
Page 1: | Basel IPv6 – now what? Philipp Kuhn Premier Field Engineer, Global Business Support phkuhn@microsoft.com

| Basel

IPv6 – now what?

Philipp Kuhn
Premier Field Engineer, Global Business Support
phkuhn@microsoft.com

Page 2:

Agenda

• IPv6 Basics
• Deployment
• Best practice and current issues/challenges

Page 3:

Limitations of IPv4

IPv6 Basics

An IPv4 address walks into a bar and says: “Quick, give me a drink. I am exhausted!”

Page 4:

Limitations of IPv4

• Exponential growth of the Internet and the exhaustion of the IPv4 address space
• Need for simpler configuration
• Requirement for security at the IP level
• Need for better support for prioritized and real-time delivery of data

Page 5:

Limitations of IPv4

The modern Internet has grown beyond its original intent

                  | Pure IPv4               | 21st Century Internet        | Implication
Types of Users    | Researchers, Scientists | Everyone                     | Encryption, authentication increasingly important
Number of Hosts   | Millions                | Billions                     | Not enough public, unique addresses to share
Session Duration  |                         | Always Connected, Many Hosts | Address depletion: long-lived sessions result in fewer available addresses
Level of Movement | Stationary              | Stationary and Mobile        | Not designed for mobility beyond the LAN
Network Topology  | Flat                    | Complex                      | Increasingly complex network design

Page 6:

What about IPv5?

The world is moving from IPv4 and going straight to IPv6 because Chuck Norris doesn’t like the number 5!

When Alexander Bell invented the telephone he had 3 missed calls from Chuck Norris.

Page 7:

Capabilities of IPv6

IPv6 Basics

An IPv6 packet walks into a bar. Nobody talks to him.

Page 8:

Capabilities of IPv6

• More efficient packet header format
• Globally scalable address space
• Stateless and stateful address configuration
• Standardized support for Internet security protocols
• Better support for prioritized delivery
• More efficient node discovery
• Extensibility

Page 9:

IPv4 vs. IPv6

Feature                       | IPv4                 | IPv6
Address length                | 32 bits              | 128 bits
IPsec header support          | Optional             | Required
Prioritized delivery support  | Some                 | Better
Fragmentation                 | Hosts and routers    | Hosts only
Minimum packet size           | 576 bytes            | 1280 bytes
Link-layer address resolution | ARP (broadcast)      | Multicast Neighbor Discovery
Multicast membership          | IGMP                 | Multicast Listener Discovery (MLD)
Router Discovery              | Optional             | Required
Uses broadcasts               | Yes                  | No
Configuration                 | Manual, DHCP         | Automatic, DHCPv6
DNS name queries              | Uses A records       | Uses AAAA records
DNS reverse queries           | Uses IN-ADDR.ARPA    | Uses IP6.ARPA

Page 10:

IPv6 terminology

• Node – Any device that runs an implementation of IPv6.
• Router – A node that can forward IPv6 packets not explicitly addressed to itself.
• Host – A node that cannot forward IPv6 packets not explicitly addressed to itself (a non-router).
• Upper-layer protocol – A protocol above IPv6 that uses IPv6 as its transport.
• Link – The set of network interfaces that are bounded by routers and that use the same 64-bit IPv6 unicast address prefix.
• Network – Two or more subnets connected by routers.
• Neighbors – Nodes connected to the same link.
• Interface – The representation of a physical or logical attachment of a node to a link.
• Address – An identifier that can be used as the source or destination of IPv6 packets and that is assigned at the IPv6 layer to an interface or set of interfaces.
• Packet – The protocol data unit (PDU) that exists at the IPv6 layer and is composed of an IPv6 header and payload.

Page 11:

The case for an IPv6 deployment

• IPv6 solves the address depletion problem
• IPv6 solves the disjoint address space problem
• IPv6 solves the international address allocation problem
• IPv6 restores end-to-end communication
• IPv6 uses scoped addresses and address selection
• IPv6 has more efficient forwarding
• IPv6 has support for security and mobility

Page 12:

IPv6 Address Space

IPv6 Basics

IPv4 is soon dead:beef.

Page 13:

IPv6 address space

• 128-bit address space
• 2^128 possible addresses
• 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses (3.4 × 10^38, or 340 undecillion)
• 6.65 × 10^23 addresses for every square meter of the Earth’s surface
• 128 bits to allow flexibility in creating a multi-level, hierarchical routing infrastructure
• 64-bit subnet prefix and a 64-bit interface identifier

Page 14:

IPv6 address syntax

• IPv6 address in binary form:
  00100000000000010000110110111000000000000000000000101111001110110000001010101010000000001111111111111110001010001001110001011010
• Divided along 16-bit boundaries:
  0010000000000001 0000110110111000 0000000000000000 0010111100111011 0000001010101010 0000000011111111 1111111000101000 1001110001011010
• Each 16-bit block is further broken down into four discrete 4-bit chunks called “nibbles”; each nibble represents one hexadecimal digit
• Each 16-bit block is converted to hexadecimal and delimited with colons:
  2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
• Suppress leading zeros within each block:
  2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

Page 15:

Compressing zeros

• A single contiguous sequence of 16-bit blocks set to 0 can be compressed to “::” (double colon)
• Examples:
  • FE80:0:0:0:2AA:FF:FE9A:4CA2 becomes FE80::2AA:FF:FE9A:4CA2
  • FF02:0:0:0:0:0:0:2 becomes FF02::2
• Zero compression cannot include part of a 16-bit block:
  • FF02:30:0:0:0:0:0:5 does not become FF02:3::5, but FF02:30::5
• A double colon can only be used once when compressing an address
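The syntax rules from the two slides above (16-bit blocks, leading-zero suppression, whole-block zero compression, a single double colon), implemented as an added example that is not part of the original deck; it also cross-checks the result against Python's ipaddress module, which follows the same RFC 5952 rules.

```python
import ipaddress

# The 128-bit address from the "IPv6 address syntax" slide, as eight 16-bit blocks.
SLIDE_BINARY = (
    "0010000000000001" "0000110110111000" "0000000000000000" "0010111100111011"
    "0000001010101010" "0000000011111111" "1111111000101000" "1001110001011010"
)

def binary_to_blocks(bits):
    """Split 128 binary digits along 16-bit boundaries; each block becomes
    four hex nibbles with leading zeros kept (the 2001:0DB8:... form)."""
    bits = bits.replace(" ", "")
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("need exactly 128 binary digits")
    return [f"{int(bits[i:i + 16], 2):04X}" for i in range(0, 128, 16)]

def expand(addr):
    """Undo '::' and leading-zero suppression; returns eight 4-digit blocks."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in addr:
        head, tail = addr.split("::")
        left = head.split(":") if head else []
        right = tail.split(":") if tail else []
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = left + ["0"] * missing + right
    else:
        blocks = addr.split(":")
    if len(blocks) != 8 or any(len(b) > 4 for b in blocks):
        raise ValueError("an IPv6 address has eight 16-bit blocks")
    return [f"{int(b, 16):04X}" for b in blocks]

def compress(addr):
    """Suppress leading zeros in every block, then replace the single longest
    run of two or more whole zero blocks with '::' (the first run wins a tie).
    Only whole blocks are eligible, so FF02:30:0:0:0:0:0:5 becomes FF02:30::5."""
    blocks = [b.lstrip("0") or "0" for b in expand(addr)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:            # a lone zero block is written as a plain 0
        return ":".join(blocks)
    head = ":".join(blocks[:best_start])
    tail = ":".join(blocks[best_start + best_len:])
    return f"{head}::{tail}"

def matches_stdlib(addr):
    """Cross-check against ipaddress, which applies the same RFC 5952 rules."""
    return compress(addr).lower() == str(ipaddress.IPv6Address(addr))
```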

Page 16:

IPv6 prefixes

• Express routes, address spaces, or address ranges
• IPv6 always uses address/prefix-length notation
• Similar to CIDR notation
• Examples:
  • 2001:DB8:0:2F3B::/64 for a subnet prefix
  • 2001:DB8:3F::/48 for a route prefix

Page 17:

IPv6 address types

• Global addresses
• Local-use addresses (link-local)
• Unique local addresses
• Special addresses

Page 18:

Global addresses

• Address scope is the entire IPv6 Internet
• Equivalent to public IPv4 addresses
• Structure:
  • Global Routing Prefix (part of the public routing topology, along with the 001 prefix)
  • Subnet ID (site topology)
  • Interface ID

Page 19:

Link-local addresses

• Address scope is a single link
• Equivalent to APIPA IPv4 addresses
• FE80::/64 prefix
• Used for:
  • Single-subnet, routerless configurations
  • Neighbor Discovery processes

Page 20:

Zone IDs

• Link-local addresses are ambiguous:
  • Multiple links (common)
  • Multiple sites (uncommon)
• The zone ID is used to identify a specific interface (e.g. multiple NICs)
• The zone ID is typically set to the interface index of the sending interface
• Examples:
  • ping fe80::2b0:d0ff:fee9:4143%3
  • tracert fe80::f282:2b0:d0ff:fee9:4143%2
• Zone IDs are only used for link-local addresses, since routable addresses are unambiguous

Page 21:

Unique local addresses

• Private to an organization, yet unique across all of the sites of the organization
• FD00::/8 prefix
• Replacement for site-local addresses
• Global scope, no zone ID required

Page 22:

Special addresses

• Unspecified address: 0:0:0:0:0:0:0:0 or ::
• Loopback address: 0:0:0:0:0:0:0:1 or ::1

Page 23:

Well-known multicast addresses

• All multicast addresses begin with FF (1111 1111)
• Prefixes:
  • FF01 – node-local
  • FF02 – link-local
  • FF05 – site-local
• Suffixes:
  • 1 – all nodes
  • 2 – all routers
  • 1:2 – DHCPv6 servers + relay agents
  • 1:3 – LLMNR

Page 24:

IPv4 addresses and IPv6 equivalents

IPv4 Address                       | IPv6 Address
Multicast addresses (224.0.0.0/4)  | IPv6 multicast addresses (FF00::/8)
Broadcast addresses                | N/A
Unspecified address is 0.0.0.0     | Unspecified address is ::
Loopback address is 127.0.0.1      | Loopback address is ::1
Public IP addresses                | Global unicast addresses
Private IP addresses               | Unique-local addresses (FD00::/8)
APIPA addresses                    | Link-local addresses (FE80::/64)
Dotted decimal notation            | Colon hexadecimal format
Subnet mask or prefix length       | Prefix length notation only
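An added example (not from the deck) that sorts an address into the types the preceding slides list, using the deck's own prefixes (FE80::/64, FD00::/8, FF00::/8, :: and ::1), decodes the multicast scope and well-known group ID, and applies the zone ID rule from the Zone IDs slide. The sample addresses in the checks are constructed or taken from the slides.

```python
import ipaddress

# Prefixes exactly as the slides give them (link-local as FE80::/64, the
# prefix Windows actually configures, rather than the wider FE80::/10 block).
LINK_LOCAL = ipaddress.IPv6Network("FE80::/64")
UNIQUE_LOCAL = ipaddress.IPv6Network("FD00::/8")
MULTICAST = ipaddress.IPv6Network("FF00::/8")
MULTICAST_SCOPES = {1: "node-local", 2: "link-local", 5: "site-local"}
WELL_KNOWN_GROUPS = {1: "all nodes", 2: "all routers",
                     0x10002: "DHCPv6 servers + relay agents", 0x10003: "LLMNR"}

def split_zone(text):
    """'fe80::1%3' -> ('fe80::1', '3'); the zone is None when absent."""
    literal, sep, zone = text.partition("%")
    return literal, (zone if sep else None)

def classify(text):
    """Return the address type, its zone ID (if any) and a note a reviewer
    of an address inventory would want to see."""
    literal, zone = split_zone(text.strip())
    addr = ipaddress.IPv6Address(literal)
    info = {"address": str(addr), "zone_id": zone, "type": None, "note": None}
    if addr.is_unspecified:
        info["type"] = "unspecified"
    elif addr.is_loopback:
        info["type"] = "loopback"
    elif addr in LINK_LOCAL:
        info["type"] = "link-local"
        if zone is None:
            info["note"] = "ambiguous on a multi-link host: add %zone-id"
    elif addr in UNIQUE_LOCAL:
        info["type"] = "unique local"
    elif addr in MULTICAST:
        info["type"] = "multicast"
        scope = (int(addr) >> 112) & 0xF          # low nibble of the first block
        group = int(addr) & ((1 << 112) - 1)      # the 112-bit group ID
        info["note"] = "{}, {}".format(
            MULTICAST_SCOPES.get(scope, f"scope {scope:x}"),
            WELL_KNOWN_GROUPS.get(group, f"group {group:x}"))
    else:
        info["type"] = "global unicast"
    if zone is not None and info["type"] != "link-local":
        info["note"] = "zone ID is only meaningful for link-local addresses"
    return info
```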

Page 25:

IPv6 Interface Identifiers

IPv6 Basics

A TCP packet walks into a bar and says “I want a beer”, the barman says “you want a beer?” and the TCP packet says “yes, a beer”.

Page 26:

Original plan…

• The last 64 bits of an auto-configured IPv6 address would be populated with the interface’s MAC address
• But…
  • A MAC address is only 48 bits, so EUI-64 was created to allow a predictable and repeatable transformation from 48 bits to 64 bits
• But…
  • Privacy advocates argued that all Internet communications could now be traced to a person
  • Beginning with Windows Vista and Windows Server 2008, a randomized method is used to determine the Interface ID instead of EUI-64
  • netsh int ipv6 set global randomizeidentifiers=enabled|disabled
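An added example, not from the deck, of the EUI-64 transformation the slide refers to (RFC 4291 Appendix A) together with the reverse check a defender wants: does an address in inventory or DNS still expose the interface's MAC? The deck's own sample addresses turn out to be EUI-64 derived.

```python
import ipaddress

def mac_to_eui64(mac):
    """Modified EUI-64 interface ID: split the 48-bit MAC in two, insert
    FF:FE in the middle and flip the universal/local bit of the first byte."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]

def eui64_address(prefix, mac):
    """Combine a /64 subnet prefix with the EUI-64 interface ID (the
    pre-Vista SLAAC behaviour the slide describes)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a 64-bit subnet prefix")
    iid = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def embedded_mac(addr):
    """Recover the MAC from an EUI-64-derived address; None otherwise.
    Use it to audit inventory or DNS exports for addresses that leak hardware
    identity. A randomized interface ID contains FF:FE in that position by
    chance once in 65536, so treat a hit as a strong hint, not as proof."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)
```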

Page 27:

How does a host obtain an IPv6 address?

• There are four general methods for obtaining an IPv6 address:
  • Statically configured
  • Stateless Address Auto Configuration (SLAAC)
  • Stateless DHCPv6
  • Stateful DHCPv6
• The host decides which method to use based on the configuration of a Router Advertisement message
• Note: link-local addresses are always generated regardless of any other options

Page 28:

Router advertisements

• IPv6-enabled hosts are always listening for RAs
• Additionally, a host will request an RA by sending a Router Solicitation when the host’s configuration changes:
  • Host powers up
  • Network change notification
• An RA is usually sent by a Layer 3 device and has specific options available
• RAs control both addressing and routing on the host

Page 29:

Router advertisement options (RFC 4861)

• Autonomous flag (A bit) – Hosts will generate an address based on the prefix in this RA if this bit is set
• Valid Lifetime – a 32-bit number representing the length of time (in seconds) that a prefix will be used in the host’s routing table
• Managed Address Configuration flag (M bit) – Hosts will contact a DHCPv6 server to obtain an IPv6 address if this bit is set
• Other Stateful Configuration flag (O bit) – Hosts will contact a DHCPv6 server to obtain non-address configuration information if this bit is set
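An added example (not from the deck) that builds a constructed Router Advertisement with the RFC 4861 field layout, parses the M and O bits and the A bit and lifetimes of the Prefix Information option, and derives which of the four address-assignment methods from the previous slides the host will use. Offsets and option codes are from RFC 4861; the sample prefix is the deck's 2001:DB8:0:2F3B::/64; the checksum is left at zero because the message is never sent.

```python
import struct
import ipaddress

RA_TYPE = 134                        # ICMPv6 Router Advertisement
M_FLAG, O_FLAG = 0x80, 0x40          # flags byte of the RA header
PIO_TYPE = 3                         # Prefix Information option
PIO_L_FLAG, PIO_A_FLAG = 0x80, 0x40  # on-link and autonomous flags

def build_ra(managed, other, prefixes):
    """Construct a sample RA. prefixes: list of
    (prefix, autonomous, valid_lifetime, preferred_lifetime)."""
    flags = (M_FLAG if managed else 0) | (O_FLAG if other else 0)
    # type, code, checksum, cur hop limit, flags, router lifetime,
    # reachable time, retrans timer
    msg = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags, 1800, 0, 0)
    for prefix, autonomous, valid, preferred in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = PIO_L_FLAG | (PIO_A_FLAG if autonomous else 0)
        # type, length (units of 8 octets), prefix length, flags,
        # valid lifetime, preferred lifetime, reserved, then the prefix
        msg += struct.pack("!BBBBIII", PIO_TYPE, 4, net.prefixlen, pflags,
                           valid, preferred, 0)
        msg += net.network_address.packed
    return msg

def parse_ra(msg):
    """Pull the M/O bits and every Prefix Information option out of an RA.
    Nothing in the message authenticates the sender: any node on the link
    can emit one, which is what RA Guard on the switch is for."""
    if len(msg) < 16 or msg[0] != RA_TYPE:
        raise ValueError("not a Router Advertisement")
    result = {"M": bool(msg[5] & M_FLAG), "O": bool(msg[5] & O_FLAG),
              "prefixes": []}
    pos = 16
    while pos + 2 <= len(msg):
        otype, olen = msg[pos], msg[pos + 1]
        if olen == 0:
            raise ValueError("option length 0: RFC 4861 says discard the packet")
        body = msg[pos:pos + olen * 8]
        if len(body) != olen * 8:
            raise ValueError("truncated option")
        if otype == PIO_TYPE and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            result["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[16:32])}/{plen}",
                "A": bool(pflags & PIO_A_FLAG),
                "valid_lifetime": valid, "preferred_lifetime": preferred,
            })
        pos += olen * 8
    return result

def host_address_methods(ra):
    """Which of the slide's four methods this RA switches on. Static
    configuration is independent of the RA; link-local is always generated."""
    methods = ["link-local (always)"]
    if any(p["A"] and p["valid_lifetime"] > 0 for p in ra["prefixes"]):
        methods.append("SLAAC")
    if ra["M"]:
        methods.append("stateful DHCPv6")    # the O bit is redundant when M is set
    elif ra["O"]:
        methods.append("stateless DHCPv6")
    return methods
```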

Page 30:

A typical IPv6 deployment…

Deployment

DHCP jokes are leased.

Page 31:

Overall IPv6 deployment strategy

• IPv6 deployment is not your “typical” IT project
• With proper planning, an organization’s IPv6 deployment should happen as a normal evolution over the course of time
• Specific IT investments focused on IPv6 should be very limited
• Ensure IPv6 capabilities as part of the normal refresh interval of infrastructure components
• The readiness planning process is key to success
• Communication across groups has become much more important

Page 32:

Overall IPv6 deployment strategy

• People
  • “What do we know about IPv6?”
• Process
  • “How will our existing processes be impacted by IPv6?”
• Technology
  • “What impact will IPv6 have on our existing hardware/software landscape?”
• Inventory is key
• Develop and revise a scorecard to track progress
• Schedule a quarterly review with stakeholders

Page 33:

Factors in determining project duration

• Scope of the deployment
• Scale of the deployment
• Required organizational preparedness activities
• Protocol dependencies of the application inventory
• IPv6 capabilities of the operating systems
• IPv6 capabilities of the networking hardware
• Monitoring and management capabilities of the network
• IPv6 capability of the directory infrastructure
• And others …

Page 34:

Preparing for an IPv6 deployment
Infrastructure technology pieces

• An IPv6 addressing plan
• DNS servers for name resolution of IPv6 AAAA records
• Packet inspection technologies that can operate with IPv6
• IPv6 configuration at the network edge
• IPv6 capability of network computers
• For native IPv6:
  • DHCP servers capable of issuing DHCP options to IPv6 clients
  • IPv6-capable routers configured following an IPv6 routing design

Page 35:

Implementing the IPv6 deployment
Introduce a Pool of IPv6 Addresses

• Best option: acquire an IPv6 prefix
  • Traditionally from the ISP
  • Provider Independent if multi-homed
• Other options include:
  • 6to4 address corresponding to the current public IPv4 address
  • Unique Local IPv6 Unicast
• Configure IPv6-compatible name resolution:
  • AAAA records
  • IP6.ARPA for PTR records

Page 36:

Implementing the IPv6 deployment
Introduce a Pool of IPv6 Addresses

• There will be IPv4-only resources that you want to expose over IPv6
• You want to avoid full IPv4 NAT
• Introduce some IPv6-to-IPv4 translation points in your network:
  • NAT64
  • Network Address Translation/Protocol Translation (NAT-PT) device (deprecated as an IETF standard in favor of NAT64)
  • DNS64

Page 37:

IPv6 support in Microsoft products

Best practice and current issues/challenges

WHOIS going to tell us a Domain Name joke?

Page 38:

What does IPv6 compatible mean?

According to the Microsoft Common Engineering Criteria:

“All Microsoft server products are required to support both IPv6 and IPv4. In addition, all server products are required to be configurable to run in dual-stack (IPv4 and IPv6) or IPv6-only modes.”

http://www.microsoft.com/cec/en/us/cec-overview.aspx#data-ipv6

Additionally: “The goal is feature parity. Whatever a customer can do using IPv4, they should be able to do using IPv6, with the same level of security, performance, and scalability.”

Page 39:

Microsoft products that do not support IPv6

“Microsoft has informed Gartner that it does not plan to ship another full version of…Forefront Threat Management Gateway (TMG). The product is effectively in sustaining mode, with Microsoft continuing to ship Service Pack (SP) updates…for the standard support life cycle — five years of mainstream support and five years of extended support.”

Magic Quadrant for Secure Web Gateway, 25 May, 2011

Page 40:

Microsoft’s strategy with IPv6

• Microsoft plans to have full dual-stack and IPv6-only capabilities for all enterprise-class products

• Microsoft has been working on achieving this capability since 2007

Page 41:

Current issues opportunities

Best practice and current issues/challenges

An ARP request goes to McDonald’s and asks for a Big MAC.

Page 42:

Application dependencies

• Most applications follow the OSI model, thus they are IP agnostic (recommended)
  • They pass a name to the TCP/IP stack and let the stack determine how to connect (using RFC 3484)
• Some applications try to handle IP connectivity on their own by opening a socket (not recommended)
  • These applications must specifically be coded to support IPv6
• Some applications (or scripts) assume that the returned IP is in dotted decimal notation
  • They fail on reading an IPv6 address

Page 43:

Hardware dependencies

• Network infrastructure hardware that inspects, modifies, or routes IP packets must specifically support IPv6
• Examples:
  • Routers
  • Firewalls
  • Load balancers
  • WAN accelerators
  • Intrusion detection/prevention systems
  • Proxy servers
  • Network probes and protocol analyzers

Page 44:

Transition technologies

• Transition technologies can cause issues
• Whenever a machine has a public IPv4 address assigned, it will automatically generate a 6to4 address as well
  • 6to4 addresses are globally routable addresses
  • 6to4 addresses register in DNS
• Solution: don’t use public IPv4 addresses inside a corporate network, or disable 6to4 using Group Policy
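An added example, not from the deck, that computes the 6to4 prefix a host with a given public IPv4 address generates (Windows forms its own 6to4 host address as 2002:WWXX:YYZZ::WWXX:YYZZ) and audits a constructed DNS export for the 6to4 AAAA records this slide warns about, decoding the IPv4 address each one embeds. The hostnames are invented and the addresses come from documentation ranges or from the deck.

```python
import ipaddress

SIXTO4 = ipaddress.IPv6Network("2002::/16")

def sixto4_prefix(public_ipv4):
    """2002:WWXX:YYZZ::/48, where WWXXYYZZ is the public IPv4 address in hex."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def windows_sixto4_host(public_ipv4):
    """The address a Windows host derives for itself: 2002:WWXX:YYZZ::WWXX:YYZZ."""
    v4 = int(ipaddress.IPv4Address(public_ipv4))
    net = sixto4_prefix(public_ipv4)
    return ipaddress.IPv6Address(int(net.network_address) | v4)

# Constructed sample of (hostname, AAAA record) pairs, as an export from
# internal DNS might look. 203.0.113.5 is a documentation address.
SAMPLE_AAAA = [
    ("srv01.corp.example", "2002:cb00:7105::cb00:7105"),
    ("srv01.corp.example", "2001:db8:0:2f3b:2aa:ff:fe28:9c5a"),
    ("srv02.corp.example", "fd12:3456:789a::10"),
]

def audit_aaaa(records):
    """Return {host: [embedded IPv4, ...]} for every host that registered a
    6to4 address: these are the machines holding a public IPv4 address on
    which 6to4 has not been disabled by Group Policy."""
    findings = {}
    for host, text in records:
        addr = ipaddress.IPv6Address(text)
        if addr in SIXTO4:
            # ipaddress decodes the embedded IPv4 from bits 16-47 for us
            findings.setdefault(host, []).append(str(addr.sixtofour))
    return findings
```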

Page 45:

Stay up-to-date

• Recommended updates for Windows 8/8.1/Server 2012/2012 R2
  • Make sure you install the monthly update rollups
• Recommended updates for Windows 7/Server 2008 R2
  • An enterprise hotfix rollup is available for Windows 7 SP1 and Windows Server 2008 R2 SP1: http://support.microsoft.com/kb/2775511
  • An IPv6 readiness update is available for Windows 7 and for Windows Server 2008 R2: http://support.microsoft.com/kb/2750841

Page 46:

Disabling IPv6 – Don’t do it

Best practice and current issues/challenges

How do you catch an Ether bunny? With an Ethernet.

Page 47:

Keeping IPv6 enabled

• Microsoft recommends leaving IPv6 enabled even when not in active use, although disabling IPv6 is a supported action

• Microsoft products are not tested with IPv6 disabled. Disabling IPv6 places that host and application into a less-tested state

• Leaving IPv6 enabled, even when not in use, does not impact production networks

Page 48:

Leave it enabled

Don’t clear the IPv6 checkbox in the NIC properties on a regular NIC:

• Unbinds IPv6 from that one interface
• Cannot be scripted
• IPv6 loopback is still enabled

Page 49:

In case you really need to…

• Recommended: use the DisabledComponents registry key
  • Documented in http://support.microsoft.com/kb/929852
  • The DisabledComponents key does not exist by default and must be created
  • Leave the IPv6 box checked in the NIC properties when using the DisabledComponents key
• Only use this as a last resort. There is no technical reason to disable IPv6 in Windows

Page 50:

Q&A

Done!

A UDP packet walks into a bar without a checksum. Nobody cares.

Page 51:

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
