was routed' (NB: «0 – 1=255»!!) Generalized TTL Security Mechanism (GTSM) (RFC5082) 41
How to secure ND (cont.) One of major threats: address spoofing attacks How to authenticate NA? Cryptography is our friend! Symmetric: key protection is an issue Asymmetric: key distribution is an issue. how to authenticate the peer? 42
Give me the place to stand, and I shall move the earth Neighbor IP address is already known! IP address can be used to authenticate the peer IP and public key are associated Public key is attached to ND message Public key is verified against IP address Cryptographically Generated Addresses (CGA, RFC3972) 43
Cryptographically Generated Address 1.A private/public key pair is generated for a node 2.Interface ID is calculated as an public key fingerprint 3.Subnet prefix and interface ID are concatenated 4.Duplicate Address Detection is performed (CGA is re- calculated if necessary – up to 3 times) 5.CGA parameter is formed: ● IPv6 address ● Public key ● Some additional parameters 6.DNS and other records are updated.. The random modifier allows to change the fingerprint (IP address) periodically 44
CGA Verification 1. The verifier know the sender IP address (CGA) 2. The verifier gets the sender public key from CGA parameter 3. The verifier checks the association between IPv6 CGA and the corresponding pubic key 4. After then, the digital signature of ND message is verified No PKI, CA or trusted servers is needed! SEcure Neihgbor Discovery (SEND, RFC3971) describes Neighbor Discovery threats and protection 45
SEND: SLAAC protection Router Advertisement IP address can be spoofed RA IP is unknown => GCA can not be used Routers ARE authorised to act as routers Routers MAY be authorised to advertise prefixes Routers are given certificates from a trust anchor The hosts are configured with trust anchor(s) 46
Big Brother is watching you! MAC addresses are globally unique (in most cases) SLAAC: Interface ID is derived from MAC Users are mobile (home – office – internet-cafe – business trips – travels – office - home..): network prefixes are changing interface ID remains constant over time! User can be identified and tracked! 47
Privacy Extensions for SLAAC Task: provide privacy for users Requirements: do not broke SLAAC Approach: change the interface ID over time Interface ID must be locally (on-link) unique Interface ID can be random Duplicate Address Detection ensures uniqueness In case of collision a new random address is generated 48
Default Address Selection There are a number of ways to assign IPv6 addresses Requirements may be conflicting: Corporate environment: easily identification of a node Internet-connectivity: privacy is an issue IPv6 nodes are multi-addressed usually (+link-local) What address to choose for communication? See RFC5220 «Problem Statement for Default Address Selection in Multi-Prefix Environments: Operational Issues of RFC 3484 Default Rules» 49
Fragmentation “Fragmentation considered harmful” Inefficient use of resources of hosts, routers and bandwidth Degraded performance due to loss of fragments Reassembly is difficult Why fragmentation? MTU mismatch along the packet path (!tunnels!) TCP/IP implementations Blocking PMTUD leads to packets disappearing into “black hole” 50
IPv6 Fragmentation By the source host only, not by routers along the packet's path! No “Don't Fragment” bit anymore Minimum MTU = 1280 bytes If a packet size > MTU, the packet is dropped, ICMPv6 is sent How to choose a packet's size: Always fragment to 1280 bytes (1232 bytes of payload) Use PMTUD, store MTU value in Destination Cache (DC) Applications can access IPv6 layer using API (Berkley sockets, e.g: see RFC3542) Socket Option Description IPV6_USE_MIN_MT U Disable PMTUD , use minimum MT U = 1280 bytes IPV6_PATHMT U Retrieve the c urrent MT U value for the s ocket IPV6_RECVPATHMT U Enable the r eceipt of the current MT U from recvfrom() IPV6_DO NTFRAG Disable the inserting of a fr agment header 51
IPv6 & DNS New Resource Record introduced: AAAA furry:~ furry$ dig www.kame.net aaaa www.kame.net. IN AAAA 2001:200::8002:203:47ff:fea5:3085 Reverse Delegation: the pseudo-domain ipv6.arpa Each label is a nibble (4 bits, one hex number) Example: PTR RR for an IPv6 address 2001:db8::20:219f:bd8c:17af f.a.7.1.c.8.d.b.f.9.2.1.0.2.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ipv6.arpa. PTR Don't forget to use $ORIGIN to simplify your DNS zone file! 52
Migration Dual-stack nodes (IPv6+IPv4) most workstations are IPv6-enabled Windows: prefers IPv6 in some cases uncontrolled connectivity is a security issue! Tunnels: connection of IPv6 domains via IPv4 clouds Address translations: interconnection between IPv6 and IPv4 domains 53
Tunnelling 6to4 – the most common IPv6 over IPv4 tunnelling protocol. Tunnel endpoints must have public IPv4 addresses Teredo – encapsulating IPv6 inside IPv4/UDP NAT-T is supported Globally unique IPv6 address is assigned to each endpoint Windows Vista: enabled, but not active by default (teredo.ipv6.microsoft.com) Can be a security issue!! 54
Tunnel brokers A service to provide encapsulated connectivity See RFC3053 “IPv6 Tunnel Broker” for details Extensive list can be found at: http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers 55
Address Translation: NAT64 http://tools.ietf.org/html/draft-bagnulo-behave-nat64-02 Packet headers are translated according to Stateless IP/ICMP Translation Algorithm (SIIT) IPv6 {address + port} is mapped into IPv4 {address + port} IPv4 addresses are mapped into IPv6 addresses as Pref64::IPv4 (Pref64 is an /96 IPv6 address pool) 56
Fragmentation & NAT64 IPv4 minimum MTU: 68 bytes IPv6 minimum MTU: 1280 bytes IPv4-node may originate ICMP “too big” with MTU < 1280 What IPv6-node can do? include a Fragment header or reduce the size of subsequent packets MTU>=1280 MTU= 1500 IPv4 cloud IPv6 cloud ICMP «too big» 57 MTU= 576 MTU= 576
IPv6 Advantages More efficient address space allocation End-to-end addressing; no NAT anymore! Fragmentation only by the source host Routers do not calculate header checksum (speedup!) Multicasting instead of broadcasting Built-in security mechanisms Single control protocol (ICMPv6) Auto-configuration Modular headers structure 58
Myths and Legends «How can I remember...» Use the Force (of DNS), Luke! Manual configuration: easy-readable addresses Use a compact notation (a lot of network prefixes to choose from) Just compare: furry:~ furry$ dig www.ipv6porn.co.nz aaaa www.ipv6porn.co.nz. 3324 IN AAAA 2002:3cea:4c32::1 (17 chars) www.ipv6porn.co.nz. 3324 IN AAAA 2001:388:f000::285 (18 chars) furry:~ furry$ dig www.ipv6porn.co.nz a www.ipv6porn.co.nz. 10000 IN A 60.234.76.50 (12 chars) 59
Myths and Legends «I don't want it, I don't need it...» IPv6 is already here! Spontaneous self-organised and uncontrolled IPv6 networks are security issues Better be pro-active rather than reactive IPv6 is becoming more popular: get ready to meet it! 60
? 61

