2. IPv6 - Internet Protocol ver. 6
1) Yes, there were IPv1/v2/v3 (pre-TCP: “We are screwing up in our design of internet protocols by violating the principle of layering.”)
2) Yes, there was even an IPv5 (developed for streaming) as well
3. Agenda
● Why?
● IPv6: basics
● IPv6 address on the interface
● Transition methods
● Codilime story
● IPv6 and hardware
● Who is using?
● Q & A
4. Why?
Year 1981 declarations:
● "640KB ought to be enough for anybody."
● 2^32 IP address space (however):
○ 12.0.0.0/8 AT&T Services
○ 16.0.0.0/8 Hewlett-Packard Company
○ 17.0.0.0/8 Apple Inc.
○ 12 x X.0.0.0/8 US Department of Defense
○ etc. (there are at least 40 x /8 allocated ~15% of IPv4 address space)
6. Why?
Year 2018
● APNIC - On 15 April 2011, the APNIC pool reached the last /8 of available IPv4 addresses, triggering the “Final /8 policy”. Each LIR (Local Internet Registry) is to receive only one small block (a /22), and APNIC regularly receives returned IPv4 resources when LIRs close.
● RIPE NCC - On 14 September 2012, the RIPE NCC began to allocate IPv4 address space from the last /8 of IPv4 address space. RIPE NCC members can request a one-time /22 allocation (1,024 IPv4 addresses). No new IPv4 Provider Independent (PI) space will be assigned.
● LACNIC - From 15 February 2017 only assignments from the equivalent of a /22 to a /24 may be made from this pool. Each new member may only receive one initial assignment from this space.
● ARIN - On 24 September 2015, ARIN issued the final IPv4 addresses in its free pool. ARIN will continue to process and approve requests for IPv4 address blocks. Those approved requests may be fulfilled via the Wait List for Unmet IPv4 Requests, or through the IPv4 Transfer Market.
● AFRINIC - AFRINIC has IPv4 address space available in its free pool. It can assign IPv4 address space to its members according to justified need as documented in the current policy.
7. Why?
IPv4 advertised prefixes (chart by https://bgp.potaroo.net/)
BGP - FIB size:
● each prefix segmentation consumes FIB memory
● convergence time matters
● old equipment (Cisco 6500/7600 were limited to 512K entries)
● it will only get worse
8. IPv6: basics
Since 1998 till now:
● described in RFC 2460 (year 1998)
● 2^128 address space (128-bit addresses)
● NOT backwards compatible w/ IPv4
● every (well, almost) IPv6 address is a public one
● transparent support in DNS (AAAA)
IPv6 advertised prefixes (chart by https://bgp.potaroo.net/)
9. Main differences
IPv4:
● 32 bit address space
● min. packet size: 576B
● can be fragmented in transit
● IP header size varies from 20B (IHL field)
● NAT on a daily basis
● broadcast & multicast
● ARPs
IPv6:
● 128 bit address space
● min. packet size: 1280B
● only the sender does fragmentation
● fixed header size 40B (optional ext. headers)
● no NAT by design (w/ exceptions)
● no broadcast (just multicast)
● ARPs replaced by ICMPv6
IPv4/IPv6 by Cisco
10. Making IPv6 address shorter
● we drop leading 0’s in each 16-bit group
● we collapse one run of all-zero groups into ::
Example A:
1. 2001:0db8:0000:0000:0000:ff00:0042:8329
2. 2001:db8:0:0:0:ff00:42:8329
3. 2001:db8::ff00:42:8329
Example B (loopback, like 127.0.0.1):
1. 0000:0000:0000:0000:0000:0000:0000:0001
2. ::1
Facebook IPv6:
2a03:2880:f003:c07:face:b00c::2
IPv6/IPv4 notation (IPv4 address embedded in the low 32 bits):
64:ff9b::c000:0201
same as:
64:ff9b::[c0.0.2.1]
64:ff9b::[192.0.2.1]
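The two shortening rules and the 64:ff9b:: embedding above (the same embedding the NAT64 slide relies on later), as an added example that is not part of the deck; it is hand-rolled rather than using Python’s ipaddress module so the rules stay visible, and the function names are mine.

```python
# Added example (not from the slides): hand-rolled expansion and RFC 5952
# compression of IPv6 text, plus embedding an IPv4 address in the
# 64:ff9b::/96 NAT64 prefix. One address has many spellings, so ACL entries
# and log searches should compare canonical forms, not raw strings.

def expand(addr: str) -> list:
    """Return the eight 16-bit groups of an IPv6 address in any spelling."""
    if addr.count("::") > 1:
        raise ValueError("at most one '::' is allowed")
    if "::" in addr:
        left, right = addr.split("::")
        head = [int(g, 16) for g in left.split(":") if g]
        tail = [int(g, 16) for g in right.split(":") if g]
        groups = head + [0] * (8 - len(head) - len(tail)) + tail
    else:
        groups = [int(g, 16) for g in addr.split(":")]
    if len(groups) != 8 or any(not 0 <= g <= 0xFFFF for g in groups):
        raise ValueError(f"malformed IPv6 address: {addr!r}")
    return groups

def compress(groups: list) -> str:
    """Canonical text (RFC 5952): lowercase hex, no leading zeros, and the
    longest run of two or more zero groups (the first on a tie) becomes '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j if j > i else i + 1
    hexs = [f"{g:x}" for g in groups]
    if best_len < 2:  # a lone zero group is written as "0", never as "::"
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])

def canonical(addr: str) -> str:
    return compress(expand(addr))

def nat64_embed(ipv4: str, prefix: str = "64:ff9b::") -> str:
    """Place an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    a, b, c, d = (int(o) for o in ipv4.split("."))
    groups = expand(prefix)
    groups[6], groups[7] = (a << 8) | b, (c << 8) | d
    return compress(groups)
```

Note that the Facebook address as spelled on the slide is not the RFC 5952 canonical form: a single zero group must be written as 0, so canonical() returns 2a03:2880:f003:c07:face:b00c:0:2.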
11. Main address ranges in IPv6
1. fe80::/10 – link-local unicast addressing. Unique IPv6 address on one L2 segment (similar to 169.254.X.X)
2. ::1/128 – IPv6 loopback (127.0.0.1)
3. fc00::/7 – unique local addresses (ULA) (RFC1918 equivalent)
4. ff00::/8 – multicast range (from ICMPv6 NS/NA, via DHCP up to PIM)
5. 64:ff9b::/96 - used for mappings between address families (NAT64)
IPv6: addresses
12. Addressing IPv6 interface
● an IPv6-compliant machine must support more than one address on each interface
● each interface must have an address assigned from the fe80::/10 range
● often a /64 mask is used (one /64 per L2 segment)
● the last 64 bits can be derived from the hardware MAC (EUI-64):
adam@sw-core-0p-1> show interfaces ge-0/0/39
[...]
Current address: ec:13:db:fb:a4:2a, Hardware address:ec:13:db:fb:a4:2a
adam@sw-core-0p-1> show interfaces ge-0/0/39.1010
[...]
Destination: fe80::/64, Local: fe80::ee13:db03:f2fb:a42a
13. Addressing IPv6 interface (cont.)
● Router Advertisement (each router advertises periodically via multicast):
○ GW address
○ IPv6 prefix (e.g. 2001:1a68:10:1::/64)
○ DNSs
○ lifetime
○ flag stating whether DHCP should be used as well (to get extra info)
● DHCP:
○ different ports than on IPv4
○ client no longer identified by MAC (DUID)
○ GW is not provided! (see RA)
○ no broadcast - multicast + fe80::/10 addresses
● Static
14. ICMPv6
● Neighbor Solicitation (replaces ARP request)
○ sent from the link-local unicast address
○ sent towards a specific multicast address (the ff02::1:ff00:0/104 solicited-node group, derived from the low 24 bits of the target address)
○ used as well for DAD (Duplicate Address Detection)
● Neighbor Advertisement (replaces ARP reply)
○ sent from the link-local unicast address
○ sent towards the link-local unicast address
● Router Solicitation
○ hosts use Router Solicitation messages to locate routers on an attached link
● Router Advertisement
○ router response / periodic advertisement regarding LAN configuration
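EUI-64 derivation (slide 12) and the solicited-node multicast target of a Neighbor Solicitation (slide 14), as an added example that is not part of the deck; the function names are mine and the MAC is the one from the slide’s “show interfaces” output. The Juniper link-local shown on slide 12 for unit .1010 differs from plain EUI-64 only in the middle 16 bits, where 0x03f2 = 1010 (the logical unit number) stands in place of ff:fe.

```python
# Added example (not from the slides): from a MAC address derive the modified
# EUI-64 interface identifier, the fe80::/64 link-local address, and the
# solicited-node multicast group (plus its 33:33:... Ethernet MAC) that a
# Neighbor Solicitation for that address is sent to.

def eui64_iid(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe, flip the U/L bit.
    Such an IID exposes the hardware address in every packet and is the same on
    every network, which is why RFC 4941 temporary addresses exist."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like ec:13:db:fb:a4:2a")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # invert the universal/local bit (RFC 4291, Appendix A)
    return bytes(iid)

def groups_text(raw: bytes) -> str:
    """Colon-hex text for an even number of bytes, leading zeros dropped per group."""
    return ":".join(f"{int.from_bytes(raw[i:i + 2], 'big'):x}" for i in range(0, len(raw), 2))

def link_local(mac: str) -> str:
    """fe80::/64 address carrying the EUI-64 IID (valid text; a locally administered
    MAC starting with 02 yields a leading zero group that RFC 5952 would fold into ::)."""
    return "fe80::" + groups_text(eui64_iid(mac))

def solicited_node(low24: bytes) -> tuple:
    """ff02::1:ffXX:XXXX built from the low 24 bits of the target address, and the
    Ethernet multicast MAC (33:33 + low 32 bits of the group) it maps to."""
    if len(low24) != 3:
        raise ValueError("need the last three bytes of the target address")
    v6 = "ff02::1:" + groups_text(b"\xff" + low24)
    return v6, "33:33:ff:" + ":".join(f"{b:02x}" for b in low24)

def ns_targets(mac: str) -> dict:
    """Addresses involved when a host with this MAC is solicited for (or runs DAD on)
    its own EUI-64 link-local address."""
    iid = eui64_iid(mac)
    v6, eth = solicited_node(iid[5:])
    return {"link_local": link_local(mac), "solicited_node": v6, "eth_multicast": eth}
```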
15. Transition
Why is it taking so long?
● IPv4 still works / plenty of NATs / somehow it will work out
● HW / SW incompatibility / issues
● 🐔/🥚 (chicken-and-egg) problem:
○ no content (there are no users)
○ no users (there is no content)
Broken link-local support in VMware ESXi 5
17. Dual Stack
● each machine has an IPv4 and an IPv6 stack running at the same time
● the IPv6 protocol is preferred over IPv4
● the ideal scenario involves a public IPv4 address, although RFC1918 is acceptable (NAT444 on CGN)
18. DS-Lite
● CPE connected only via IPv6 on the WAN
● PC on the LAN gets an IPv4 (RFC1918) and an IPv6 address
● All IPv4 traffic toward the Internet is encapsulated into IPv6, forwarded to the CG-NAT and NATted there (multiple customers using one public IPv4 address)
19. NAT64
● CPE/device connected via an IPv6 uplink
● Each DNS request (for an IPv4 resource) is translated into the 64:ff9b:: IPv6 space
● That space is translated on the IPv6->IPv4 NAT
● 464XLAT extension for pure (DNS-less) IPv4 traffic (or ALGs like FTP, SIP, Skype etc.)
20. MAP-T
● Provides stateless IPv6-IPv4 translation - the stateful part (NAT) is done on the CPE
● Customer gets only part of one IPv4 address (e.g. IP [202.254.1.2] + range of ports [1000-2000]) - so one IP is shared between multiple users
● All NAT translation is done on the CPE and IPv4 addresses are encoded into IPv6 ones:
○ packet from 192.168.1.100 port 9020 to 3.3.3.3 port 1050
○ becomes 2001::[202.254.1.2] port 1048 to 4001::[3.3.3.3] port 1050 (after CPE)
○ becomes 202.254.1.2 port 1048 to 3.3.3.3 port 1050 (after CGN)
● IPv4 extraction is done on ISP core devices statelessly
● MAP-E is similar but encapsulation is used instead of IPv6 / IPv4 encoding
21. PCP
● Port Control Protocol (PCP) lets a host control how incoming IPv4/v6 packets are translated and forwarded by the upstream CG-NAT
● Allows setting explicit port forwarding rules on the ISP CGN
● Successor to the NAT Port Mapping Protocol (NAT-PMP)
● Operations:
○ MAP - creates or renews a mapping for inbound forwarding (port forward)
○ PEER - creates or renews an outbound mapping (translate outgoing traffic to a specific IP/port)
22. 6in4 tunnels
● Uses tunneling to encapsulate IPv6 traffic over pure IPv4 networks
● Traffic is sent inside IPv4 packets whose IP headers have the IP protocol number set to 41 (it’s not an L4 protocol - beware of NAT)
● Free providers are available: Hurricane Electric (USA), 6project.org (USA), pemsy (EU), IP4Market (Russia)
● One can get from a /128 up to a /48 IPv6 prefix for her/his use
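Protocol 41 seen from the monitoring side, as an added example that is not part of the deck: inspect_ipv4() flags IPv4 packets carrying encapsulated IPv6 and decodes the inner header, while the two builders only construct sample input (documentation addresses, checksum left zero); the dict keys and function names are mine.

```python
import ipaddress
import struct

# Added example (not from the slides): flag IPv4 packets whose protocol field
# is 41 and decode the IPv6 header they carry. A filter that only looks at IPv4
# addresses and TCP/UDP ports never sees the inner IPv6 flow, so monitoring
# should log protocol 41 together with the inner src/dst returned here.
PROTO_6IN4 = 41   # IP protocol number for IPv6-in-IPv4 (RFC 4213)

def inspect_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 header; for protocol 41 also parse the inner IPv6 header."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    info = {"outer_src": str(ipaddress.IPv4Address(src)),
            "outer_dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "tunnel": False}
    if proto != PROTO_6IN4:
        return info
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        info["tunnel"] = "malformed"  # protocol 41 but no IPv6 header: log it anyway
        return info
    payload_len, next_hdr, _hop = struct.unpack("!HBB", inner[4:8])
    info.update(tunnel=True, inner_payload_len=payload_len, inner_next_header=next_hdr,
                inner_src=str(ipaddress.IPv6Address(inner[8:24])),
                inner_dst=str(ipaddress.IPv6Address(inner[24:40])))
    return info

def ipv4_wrap(proto: int, payload: bytes, src="192.0.2.10", dst="198.51.100.1") -> bytes:
    """Constructed test input: minimal IPv4 header (IHL 5, checksum left 0) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def ipv6_header(src: str, dst: str, payload: bytes, next_header: int = 59) -> bytes:
    """Constructed test input: minimal IPv6 header (59 = no next header) + payload."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)

if __name__ == "__main__":
    sample = ipv4_wrap(PROTO_6IN4, ipv6_header("2001:db8::1", "2001:db8::2", b"hello"))
    print(inspect_ipv4(sample))
```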
23. Codilime story
A four-part story (from edge to center):
● Request IPv6 prefix from ISP
● Enable IPv6 protocol on edge FWs
● Enable IPv6 on core/access switches
● Those little things
24. Codilime story
Request IPv6 prefix
● It’s free
● We’ve got /48 prefix
○ 65k of /64 networks
● But not always available
○ primary ISP responded on NBD
○ secondary ISP has no support for IPv6 at all
25. Codilime story
Enable IPv6 on FWs
● We added family inet6 on interconnecting interfaces
○ link-local address is OK for most of the cases - no need to put public IPv6 there
● OSPFv3 protocol/FW policies had to be added/adjusted
● No changes needed on policy rules for forwarding traffic (in most of the cases)
● However, IPv6 flow mode had to be enabled on the FW (otherwise all IPv6 traffic was dropped):
adam@fw# set security forwarding-options family inet6 mode flow-based
[edit]
adam@fw# commit
warning: You have enabled/disabled inet6 flow.
You must reboot the system for your change to take effect.
If you have deployed a cluster, be sure to reboot all nodes.
commit complete
26. Codilime story
Enable IPv6 on core switches
Enabling IPv6 on core switches went more smoothly, but the checklist was long:
● Add family inet6 on dedicated interfaces
○ remember to allow multicast/link-local addresses on interface filters
● Filter protect-re for the IPv6 family had to be specified separately
● We had to enable the OSPFv3 protocol as well to exchange IPv6 prefixes
● Explicitly blackholed the /48 prefix on the core to avoid a routing loop between our FW and the ISP PE
● To enable RA on user interfaces, the protocol router-advertisement had to be enabled:
adam@sw-core1> show configuration protocols router-advertisement
interface irb.1120 {
max-advertisement-interval 60;
prefix 2001:1a68:10:1::/64;
}
27. Codilime story
Those little things
● enable IPv6 on DNSs (currently in backlog - since AAAA over IPv4 is working fine)
● enable/configure ip6tables on servers
● update sFlow collector to interpret IPv6 records correctly
● inform users in advance (FAIL 😉)
“Since when do we have native IPv6 😲?”
28. IPv6 and hardware
IPv6 support on network devices:
● Control Plane
● Forwarding plane
● > L4 services (NAT/PCP)
Juniper MX-Series routers and switches
29. IPv6 and hardware
Control plane
Routing protocols supporting IPv6 are divided into two approaches:
● integrated (IS-IS, MP-BGP4): can exchange both IPv4/v6 routing information at the same time:
+ efficiency: IPv4 and IPv6 addresses belonging to the same destination can be transported via a single message
+ reactivity: if a fault or a network change occurs, the protocol discovers it for both address families
- bugs: a problem in the protocol affects IPv4 and IPv6 networks in the same way
- migration: if the protocol uses IPv4 to transport Hello packets, IPv4 cannot be abolished in the network (MP-BGP4)
30. IPv6 and hardware
Control plane (cont.)
Routing protocols supporting IPv6 are divided into two approaches:
● native (RIPng, EIGRP, OSPFv3): can exchange only IPv6 routing information:
- efficiency: given a destination, a message needs to be exchanged for its IPv4 address and another message for its IPv6 address (twice as many Hellos)
- reactivity: if a fault or a network change occurs, both protocols have to discover it, each one with its own timings and duplicate messages
+ bugs: a problem in one protocol does not affect routing in the other one
+ migration: each routing protocol generates messages of the address family it belongs to
31. IPv6 and hardware
Control plane (cont.)
Interoperability:
● RFC approval takes time
○ VRRPv6: vendor “H” supports the final RFC, vendor “J” supports the draft version. Result: each of them thinks the other one is dead.
○ PCP (29 drafts! before the RFC): CGN supports draft XXX/final RFC vs CPEs support draft YYY/final RFC (you can pick only two options)
● Communication with 3rd party components via IPv6 (AAA - RADIUS), logs, SNMP etc.
● Router Advertisement, which is interpreted by hosts directly (Android, iOS, Linux, Windows, etc.)
32. IPv6 and hardware
Forwarding plane:
● IPv6 addresses are longer than IPv4 ones (128b vs 32b)
○ consume more FIB memory
○ bigger address space -> more prefixes -> even more FIB memory needed
○ due to the above: NH lookup takes longer
○ FIB size/speed vs IPv6 growth -> LISP protocol
● ICMPv6 protocol support is mandatory
● Traffic Class & Flow Label now take 8 & 20 bits -> different QoS/ECMP handling
● ACL/policy (TCAM or ASIC) - the first approach needs more memory, the second different “code”
● On the plus side - no fragmentation in transit (only an ICMPv6 message to the packet origin)
● Some vendors have issues even now: “Recursive lookup is not working if gateway is link local address”, “VPNv6 support” (both: “M” vendor)
33. IPv6 and hardware
> L4 services...
...while keeping IP core performance (>40/100/400Gb/s):
● Juniper MS-DPC / MS-MPC (DS-lite)
● Cisco Service card (DS-lite) or 400G / 200G Modular Line Cards and 4/8-Port 100 Gigabit
Ethernet Line Cards (MAP-T)
● Alcatel-Lucent/Nokia Multiservice Integrated Service Adapter (MS-ISA) (DS-lite)
All those services (DS-lite, NAT64, PCP):
● introduce Layer 4 to core network devices
● are stateful (which consumes memory/CPU)
● must support >10k-100k users at the same time
● allow users to interact directly with core devices (PCP)
34. Who is using?
● Google / Youtube
● Facebook
● Netflix
● Wikipedia
● Yahoo
● Battle.net
● Github
● Orange / UPC (DS-lite and/or NAT64)
● Codilime 😉 (~ 20% of users’ traffic)
● Windows OS - since ver. 7
● Linux - since 2.6.x
● Mac OS X - since 10.7 (bugged) / 10.11
● Android 5.0 + iOS 4.1
~ 80% of smartphones at the largest US providers (AT&T, Sprint, T-Mobile and Verizon) are using IPv6.