2. Agenda
IPv6 Introduction
Limitation of IPv4
Features of IPv6
Difference between IPv4 and IPv6
Benefit in case of deploying IPv6
IPv6 address syntax and packet
Types of IPv6 addresses.
ICMPv6
Path MTU Discovery
Neighbor Discovery Protocol
Tunnelling
DHCPv6
RIPng
OSPFv3
BGP4+
IPv6 Filtering (Access Control Lists)
IPv6 firewall Handling
IPv4-v6 Co-existence/Transition
IPv6 Support – Operating Systems
IPv6 Deployment Analysis
Deployment Issues
3. IPv6
• An Internet Layer protocol for packet-switched internetworks. Designated as the successor of IPv4.
4. Limitation of IPv4
• Recent exponential growth of the Internet and the impending exhaustion
of the IPv4 address space
• Need for simpler configuration: Most current IPv4 implementations are
either manually configured or use a stateful address configuration
protocol such as Dynamic Host Configuration Protocol (DHCP).
• No security at the Internet layer
• Need better support for prioritized and real-time delivery of data
5. Features of IPv6
• Simplification of header format:
The IPv6 header is much simpler than the IPv4 header and has a fixed
length of 40 bytes. This allows for faster processing. It basically
accommodates two times 16 bytes for the Source and Destination
address and only 8 bytes for general header information.
• Large address space :
• IPv6 has 128-bit (16-byte) source and destination addresses
• Improved support for options and extensions
IPv4 integrates options in the base header, whereas IPv6 carries
options in so called extension headers, which are inserted only if
they’re needed. Again, this allows for faster processing of packets. The
base specification describes a set of six extension headers, including
headers for routing, Mobile IPv6, and quality of service and security.
• Efficient and hierarchical addressing and routing infrastructure
• Stateless and stateful address configuration
6. Features of IPv6 (contd.)
• Better support for prioritized delivery :
• Traffic Class field and Flow Label field in header helps in supporting
prioritized delivery.
• New protocol for neighboring node interaction :
• The Neighbor Discovery protocol replaces and extends the Address
Resolution Protocol, ICMPv4 Router Discovery, and ICMPv4 Redirect
messages with efficient multicast and unicast Neighbor Discovery
messages.
7. Difference between IPv6 and IPv4
IPv4
• Source and destination addresses
are 32 bits (4 bytes) in length.
• IPsec header support is optional
• No identification of packet flow
for prioritized delivery handling
by routers is present within the
IPv4 header.
• Fragmentation is performed by
the sending host and at routers,
slowing router performance.
IPv6
• Source and destination addresses
are 128 bits (16 bytes) in length.
• IPsec header support is required.
• Packet flow identification for
prioritized delivery handling by
routers is present within the IPv6
header using the Flow Label field.
• Fragmentation is performed only
by the sending host.
8. Difference between IPv6 and IPv4 (contd.)
IPv4
• Has no link-layer packet-size
requirements, and must be able
to reassemble a 576-byte packet
• Header includes a checksum.
• Header includes options.
• ARP uses broadcast ARP Request
frames to resolve an IPv4 address
to a link-layer address.
IPv6
• Link layer must support a 1280-byte packet and be able to reassemble a 1500-byte packet.
• Header does not include a
checksum.
• All optional data is moved to IPv6
extension headers.
• ARP Request frames are replaced
with multicast Neighbor
Solicitation messages.
9. Difference between IPv6 and IPv4 (contd.)
IPv4
• Broadcast addresses are used to
send traffic to all nodes on a
subnet.
• Must be configured either
manually or through DHCP for
IPv4.
IPv6
• There are no IPv6 broadcast
addresses. Instead, a link-local
scope all-nodes multicast address
is used.
• Does not require manual
configuration or DHCP for IPv6.
10. Benefits of deploying IPv6
• Solves the Address Depletion Problem
• Solves the Disjoint Address Space Problem
• Solves the International Address Allocation Problem
• Restores End-To-End Communication
• Uses Scoped Addresses and Address Selection
• Has More Efficient Forwarding
• Has Support for Security and Mobility
11. IPv6 Address Syntax
An IPv6 address has 128 bits, or 16 bytes. The address is divided into eight 16-bit hexadecimal blocks separated by colons. For example:
2001:DB8:0000:0000:0202:B3FF:FE1E:8329
To make life easier, some abbreviations are possible. For instance, leading zeros in a
16-bit block can be skipped. The example address now looks like this:
2001:DB8:0:0:202:B3FF:FE1E:8329
A double colon can replace consecutive zeros or leading or trailing zeros within the
address. If we apply this rule, our address looks as follows:
2001:DB8::202:B3FF:FE1E:8329
More than one double-colon abbreviation in an address is invalid.
So the IPv6 address 2001:DB8:0000:0056:0000:ABCD:EF12:1234 can be represented
in the following ways (note the two possible positions for the double colon):
2001:DB8:0000:0056:0000:ABCD:EF12:1234
2001:DB8:0:56:0:ABCD:EF12:1234
2001:DB8::56:0:ABCD:EF12:1234
2001:DB8:0:56::ABCD:EF12:1234
12. IPv6 Address Syntax (contd.)
IPv6 address in binary form
00100000000000010000110110111000000000000000000000101111001110110000001010101010000000001111111111111110001010001001110001011010
Divided along 16-bit boundaries
0010000000000001 0000110110111000 0000000000000000
0010111100111011 0000001010101010 0000000011111111
1111111000101000 1001110001011010
Each 16-bit block is converted to hexadecimal and delimited by using colons
2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
Suppress leading zeros within each block
2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
13. Prefix Representation
A prefix is represented just like CIDR: the prefix length is appended to the address.
Like the IPv4 address 198.10.0.0/16, an IPv6 prefix is written the same way: 2001:db8:12::/40
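The rules of slides 11 to 13 (leading-zero suppression, a single "::", binary form, CIDR-style prefix length) written out as a small hand-rolled parser, added here as an example that is not part of the original deck. It cross-checks its own compression against Python's standard ipaddress module; the compression rule it follows is RFC 5952, so a lone zero block is kept as "0" rather than replaced by "::". The prefix-matching function and the sample addresses other than the slide's own are this example's assumptions.

```python
"""Added example (not from the original slides): hand-rolled expansion,
compression, bit dump and prefix matching for IPv6 addresses, following the
rules of slides 11-13, cross-checked against Python's ipaddress module."""
import ipaddress
import re

HEXTET = re.compile(r"^[0-9A-Fa-f]{1,4}$")  # one 16-bit block, leading zeros optional


def expand(text):
    """Return the eight 16-bit blocks of an IPv6 address as integers.

    Accepts suppressed leading zeros and at most one '::'; more than one '::'
    is invalid (slide 11) and raises ValueError, as does any other malformed input."""
    if text.count("::") > 1:
        raise ValueError("more than one '::' in %r" % text)
    if "::" in text:
        head, tail = text.split("::")
        head = head.split(":") if head else []
        tail = tail.split(":") if tail else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero block in %r" % text)
        parts = head + ["0"] * missing + tail
    else:
        parts = text.split(":")
    if len(parts) != 8 or not all(HEXTET.match(p) for p in parts):
        raise ValueError("not a valid IPv6 address: %r" % text)
    return [int(p, 16) for p in parts]


def compress(blocks):
    """Canonical text form (RFC 5952): lowercase hex, leading zeros suppressed,
    the longest run of two or more zero blocks replaced by '::' (the leftmost
    run on a tie). A lone zero block stays '0', so the slide's
    2001:DB8:0000:0056:0000:ABCD:EF12:1234 becomes 2001:db8:0:56:0:abcd:ef12:1234."""
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, block in enumerate(blocks):
        if block == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
            if run_len > best_len:
                best_start, best_len = run_start, run_len
        else:
            run_len = 0
    hexes = ["%x" % b for b in blocks]
    if best_len < 2:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def to_binary(blocks):
    """128-character bit string, the 'binary form' of slide 12."""
    return "".join("{:016b}".format(b) for b in blocks)


def in_prefix(address, prefix):
    """True if address lies inside a CIDR-style prefix such as 2001:db8:12::/40
    (slide 13): only the first N bits of both addresses are compared."""
    network, length = prefix.rsplit("/", 1)
    n = int(length)
    if not 0 <= n <= 128:
        raise ValueError("prefix length must be 0..128")
    return to_binary(expand(address))[:n] == to_binary(expand(network))[:n]


def canonical(text):
    """Expand and recompress, and confirm that the stdlib agrees."""
    ours = compress(expand(text))
    theirs = ipaddress.IPv6Address(text).compressed
    if ours != theirs:
        raise AssertionError("%s != %s" % (ours, theirs))
    return ours


if __name__ == "__main__":
    for sample in ("2001:DB8:0000:0000:0202:B3FF:FE1E:8329",
                   "2001:DB8:0000:0056:0000:ABCD:EF12:1234",
                   "2001:DB8:0:2F3B:2AA:FF:FE28:9C5A"):
        print(sample, "->", canonical(sample))
        print("  bits:", to_binary(expand(sample)))
```

Both double-colon placements that slide 11 lists for 2001:DB8:0000:0056:0000:ABCD:EF12:1234 expand to the same eight blocks; the 40-bit prefix check shows why 2001:db8:12::/40 and 2001:db8:34::/40 are the same network while 2001:db8:1234:: is outside it.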
16. Packet Description
Version
Version 6 (4-bit IP version).
Traffic class
Packet priority (8-bits). Priority values subdivide into ranges: traffic
where the source provides congestion control and non-congestion
control traffic.
Flow label
QoS management (20 bits). For real time applications
Payload length
Payload length in bytes (16 bits).
Next header
Specifies the next encapsulated protocol.
Hop limit
Replaces the time to live field of IPv4 (8 bits).
Source and destination addresses
128 bits each.
18. Types of IPv6 addresses
Unicast
• A unicast address uniquely identifies an interface of an IPv6 node. A packet sent to a unicast address is delivered to the interface identified by that address.
Multicast
• A multicast address identifies a group of IPv6 interfaces. A packet sent to a multicast address is processed by all members of the multicast group.
Anycast
• An anycast address is assigned to multiple interfaces (usually on multiple nodes).
• A packet sent to an anycast address is delivered to only one of these interfaces, usually the nearest one.
No more broadcast address.
20. Global Unicast Addresses
• Equivalent to public IPv4 addresses
• Globally routable and reachable
• Scope is the entire IPv6 Internet
21. Link-local Unicast Addresses
Link-Local Addresses Used For:
• Mandatory address for communication between two IPv6 devices (like ARP but at Layer 3).
• Automatically assigned by the router as soon as IPv6 is enabled.
• Also used for next-hop calculation in routing protocols.
• Link-specific scope only.
• The remaining 54 bits can be zero or any manually configured value.
22. Site-local Unicast Addresses
Do not have a global scope and can be reused. Scope is site.
Used between nodes communicating with other nodes in the same
organization
Not automatically configured; must be assigned either through stateless or stateful address autoconfiguration.
They are used especially for two purposes: the replacement of ARP, and DAD.
23. Unique Local Addresses
• Provide a private addressing alternative to global addresses for intranet
traffic
• Address unique across all the sites of the organization
• Used For Local communications and Inter-site VPNs
• Not routable on the Internet
24. Special IPv6 Addresses
• Unspecified address
• The unspecified address (0:0:0:0:0:0:0:0 or ::) is used only to indicate
the absence of an address
• Used as a source address when a unique address has not yet been
determined
• Never assigned to an interface or used as a destination address.
• Equivalent to the IPv4 unspecified address of 0.0.0.0
• Loopback Address
• The loopback address (0:0:0:0:0:0:0:1 or ::1) is assigned to a loopback
interface, enabling a node to send packets to itself.
• Equivalent to the IPv4 loopback address of 127.0.0.1
• Packets addressed to the loopback address must never be sent on a
link or forwarded by an IPv6 router
25. Multicast IPv6 Addresses
• Cannot be used as source addresses or as intermediate destinations in
a Routing extension header
26. Multicast IPv6 Addresses (contd.)
• Flags
• The first low-order bit is the Transient (T) flag: 0 -> permanent address, 1 -> temporary address.
• The second low-order bit is the Prefix (P) flag, which indicates whether the multicast address is based on a unicast address prefix.
• The third low-order bit is the Rendezvous Point Address (R) flag, which indicates whether the multicast address contains an embedded rendezvous point address.
• Scope
• Indicates the scope of the IPv6 network for which the multicast traffic is intended to be delivered. Examples: 2 -> link-local scope, 5 -> site-local scope, E -> global scope.
27. Solicited-Node Address
• Facilitates the efficient querying of network nodes during link-layer
address resolution
• IPv6 uses the Neighbor Solicitation message to perform link-layer
address resolution which uses solicited-node multicast address
• The solicited-node multicast address is constructed from the prefix
FF02::1:FF00:0/104 and the last 24 bits (6 hexadecimal digits) of a
unicast IPv6 address
28. Anycast Address Assignment
• Routers along the path to the destination just process the packets based on the network prefix.
• Routers configured to respond to anycast packets will do so when they receive a packet sent to the anycast address.
• Anycast allows a source node to transmit IP datagrams to a single destination node out of a group of destination nodes with the same subnet ID, based on the routing metrics.
32. ICMPv6
ICMPv6, while similar in strategy to ICMPv4, has changes that make it more suitable for IPv6. ICMPv6 has absorbed some protocols that were independent in version 4.
One of the fundamental differences between IPv6 ND and its IPv4
counterpart suite of protocols (ARP, IPCP, and so on) is the positioning in
the IP protocol stack. Although IPv4 same-link-related protocols are split
between ARP/RARP, right above the link layer, and ICMP, running above IP,
IPv6 ND is implemented entirely within ICMPv6.
34. Path MTU Discovery (PMTUD) for IPv6
Fragmentation in IPv6 is not performed by intermediary routers.
The source node may fragment packets by itself only when the path MTU is smaller than the packets to deliver.
36. Example of PMTUD for IPv6 used by a source node (cont.)
First, the source node that sends the first IPv6 packet to a destination
node uses 1500 bytes as the MTU value (1). Then, the intermediary
Router A replies to the source node using an ICMPv6 message Type 2,
Packet Too Big, and specifies 1400 bytes as the lower MTU value in the
ICMPv6 packet (2). The source node then sends the packet but instead
uses 1400 bytes as the MTU value; the packet passes through Router A
(3). However, along the path, intermediary Router B replies to the
source node using an ICMPv6 message Type 2 and specifies 1300 bytes
as the MTU value (4). Finally, the source node resends the packet using
1300 bytes as the MTU value. The packet passes through both
intermediary routers and is delivered to the destination node (5). The
session is now established between source and destination nodes, and
all packets sent between them use 1300 bytes as the MTU value (6).
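The six-step exchange above, replayed as a small simulation. This is an added example, not code from the original deck: the router names, their 1400- and 1300-byte links, the 1500-byte starting size and the ICMPv6 Type 2 value are the slide's; the Router and SourceNode classes are constructed for the example. It also shows the one check a receiver of Packet Too Big should always make, namely that the advertised MTU is never allowed to fall below the 1280-byte minimum that slide 8 says every IPv6 link must carry (the RFC 8201 rule).

```python
"""Added example (not from the original slides): a small simulation of the
Path MTU Discovery exchange of slide 36. The router names, their link MTUs
(1500 -> 1400 -> 1300) and the Packet Too Big type are taken from the slide;
the classes and the 1280-byte floor check are this example's own."""

IPV6_MIN_MTU = 1280            # slide 8: every IPv6 link must carry 1280 bytes
ICMPV6_PACKET_TOO_BIG = 2      # slide 36: ICMPv6 message Type 2


class Router:
    """An intermediary router that never fragments (slide 34): if a packet is
    larger than the MTU of its outgoing link it returns a Packet Too Big."""

    def __init__(self, name, egress_mtu):
        self.name = name
        self.egress_mtu = egress_mtu

    def forward(self, size):
        if size <= self.egress_mtu:
            return None
        return {"type": ICMPV6_PACKET_TOO_BIG, "mtu": self.egress_mtu, "from": self.name}


class SourceNode:
    """Keeps the cached path MTU and lowers it on each Packet Too Big."""

    def __init__(self, link_mtu=1500):
        self.path_mtu = link_mtu
        self.log = []

    def handle_too_big(self, msg):
        # Never go below the IPv6 minimum link MTU: a Packet Too Big that
        # claims less than 1280 bytes is bogus and is ignored (RFC 8201 rule).
        if msg["mtu"] < IPV6_MIN_MTU:
            self.log.append("ignored MTU %d from %s (below 1280)" % (msg["mtu"], msg["from"]))
            return
        self.path_mtu = min(self.path_mtu, msg["mtu"])


def discover_path_mtu(source, path, payload):
    """Send a payload of the given size along the path until it passes every
    router. Returns (path MTU in use, number of transmissions); on the slide's
    path this is (1300, 3). Raises RuntimeError if the MTU cannot shrink."""
    attempts = 0
    while True:
        attempts += 1
        size = min(payload, source.path_mtu)
        source.log.append("send %d bytes" % size)
        for router in path:
            reply = router.forward(size)
            if reply is not None:
                source.log.append("%s: Packet Too Big, MTU %d" % (reply["from"], reply["mtu"]))
                source.handle_too_big(reply)
                break
        else:
            source.log.append("delivered; session MTU %d" % source.path_mtu)
            return source.path_mtu, attempts
        if source.path_mtu >= size:
            raise RuntimeError("path MTU did not shrink after Packet Too Big")


if __name__ == "__main__":
    src = SourceNode(1500)
    mtu, sends = discover_path_mtu(src, [Router("A", 1400), Router("B", 1300)], 1500)
    print("\n".join(src.log))
```

With the slide's path the log reads send 1500, A says 1400, send 1400, B says 1300, send 1300, delivered; the third transmission gets through and the session keeps 1300 bytes. A router announcing an MTU under 1280 leaves the cached value untouched, which is why the simulation then stops instead of looping on the same size.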
37. Neighbor Discovery (ND)
Protocol built on top of ICMPv6 (RFC 2463)
The Neighbor Discovery Protocol (ND) is a protocol in the Internet Protocol
Suite used with Internet Protocol Version 6 (IPv6). It operates at the
Network Layer of the Internet model and is responsible for address
autoconfiguration of nodes, discovery of other nodes on the link,
determining the Link Layer addresses of other nodes, duplicate address
detection, finding available routers and Domain Name (DNS) servers,
address prefix discovery, and maintaining reachability information about
the paths to other active neighbor nodes
Combination of IPv4 protocols (ARP, ICMP, IGMP,…)
38. IPv6 nodes use Neighbor Discovery for the following purposes
Router discovery: hosts can locate routers residing on attached links.
Prefix discovery: hosts can discover address prefixes that are on-link for
attached links.
Parameter discovery: hosts can find link parameters (e.g., MTU).
Address autoconfiguration: stateless configuration of addresses of
network interfaces.
Address resolution: mapping between IP addresses and link-layer
addresses.
Next-hop determination: hosts can find next-hop routers for a destination.
Neighbor unreachability detection (NUD): determine that a neighbor is no
longer reachable on the link.
Duplicate address detection (DAD): nodes can check whether an address is
already in use.
Redirect: router can inform a node about better first-hop routers.
39. ICMPv6 Messages Defined for NDP
Router Solicitation
Router Advertisement
Neighbor Solicitation
Neighbor Advertisement
Redirect
40. Router Solicitation (RS)
When an interface becomes enabled, hosts may send out Router
Solicitations that request routers to generate Router Advertisements
immediately rather than at their next scheduled time.
RS is ICMPv6 type 133 and Code 0
Source address of the IPv6 packet encapsulating the RS can be one of the two:
1. IPv6 address of the originating interface
2. Unspecified address ::/0 (All Zeros) if the host interface has not yet
been assigned an IPv6 address
The destination address is the All-Routers multicast address which is
FF02::2
The options field can carry the following information
1. Link layer address of the RS originating interface
2. If the source IPv6 address is sent as unspecified then the link layer
address is not included in the options field
41. Router Advertisement (RA)
Routers advertise their presence together with various link and Internet
parameters either periodically, or in response to a Router Solicitation
message.
RA is ICMPv6 Type 134 and Code 0.
Source address of the IPv6 packet encapsulating the RA is always the IPv6 link-local address of the interface.
The destination address is either the link-local address of the host that sent the RS which requested the RA, or the all-nodes multicast address FF02::1 for the RAs generated periodically by the router.
Unsolicited RAs are generated periodically by the router to make its presence known on the link. The period between transmissions of RAs can be between 4 and 1800 seconds, and the default is 600 seconds. The minimum period between advertisements of RAs is 200 seconds by default.
42. Neighbor Solicitation (NS)
Sent by a node to determine the link-layer address of a neighbor, or to verify
that a neighbor is still reachable via a cached link-layer address. Neighbor
Solicitations are also used for Duplicate Address Detection.
NS is ICMPv6 Type 135 and Code 0
Source address of the IPv6 Packet encapsulating the NS can be one of the two
1. IPv6 address of the originating interface
2. Unspecified address ::/0 (All Zeros) if the NS is sent for Duplicate Address
Detection
The destination address of NS can be one of the two
1. Solicited-Node Multicast Address corresponding to the target address
2. The Target address itself
note: Target address is the IPv6 address of the target of the solicitation and is
never a multicast address.
Options Field of the NS can contain the link-layer address of the interface
originating the NS
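The solicited-node address construction of slide 27 and the Neighbor Solicitation of slide 42, worked through in code. This is an added example and not part of the original deck: it derives FF02::1:FFxx:xxxx from a unicast address, builds the NS message (type 135, code 0, the target, and the source link-layer option that slide 42 says is omitted when the source is the unspecified address for DAD), computes the ICMPv6 checksum over the IPv6 pseudo-header, and parses a message back, which is the check a monitoring tool would make before trusting an ND message. The MAC address and the sample addresses are constructed; the option type 1 and its length of 8 octets follow RFC 4861.

```python
"""Added example (not from the original slides): derive the solicited-node
multicast address of slide 27 and build and parse the Neighbor Solicitation
of slide 42, including the ICMPv6 checksum over the IPv6 pseudo-header.
The MAC address and the sample addresses used below are constructed."""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
            137: "Redirect"}          # slides 40-45
OPT_SOURCE_LINK_LAYER = 1           # RFC 4861 option type 1, length 1 (8 octets)


def solicited_node(unicast):
    """FF02::1:FF00:0/104 followed by the low 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(unicast).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def icmpv6_checksum(src, dst, message):
    """One's complement of the one's complement sum over the IPv6 pseudo-header
    (source, destination, upper-layer length, zeros, next header 58) and the
    ICMPv6 message with its checksum field set to zero."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(message), ICMPV6_NEXT_HEADER))
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_neighbor_solicitation(src, target, link_layer=None):
    """Return (destination address, ICMPv6 bytes) for an NS aimed at target.
    For Duplicate Address Detection src is '::', and the source link-layer
    option is then omitted, as slide 42 requires for the unspecified source."""
    tgt = ipaddress.IPv6Address(target)
    if tgt.is_multicast:
        raise ValueError("the target of an NS is never a multicast address")
    dst = str(solicited_node(target))
    body = struct.pack("!BBHI", 135, 0, 0, 0) + tgt.packed   # type, code, checksum 0, reserved
    if link_layer is not None and not ipaddress.IPv6Address(src).is_unspecified:
        body += bytes([OPT_SOURCE_LINK_LAYER, 1]) + bytes.fromhex(link_layer.replace(":", ""))
    checksum = icmpv6_checksum(src, dst, body)
    return dst, body[:2] + struct.pack("!H", checksum) + body[4:]


def parse_nd(src, dst, message):
    """Classify an ND message by ICMPv6 type and verify its checksum; for an NS
    also extract the target and flag a DAD probe (unspecified source)."""
    if len(message) < 8:
        raise ValueError("ICMPv6 message too short")
    mtype, code, stored, _ = struct.unpack("!BBHI", message[:8])
    zeroed = message[:2] + b"\x00\x00" + message[4:]
    info = {"type": mtype, "code": code, "name": ND_TYPES.get(mtype, "other"),
            "checksum_ok": icmpv6_checksum(src, dst, zeroed) == stored}
    if mtype == 135 and len(message) >= 24:
        info["target"] = str(ipaddress.IPv6Address(message[8:24]))
        info["dad"] = ipaddress.IPv6Address(src).is_unspecified
    return info


if __name__ == "__main__":
    # DAD probe for a constructed address: source ::, no link-layer option
    dst, ns = build_neighbor_solicitation("::", "2001:db8::2aa:ff:fe28:9c5a")
    print(dst, ns.hex(), parse_nd("::", dst, ns))
```

For the slide-12 address FE80::2AA:FF:FE28:9C5A the solicited-node group is FF02::1:FF28:9C5A; only nodes whose address ends in the same 24 bits join that group, which is what makes the query cheaper than an ARP broadcast. A DAD probe is 24 bytes (no option); with the link-layer option it grows to 32, and flipping any byte makes the checksum check fail.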
43. Neighbor Advertisement (NA)
A response to a Neighbor Solicitation message. A node may also send unsolicited Neighbor Advertisements to announce a link-layer address change.
NA is ICMPv6 Type 136 and Code 0.
Source address of the IPv6 packet encapsulating the NA is always the IPv6 address of the originating interface.
The Destination address can be one of the Two
1. Source address of the packet containing the NS for which the NA is being
sent in response.
2. All-Nodes Multicast Address FF02::1
Flags:
R: The Router flag is set when the originator of the NA is a router.
S: The Solicited flag is set when the NA is being sent in response to an NS.
O: The Override flag is set to indicate that the information in this NA should override any existing neighbor cache entry and update the link-layer address. When the O bit is cleared, the NA will not override the existing neighbor cache entry.
44. Neighbor Advertisement (NA) (contd.)
Target Address: the address to which the NA is directed, so it will be the source address of the NS to which the NA is being sent as a response.
If the NA is sent as an unsolicited NA (that is, not in response to any NS), then the target address is the originator's own address. An unsolicited NA is sent only to advertise a change: if the node has changed its link-layer address, it sends an unsolicited NA to advertise that, and therefore lists its own address as the target address.
The Options field of the NA can contain the target link-layer address, that is, the link-layer address of the NA's originating interface.
45. Redirect
Used by routers to inform hosts of a better first hop for a destination
Redirect is ICMPv6 Type 137 and Code 0.
Source Address of the IPv6 packet encapsulating the Redirect message is always
the Link-Local IPv6 address of the interface which has originated the Redirect.
The Destination address is always the source address of the packet which triggered
the Redirect.
The Target address of the Redirect is usually the Link-Local address of another
router on the same link.
The Destination address Field in the Redirect message will contain the IPv6 address
of the destination that will be redirected to the target address.
The Options field will contain the link layer address of the target.
The Options field is made up of Type/Length/Value (TLV) triplets. Each TLV consists of an 8-bit Type, which specifies the kind of information it carries, an 8-bit Length, which specifies the length in units of 8 octets of the value field, and the variable-length Value field itself.
The Redirect message can be at most 1280 bytes.
50. IPv6 and DNS
Hostname to IP address
  IPv4: A record
    www.abc.test. A 192.168.30.1
  IPv6: AAAA record
    www.abc.test. AAAA 3FFE:B00:C18:1::2
IP address to hostname
  IPv4: PTR record
    1.30.168.192.in-addr.arpa. PTR www.abc.test.
  IPv6: PTR record
    2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.0.0.b.0.e.f.f.3.ip6.arpa. PTR www.abc.test.
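How the two reverse-lookup owner names on slide 50 are derived, as an added example that is not part of the original deck. The IPv4 name reverses the four octets; the IPv6 name first expands the address to all 32 hexadecimal digits and then emits one label per nibble, least significant first, which is why the ip6.arpa name is so long. The function checks its own result against the reverse_pointer property of Python's ipaddress module; the record-formatting helpers are this example's own.

```python
"""Added example (not from the original slides): build the in-addr.arpa and
ip6.arpa owner names of slide 50 by hand (nibble reversal for IPv6) and check
them against the stdlib's reverse_pointer."""
import ipaddress


def reverse_name(address):
    """Reverse-lookup owner name for an IPv4 or IPv6 address, with trailing dot."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
        name = ".".join(labels) + ".in-addr.arpa."
    else:
        # Expand to all 32 hex digits, then emit one label per nibble, lowest first.
        nibbles = ip.exploded.replace(":", "")
        name = ".".join(reversed(nibbles)) + ".ip6.arpa."
    if name.rstrip(".") != ip.reverse_pointer:
        raise AssertionError("mismatch with ipaddress.reverse_pointer")
    return name


def forward_record(hostname, address):
    """A or AAAA resource record line; 'www.abc.test.' is the slide's sample owner."""
    ip = ipaddress.ip_address(address)
    rtype = "A" if ip.version == 4 else "AAAA"
    return "%s %s %s" % (hostname, rtype, ip.compressed)


def ptr_record(address, hostname):
    """PTR resource record line mapping the address back to the hostname."""
    return "%s PTR %s" % (reverse_name(address), hostname)


if __name__ == "__main__":
    for addr in ("192.168.30.1", "3FFE:B00:C18:1::2"):
        print(forward_record("www.abc.test.", addr))
        print(ptr_record(addr, "www.abc.test."))
```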
51. DHCPv6
Dynamic Host Configuration Protocol (DHCP) has been updated to support
IPv6. DHCPv6 can provide stateful autoconfiguration to IPv6 hosts. DHCPv6
handles the addressing architecture and new features of the IPv6 protocol
as follows:
It enables more control on nodes than stateless autoconfiguration.
It can be used concurrently on networks where stateless
autoconfiguration is available.
It can provide IPv6 addresses to hosts in the absence of routers on a
network.
It can be used to delegate /48 or /64 prefixes to Customer Premises
Equipment (CPE) routers such as a home gateway.
DHCPv6 Addressing
All_DHCP_Agents: ff02::1:2
All_DHCP_Servers: ff05::1:3
52. IPv6 auto-configuration
IP configuration in IPv6 is carried out by IPv6 auto-configuration.
IPv6 auto-configuration:
Stateless
  nodes configure addresses themselves with information from routers (if available); no managed addresses
Stateful
  nodes use DHCPv6 to obtain addresses.
Duplicate address detection (DAD) is used to avoid duplicated addresses.
54. DHCPv6 Message Type Options
Message Type Meaning
SOLICIT (1) A client sends a Solicit message to locate servers.
ADVERTISE (2) A server sends an Advertise message to indicate that it is
available for DHCP service, in response to a Solicit message
received from a client.
REQUEST (3) A client sends a Request message to request configuration
parameters, including IP addresses, from a specific server.
REPLY (4) A server sends a Reply message containing assigned addresses
and configuration parameters in response to a Solicit, Request,
Renew, Rebind message received from a Client.
RENEW (5) A client sends a Renew message to the server that originally
provided the client's addresses and configuration parameters to
extend the lifetimes on the addresses assigned to the client.
REBIND (6) A client sends a Rebind message to any available server to
extend the lifetimes on the addresses assigned to the client.
56. DHCP Messages
Messages exchanged using UDP
Client port – udp/546
Server Port – udp/547
Client uses Link-Local address or addresses determined using other
methods to transmit and receive DHCP messages.
Server receives messages from clients using a reserved, Link-Scoped
multicast address.
57. DHCP Multicast Addresses
All_DHCP_Relay_Agents_and_Servers
Link-scoped multicast address used by a client to communicate with
on-link relay agents and servers
FF02::1:2
All_DHCP_Servers
Site-scoped multicast address used by a relay agent to communicate
with servers
FF05::1:3
58. DHCPv6 option format and base option
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|          option-code          |           option-len          |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          option-data                          |
|                      (option-len octets)                      |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Base options:
• Client Identifier
• Server Identifier
• Identity Association for Non-temporary
Addresses
• Identity Association for Temporary
Addresses
• IA Address
• Option Request
• Preference
• Elapsed Time
• Relay Message
• Authentication
• Server Unicast
• Status Code
• Rapid Commit
• User Class
• Vendor Class
• Vendor-specific Information
• Interface-Id
• Reconfigure Message
• Reconfigure Accept
59. DHCP Unique Identifier (DUID)
Each DHCP client and server has a DUID. DHCP servers use DUIDs to
identify clients for the selection of configuration parameters and in client
Identity Associations.
Unique across all clients and servers
Should not change over time (if possible)
Must be < 128 octets long
60. Identity Association
An identity association (IA) is a construct through which a server and client
can identify, group, and manage a set of related IP addresses.
Client must associate at least one distinct IA with each network
interface requesting assignment of IP addresses from DHCP server
(IAID)
Must be associated with exactly one interface
Must be consistent across restarts by the client
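A parser that ties slides 54, 58, 59 and 60 together: it reads a DHCPv6 client message (1-byte message type, 3-byte transaction ID), walks the option area using the option-code/option-len/option-data layout, decodes the DUID carried in the Client Identifier option and the IAID, T1 and T2 of an IA_NA option. This is an added example, not code from the original deck: the numeric option codes come from RFC 3315 in the order the slide lists them (code 10 is unassigned), the DUID type values are RFC 3315's, and the Solicit message it parses is constructed here. The length check in parse_options is the point a real parser must not skip, since an option length that overruns the buffer is how malformed packets reach the rest of the code.

```python
"""Added example (not from the original slides): parse a DHCPv6 client message
into its message type (slide 54), its TLV options (slide 58), and decode the
DUID (slide 59) and IA_NA/IAID (slide 60). Option codes follow RFC 3315; the
sample Solicit message is constructed here."""
import struct

MESSAGE_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 4: "REPLY",
                 5: "RENEW", 6: "REBIND"}                     # slide 54
OPTION_NAMES = {1: "Client Identifier", 2: "Server Identifier",
                3: "IA_NA", 4: "IA_TA", 5: "IA Address", 6: "Option Request",
                7: "Preference", 8: "Elapsed Time", 9: "Relay Message",
                11: "Authentication", 12: "Server Unicast", 13: "Status Code",
                14: "Rapid Commit", 15: "User Class", 16: "Vendor Class",
                17: "Vendor-specific Information", 18: "Interface-Id",
                19: "Reconfigure Message", 20: "Reconfigure Accept"}  # slide 58 list, RFC 3315 codes
DUID_TYPES = {1: "DUID-LLT", 2: "DUID-EN", 3: "DUID-LL"}


def parse_options(data):
    """Walk the option area: 2-byte option-code, 2-byte option-len, option-data.
    A length that runs past the end of the buffer is rejected instead of read."""
    options = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 4:
            raise ValueError("truncated option header at offset %d" % offset)
        code, length = struct.unpack("!HH", data[offset:offset + 4])
        if offset + 4 + length > len(data):
            raise ValueError("option %d length %d exceeds buffer" % (code, length))
        options.append((code, data[offset + 4:offset + 4 + length]))
        offset += 4 + length
    return options


def decode_duid(raw):
    """DUID starts with a 2-byte type; DUID-LLT adds hw type and time, DUID-LL
    only the hw type, before the link-layer address. Slide 59: under 128 octets."""
    if len(raw) < 2 or len(raw) > 128:
        raise ValueError("DUID must be 2..128 octets")
    duid_type = struct.unpack("!H", raw[:2])[0]
    info = {"type": DUID_TYPES.get(duid_type, "unknown")}
    if duid_type == 1:
        info["hw_type"], info["time"] = struct.unpack("!HI", raw[2:8])
        info["link_layer"] = ":".join("%02x" % b for b in raw[8:])
    elif duid_type == 3:
        info["hw_type"] = struct.unpack("!H", raw[2:4])[0]
        info["link_layer"] = ":".join("%02x" % b for b in raw[4:])
    return info


def parse_message(packet):
    """Client/server message: 1-byte msg-type, 3-byte transaction-id, options."""
    if len(packet) < 4:
        raise ValueError("DHCPv6 message too short")
    msg_type = packet[0]
    result = {"msg_type": msg_type, "name": MESSAGE_TYPES.get(msg_type, "other"),
              "transaction_id": packet[1:4].hex(), "options": []}
    for code, value in parse_options(packet[4:]):
        entry = {"code": code, "name": OPTION_NAMES.get(code, "unknown")}
        if code in (1, 2):
            entry["duid"] = decode_duid(value)
        elif code == 3:                       # IA_NA: IAID, T1, T2, then sub-options
            entry["iaid"], entry["t1"], entry["t2"] = struct.unpack("!III", value[:12])
            entry["sub_options"] = [c for c, _ in parse_options(value[12:])]
        elif code == 6:                       # Option Request: list of 2-byte codes
            entry["requested"] = list(struct.unpack("!%dH" % (len(value) // 2), value))
        elif code == 8:
            entry["elapsed_centiseconds"] = struct.unpack("!H", value)[0]
        result["options"].append(entry)
    return result


def build_sample_solicit():
    """Constructed Solicit: DUID-LL client id, IA_NA, ORO, elapsed time, rapid commit."""
    mac = bytes.fromhex("02aa00289c5a")                     # constructed MAC
    duid = struct.pack("!HH", 3, 1) + mac                    # DUID-LL, hw type 1 (Ethernet)
    ia_na = struct.pack("!III", 0x0E300001, 60, 90)          # IAID, T1, T2 (slide 67 timers)
    opts = (struct.pack("!HH", 1, len(duid)) + duid
            + struct.pack("!HH", 3, len(ia_na)) + ia_na
            + struct.pack("!HH", 6, 4) + struct.pack("!HH", 23, 24)   # DNS options (RFC 3646)
            + struct.pack("!HH", 8, 2) + struct.pack("!H", 0)
            + struct.pack("!HH", 14, 0))                                # Rapid Commit, empty
    return bytes([1]) + bytes.fromhex("a1b2c3") + opts


if __name__ == "__main__":
    print(parse_message(build_sample_solicit()))
```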
63. DHCPv6 operation
Client sends messages to link-local multicast address
Server unicasts response to client
Information-Request / Reply - provide client configuration information but
no addresses
Confirm / Reply - assist in determining whether client moved
Reconfigure - allow servers to initiate a client reconfiguration
Basic client/server authentication capabilities in base standard.
DHCP Unique Identifier (DUID) used to identify clients & servers
Identity Association ID (IAID) used to identify a collection of addresses
Relay Agents used when server not on-link
Relay Agents may be chained
64. DHCPv6 Installation (Linux)
DHCPv6 server:
Update with dhcpv6-0.10-11_FC3.i386.rpm using
# rpm -U dhcpv6-0.10-11_FC3.i386.rpm
Create a database directory
# mkdir /var/db/dhcpv6
Copy the sample server configuration file
# cp dhcp6s.conf /etc/dhcp6s.conf
Start the server daemon using
# dhcp6s -dDf eth0
65. DHCPv6 Installation (Linux) (contd.)
DHCPv6 client:
Update with dhcpv6_client-0.10-11_FC3.i386.rpm using
# rpm -U dhcpv6_client-0.10-11_FC3.i386.rpm
Copy the sample client configuration file
# cp dhcp6c.conf /etc/dhcp6c.conf
Start the client daemon using
# dhcp6c -dDf eth0
66. DHCPv6 Configuration
In Fedora Core 3 the following files are configured:
Server configuration:
/etc/sysconfig/dhcp6s
/etc/dhcp6s.conf
File : /etc/sysconfig/dhcp6s
Specify the interface for dhcp6s
DHCP6SIF=eth0
67. DHCPv6 Server configuration...
File : /etc/dhcp6s.conf
interface eth0 {
    server-preference 255;
    renew-time 60;
    rebind-time 90;
    prefer-life-time 130;
    valid-life-time 200;
    allow rapid-commit;
    link BBB {
        pool {
            range 2001:0E30:1402:2::4 to 2001:0E30:1402:2::ffff/64;
            prefix 2001:0E30:1402::/48;
        };
    };
};
69. Testing DHCPv6
Start the server daemon in debug mode in the foreground
# dhcp6s -dDf eth0
Restart the network service of the client
# service network restart
See the address assignment
# ifconfig
70. RIPng
Routing Information Protocol next generation (RIPng) is the counterpart of RIPv2, but for IPv6. As defined in RFC 2080, RIPng for IPv6, RIPng has most of the same capabilities as RIPv2.
Distance vector—RIPng is a distance vector protocol based on the
Bellman-Ford algorithm.
Radius of operation—Like RIP, RIPng is limited to a radius of 15 hops.
UDP-based protocol—RIPng uses UDP datagrams to send and receive
routing information.
Broadcast information—Periodic broadcasts can be sent using
multicast addresses to reduce traffic on nodes that are not listening to
RIP messages.
71. Updates Added in RIPng
Destination prefix—Destination prefixes are based on 128-bit instead of
32-bit (as in IPv4).
Next-hop address—Next-hop addresses are based on 128-bit instead of
32-bit (as in IPv4).
Transport—RIPng messages are sent over IPv6 packets.
UDP port number—The standard UDP port number for IPv6 is 521 instead of 520, as in IPv4. This UDP port sends and receives routing information between RIPng routers.
Link-local address—RIPng updates are sent to adjacent RIPng routers
using the link-local address FE80::/10 as the source address.
Multicast address—The standard multicast address used with RIPng is
FF02::9, instead of 224.0.0.9 in IPv4. The FF02::9 represents the all-RIP-
routers multicast address on the link-local scope.
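The facts on slides 70 and 71 (UDP port 521, link-local source FE80::/10, all-RIP-routers group FF02::9, 15-hop radius) turned into the acceptance checks a receiving router applies before installing routes from a RIPng Response, as an added example that is not part of the original deck. The datagram layout (command, version 1, two zero bytes, then 20-byte route table entries of prefix, route tag, prefix length and metric) follows RFC 2080; the routes and addresses are constructed. Metric 16 is "infinity" and is not installed, and a metric of 0xFF marks a next-hop entry rather than a route.

```python
"""Added example (not from the original slides): encode and validate a RIPng
response as a receiver would, using the facts on slides 70-71: UDP port 521,
link-local source (FE80::/10), all-RIP-routers destination FF02::9, 15-hop
radius. The RTE layout follows RFC 2080; the sample routes are constructed."""
import ipaddress
import struct

RIPNG_PORT = 521
RIPNG_GROUP = ipaddress.IPv6Address("ff02::9")
RIP_INFINITY = 16                 # a metric of 16 means unreachable (radius 15 hops)
RESPONSE = 2


def encode_response(routes):
    """Header: command, version 1, 2 zero bytes. Each RTE: 16-byte prefix,
    2-byte route tag, 1-byte prefix length, 1-byte metric (RFC 2080)."""
    out = struct.pack("!BBH", RESPONSE, 1, 0)
    for prefix, metric in routes:
        net = ipaddress.IPv6Network(prefix)
        out += net.network_address.packed + struct.pack("!HBB", 0, net.prefixlen, metric)
    return out


def validate_response(src, dst, src_port, dst_port, datagram):
    """Return the routes to install, or raise ValueError naming the first check
    that failed. Accepts only datagrams that look like on-link RIPng updates."""
    src_ip, dst_ip = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    if not src_ip.is_link_local:
        raise ValueError("source is not link-local (FE80::/10)")
    if dst_ip != RIPNG_GROUP:
        raise ValueError("destination is not FF02::9")
    if src_port != RIPNG_PORT or dst_port != RIPNG_PORT:
        raise ValueError("RIPng uses UDP port 521 on both ends")
    if len(datagram) < 4 or (len(datagram) - 4) % 20:
        raise ValueError("bad RIPng length")
    command, version, zero = struct.unpack("!BBH", datagram[:4])
    if command != RESPONSE or version != 1 or zero != 0:
        raise ValueError("bad RIPng header")
    routes = []
    for off in range(4, len(datagram), 20):
        prefix = ipaddress.IPv6Address(datagram[off:off + 16])
        tag, plen, metric = struct.unpack("!HBB", datagram[off + 16:off + 20])
        if metric == 0xFF:
            continue                  # next-hop RTE, not a route
        if not 1 <= metric <= RIP_INFINITY or plen > 128:
            raise ValueError("invalid RTE for %s" % prefix)
        if metric == RIP_INFINITY:
            continue                  # unreachable: do not install
        routes.append((str(ipaddress.IPv6Network((prefix, plen))), metric))
    return routes


if __name__ == "__main__":
    dg = encode_response([("2001:db8:1::/48", 1), ("2001:db8:2::/64", 15), ("2001:db8:3::/64", 16)])
    print(validate_response("fe80::1", "ff02::9", 521, 521, dg))
```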
72. OSPFv3
The OSPFv3 specification is mainly based on OSPFv2, but with some
enhancements. Adding IPv6 support in the OSPFv2 protocol required
important rewrites of the code to remove the IPv4 dependencies, such as the
multicast IPv4 addresses 224.0.0.5 and 224.0.0.6, which are not useful in
IPv6. After having been updated to support IPv6, OSPFv3 can distribute IPv6
prefixes and run natively over IPv6. Both OSPFv2 and OSPFv3 can be used
concurrently, because each address family has a separate SPF.
73. OSPFv3 has some similarities to OSPFv2
OSPFv3 uses the same basic packet types as OSPFv2 such as hello, DBD
(also called DDP database description packets), LSR (link-state request),
LSU (link-state update), and LSA (linkstate advertisement).
Mechanisms for neighbor discovery and adjacency formation are identical.
Operations of OSPFv3 over the RFC-compliant nonbroadcast multiaccess
(NBMA) and point-to-multipoint topology modes are supported.
LSA flooding and aging are the same for both OSPFv2 and OSPFv3.
74. Differences between OSPFv3 and OSPFv2
OSPFv3 runs over a link—The network statement in the router subcommand
mode of OSPFv2 is replaced by an OSPFv3 command to apply to the interface
configuration. It is possible to have multiple instances per link.
Router ID—This 32-bit number indicates that the router is not IPv6-specific.
The router ID number is still based on 32-bit. This router ID identifies the
OSPFv3 router. As for BGP4+, when no IPv4 address is configured, a router ID
must be set.
Link ID—This 32-bit number indicates that the links are not IPv6-specific. The
link ID number is still based on 32-bit.
Link-local address—OSPFv3 uses IPv6's link-local addresses to identify the
OSPFv3 adjacency neighbors.
New LSA types—The Link-LSA and Intra-Area-Prefix-LSA types are added in
OSPFv3:
Link-LSA (LSA type 0x0008)—There is one Link-LSA per link. This new type
provides the router's link-local address and lists all IPv6 prefixes attached to
the link.
75. Differences between OSPFv3 and OSPFv2 (contd)
Intra-Area-Prefix-LSA (LSA type 0x2009)—There are multiple LSAs with
different link-state IDs. The area flooding scope can be an associated prefix
with the transit network referencing a Network-LSA, or it can be an associated
prefix with a router or a stub referencing a Router-LSA.
Transport—OSPFv3 messages are sent over IPv6 datagrams, allowing the
configuration across IPv6-over-IPv4 tunnels.
Multicast address—Two standard multicast addresses are used with OSPFv3:
FF02::5—Represents all SPF routers on the link-local scope. This multicast
address is equivalent to 224.0.0.5 in OSPFv2.
FF02::6—Represents all Designated Router (DR) routers on the link-local
scope. This multicast address is equivalent to 224.0.0.6 in OSPFv2.
Security—OSPFv3 uses Authentication Headers (IPSec AH) and Encapsulating
Security Payload (IPSec ESP) extension headers as an authentication
mechanism instead of the variety of authentication schemes and procedures
defined in OSPFv2.
77. Fields of the OSPF header
• Version (1 byte)
OSPF for IPv6 uses version number 3.
• Type (1 byte)
Defines the type of OSPF messages.
• Packet length (2 bytes)
This is the length of the OSPF protocol packet in bytes, including the OSPF
header.
• Router ID (4 bytes)
The Router ID of the router originating this packet. Each router must have
a unique Router ID, a 32-bit number normally represented in dotted
decimal notation. The Router ID must be unique within the entire AS.
78. Fields of the OSPF header (contd)
• Area ID (4 bytes)
The Area ID identifies the area to which this OSPF packet belongs.
• Checksum (2 bytes)
OSPF uses the standard checksum calculation for IPv6 applications.
The checksum is computed using the 16-bit one’s complement of the
one’s complement sum over the entire packet. The checksum field in
the OSPF packet header is set to 0.
• Instance ID (1 byte)
Identifies the OSPF instance to which this packet belongs. The Instance
ID is an 8-bit number assigned to each interface of the router. The
default value is 0. The Instance ID enables multiple OSPF protocol
instances to run on a single link. If the receiving router does not
recognize the Instance ID, it discards the packet. For example, routers
A, B, C, and D are connected to a common link n. A and B belong to an
AS different from the one to which C and D belong. To exchange OSPF
packets, A and B will use a different Instance ID from C and D. This
prevents routers from accepting incorrect OSPF packets. In OSPF for
IPv4, this was done using the Authentication field, which no longer
exists in OSPF for IPv6.
79. Two renamed LSAs
1. Interarea prefix LSAs for area border routers (ABRs) (type 3)
Type 3 LSAs advertise internal networks to routers in other areas
(interarea routes).
Type 3 LSAs may represent a single network or a set of networks
summarized into one advertisement.
Only ABRs generate summary LSAs.
In OSPF for IPv6, addresses for these LSAs are expressed as prefix,
prefix length instead of address, mask.
The default route is expressed as a prefix with length 0.
2. Interarea router LSAs for ASBRs (type 4)
Type 4 LSAs advertise the location of an ASBR.
Routers that are trying to reach an external network use these
advertisements to determine the best path to the next hop.
ASBRs generate type 4 LSAs
80. Two new LSAs
1. Link LSAs (type 8)
Information which is only significant to two directly connected neighbors.
Type 8 LSAs have link-local flooding scope and are never flooded beyond the
link with which they are associated.
Link LSAs provide the link-local address of the router to all other routers
attached to the link.
Link LSAs also inform other routers attached to the link of a list of IPv6 prefixes
to associate with the link, and allow the router to assert a collection of options
bits to associate with the network LSA that will be originated for the link.
2. Intra-area prefix LSAs (type 9)
Carries prefixes for a referenced Link State ID.
In OSPFv2, prefixes are sent in Router and Network LSAs, so a prefix change
causes an SPF recalculation. In OSPFv3 they are carried in this separate LSA,
and because a prefix change does not affect the SPF tree, it does not cause an
SPF recalculation.
This makes OSPFv3 more scalable for large networks with a large number of
frequently changing prefixes.
82. BGP Multiprotocol Extension for IPv6
BGP4+
BGP-4 carries only three pieces of information that are truly IPv4-specific:
NLRI (feasible and withdrawn) in the UPDATE message contains an IPv4
prefix.
NEXT_HOP path attribute in the UPDATE message contains an IPv4
address.
BGP Identifier is in the OPEN message and in the AGGREGATOR attribute.
To make BGP-4 available for other network layer protocols, multiprotocol
NLRI and its next hop information must be added. RFC 2858 extends BGP to
support multiple network layer protocols. IPv6 is one of the protocols
supported, as described in a separate document (RFC 2545).
83. Changes in BGP for IPv6 support
To accommodate the new requirement for multiprotocol support, BGP-4 adds
two new attributes to advertise and withdraw multiprotocol NLRI. The BGP
Identifier stays unchanged. BGP-4 routers with IPv6 extensions therefore still
need a local IPv4 address. To establish a BGP connection exchanging IPv6
prefixes, the peering routers need to advertise the optional parameter BGP
capability to indicate IPv6 support. BGP connections and route selection
remain unchanged. Each implementer needs to extend the RIB to
accommodate IPv6 routes. Policies need to take IPv6 NLRI and next hop
information into consideration for route selection.
An UPDATE message advertising only IPv6 NLRI sets the unfeasible route
length field to 0 and carries no IPv4 NLRI. All advertised or withdrawn IPv6
routes are carried within the MP_REACH_NLRI and MP_UNREACH_NLRI. The
UPDATE must carry the path attributes ORIGIN and AS_PATH; in IBGP
connections it must also carry LOCAL_PREF.
The NEXT_HOP attribute should not be carried. If the UPDATE message
contains the NEXT_HOP attribute, the receiving peer must ignore it. All other
attributes can be carried and are recognized.
84. Changes in BGP for IPv6 support (contd)
An UPDATE message can advertise both IPv6 NLRI and IPv4 NLRI having
the same path attributes. In this case, all fields can be used. For IPv6 NLRI,
however, the NEXT_HOP attribute should be ignored. IPv4 and IPv6 NLRI
are separated in the corresponding RIB.
MP_REACH_NLRI path attribute
This optional nontransitive attribute allows the exchange of feasible IPv6
NLRI to a peer, along with its next hop IPv6 address. The NLRI and the
next hop are delivered in one attribute.
MP_UNREACH_NLRI path attribute
This optional nontransitive attribute allows the sending peer to withdraw
multiple IPv6 routes that are no longer valid.
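The MP_REACH_NLRI and MP_UNREACH_NLRI encoding described on slides 83 and 84, as an added Python example (not from the presentation): AFI 2 (IPv6), SAFI 1 (unicast), the IPv6 next hop and the prefixes travel together in one optional non-transitive attribute, withdrawals carry no next hop, and a parser recovers both. The next hop and prefixes are constructed sample values from the documentation range.

```python
import struct
from ipaddress import IPv6Address, IPv6Network

AFI_IPV6, SAFI_UNICAST = 2, 1
MP_REACH_NLRI, MP_UNREACH_NLRI = 14, 15
FLAG_OPTIONAL, FLAG_EXT_LEN = 0x80, 0x10     # transitive bit (0x40) stays clear


def encode_prefix(net: IPv6Network) -> bytes:
    """NLRI form: one prefix-length byte, then only the significant octets of the prefix."""
    return bytes([net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]


def decode_prefixes(data: bytes) -> list:
    """Inverse of encode_prefix over a run of NLRI entries."""
    prefixes, i = [], 0
    while i < len(data):
        plen, nbytes = data[i], (data[i] + 7) // 8
        prefixes.append(IPv6Network((data[i + 1:i + 1 + nbytes].ljust(16, b"\x00"), plen)))
        i += 1 + nbytes
    return prefixes


def path_attribute(code: int, body: bytes) -> bytes:
    """Attribute framing: flags, type code, then a 1-byte or (extended) 2-byte length."""
    if len(body) > 255:
        return struct.pack("!BBH", FLAG_OPTIONAL | FLAG_EXT_LEN, code, len(body)) + body
    return struct.pack("!BBB", FLAG_OPTIONAL, code, len(body)) + body


def mp_reach_nlri(next_hop: str, prefixes: list) -> bytes:
    """Feasible IPv6 routes and their IPv6 next hop, delivered in one attribute."""
    nh = IPv6Address(next_hop).packed        # RFC 2545 also allows global + link-local (32 bytes)
    body = struct.pack("!HBB", AFI_IPV6, SAFI_UNICAST, len(nh)) + nh + b"\x00"   # reserved octet
    return path_attribute(MP_REACH_NLRI, body + b"".join(encode_prefix(IPv6Network(p)) for p in prefixes))


def mp_unreach_nlri(prefixes: list) -> bytes:
    """Withdraw several IPv6 routes at once; no next hop is carried."""
    body = struct.pack("!HB", AFI_IPV6, SAFI_UNICAST)
    return path_attribute(MP_UNREACH_NLRI, body + b"".join(encode_prefix(IPv6Network(p)) for p in prefixes))


def parse_mp_attribute(attr: bytes):
    """Return (type code, next hop or None, prefixes) from an MP_REACH/MP_UNREACH attribute."""
    flags, code = attr[0], attr[1]
    body = attr[4:] if flags & FLAG_EXT_LEN else attr[3:]
    afi, safi = struct.unpack("!HB", body[:3])
    if afi != AFI_IPV6 or safi != SAFI_UNICAST or code not in (MP_REACH_NLRI, MP_UNREACH_NLRI):
        raise ValueError("not an IPv6 unicast MP_REACH/MP_UNREACH attribute")
    if code == MP_UNREACH_NLRI:
        return code, None, decode_prefixes(body[3:])
    nh_len = body[3]                          # 16 or 32; the first 16 bytes are the global next hop
    return code, str(IPv6Address(body[4:20])), decode_prefixes(body[4 + nh_len + 1:])
```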
86. IPv6 Filtering (Access Control Lists)
IPv6 Standard Access Control Lists
• IPv6 access-lists (ACL) are used to filter traffic and restrict access to the
router
• IPv6 prefix-lists are used to filter routing protocol updates.
• IPv6 Standard ACL (Permit/Deny)
IPv6 source/destination addresses
IPv6 prefix-lists
On Inbound and Outbound interfaces
87. IPv6 Extended ACL
Adds support for IPv6 option header and upper layer filtering
Only named access-lists are supported for IPv6
IPv6 and IPv4 ACL functionality
Implicit deny any any as final rule in each ACL.
A reference to an empty ACL will permit any any.
ACLs are NEVER applied to self-originated traffic.
88. IPv6 ACL Implicit Rules
Implicit permit rules enable neighbor discovery
The following implicit rules exist at the end of each IPv6 ACL to allow
ICMPv6 neighbor discovery:
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
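An added Python model of the ACL semantics on slides 87 and 88 (not vendor code): first-match evaluation with the implicit ND permits and deny ipv6 any any appended, an empty ACL permitting everything, and self-originated traffic bypassing the ACL. The Packet and Rule classes and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional

ND_NS, ND_NA = 135, 136   # ICMPv6 Neighbor Solicitation / Neighbor Advertisement types


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                          # "icmp", "tcp", "udp", ...
    icmp_type: Optional[int] = None
    self_originated: bool = False       # generated by the router itself


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    proto: str                          # "ipv6" matches any protocol
    src: str = "::/0"                   # "any"
    dst: str = "::/0"
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto != "ipv6" and self.proto != p.proto:
            return False
        if self.icmp_type is not None and self.icmp_type != p.icmp_type:
            return False
        return (IPv6Address(p.src) in IPv6Network(self.src)
                and IPv6Address(p.dst) in IPv6Network(self.dst))


# The implicit tail the slide lists at the end of every IPv6 ACL
IMPLICIT_TAIL = [
    Rule("permit", "icmp", icmp_type=ND_NA),    # permit icmp any any nd-na
    Rule("permit", "icmp", icmp_type=ND_NS),    # permit icmp any any nd-ns
    Rule("deny", "ipv6"),                       # deny ipv6 any any
]


def evaluate(acl: List[Rule], p: Packet) -> str:
    """First-match evaluation with the three implicit behaviours from slides 87 and 88."""
    if p.self_originated:           # ACLs are never applied to self-originated traffic
        return "permit"
    if not acl:                     # a reference to an empty ACL permits any any
        return "permit"
    for rule in acl + IMPLICIT_TAIL:
        if rule.matches(p):
            return rule.action
    return "deny"                   # not reached: the implicit deny always matches
```

Because evaluation is first-match, an explicit deny ipv6 any any written at the end of an ACL sits before the implicit tail and therefore also blocks the Neighbor Discovery messages the implicit permits were meant to allow; if you need a visible final deny, permit nd-na and nd-ns explicitly before it.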
90. IPv6 architecture and firewall - requirements
• No need to NAT – same level of security with IPv6 possible as with IPv4
(security and privacy)
• Even better: e2e security with IPSec
• IPv6 does not require end-to-end connectivity, but provides end-to-end
addressability
• Support for IPv4/IPv6 transition and coexistence
• Support for IPv6 header chaining
• There are some IPv6-capable firewalls now: Cisco ACL/PIX, iptables, ipfw,
Juniper NetScreen.
91. IPv6 firewall setup
Firewall must support ND/NA
Firewall should support filtering dynamic routing protocol
Firewall must support RS/RA if Stateless Address Auto-Configuration
(SLAAC) is used
Firewall must support MLD messages if multicast is required
92. IPv6 Firewall Filter Rules
When you live in a dual-stack network, you will have two security concepts:
one for the IPv4 world and another for the IPv6 world. And the two concepts
do not have to match; they have to be designed according to the
requirements of each protocol. Your firewalls may support both protocols,
having two separate filter sets (one for each protocol), or you may have two
boxes, one being the firewall for the IPv4 network and the other being the
firewall for your IPv6 network.
93. Security provisions and firewall filters that should be considered
Ingress filter at perimeter firewall for internally used addresses.
Filter unneeded services at the perimeter firewall.
Deploy host-based firewalls for a defense in depth.
Critical systems should have static, nonobvious (randomly generated) IPv6
addresses. Consider using static neighbor entries for critical systems (versus
letting them participate in ND).
Hosts for Mobile IPv6 operations should be separate systems (to protect them by
separate rules).
Ensure that end nodes do not forward packets with Routing Extension headers.
Layer 3 firewalls should never forward link-layer multicast packets.
Firewalls should support filtering based on Source and Destination address, IPv6
extension headers, and upper-layer protocol information.
Check your network for external packets that did not enter through your main
perimeter firewall as an indication of “backdoor” connections or surreptitious
tunneling.
94. IPv4-IPv6 Co-existence/Transition
A wide range of techniques have been identified and implemented, basically
falling into three categories:
Dual-stack techniques, to allow IPv4 and IPv6 to co-exist in the same
devices and networks
Tunneling techniques, to avoid order dependencies when upgrading
hosts, routers, or regions
Translation techniques, to allow IPv6-only devices to communicate
with IPv4-only devices
95. IPv6 tunneling
Tunneling provides a way to use an existing IPv4 routing infrastructure to
carry IPv6 traffic.
The key to a successful IPv6 transition is compatibility with the existing
installed base of IPv4 hosts and routers.
Maintaining compatibility with IPv4 while deploying IPv6 streamlines the
task of transitioning the Internet to IPv6.
While the IPv6 infrastructure is being deployed, the existing IPv4 routing
infrastructure can remain functional, and can be used to carry IPv6 traffic.
96. Ways of Tunneling
Router-to-Router: IPv6/IPv4 routers interconnected by an IPv4
infrastructure can tunnel IPv6 packets between themselves. In this case,
the tunnel spans one segment of the end-to-end path that the IPv6 packet
takes.
Host-to-Router: IPv6/IPv4 hosts can tunnel IPv6 packets to an
intermediary IPv6/IPv4 router that is reachable through an IPv4
infrastructure. This type of tunnel spans the first segment of the packet's
end-to-end path.
Host-to-Host: IPv6/IPv4 hosts that are interconnected by an IPv4
infrastructure can tunnel IPv6 packets between themselves. In this case,
the tunnel spans the entire end-to-end path that the packet takes.
Router-to-Host: IPv6/IPv4 routers can tunnel IPv6 packets to their final
destination IPv6/IPv4 host. This tunnel spans only the last segment of
the end-to-end path.
97. There are two types of tunnels in IPv6
1. Automatic tunnels: Automatic tunnels are configured by using IPv4
address information embedded in an IPv6 address – the IPv6 address of
the destination host includes information about which IPv4 address the
packet should be tunneled to.
2. Configured tunnels: Configured tunnels must be configured manually.
These tunnels are used when using IPv6 addresses that do not have any
embedded IPv4 information. The IPv6 and IPv4 addresses of the
endpoints of the tunnel must be specified.
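As an added example (not from the slides), recovering the IPv4 address embedded in an automatic-tunnel address with Python's ipaddress module: 6to4 (2002::/16) and Teredo (2001:0::/32) use the module's own sixtofour and teredo properties, ISATAP (interface identifier 0000:5efe or 0200:5efe followed by the IPv4 address) is decoded by hand, and the second function applies the slide 93 check for surreptitious tunnelling to a list of observed addresses. The sample addresses and the trusted IPv4 range are constructed.

```python
from ipaddress import IPv4Address, IPv4Network, IPv6Address


def ipv4_tunnel_endpoint(addr: str):
    """Return (mechanism, {role: IPv4Address}) for an automatic-tunnel address,
    or None when the address carries no embedded IPv4 information."""
    a = IPv6Address(addr)
    if a.sixtofour is not None:                       # 2002:WWXX:YYZZ::/48
        return "6to4", {"router": a.sixtofour}
    if a.teredo is not None:                          # 2001:0::/32; client bits stored inverted
        server, client = a.teredo
        return "Teredo", {"server": server, "client": client}
    iid = int(a) & 0xFFFFFFFFFFFFFFFF                 # low 64 bits = interface identifier
    # ISATAP: 00-00-5E-FE (or 02-00-5E-FE with the u/g bit set) followed by the IPv4 address
    if (iid >> 32) & 0xFDFFFFFF == 0x00005EFE:
        return "ISATAP", {"host": IPv4Address(iid & 0xFFFFFFFF)}
    return None


def flag_unexpected_tunnels(addrs, trusted_v4_nets):
    """Slide 93 check applied to observed addresses: report automatic-tunnel addresses
    whose embedded IPv4 endpoint lies outside the IPv4 ranges we expect to see."""
    nets = [IPv4Network(n) for n in trusted_v4_nets]
    findings = []
    for s in addrs:
        found = ipv4_tunnel_endpoint(s)
        if found is None:
            continue
        mechanism, endpoints = found
        for role, v4 in endpoints.items():
            if not any(v4 in n for n in nets):
                findings.append((s, mechanism, role, str(v4)))
    return findings


# Constructed sample addresses (documentation ranges, not observed traffic)
SAMPLE_ADDRS = [
    "2002:c000:204::1",                          # 6to4, router 192.0.2.4
    "fe80::5efe:c000:204",                       # ISATAP link-local, host 192.0.2.4
    "2001:0:4136:e378:8000:63bf:3fff:fdd2",      # Teredo, server 65.54.227.120, client 192.0.2.45
    "2001:db8::1",                               # native address, nothing embedded
]
```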
99. Dual stack
Dual stack node means:
Both IPv4 and IPv6 stacks enabled
Applications can talk to both
100. IPv6 translation
Address and protocol translation mechanisms such as NAT-PT (Network
Address Translation – Protocol Translation) and SIIT (Stateless IP/ICMP
Translation) can be used to help an IPv6 host talk to an IPv4 host, by
converting v6 packets into v4 and vice versa.
103. The Impact of IPv6 on Various Network Entities
How IPv6 affects layer 2
The layer 2 switches process packets based on MAC addresses which
are independent of IPv6.
Implementing IPv6 over layer 2 networks should not need significant
changes to the layer 2 switches. However, IPv6 support for protocol
VLANs may need hardware support. Functionality such as ACL (Access
Control Lists) and MLD snooping (equivalent to IPv4 IGMP snooping)
will need to take into account changes for IPv6.
How IPv6 affects layer 3
For layer 3 support, in addition to the basic IPv6 modules, the routing
and forwarding mechanism needs to be aware of IPv6. Hence,
protocols such as RIPng and OSPFv3 will need to be deployed and the
hardware will need to be IPv6 capable in order to do line rate
processing of IPv6 packets.
A significant change to hardware and software functionality will be
needed in routers to support IPv6.
104. The Impact of IPv6 on Various Network Entities (Contd)
What IPv6 means to the desktop/hosts
The desktop operating system needs to support IPv6 in order to
deploy IPv6 on hosts.
The enterprise and consumer applications need to be ported to IPv6
so that there is an application base for IPv6. New IPv6 applications will
need to be developed that support end-to-end and peer-to-peer
communications models on the Internet.
For hosts to communicate using IPv6, the necessary infrastructure
needs to be in place to support IPv6. A transition plan needs to be
formulated for the network and the strategy will figure out whether
the transition will need specific software support from the host or
whether it will be seamless. Again, depending on the network
topology plan, DHCP or DNS support may be needed.
105. Deployment Issues
IPv6 technology promises to bring a number of benefits to network
communications. But given the complexity of the entire IPv6 protocol family and
the need for a robust infrastructure supporting the protocols, it would be wise for
an enterprise to give thoughtful consideration to issues concerning IPv6
deployment.
Protecting existing investment
Vendors need to protect existing investments in switches/routers/hosts.
Thus they need a strategy which will maximize the returns on current
investments.
Return on investment (ROI)
IPv6 will need software and hardware upgrades on hosts, switches and
routers. It may need deployment of new applications. Also, IPv6 transition
needs to be carefully planned and a pilot network is typically done to
evaluate the strategy. All this requires time and adds to expenses. Hence,
a clear business case needs to be made to trigger migration of enterprise
networks to IPv6.
106. Deployment Issues (contd)
Network planning
IPv6 can be deployed in two ways: having completely independent
IPv6 and IPv4 networks or overlaying IPv4 and IPv6 networks. This
strategy can affect the IPv6 features required on hosts, switches and
routers.
Instability in some IPv6 features
Certain standards like mobile IPv6, flow label are not stable yet, and
this is necessary for successful deployment particularly to avoid
interoperability issues.
Service provider support
For enterprises which require IPv6 communication over the Internet, it
is necessary to look into what IPv6 services and applications are
offered by the service providers.
107. IPv6 on Windows
Full support
Windows XP SP 1 and later (Adv Net or SP2 recommended)
Windows Server 2003 (no full application support)
SP2 additions
Teredo client
host-specific relay support
IPv6 firewall
Autoconfiguration is working
netsh interface ipv6 4
interface 1 – loopback
interface 2 – ISATAP
interface 3 – 6to4 interface
interface 4... – real network interfaces
interface 5 – Teredo interface