Recomendados

IPv6 header
IPv6 headerIPv6 header
IPv6 headerHeba_a
 
I Pv6 Extension Headers
I Pv6 Extension HeadersI Pv6 Extension Headers
I Pv6 Extension HeadersRam Dutt Shukla
 
IPV6 Flow Labels
IPV6 Flow LabelsIPV6 Flow Labels
IPV6 Flow LabelsBinan AL Halabi
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetSwarup Hait
 
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...IOSR Journals
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetjulianlz
 
IPv6: Internet Protocol version 6
IPv6: Internet Protocol version 6IPv6: Internet Protocol version 6
IPv6: Internet Protocol version 6Ankita Mahajan
 
Internet Protocol version 6
Internet Protocol version 6Internet Protocol version 6
Internet Protocol version 6Rekha Yadav
 

Recomendados

IPv6 header
IPv6 headerIPv6 header
IPv6 headerHeba_a
 
I Pv6 Extension Headers
I Pv6 Extension HeadersI Pv6 Extension Headers
I Pv6 Extension HeadersRam Dutt Shukla
 
IPV6 Flow Labels
IPV6 Flow LabelsIPV6 Flow Labels
IPV6 Flow LabelsBinan AL Halabi
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetSwarup Hait
 
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...
Comparative study of IPv4 & IPv6 Point to Point Architecture on various OS pl...IOSR Journals
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetjulianlz
 
IPv6: Internet Protocol version 6
IPv6: Internet Protocol version 6IPv6: Internet Protocol version 6
IPv6: Internet Protocol version 6Ankita Mahajan
 
Internet Protocol version 6
Internet Protocol version 6Internet Protocol version 6
Internet Protocol version 6Rekha Yadav
 
IPv6
IPv6IPv6
IPv6edgarjgonzalezg
 
I pv4 format
I pv4 formatI pv4 format
I pv4 formatNitesh Singh
 
IPv6 - Neighbour Discovery
IPv6 - Neighbour DiscoveryIPv6 - Neighbour Discovery
IPv6 - Neighbour DiscoveryHeba_a
 
IPv6_Quick_Start_Guide
IPv6_Quick_Start_GuideIPv6_Quick_Start_Guide
IPv6_Quick_Start_GuideParthiban Nallathambi
 
Tlcm513 ipv6
Tlcm513 ipv6Tlcm513 ipv6
Tlcm513 ipv6CAL
 
Tuning 17 march
Tuning 17 marchTuning 17 march
Tuning 17 marchBinan AL Halabi
 
IPv4 to IPv6
IPv4 to IPv6IPv4 to IPv6
IPv4 to IPv6mithilak
 
Ip4 vs ip6
Ip4 vs ip6Ip4 vs ip6
Ip4 vs ip6Mani Singh
 
IPV6 Introduction
IPV6 Introduction IPV6 Introduction
IPV6 Introduction Heba_a
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheetbalamurugan N
 
IPv6 address
IPv6 addressIPv6 address
IPv6 addressPina Parmar
 
Internet protocol v6
Internet protocol v6Internet protocol v6
Internet protocol v6Pramith P
 
Ipv4 packet structure
Ipv4 packet structureIpv4 packet structure
Ipv4 packet structurevlsirajagopal
 
IPv6 Fundamentals
IPv6 FundamentalsIPv6 Fundamentals
IPv6 FundamentalsMatt Bynum
 
Internetworking - IP
Internetworking - IPInternetworking - IP
Internetworking - IPselvakumar_b1985
 
Comparison between ipv4 and ipv6
Comparison between ipv4 and ipv6Comparison between ipv4 and ipv6
Comparison between ipv4 and ipv6Dharmesh Patel
 
