Agenda
• IPv6 Basics
• Deployment
• Best practice and current issues challenges
| Basel
Limitations of IPv4
IPv6 Basics
An IPv4 address walks into a bar and says: “Quick, give me a drink. I am exhausted!”
Limitations of IPv4
• Exponential growth of the Internet and the exhaustion of the IPv4 address space
• Need for simpler configuration
• Requirement for security at the IP level
• Need for better support for prioritized and real-time delivery of data
Limitations of IPv4
The modern Internet has grown beyond its original intent

Aspect            |                          | 21st Century Internet        | Pure IPv4 Implication
------------------|--------------------------|------------------------------|-------------------------------------------------------------------------
Types of Users    | Researchers, Scientists  | Everyone                     | Encryption, authentication increasingly important
Number of Hosts   | Millions                 | Billions                     | Not enough public, unique addresses to share
Session Duration  |                          | Always Connected, Many Hosts | Address depletion: long-lived sessions result in fewer available addresses
Level of Movement | Stationary               | Mobile                       | Not designed for mobility beyond the LAN
Network Topology  | Flat                     | Complex                      | Increasingly complex network design
What about IPv5?
The world is moving from IPv4 and going straight to IPv6 because Chuck Norris doesn’t like the number 5!
When Alexander Bell invented the telephone he had 3 missed calls from Chuck Norris.
Capabilities of IPv6
IPv6 Basics
An IPv6 packet walks into a bar. Nobody talks to him.
Capabilities of IPv6
• More efficient packet header format
• Globally scalable address space
• Stateless and stateful address configuration
• Standardized support for Internet Security protocols
• Better support for prioritized delivery
• More efficient node discovery
• Extensibility
IPv4 vs. IPv6

Feature                          | IPv4               | IPv6
---------------------------------|--------------------|------------------------------------
Address length                   | 32 bits            | 128 bits
IPsec header support             | Optional           | Required
Prioritized delivery support     | Some               | Better
Fragmentation                    | Hosts and routers  | Hosts only
Minimum packet size (link MTU)   | 576 bytes          | 1280 bytes
Link-layer address resolution    | ARP (broadcast)    | Multicast Neighbor Discovery
Multicast membership             | IGMP               | Multicast Listener Discovery (MLD)
Router Discovery                 | Optional           | Required
Uses broadcasts                  | Yes                | No
Configuration                    | Manual, DHCP       | Automatic, DHCPv6
DNS name queries                 | Uses A records     | Uses AAAA records
DNS reverse queries              | Uses IN-ADDR.ARPA  | Uses IP6.ARPA
IPv6 terminology
• Node – Any device that runs an implementation of IPv6.
• Router – A node that can forward IPv6 packets not explicitly addressed to itself.
• Host – A node that cannot forward IPv6 packets not explicitly addressed to itself (a non-router).
• Upper-layer protocol – A protocol above IPv6 that uses IPv6 as its transport.
• Link – The set of network interfaces that are bounded by routers and that use the same 64-bit IPv6 unicast address prefix.
• Network – Two or more subnets connected by routers.
• Neighbors – Nodes connected to the same link.
• Interface – The representation of a physical or logical attachment of a node to a link.
• Address – An identifier that is assigned at the IPv6 layer to an interface or set of interfaces and that can be used as the source or destination of IPv6 packets.
• Packet – The protocol data unit (PDU) that exists at the IPv6 layer and is composed of an IPv6 header and payload.
The case for an IPv6 deployment
• IPv6 solves the address depletion problem
• IPv6 solves the disjoint address space problem
• IPv6 solves the international address allocation problem
• IPv6 restores end-to-end communication
• IPv6 uses scoped addresses and address selection
• IPv6 has more efficient forwarding
• IPv6 has support for security and mobility
IPv6 Address Space
IPv6 Basics
IPv4 is soon dead:beef.
IPv6 address space
• 128-bit address space
• 2^128 possible addresses
• 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses (3.4 × 10^38, or 340 undecillion)
• 6.65 × 10^23 addresses for every square meter of the Earth’s surface
• 128 bits allow flexibility in creating a multi-level, hierarchical routing infrastructure
• 64-bit subnet prefix and a 64-bit interface identifier
IPv6 address syntax
• IPv6 address in binary form:
  00100000000000010000110110111000000000000000000000101111001110110000001010101010000000001111111111111110001010001001110001011010
• Divided along 16-bit boundaries:
  0010000000000001 0000110110111000 0000000000000000 0010111100111011 0000001010101010 0000000011111111 1111111000101000 1001110001011010
• Each 16-bit chunk is further broken down into four discrete 4-bit chunks called “nibbles”; each nibble represents one hexadecimal digit
• Each 16-bit block is converted to hexadecimal and delimited with colons:
  2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
• Suppress leading zeros within each block:
  2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
Compressing zeros
• A single contiguous sequence of 16-bit blocks set to 0 can be compressed to “::” (double colon)
• Examples:
  • FE80:0:0:0:2AA:FF:FE9A:4CA2 becomes FE80::2AA:FF:FE9A:4CA2
  • FF02:0:0:0:0:0:0:2 becomes FF02::2
• Zero compression cannot be used to remove part of a 16-bit block:
  • FF02:30:0:0:0:0:0:5 does not become FF02:3::5, but FF02:30::5
• A double colon can only be used once when compressing an address.
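The conversion and compression rules above, worked through in code. This is an added example, not code from the deck: it takes the 128-bit binary form of the slide's sample address (constructed here as SAMPLE_BITS), divides it into 16-bit blocks, converts to colon-hexadecimal, suppresses leading zeros, and then applies zero compression to the longest run of zero blocks only (the RFC 5952 rule, which also forbids compressing a single zero block or part of a block). The result is cross-checked against Python's standard ipaddress module.

```python
import ipaddress

# Constructed input: the 128-bit binary form of 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A,
# the address used on the slides.
SAMPLE_BITS = (
    "0010000000000001" "0000110110111000" "0000000000000000" "0010111100111011"
    "0000001010101010" "0000000011111111" "1111111000101000" "1001110001011010"
)


def bits_to_blocks(bits: str) -> list:
    """Divide a 128-digit binary string along 16-bit boundaries into eight integer blocks."""
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 128 binary digits")
    return [int(bits[i:i + 16], 2) for i in range(0, 128, 16)]


def blocks_from_text(text: str) -> list:
    """Parse the uncompressed colon-hexadecimal form (exactly eight blocks, no '::')."""
    parts = text.split(":")
    if len(parts) != 8:
        raise ValueError("uncompressed form needs exactly eight 16-bit blocks")
    blocks = [int(p, 16) for p in parts]
    if any(not 0 <= b <= 0xFFFF for b in blocks):
        raise ValueError("each block must fit in 16 bits")
    return blocks


def full_form(blocks: list) -> str:
    """Each block as four hex digits (one per nibble), colon delimited."""
    return ":".join(f"{b:04X}" for b in blocks)


def suppress_leading_zeros(blocks: list) -> str:
    """Drop leading zeros within each block; an all-zero block stays as a single 0."""
    return ":".join(f"{b:X}" for b in blocks)


def longest_zero_run(blocks: list):
    """Return (start, length) of the longest run of zero blocks; the first run wins a tie."""
    best_start, best_len = None, 0
    i = 0
    while i < len(blocks):
        if blocks[i] != 0:
            i += 1
            continue
        j = i
        while j < len(blocks) and blocks[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    return best_start, best_len


def compress(blocks: list) -> str:
    """Zero compression: a single '::' replaces the longest run of two or more zero blocks.
    A lone zero block is never compressed and a block is never split (so FF02:30:0:... stays FF02:30::)."""
    start, length = longest_zero_run(blocks)
    if length < 2:
        return suppress_leading_zeros(blocks)
    head = ":".join(f"{b:X}" for b in blocks[:start])
    tail = ":".join(f"{b:X}" for b in blocks[start + length:])
    return f"{head}::{tail}"


def agrees_with_stdlib(blocks: list) -> bool:
    """Cross-check: the standard library emits the same RFC 5952 form, in lowercase."""
    return compress(blocks).lower() == ipaddress.IPv6Address(full_form(blocks)).compressed


if __name__ == "__main__":
    blocks = bits_to_blocks(SAMPLE_BITS)
    print(full_form(blocks))                # 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
    print(suppress_leading_zeros(blocks))   # 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A
    for text in ("FE80:0:0:0:2AA:FF:FE9A:4CA2", "FF02:0:0:0:0:0:0:2", "FF02:30:0:0:0:0:0:5"):
        print(text, "->", compress(blocks_from_text(text)), agrees_with_stdlib(blocks_from_text(text)))
```

The tie-breaking rule (first of two equally long runs) and the "never a single block" rule are where hand-written address formatting most often diverges from what a stack produces, which matters when textual addresses are compared in logs, allow-lists or DNS data; comparing the parsed 128-bit value rather than strings avoids the problem entirely.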
IPv6 prefixes
• Express routes, address spaces, or address ranges
• IPv6 always uses address/prefix-length notation
• Similar to CIDR notation
• Examples:
  • 2001:DB8:0:2F3B::/64 for a subnet prefix
  • 2001:DB8:3F::/48 for a route prefix
IPv6 address types
• Global addresses
• Local-use addresses (link-local)
• Unique local addresses
• Special addresses

Global addresses
• Address scope is the entire IPv6 Internet
• Equivalent to public IPv4 addresses
• Structure:
  • Global Routing Prefix (part of the public routing topology, along with the 001 format prefix)
  • Subnet ID (site topology)
  • Interface ID
Link-local addresses
• Address scope is a single link
• Equivalent to APIPA IPv4 addresses
• FE80::/64 prefix
• Used for:
  • Single-subnet, routerless configurations
  • Neighbor Discovery processes
Zone IDs
• Link-local addresses are ambiguous when a node is attached to:
  • Multiple links (common)
  • Multiple sites (uncommon)
• The zone ID is used to identify a specific interface (e.g. with multiple NICs)
• The zone ID is typically set to the interface index of the sending interface
• Examples:
  • ping fe80::2b0:d0ff:fee9:4143%3
  • tracert fe80::f282:2b0:d0ff:fee9:4143%2
• Zone IDs are only used for link-local addresses, since routable addresses are unambiguous
Unique local addresses
• Private to an organization, yet unique across all of the sites of the organization
• FD00::/8 prefix
• Replacement for site-local addresses
• Global scope, no zone ID required
Special addresses
• Unspecified address: 0:0:0:0:0:0:0:0 or ::
• Loopback address: 0:0:0:0:0:0:0:1 or ::1

Well-known multicast addresses
• All multicast addresses begin with FF (1111 1111)
• Prefixes:
  • FF01 – Node-local
  • FF02 – Link-local
  • FF05 – Site-local
• Suffixes:
  • 1 – All nodes
  • 2 – All routers
  • 1:2 – DHCP servers and relay agents
  • 1:3 – LLMNR
IPv4 addresses and IPv6 equivalents

IPv4 Address                        | IPv6 Address
------------------------------------|--------------------------------------
Multicast addresses (224.0.0.0/4)   | IPv6 multicast addresses (FF00::/8)
Broadcast addresses                 | N/A
Unspecified address is 0.0.0.0      | Unspecified address is ::
Loopback address is 127.0.0.1       | Loopback address is ::1
Public IP addresses                 | Global unicast addresses
Private IP addresses                | Unique-local addresses (FD00::/8)
APIPA addresses                     | Link-local addresses (FE80::/64)
Dotted decimal notation             | Colon hexadecimal format
Subnet mask or prefix length        | Prefix length notation only
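A classifier for the address types, scopes, zone IDs and well-known multicast groups listed in the preceding slides. This is an added example, not code from the deck. It uses the prefixes the slides give (FE80 link-local, FD00::/8 unique local, FF00::/8 multicast with scope nibble 1/2/5, the 001 global unicast prefix) and the multicast suffixes 1, 2, 1:2 and 1:3; the function names and the constructed test addresses are mine. Membership tests use the RFC ranges (fe80::/10, 2000::/3) that contain the slide's prefixes.

```python
import ipaddress

# Prefixes from the slides, expressed as the RFC ranges they belong to.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")      # hosts use fe80::/64; RFC 4291 reserves fe80::/10
UNIQUE_LOCAL = ipaddress.IPv6Network("fd00::/8")     # the locally assigned half of RFC 4193's fc00::/7
MULTICAST = ipaddress.IPv6Network("ff00::/8")
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # the 001 format prefix

# Scope is the low nibble of the second octet (FF0x): 1 node-local, 2 link-local, 5 site-local.
MULTICAST_SCOPES = {1: "node-local", 2: "link-local", 5: "site-local"}
# Well-known group IDs (the low 112 bits) named on the slides.
WELL_KNOWN_GROUPS = {
    0x1: "all nodes",
    0x2: "all routers",
    0x1_0002: "DHCP servers and relay agents",   # ...::1:2
    0x1_0003: "LLMNR",                           # ...::1:3
}


def split_zone_id(text: str):
    """Separate the optional %zone suffix (e.g. fe80::1%3) from the address text."""
    addr, sep, zone = text.partition("%")
    return addr, (zone if sep else None)


def classify(text: str) -> dict:
    """Return the address type and scope; for multicast also the group name; plus zone ID handling."""
    addr_text, zone = split_zone_id(text)
    addr = ipaddress.IPv6Address(addr_text)     # raises ValueError on malformed input
    info = {"address": addr.compressed, "zone_id": zone, "needs_zone_id": False}
    if addr == ipaddress.IPv6Address("::"):
        info.update(type="unspecified", scope="none")
    elif addr == ipaddress.IPv6Address("::1"):
        info.update(type="loopback", scope="node")
    elif addr in MULTICAST:
        scope_nibble = addr.packed[1] & 0x0F
        group_id = int(addr) & ((1 << 112) - 1)
        info.update(type="multicast",
                    scope=MULTICAST_SCOPES.get(scope_nibble, f"scope {scope_nibble}"),
                    group=WELL_KNOWN_GROUPS.get(group_id, "other"))
        # Link-local scope is ambiguous on a multi-interface host, for multicast as well as unicast.
        info["needs_zone_id"] = (scope_nibble == 2)
    elif addr in LINK_LOCAL:
        info.update(type="link-local unicast", scope="link", needs_zone_id=True)
    elif addr in UNIQUE_LOCAL:
        info.update(type="unique local unicast", scope="global (organization-wide, not Internet-routed)")
    elif addr in GLOBAL_UNICAST:
        info.update(type="global unicast", scope="global")
    else:
        info.update(type="other/reserved", scope="unknown")
    return info


def ambiguity_warning(text: str):
    """None if the address is usable as written; otherwise why it is ambiguous on a multi-NIC host."""
    info = classify(text)
    if info["needs_zone_id"] and info["zone_id"] is None:
        return f"{info['address']} is link-local scope but carries no zone ID (%interface index)"
    if not info["needs_zone_id"] and info["zone_id"] is not None:
        return f"{info['address']} is {info['type']}; a zone ID is meaningless here"
    return None


if __name__ == "__main__":
    for sample in ("fe80::2b0:d0ff:fee9:4143%3", "FF02::1:2", "ff05::2", "fd00:1234::5",
                   "2001:db8:0:2f3b::1", "::1", "::", "fe80::1"):
        print(sample, classify(sample), ambiguity_warning(sample))
```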
IPv6 Interface Identifiers
IPv6 Basics
A TCP packet walks into a bar and says “I want a beer”; the barman says “you want a beer?” and the TCP packet says “yes, a beer”.
Original plan…
• The last 64 bits of an auto-configured IPv6 address would be populated with the interface’s MAC address
• But…
  • A MAC address is only 48 bits, so EUI-64 was created to allow a predictable and repeatable transformation from 48 bits to 64 bits
• But…
  • Privacy advocates argued that all Internet communications could now be traced to a person
  • Beginning with Windows Vista and Windows Server 2008, a randomized method is used to determine the Interface ID instead of EUI-64
  • netsh int ipv6 set global randomizeidentifiers=enabled|disabled
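The EUI-64 transformation and the privacy point behind it, as an added example (not code from the deck). The MAC address 00-B0-D0-E9-41-43 is a constructed value that I derived from the link-local address fe80::2b0:d0ff:fee9:4143 used on the zone ID slide: the code builds the 64-bit interface ID (split the MAC, insert FF-FE, invert the universal/local bit), forms the link-local address, and then does the reverse, recovering the hardware address from any EUI-64-derived interface ID, which is exactly what makes such addresses traceable. The last function is an inventory check a defender can run over a list of addresses to find hosts that still use EUI-64 identifiers rather than randomized ones.

```python
import ipaddress
import re


def parse_mac(mac: str) -> bytes:
    """Accept 00-B0-D0-E9-41-43, 00:b0:d0:e9:41:43 or 00b0.d0e9.4143 and return the 6 raw bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("a MAC address has 48 bits (12 hex digits)")
    return bytes.fromhex(digits)


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64: 24-bit OUI + FF-FE + 24-bit device part, with the U/L bit inverted."""
    m = parse_mac(mac)
    eui = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    eui[0] ^= 0x02   # bit 1 of the first octet is the universal/local bit (RFC 4291 Appendix A)
    return bytes(eui)


def link_local_from_mac(mac: str) -> str:
    """The FE80::/64 link-local address a host auto-configures from its MAC under the original plan."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_eui64(mac)).compressed


def mac_from_eui64_address(text: str):
    """Recover the MAC if the interface ID is EUI-64 derived (FF-FE in the middle); otherwise None.
    A randomized identifier (the Windows default since Vista) fails this check, which is the point."""
    iid = ipaddress.IPv6Address(text).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02                      # undo the U/L bit inversion
    mac = bytes([first]) + iid[1:3] + iid[5:]  # drop the FF-FE filler
    return ":".join(f"{b:02x}" for b in mac)


def eui64_derived_addresses(addresses) -> list:
    """Inventory check: (address, MAC) for every address whose interface ID exposes a hardware address."""
    found = []
    for a in addresses:
        mac = mac_from_eui64_address(a)
        if mac is not None:
            found.append((a, mac))
    return found


if __name__ == "__main__":
    print(link_local_from_mac("00-B0-D0-E9-41-43"))           # fe80::2b0:d0ff:fee9:4143
    print(mac_from_eui64_address("fe80::2b0:d0ff:fee9:4143"))  # 00:b0:d0:e9:41:43
    # Constructed sample: the two slide addresses plus one randomized identifier.
    print(eui64_derived_addresses(["fe80::2b0:d0ff:fee9:4143",
                                   "2001:db8:0:2f3b:2aa:ff:fe28:9c5a",
                                   "2001:db8::1c3f:9a72:5d0e:b1a4"]))
```

The FF-FE test is a heuristic: a randomized identifier can contain those two octets by chance, so treat a hit as "looks EUI-64 derived" and confirm against the host's actual MAC before acting on it.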
How does a host obtain an IPv6 address?
• There are four general methods for obtaining an IPv6 address:
  • Statically configured
  • Stateless Address Auto Configuration (SLAAC)
  • Stateless DHCPv6
  • Stateful DHCPv6
• The host decides which method to use based on the configuration of a Router Advertisement message
• Note: link-local addresses are always generated regardless of any other options
Router advertisements
• IPv6-enabled hosts are always listening for RAs
• Additionally, a host will request an RA by sending a Router Solicitation when the host’s configuration changes:
  • Host powers up
  • Network Change Notification
• An RA is usually sent by a Layer 3 device, and has specific options available
• RAs control both addressing and routing on the host
Router advertisement options (RFC 4861)
• Autonomous flag (A bit) – if this bit is set, hosts will generate an address from the prefix advertised in this RA
• Valid Lifetime – a 32-bit number representing the length of time (in seconds) that a prefix will be used in the host’s routing table
• Managed Address Configuration flag (M bit) – hosts will contact a DHCPv6 server to obtain an IPv6 address if this bit is set
• Other Stateful Configuration flag (O bit) – hosts will contact a DHCPv6 server to obtain non-address configuration information if this bit is set
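The RA flags described above decide which of the four address methods a host uses, and they arrive in a specific wire format (RFC 4861: a 16-byte ICMPv6 header carrying the M and O bits, followed by options in 8-octet units, the Prefix Information option carrying the A bit and the lifetimes). The following is an added example, not code from the deck: it constructs an RA in that format, parses it back with the length checks a robust parser needs (a zero-length option, or one that runs past the packet, is rejected rather than looping), and reports the resulting address method. The builder's checksum field is left at zero because it covers an IPv6 pseudo-header the stack fills in; the field names and constructed prefixes are mine.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3
RA_FLAG_M, RA_FLAG_O = 0x80, 0x40    # Managed / Other flags in the RA header (RFC 4861 section 4.2)
PIO_FLAG_L, PIO_FLAG_A = 0x80, 0x40  # On-link / Autonomous flags in the Prefix Information option (4.6.2)


def build_ra(managed: bool, other: bool, prefix: str, autonomous: bool = True,
             valid: int = 2592000, preferred: int = 604800, router_lifetime: int = 1800) -> bytes:
    """Constructed ICMPv6 RA: 16-byte header plus one Prefix Information option (32 bytes).
    The checksum stays 0 here; it spans a pseudo-header and is computed by the sending stack."""
    net = ipaddress.IPv6Network(prefix)
    flags = (RA_FLAG_M if managed else 0) | (RA_FLAG_O if other else 0)
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 0, 0)
    pio_flags = PIO_FLAG_L | (PIO_FLAG_A if autonomous else 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pio_flags, valid, preferred, 0)
    return header + pio + net.network_address.packed


def parse_ra(data: bytes) -> dict:
    """Decode the M/O flags and every Prefix Information option, rejecting malformed options."""
    if len(data) < 16 or data[0] != ND_ROUTER_ADVERT or data[1] != 0:
        raise ValueError("not a Router Advertisement")
    _, _, _, _hop_limit, flags, router_lifetime, _, _ = struct.unpack("!BBHBBHII", data[:16])
    ra = {"M": bool(flags & RA_FLAG_M), "O": bool(flags & RA_FLAG_O),
          "router_lifetime": router_lifetime, "prefixes": []}
    offset = 16
    while offset < len(data):
        if offset + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, opt_len = data[offset], data[offset + 1]
        if opt_len == 0:
            raise ValueError("option length 0: RFC 4861 requires the packet to be discarded")
        end = offset + opt_len * 8           # option length is in units of 8 octets
        if end > len(data):
            raise ValueError("option runs past the end of the packet")
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", data[offset + 2:offset + 16])
            prefix = ipaddress.IPv6Address(data[offset + 16:offset + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "A": bool(pflags & PIO_FLAG_A), "L": bool(pflags & PIO_FLAG_L),
                                   "valid_lifetime": valid, "preferred_lifetime": preferred})
        offset = end                          # unknown option types are skipped, as the RFC requires
    return ra


def address_method(ra: dict) -> str:
    """Which of the four methods the host will use, decided from the A, M and O bits."""
    methods = []
    if any(p["A"] for p in ra["prefixes"]):
        methods.append("SLAAC")
    if ra["M"]:
        methods.append("stateful DHCPv6")    # with M set, O is redundant: the same exchange returns options
    elif ra["O"]:
        methods.append("stateless DHCPv6")
    return " + ".join(methods) if methods else "none (link-local only, or static configuration)"


if __name__ == "__main__":
    # Constructed RA: A=1 on the slide's subnet prefix, M=0, O=1.
    ra = parse_ra(build_ra(managed=False, other=True, prefix="2001:db8:0:2f3b::/64"))
    print(ra)
    print(address_method(ra))   # SLAAC + stateless DHCPv6
```

Because any node on the link can emit a packet in this format, the parser's strictness is the first line of defence; the second is RA Guard or equivalent filtering at the switch port, which the deck's later hardware-dependency slide implies when it lists network equipment that must understand IPv6.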
A typical IPv6 deployment…
Deployment
DHCP jokes are leased.
Overall IPv6 deployment strategy
• IPv6 Deployment is not your “typical” IT project• With proper planning, an organization’s IPv6
deployment should happen as a normal evolution over the course of time
• Specific IT investments focused on IPv6 should be very limited
• Ensure IPv6 capabilities as part of normal refresh interval in infrastructure components
• Readiness planning process is key to success• Communications across groups has become much
more important
Overall IPv6 deployment strategy
• People: “What do we know about IPv6?”
• Process: “How will our existing processes be impacted by IPv6?”
• Technology: “What impact will IPv6 have on our existing hardware/software landscape?”
• Inventory is key
• Develop and revise a scorecard to track progress
• Schedule quarterly reviews with stakeholders
Factors in determining project duration
• Scope of the deployment
• Scale of the deployment
• Required organizational preparedness activities
• Protocol dependencies of the application inventory
• IPv6 capabilities of the operating systems
• IPv6 capabilities of the networking hardware
• Monitoring and management capabilities of the network
• IPv6 capability of the directory infrastructure
• And others …
Preparing for an IPv6 deployment
Infrastructure technology pieces
• An IPv6 addressing plan
• DNS servers for name resolution of IPv6 AAAA records
• Packet inspection technologies that can operate with IPv6
• IPv6 configuration at the network edge
• IPv6 capability of network computers
• For native IPv6:
  • DHCP servers capable of issuing DHCP options to IPv6 clients
  • IPv6-capable routers configured following an IPv6 routing design
Implementing the IPv6 deployment
Introduce a pool of IPv6 addresses
• Best option: acquire an IPv6 prefix
  • Traditionally from the ISP
  • Provider Independent if multi-homed
• Other options include:
  • 6to4 address corresponding to the current public IPv4 address
  • Unique Local IPv6 Unicast
• Configure IPv6-compatible name resolution
  • AAAA records
  • IP6.ARPA for PTR records
Implementing the IPv6 deployment
Introduce a pool of IPv6 addresses
• There will be IPv4-only resources that you want to expose over IPv6
• You want to avoid full IPv4 NAT
• Introduce some IPv6-to-IPv4 translation points in your network:
  • NAT64
  • Network Address Translation/Protocol Translation (NAT-PT) device – deprecated as an IETF standard in favor of NAT64
  • DNS64
IPv6 support in Microsoft products
Best practice and current issues challenges
WHOIS going to tell us a Domain Name joke?
What does IPv6 compatible mean?
According to the Microsoft Common Engineering Criteria:
“All Microsoft server products are required to support both IPv6 and IPv4. In addition, all server products are required to be configurable to run in dual-stack (IPv4 and IPv6) or IPv6-only modes.”
http://www.microsoft.com/cec/en/us/cec-overview.aspx#data-ipv6
Additionally:
“The goal is feature parity. Whatever a customer can do using IPv4, they should be able to do using IPv6, with the same level of security, performance, and scalability.”
Microsoft products that do not support IPv6
“Microsoft has informed Gartner that it does not plan to ship another full version of…Forefront Threat Management Gateway (TMG). The product is effectively in sustaining mode, with Microsoft continuing to ship Service Pack (SP) updates…for the standard support life cycle — five years of mainstream support and five years of extended support.”
Magic Quadrant for Secure Web Gateway, 25 May, 2011
Microsoft’s strategy with IPv6
• Microsoft plans to have full dual-stack and IPv6-only capabilities for all enterprise-class products
• Microsoft has been working on achieving this capability since 2007
Current issues opportunities
Best practice and current issues challenges
An ARP request goes to McDonald’s and asks for a Big MAC.
Application dependencies
• Most applications follow the OSI model and are therefore IP agnostic (recommended)
  • They pass a name to the TCP/IP stack and let the stack determine how to connect (using RFC 3484 default address selection)
• Some applications try to handle IP connectivity on their own by opening a socket (not recommended)
  • These applications must specifically be coded to support IPv6
• Some applications (or scripts) assume that the returned IP address is in dotted decimal notation
  • They fail on reading an IPv6 address
Hardware dependencies
• Network infrastructure hardware that inspects, modifies, or routes IP packets must specifically support IPv6
• Examples:
  • Routers
  • Firewalls
  • Load balancers
  • WAN accelerators
  • Intrusion detection/prevention systems
  • Proxy servers
  • Network probes and protocol analyzers
Transition technologies
• Transition technologies can cause issues
• Whenever a machine has a public IPv4 address assigned, it will automatically generate a 6to4 address as well
  • 6to4 addresses are globally routable addresses
  • 6to4 addresses register in DNS
• Solution: don’t use public IPv4 addresses inside a corporate network, or disable 6to4 using Group Policy
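How the 6to4 address is derived from the public IPv4 address, and how to find hosts that have registered one in DNS, as an added example (not code from the deck). A 6to4 prefix is 2002:WWXX:YYZZ::/48 with the IPv4 address embedded as four hex bytes (RFC 3056); going the other way recovers the embedded IPv4 address from any AAAA record under 2002::/16. The record list below is constructed to stand in for a zone export and uses the documentation address 192.0.2.1; the host part WWXX:YYZZ mirrors the form Windows uses for its 6to4 interface address, and the function names are mine.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # RFC 3056


def sixto4_prefix(public_ipv4: str) -> str:
    """2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the IPv4 address written as four hex bytes."""
    v4 = ipaddress.IPv4Address(public_ipv4)
    prefix_bytes = b"\x20\x02" + v4.packed + bytes(10)
    return f"{ipaddress.IPv6Address(prefix_bytes)}/48"


def embedded_ipv4(addr_text: str):
    """The IPv4 address embedded in a 6to4 address, or None if the address is not under 2002::/16."""
    addr = ipaddress.IPv6Address(addr_text)
    if addr not in SIX_TO_FOUR:
        return None
    return str(ipaddress.IPv4Address(addr.packed[2:6]))   # bytes 2..5 hold WWXX:YYZZ


def find_6to4_records(records) -> list:
    """Scan (name, AAAA) pairs and report hosts that registered a 6to4 address, with the IPv4 it reveals."""
    hits = []
    for name, aaaa in records:
        v4 = embedded_ipv4(aaaa)
        if v4 is not None:
            hits.append((name, aaaa, v4))
    return hits


# Constructed sample standing in for a DNS zone export: srv1 has auto-generated a 6to4 address
# from a public IPv4 address, the others have a global or unique local address.
SAMPLE_RECORDS = [
    ("srv1.corp.example", "2002:c000:201::c000:201"),
    ("srv2.corp.example", "2001:db8::10"),
    ("srv3.corp.example", "fd00:1234::5"),
]

if __name__ == "__main__":
    print(sixto4_prefix("192.0.2.1"))          # 2002:c000:201::/48
    for name, aaaa, v4 in find_6to4_records(SAMPLE_RECORDS):
        print(f"{name}: {aaaa} is 6to4, embeds public IPv4 {v4}")
```

Running this over a zone export after disabling 6to4 through Group Policy confirms that the stale AAAA records have actually aged out; until they do, other hosts may still prefer the globally routable 6to4 address over IPv4 and send traffic through a relay outside the organization's control.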
Stay up-to-date
• Recommended updates for Windows 8/8.1/Server 2012/2012 R2:
  • Make sure you install the monthly update rollups
• Recommended updates for Windows 7/Server 2008 R2:
  • An enterprise hotfix rollup is available for Windows 7 SP1 and Windows Server 2008 R2 SP1: http://support.microsoft.com/kb/2775511
  • An IPv6 readiness update is available for Windows 7 and for Windows Server 2008 R2: http://support.microsoft.com/kb/2750841
Disabling IPv6 – Don’t do it
Best practice and current issues challenges
How do you catch an Ether bunny? With an Ethernet.
Keeping IPv6 enabled
• Microsoft recommends leaving IPv6 enabled even when not in active use, although disabling IPv6 is a supported action
• Microsoft products are not tested with IPv6 disabled. Disabling IPv6 places that host and application into a less-tested state
• Leaving IPv6 enabled, even when not in use, does not impact production networks
Leave it enabled
• Don’t clear the IPv6 checkbox in the properties of a regular NIC
  • It unbinds IPv6 from that one interface only
  • It cannot be scripted
  • The IPv6 loopback interface is still enabled
In case you really need to…
• Recommended: use the DisabledComponents registry key
  • Documented in http://support.microsoft.com/kb/929852
  • The DisabledComponents key does not exist by default and must be created
  • Leave the IPv6 box checked in the NIC properties when using the DisabledComponents key
• Only use this as a last resort. There is no technical reason to disable IPv6 in Windows
Q&A
Done!
A UDP packet walks into a bar without a checksum. Nobody cares.
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a
commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.