INTERNET PROTOCOL VERSION 6
INTERNET PROTOCOL VERSION 6INTERNET PROTOCOL VERSION 6
INTERNET PROTOCOL VERSION 6Chaitanya Ram
 
I pv6(internet protocol version 6)
I pv6(internet protocol version 6)I pv6(internet protocol version 6)
I pv6(internet protocol version 6)Subrata Kumer Paul
 
Why we need ipv6...
Why we need ipv6...Why we need ipv6...
Why we need ipv6...Adii Shah
 
Network Layer And I Pv6
Network Layer And I Pv6Network Layer And I Pv6
Network Layer And I Pv6Ram Dutt Shukla
 
Ch31
Ch31Ch31
Ch31tejindershami
 
IPv6
IPv6IPv6
IPv6Talal Alsubaie
 

Mais conteúdo relacionado

Mais procurados

IPv6 - Neighbour Discovery
IPv6 - Neighbour DiscoveryIPv6 - Neighbour Discovery
IPv6 - Neighbour DiscoveryHeba_a
 
Tlcm513 ipv6
Tlcm513 ipv6Tlcm513 ipv6
Tlcm513 ipv6CAL
 
IPv4 to IPv6
IPv4 to IPv6IPv4 to IPv6
IPv4 to IPv6mithilak
 
IPV6 Introduction
IPV6 Introduction IPV6 Introduction
IPV6 Introduction Heba_a
 
Internet protocol v6
Internet protocol v6Internet protocol v6
Internet protocol v6Pramith P
 
Ipv4 packet structure
Ipv4 packet structureIpv4 packet structure
Ipv4 packet structurevlsirajagopal
 
IPv6 Fundamentals
IPv6 FundamentalsIPv6 Fundamentals
IPv6 FundamentalsMatt Bynum
 
Comparison between ipv4 and ipv6
Comparison between ipv4 and ipv6Comparison between ipv4 and ipv6
Comparison between ipv4 and ipv6Dharmesh Patel
 
INTERNET PROTOCOL VERSION 6
INTERNET PROTOCOL VERSION 6INTERNET PROTOCOL VERSION 6
INTERNET PROTOCOL VERSION 6Chaitanya Ram
 
I pv6(internet protocol version 6)
I pv6(internet protocol version 6)I pv6(internet protocol version 6)
I pv6(internet protocol version 6)Subrata Kumer Paul
 
Why we need ipv6...
Why we need ipv6...Why we need ipv6...
Why we need ipv6...Adii Shah
 

Mais procurados (19)

IPv6
IPv6IPv6
IPv6
 
I pv4 format
I pv4 formatI pv4 format
I pv4 format
 
IPv6 - Neighbour Discovery
IPv6 - Neighbour DiscoveryIPv6 - Neighbour Discovery
IPv6 - Neighbour Discovery
 
IPv6_Quick_Start_Guide
IPv6_Quick_Start_GuideIPv6_Quick_Start_Guide
IPv6_Quick_Start_Guide
 
Tlcm513 ipv6
Tlcm513 ipv6Tlcm513 ipv6
Tlcm513 ipv6
 
Tuning 17 march
Tuning 17 marchTuning 17 march
Tuning 17 march
 
IPv4 to IPv6
IPv4 to IPv6IPv4 to IPv6
IPv4 to IPv6
 
Ip4 vs ip6
Ip4 vs ip6Ip4 vs ip6
Ip4 vs ip6
 
IPV6 Introduction
IPV6 Introduction IPV6 Introduction
IPV6 Introduction
 
Ipv6 cheat sheet
Ipv6 cheat sheetIpv6 cheat sheet
Ipv6 cheat sheet
 
IPv6 address
IPv6 addressIPv6 address
IPv6 address
 
Internet protocol v6
Internet protocol v6Internet protocol v6
Internet protocol v6
 
Ipv4 packet structure
Ipv4 packet structureIpv4 packet structure
Ipv4 packet structure
 
IPv6 Fundamentals
IPv6 FundamentalsIPv6 Fundamentals
IPv6 Fundamentals
 
Internetworking - IP
Internetworking - IPInternetworking - IP
Internetworking - IP
 
Comparison between ipv4 and ipv6
Comparison between ipv4 and ipv6Comparison between ipv4 and ipv6
Comparison between ipv4 and ipv6
 
INTERNET PROTOCOL VERSION 6
INTERNET PROTOCOL VERSION 6INTERNET PROTOCOL VERSION 6
INTERNET PROTOCOL VERSION 6
 
I pv6(internet protocol version 6)
I pv6(internet protocol version 6)I pv6(internet protocol version 6)
I pv6(internet protocol version 6)
 
Why we need ipv6...
Why we need ipv6...Why we need ipv6...
Why we need ipv6...
 

Destaque

Introduction to ipv6 v1.3
Introduction to ipv6 v1.3Introduction to ipv6 v1.3
Introduction to ipv6 v1.3Karunakant Rai
 
ipv6 introduction & environment buildup
ipv6 introduction & environment buildupipv6 introduction & environment buildup
ipv6 introduction & environment builduppsychesnet Hsieh
 
software engineering notes for cse/it fifth semester
software engineering notes for cse/it fifth semestersoftware engineering notes for cse/it fifth semester
software engineering notes for cse/it fifth semesterrajesh199155
 

Destaque (7)

Network Layer And I Pv6
Network Layer And I Pv6Network Layer And I Pv6
Network Layer And I Pv6
 
Ch31
Ch31Ch31
Ch31
 
IPv6
IPv6IPv6
IPv6
 
IPv6 Overview
IPv6 OverviewIPv6 Overview
IPv6 Overview
 
Introduction to ipv6 v1.3
Introduction to ipv6 v1.3Introduction to ipv6 v1.3
Introduction to ipv6 v1.3
 
ipv6 introduction & environment buildup
ipv6 introduction & environment buildupipv6 introduction & environment buildup
ipv6 introduction & environment buildup
 
software engineering notes for cse/it fifth semester
software engineering notes for cse/it fifth semestersoftware engineering notes for cse/it fifth semester
software engineering notes for cse/it fifth semester
 

Semelhante a Ipv6 1-091110143246-phpapp01

ipv6_cheat_sheet.pdf
ipv6_cheat_sheet.pdfipv6_cheat_sheet.pdf
ipv6_cheat_sheet.pdfpradeeppotter
 
IPv6 Addressing Architecture
IPv6 Addressing ArchitectureIPv6 Addressing Architecture
IPv6 Addressing ArchitectureShreehari Dhat
 
IETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast Addresses
IETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast AddressesIETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast Addresses
IETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast AddressesMark Smith
 
Computer network (12)
Computer network (12)Computer network (12)
Computer network (12)NYversity
 
Fedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsFedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsTim Martin
 
Networking essentials lect2
Networking essentials lect2Networking essentials lect2
Networking essentials lect2Roman Brovko
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developersWim Godden
 
Deploy ipv6 multicast_v0_1
Deploy ipv6 multicast_v0_1Deploy ipv6 multicast_v0_1
Deploy ipv6 multicast_v0_1Nguyen Thanh
 
Вопросы балансировки трафика
Вопросы балансировки трафикаВопросы балансировки трафика
Вопросы балансировки трафикаSkillFactory
 
Cisco presentation2
Cisco presentation2Cisco presentation2
Cisco presentation2ehsan nazer
 
IPv6 The Big Move
IPv6 The Big MoveIPv6 The Big Move
IPv6 The Big Movefrenildand
 
Lesson 3: IPv6 Fundamentals
Lesson 3: IPv6 FundamentalsLesson 3: IPv6 Fundamentals
Lesson 3: IPv6 FundamentalsMahmmoud Mahdi
 

Semelhante a Ipv6 1-091110143246-phpapp01 (20)

ipv6_cheat_sheet.pdf
ipv6_cheat_sheet.pdfipv6_cheat_sheet.pdf
ipv6_cheat_sheet.pdf
 
IPv6 Addressing Architecture
IPv6 Addressing ArchitectureIPv6 Addressing Architecture
IPv6 Addressing Architecture
 
I pv6
I pv6I pv6
I pv6
 
I pv6
I pv6I pv6
I pv6
 
I pv6
I pv6I pv6
I pv6
 
IETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast Addresses
IETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast AddressesIETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast Addresses
IETF 106 - IPv6 Formal Anycast Addresses and Functional Anycast Addresses
 
Ipv6up
Ipv6upIpv6up
Ipv6up
 
Computer network (12)
Computer network (12)Computer network (12)
Computer network (12)
 
Fedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friendsFedv6tf-IPv6-new-friends
Fedv6tf-IPv6-new-friends
 
IPv4.pdf
IPv4.pdfIPv4.pdf
IPv4.pdf
 
Ippptspk 3
Ippptspk 3Ippptspk 3
Ippptspk 3
 
Networking essentials lect2
Networking essentials lect2Networking essentials lect2
Networking essentials lect2
 
IPv6
IPv6IPv6
IPv6
 
Your app lives on the network - networking for web developers
Your app lives on the network - networking for web developersYour app lives on the network - networking for web developers
Your app lives on the network - networking for web developers
 
Deploy ipv6 multicast_v0_1
Deploy ipv6 multicast_v0_1Deploy ipv6 multicast_v0_1
Deploy ipv6 multicast_v0_1
 
Вопросы балансировки трафика
Вопросы балансировки трафикаВопросы балансировки трафика
Вопросы балансировки трафика
 
Cisco presentation2
Cisco presentation2Cisco presentation2
Cisco presentation2
 
IPv6 The Big Move
IPv6 The Big MoveIPv6 The Big Move
IPv6 The Big Move
 
Ipv6 Alp
Ipv6 AlpIpv6 Alp
Ipv6 Alp
 
Lesson 3: IPv6 Fundamentals
Lesson 3: IPv6 FundamentalsLesson 3: IPv6 Fundamentals
Lesson 3: IPv6 Fundamentals
 

Último

Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxlancelewisportillo
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Seán Kennedy
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17Celine George
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxiammrhaywood
 
EMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docxEMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docxElton John Embodo
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptshraddhaparab530
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parentsnavabharathschool99
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONHumphrey A Beña
 
Presentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxPresentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxRosabel UA
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPCeline George
 
The Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World PoliticsThe Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World PoliticsRommel Regala
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationRosabel UA
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfVanessa Camilleri
 
TEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docxTEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docxruthvilladarez
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxAnupkumar Sharma
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designMIPLM
 

Último (20)

Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptxQ4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
Q4-PPT-Music9_Lesson-1-Romantic-Opera.pptx
 
Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...Student Profile Sample - We help schools to connect the data they have, with ...
Student Profile Sample - We help schools to connect the data they have, with ...
 
How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17How to Add Barcode on PDF Report in Odoo 17
How to Add Barcode on PDF Report in Odoo 17
 
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptxAUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
AUDIENCE THEORY -CULTIVATION THEORY - GERBNER.pptx
 
Paradigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTAParadigm shift in nursing research by RS MEHTA
Paradigm shift in nursing research by RS MEHTA
 
EMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docxEMBODO Lesson Plan Grade 9 Law of Sines.docx
EMBODO Lesson Plan Grade 9 Law of Sines.docx
 
Integumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.pptIntegumentary System SMP B. Pharm Sem I.ppt
Integumentary System SMP B. Pharm Sem I.ppt
 
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptxYOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
YOUVE GOT EMAIL_FINALS_EL_DORADO_2024.pptx
 
Choosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for ParentsChoosing the Right CBSE School A Comprehensive Guide for Parents
Choosing the Right CBSE School A Comprehensive Guide for Parents
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Presentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptxPresentation Activity 2. Unit 3 transv.pptx
Presentation Activity 2. Unit 3 transv.pptx
 
How to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERPHow to do quick user assign in kanban in Odoo 17 ERP
How to do quick user assign in kanban in Odoo 17 ERP
 
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptxYOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
YOUVE_GOT_EMAIL_PRELIMS_EL_DORADO_2024.pptx
 
The Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World PoliticsThe Contemporary World: The Globalization of World Politics
The Contemporary World: The Globalization of World Politics
 
Activity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translationActivity 2-unit 2-update 2024. English translation
Activity 2-unit 2-update 2024. English translation
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptxLEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
LEFT_ON_C'N_ PRELIMS_EL_DORADO_2024.pptx
 
TEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docxTEACHER REFLECTION FORM (NEW SET........).docx
TEACHER REFLECTION FORM (NEW SET........).docx
 
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptxMULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
MULTIDISCIPLINRY NATURE OF THE ENVIRONMENTAL STUDIES.pptx
 
Keynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-designKeynote by Prof. Wurzer at Nordex about IP-design
Keynote by Prof. Wurzer at Nordex about IP-design
 

Ipv6 1-091110143246-phpapp01

  • 1. IPv6 What, Why, How Jen Linkova aka Furry furry – at -openwall.com Openwall, Inc http://www.openwall.com Revision 1.0
  • 2. IPv4 Address Distibution 32-bit number 4 294 967 296 addresses 256 /8 network blocks IPv4 address distibution IETF Reserved 35 IANA Pool 38 Allocated 18 Assigned 51 Advertised 114 0 20 40 60 80 100 120 /8 blocks 2
  • 3. Lies, Damned Lies, Statistics 3 Source: «IPv4 Address Report», http://www.potaroo.net/tools/ipv4/
  • 4. You have two choices: spend less... Address allocation policy for LIR (/19, /20, /21...) Address translation (NAT, NAPT): breaks end2end model affects protocols/applications provides a false sense of security See also: RFC 2775 «Internet Transparency» RFC 3027 «Protocol Complication with the IP Network Address Translator» RFC 2993 «Architectural Implications of NAT» Internet-Draft «Security implication of Network Address Translators» 4
  • 5. ...or earn more! ;-) IPv6 address: 340 282 366 920 938 463 463 374 607 431 768 211 456 total addresses 2^64 nodes per subnet fixed subnet size 5
  • 6. Is it still enough? Assume...: RIRs request new block every 18 month Then... The block currently assigned by IETF (1/8TH IPv6 space) is about to run out by 2158 More than 5/8TH IPv6 address space will be still available (NB: 000/3 and 111/3 prefixes are reserved for special use) Source: David Conrad, General Manager, IANA, 2007 http://www.iana.org/about/presentations/conrad-buenosaires-citel-060913.pdf 6
  • 7. IPv6 Address Format X:X:X:X:X:X:X:X where X = 0000 ... FFFF (hex) 2001:0DB8:0000:0000:0008:8000:0000:417A 2001:DB8:0:0:8:8000:0:417A 2001:DB8::8:8000:0:417A 2001:DB8:0:0:8:8000::417A 2001:db8::8:8000:417A 7
  • 8. Examples loopback address 0:0:0:0:0:0:0:1 or ::1 unspecified address 0:0:0:0:0:0:0:0 or :: special exception: IPv4-mapped 0:0:0:0:0:FFFF:192.0.2.1 ::FFFF:192.0.2.1 ● 8
  • 10. IPv6 Address Types Address Type Binary Prefix Prefix unspecified 000...0 (128 bits) ::/128 loopback 0000...01 (128 bits) ::1/128 link-local unicast 1111 1110 10 FE80::/10 multicast 1111 1111 FF00::/8 Global unicast all other addresses 10
  • 11. Link-local Addresses FE80::/10 prefix Analogous to IPv4 169.254.0.0/16 Automatically assigned to an interface Valid in the scope of the given link! Not to be routed! To be used for auto-address configuration neighbour discovery 11
  • 12. Multicast Addresses 8 bits 4 bits 4 bits 8 bits 8 bits 64 bits 32 bits 1111 1111 0RPT scope reserved plen net prefix group id flags T=0 – permanently-assigned (“well-known”) address, T=1 – non-permanently-assigned (“transient”) Scope 1 – node-local 2 – link-local 5 – site-local 14 – global (Internet) Group ID identififes the mulicast group within the given scope. For example: 1 – all nodes (scope = 1,2) 2 – all routers (scope = 1,2,5) 101 – all NTP servers Examples: FF02::101 – all NTP-servers on the same link as a sender FF02::2 – all routers on the same link as a sender 12 FF05::101 – all NTP-servers on the same site as a sender ●
  • 13. Global Unicast Address Type Binary prefix Prefix unspecified 000...0 (128 bits) ::/128 loopback 0000...01 (128 bits) ::1/128 000...01111111111111111(96 Ipv4-mapped bits) ::FFFF/96 ULA 1111 110 FC00::/7 Assigned to RIRs 001 2000::/3 Global unicast all other addresses 13
  • 14. Unique Local Unicast Addresses (ULA) FC00::/7 prefix (RFC4193) For local communications (site or limited set of sites) High probability of uniqueness Not expected to be routable on Internet Well-know prefixes => Easy filtering If leaked outside – no conflicts with other addresses 14
  • 15. ULA Address Format L = 1 the prefix is locally assigned L = 0 for future use Global ID a globally unique prefix identifier Subnet ID the identifier of a subnet within a site Pseudo-Random Global ID Algorithm: 1) Obtain the current time of day in 64-bit NTP format 2) Obtain EUI-64 identifier (from MAC for example) or any suitably unique ID 3) Concatenate the time (1) with the system ID (2) 4) Compute SHA-1 digest of (3) and use the least significant 40 bits as 15 Global ID
  • 16. Interface Identifier How to configure Manual configuration Autoconfiguration (EUI-64-based interface ID) DHCPv6 Pseudo-random interface ID Cryptographically generated ID 16
  • 17. Extended Unique Identifier EUI-64 Therefore: ::1 – globally assigned EUI-64, but locally assigned MEUI-64 17
  • 20. IPv6 Header Fixed length All optional/additional info is encoded in Extension Header(s) Is not protected by checksum Payload Length instead of Total Length “Time To Live” field is replaced by “Hop Limit” one to better reflect its functions 20
  • 21. Extension Headers IPv6 header Hop-by-Hop options Destination options next header = next header = next header = Hop-by-Hop options Destination options Routing header Routing header Fragment header AH next header = next header = next header = Fragment header AH ESP header ESP header Destination header upper-layer PDU next header = next header = (TCP/UDP/ICMP/..) Destination options upper-layer PDU 21
  • 22. Extension Headers Processing All EHs (except for Hop-by-Hop options) are processed by the destination node only! Packet is dropped if any extension header isn't recognised Recommended order of headers (except for Hop-by-Hop Option) Reserved next header value: 59, «no next header» 22
  • 23. Options Headers Separating Hop-by-hop and Destination is useful: not all options are examined along a packet's delivery path encryption fragmentation Hop-by-Hop Options: for every nodes along a path Destination Options: for a packet's destination node(s) A variable number of variable-length options 23
  • 24. TLV-encoding (Type-Length-Value) Type: identifier of type of option Two highest bits of Type: unrecognised option processing: 00 – skip over the option and continue 01 – discard the packet 10 – discard the packet and send ICMPv6 11 – discard the packet and send ICMPv6 only if destination isn't IPv6 multicast address Third highest-order bit of Type: whether (1) or not (0) Option Data can change en-route to the final destination Length: length of the Option Data, in octets 24
  • 25. Fragment Header Offset: the offset, in 8-octet units, of the data following this header, relative to the start of the Fragmentable Part of the packet M flag: 1 – more fragments, 0 – last fragment 25
  • 26. Control Protocol(s) ● IPv4 Control Protocols: ARP (for Ethernet) ICMP IGMP ● IPv6 Control Protocol: ICMPv6 (IPv6 Next Header value = 58) Must be fully implemented & supported! 26
  • 27. ICMPv6 Type field: 0 – 127: error messages 128 – 255: informational messages Body includes the the start of the invoking packet! Must not be fragmented! Must not be originated in response to ICMPv6 error or redirect messages multicast/broadcast packets addresses (with some exceptions) 27
  • 28. MULTIfunctions of MULTIcast IPv6 node MUST support multicast! Broadcast == «all nodes on this link» multicast group don't forget to enable IGMP snooping/GMRP on switches All nodes with “similar” addresses share the same solicited-node multicast address Solicited-node multicast address format: Globally-assigned prefix FF02::1:FF00:0:/104 low-order 24 bits of a node address Example: a node 2001:db8::1:20cd:f345:5432:51d8 joins the multicast group FF02::1:FF00:0:32:51d8 28
  • 29. Neighbor Discovery (ND) ICMPv6 is used for ND messages Multicast is used (unlike ARP) To request the link-layer address: neighbor solicitation (NS) query To provide some info: neighbor advertisement (NA) Soliced flag: S=1 – in response to NS S=0 – «unsolicited» NA Information is stored in: neighbor cache (NC) destination cache (DC) Information exchange with upper-layer! 29
  • 30. 30
  • 31. ND-proxy The target host or a ND-proxy could respond to NS query. Nodes should give preference to non-proxy NA Flag «O» (override) ND-proxy: O=0 (REACHABLE -> STALE) target host: O=1 (Neighbor Cache is updated) 31
  • 32. ARP is Dead, Long Live ND! Much more than ARP (see Router Discovery and redirects) Reducing network load (multicast vs broadcast) Improving robustness of packet delivery Neighbor unreachability detection (incl. half-link failures detection) Notification from/to upper-layer! 32
  • 33. Anycast ● ● The same “anycast” address is assigned to a group of interfaces (nodes) ● A packet sent to an anycast address is delivered to the “nearest” interface (node) having this address ● Allow to increase the service reliability ● Allocated from the unicast address space 33
  • 34. IPv6 Node Configuration IPv6 address configuration: Interface ID manual auto (stateful or stateless) Network ID manual auto (stateful or stateless) pre-defined well-known prefix (link-local, FE80::/10) additional parameters (routes, e.g.) 34
  • 35. Interface Autoconfiguration Modified EUI-64 constructed from MAC see next slides for some alternatives What about collisions? duplicate MAC addresses duplicate interface ID (manual configuration, e.g.) Neighbor Discovery locates the owner of given IP address Duplicate Address Detection (DAD) based on ND 35
  • 36. Duplicate Address Detection 1. Node X is going to assign IP address A on its interface “I” 2. Interface “I” joins the multicast groups: 1. FF02::1 (“all nodes”) 2. FF02::1:FF00:0:A' (the solicited-node multicast address «all nodes with IP = A») 3. Is there any NS queries? (dst ip = FF02::1:FF00:0:A, src ip = ::) 4. X sends NS query (dst ip = FF02::1:FF00:0:A, src ip = ::) 5. Is there any NA (flag S = 0) sent to address FF02::1? 6. In case of events 3 or 5 - the address isn't unique! 7. Else – the address is unique Must be performed on all unicast addresses (except for anycast) 36
  • 37. StateLess Address Auto Configuration (SLAAC) Link-local address is already here: well-know network ID modified EUI-64 as interface ID DAD to ensure uniqueness Ready to communicate with neighbors! What's next? other IPv6 network IDs (global, e.g.) default gateway(s) routing table Routers have this info already! 37
  • 38. Your Router Is Your Neighbor! ● Neighbor Discovery (RFC4861) ● Routers join the “all routers” multicast group FF02::2 ● Cliens send a «Router Solicitation» query (RS) ● Routers send out «Router Advertisiment» messages (RA) – periodically – in response to the RS query 38
  • 39. Router Advertisement bits 8 10 16 32 type = 134 code = 0 checksum hop limit M O reserved router lifetime reachable time retransmit timer options (variable length) Src IP = link-local, Dst IP = the source IP of the RS query or FF02::1 M,O flags: indicate that addresses (M) or other configuration info (O) is available via DHCPv6 Router lifetime (in seconds) – the lifetime associated with the default router (0 - the router isn't default router, shouldn't appear on the default router list) Reachable time (millisecs) – how long the neighbor is reachable after receiving a reachability confirmation (NC record goes from Reachable -> Stale then) Retransmit timer (millisecs) – the interval between retransmitted NS 39 messages
  • 40. RA: possible options Additional configuration info: Prefixes prefix ID and length Lifetime usage: for stateless configuration or destination cache MTU Link-layer address of the interface from which RA is sent NB: Unmatched advertised parameters could lead to unstable network! 40
  • 41. How to secure ND ND takes place on-link (between adjacent nodes) ND messages are not to be routed Routers decrement TTL (Hop Count) TTL < 255 may mean 'the packet was routed' (NB: «0 – 1=255»!!) Generalized TTL Security Mechanism (GTSM) (RFC5082) 41
  • 42. How to secure ND (cont.) One of major threats: address spoofing attacks How to authenticate NA? Cryptography is our friend! Symmetric: key protection is an issue Asymmetric: key distribution is an issue. how to authenticate the peer? 42
  • 43. Give me the place to stand, and I shall move the earth Neighbor IP address is already known! IP address can be used to authenticate the peer IP and public key are associated Public key is attached to ND message Public key is verified against IP address Cryptographically Generated Addresses (CGA, RFC3972) 43
  • 44. Cryptographically Generated Address 1.A private/public key pair is generated for a node 2.Interface ID is calculated as an public key fingerprint 3.Subnet prefix and interface ID are concatenated 4.Duplicate Address Detection is performed (CGA is re- calculated if necessary – up to 3 times) 5.CGA parameter is formed: ● IPv6 address ● Public key ● Some additional parameters 6.DNS and other records are updated.. The random modifier allows to change the fingerprint (IP address) periodically 44
  • 45. CGA Verification 1. The verifier know the sender IP address (CGA) 2. The verifier gets the sender public key from CGA parameter 3. The verifier checks the association between IPv6 CGA and the corresponding pubic key 4. After then, the digital signature of ND message is verified No PKI, CA or trusted servers is needed! SEcure Neihgbor Discovery (SEND, RFC3971) describes Neighbor Discovery threats and protection 45
  • 46. SEND: SLAAC protection Router Advertisement IP address can be spoofed RA IP is unknown => GCA can not be used Routers ARE authorised to act as routers Routers MAY be authorised to advertise prefixes Routers are given certificates from a trust anchor The hosts are configured with trust anchor(s) 46
  • 47. Big Brother is watching you! MAC addresses are globally unique (in most cases) SLAAC: Interface ID is derived from MAC Users are mobile (home – office – internet-cafe – business trips – travels – office - home..): network prefixes are changing interface ID remains constant over time! User can be identified and tracked! 47
  • 48. Privacy Extensions for SLAAC Task: provide privacy for users Requirements: do not broke SLAAC Approach: change the interface ID over time Interface ID must be locally (on-link) unique Interface ID can be random Duplicate Address Detection ensures uniqueness In case of collision a new random address is generated 48
  • 49. Default Address Selection There are a number of ways to assign IPv6 addresses Requirements may be conflicting: Corporate environment: easily identification of a node Internet-connectivity: privacy is an issue IPv6 nodes are multi-addressed usually (+link-local) What address to choose for communication? See RFC5220 «Problem Statement for Default Address Selection in Multi-Prefix Environments: Operational Issues of RFC 3484 Default Rules» 49
  • 50. Fragmentation “Fragmentation considered harmful” Inefficient use of resources of hosts, routers and bandwidth Degraded performance due to loss of fragments Reassembly is difficult Why fragmentation? MTU mismatch along the packet path (!tunnels!) TCP/IP implementations Blocking PMTUD leads to packets disappearing into “black hole” 50
  • 51. IPv6 Fragmentation By the source host only, not by routers along the packet's path! No “Don't Fragment” bit anymore Minimum MTU = 1280 bytes If a packet size > MTU, the packet is dropped, ICMPv6 is sent How to choose a packet's size: Always fragment to 1280 bytes (1232 bytes of payload) Use PMTUD, store MTU value in Destination Cache (DC) Applications can access IPv6 layer using API (Berkley sockets, e.g: see RFC3542) Socket Option Description IPV6_USE_MIN_MT U Disable PMTUD , use minimum MT U = 1280 bytes IPV6_PATHMT U Retrieve the c urrent MT U value for the s ocket IPV6_RECVPATHMT U Enable the r eceipt of the current MT U from recvfrom() IPV6_DO NTFRAG Disable the inserting of a fr agment header 51
  • 52. IPv6 & DNS New Resource Record introduced: AAAA furry:~ furry$ dig www.kame.net aaaa www.kame.net. IN AAAA 2001:200::8002:203:47ff:fea5:3085 Reverse Delegation: the pseudo-domain ipv6.arpa Each label is a nibble (4 bits, one hex number) Example: PTR RR for an IPv6 address 2001:db8::20:219f:bd8c:17af f.a.7.1.c.8.d.b.f.9.2.1.0.2.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ipv6.arpa. PTR Don't forget to use $ORIGIN to simplify your DNS zone file! 52
  • 53. Migration Dual-stack nodes (IPv6+IPv4) most workstations are IPv6-enabled Windows: prefers IPv6 in some cases uncontrolled connectivity is a security issue! Tunnels: connection of IPv6 domains via IPv4 clouds Address translations: interconnection between IPv6 and IPv4 domains 53
  • 54. Tunnelling 6to4 – the most common IPv6 over IPv4 tunnelling protocol. Tunnel endpoints must have public IPv4 addresses Teredo – encapsulating IPv6 inside IPv4/UDP NAT-T is supported Globally unique IPv6 address is assigned to each endpoint Windows Vista: enabled, but not active by default (teredo.ipv6.microsoft.com) Can be a security issue!! 54
  • 55. Tunnel brokers A service to provide encapsulated connectivity See RFC3053 “IPv6 Tunnel Broker” for details Extensive list can be found at: http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers 55
  • 56. Address Translation: NAT64 http://tools.ietf.org/html/draft-bagnulo-behave-nat64-02 Packet headers are translated according to Stateless IP/ICMP Translation Algorithm (SIIT) IPv6 {address + port} is mapped into IPv4 {address + port} IPv4 addresses are mapped into IPv6 addresses as Pref64::IPv4 (Pref64 is an /96 IPv6 address pool) 56
  • 57. Fragmentation & NAT64 IPv4 minimum MTU: 68 bytes IPv6 minimum MTU: 1280 bytes IPv4-node may originate ICMP “too big” with MTU < 1280 What IPv6-node can do? include a Fragment header or reduce the size of subsequent packets MTU>=1280 MTU= 1500 IPv4 cloud IPv6 cloud ICMP «too big» 57 MTU= 576 MTU= 576
  • 58. IPv6 Advantages More efficient address space allocation End-to-end addressing; no NAT anymore! Fragmentation only by the source host Routers do not calculate header checksum (speedup!) Multicasting instead of broadcasting Built-in security mechanisms Single control protocol (ICMPv6) Auto-configuration Modular headers structure 58
  • 59. Myths and Legends «How can I remember...» Use the Force (of DNS), Luke! Manual configuration: easy-readable addresses Use a compact notation (a lot of network prefixes to choose from) Just compare: furry:~ furry$ dig www.ipv6porn.co.nz aaaa www.ipv6porn.co.nz. 3324 IN AAAA 2002:3cea:4c32::1 (17 chars) www.ipv6porn.co.nz. 3324 IN AAAA 2001:388:f000::285 (18 chars) furry:~ furry$ dig www.ipv6porn.co.nz a www.ipv6porn.co.nz. 10000 IN A 60.234.76.50 (12 chars) 59
  • 60. Myths and Legends «I don't want it, I don't need it...» IPv6 is already here! Spontaneous self-organised and uncontrolled IPv6 networks are security issues Better be pro-active rather than reactive IPv6 is becoming more popular: get ready to meet it! 60
  • 61. ? 61