Fred Bovy. IPv6 For Life! 2012 © First Edition Fred Explains IPv6 In-depth

Fred explains IPv6


My first book preview. The published eBook will have plenty of hyperlinks to Flash movies to explain advanced topics. You can donate or order the books if you want.


This is why I wrote this very first book, and a great tribute to my CISCO colleagues from whom I learned so many things! It also gives a pointer to the Web server that must be used with this book and to the IPv6 Certifications.

Please read important information at the End of this Chapter!

Preface

1 Preface

My name is Fred Bovy, CCIE #3013, and I have been in the Networking industry for more than 20 years, with a focus primarily on IPv6 and Service Provider issues for about 10 years.

In 1999 I joined CISCO as a Network Consultant. My initial long term project involved helping a Service Provider and an enterprise deploy brand new MPLS-VPN backbones. Since then, I have been hooked, and have developed an expertise in this subject. I later joined the CISCO IPv6 IOS Engineering Team as a dev-tester. For more than 3 years, I focused on 6PE and 6VPE testing. During that time, I developed many TCL scripts to test 6PE and 6VPE functionalities, routing and switching performance, scalability, High Availability, and all the supported network designs like Internet Access models, Carrier's Carrier or Hub and Spoke and more. I also got deeply involved in testing Netflow for IPv6 and SeND.

In 2009 I resumed teaching, keeping the focus on IPv6 with special attention on the transition to IPv6. I believe that we have finally hit the tipping point for IPv6, given that all of the IPv4 addresses ran out in February. It's time for everyone to realize, before companies and individuals lose their competitive edge, that IPv6 is fast becoming a requirement that will enable the Next Generation Internet.

About

I have written this book to help anyone who needs to design, configure and troubleshoot IPv6 Networks, because this is the experience I have gathered in my life as an IPv6 Tester, Consultant and Trainer, and also from my 20+ (almost 25) years of IP and CISCO Routers.

In this first book I will cover the Fundamentals. Following books will be about Routing Protocols, Transition To IPv6, Multicast, Security and more... The book must be used with the IPv6 TUTORIAL that can be found at http://www.ipv6forlife.com.

1.1 Tribute to CISCO and to the USA!

IPv6 is more than a Job to me; it is a hobby and a philosophy; it is a Community. It is open, and everybody is welcome to bring something!

IPv6 was designed about 20 years ago by people who thought that the Internet should be for everybody and not only for the lucky ones who can get a Class A or whatever IPv4 block... It was designed to support ALL applications for EVERYONE! 12 years ago I decided to join the community of people who are building the new Internet for everyone and for the new applications that IPv6 enables!

I joined the CISCO IPv6 IOS® Engineering Team to help the development of 6PE and 6VPE for about 3 years then Netflow for IPv6 and finally SeND and related IPv6 Security for about 3 years.

I would like to thank Eric Levy-Abegnoly, who was my IPv6 Team Leader and mentor (with Luc Revardel), who designed and developed 6PE, 6VPE, SeND and more, Ole Troan, another Great IPv6 Team Leader, who designed most of the IPv6 IOS Code, Benoit Lourdelet, who is the IPv6 Product manager, Patrick Grossetete before him and many other great CISCO people I have been working with. I learned so much with them. I was a CCIE and a CCSI when I joined CISCO, but I learned more about the Networks during the 10 years working for CISCO than all I had learned before. Special thanks to Jim Guichard (my first mentor who went with me to the customers in my first 6 months within CISCO), Peter Psenak (who was the NSA Engineer for EQUANT before me and also helped me a lot during the transition. He is now one of the best OSPF Engineers WorldWide. Networks are transparent for him.), Arjen Boers (The multicast man who hired me with Valerio), JP Vasseur (CISCO Fellow Guru who worked with me on the MPLS-TE Fast Re-Route project for EQUANT and such a nice guy!), Francois Le Faucheur (Another Brain, the Architect of QoS in MPLS Networks who invented DiffServ-TE, QoS Models in MPLS Networks), Robert Hanzl (The Customer support Engineer who helped me on my first crisis with a customer and then became an MPLS Team Leader), Robert Rasczuk (The MPLS Deployment Engineer who helped me on my first big crisis with a customer facing a major Backbone instability), Luc Revardel (who taught me the basics of IPv6 Testing Automation), Greg Boland, Steve Glaus, Mandy Mac Diarmid, Mado Bourgoin and all my managers who helped me to focus on my work, starting with Valerio Muzzolini, Serge Dupouy, Nick Gale.... And all the good guys and girls who I am forgetting, who are the CISCO Assets.

These 10 years were the best school, university, experience and also basis for human values, not only technical...

This was not only a matter of knowledge and people, it was also a way to manage the people that I had never found in any French companies or International companies not managed by Americans. During my interviews when I got hired, someone asked me what I was expecting from my management. I answered support to keep me focused on my technical job, and I was correct! This was typically what I found with all my managers, with the exception of the French SE (Pre Sales) Manager I got when I joined the Account Team to help the customer validation process for free, as this was normally a service charged to the customer. But except this one, I only got great managers who always supported me when I was a Network Consultant and a Software Engineer. I was always supported to focus on my job and didn't have to worry about the political cases that the French really enjoy in most big companies. I had the benefit of working for a big company, but at the same time I was so free to organize my work, and received awards every time I was doing something good, that I had the feeling I was working for my own company. This was the first time that I was also working for a company where the technical skills were considered and you did not have to become a (often bad) manager when you were good in your Technical role as a reward! At last I found people like me, people working like me! Working for CISCO was my best experience in my career.

After CISCO I resumed my trainer and consultant life and started to teach what I had learned with my CISCO masters and more! I am a self-employed IPv6 Expert working as a Fast Lane IPv6 Course Subject Matter Expert with other CISCO partners and for myself as well.


2 About the book

2.1 IPv6 Fundamentals

IPv6 cannot be understood if the Fundamentals are not. That's why the first Module of this book is essential.

You can find some help in the "IPv6 For Life!" Tutorial from the home page: http://www.ipv6forlife.com.

This Tutorial has several chapters for the Fundamental Module:

Fundamentals #1. Introduction and IPv6 Addressing

Fundamentals #2. More about IPv6 Addressing. ICMPv6 and an Intro about Neighbor Discovery

Fundamentals #3. DHCPv6, DNS, MOBILE IPV6 and derived applications

Our first chapter will introduce the IPv6 basics.

Then we will study IPv6 Addressing, which is the main reason why IPv6 was developed: to provide an addressing which will match the requirements of the Internet for the next century.

There was a requirement missed on day one, the Multihoming requirement. This should have been managed by the IPv6 Stack as a service, like Mobile IPv6, but the Engineers just missed addressing this issue, which is still not completely resolved with a commonly accepted long term solution.

The next chapter will be about the IPv6 header, the long addresses, the Extension Headers and other interesting improvements for more efficiency.

Then come the ICMPv6 basics, quite close to IPv4, and, more interesting, the Neighbor Discovery Protocol, which is described in two separate RFCs. Many solutions are provided by ND, like Autoconfiguration or Router Discovery and more.

Finally we will describe all the most important Services, which are not implemented on all platforms. Linux is the best platform to test and support all the IPv6 Services.

2.2 IPv6 Certifications

2.2.1 IPv6 Forum Certification

There are many certifications at the IPv6 Forum, with 2 levels, Silver and Gold, for Engineer and Trainer. The Trainer certification is more advanced than the Engineer one.

For the moment, all you need is to apply on the IPv6 Forum Web Server and provide a few proofs of achievement to get certified.

2.2.2 Hurricane Electric

Hurricane Electric proposes a very challenging certification with multiple levels, up to the Sage level.

Each step requires both theory and practical exercises.

You need to have a host connected to the Internet to do the proposed exercises and to validate that you were able to provide the correct answers.

This is a free and very interesting certification.

2.2.3 CISCO CCIE Routing & Switching

Cisco has one main 5-day training course and a derived training, which I designed for CISCO, aimed at the SP market.

2.3 Important information

THIS BOOK CAN BE READ COVER TO COVER, OR YOU CAN PICK UP ANY PAGE FROM ANY CHAPTER WHEN NEEDED.

THIS E-BOOK IS ALIVE. MANY VIDEO LINKS ARE FLASH PRESENTATIONS, AND YOU WILL NEED A LARGE SCREEN AND A FLASH® (ADOBE) ENABLED BROWSER. PLEASE CHECK http://www.adobe.com.

I AM ADDING NEW PRESENTATIONS ON A REGULAR BASIS AND I WILL UPDATE THE LINKS IN THIS BOOK. WHEN YOU GET A NEW VERSION OF THIS E-BOOK YOU WILL GET PLENTY OF NEW PRESENTATIONS.

FOR ALL THE LINKS YOU WILL NEED TO ACCESS THE IPv6 FOR LIFE® WEB SERVER: http://www.ipv6forlife.com

Although I am based in France, I have been speaking and writing more in English than French for the last 25 years, but I may still make some mistakes, which I ask you to forgive if they happen in this book!

The IPv6 Internet belongs to everybody. Thanks for reading me!

Kindest Regards,

Fred Bovy

This chapter explains how we arrived at IPv6 in 2012 and the long path we have walked since the 80s! Address depletion is not a new issue, and IPv4 was never intended to scale to a global public Internet!

Introduction to IPv6


1 Introduction to IPv6

1.1 History

IPv4 was developed in the 80s by the DoD of the USA for a military network with a few thousand hosts maximum.

There was no need for security, as it was a private network in the DoD buildings. There was no need for Autoconfiguration or Mobility and many other things.

IPv4 addresses were widely distributed until there were no longer enough for everyone. In the early 90s, IPv4 address depletion started to be a problem.

I posted something about it in my blog about this history:

http://ipv6forlife.net/wordpress/?p=61

1.1.1 OSI Protocols

The first serious candidate to replace TCP/IP was the OSI protocols. The Open Systems Interconnection (OSI) protocols are a family of information exchange standards developed jointly by the ISO and the ITU-T starting in 1977.

OSI defined a Layered Model with 7 Layers, while TCP/IP just had 5, since OSI Layers 5, 6 and 7 were actually managed by the TCP/IP Application Layer.

The OSI protocols provided a datagram service like IP, called Connectionless Network Service (CLNS), with an address of up to 20 bytes (160 bits) long.

Its routing protocol, IS-IS, very close to OSPF, immediately interested many service providers, since it was an integrated routing protocol which could support IPv4 as well (RFC1195). Actually it was more SP oriented and could support many more routers in the same area. It is also a much easier protocol to troubleshoot: a simple look at its database will convince any Network Engineer in 5 minutes.

Digital Equipment thought that OSI would replace IPv4, and DECnet Phase V was actually the OSI protocols.

1.1.2 ATM and Frame-Relay

But at the same time, the convergence of data and voice networks had started in the middle of the 80s, and we were looking for a network which could manage both real-time (voice, video) and non-real-time data with multiple levels of precedence, as IPv4 was already doing. Some people were working very hard on a converged network, and they came up with a new protocol called ATM (Asynchronous Transfer Mode).

ATM could manage any kind of traffic: voice, video, business data, bulk data. ATM was really a network scientist's protocol architecture; its routing protocol, PNNI, was able to react in real time to any change in the network to find paths which could match the traffic of any class of service.

ATM was based on 53 bytes cells at the Physical Level for Real-Time and Non Real-Time traffic to be interleaved.

ATM was designed for 155 Mbps SONET/SDH fiber links minimum, and this was not really widely available at this time. Also, the ASICs to manage the 53-byte cells were not yet available or were very expensive, as they were not made at a sufficiently large scale to get a reasonable price. So, an interim technology was also created to transport data and voice while ATM was growing. This was Frame-Relay, a stripped down version of X.25 with PVCs only. SVCs came later, but they were never as popular as PVCs.

In the mid 90s ATM was the only serious candidate to support these converged Networks, and VoIP was not an option in the networking business world.

At the end of the 90s, most people realized that ATM would not scale with the multi-gigabit links which were slowly arriving. Also, some ATM protocols like LAN Emulation collapsed under traffic, as the node dedicated to replicating broadcast and multicast was overloaded. ATM, which was great on paper, proved to be not scalable, and a complex and expensive solution, so VoIP came back as a viable solution.

But all this work done for ATM was not trashed, and many protocols built for ATM are still in use in many solutions: a lot of the QoS work, and a protocol like NHRP, which was developed for ATM Classical IP, is now used for CISCO DMVPN.

1.1.3 MPLS

And there was also the idea of replacing a long address by a label, already used by the old X.25 and then by ATM networks, which gave the idea of replacing the IPv4 header lookup with a short label! Ipsilon's IP Switching, Cisco's Tag Switching and many other vendors provided such a solution, with an initial motivation of making faster routers.

Then CISCO also saw that with Tag Switching it was possible to add some services which were not possible with IP, like Tag-VPN. Tag-VPN permitted providing each connected customer with a Virtual Private Network having its own IPv4 addresses.

Tag-VPN was based on a Multi-Protocol BGP extension with a new BGP vpnv4 address family, as it was adding a 32-bit prefix to the IPv4 address, called a Route Distinguisher (RD), for the BGP prefix to be unique in the Service Provider backbone BGP table.

In addition to the RD, an Extended Community BGP Attribute was added to the BGP Prefix before it was advertised to a remote BGP Router. This Extended Attribute was then used to recognize a prefix and import it into the Customer Virtual Routing Table.

The benefits of Tag-VPN over the previous Layer 3 VPNs based on IP were that:

The backbone routers (P) did not have to know any of the customers' routes. Only the BGP next-hop, the exit point host route for each Provider Edge (PE) router connecting to the Customer Edge (CE) router, was enough.

Before Tag-VPN, in the SP Point of Presence, each customer needed a dedicated router which imported all the BGP routes with a given Community attribute. With Tag-VPN, the same PE could be shared by all the customers, each customer having its own virtual routing table.

Customers could have overlapping addresses without any problem.

The provisioning and the management of the VPN were very much simplified.

Traffic Engineering was another great service of Tag-VPN, allowing the SP to use more than the best route links in their backbone, to use all the available bandwidth of the core.

Tag Switching was then standardised by the IETF as MPLS, so in the late 90s and the early 2000s, most service providers were upgrading their backbones to MPLS!

1.1.4 IPv6

Later, in the early 2000s, when IPv6 became the next version approved by the IETF and was more and more requested by customers, CISCO's reply was to provide an IPv6 service over IPv4/MPLS without any need to upgrade the backbone.

They invented 6PE, designed and developed in the South of France from an architecture (RFC) by Francois Le Faucheur and other companies, and then designed and coded by Eric Levy-Abegnoly.

In the early Y2K, the first large scale IPv6 offers from SPs were mostly brought by 6PE in Asia and in the USA.

Later came 6VPE which was actually 6PE in the VRF, allowing the customers to have a dual-stack VPN supporting both IPv4 and IPv6.

We will cover 6PE and 6VPE later with all details...

1.2 IPv4 Address Depletion

As we have seen earlier, IPv4 address depletion started to be a problem in the 90s, and while some people were working on new protocols to replace IPv4, others were working on a workaround to keep on working longer with IPv4.

They came up with NAT and Private Addresses (RFC1918). Before RFC1918, some people were already doing some private addressing, but it was at their own risk: if they chose an address block already in use, such as 7.0.0.0/8 or 9.0.0.0/8, they might one day need to reach it. One of these was used in my company in the early 90s, with proxies to reach the Internet for the http or ftp protocols.

Now with RFC1918, some blocks were reserved for private addressing, and with NATPT, aka PAT, it was possible to use one public address for a whole building or for all the PCs of a residential user.

Let's take a shortcut and call NAT: NAT, NATPT or PAT.

NAT immediately solved the problem for many years, but at the same time it killed some concepts which created the popularity of the Internet, like end-to-end addressing or peer-to-peer capabilities.

In the 90s, this was the time of downsizing and client-server applications. Many companies moved to TCP/IP for this reason.

Downsizing was the migration of applications from mainframes to servers running on RISC workstations, minicomputers (AS/400) or even PCs and PS/2s.

Client-server applications were the migration from hierarchical applications running on a mainframe and accessed by dumb terminals to applications on servers accessed by smart clients, mostly microcomputers or Unix platforms, PC or RISC based.

To keep on working with NAT, we now have to provision a public address for each server and configure a static NAT translation for each server. This can become tedious when you have a lot of servers to manage. And we cannot save addresses any more: each server still requires a public address.

NAT introduced many states into the IP network, which was a datagram best-effort model, and this has many architectural implications. Just search the IETF server for all the RFCs about NAT, PAT or NAPT, and you will find more than 80 documents explaining the limitations and how to work around NAT to support most network applications.

NAT seems an easy and cheap solution, but when you look into it, you find that it actually costs a fortune in hidden costs and thousands of lines of code to support it!

To support voice applications, Skype's workaround is to use a server in the middle of your connection, and your smartphone must send keepalives on a regular basis to keep the NAT state up, draining your battery.

Skype manages it at the cost of a server and keepalives, but many voice applications are still impossible because of NAT!

A 10.0.0.0/8 block looks like a big block for the needs of most companies, but it is still too small for some very large companies or some Service Providers. That's why the Cable SPs requested that DOCSIS 3.0 support IPv6!

Today, even with the use of NAT, we are now running out of IPv4 Addresses in most regions of the World!

And even if the Service Provider ran NAT a second time in the SP backbone to share an IPv4 address among multiple customers (NAT444), this could not give enough addresses to match the needs of all the emerging countries, or the need for more than one IPv4 address per user. We must now support plenty of new connected devices which did not exist in the 90s: smartphones, iPads, and so on...

So today the question is no longer whether we need to move to IPv6, but when!

1.3 The Current Market Needs

We have seen that IPv4, even with double NAT, could not provide enough addresses for all the emerging countries, new devices and new applications, which require more and more addresses and even more and more ports (Ajax)!

The Cable Networks Operators have requested that the last DOCSIS Cable standard MUST support IPv6.

Voice Applications suffer more and more from the NAT limitations and Mobile IPv6 or Proxy Mobile IPv6 can bring solutions impossible to solve for IPv4.

We need autonomous devices which not only do autoconfiguration, but can also form networks dynamically after they automatically discover their neighbors. This is the Wireless Sensor Networks (6LoWPAN) application.

1.4 Transition Richness

Since the introduction of IPv6, tools for a soft transition have been provided. They have evolved with time and demand.

In 1996, IPv6 was shipped with a dual-stack and static tunnels.

While the Internet is still growing very fast, with more connected devices every day, the available IPv4 addresses have declined, and IANA has been completely depleted since February 2011. Although IPv6 has now been implemented for more than 15 years and is available on most Operating Systems and from most network vendors, most Service Providers and even more companies have still not switched to the next generation Internet protocol. As a consequence, we still need to buy some time to allow a smooth transition to IPv6. It is planned that we will need to support mixed IPv4 and IPv6 networks.

Clearly, maximum performances, security and other benefits we can think about with running IPv6 will be achieved when the transition is complete.

During the transition we will need to compromise features, performance and security for the benefit of supporting old IPv4 nodes and applications. We have to address the four following problems:

• To support a maximum of new IPv4 customers with the few remaining IPv4 public addresses. This implies more sharing of the remaining addresses. The current solutions to address this problem are the stateful Carrier Grade NAT (CGN), aka Large Scale NAT (LSN), and the stateless dIVI-pd or A+P solutions.

• SPs with IPv4 backbones need to provide IPv6 access to the IPv6 Internet or among IPv6 customers. This is based on 6PE or 6VPE for MPLS/IPv4, or 6RD for an IPv4 backbone.

• SPs with IPv6 backbones need to provide IPv4 access to the IPv4 Internet or among IPv4 customers. This is based on DS-Lite or 4RD based solutions.

• To provide access to IPv4 resources for IPv6-only customers. This is based on Address Family Translators, with NAT64 and DNS64 currently the best solutions. These translators translate IPv6 packets originating from the IPv6 side into IPv4 packets. With stateless NAT64 it is a one-to-one translation using a reserved IPv6 prefix. With stateful NAT64, multiple IPv6 addresses can be translated to one IPv4 address.

There is a stateless implementation on Linux called TAYGA. They say on their Web site that to get a stateful NAT64 one just needs to combine TAYGA with a stateful NAT44, also available on Linux.
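The two NAT64 modes described above, as an added example that is not part of the book: the stateless one-to-one mapping embeds the IPv4 address in the low 32 bits of a /96 prefix (the RFC 6052 layout, with the well-known prefix 64:ff9b::/96), so an IPv6-side log entry can always be attributed to its real IPv4 destination without any table; the stateful mode needs a port-mapping table, which is also why unsolicited inbound traffic fails and why the SP must keep translation logs. The function names, the StatefulNat64 class and the log lines are this example's own constructions.

```python
"""Address mapping behind NAT64/DNS64, stateless and stateful (added example).

synthesize()/extract() implement the stateless one-to-one mapping of RFC 6052
for a /96 prefix such as the well-known prefix 64:ff9b::/96: the IPv4 address
sits in the low 32 bits, so no translation table is needed.
StatefulNat64 is a minimal port-mapping table for the other mode, where many
IPv6 sources share one IPv4 address.  Only the /96 layout is implemented.
"""
import ipaddress

WELL_KNOWN_PREFIX = "64:ff9b::/96"     # RFC 6052 well-known NAT64 prefix


def synthesize(ipv4: str, prefix: str = WELL_KNOWN_PREFIX) -> str:
    """IPv6 address DNS64 would answer for an IPv4-only destination."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("this example implements only the /96 layout")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(net.network_address) | int(v4)))


def extract(ipv6: str, prefix: str = WELL_KNOWN_PREFIX) -> str:
    """Recover the embedded IPv4 address; raises if ipv6 is not under prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if net.prefixlen != 96 or addr not in net:
        raise ValueError(f"{ipv6} is not an IPv4-embedded address under {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


def attribute_log(lines, prefix: str = WELL_KNOWN_PREFIX) -> list:
    """Rewrite constructed 'src -> dst' flow records so the IPv4 side is visible;
    native IPv6 destinations are left untouched."""
    out = []
    for line in lines:
        src, dst = line.split(" -> ")
        try:
            out.append(f"{src} -> {extract(dst, prefix)} (via NAT64 {prefix})")
        except ValueError:
            out.append(line)
    return out


class StatefulNat64:
    """Many IPv6 sources share one IPv4 address, distinguished by the port the
    translator allocates.  Every flow costs a table entry, and a packet arriving
    on a port with no entry cannot be delivered (returns None)."""

    def __init__(self, shared_ipv4: str, first_port: int = 1024):
        self.shared_ipv4 = shared_ipv4
        self.next_port = first_port
        self.table = {}      # (ipv6_src, src_port) -> port on the shared IPv4 address

    def outbound(self, ipv6_src: str, src_port: int):
        key = (ipv6_src, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 1
        return self.shared_ipv4, self.table[key]

    def inbound(self, dst_port: int):
        for (src, sport), mapped in self.table.items():
            if mapped == dst_port:
                return src, sport
        return None          # no state: dropped, which is why keepalives exist


# Constructed sample flow records (documentation addresses only).
SAMPLE_LOG = [
    "2001:db8::a -> 64:ff9b::c000:221",
    "2001:db8::a -> 2001:db8:1::1",
]

if __name__ == "__main__":
    print(synthesize("192.0.2.33"))
    for line in attribute_log(SAMPLE_LOG):
        print(line)
```

Stateless mapping is reversible from the address alone; the stateful table is the only record tying a shared IPv4 address and port back to an IPv6 source, which is the data the SP has to retain.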

[Figure: transition scenarios. On the IPv4 side, an IPv4-only host and an ISP IPv4 private network using RFC 1918 space (10.0.0.0/8, 172.16.0.0/12) reach the IPv4 Internet through NAT44 (CGN/LSN), e.g. 10.0.0.0 -> 202.45.3.0. On the IPv6 side, an IPv6 private network 2001:db8:678::/48 (DHCPv6-PD client, link-local addresses on the point-to-point link to the SP, 8 bits for subnets, first subnet 2001:db8:678::/64) reaches the IPv6 Internet natively and the IPv4 Internet through a stateful NAT64, which translates all the IPv6 addresses of a building to one IPv4 address.]

This will be developed further in the next book, with a module or a full book about translation to IPv6. There are so many possibilities and so many technologies being tested, if we really want to cover all the experiments currently or recently performed.

SPs are not very happy with the CGN or LSN based solutions, since they have to run a stateful protocol in their backbone. Capacity planning is almost impossible in most cases, so they may have to over-provision the NAT64 or NAT444 with big CPUs and a lot of RAM, just in case they have to manage twice as many translations on an occasion like a global sport event such as the Olympic Games. If TV is not working for the Olympic Games or a World Cup soccer event, it would be a reason for many users to move to a competitor! Protocols like 4RD or dIVI-PD are the stateless alternatives.

With CGN/LSN the SP must keep logs, which represent some terabytes of data each month. Transition protocols are expensive, and as all SPs are transitioning to IPv6, I now have serious doubts that dual-stack will be supported for a long time. Why would the "good" Internet user who complies with IPv6 want to pay the bill for the one who has done nothing for 15 years?

1.5 What are the IPv6 improvements?

1.5.1 128-bit Addresses

1.5.1.1 IPv6 addresses - how many is that in numbers?

IPv6 is our Word of the Day today. The big difference between it and IPv4 is the increase in address space. IPv4 addresses are 32 bits; IPv6 addresses are 128 bits. That's a lot more, for sure, but what does it look like in numbers? What could we compare it to in real-world terms?

DevDevin did the math:

How many IP addresses does IPv6 support? Well, without knowing the exact implementation details, we can get a rough estimate based on the fact that it uses 128 bits. So 2 to the power of 128 ends up being 340,282,366,920,938,000,000,000,000,000,000,000,000 unique IP addresses.

How do you say that, though? 340 trillion, 282 billion, 366 million, 920 thousand, 938 — followed by 24 zeroes. There’s no short way to say it in numbers without resorting to math.

Here’s how Wikipedia expresses it:

The very large IPv6 address space supports a total of 2^128 (about 3.4×10^38) addresses, or approximately 5×10^28 (roughly 2^95) addresses for each of the roughly 6.5 billion (6.5×10^9) people alive today. In a different perspective, this is 2^52 addresses for every observable star in the known universe.

Steve Leibson takes a shot at putting it in real world terms. It’s big — grains of sand don’t even enter into it. No, he’s got to take it to the atomic level. Here’s his conclusion:

So we could assign an IPv6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100+ earths. It isn’t remotely likely that we’ll run out of IPV6 addresses at any time in the future.

1.5.2 Extension Headers

In IPv4 we had a limited number of Options, which could not provide for any new extension. In IPv6 we have Extension Headers instead. These Extension Headers can be daisy-chained, so it is now possible to put as many options as we want in an IPv6 packet to support any new IPv6-level application.

The first great example of what we can do with Extension Headers is Mobile IPv6 and all derived applications: mobile router (NEMO), MANET, Wireless Sensor Networks (6LoWPAN), PMIPv6. As we can tweak addresses at the Network Layer, it becomes transparent for the Transport or Application level.

1.5.3 More Efficient Packet Switching

No more header checksum in IPv6: this field has been completely removed. The header is aligned on 64 bits for more efficient access. Routers are no longer responsible for fragmentation; if fragmentation must be done, it must be done by the source. The fragmentation information is no longer carried in each packet, but in an Extension Header, only when needed.

This chapter introduces the key feature of IPv6, an address space that scales to the Internet requirements of 2012 until we all die!

IPv6 Addresses

Topics

1. Introduction
2. What does 128 bit represent?
3. All types of IPv6 Addresses:
   1. Unicast
      1. Unique Local Unicast
      2. Global Unicast Addresses
      3. Special Addresses
   2. Multicast
   3. Anycast

1 IPv6 Addresses

1.1 Introduction

IPv6 not only makes addresses longer, but also makes better use of addresses and of how to manage them. For instance, if you have a small LAN without any routers, the workstations will be able to pick up an address automatically, which will only be valid on this LAN (Link-local) and will permit the Node to be automatically configured with a local address. Then if a router comes up, new prefixes will be advertised by the router, and the Workstation will automatically configure addresses derived from these prefixes. The most important things are:

There is no more Broadcast, only Multicast!

• Link-Local addresses are only valid on the link where they are configured. This leads to the concept of Zone: a Link-local address belongs to a zone with its own routing table.

• Anycast Addresses, an address to the nearest Service. This already existed in IPv4, but now it is fully managed.

• Routers are discovered automatically.

• ARP has been dramatically improved in the Neighbor Discovery protocol. There is no longer just a timeout for the MAC to IP address cache; the neighbors are managed in the cache by a Finite State Machine. Useless entries of dead neighbors are cleared. When a timer expires, a few probes are sent to the neighbor (about 35 seconds with the defaults).

• The concept of zone is also important in IPv6. For the moment it mostly applies to Multicast and Link-local Addresses, but it could be used to create VPNs. Still, each zone has its own Routing Table (please see RFC4007 "Scoped Zone Architecture" for more details).

See RFC4291 for the IPv6 Address Architecture.
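The neighbor cache Finite State Machine mentioned in the list above, as an added example that is not part of the book: a simulation of the Neighbor Unreachability Detection states of RFC 4861 (INCOMPLETE, REACHABLE, STALE, DELAY, PROBE) driven by a simulated clock, with the protocol's default timers (REACHABLE_TIME 30 s, DELAY_FIRST_PROBE_TIME 5 s, RETRANS_TIMER 1 s, MAX_UNICAST_SOLICIT 3). It shows why a dead neighbor is probed and then removed within roughly 35 to 40 seconds of its last confirmation instead of lingering like an old ARP entry. The NeighborCache API and event names are this example's own, not a real stack's.

```python
"""Neighbor cache state machine of IPv6 Neighbor Discovery (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

REACHABLE_TIME = 30.0            # RFC 4861 defaults, in seconds
DELAY_FIRST_PROBE_TIME = 5.0
RETRANS_TIMER = 1.0
MAX_UNICAST_SOLICIT = 3


@dataclass
class Neighbor:
    ip: str
    mac: Optional[str] = None
    state: str = "INCOMPLETE"
    deadline: float = float("inf")   # simulated time at which the state expires
    probes: int = 0


class NeighborCache:
    def __init__(self) -> None:
        self.entries: dict = {}
        self.sent_ns: list = []      # (time, target) Neighbor Solicitations emitted

    def state(self, ip: str) -> Optional[str]:
        e = self.entries.get(ip)
        return e.state if e else None

    def _solicit(self, e: Neighbor, now: float) -> None:
        self.sent_ns.append((now, e.ip))
        e.probes += 1
        e.deadline = now + RETRANS_TIMER

    def confirm(self, ip: str, mac: str, now: float) -> None:
        """Positive reachability confirmation: a solicited Neighbor Advertisement
        (or an upper-layer hint such as a TCP ACK) proves the neighbor is alive."""
        e = self.entries.setdefault(ip, Neighbor(ip))
        e.mac, e.state, e.probes = mac, "REACHABLE", 0
        e.deadline = now + REACHABLE_TIME

    def on_send(self, ip: str, now: float) -> None:
        """Called when the node has a packet to send to ip."""
        e = self.entries.get(ip)
        if e is None:                       # unknown: resolve with a multicast NS
            e = self.entries[ip] = Neighbor(ip)
            self._solicit(e, now)
        elif e.state == "STALE":            # keep using the old MAC, but start verifying it
            e.state = "DELAY"
            e.deadline = now + DELAY_FIRST_PROBE_TIME

    def tick(self, now: float) -> list:
        """Advance the simulated clock. Returns (ip, new_state) transitions,
        with 'DELETED' when an entry is removed from the cache."""
        changes = []
        for ip, e in list(self.entries.items()):
            if now < e.deadline:
                continue
            if e.state == "REACHABLE":      # no recent confirmation: suspect, but still usable
                e.state, e.deadline = "STALE", float("inf")
            elif e.state == "DELAY":        # grace period over: start unicast probes
                e.state, e.probes = "PROBE", 0
                self._solicit(e, now)
            elif e.state in ("PROBE", "INCOMPLETE"):
                if e.probes < MAX_UNICAST_SOLICIT:
                    self._solicit(e, now)
                    continue
                del self.entries[ip]        # dead neighbor: clear the entry
                changes.append((ip, "DELETED"))
                continue
            changes.append((ip, e.state))
        return changes


if __name__ == "__main__":
    cache = NeighborCache()
    cache.confirm("fe80::1", "00:11:22:33:44:55", now=0.0)
    cache.on_send("fe80::1", now=31.0)
    for t in (31.0, 36.0, 37.0, 38.0, 39.0):
        print(t, cache.tick(t), cache.state("fe80::1"))
```

Unlike a plain ARP timeout, the STALE state costs nothing until the entry is actually used; only then does the node spend a 5 second delay and up to three unicast probes before declaring the neighbor dead.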

1.2 What does 128 bit represent?

We could assign an IPv6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100+ earths. It isn't remotely likely that we'll run out of IPv6 addresses at any time in the future!

So we must change the way we design networks and stop trying to save IP addresses!

We must give large blocks when needed. In IPv6, wasting addresses means failing to use the huge amount of available address space to build scalable networks, not failing to save each single bit of address! Wasting addresses does not mean the same thing in IPv6 as in IPv4!

1.3 How to write an IPv6 Address?

The 128-bit address is written as eight 16-bit groups in hexadecimal, separated by a colon (:).

Leading zeros in a group can be omitted. You can write:

2001:db8:1:459d:f123:98ab:d0:e1

instead of:

2001:0db8:0001:459d:f123:98ab:00d0:00e1

Once per address, you can replace a run of consecutive all-zero groups with a double colon (::). You can write:

2001:db8::1

instead of:

2001:db8:0:0:0:0:0:1
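The two writing rules above, as an added example that is not from the book: an expander that accepts any legal spelling and a compressor that produces the single canonical form of RFC 5952 (lowercase, no leading zeros, the longest zero run of two or more groups replaced by "::", leftmost run on a tie). Having one canonical form matters for log correlation and access lists, where "2001:DB8::1" and "2001:0db8:0:0:0:0:0:1" must never be treated as two different hosts. The function names are this example's own; the sample addresses are the section's.

```python
"""Expand and compress textual IPv6 addresses (added example, not from the book)."""
from __future__ import annotations


def expand(addr: str) -> list:
    """Parse any legal textual IPv6 address into its eight 16-bit group values."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    values = []
    for g in groups:
        if not 1 <= len(g) <= 4:
            raise ValueError(f"bad group {g!r}")
        values.append(int(g, 16))          # int() rejects non-hex characters
    return values


def to_full(addr: str) -> str:
    """Fully written form: eight groups, each padded to four hex digits."""
    return ":".join(f"{v:04x}" for v in expand(addr))


def compress(addr: str) -> str:
    """Canonical RFC 5952 form of an address given in any legal spelling."""
    values = expand(addr)
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, v in enumerate(values + [-1]):      # sentinel closes the final run
        if v == 0:
            if run_len == 0:
                run_start = i
            run_len += 1
        else:
            if run_len > best_len:            # strictly greater: leftmost run wins ties
                best_start, best_len = run_start, run_len
            run_len = 0
    if best_len < 2:                           # a lone zero group is written as "0"
        return ":".join(f"{v:x}" for v in values)
    head = ":".join(f"{v:x}" for v in values[:best_start])
    tail = ":".join(f"{v:x}" for v in values[best_start + best_len:])
    return f"{head}::{tail}"


def same_address(a: str, b: str) -> bool:
    """True when two spellings denote the same 128-bit address."""
    return expand(a) == expand(b)


if __name__ == "__main__":
    for text in ("2001:0db8:0001:459d:f123:98ab:00d0:00e1", "2001:db8:0:0:0:0:0:1",
                 "2001:DB8:0:0:1:0:0:1", "::1", "::"):
        print(f"{text:42} full={to_full(text)}  canonical={compress(text)}")
```

Compare addresses with same_address() (or by their canonical form), never by string equality on whatever spelling a log or a user supplied.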

1.3.1 The IPv6 Addresses are:

• Unicast: One to One
  • Global Unicast Addresses (Public)
  • Unique Local Addresses (Private)
  • Link-Local Address
  • Special addresses: loopback, unspecified, IPv4 Mapped
• Anycast: One to Any
• Multicast: One to Many

1.4 IPv6 Unicast Addresses

1.4.1 Global Unicast Addresses (Public)

The Global Unicast Addresses are similar to the Public IPv4 addresses and are routable in the IPv6 Internet.

Figure: Global Unicast Address format: Global Routing Prefix (Provider, 48 bits), SLA (Site, 16 bits), Interface ID (Host, 64 bits).

In the Internet, 2000::/3 (binary 0010) is reserved by IANA for the global unicast address. You will find more details in the IANA registries below and in RFC4291 for the IPv6 Address Architecture.

The Global Routing Prefix contains the IANA prefix for Global Unicast Addresses, a prefix which identifies the Regional Internet Registry (RIPE in Europe for instance) and eventually another prefix which identifies the ISP:

http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xml

http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xml

IPv6 addresses are made of 128 bits, but we still find the same 3 parts that we have in an IPv4 Address:

Figure: Global Unicast Address breakdown: 001 (3 bits), RIR such as ARIN (9 bits), RIR or ISP (36 bits), Subnet ID (16 bits), Interface ID (Host, 64 bits).

1.4.1.1 Global Routing Prefix

An ISP Customer Prefix used to route the packet to the customer. This Prefix itself is built of a common prefix for all the Global Unicast Addresses, 0010 or 2000::/3. Then you have a prefix matching a Regional Internet Registry (RIR), and then the part of the Address which addresses the customer. The most common prefixes are typically a /48 Prefix for each site. This may seem overkill, but we do not waste addresses if we use them. We waste them if we don't!

2001:db8::/16 is reserved for documentation and labs!

1.4.1.2 The Subnet bits

These bits can be used by the customer to address many subnets for each site. With our IPv4 reflexes we may find that using a /48 prefix for each site is a waste of Addresses, but it is actually the other way around: we have so many addresses available that it would be wasting them to try to save addresses instead of using them generously, to maximize the scalability of the addressing and allow easy growth of the sites.

1.4.1.3 The Interface ID

The Interface ID is similar to the IPv4 Host Address. It is used to identify the Host itself.

1.4.1.3.1 EUI-64 or Modified EUI-64

This address is generally derived from the Interface MAC Address, which is 48 bits long. 0xFFFE is inserted in the middle of the MAC address to make a 64-bit address:

Figure: EUI-64 construction. MAC 00 90 59 02 E0 F9 becomes 00 90 59 FF FE 02 E0 F9; the first byte is written 000000X0 in the EUI-64 Address.

In this example, the MAC Address is 00-90-59-02-E0-F9.

The EUI-64 Address will be: 90:59ff:fe02:e0f9

And the Modified EUI-64 Address will be: 290:59ff:fe02:e0f9


For the Modified EUI-64 address X=1, which means that the address is a Locally Administratively Managed Address.
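The derivation above, as an added Python example (not code from the book): it inserts FFFE, flips the U/L bit and also reverses the operation, which is how one recognizes an Interface ID that still carries the MAC address. The MAC is the book's 00-90-59-02-E0-F9; the link-local prefix fe80::/64 is the standard one.

```python
"""Modified EUI-64 Interface ID from a 48-bit MAC (RFC 4291 appendix A): insert
0xFFFE between the OUI and the NIC part, then invert the U/L bit (0x02 of the
first byte). Added example, not code from the book."""
import re

def parse_mac(text):
    """Accept 00-90-59-02-E0-F9, 00:90:59:02:e0:f9 or 0090.5902.e0f9 and return 6 bytes."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError("MAC address must have 12 hex digits: %r" % text)
    return bytes.fromhex(digits)

def eui64(mac):
    """Plain EUI-64: OUI (3 bytes) + FF FE + NIC (3 bytes)."""
    m = parse_mac(mac)
    return m[:3] + b"\xff\xfe" + m[3:]

def modified_eui64(mac):
    """Modified EUI-64 used as IPv6 Interface ID: the U/L bit is inverted.
    RFC 4291 inverts it so that a globally unique (universally administered) MAC,
    whose U/L bit is 0, yields an Interface ID whose bit reads 1 (the X bit in the figure)."""
    e = bytearray(eui64(mac))
    e[0] ^= 0x02
    return bytes(e)

def interface_id_text(iid):
    """Write 8 bytes as four 16-bit groups without leading zeros, as the book does."""
    groups = [int.from_bytes(iid[i:i + 2], "big") for i in range(0, 8, 2)]
    return ":".join("%x" % g for g in groups)

def link_local_from_mac(mac):
    """Link-local address an interface derives from its MAC: fe80::/64 + Modified EUI-64."""
    return "fe80::" + interface_id_text(modified_eui64(mac))

def mac_from_interface_id(iid):
    """Reverse the derivation. Returns the MAC as 00-90-59-02-E0-F9, or None when the
    FFFE marker is absent (random, temporary or manually configured Interface ID)."""
    if len(iid) != 8 or iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return "-".join("%02X" % b for b in mac)

if __name__ == "__main__":
    mac = "00-90-59-02-E0-F9"      # the MAC used in the book's example
    print("EUI-64:          ", interface_id_text(eui64(mac)))
    print("Modified EUI-64: ", interface_id_text(modified_eui64(mac)))
    print("Link-local:      ", link_local_from_mac(mac))
    print("MAC recovered:   ", mac_from_interface_id(modified_eui64(mac)))
```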

1.4.1.3.2 Temporary Random Prefix (RFC4941)

As NAT is no longer used and the Interface ID of a Laptop may not change, a user may be tracked by its address. To avoid this possible problem it is possible to use a Random Temporary Interface ID and change it every day!

This is configurable on all the available platforms (Windows, MAC OS, Linux).

1.4.1.3.3 Manually Configured

On Routers or some servers, it may be better to assign static addresses instead of an EUI-64 or Random Interface ID.

For instance, in a Datacenter your router HSRPv6 Group could be 2001:db8:a01::1 and you may configure a static default route on all your Servers.

You make sure that your system will not waste any time or receive any Rogue information!

Figure: IPv6 Global Unicast Address Format (RFC 3587). Initial Format: IETF assigned 001 for Global Unicast; 2620::/12 assigned to the American Registry for Internet Numbers. Global Routing Prefix (Provider, n bits), Subnet ID (64-n bits), Interface ID (Host, 64 bits). Breakdown: 001 (3 bits), RIR such as ARIN (9 bits), RIR or ISP (36 bits), Subnet ID (16 bits), Interface ID (Host, 64 bits).

Figure: RFC 2374 Aggregatable Global Unicast Address Structure: FP (3 bits), TLA ID (13 bits), RES (8 bits), NLA ID (24 bits) forming the Public Topology; SLA ID (16 bits) forming the Site Topology; Interface Identifier (64 bits).

1.4.2 Unique Local Addresses (Private, RFC4193)

The ULA are Private Unicast Addresses not routable on the Internet.

Figure: Unique Local Address format: prefix FC00::/7 (1111 110x), with FD00::/8 (1111 1101) for locally assigned prefixes, Global ID (40 bits), Subnet ID, Interface ID.

The big benefit of ULA over RFC1918 in IPv4 is that you have 40 bits to make your Prefix Unique. So if one day you need to merge two Private Networks using ULA Addresses, you may not have to renumber your Network.

Actually there are two kinds of ULA, the Locally Managed and the Centrally Managed. If you make a Reservation and use the Centrally Managed Addresses, there is absolutely no risk of finding a duplicate subnet. With Locally Managed, the risk exists.

You can make a reservation at this URL:

http://www.sixxs.net/tools/grh/ula/

At the beginning of IPv6 there was no ULA but a prefix for site-local addresses: fec0::/10. But with this approach we had the same problem as with RFC1918 IPv4 Addresses, so this prefix is no longer reserved for Site-Local Addresses, which are deprecated and replaced by ULA.

To access the Internet from a ULA Address you may need Proxies. For instance, if your internal Servers only need http or ftp access to the Internet for SW Updates at night, ULA + Proxy may be the right approach.

1.4.3 Link-local Addresses

Link-local Addresses are the only mandatory addresses for each interface. When an IPv6 interface comes up, the first step is to validate that its Link-local address is unique (Valid). If not, the IPv6 Interface is disabled. The interface could be used for other protocols but not IPv6!

IPv6 Link-local addresses are only valid on the interface where they are configured. If you have many interfaces on a host or a router, it is no problem to use the same address for all the interfaces.

They all start with the prefix fe80::/10.

Figure: Link-local Address format (128 bits): FE80::/10 (1111 1110 10), all zeros, Interface ID (64 bits).

When you are using a Link-local address in a command, you must specify the Outgoing interface by its name or its index with the % sign in between like:

fe80::34f:a011:2:d78%FastEthernet1 on Cisco Router or


fe80::34f:a011:2:d78%15 on Microsoft Windows, 15 is the interface index.

In IPv4 it is similar to the 169.254.0.0/16 address (RFC 3927).

All next hops, except those of recursive static routes or BGP routes, use a Link-local address.

1.4.4 Special  Addresses

1.4.4.1 Unspecified Address is ::/0

The Unspecified address is only used as a source address when a node is booting and verifying its Link-local Address.

A router MUST NOT route a packet with an unspecified source address.

1.4.4.2 Loopback Address is ::1

The loopback address is a Link-local address to the node itself. It must not be assigned to any physical interface. It is similar to the IPv4 127.0.0.1 address.

1.4.4.3 IPv4 Mapped Address

This is used when you need to code an IPv4 address in the IPv6 format. For instance with 6PE or 6VPE, the destination IPv6 Address will have the Egress PE IPv4 Loopback interface as next hop. It is illegal for BGP to advertise a destination with a next hop of another Address Family, so the Next Hop is coded as an IPv4 Mapped Address.

You get 80 bits set to 0, then 16 bits set to ffff and then the 32 bits of your IPv4 address:

If the next hop was 192.9.0.1, it would be coded:

0:0:0:0:0:ffff:<32 bits IPv4 Address>

::ffff:192.9.0.1 or

::ffff:c009:1
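The writing rules of section 1.3 (leading zeros dropped, a single :: run) and the IPv4-mapped form above, as an added Python example that is not code from the book: a small hand-written converter following RFC 4291 section 2.2 and RFC 5952, exercised on the book's own sample addresses.

```python
"""Textual rules for IPv6 addresses (RFC 4291 section 2.2, RFC 5952): leading zeros
may be dropped, one run of zero groups may be written '::', and an IPv4 address may
be embedded in dotted-quad form (::ffff:a.b.c.d). Added example, not the book's code."""
import re

def expand(text):
    """Return the 8 fully written 16-bit groups (4 hex digits each) of an address text."""
    text = text.strip().lower()
    # Embedded dotted quad (IPv4-mapped or IPv4-compatible form): fold it into two groups.
    m = re.search(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$", text)
    if m:
        octets = [int(o) for o in m.groups()]
        if any(o > 255 for o in octets):
            raise ValueError("bad embedded IPv4 address: %s" % m.group(0))
        text = text[:m.start()] + "%x:%x" % (octets[0] << 8 | octets[1], octets[2] << 8 | octets[3])
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once in an address")
    if "::" in text:
        head, tail = text.split("::")
        head = head.split(":") if head else []
        tail = tail.split(":") if tail else []
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head + ["0"] * missing + tail
    else:
        groups = text.split(":")
    if len(groups) != 8 or not all(re.fullmatch(r"[0-9a-f]{1,4}", g) for g in groups):
        raise ValueError("not an IPv6 address: %r" % text)
    return ["%04x" % int(g, 16) for g in groups]

def compress(text):
    """Canonical short form (RFC 5952): no leading zeros, the longest run of two or more
    zero groups becomes '::' (the leftmost run on a tie); a lone zero group stays '0'."""
    groups = [int(g, 16) for g in expand(text)]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexg = ["%x" % g for g in groups]
    if best_len < 2:
        return ":".join(hexg)
    return ":".join(hexg[:best_start]) + "::" + ":".join(hexg[best_start + best_len:])

def ipv4_mapped(ipv4):
    """IPv4-mapped IPv6 address (RFC 4291 section 2.5.5.2): 80 zero bits, 16 one bits, the IPv4 address."""
    octets = [int(o) for o in ipv4.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ipv4)
    return "::ffff:%x:%x" % (octets[0] << 8 | octets[1], octets[2] << 8 | octets[3])

def embedded_ipv4(text):
    """Dotted-quad IPv4 address carried by an IPv4-mapped address, or None for any other address."""
    g = [int(x, 16) for x in expand(text)]
    if g[:5] == [0] * 5 and g[5] == 0xFFFF:
        return "%d.%d.%d.%d" % (g[6] >> 8, g[6] & 0xFF, g[7] >> 8, g[7] & 0xFF)
    return None

def same_address(a, b):
    """Two texts name the same address when their expanded groups are equal."""
    return expand(a) == expand(b)
```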

1.4.4.4 Encapsulation of IPv6 in Ethernet

IPv6 Protocol is 0x86dd

Figure: IPv6 in Ethernet: Destination Ethernet Address, Source Ethernet Address, Type 0x86DD, IPv6 Header and payload.

1.5 IPv6 Anycast Addresses

This is a one-to-any addressing.

Anycast Addresses are like duplicated Unicast Addresses. The goal is to find the nearest server implementing a function.

It already existed in IPv4 for the DNS Root Servers. We have only 13 addresses, which represent more than 200 physical servers.

In IPv4 it was also used by Anycast RP to find the nearest RP in a redundant RP mode using MSDP to make the RPs communicate with each other.

These addresses do not have any reserved prefix so you cannot recognize an Anycast Address from a Unicast.

1.6 IPv6 Multicast Addresses

This is a one-to-many addressing.

There is no Broadcast in IPv6 only Multicast. But you have an address for all IPv6 nodes (ff02::1) as in IPv4 an address for all IPv4 nodes (224.0.0.1). The prefix ff02:: is reserved just like 224.0.0.x for IPv4.

Multicast Addresses are used like in IPv4, when a source needs to send a packet to a Group of Receivers.

The Flags are used for the Embedded RP Address. This is new in IPv6 and allows the RP Address to be embedded in the Group Address. We will study the Flags when we cover Multicast in detail.

The Scope is also new in IPv6 and allows setting the Scope of the Multicast Group:

1 is Node-local
2 is Link-local scope. Example: ff02::1
4 is Admin-local
5 is Site-local
8 is Organization-local
E is a Global Group

Example:

ff02::1:2 All DHCP Servers and Relay. Link-local Scope

ff05::1:3 All DHCP Servers. Site-local Scope (used by Relays)

ff02::2 All IPv6 Routers. Link-local Scope

ff02::5 All IPv6 OSPFv3 Routers. Link-local Scope

ff02::6 All IPv6 OSPFv3 DR Routers. Link-local Scope

ff02::9 All IPv6 RIPng Routers. Link-local Scope

ff02::A All IPv6 EIGRP Routers. Link-local Scope

Only the Link-local Scope is automatically filtered and not forwarded by Routers. All the other Scopes must be implemented with ACLs.


For each unicast or anycast address configured, the IPv6 node automatically configures a Solicited-Node Multicast Address derived from it. This address is built from a common Multicast Prefix and the last 24 bits of the Unicast Address.

Example:

Unicast Address: 2001:DB8:DC28::FC57:D4C8:1FFF

Solicited-Node Multicast Prefix: FF02:0:0:0:0:1:FF

Solicited-node multicast address: FF02:0:0:0:0:1:FFC8:1FFF

Figure: the solicited-node multicast address derived from the unicast address (128 bits): prefix FF02 0 0001 FF, then the low 24 bits of the Interface Identifier.

1.7 IPv6 Address Plan Example

2001:db8:abcd::/48 has been assigned for the USA offices of this company.

Each Regional largest office aggregates the traffic for the area as a /52 route. In the address 2001:db8:abcd:9000::/52, 9 identifies the West Coast.

Each office has a /56 prefix. In the address 2001:db8:abcd:9100::/56, 91 identifies the San Francisco Office.

Then 2001:db8:abcd:9101::/64 may be the first LAN in SF.

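The plan above as an added Python example (not code from the book): the region /52, office /56 and LAN /64 are built from nibble fields on 2001:db8:abcd::/48, read back from a /64, and the office prefixes are checked to aggregate under the regional /52, which is what lets the regional office announce a single route.

```python
"""Nibble-aligned address plan like the one in the book: the /48 of the USA offices,
a /52 per region, a /56 per office and a /64 per LAN, each boundary on a hex digit so
the prefix can be read by eye (9 = West Coast, 91 = San Francisco, 9101 = first LAN).
Added example, not code from the book."""
import ipaddress

def build_plan(site48, region, office, lan):
    """Return (region /52, office /56, LAN /64). region and office are one nibble each
    (16 regions, 16 offices per region); lan is one byte (256 LANs per office)."""
    site = ipaddress.IPv6Network(site48)
    if site.prefixlen != 48:
        raise ValueError("the site allocation must be a /48, got /%d" % site.prefixlen)
    if not (0 <= region <= 0xF and 0 <= office <= 0xF and 0 <= lan <= 0xFF):
        raise ValueError("region and office must fit one nibble, lan one byte")
    base = int(site.network_address)
    # The 16 Subnet ID bits (bits 48..63): region nibble, office nibble, LAN byte.
    region_bits = region << 12
    office_bits = region_bits | (office << 8)
    subnet_id = office_bits | lan
    region52 = ipaddress.IPv6Network((base | (region_bits << 64), 52))
    office56 = ipaddress.IPv6Network((base | (office_bits << 64), 56))
    lan64 = ipaddress.IPv6Network((base | (subnet_id << 64), 64))
    return region52, office56, lan64

def decode(lan64):
    """Read (region, office, lan) back from a /64 allocated by build_plan."""
    net = ipaddress.IPv6Network(lan64)
    subnet_id = (int(net.network_address) >> 64) & 0xFFFF
    return subnet_id >> 12, (subnet_id >> 8) & 0xF, subnet_id & 0xFF

def summarizes(summary, prefixes):
    """True if the regional router can announce the single summary instead of every prefix listed."""
    s = ipaddress.IPv6Network(summary)
    return all(ipaddress.IPv6Network(p).subnet_of(s) for p in prefixes)

if __name__ == "__main__":
    region52, office56, lan64 = build_plan("2001:db8:abcd::/48", 9, 1, 1)
    print(region52, office56, lan64, decode(lan64))
    offices = [str(build_plan("2001:db8:abcd::/48", 9, o, 0)[1]) for o in range(16)]
    print("all West Coast offices fit under", region52, ":", summarizes(str(region52), offices))
```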


1.8 The Multihoming Issue

1.8.1 IPv6 Addressing Hierarchy

Figure: IPv6 Addressing Aggregation. IANA 2000::/3; RIR1 21ae::/8 with ISP1 21ae:db8::/32 (Cust1 21ae:db8:1::/48) and ISP2 21ae:db9::/32 (Cust2 21ae:db9:1::/48); RIR2 2001::/8 with ISP3 2001:db8::/32 (Cust3 2001:db8:1::/48, Cust4 2001:db8:2::/48).

Having an address 4 times bigger, the IPv6 designers didn't want to need 4 times more memory! So they designed a model to maximize Aggregation.

IANA has allocated the block 2000::/3 for Global Unicast Addresses. Then in your address you will have a Prefix which identifies each Regional Internet Registry (RIPE-NCC, ARIN, APNIC, AfriNIC, LACNIC), and a Prefix for each SP.

The end user does not own a Prefix, and if he changes SP, he will have to renumber his Network with a new Prefix.

The goal is to maximize route Aggregation, allowing each SP to summarize all its clients with one or a few Prefixes. This is what we call Provider Assigned (PA) Prefixes.

Figure: Internet Admin hierarchy. IANA; Regional Internet Registries (ARIN, APNIC, RIPE NCC); National Internet Registries (NIR); Local Internet Registries (ISP/LIR); End Users (EU).

http://www.ripe.net/ripe/docs/ripe-512

1.8.2 Multihoming Issue and Solutions

This works very well as long as a customer does not want to use more than one SP for Redundancy or other reasons like best price in different regions of the world for instance.

In this case, the customer will have to deal with multiple Prefixes. Again, this is not a problem, as any IPv6 interface can be configured with multiple Prefixes.

The problem is for resiliency and load-balancing.

There is a Flash animation in my Free On-Line Tutorial Fundamentals #2.

Figure: Provider Assigned Addresses. ISP1 2001:db8::/32 assigns 2001:db8:1::/48 and ISP2 2001:db9::/32 assigns 2001:db9:100::/48; the multihomed site carries both prefixes.


1.8.3 Provider Independent Addresses

The best solution, which may be expensive in some regions, is Provider Independent (PI) Prefixes.

They have been available since 2009, and we can see that the number of IPv6 prefixes has started to increase tremendously since this date. First, because there was no solution to this problem before, and then because a PI Prefix cannot be aggregated: it punches a hole in the summary address of each SP, since it does not fall into one of their summaries and must be advertised independently.

Figure: Multihoming with PA addresses, step 1. A session is started between 2001:db9:100:99:42:345F:1:1/64 (in 2001:db9:100::/48 from ISP2) and 2001:db8:1:99:42:345F:1:1/64 (in 2001:db8:1::/48 from ISP1); the better route is from ISP2.

In this case your RIR will allocate a Prefix to the end-user, who is authorized to advertise its own prefix to multiple SPs. Below is an example. 2001:678:e01::/48 has been assigned to this company and the same prefix is advertised to SP ACME and SP ABC! So each of these SPs will have to advertise this Prefix in the IPv6 Internet, as it does not fall under the summaries of either SP.

It is seen as a short term solution as a long term solution should permit maximum aggregation and must be managed by Hosts or Routers.

Figure: Multihoming with PA addresses, continued. When the destination through ISP2 is no longer reachable, the session between 2001:db9:100:99:42:345F:1:1/64 and 2001:db8:1:99:42:345F:1:1/64 fails and a new session must be started over the other prefix (2001:db8:1::/48 via ISP1, 2001:db9:100::/48 via ISP2).

Figure: the prefix 2001:db8:66::/48 appears next to ISP1's 2001:db8:1::/48 and ISP2's 2001:db8:100::/48 on both ISPs.


Figure: PI address plan example. 2001:678:e01::/48 is advertised to both ISP ACME and ISP ABC. Campus 1, Campus 2 and Campus 3 Backbone Routers each aggregate a /52 (for example 2001:678:e01:3000::/52 for Campus 3, with 2001:678:e01:3100::/52 and 2001:678:e01:3200::/52 for its buildings); inside a building a /56 (for example 2001:678:1001:f100::/56) holds 255 user /64 LANs per Building (2001:678:1001:f101::/64, 2001:678:1001:f102::/64, ...).

1.8.4 Other Solutions

There are some host-based and router-based solutions to solve this problem without losing the maximum Aggregation of the PA Prefixes. Some solutions are host-based like shim6 or HIP, which also manage Mobility, and some others are managed by the routers, like LISP.

"The basic idea behind the Loc/ID split is that the current Internet routing and addressing architecture combines two functions: Routing Locators (RLOCs), which describe how a device is attached to the network, and Endpoint Identifiers (EIDs), which define 'who'

the device is, in a single numbering space, the IP address. Proponents of the Loc/ID split argue that this "overloading" of functions makes it virtually impossible to build an efficient routing system without forcing unacceptable constraints on end-system use of addresses. Splitting these functions apart by using different numbering spaces for EIDs and RLOCs yields several advantages, including improved scalability of the routing system through greater aggregation of RLOCs. To achieve this aggregation, we must allocate RLOCs in a way that is congruent with the topology of the network ("Rekhter's Law"). Today's 'provider-allocated' IP address space is an example of such an allocation scheme. EIDs, on the other hand, are typically allocated along organizational boundaries. Because the network topology and organizational hierarchies are rarely congruent, it is difficult (if not impossible) to make a single numbering space efficiently serve both purposes without imposing unacceptable constraints (such as requiring renumbering upon provider changes) on the use of that space.

LISP, as a specific instance of the Loc/ID split, aims to decouple location and identity. This decoupling will facilitate improved aggregation of the RLOC space, implement persistent identity in the EID space, and, in some cases, increase the security and efficiency of network mobility."

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_11-1/111_lisp.html

4 IPv6 Header

To summarize the IPv6 Header we could say: longer addresses and a simple, efficient, versatile, flexible, powerful Network Layer! The daisy-chained IPv6 Extension Header is a major step for any application in the future! Mobile IPv6 is the first example of this power!


Topics

1. IPv6 versus IPv4 headers

2. Path MTU discovery

3. Extension Headers

4. Encapsulations of Packets in Layer 2


Section 1

IPv6 Header


1.1 IPv6 vs IPv4 Headers

• No more Fragmentation fields (Fragment ID, Frag Offset, Flags). Fragmentation is no longer performed by Routers but only by the source of the traffic, and an Extension Header is used for the Fragmentation information.

• No more Header Checksum, as it was redundant with the Link Layer and Transport checksums.

• Other fields have been renamed with more explicit names, like Hop Limit instead of TTL.

• The Traffic Class is used instead of ToS/Precedence but still transports a DSCP for QoS.

• IPv6 Addresses are 4 times larger.

• The Protocol field is replaced with a Next Header, as now the Headers can be daisy chained to add several options to a packet!

• A new field, pretty much unused so far: the Flow Label. It should be used to identify a flow together with the Source and Destination Addresses. It is not used for two reasons:

o There is no common agreement to use it in a standard way.

o People are scared that a non-default Flow Label (anything other than 0) would give information to hackers about the sensitive traffic!

• The data are aligned on 64 bits for better memory access.

1.2 Path MTU Discovery

Fragmentation is expensive as it consumes resources on the Router or the Host which fragments the packet, and it also consumes resources on the destination host which reassembles the packets.

Some Firewall or NAT devices do the reassembly as they need the information contained in the first fragment, like the Port numbers.

Fragmentation also makes a DoS attack very easy to initiate: a station sending traffic that requires a lot of Fragmentation or Reassembly can kill the receiving station by overwhelming its CPU!

So Fragmentation is already avoided systematically in IPv4 for all TCP Traffic with a protocol called Path MTU Discovery!

An IPv6 router is not allowed to fragment a packet; only the source of a connection can. This includes a router if it is the head-end of a tunnel and encapsulates IPv6 in IPv6, but this is a special case.

The principle is that the station starts sending at the maximum MTU, and every time a Router cannot forward the packet because of the MTU, it drops the packet rather than fragmenting it and sends an ICMP Report providing the next Link MTU. The source sends the next packet at this MTU, and the operation may eventually be repeated.

MINIMUM MTU FOR IPv6 IS 1280 BYTES

1.3 Extension Headers

The biggest improvement which really gives IPv6 more Flexibility and Versatility is the use of daisy chained Extension Headers. Now, it becomes possible to push many headers in an IPv6 packet and as these Headers are TLV (Type, Length, Value) you can add a new Header Extension to support a new Network Layer Application.

The first great example of what we can do will be introduced in a later Module. This is for Mobile IPv6 and the derived applications.

The Extension Headers are the following and SHOULD follow this order:

• Hop-by-hop. This Option MUST be checked by each router in the path. In IPv4 we had the Router Alert to do the same, and this Router Alert is transported in this Option when needed. It is used by Multicast (IGMP or PIM), RSVP and other applications.

Router Alert Option

The Router Alert Option (RFC2711) tells the router that it must take a look at the packet. It is carried in a hop-by-hop option.

Example:

Frame 3836 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Source: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 36
    Next header: IPv6 hop-by-hop option (0x00)
    Hop limit: 1
    Source: fe80::c800:6ff:fea9:1c (fe80::c800:6ff:fea9:1c)
    Destination: ff02::1 (ff02::1)
    Hop-by-Hop Option
        Next header: ICMPv6 (0x3a)
        Length: 0 (8 bytes)
        Router alert: MLD (4 bytes)
        PadN: 2 bytes
Internet Control Message Protocol v6
    Type: 130 (Multicast listener query)
    Code: 0
    Checksum: 0x88d1 [correct]
    Maximum response delay[ms]: 10000
    Multicast Address: ::
    S Flag: OFF
    Robustness: 2
    QQI: 125

• Destination options. This Option is only checked by the Destination of the packet. Mobile IPv6 uses this Option.

If a Routing header is present, it tells each intermediate router listed what to do. If there is no Routing header, it is only for the final destination.

Example:

Frame 609 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c), Dst: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1010 0000 .... .... .... .... .... = Traffic class: 0x000000a0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 60
    Next header: IPv6 hop-by-hop option (0x00)
    Hop limit: 64
    Source: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b:c801:6ff:fea9:1c (2001:db8:c0a8:b:c801:6ff:fea9:1c)
    Hop-by-Hop Option
        Next header: IPv6 destination option (0x3c)
        Length: 0 (8 bytes)
        PadN: 6 bytes
    Destination Option
        Next header: UDP (0x11)
        Length: 0 (8 bytes)
        PadN: 6 bytes
User Datagram Protocol, Src Port: 57768 (57768), Dst Port: echo (7)
Echo

• Routing Header. 3 Types. Types 0 and 1 are now deprecated and should not be used anymore, as they are too dangerous. Type 2 is still used by Mobile IPv6.

o Type 0. There is a list of addresses in the header, and the packet must go through each of the routers listed. There is a pointer for the router to know where in the list we are. The destination IP address of the IP packet is the next hop of the source routing header. This was not the case in IPv4, where the IP source and destination addresses were not modified by source routing. It has been deprecated since RFC5095.

o Type 1 has been deprecated for a long time.

o Type 2 is used by Mobile IPv6. It is used to specify the home address of the mobile node. Only one hop!

Example of a capture. Note that the addresses used are the deprecated site-local addresses:

Frame:
+ Ethernet: Etype = IPv6
- Ipv6: Next Protocol = ICMPv6, Payload Length = 64
  + Versions: IPv6, Internet Protocol, DSCP 0
    PayloadLength: 64 (0x40)
    NextProtocol: IPv6 Routing header, 43(0x2b)
    HopLimit: 127 (0x7F)
    SourceAddress: FEC0:0:0:2:2B0:D0FF:FEE9:4133
    DestinationAddress: FEC0:0:0:2:260:97FF:FE02:578F
  - RoutingHeader:
    NextHeader: ICMPv6
    ExtHdrLen: 2(24 bytes)
    RoutingType: 0 (0x0)
    SegmentsLeft: 1 (0x1)
    Reserved: 0 (0x0)
    RouteAddress: FEC0:0:0:1:260:8FF:FE32:F9D8
Icmpv6: Echo request, ID = 0x0, Seq = 0x3d1a

• Fragment. If the Source must fragment the packet.

• IPSec Authentication (AH)

• IPSec Authentication and Encryption (ESP)

• Mobility. Used for the signaling of Mobile IPv6.

• Destination option (if routing absent)

• Jumbo Payload option. The Jumbo Payload option allows for larger datagrams than the 65,536 permitted by plain IPv6. With the Jumbo Payload option, it can be up to 4,294,967,295 octets (RFC2675).

• Upper layer
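The Next Header chain described in this section, walked by an added Python example that is not code from the book: it follows the daisy chain of an IPv6 packet, reports the Router Alert value carried in a Hop-by-Hop header and flags a Type 0 Routing Header, which RFC5095 deprecated. The two packets are constructed to mirror the two captures above (same header chain; checksums are left at zero and not verified, and the RH0 waypoint address is made up).

```python
"""Walk the daisy-chained Next Header fields of an IPv6 packet and report what a
filtering device cares about: the header order, a Router Alert (RFC 2711) inside
the Hop-by-Hop header and a deprecated Type 0 Routing Header (RFC 5095).
Added example, not code from the book; both packets below are constructed."""
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
ICMPV6, UDP = 58, 17
NAMES = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH",
         60: "Destination Options", 135: "Mobility", 58: "ICMPv6", 17: "UDP", 6: "TCP"}
ROUTER_ALERT_VALUES = {0: "MLD", 1: "RSVP", 2: "Active Networks"}

def parse_options(data):
    """TLV options of a Hop-by-Hop or Destination Options header; Pad1 is a single zero byte."""
    opts, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                       # Pad1 has no length byte
            opts.append((0, b""))
            i += 1
            continue
        length = data[i + 1]
        opts.append((kind, data[i + 2:i + 2 + length]))
        i += 2 + length
    return opts

def header_length(kind, first_two):
    """Extension header sizes: Fragment is fixed, AH counts 4-byte words, the others 8-byte units."""
    if kind == FRAGMENT:
        return 8
    if kind == AH:
        return (first_two[1] + 2) * 4
    return (first_two[1] + 1) * 8

def walk(pkt):
    """Return (chain of header names, list of findings) for one IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nxt = struct.unpack("!HB", pkt[4:7])
    chain, findings, off = [], [], 40
    if payload_len != len(pkt) - 40:
        findings.append("payload length %d but %d bytes follow the header" % (payload_len, len(pkt) - 40))
    while nxt in (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS, MOBILITY):
        if off + 8 > len(pkt):
            findings.append("truncated %s header" % NAMES[nxt])
            return chain, findings
        need = header_length(nxt, pkt[off:off + 2])
        hdr = pkt[off:off + need]
        if len(hdr) < need:
            findings.append("%s header claims %d bytes, only %d present" % (NAMES[nxt], need, len(hdr)))
            return chain, findings
        chain.append(NAMES[nxt])
        if nxt == HOP_BY_HOP:
            if off != 40:
                findings.append("Hop-by-Hop header not directly after the IPv6 header")
            for kind, value in parse_options(hdr[2:]):
                if kind == 5 and len(value) == 2:   # Router Alert option (RFC 2711)
                    alert = struct.unpack("!H", value)[0]
                    findings.append("Router Alert: %s" % ROUTER_ALERT_VALUES.get(alert, "value %d" % alert))
        elif nxt == ROUTING:
            rtype, segments_left = hdr[2], hdr[3]
            if rtype == 0:
                findings.append("Routing Header Type 0, deprecated by RFC 5095 (%d segments left)" % segments_left)
            elif rtype == 2:
                findings.append("Routing Header Type 2 (Mobile IPv6 home address)")
            else:
                findings.append("Routing Header Type %d" % rtype)
        nxt, off = hdr[0], off + need
    chain.append(NAMES.get(nxt, "protocol %d" % nxt))   # ESP or the upper layer ends the chain
    return chain, findings

def ipv6(src, dst, nxt, payload, hop_limit=64):
    """Fixed 40-byte IPv6 header (traffic class 0, flow label 0) followed by the payload."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), nxt, hop_limit)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def mld_query_packet():
    """Like the book's MLD capture: Hop-by-Hop (Router Alert = MLD, PadN 2 bytes), then ICMPv6 type 130."""
    hbh = bytes([ICMPV6, 0, 5, 2, 0, 0, 1, 0])                 # next hdr, len 0, RA option, PadN option
    mld = struct.pack("!BBHHH", 130, 0, 0, 10000, 0) + bytes(16) + struct.pack("!BBH", 2, 125, 0)
    return ipv6("fe80::c800:6ff:fea9:1c", "ff02::1", HOP_BY_HOP, hbh + mld, hop_limit=1)

def rh0_packet():
    """Like the book's Netmon capture: a 24-byte Type 0 Routing Header with one waypoint, then an ICMPv6 echo."""
    waypoint = ipaddress.IPv6Address("2001:db8:1::1").packed   # constructed address
    rh0 = bytes([ICMPV6, 2, 0, 1]) + bytes(4) + waypoint        # next hdr, ext len 2, type 0, 1 segment left
    echo = struct.pack("!BBHHH", 128, 0, 0, 0, 0x3D1A)           # checksum left at 0 (not verified here)
    return ipv6("2001:db8:2::1", "2001:db8:3::1", ROUTING, rh0 + echo)

if __name__ == "__main__":
    for pkt in (mld_query_packet(), rh0_packet()):
        chain, findings = walk(pkt)
        print(" -> ".join(chain), findings)
```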


1.4 MAC Encapsulation of IPv6 Packets

Ethernet Protocol Encapsulation

Figure: Destination Ethernet Address, Source Ethernet Address, Type 0x86DD, IPv6 Datagram.

Protocol: 0x86dd

In IPv4 it was 0x800 and 0x806 for ARP

1.4.1 Multicast MAC Address Mapping

IPv6 Multicast Address (128 bits): FF02:0:0:0:0:1:FF90:FE53

MAC Address (48 bits): 33:33:FF:90:FE:53
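The three derivations the book explains, the scope table of section 1.6, the solicited-node address that follows it, and the MAC mapping just above, as one added Python example that is not code from the book; it uses the standard ipaddress module and the book's own sample addresses.

```python
"""Three derivations from the IPv6 multicast format ff<flags><scope>::/16 (RFC 4291
section 2.7): reading the flags and scope nibbles, building the solicited-node
address ff02::1:ffXX:XXXX from a unicast address, and mapping any IPv6 multicast
address to its Ethernet destination 33:33:xx:xx:xx:xx (RFC 2464).
Added example, not code from the book; sample addresses are the book's."""
import ipaddress

# Scope nibble values as listed in the book's scope table.
SCOPES = {1: "Interface-local (Node-local)", 2: "Link-local", 4: "Admin-local",
          5: "Site-local", 8: "Organization-local", 0xE: "Global"}

def _multicast(text):
    addr = ipaddress.IPv6Address(text)
    if not addr.is_multicast:                      # anything outside ff00::/8
        raise ValueError("%s is not an IPv6 multicast address" % addr)
    return addr

def multicast_info(text):
    """Return (flags, scope, scope name). In the flags nibble 0x4 is R (embedded RP),
    0x2 is P (unicast-prefix based) and 0x1 is T (transient, not IANA assigned)."""
    second = _multicast(text).packed[1]
    flags, scope = second >> 4, second & 0x0F
    return flags, scope, SCOPES.get(scope, "reserved or unassigned (%x)" % scope)

def router_forwards(text):
    """Interface-local and link-local scopes (1 and 2) never cross a router;
    wider scopes do unless an ACL stops them, as the book notes."""
    return multicast_info(text)[1] > 2

def solicited_node(unicast):
    """ff02::1:ff00:0/104 followed by the low 24 bits of the unicast or anycast address."""
    low24 = ipaddress.IPv6Address(unicast).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low24)

def multicast_mac(text):
    """Ethernet MAC for an IPv6 multicast group: 33:33 followed by the low 32 bits of the group."""
    return "33:33:" + ":".join("%02X" % b for b in _multicast(text).packed[-4:])

if __name__ == "__main__":
    unicast = "2001:DB8:DC28::FC57:D4C8:1FFF"      # the book's example
    group = solicited_node(unicast)
    print(unicast, "->", group, "->", multicast_mac(str(group)))
    for g in ("ff02::1", "ff02::1:2", "ff05::1:3", "ff7e:140:2001:db8::1"):
        print(g, multicast_info(g), "forwarded by routers:", router_forwards(g))
```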


5 IPv6 ICMP & Neighbor Discovery

IPv6 ICMP is very similar to IPv4, but Neighbor Discovery, which is encapsulated in ICMPv6, brings many IPv6 key features such as Address Autoconfiguration, Default Router Discovery, or simple functions like an optimized version of ARP!


Topics

1. ICMPv6
   1. Introduction
   2. Error Messages
   3. Echo
   4. Options

2. Neighbor Discovery Protocol
   1. Introduction
   2. ND Packets and Options
   3. Neighbor Discovery (ND)
   4. Duplicate Address Discovery (DAD)
   5. Neighbor Unreachability Detection (NUD)
   6. Router Discovery (RD)
   7. Autoconfig (SLAAC)


Section 1

ICMPv6 & ND


1 IPv6 ICMP

1.1 Introduction

Figure: ICMPv6 message format: Type (8 bits), Code (8 bits), Checksum (16 bits), Message Body.

ICMPv6 can be used to report problems and to ping a destination.

The Type identifies which kind of packet, which problem we want to report, such as a "Destination Unreachable" or "Echo Request".

The Code gives more details about the problem. Why is the destination unreachable? Is the problem with the destination address, a port, or filtering by an ACL? When ICMP is used to transport other protocols like "Neighbor Discovery" (next chapter), the code is null.

ICMPv6 manages much more in IPv6 than its IPv4 counterpart. For instance, Neighbor Discovery and Multicast Listener Discovery are now part of ICMPv6.

Much ICMP Information is provided in some standard ICMP Options which are Mandatory with some requests.

1.2 ICMP Error Messages

Error Messages:
Destination Unreachable (Type 1)
Packet Too Big (Type 2)
Time Exceeded (Type 3)
Parameter Problem (Type 4)

1.2.1 ICMPv6 Destination Unreachable (Type 1)

    Payload length: 1960
    Next header: IPv6 hop-by-hop option (0x00)
    Hop limit: 64
    Source: 2001:db8::1 (2001:db8::1)
    Destination: 2001:db8::2 (2001:db8::2)
    Hop-by-Hop Option
        Next header: IPv6 destination option (0x3c)
        Length: 0 (8 bytes)
        PadN: 6 bytes
    Destination Option
        Next header: UDP (0x11)
        Length: 0 (8 bytes)
        PadN: 6 bytes
User Datagram Protocol, Src Port: 56486 (56486), Dst Port: echo (7)
    Source port: 56486 (56486)
    Destination port: echo (7)
    Length: 1944
    Checksum: 0xa5bd [unchecked, not all data available]
Echo

1.2.2 Packet Too Big (Type 2)

When a datagram is too big to be switched on an interface, an ICMP Packet Too Big message must be sent back to the sender. The MTU of the outgoing link is provided.

Frame:
+ Ethernet: Etype = IPv6
- Ipv6: Next Protocol = ICMPv6, Payload Length = 1240
  + Versions: IPv6, Internet Protocol, DSCP 0
    PayloadLength: 1240 (0x4D8)
    NextProtocol: ICMPv6, 58(0x3a)
    HopLimit: 64 (0x40)
    SourceAddress: FEC0:0:0:F282:201:2FF:FE44:87D1
    DestinationAddress: FEC0:0:0:F282:2B0:D0FF:FEE9:4143
- Icmpv6: Packet too big
    MessageType: Packet too big, 2(0x2)
  - PacketTooBig:
    Code: 0 (0x0)
    Checksum: 44349 (0xAD3D)
    MTU: 1280 (0x500)
  - InvokingPacket: Next Protocol = ICMPv6, Payload Length = 1460
    + Versions: IPv6, Internet Protocol, DSCP 0
      PayloadLength: 1460 (0x5B4)
      NextProtocol: ICMPv6, 58(0x3a)
      HopLimit: 63 (0x3F)
      SourceAddress: FEC0:0:0:F282:2B:D0FF:FEE9:4143
      DestinationAddress: FEC0:0:0:0:fredoc0:0:0:1

1.2.3 Time Exceeded (Type 3)

If Code = 0. Hop Limit Exceeded in Transit.

If Code = 1. Fragment Reassembly Time Exceeded. The receiving station could not reassemble the original datagram within 60 seconds.

1.2.4 Parameter Problem (Type 4)

Code

0 - Erroneous header field encountered

1 - Unrecognized Next Header type encountered

2 - Unrecognized IPv6 option encountered

1.3 ICMPv6 Informational Messages

1.3.1 ICMPv6 Echo Request (Type 128)

Frame 5219 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c), Dst: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Destination: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Source: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 60
    Next header: ICMPv6 (0x3a)
    Hop limit: 64
    Source: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b:c801:6ff:fea9:1c (2001:db8:c0a8:b:c801:6ff:fea9:1c)
Internet Control Message Protocol v6
    Type: 128 (Echo request)
    Code: 0
    Checksum: 0x401b [correct]
    ID: 0x062b
    Sequence: 0x0002
    Data (52 bytes)

1.3.2 Echo Reply (Type 129)

Please note that in IPv6 the packet which triggers the MAC Address resolution is not dropped but buffered, waiting for the resolution. This could be a potential target for a DoS attack, but you can see ping reached 100% even the first time you ping a destination.

Frame 5220 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Destination: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 60
    Next header: ICMPv6 (0x3a)
    Hop limit: 64
    Source: 2001:db8:c0a8:b:c801:6ff:fea9:1c (2001:db8:c0a8:b:c801:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
Internet Control Message Protocol v6
    Type: 129 (Echo reply)
    Code: 0
    Checksum: 0x3f1b [correct]
    ID: 0x062b
    Sequence: 0x0002
    Data (52 bytes)

R0>ping 2001:DB8:C0A8:B:C801:6FF:FEA9:1C

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:DB8:C0A8:B:C801:6FF:FEA9:1C, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/19/32 ms

1.4 Other Protocols supported by ICMP

ICMPv6 also supports Neighbor Discovery, SEcure Neighbor Discovery (SeND), MLDv1 and MLDv2 for Multicast.

We are going to study ND in the next paragraph and Multicast later in this book.

This will be an Intro to Multicast for IPv6 only as I will develop Multicast for IPv6 in another book.


2 Neighbor Discovery Protocol

2.1 Introduc5onIPv6 Nodes on the same link use NDP (rfc4861, rfc4862) to discover each other’s presence and link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors. Both hosts and routers use NDP.

Its functions include Neighbor Discovery (ND) with MAC (Layer 2) Address Resolution, Router Discovery (RD), Address Autoconfiguration, Neighbor Unreachability Detection (NUD), Duplicate Address Detection (DAD), and Redirection. It is much more sophisticated than ARP was and uses a Finite State Machine (FSM) to manage its Neighbor Cache.

2.1.1 NDP uses 5 messages (PDUs) and 5 Options.

2.1.1.1 The 5 base PDUs are:

Neighbor Solicitation (NS) / Neighbor Advertisement (NA)

Router Solicitation (RS) / Router Advertisement (RA)

Redirect

2.1.1.2 The 5 Options:

Source Link-Layer Address (SLLA). Option 1

Target Link-Layer Address (TLLA). Option 2

Prefix Information. Option 3

Redirected Header. Option 4

MTU. Option 5

2.2 ND  PACKETS  AND  OPTIONS

2.2.1 ND  Packets

2.2.2 Router Solicitation

Sent by a host to get information from local routers.

MAC Layer Source MAC Address is NIC address

Destination is all routers MAC address 33-33-00-00-00-02

IPv6 Layer Link local or unspecified IPv6 address.

Link local all routers IPv6 address

ICMPv6 Layer Type 133 Code 0

ICMPv6 Checksum

Source Link-Layer Address option

ICMPv6 Option (Source link-layer address)
    Type: Source link-layer address (1)
    Length: 8
    Link-layer address: ca:02:06:a9:00:54



2.2.3 Router Advertisement

Sent on a regular basis or as an answer to a router solicitation.

Ethernet Layer Source MAC of the sending NIC

Destination will be 33-33-00-00-00-01 or unicast

IPv6 Layer Link local source

Destination will be all-nodes: FF02::1 or the unicast address of the station which has sent the Router Solicitation

Hop Limit 255

ICMPv6 Layer

Router Advertisement Type 134

Code 0

Checksum ICMPv6

Current Hop Limit

Managed Address Configuration Flag for Stateful DHCPv6.

Other Stateful Configuration Flag for Stateless DHCPv6

Router Lifetime

Retransmission timer

Source Link-Layer Address Option

MTU Option

Prefix Information Options

Advertisement Interval Option

Home Agent Information Option for Mobile IPv6

Frame 5801 (118 bytes on wire, 118 bytes captured)

2.2.4 Neighbor Solicitation

Source Address. Either an address assigned to the interface from which this message is sent or (if Duplicate Address Detection is in progress) the unspecified address.

Destination Address. Either the solicited-node multicast address corresponding to the target address, or the target address.

Hop Limit is 255

ICMPv6 Layer Type 135

Code 0

Target Address

Possible Option:

Source Link-Layer Address Option

Used to ask the link layer address of a neighbor

Frame 5344 (86 bytes on wire, 86 bytes captured)
Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Destination: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
    Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c801:6ff:fea9:1c (fe80::c801:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
Internet Control Message Protocol v6
    Type: 135 (Neighbor solicitation)
    Code: 0
    Checksum: 0x6230 [correct]
    Target: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
    ICMPv6 Option (Source link-layer address)
        Type: Source link-layer address (1)
        Length: 8
        Link-layer address: ca:01:06:a9:00:1c

2.2.5 Neighbor Advertisement

They can be solicited or unsolicited.

ICMPv6 Layer

Type 136

Code 0

Router Flag if this is a Router

Solicited flag if this is an answer to a Solicitation

Override Flag if it must override an entry in the cache

Target Address. For solicited advertisements, the Target Address field in the Neighbor Solicitation message that prompted this advertisement. For an unsolicited advertisement, the address whose link-layer address has changed. The Target Address MUST NOT be a multicast address.

Possible Option:

Target Link-Layer Address Option

2.2.6 Redirect

Inform a neighbor of a better next hop to reach a particular destination. Redirect messages can be dangerous and can be ignored by configuration on most platforms (Windows, MAC OS X, Linux).


2.2.7 Neighbor Discovery Options

2.2.7.1 Source Link-Layer Address Option

It is used by Neighbor Solicitation and Router Advertisement.

Frame 56 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: ca:02:06:a9:00:54 (ca:02:06:a9:00:54), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Source: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 64
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
    Destination: ff02::1 (ff02::1)
Internet Control Message Protocol v6
    Type: 134 (Router advertisement)
    Code: 0
    Checksum: 0x9040 [correct]
    Cur hop limit: 64
    Flags: 0x00
    Router lifetime: 1800
    Reachable time: 0
    Retrans timer: 0
    ICMPv6 Option (Source link-layer address)
        Type: Source link-layer address (1)
        Length: 8
        Link-layer address: ca:02:06:a9:00:54
    ICMPv6 Option (MTU)
        Type: MTU (5)
        Length: 8
        MTU: 1500
    ICMPv6 Option (Prefix information)
        Type: Prefix information (3)
        Length: 32
        Prefix length: 64
        Flags: 0xc0
        Valid lifetime: 2592000
        Preferred lifetime: 604800
        Prefix: 2001:db8:c0a8:3::

2.2.7.2 Target Link-Layer Address Option

It is used by Neighbor Advertisement and Redirect packets.

Frame 25 (86 bytes on wire, 86 bytes captured)

Ethernet II, Src: ca:01:06:a9:00:54 (ca:01:06:a9:00:54), Dst: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Destination: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Source: ca:01:06:a9:00:54 (ca:01:06:a9:00:54)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c801:6ff:fea9:54 (fe80::c801:6ff:fea9:54)
    Destination: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
Internet Control Message Protocol v6
    Type: 136 (Neighbor advertisement)
    Code: 0
    Checksum: 0x5f24 [correct]
    Flags: 0xe0000000
    Target: fe80::c801:6ff:fea9:54 (fe80::c801:6ff:fea9:54)
    ICMPv6 Option (Target link-layer address)
        Type: Target link-layer address (2)
        Length: 8
        Link-layer address: ca:01:06:a9:00:54

2.2.7.3 Prefix Information Option

Can be sent with a Router Advertisement to advertise Prefixes. More than one prefix can be included.

Type. 3

Length. 4.

Prefix Length. 8 bits. Generally 64.

On-Link Flag. 1 bit. If set, the prefix can be used for on-link determination: addresses in this prefix are reachable directly on the link.

Autonomous Flag. 1 bit. If set, the prefix must be used to derive an address during SLAAC.

Router Address Flag. Defined in RFC 3775 for Mobile IPv6.

Site Prefix Flag.

Valid Lifetime. How long the address derived from this prefix is Valid without any refresh before the address is removed from the interface. A value of all one bits represents infinity (for Static Addresses).

Preferred Lifetime. If not refreshed and the Preferred Timer expires, the address becomes deprecated and cannot be used to establish a new connection, but the address is still valid for existing connections. A value of all one bits represents infinity (for Static Addresses).

Frame 56 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: ca:02:06:a9:00:54 (ca:02:06:a9:00:54), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
    Source: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 64
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
    Destination: ff02::1 (ff02::1)
Internet Control Message Protocol v6
    Type: 134 (Router advertisement)
    Code: 0
    Checksum: 0x9040 [correct]
    Cur hop limit: 64
    Flags: 0x00
    Router lifetime: 1800
    Reachable time: 0
    Retrans timer: 0
    ICMPv6 Option (Source link-layer address)
        Type: Source link-layer address (1)
        Length: 8
        Link-layer address: ca:02:06:a9:00:54
    ICMPv6 Option (MTU)
        Type: MTU (5)
        Length: 8
        MTU: 1500
    ICMPv6 Option (Prefix information)
        Type: Prefix information (3)
        Length: 32
        Prefix length: 64
        Flags: 0xc0
        Valid lifetime: 2592000
        Preferred lifetime: 604800
        Prefix: 2001:db8:c0a8:3::

2.2.7.4 Redirected Header Option

It is only used in the ND Redirect packet

Frame 92 (214 bytes on wire, 214 bytes captured)
Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:02:06:a9:00:1c (ca:02:06:a9:00:1c)
    Destination: ca:02:06:a9:00:1c (ca:02:06:a9:00:1c)
    Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    0110 .... = Version: 6
    .... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 160
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: fe80::c801:6ff:fea9:1c (fe80::c801:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:b::1 (2001:db8:c0a8:b::1)
Internet Control Message Protocol v6
    Type: 137 (Redirect)
    Code: 0
    Checksum: 0xd231 [correct]
    Target: 2001:db8:c0a8:a:c800:6ff:fea9:1c (2001:db8:c0a8:a:c800:6ff:fea9:1c)
    Destination: 2001:db8:c0a8:a:c800:6ff:fea9:1c (2001:db8:c0a8:a:c800:6ff:fea9:1c)
    ICMPv6 Option (Target link-layer address)
        Type: Target link-layer address (2)
        Length: 8
        Link-layer address: ca:00:06:a9:00:1c
    ICMPv6 Option (Redirected header)
        Type: Redirected header (4)
        Length: 112
        Reserved: 0 (correct)
        Redirected packet
            Internet Protocol Version 6
                0110 .... = Version: 6
                .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
                .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
                Payload length: 60
                Next header: ICMPv6 (0x3a)
                Hop limit: 63
                Source: 2001:db8:c0a8:b::1 (2001:db8:c0a8:b::1)
                Destination: 2001:db8:c0a8:a:c800:6ff:fea9:1c (2001:db8:c0a8:a:c800:6ff:fea9:1c)
            Internet Control Message Protocol v6
                Type: 128 (Echo request)
                Code: 0
                Checksum: 0xbce7 [correct]
                ID: 0x22ef
                Sequence: 0x0004
                Data (52 bytes)


2.2.7.5 MTU Option

The MTU option is used in the ICMPv6 Packet too big and in the ND Router Advertisement.

Ethernet II, Src: ca:02:06:a9:00:54 (ca:02:06:a9:00:54), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)

Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)

Source: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)

Type: IPv6 (0x86dd)

Internet Protocol Version 6

0110 .... = Version: 6

.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0

.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000

Payload length: 64

Next header: ICMPv6 (0x3a)

Hop limit: 255

Source: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)

Destination: ff02::1 (ff02::1)

Internet Control Message Protocol v6

Type: 134 (Router advertisement)

Code: 0

Checksum: 0x9040 [correct]

Cur hop limit: 64

Flags: 0x00

Router lifetime: 1800

Reachable time: 0

Retrans timer: 0

ICMPv6 Option (Source link-layer address)

Type: Source link-layer address (1)

Length: 8

Link-layer address: ca:02:06:a9:00:54

ICMPv6 Option (MTU)

Type: MTU (5)

Length: 8

MTU: 1500

ICMPv6 Option (Prefix information)

Type: Prefix information (3)

Length: 32

Prefix length: 64

Flags: 0xc0

Valid lifetime: 2592000

Preferred lifetime: 604800

Prefix: 2001:db8:c0a8:3::

2.2.7.6 Route Information Option

Sent in Router Advertisement (see RFC 4191).

It is used to give a preference to a router and to advertise routes (a router SHOULD NOT send more than 17 routes). It SHOULD NOT be a default behavior.

Possible Option: Route Information. You can also advertise a more specific route in a Route Information option.

2.2.7.7 DNS  Server  Op>on

DNS Server address can also be advertised in RA (RFC 5006):

This is a very simple option with Length, Lifetime and the addresses of all the DNS Servers.

So you do not need to setup DHCPv6 Lite to advertise the DNS Server Address!

With Linux it can be advertised by radvd daemon.
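Added example (my own code, not the book's): a small builder/parser for the ND messages and the five options described in this chapter, including the ICMPv6 pseudo-header checksum behind the "[correct]" in the captures and the Hop Limit 255 check. It rebuilds the Router Advertisement of Frame 56 above (same source, SLLA, MTU and Prefix Information values); the function names are my own.

```python
import struct
import ipaddress

ICMPV6_NEXT_HEADER = 0x3A
ND_NAMES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement", 137: "Redirect"}
# Length of the fixed part of each ND message; the options start right after it.
FIXED_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}


def icmpv6_checksum(src, dst, msg):
    """RFC 4443 checksum: IPv6 pseudo-header (src, dst, length, next header) + message.
    Over a message that already carries a correct checksum the result is 0 (Wireshark's
    "[correct]")."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!IxxxB", len(msg), ICMPV6_NEXT_HEADER))
    data = pseudo + msg + (b"\x00" if len(msg) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold the carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def decode_option(otype, body):
    """Decode one ND option; body is the option minus its type and length bytes."""
    if otype in (1, 2):                      # Source / Target Link-Layer Address
        return {"type": otype, "lladdr": ":".join("%02x" % b for b in body[:6])}
    if otype == 3:                           # Prefix Information (L = 0x80, A = 0x40)
        plen, flags, valid, pref, prefix = struct.unpack("!BBII4x16s", body)
        return {"type": 3, "prefix": str(ipaddress.IPv6Address(prefix)), "prefix_len": plen,
                "on_link": bool(flags & 0x80), "autonomous": bool(flags & 0x40),
                "valid": valid, "preferred": pref}
    if otype == 4:                           # Redirected Header: 6 reserved bytes, then packet
        return {"type": 4, "redirected_packet": body[6:]}
    if otype == 5:                           # MTU: 2 reserved bytes, then the MTU
        return {"type": 5, "mtu": struct.unpack("!2xI", body)[0]}
    return {"type": otype, "raw": body}      # unknown options are skipped, not fatal


def parse_options(data):
    opts, off = [], 0
    while off < len(data):
        if len(data) - off < 2 or data[off + 1] == 0:
            raise ValueError("option length 0 or truncated: RFC 4861 says drop the packet")
        end = off + data[off + 1] * 8        # length field counts units of 8 bytes
        if end > len(data):
            raise ValueError("option runs past the end of the message")
        try:
            opts.append(decode_option(data[off], data[off + 2:end]))
        except struct.error:
            raise ValueError("option body has the wrong length for its type")
        off = end
    return opts


def parse_nd(src, dst, hop_limit, msg):
    """Validate and decode one ND message; raises ValueError on anything a node must drop."""
    if hop_limit != 255:
        raise ValueError("hop limit %d: ND packets must arrive with 255" % hop_limit)
    if icmpv6_checksum(src, dst, msg) != 0:
        raise ValueError("bad ICMPv6 checksum")
    mtype, code = msg[0], msg[1]
    if mtype not in FIXED_LEN or code != 0 or len(msg) < FIXED_LEN[mtype]:
        raise ValueError("not a well-formed ND message")
    out = {"type": mtype, "name": ND_NAMES[mtype]}
    if mtype == 134:
        cur_hop, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", msg[4:16])
        out.update(cur_hop_limit=cur_hop, managed=bool(flags & 0x80), other=bool(flags & 0x40),
                   router_lifetime=lifetime, reachable_time=reachable, retrans_timer=retrans)
    elif mtype in (135, 136):
        out["target"] = str(ipaddress.IPv6Address(msg[8:24]))
        if mtype == 136:                     # R, S, O flags are the top bits of the word
            out.update(router=bool(msg[4] & 0x80), solicited=bool(msg[4] & 0x40),
                       override=bool(msg[4] & 0x20))
    elif mtype == 137:
        out["target"] = str(ipaddress.IPv6Address(msg[8:24]))
        out["destination"] = str(ipaddress.IPv6Address(msg[24:40]))
    out["options"] = parse_options(msg[FIXED_LEN[mtype]:])
    return out


def build_ra(src, src_mac, prefix, prefix_len, valid, preferred, mtu,
             cur_hop=64, flags=0, lifetime=1800, dst="ff02::1"):
    """Router Advertisement with SLLA, MTU and Prefix Information options, checksummed."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, cur_hop, flags, lifetime, 0, 0)
    slla = struct.pack("!BB6s", 1, 1, mac_bytes(src_mac))
    mtu_opt = struct.pack("!BB2xI", 5, 1, mtu)
    pio = struct.pack("!BBBBII4x16s", 3, 4, prefix_len, 0xC0, valid, preferred,
                      ipaddress.IPv6Address(prefix).packed)
    msg = bytearray(hdr + slla + mtu_opt + pio)
    struct.pack_into("!H", msg, 2, icmpv6_checksum(src, dst, bytes(msg)))
    return bytes(msg)


if __name__ == "__main__":
    ra_src = "fe80::c802:6ff:fea9:54"
    ra = build_ra(ra_src, "ca:02:06:a9:00:54", "2001:db8:c0a8:3::", 64, 2592000, 604800, 1500)
    print(len(ra), "bytes of ICMPv6 payload")
    print(parse_nd(ra_src, "ff02::1", 255, ra))
```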

2.3 Neighbor Discovery

IPv6 uses ND to manage its Neighbor Cache. This includes resolving the MAC Address of the Neighbor and checking its Reachability (NUD).

Neighbor Discovery uses Neighbor Solicitation (NS) and Neighbor Advertisements (NA).

NS are used to discover the Neighbor MAC Address, to check if our new address is a DUPlicate or to check if a Neighbor is still Reachable (NUD).


2.3.1 MAC Address Resolution

When a host needs to send a packet to a destination, it verifies if it is a Neighbor. In this case it sends the packet directly to the Neighbor. There is an algorithm to check if the destination is a Neighbor as there can be many prefixes on the same cable.

Once this is verified, the host creates an entry with state INCOMPLETE and the IPv6 Address of the destination in the Neighbor cache and sends a Neighbor Solicitation to its Solicited Node Multicast Address. The NS contains the MAC Address of the Requester in the SLLA Option to save the reverse operation (below in Red).

Example of NS/NA between two UBUNTU Hosts

2.3.1.1 Neighbor Solicitation

Internet Protocol Version 6, Src: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef), Dst: ff02::1:ff8c:e4ac (ff02::1:ff8c:e4ac)

0110 .... = Version: 6

.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000

.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000

Payload length: 32

Next header: ICMPv6 (0x3a)

Hop limit: 255

Source: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef)

[Source SA MAC: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)]

Destination: ff02::1:ff8c:e4ac (ff02::1:ff8c:e4ac)

Internet Control Message Protocol v6

Type: Neighbor Solicitation (135)

Code: 0

Checksum: 0xc88d [correct]

Reserved: 00000000

Target Address: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac

ICMPv6 Option (Source link-layer address : f4:ca:e5:44:10:ef)

Type: Source link-layer address (1)

Length: 1 (8 bytes)

Link-layer address: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)

2.3.1.2 Neighbor Advertisement

Internet Protocol Version 6, Src: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac, Dst: fe80::f6ca:e5ff:fe44:10ef
    0110 .... = Version: 6
    .... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
    .... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac (2a01:e35:2f26:d340:e:6a75:6c8c:e4ac)
    Destination: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef)
    [Destination SA MAC: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)]
Internet Control Message Protocol v6

Type: Neighbor Advertisement (136)

Code: 0

Checksum: 0xe1ad [correct]

Flags: 0x60000000

0... .... .... .... .... .... .... .... = Router: Not set

.1.. .... .... .... .... .... .... .... = Solicited: Set

..1. .... .... .... .... .... .... .... = Override: Set

...0 0000 0000 0000 0000 0000 0000 0000 = Reserved: 0

Target Address: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac

ICMPv6 Option (Target link-layer address : 00:0c:29:30:33:86)

Type: Target link-layer address (2)

Length: 1 (8 bytes)

Link-layer address: Vmware_30:33:86 (00:0c:29:30:33:86)

Please note the Flags in the NA: a Router bit if we are a Router, a Solicited bit if this is a reply to a solicitation using NS, and the Override bit to enable the replacement of a cache entry! This is why the display of your neighbor cache table tells you if an entry is a Router.

The requester provides its MAC address in the SLLA Option. The replier provides its MAC address in the TLLA Option.

Once it has received an answer, it updates the Neighbor MAC Address from the reply and sets the neighbor state as REACHable.


If the Neighbor does not reply, it retries MAX_UNICAST_SOLICIT (default: 3) times with a configured interval of RETRANS_TIMER (default: 1 second) between two requests, and if no reply is received, it clears the entry in the Cache.

2.4 Duplicate Address Detection (DAD)

This process is used when an interface is coming up or every time a new address is added on an IPv6 Interface.

Its purpose is to check that the new address is not a Duplicate Address. It is a local process so the checking is only done on the link where the address is added.

This is a very simple process that is just to send a NS to our own Solicited Node Multicast Address to request the MAC Address of our newly configured address.

We expect NO ANSWER.

If somebody does, it means that another node on the Network already has this address and my Address is a DUP.

If no NA is received, we send a NA to claim the Address for ourselves and initialize the address.

We can see the DAD process in the capture at the very beginning, using the unspecified source address (::).

DAD Example on a CISCO Router:

ICMPv6-ND: L3 came up on GigabitEthernet0/2
IPv6-Addrmgr-ND: DAD request for 2000:1::1 on GigabitEthernet0/2
ICMPv6-ND: Sending NS for 2000:1::1 on GigabitEthernet0/2
IPv6-Addrmgr-ND: DAD: 2000:1::1 is unique.
ICMPv6-ND: Sending NA for 2000:1::1 on GigabitEthernet0/2
IPv6-Address: Address 2000:1::1/64 is up on GigabitEthernet0/2

DAD ATTACK:💀💀

The DAD process can be the target of a local attacker. The bad guy just listens to all the Neighbor Solicitation messages and replies to all of them as if all addresses were already in use. DAD fails and the interface is disabled for IPv6. You can get a tool which performs a DAD attack from the THC web site: http://www.thc.org/thc-ipv6/
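Added example (my own code, not the book's): detection logic a defender could run over a feed of ND events to flag the DAD attack just described (one MAC answering DAD probes for many different tentative addresses) and, as a companion check, any RA from a MAC that is not a known router (the rogue RA the SLAAC section warns about). The event records and the MAC de:ad:be:ef:00:01 are constructed; the known router MAC is the RA source from the captures above.

```python
from collections import defaultdict

# Constructed ND event feed (not a capture from the book), as a monitoring sensor might
# produce it: (time, src_ip, src_mac, icmpv6_type, target). A DAD probe is an NS whose
# IPv6 source is the unspecified address "::"; a claim is the NA for that target.
ATTACKER = "de:ad:be:ef:00:01"            # placeholder MAC for the hostile node
ND_EVENTS = [
    (0.0, "::", "00:11:22:33:44:01", 135, "2001:db8:c0a8:3:211:22ff:fe33:4401"),
    (0.1, "2001:db8:c0a8:3:211:22ff:fe33:4401", ATTACKER, 136, "2001:db8:c0a8:3:211:22ff:fe33:4401"),
    (1.0, "::", "00:11:22:33:44:02", 135, "2001:db8:c0a8:3:211:22ff:fe33:4402"),
    (1.1, "2001:db8:c0a8:3:211:22ff:fe33:4402", ATTACKER, 136, "2001:db8:c0a8:3:211:22ff:fe33:4402"),
    (2.0, "::", "00:11:22:33:44:03", 135, "2001:db8:c0a8:3:211:22ff:fe33:4403"),
    (2.1, "2001:db8:c0a8:3:211:22ff:fe33:4403", ATTACKER, 136, "2001:db8:c0a8:3:211:22ff:fe33:4403"),
    # a genuine duplicate: one host defending the single address it really owns
    (3.0, "::", "00:11:22:33:44:04", 135, "2001:db8:c0a8:3::10"),
    (3.1, "2001:db8:c0a8:3::10", "00:11:22:33:44:05", 136, "2001:db8:c0a8:3::10"),
    # Router Advertisements: one from the book's router, one from the hostile node
    (4.0, "fe80::c802:6ff:fea9:54", "ca:02:06:a9:00:54", 134, None),
    (5.0, "fe80::dcad:beff:feef:1", ATTACKER, 134, None),
]
KNOWN_ROUTERS = {"ca:02:06:a9:00:54"}     # RA source MAC seen in the captures above


def detect_dad_attack(events, threshold=3):
    """Map each MAC to the DAD-probed addresses it claimed and keep only MACs that
    claimed at least `threshold` distinct ones: a real node defends the one address
    it owns, not every address anybody tries to configure on the link."""
    probed = set()
    claims = defaultdict(set)
    for _, src, mac, mtype, target in events:
        if mtype == 135 and src == "::":
            probed.add(target)
        elif mtype == 136 and target in probed:
            claims[mac].add(target)
    return {mac: sorted(t) for mac, t in claims.items() if len(t) >= threshold}


def detect_rogue_ra(events, known_routers):
    """MACs that sent a Router Advertisement without being an authorized router."""
    return sorted({mac for _, _, mac, mtype, _ in events
                   if mtype == 134 and mac not in known_routers})


if __name__ == "__main__":
    print("DAD attack suspects:", detect_dad_attack(ND_EVENTS))
    print("rogue RA sources:", detect_rogue_ra(ND_EVENTS, KNOWN_ROUTERS))
```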

2.5 Neighbor Unreachability Detection (NUD)

As long as the host communicates with this Neighbor, the Upper Layer will reset the Reachable Timer so it is never reached and the Neighbor remains in the REACHABLE state.

If the Upper Layer stops communication with the Neighbor for a time of the Reachable Timer (default: 30 seconds), the entry moves to a STALE state.

Then the host does nothing until a packet is sent to the Neighbor. When a packet is sent to this Neighbor, the entry is moved to the DELAY state (default: 5 seconds) to give some time for the Upper Layer protocol to check the availability of the Neighbor.

If no positive confirmation is received, the entry is moved to PROBE and the host starts sending Unicast NS to the neighbor (Probe) every Retransmit Interval (default: 1 second). After MAX_UNICAST_SOLICIT (default: 3) attempts, the Neighbor is considered Unreachable and its entry is cleared from the Cache.

FIGURE 6.16 Address Autoconfiguration States (Tentative, Preferred, Deprecated, Invalid; Preferred Lifetime and Valid Lifetime)

FIGURE 6.11 NA Sent during DAD Process (UBUNTU)

FIGURE 6.10 Full DAD Process and UBUNTU Interface Startup

FIGURE 6.9 NS Sent during DAD Process (UBUNTU)

2.6 Router Discovery

By default the hosts do not have to configure a default router. This is done automatically thanks to the ND Protocol.

The Routers send Unsolicited Router Advertisements on a regular basis (min interval is 3 seconds).

The hosts listen to the RA to refresh prefixes or update some parameters.

When a host is booting and needs RA Information immediately, it sends a Router Solicitation message to the All Routers Multicast Address FF02::2.

The RA contains the following information:

o Default Link Parameters (Default Hop Limit, MTU)

o Neighbor Unreachability Detection Parameters: the Reachable Timer and the Retransmit Interval. The value zero means unspecified, which actually means that the configured information on the hosts must not be changed by the RA.

o Prefixes available on the Link, with Timers and Flags for each Prefix about Autoconfiguration (SLAAC, Stateless Address Autoconfiguration).

o If the Router is a Candidate as Default Gateway (Lifetime, Preference). The Lifetime parameter only says how long this advertisement remains valid, without being refreshed, for using this router as a default Router Candidate. A RA with Lifetime=0 means: "stop using me as your default router immediately"!

o Router IPv6 and MAC Addresses

o DNS Server Addresses (RFC6106)

o If DHCPv6 is available in the Network and if it must be used to configure Addresses and Everything, or Everything but Addresses.

o If the Router is a Home Agent (Mobile IPv6).

2.7 Autoconfiguration (SLAAC)

If you have 2 minutes to follow the whole process, you can follow this quick presentation (Flash Video):

http://www.ipv6forlife.com/Tutorial/IPv6Startup.html

And if you have 30 minutes and prefer to have all the details of Autoconfig with IPv6, get this .mov video presentation of Autoconfig on the Web, which is the long version of the short Flash presentation, as it lasts about 30 minutes:

http://www.youtube.com/watch?v=1DnDqxA7c_g

It is also on slideshare

The whole process is summarized on the next two figures from start when the interface is starting to stop when it is ready or disabled!


2.7.1 Introduction

An IPv6 node must be able to configure its Network Access unattended with or without the presence of Routers on the Link(s).

Autoconfiguration was one of the main requirements for IPv6 since day 1.

In any case, unless it is disabled (on Linux), the Workstation performs Stateless Address Autoconfiguration (SLAAC) when the Interfaces come up.

But a DHCPv6 server can be added to configure addresses and additional information. This is stateful DHCPv6. Additional information without addresses is stateless DHCPv6.


A DHCPv6 Server only needs to keep state when it allocates addresses, in order to poll a Workstation which did not renew its reservation and get the reserved address back in the pool if the client fails to answer. DHCPv6 will be studied in detail later in this book. Right now we are going to focus on the Stateless Address Autoconfiguration (SLAAC) process itself. Just keep in mind that DHCPv6 cannot replace it but only complements SLAAC. For instance, a default route cannot be configured with DHCPv6.

SLAAC is stateless because no state is kept on the router when the default SLAAC is used to config-ure Addresses and any other things on the node.

2.7.2 SLAAC  Process

SLAAC is enabled by default on most platforms. I have seen some Linux distribution where it must be enabled.

It is possible to configure everything statically, and this may be interesting for some Datacenters where we have only Servers and Routers to configure. We may then want to configure the addresses manually and the default route to an HSRP or GLBP Virtual IPv6 Link-local Address, also configured statically. So you will not lose any time with protocols and don't risk anything with Rogue devices and advertisements.

For instance a Rogue RA, DNS or DHCP can be forged on the local link if an employee wants to break the Company Network. For the RA, it must be on the local link since the most ND Packets, RA included, MUST have the Hop Limit = 255 to be valid or they are dropped!

So SLAAC will be performed in most cases, and here is the full process. Between A and B is the Prefix-list verification process detailed in the next column. Let's explain it step by step, or click here for an animation:

http://www.ipv6forlife.com/Tutorial/IPv6Startup.html

2.7.2.1 Validation of the Link-local Address

The Interface is brought up or the host is booting. The interface enters the TENTATIVE mode. No user traffic can be exchanged until we reach the Stop (red) state, which is the end of the SLAAC process.

From the start, we can see that the very first step is to figure out the Link-local address with an EUI-64 or static Interface ID and to verify it using the DAD process.

We send a NS to our own Solicited Node Multicast Address for our own IPv6 address and expect no answer.

If somebody replies, our link-local address is not unique and therefore not valid, and the Interface is disabled for IPv6. Only if we use SeND do we make two more attempts before we quit and log an error! We are most probably under a DoS attack!

2.7.2.2 Send a Router Solicitation

Then, the next step is to send a RS to the All-Routers Link-Local Scope Multicast Address: FF02::2

If we don't receive any RA, we try DHCPv6 and we exit the SLAAC process.

Otherwise, we configure the IPv6 interface from the parameter received in the RA: MTU, Hop Limit, Reachable Timer and Retransmit Interval, Router Lifetime, and so on...

2.7.2.3 Check the Prefix-List

Click on the diagram or the link below for a Flash animation:

http://www.ipv6forlife.com/Tutorial/IPv6Startup.html

The next step is to examine the Prefix-List if there is any in the Router Advertisement.

If there is a list, we examine each prefix and check that the On-Link and Autonomous bit (Flag in the Capture) are set.

With each dynamic address, there are two timers: the Preferred and the Valid.

When the Preferred Timer has expired, the Address is deprecated but remains Valid until the Valid Timer expires. When the Address is deprecated, it is still there and can be used for an existing connection. On the other hand, a deprecated address cannot be used for a new connection. When the Valid Timer has expired, the address is removed from the Interface.

Then we must also check the Timers:

The Valid Timer MUST be non-null (> 0).

The Valid Timer MUST NOT be smaller than the Preferred Timer (if Preferred > Valid, the prefix is ignored).


If the bits and timers are OK, we derive an address using any of the configured modes for the Interface ID: Static, EUI-64, Random Temporary, CGA... And we check that this address is unique using DAD.

If DAD passed, we initialize the Address; otherwise the address is not used. We go to the next Prefix until there are no more, and we get back from the Prefix-list inspection Loop.

The last step is to check if we need to call a DHCPv6 Server to configure Addresses and/or Other parameters.

Once the dynamic addresses have been acquired, they must be refreshed by SLAAC or DHCPv6 or they will become invalid and vanish! Periodic RAs refresh the prefix. With DHCPv6, it is the client which renews or rebinds its address.

2.8 Renumbering

As we have seen before, with IPv6 the Prefix is not allocated to the end-user but to the SP. When you change SP, you will need to configure a new prefix in your network.

This process is Renumbering. With a good design and the right tools, it will not be a problem and will not take long to change the Prefix of your Network.

The principle of Renumbering is very simple. We have two Prefixes. One is Deprecated, and its Preferred Timer is set to 0. This way no new connection will be established on the addresses derived from this prefix. These addresses can remain Deprecated but still valid for the rest of the day, the week or even more! We need to find a reasonable timer value to enable all the users to close their sessions without forcing the disconnection.

All the new connections are established on the addresses derived from Prefixes which are still Preferred.

So, when the Valid Timer of the old Prefix finally expires and the derived addresses are removed from their interfaces, hopefully there will not be any users still using these addresses.

This is how the Renumbering process operates.

3 Additional Information about Prefix Validation in the SLAAC Process

The Configuration of CISCO Router for SLAAC

Below is how to configure the Routers for SLAAC process.


Refreshing the SLAAC Addresses Timers

•  An address which has been derived from a RA must be refreshed by new RAs advertising the same prefix.

•  The RA Interval must be consistent with the Preferred and the Valid Timers for the addresses to be refreshed in time.

ipv6 nd ra-interval (200 seconds by default)
ipv6 nd ra-lifetime (1800 seconds or 30 minutes by default)
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 nd prefix <prefix/mask> [Valid] [Preferred] [no-advertise | off-link | no-autoconfig]

•  To be used by SLAAC:

-  The On-Link and Autonomous Bits must be set.

-  If Preferred Lifetime > Valid lifetime, ignore the Prefix Information option. A node MAY wish to log a system management error in this case.


6 IPv6 is now widely distributed and is the default protocol on most if not all platforms: Windows, Linux, Mac OS, iPhone, iPad and HP laser printers talk IPv6, and many, many others... All applications and most content on the Internet are available via IPv6: Yahoo, Google, Facebook, MS and others... This is NOW!

IPv6 On Hosts and Routers

Page 46: Fred explains IPv6

IPv6 On Hosts & Cisco Routers

.1 Configuration and Checking on Hosts

.1.1 Windows

IPv6 is loaded by default and now configured as the default preferred protocol.

On Windows XP it was loaded, but you had to enable it with the netsh command "netsh interface ipv6 install".

You cannot uninstall IPv6 in Windows 7, but you can disable IPv6 on a per-adapter basis. To do this, follow these steps:

1. In Control Panel, open Network And Sharing Center.

2. Click Manage Network Connections and then double-click the connection you want to configure.

3. Clear the check box labeled Internet Protocol Version 6 (TCP/IPv6), and then click OK.

Note that if you disable IPv6 on all your network connections using the user interface method described in the preceding steps, IPv6 will still remain enabled on all tunnel interfaces and on the loopback interface.

As an alternative to using the user interface to disable IPv6 on a per-adapter basis, you can selectively disable certain features of IPv6 by creating and configuring the following DWORD registry value:

HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents

More Details:

.1.1.1 IPv6 Tools with Windows

.1.1.1.1 IPconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : ectasie.example.com

IPv6 Address. . . . . . . . . . . : 2001:db8:21da:7:713e:a426:d167:37ab

Temporary IPv6 Address. . . . . . : 2001:db8:21da:7:5099:ba54:9881:2e54

Link-local IPv6 Address . . . . . : fe80::713e:a426:d167:37ab%6

IPv4 Address. . . . . . . . . . . : 157.60.14.11

Subnet Mask . . . . . . . . . . . : 255.255.255.0

Default Gateway . . . . . . . . . : fe80::20a:42ff:feb0:5400%6

157.60.14.1

Tunnel adapter Local Area Connection* 6:

Connection-specific DNS Suffix . :

IPv6 Address. . . . . . . . . . . : 2001:db8:908c:f70f:0:5efe:157.60.14.11

Link-local IPv6 Address . . . . . : fe80::5efe:157.60.14.11%9

Site-local IPv6 Address . . . . . : fec0::6ab4:0:5efe:157.60.14.11%1

Default Gateway . . . . . . . . . : fe80::5efe:131.107.25.1%9

fe80::5efe:131.107.25.2%9

Tunnel adapter Local Area Connection* 7:

Media State . . . . . . . . . . . : Media disconnected

Connection-specific DNS Suffix . :

.1.1.1.2 Route

IPv6 Routing Table

===========================================================================

Active Routes:

If Metric Network Destination Gateway

8 286 ::/0 fe80::3cec:bf16:505:eae6

1 306 ::1/128 On-link

8 38 2001:db8::/64 On-link

8 286 2001:db8::4074:2dce:b313:7c65/128 On-link

8 286 2001:db8::b500:734b:fe5b:3945/128 On-link

8 286 fe80::/64 On-link

17 296 fe80::5efe:10.0.0.3/128 On-link

8 286 fe80::b500:734b:fe5b:3945/128 On-link

1 306 ff00::/8 On-link

8 286 ff00::/8 On-link

===========================================================================

DisabledComponents registry value: flag bits

Flag low-order bit   Result of setting this bit to a value of 1
0                    Disables all IPv6 tunnel interfaces, including ISATAP, 6to4 and Teredo tunnels
1                    Disables all 6to4-based interfaces
2                    Disables all ISATAP-based interfaces
3                    Disables all Teredo-based interfaces
4                    Disables IPv6 over all non-tunnel interfaces, including LAN and PPP interfaces
5                    Modifies the default prefix policy table* to prefer IPv4 over IPv6 when attempting connections

.1.1.1.3 Ping

f:\>ping 2001:db8:1:f282:dd48:ab34:d07c:3914

Pinging 2001:db8:1:f282:dd48:ab34:d07c:3914 from 2001:db8:1:f282:3cec:bf16:505:eae6 with 32 bytes of data:
Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms

Ping statistics for 2001:db8:1:f282:dd48:ab34:d07c:3914:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

.1.1.1.4 Tracert

F:\>tracert 2001:db8:1:f282:dd48:ab34:d07c:3914

Tracing route to 2001:db8:1:f282:dd48:ab34:d07c:3914 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  2001:db8:1:f241:2b0:d0ff:fea4:243d
  2    <1 ms    <1 ms    <1 ms  2001:db8:1:f2ac:2b0:d0ff:fea5:d347
  3    <1 ms    <1 ms    <1 ms  2001:db8:1:f282:dd48:ab34:d07c:3914

Trace complete.

.1.1.1.5 Pathping

F:\>pathping 2001:db8:1:f282:dd48:ab34:d07c:3914

Tracing route to 2001:db8:1:f282:dd48:ab34:d07c:3914 over a maximum of 30 hops
  0  server1.example.microsoft.com [2001:db8:1:f282:204:5aff:fe56:1006]
  1  2001:db8:1:f282:dd48:ab34:d07c:3914

Computing statistics for 25 seconds...
            Source to Here   This Node/Link
Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
  0                                           server1.example.microsoft.com [2001:db8:1:f282:204:5aff:fe56:1006]
                                0/ 100 =  0%   |
  1    0ms     0/ 100 =  0%     0/ 100 =  0%  2001:db8:1:f282:dd48:ab34:d07c:3914

Trace complete.

.1.1.1.6 netstat -s

F:\>netstat -s

IPv4 Statistics

  Packets Received                   = 187107
  Received Header Errors             = 0
  Received Address Errors            = 84248
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 0
  Received Packets Delivered         = 186194
  Output Requests                    = 27767
  Routing Discards                   = 0
  Discarded Output Packets           = 0
  Output Packet No Route             = 0
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0

IPv6 Statistics

  Packets Received                   = 53118
  Received Header Errors             = 0
  Received Address Errors            = 0
  Datagrams Forwarded                = 0
  Unknown Protocols Received         = 0
  Received Packets Discarded         = 0
  Received Packets Delivered         = 0
  Output Requests                    = 60695
  Routing Discards                   = 0
  Discarded Output Packets           = 0
  Output Packet No Route             = 0
  Reassembly Required                = 0
  Reassembly Successful              = 0
  Reassembly Failures                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 0
  Fragments Created                  = 0

ICMPv4 Statistics

                            Received    Sent
  Messages                  682         881
  Errors                    0           0
  Destination Unreachable   2           201
  Time Exceeded             0           0
  Parameter Problems        0           0
  Source Quenches           0           0
  Redirects                 0           0
  Echos                     340         340
  Echo Replies              340         340
  Timestamps                0           0
  Timestamp Replies         0           0
  Address Masks             0           0
  Address Mask Replies      0           0

ICMPv6 Statistics

                            Received    Sent
  Errors                    0           0
  Destination Unreachable   193         0
  Echos                     4           0
  Echo Replies              0           4
  MLD Reports               0           6
  Router Solicitations      0           7
  Router Advertisements     54          0
  Neighbor Solicitations    31          32
  Neighbor Advertisements   27          31

TCP Statistics for IPv4

  Active Opens                        = 128
  Passive Opens                       = 106
  Failed Connection Attempts          = 0
  Reset Connections                   = 3
  Current Connections                 = 16
  Segments Received                   = 22708
  Segments Sent                       = 26255
  Segments Retransmitted              = 37

TCP Statistics for IPv6

  Active Opens                        = 74
  Passive Opens                       = 72
  Failed Connection Attempts          = 1
  Reset Connections                   = 0
  Current Connections                 = 14
  Segments Received                   = 52809
  Segments Sent                       = 59813
  Segments Retransmitted              = 3

UDP Statistics for IPv4

  Datagrams Received    = 160982
  No Ports              = 2158
  Receive Errors        = 2
  Datagrams Sent        = 591

UDP Statistics for IPv6

  Datagrams Received    = 0
  No Ports              = 0
  Receive Errors        = 0
  Datagrams Sent        = 744

.1.1.1.7 Netsh interface ipv6 show interface

Idx  Met  MTU         State        Name
---  ---  ----------  -----------  -------------------
  1   50  4294967295  enabled      Loopback Pseudo-Interface 1
  9   50  1280        enabled      Local Area Connection* 6
  6   20  1500        enabled      Local Area Connection
 10   50  1280        enabled      Local Area Connection* 7
  7   10  1500        disabled     Local Area Connection 2

Netsh interface ipv6 show address

Interface 1: Loopback Pseudo-Interface 1

Addr Type  DAD State   Valid Life    Pref. Life    Address
---------  ----------  ------------  ------------  ------------------------
Other      Preferred   infinite      infinite      ::1

Interface 9: Local Area Connection* 6

Addr Type  DAD State   Valid Life    Pref. Life    Address
---------  ----------  ------------  ------------  ------------------------
Other      Deprecated  infinite      infinite      fe80::5efe:1.0.0.127%9

Interface 6: Local Area Connection

Addr Type  DAD State   Valid Life    Pref. Life    Address
---------  ----------  ------------  ------------  ------------------------
Public     Preferred   29d23h59m59s  6d23h59m59s   2001:db8:21da:7:1f3e:9e51:2178:b90b
Temporary  Preferred   5d19h59m25s   5d19h59m25s   2001:db8:21da:7:a299:85ae:21da:59cc
Other      Preferred   infinite      infinite      fe80::713e:a426:d167:37ab%6

Interface 10: Local Area Connection* 7

Addr Type  DAD State   Valid Life    Pref. Life    Address
---------  ----------  ------------  ------------  ------------------------
Other      Deprecated  infinite      infinite      fe80::5efe:1.0.0.127%10

.1.1.1.8 Netsh interface ipv6 show route

Publish  Type    Met   Prefix                              Idx  Gateway/Interface Name
-------  ------  ----  ----------------------------------  ---  ----------------------------
No       Manual  256   ::/0                                  8  fe80::3cec:bf16:505:eae6
No       Manual  256   ::1/128                               1  Loopback Pseudo-Interface 1
No       Manual  8     2001:db8::/64                         8  Local Area Connection
No       Manual  256   2001:db8::4074:2dce:b313:7c65/128     8  Local Area Connection
No       Manual  256   2001:db8::b500:734b:fe5b:3945/128     8  Local Area Connection
No       Manual  1000  2002::/16                            11  Local Area Connection* 7
No       Manual  256   fe80::/64                            10  Local Area Connection* 9
No       Manual  256   fe80::/64                             8  Local Area Connection
No       Manual  256   fe80::100:7f:fffe/128                10  Local Area Connection* 9
No       Manual  256   fe80::5efe:10.0.0.3/128              17  Local Area Connection* 6
No       Manual  256   fe80::b500:734b:fe5b:3945/128         8  Local Area Connection
No       Manual  256   ff00::/8                              1  Loopback Pseudo-Interface 1
No       Manual  256   ff00::/8                             10  Local Area Connection* 9
No       Manual  256   ff00::/8

.1.1.1.9 Netsh interface ipv6 show neighbors

Interface 1: Loopback Pseudo-Interface 1

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
ff02::16                                                         Permanent
ff02::1:3                                                        Permanent

Interface 8: Local Area Connection

Internet Address                              Physical Address   Type
--------------------------------------------  -----------------  -----------
2001:db8::3cec:bf16:505:eae6                  00-13-72-2b-34-07  Stale (Router)
2001:db8::4074:2dce:b313:7c65                 00-00-00-00-00-00  Unreachable
2001:db8::6c4b:bf6d:201a:ccbf                 00-00-00-00-00-00  Unreachable
fe80::3cec:bf16:505:eae6                      00-13-72-2b-34-07  Stale (Router)
ff02::16                                      33-33-00-00-00-16  Permanent

Interface 10: Local Area Connection* 9

Internet Address                              Physical Address       Type
--------------------------------------------  ---------------------  -----------
fe80::b500:734b:fe5b:3945                     255.255.255.255:65535  Unreachable
ff02::16                                      255.255.255.255:65535  Permanent

.1.1.1.10 Netsh interface ipv6 show destination cache

Interface 8: Local Area Connection

PMTU  Destination Address                            Next Hop Address
----  ---------------------------------------------  -------------------------
1500  2001:db8::3cec:bf16:505:eae6                   2001:db8::3cec:bf16:505:eae6

.1.2 MAC OS X

With Linux and MAC OS the whole IPv6 stack and useful tools are available. Also, as with Windows, the GUI cannot help much, and the CLI will be used for most commands.

Please note the percent sign, which gives the interface name or index according to the OS. In IPv6 this refers to the zone (see the RFC about the Scoped Address Architecture).

Each zone has its own routing table internally, and it is currently used by 1) Link-local addresses, 2) Multicast addresses, 3) Unicast. It is very rare, BUT one application which was requested from our IPv6 Group was 6VPE.

From an IPv6 point of view, 6VPE has no interest at all! MPLS-VPN was a great feature for IPv4 because of address depletion. With IPv6 it is no longer very interesting, and the VRF that exists in IPv6 is called a Zone. The Zone has its own routing table internally, and there is no complex provisioning!

With MAC OS or Linux it is the name of the interface:

.1.2.1 netstat -in ip6

power-mac-g5-de-fred-bovy-6:~ root# netstat -in ip6
Name   Mtu    Network       Address                   Ipkts   Ierrs    Opkts   Oerrs  Coll
lo0    16384  <Link#1>                                623227      0   623227       0     0
lo0    16384  ::1/128       ::1                       623227      -   623227       -     -
lo0    16384  fe80::1%lo0   fe80:1::1                 623227      -   623227       -     -
lo0    16384  127           127.0.0.1                 623227      -   623227       -     -
lo0    16384  fd6e:28d7:6   fd6e:28d7:65b4:77         623227      -   623227       -     -
gif0*  1280   <Link#2>                                     0      0        0       0     0
stf0*  1280   <Link#3>                                     0      0        0       0     0
en0    1500   <Link#4>      d4:9a:20:d0:f9:ae              0      0        0       0     0
fw0    4078   <Link#5>      d4:9a:20:ff:fe:c7:17:70        0      0        0       0     0
en1    1500   <Link#6>      04:1e:64:ec:73:a9        3393882      0  2455868       0     0
en1    1500   fe80::61e:6   fe80:6::61e:64ff:        3393882      -  2455868       -     -
en1    1500   192.168.0     192.168.0.10             3393882      -  2455868       -     -
en1    1500   2a01:e35:2f   2a01:e35:2f26:d34        3393882      -  2455868       -     -
vmnet  1500   <Link#8>      00:50:56:c0:00:01              0      0        0       0     0
vmnet  1500   192.168.58    192.168.58.1                   0      -        0       -     -
vmnet  1500   <Link#9>      00:50:56:c0:00:08              0      0        0       0     0
vmnet  1500   172.16.4/24   172.16.4.1                     0      -        0       -     -
utun0  1500   <Link#7>                                    26      0       31       0     0
utun0  1500   fe80::d69a:   fe80:7::d69a:20ff             26      -       31       -     -
utun0  1500   fd00:6587:5   fd00:6587:52d7:f8             26      -       31       -     -

.1.2.2 ifconfig

power-mac-g5-de-fred-bovy-6:~ root# ifconfig

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384

inet6 ::1 prefixlen 128

inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1

inet 127.0.0.1 netmask 0xff000000

inet6 fd6e:28d7:65b4:77b3:d69a:20ff:fed0:f9ae prefixlen 128

gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280

stf0: flags=0<> mtu 1280

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500

ether d4:9a:20:d0:f9:ae

media: autoselect

status: inactive

fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078

lladdr d4:9a:20:ff:fe:c7:17:70

media: autoselect <full-duplex>

status: inactive

en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500

ether 04:1e:64:ec:73:a9

inet6 fe80::61e:64ff:feec:73a9%en1 prefixlen 64 scopeid 0x6

inet6 2a01:e35:2f26:d340:61e:64ff:feec:73a9 prefixlen 64 autoconf

.1.3 Linux

Linux is the best platform to support a maximum of services like Mobile IPv6, DHCPv6 and more. Mobile IPv6 and DHCPv6 are not supported by Linux or MAC OS X. MAC OS is a free BSD, so there may be a way to have it running on MAC, but it is not a MAC OS X supported feature.

Also with Linux you can enable or disable SLAAC and many parameters for very fine tuning of ND.

Tuning the Kernel

The /proc/sys/net/ipv6 filesystem exports a number of parameters that you might want to set. The Linux IPv6 HOWTO explains all available parameters, so let me just show you the ones I set in /etc/sysctl.d/ipv6.conf and load with a call to sysctl -p:

net.ipv6.conf.default.autoconf = 0

net.ipv6.conf.default.accept_ra = 0

net.ipv6.conf.default.accept_ra_defrtr = 0

net.ipv6.conf.default.accept_ra_rtr_pref = 0

net.ipv6.conf.default.accept_ra_pinfo = 0

net.ipv6.conf.default.accept_source_route = 0

net.ipv6.conf.default.accept_redirects = 0

net.ipv6.conf.default.forwarding = 0

net.ipv6.conf.all.autoconf = 0

net.ipv6.conf.all.accept_ra = 0

net.ipv6.conf.all.accept_ra_defrtr = 0

net.ipv6.conf.all.accept_ra_rtr_pref = 0

net.ipv6.conf.all.accept_ra_pinfo = 0

net.ipv6.conf.all.accept_source_route = 0

net.ipv6.conf.all.accept_redirects = 0

net.ipv6.conf.all.forwarding = 0

.1.3.1 Add an address to an interface

ifconfig <interface> inet6 add <prefix>/<length>

.1.3.2 Remove an address from an interface

ifconfig <interface> inet6 del <prefix>/<length>

.1.3.3 Add a route

route -A inet6 add <destination> gw <next-hop>

.1.3.4 Add a DNS server in the /etc/resolv.conf file

nameserver 2001:db8:233::1

There are many tools and services available with Linux, and only Linux, like DHCPv6, Mobile IPv6, IPsec etc.

Example below with both NDPmon and tcpdump utilities.

14:30:13.980542 IP6 (hlim 64, next-header TCP (6) payload length: 32) 2a01:e35:2f26:d340:105d:f22a:d1bd:635e.55318 > 2a00:1450:4009:808::1005.80: Flags [.], cksum 0xb983 (correct), seq 3060, ack 9779, win 32249, options [nop,nop,TS val 340919915 ecr 1985866212], length 0

14:30:13.981120 IP6 (hlim 64, next-header TCP (6) payload length: 32) 2a01:e35:2f26:d340:105d:f22a:d1bd:635e.55318 > 2a00:1450:4009:808::1005.80: Flags [.], cksum 0xb181 (correct), seq 3060, ack 11461, win 32616, options [nop,nop,TS val 340919916 ecr 1985866212], length 0

----- ND_NEIGHBOR_SOLICIT -----

Reset timer for 4:1e:64:ec:73:a9 fe80:0:0:0:61e:64ff:feec:73a9

------------------

14:30:16.588733 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::61e:64ff:feec:73a9 > fe80::f6ca:e5ff:fe44:10ef: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::f6ca:e5ff:fe44:10ef

source link-address option (1), length 8 (1): 04:1e:64:ec:73:a9

----- ND_NEIGHBOR_ADVERT -----

Reset timer for 4:1e:64:ec:73:a9 fe80:0:0:0:61e:64ff:feec:73a9

------------------

14:30:21.598154 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::61e:64ff:feec:73a9 > fe80::f6ca:e5ff:fe44:10ef: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::61e:64ff:feec:73a9, Flags [solicited]

----- ND_ROUTER_SOLICIT -----

Reset timer for 0:c:29:30:33:86 fe80:0:0:0:20c:29ff:fe30:3386

------------------

[SNIP]

Writing cache...

14:37:07.319548 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::20c:29ff:fe30:3386 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 64

source link-address option (1), length 56 (7): 00:0c:29:30:33:86:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:85:00:00:00:00:00:00:00:00:92:5e:aa:f8:cf:10:08:d4:c6:8b:bf:f4:6f:45:00:f4:4f:13

----- ND_ROUTER_ADVERT -----

Reset timer for f4:ca:e5:44:10:ef fe80:0:0:0:f6ca:e5ff:fe44:10ef

Warning: wrong ipv6 router f4:ca:e5:44:10:ef fe80:0:0:0:f6ca:e5ff:fe44:10ef

------------------

14:37:07.322231 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 104) fe80::f6ca:e5ff:fe44:10ef > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 104

hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s

prefix info option (3), length 32 (4): 2a01:e35:2f26:d340::/64, Flags [on-link, auto], valid time 86400s, pref. time 86400s

rdnss option (25), length 40 (5): lifetime 600s, addr: 2a01:e00::2 addr: 2a01:e00::1

mtu option (5), length 8 (1): 1480

source link-address option (1), length 8 (1): f4:ca:e5:44:10:ef

14:37:07.387405 IP6 (hlim 255, next-header UDP (17) payload length: 53) fe80::61e:64ff:feec:73a9.5353 > ff02::fb.5353: [udp sum ok] 0 [2q] A (QM)? server.exchange.local. AAAA (QM)? server.exchange.local. (45)

14:38:28.549702 IP6 (hlim 255, next-header UDP (17) payload length: 53) fe80::61e:64ff:feec:73a9.5353 > ff02::fb.5353: [udp sum ok] 0 [2q] A (QM)? server.exchange.local. AAAA (QM)? server.exchange.local. (45)

Example of a Wireshark screen capture of a Router Advertisement.
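As an added example (not from the book, and not NDPmon's own code), this Python parses tcpdump -vv lines like the ones above into ND messages and applies a monitoring policy to them: Router Advertisements from routers outside an allow-list (NDPmon's "wrong ipv6 router" case), advertised prefixes or RDNSS servers that are not in the policy, ND messages whose hop limit is not 255, and the oversized source link-address option seen in the Router Solicitation above. The sample lines are constructed from the RS and RA of the capture above (hex dumps left out); the allow-list (fe80::1 with a documentation MAC) is a hypothetical site policy.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# First line of each ND message in tcpdump -vv output: timestamp, hop limit, src > dst, kind.
HEAD_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP6 \(hlim (?P<hlim>\d+),.*?\) (?P<src>\S+) > (?P<dst>\S+): "
                     r".*ICMP6, (?P<kind>router advertisement|router solicitation|neighbor \w+)")
SLLA_RE = re.compile(r"source link-address option \(1\), length (?P<len>\d+) \(\d+\): (?P<mac>[0-9a-f:]+)")
PIO_RE = re.compile(r"prefix info option \(3\).*?: (?P<prefix>[0-9a-f:]+/\d+), Flags \[(?P<flags>[^\]]*)\]")


@dataclass
class NdMessage:
    kind: str
    hlim: int
    src: str
    dst: str
    slla: Optional[str] = None       # MAC from the source link-address option
    slla_len: Optional[int] = None   # that option's length in bytes (8 on Ethernet)
    prefixes: List[str] = field(default_factory=list)
    rdnss: List[str] = field(default_factory=list)


def parse_tcpdump(text: str) -> List[NdMessage]:
    """Group tcpdump -vv lines into ND messages: a timestamp line opens a record (or closes
    one when it is not ND), option lines attach to the open record, hex-dump lines are skipped."""
    msgs: List[NdMessage] = []
    cur: Optional[NdMessage] = None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^\d\d:\d\d:\d\d\.\d+ ", line):
            m = HEAD_RE.match(line)
            cur = NdMessage(m["kind"], int(m["hlim"]), m["src"], m["dst"]) if m else None
            if cur:
                msgs.append(cur)
            continue
        if cur is None or line.startswith("0x"):
            continue
        if (m := SLLA_RE.search(line)):
            cur.slla, cur.slla_len = m["mac"], int(m["len"])
        elif (m := PIO_RE.search(line)):
            cur.prefixes.append(m["prefix"])
        elif line.startswith("rdnss option"):
            cur.rdnss.extend(re.findall(r"addr: (\S+)", line))
    return msgs


@dataclass
class Policy:
    routers: Dict[str, str]   # authorised router link-local address -> its MAC
    prefixes: Set[str]        # prefixes those routers may advertise
    rdnss: Set[str]           # resolvers they may advertise


def check(msgs: List[NdMessage], policy: Policy) -> List[str]:
    """Alerts a monitor would raise: ND not originated on the link (hop limit != 255),
    oversized link-layer options, and RAs whose router, prefix or resolver is off-policy."""
    alerts: List[str] = []
    for m in msgs:
        if m.hlim != 255:
            alerts.append(f"{m.kind} from {m.src}: hop limit {m.hlim} != 255, not link-originated")
        if m.slla_len is not None and m.slla_len != 8:
            alerts.append(f"{m.kind} from {m.src}: source link-address option length {m.slla_len}, "
                          f"expected 8 on Ethernet")
        if m.kind != "router advertisement":
            continue
        expected_mac = policy.routers.get(m.src)
        if expected_mac is None:
            alerts.append(f"wrong ipv6 router {m.slla} {m.src}")   # NDPmon's wording
        elif m.slla and m.slla != expected_mac:
            alerts.append(f"router {m.src} announced MAC {m.slla}, expected {expected_mac}")
        alerts += [f"unexpected prefix {p} from {m.src}" for p in m.prefixes if p not in policy.prefixes]
        alerts += [f"unexpected RDNSS {d} from {m.src}" for d in m.rdnss if d not in policy.rdnss]
    return alerts


# Constructed from the RS/RA lines of the capture above (hex dumps omitted).
SAMPLE = """\
14:37:07.319548 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 64) fe80::20c:29ff:fe30:3386 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation, length 64
    source link-address option (1), length 56 (7): 00:0c:29:30:33:86:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:85:00:00:00:00:00:00:00:00:92:5e:aa:f8:cf:10:08:d4:c6:8b:bf:f4:6f:45:00:f4:4f:13
      0x0000: 000c 2930 3386 0000 0000 0000 0000 0000
14:37:07.322231 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 104) fe80::f6ca:e5ff:fe44:10ef > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 104
    hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable time 0s, retrans time 0s
    prefix info option (3), length 32 (4): 2a01:e35:2f26:d340::/64, Flags [on-link, auto], valid time 86400s, pref. time 86400s
    rdnss option (25), length 40 (5): lifetime 600s, addr: 2a01:e00::2 addr: 2a01:e00::1
    mtu option (5), length 8 (1): 1480
    source link-address option (1), length 8 (1): f4:ca:e5:44:10:ef
"""

# Hypothetical site policy: the capture's router is deliberately NOT listed, so the
# check reproduces NDPmon's warning for it.
POLICY = Policy(routers={"fe80::1": "00:00:5e:00:53:01"},
                prefixes={"2a01:e35:2f26:d340::/64"},
                rdnss={"2a01:e00::1", "2a01:e00::2"})

if __name__ == "__main__":
    for alert in check(parse_tcpdump(SAMPLE), POLICY):
        print(alert)
```

Adding the captured router to the policy with its real MAC silences the RA alert while the 56-byte link-layer option on the solicitation is still reported.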

.2 Test your IPv6 Stack: http://test-ipv6.com/

.3 Test the IPv6 Web Servers

2 Configuration and System Checking on CISCO Routers

2.1 CISCO Routers Mode

A CISCO Router has two main modes of Operation:

2.1.1 Exec Mode (Normal or Privileged). This mode is used to run any command that displays or resets something. Actually there are 16 privilege levels, each giving Authorization for its own set of commands. The Normal mode is the lowest level, the one you get by default when you enter the router. It is a kind of Read-Only mode where you cannot configure anything, nor even display the configuration file.

The default prompt is the Router name plus > if you are a Normal user or # for a privileged user: R2> or R2#

2.1.2 Configuration Mode. This mode is used to configure the Router. So before giving any configuration command you must enter this mode with the command "configure terminal". You must be a privileged user to use this command. This mode has many submodes. For instance, if you want to configure an interface or a routing protocol, you must first select it to enter its submode.

The default prompt for Router R2 in configuration mode is: R2(config)#

The next step is to configure IPv6 routing with the config command:

R2(config)# ipv6 unicast-routing

In the past you also had to configure CEFv6, as it was not enabled by default, with the command

R2(config)# ipv6 cef
or
R2(config)# ipv6 cef distributed

For some platforms, you had the choice to run a distributed CEFv6 or not.

With distributed CEFv6, a copy of the CEFv6 tables is downloaded on the Line Cards and the ingress LC which receives the packet takes the switching decision. The router CPU card is not involved. The first troubleshooting command I used to run on a low performance problem was to check that CEF was properly started with:

R2# show ipv6 cef summary

R7#show ip cef summary
IPv4 CEF is enabled and running
VRF Default
 17 prefixes (17/0 fwd/non-fwd)
 Table id 0x0
 Database epoch:        0 (17 entries at this epoch)

R7#show ipv6 cef summary
IPv6 CEF is enabled and running centrally.
VRF Default
 14 prefixes (14/0 fwd/non-fwd)
 Table id 0x1E000000
 Database epoch:        0 (14 entries at this epoch)

2.2 CEFv6

If you have to troubleshoot a CISCO device, one day you will have to deal with CEF! No DATA PLANE troubleshooting without CEFv6!... If you are looking for the Engineering Team with the really highly skilled guys at Cisco, you are looking for the CEF team! These guys must do two mutually exclusive things, and this all the time: they must support a maximum number of services and at the same time they must design the fastest code, because all of Cisco's switching performance relies on CEF! If an IP feature is not supported by CEF, the feature has no future if it also has to be efficient. If it is a slow terminal conversion thing which needs the speed of typing with one finger, fine! But if it must support wire speed? Forget it!

WHY??? We need to get back to the basics of computers to understand...

When a packet is received by an ASIC specialized to process the data coming from a Physical Media port, an Interrupt is sent to the CPU. An interrupt is a Signal Transition like 0 to +5V or the opposite. The Interrupt is raised by the Physical Media Processor to tell the CPU that it has a packet, just like the Postman sets up the flag after he has dropped a few mails in your mailbox! Guess who is called first by the CPU when it gets the interrupt signal? CEF...

Now CEF must take a decision: either switch the packet in interrupt mode, or queue the packet for further processing in a time-sharing fashion. It is clear that Real-Time traffic will only be supported by the Interrupt mode. So where is the problem? The process in interrupt mode disables any other interrupt. The other Line Cards have a dedicated ASIC with memory to accommodate a few packets, but not too many...

The process must handle the packet as fast as possible, for the protocol which is being routed and for the other traffic waiting to be processed. This is why complex operations cannot be supported by CEF, and this has been the case for NAT-PT in IPv6!

For more details about CEFv6, please click on the link below:
http://www.ipv6forlife.com/Docs/CEFv6InaNutshell.pdf

The Next step to configure a Cisco Router of ipv6 is

Then you might be interested to check some other commands listed below:

2.3 CISCO Routers IPv6 Commands

R2(config)#ipv6 ?

access-list Configure access lists

cef Cisco Express Forwarding for IPv6

cga Configure IPv6 certified generated address

dhcp Configure IPv6 DHCP

general-prefix Configure a general IPv6 prefix

hop-limit Configure hop count limit

host Configure static hostnames

icmp Configure ICMP parameters

inspect Context-based Access Control Engine

local Specify local options

mfib Multicast Forwarding

mld Global mld commands

mobile Mobile IPv6

multicast IPv6 multicast

multicast-routing Enable IPv6 multicast

nat NAT-PT Configuration commands

nd Configure IPv6 ND

neighbor Neighbor

ospf OSPF

pim Configure Protocol Independent Multicast

port-map Port to application mapping (PAM) configuration commands

prefix-list Build a prefix list

route Configure static routes

router Enable an IPV6 routing process

source-route Process packets with source routing header options

unicast-routing Enable unicast routing

R2(config)#ipv6

R2(config-subif)#IPV6 ?

IPv6 interface subcommands:

address Configure IPv6 address on interface

authentication authentication subcommands

bandwidth-percent Set EIGRP bandwidth limit

cga Configure cga on the interface

dhcp IPv6 DHCP interface subcommands

eigrp Configure EIGRP IPv6 on interface

enable Enable IPv6 on interface

flow Flow related commands

hello-interval Configures IP-EIGRP hello interval

hold-time Configures IP-EIGRP hold time

inspect Apply inspect name

mfib Interface Specific MFIB Control

mld interface commands

mobile Mobile IPv6

mode Interface mode

mtu Set IPv6 Maximum Transmission Unit

multicast multicast

nat Enable IPv6 NAT on interface

nd IPv6 interface Neighbor Discovery subcommands

next-hop-self Configures IP-EIGRP next-hop-self

ospf OSPF interface commands

pim PIM interface commands

policy Enable IPv6 policy routing

redirects Enable sending of ICMP Redirect messages

rip Configure RIP routing protocol

router IPv6 Router interface commands

split-horizon Perform split horizon

summary-address Summary prefix

traffic-filter Access control list for packets

unnumbered Preferred interface for source address selection

unreachables Enable sending of ICMP Unreachable messages

verify Enable per packet validation

virtual-reassembly IPv6 Enable Virtual Fragment Reassembly

2.4 Display the IPv6 Traffic Statistics

R2#show ipv6 traffic

IPv6 statistics:

Rcvd: 295 total, 251 local destination

0 source-routed, 0 truncated

0 format errors, 0 hop count exceeded

0 bad header, 0 unknown option, 0 bad source

0 unknown protocol, 0 not a router

0 fragments, 0 total reassembled

0 reassembly timeouts, 0 reassembly failures

Sent: 278 generated, 0 forwarded

0 fragmented into 0 fragments, 0 failed

0 encapsulation failed, 0 no route, 0 too big

0 RPF drops, 0 RPF suppressed drops

Mcast: 276 received, 259 sent

ICMP statistics:

Rcvd: 49 input, 0 checksum errors, 0 too short

0 unknown info type, 0 unknown error type

unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port

parameter: 0 error, 0 header, 0 option

0 hopcount expired, 0 reassembly timeout,0 too big

10 echo request, 0 echo reply

0 group query, 0 group report, 0 group reduce

0 router solicit, 20 router advert, 0 redirects

4 neighbor solicit, 5 neighbor advert

Sent: 46 output, 0 rate-limited

unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port

parameter: 0 error, 0 header, 0 option

0 hopcount expired, 0 reassembly timeout,0 too big

0 echo request, 10 echo reply

0 group query, 0 group report, 0 group reduce

0 router solicit, 23 router advert, 0 redirects

7 neighbor solicit, 6 neighbor advert

UDP statistics:

Rcvd: 212 input, 0 checksum errors, 0 length errors

0 no port, 0 dropped

Sent: 212 output

TCP statistics:

Rcvd: 0 input, 0 checksum errors

Sent: 0 output, 0 retransmitted

2.5 Display the Neighbor Cache

R2# show ipv6 neighbor

IPv6 Address Age Link-layer Addr State Interface

2001:DB8:CAFE:11::1 52 ca00.0494.0006 STALE Fa0/1.11

FE80::C800:4FF:FE94:6 44 ca00.0494.0006 STALE Fa0/1.11

2.6 Display the Routers Cache

R2# sh ipv6 routers

Router FE80::C800:4FF:FE94:6 on FastEthernet0/1.11, last update 0 min

Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500

HomeAgentFlag=0, Preference=Medium

Reachable time 0 (unspecified), Retransmit time 0 (unspecified)

Prefix 2001:DB8:CAFE:11::/64 onlink autoconfig

Valid lifetime 2592000, preferred lifetime 604800

2.7 CEFv6 !!! Mandatory knowledge to Troubleshoot the Cisco Routers data plane !

When you want to trace the handling of a paquet in a CISCO router, you need to take a look at the CEFv6 table. IPv6 paquet switching is performed by CEFv6. CEFv6 resolves all the recursions that you may find in an IPv6 table and setup an optimized structure for very quick lookup and easy mainte-nance of a mtrie structure. CEFv6 table works with the help of adjacency table which gives the map between IPv6 packet and layer 2 address.R1#show ipv6 cef 2001:db8:cafe:10::/64 internal

2001:DB8:CAFE:10::/64, epoch 0, RIB[I], refcount 4, per-destination sharing


sources: RIB

feature space:

IPRM: 0x00038000

ifnums:

FastEthernet0/1.11(11): FE80::C801:4FF:FE94:6

path 6822BA1C, path list 6822A77C, share 1/1, type attached nexthop, for IPv6

nexthop FE80::C801:4FF:FE94:6 FastEthernet0/1.11, adjacency IPV6 adj out of FastEthernet0/1.11, addr FE80::C801:4FF:FE94:6 66F91C60

output chain: IPV6 adj out of FastEthernet0/1.11, addr FE80::C801:4FF:FE94:6 66F91C60

Once the CEFv6 entry is found, we need to look for the matching next-hop entry in the adjacency table. In the adjacency entry we find the origin of the resolution, like ND for IPv6 or ARP for IPv4.

If the router is currently resolving the IPv6 next hop to a layer 2 MAC address, the entry will be in the state INCOMPLETE. The packet which has triggered the resolution must be buffered, waiting for the resolution to complete. Once the resolution is complete, the packet will be encapsulated and sent to its destination. This is different from IPv4, where the packet was dropped. We used to get 80% the first time we pinged a destination because the first packet was dropped. This is no longer the case and we should get 100% even the first time.

R1#show adjacency FE80::C801:4FF:FE94:6

Protocol Interface Address

IPV6 FastEthernet0/1.11 FE80::C801:4FF:FE94:6(7)

R1#show adjacency FE80::C801:4FF:FE94:6 internal

Protocol Interface Address

IPV6 FastEthernet0/1.11 FE80::C801:4FF:FE94:6(7)

0 packets, 0 bytes

epoch 0

sourced in sev-epoch 1

Encap length 18

CA0104940006CA00049400068100000B

86DD

IPv6 ND

Fast adjacency enabled [OK]

L3 mtu 1500

Flags (0x11A9E)

Fixup disabled

HWIDB/IDB pointers 0x66CCDD10/0x67E58500

IP redirect enabled

Switching vector: IPv6 adjacency oce

Adjacency pointer 0x66F91C60

Addresses of an IPv6 Host:

A link-local address.

One or many unicast addresses.

One loopback ::1.

On each interface:

A node-local scope all-nodes multicast address: FF01::1

A link-local scope all-nodes multicast address: FF02::1

A solicited-node multicast address for each unicast address.

Router IPv6 Addresses:

The loopback ::1 for the router.

A link-local address for each link.

As many global addresses as needed.

Multicast addresses such as all-nodes ff02::1 and all-routers ff02::2.

Example of a CISCO router:

R0> show ipv6 int f1/0

FastEthernet1/0 is up, line protocol is up

IPv6 is enabled, link-local address is FE80::C800:6FF:FEA9:1C

No Virtual link-local address(es):

Global unicast address(es):

2001:DB8:C0A8:A:C800:6FF:FEA9:1C, subnet is 2001:DB8:C0A8:A::/64 [EUI]

2001:DB8:C0A8:B:C800:6FF:FEA9:1C, subnet is 2001:DB8:C0A8:B::/64 [EUI]

Joined group address(es):

FF02::1

FF02::2

FF02::1:FFA9:1C

MTU is 1500 bytes

ICMP error messages limited to one every 100 milliseconds

ICMP redirects are enabled

ICMP unreachables are sent

ND DAD is enabled, number of DAD attempts: 1

ND reachable time is 30000 milliseconds (using 30000)

ND advertised reachable time is 0 (unspecified)

ND advertised retransmit interval is 0 (unspecified)

ND router advertisements are sent every 200 seconds

ND router advertisements live for 1800 seconds

ND advertised default router preference is Medium

Hosts use stateless autoconfig for addresses.


7 We need to manage IPv6 addresses that are 4 times longer than IPv4 addresses, and the good old spreadsheet that we were using for IPv4 does not cut it any more! With such long addresses, good name management is key to a successful deployment! New software called IPAM is now the MUST have for any network to solve this important question.

Addresses, Names & Services Mgmt.


DHCPv6 & DNS

1. Summary of dynamic addressing

2. SLAAC, DHCPv6 Stateful, Stateless Operations

3. DHCPv6

4. DHCP-PD Prefix Delegation


1 DHCPv6

1.1 Introduction

DHCPv6 is DHCP support for IPv6 and has been enhanced to support multiple modes of operation. It is documented in many RFCs, as multiple modes exist.

The principal mode is described in RFC3315.

Also, the presence of DHCPv6 must be advertised by the routers in the Router Advertisements (NDP) for the workstation to send requests, or the DHCPv6 servers will be ignored.

The base DHCPv6 RFC3315 provides authentication of the messages to avoid any sort of rogue DHCP server.

DHCPv6 can be used in 3 Modes:

Stateful DHCPv6. This is the standard DHCP Operation. The request includes both Addresses and Other Information.

Stateless DHCPv6 RFC3736. This is a new mode in IPv6 where we do not want to get any address from the DHCPv6 servers but only Other Information like domain name, DNS and other server addresses. It is called stateless because in this mode the DHCPv6 server does not need to keep any state, since it does not allocate any address to remember and manage.

DHCPv6 Prefix Delegation RFC3633. This is also a new mode for DHCP. It is used to request a full block from the Service Provider. The block is allocated and can then be subnetted at will. This mode is very convenient for SPs, which can manage the prefixes allocated to each customer from a DHCPv6 server that gets the prefix for each customer from a RADIUS server.

Chapter 7

Addresses, Names & Services

IPv6 supports 3 different methods to provide dynamic addressing, which can be combined as they are not mutually exclusive!

Without any DHCPv6 it can be plug and play thanks to SLAAC.

A DHCPv6 server can be added to get more details about the servers after we have figured out our IPv6 addresses without it.

DHCPv6 can be used to provide a full block to address a whole site.

DHCPv6 CANNOT REPLACE ND PROTOCOL (RA)

We have seen that at the end of the SLAAC process, a booting workstation or an interface coming up may eventually query a DHCPv6 server for more configuration.

Whether it does so is decided by two bits of the Router Advertisement, contained in a field called Flags.

If the Managed bit (M-bit) is set in Flags of the RA, the workstation makes a full request including Address(es) and other information. This is Stateful DHCPv6 because the server needs to keep states for the allocated addresses.

If the Other bit (O-bit) is set in the Flags of the RA, the workstation just requests Other information and NO ADDRESS. This is Stateless DHCPv6.

These bits MUST be set on the interfaces of the local routers where the workstations which need to query DHCPv6 servers are located.
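The M/O decision described above, as an added example that is not code from the book: it decodes an RA, reports the fields IOS shows under "show ipv6 routers", and names the DHCPv6 behaviour the flags ask for. The function names are this example's own and the sample RA values are constructed to match the router cache shown in section 2.6.

```python
# Added example (not from the book): decode an ICMPv6 Router Advertisement
# (RFC 4861) and derive which DHCPv6 behaviour its M/O flags ask hosts for.
# Names such as build_ra/parse_ra are this example's own; sample values are
# constructed to mirror the "show ipv6 routers" output earlier in the chapter.
import struct
from ipaddress import IPv6Address, IPv6Network

ND_ROUTER_ADVERT = 134           # ICMPv6 type
OPT_PREFIX_INFO, OPT_MTU = 3, 5  # ND option types
FLAG_M, FLAG_O = 0x80, 0x40      # Managed / Other bits of the RA Flags byte
PFX_L, PFX_A = 0x80, 0x40        # on-link / autonomous bits of the Prefix option


def build_ra(hop_limit, flags, router_lifetime, reachable, retrans,
             mtu, prefix, plen, pflags, valid, preferred):
    """Constructed RA: 16-byte ICMPv6 header, MTU option, Prefix Information option.
    The checksum is left at zero (the sender computes it over the IPv6 pseudo-header)."""
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, hop_limit, flags,
                      router_lifetime, reachable, retrans)
    mtu_opt = struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)             # length 1 = 8 octets
    pfx_opt = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, pflags,
                          valid, preferred, 0) + IPv6Address(prefix).packed  # 32 octets
    return hdr + mtu_opt + pfx_opt


def dhcpv6_mode(flags):
    """M set: full DHCPv6 (addresses + Other Information). O only: Information-Request
    only. Neither: SLAAC alone, any DHCPv6 server on the link is ignored."""
    if flags & FLAG_M:
        return "stateful"
    if flags & FLAG_O:
        return "stateless"
    return "none"


def parse_ra(raw):
    """Return the fields IOS shows in 'show ipv6 routers' plus the DHCPv6 mode."""
    (msg_type, _code, _csum, hops, flags, lifetime,
     reachable, retrans) = struct.unpack_from("!BBHBBHII", raw)
    if msg_type != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    info = {"hops": hops, "lifetime": lifetime, "M": bool(flags & FLAG_M),
            "O": bool(flags & FLAG_O), "reachable": reachable, "retrans": retrans,
            "mtu": None, "prefixes": [], "dhcpv6": dhcpv6_mode(flags)}
    pos = 16
    while pos + 2 <= len(raw):
        otype, olen = raw[pos], raw[pos + 1]
        if olen == 0:                       # RFC 4861: a zero-length option is invalid
            raise ValueError("bad ND option length")
        body = raw[pos + 2: pos + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("truncated ND option")
        if otype == OPT_MTU and olen == 1:
            info["mtu"] = struct.unpack_from("!I", body, 2)[0]
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack_from("!BBII", body)
            net = IPv6Network((body[14:30], plen), strict=False)
            info["prefixes"].append({"prefix": str(net),
                                     "onlink": bool(pflags & PFX_L),
                                     "autoconfig": bool(pflags & PFX_A),
                                     "valid": valid, "preferred": preferred})
        pos += olen * 8
    return info


if __name__ == "__main__":
    ra = build_ra(64, FLAG_O, 1800, 0, 0, 1500, "2001:db8:cafe:11::", 64,
                  PFX_L | PFX_A, 2592000, 604800)
    print(parse_ra(ra))
```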

For a quick video presentation of DHCPv6, there is a series of tutorials starting with Part 1 at:

http://www.ipv6forlife.com/Tutorial/DHCPv6-Part1.html

1.2 DHCPv6 Commands and Fields

DHCPv6 protocol basic operations are not very different from IPv4: the message names are different and multicast is used more in IPv6, but it is pretty much the same protocol. A DHCPv6 server can provide address(es) for a client and Other Information like the domain name or any server addresses.

1.2.1 DUID

Each client and server is identified by its DHCP Unique Identifier (DUID). This identifier is mostly derived from one of the device's MAC addresses, but it can be:

1 Link-layer address plus time

2 Vendor-assigned unique ID based on Enterprise Number

3 Link-layer address

The DUIDs are very important for a protocol which uses a lot of multicast messages to reach many servers or relays.

See RFC3315 section 9 for details of the ways in which a DUID may be constructed.

1.2.2 Transaction IDs

A Transaction ID is used to identify all the messages of the same transaction. It permits pairing a Solicit with a Reply and should be chosen with a random algorithm, making it quite impossible to guess!

1.2.3 IPv6 UDP Port Numbers

DHCPv6 is encapsulated in UDP over IPv6.

DHCPv6 Clients use port 546 and Servers use 547.

1.2.4 IPv6 Multicast Addresses

DHCPv6 also uses IPv6 multicast addresses:

- All_DHCP_Relay_Agents_and_Servers (ff02::1:2): This is a link-local IPv6 multicast address used by the clients to communicate with all the local servers and relays.

Only the DUID permits each one to see that the packet is for itself.

- All_DHCP_Servers (ff05::1:3): This is a site-local IPv6 multicast address which is used by the relays to forward the local clients' requests to all the DHCPv6 servers of the site that have registered to this multicast group.

Multicast routing must be enabled on all the site routers.

DHCPv6 relays can be used to encapsulate the messages from the clients to the servers and vice versa.

1.2.5 Identity Association (IA)

Basically, we need an Identity Association to request address(es) for each interface.

See RFC 3315 Section 10 for an excellent definition:

'An "identity-association" (IA) is a construct through which a server and a client can identify, group, and manage a set of related IPv6 addresses. Each IA consists of an IAID and associated configuration information.

A client must associate at least one distinct IA with each of its network interfaces for which it is to request the assignment of IPv6 addresses from a DHCP server. The client uses the IAs assigned to an interface to obtain configuration information from a server for that interface. Each IA must be associated with exactly one interface.'

To get more details about how the addresses are allocated from the server, please see Section 11 of RFC3315.

Another example of the use of IAs would be a virtual server with many virtual interfaces. Each group of virtual interfaces playing the same role will be using the same Identity Association.

1.2.6 Client/Server ID

DHCPv6 uses a lot of multicast. The SOLICIT and REQUEST messages are sent to All_DHCP_Relay_Agents_and_Servers (FF02::1:2). So it is important to identify both client and server with something other than the address.


1.2.7 DHCP Messages

There are 13 messages to support the DHCPv6 operations. There is no need to explain each message one by one, but we will explain most if not all of them as we get into the details of how DHCPv6 operates.

For a full list with explanations, please refer to Section 5.3 of RFC3315.

The 13 messages are:

SOLICIT 1

ADVERTISE 2

REQUEST 3

CONFIRM 4

RENEW 5

REBIND 6

REPLY 7

RELEASE 8

DECLINE 9

RECONFIGURE 10

INFORMATION-REQUEST 11

RELAY-FORW 12

RELAY-REPL 13

1.2.7.1 Used during the startup without Relays

SOLICIT (1), ADVERTISE (2), REQUEST (3), REPLY (7)

1.2.7.2 If a Relay is used we must add to the previous

RELAY-FORW (12), RELAY-REPL (13)

1.2.7.3 To Refresh an Address Reservation

RENEW (5), REBIND (6), REPLY (7)

1.2.7.4 To Request Information Only (Stateless DHCPv6)

INFORMATION-REQUEST (11)

1.2.7.5 Client doesn't need this address anymore

RELEASE (8)

1.2.7.6 Client confirms that the allocated address is still OK

CONFIRM (4)

1.2.7.7 Client refuses an address already in use

DECLINE (9)

1.2.7.8 A new config available needs a new Request

RECONFIGURE (10)

1.2.7.9 DHCP Messages Authentication

DHCPv6 messages can be authenticated; see Section 21 of RFC3315. This would make rogue DHCP servers impossible. It is open to any authentication protocol and can manage the keys of a DHCPv6 server realm.

A DHCPv6 Realm is a name used to identify the DHCP administrative domain from which a DHCP authentication key was selected.

1.2.8 DHCP Options

All the information which is requested by a client or given by a server is actually coded in DHCPv6 options.

The full list is:

OPTION_CLIENTID 1

OPTION_SERVERID 2

OPTION_IA_NA 3

OPTION_IA_TA 4

OPTION_IAADDR 5

OPTION_ORO 6

OPTION_PREFERENCE 7

OPTION_ELAPSED_TIME 8

OPTION_RELAY_MSG 9

OPTION_AUTH 11

OPTION_UNICAST 12

OPTION_STATUS_CODE 13

OPTION_RAPID_COMMIT 14

OPTION_USER_CLASS 15

OPTION_VENDOR_CLASS 16

OPTION_VENDOR_OPTS 17

OPTION_INTERFACE_ID 18

OPTION_RECONF_MSG 19


OPTION_RECONF_ACCEPT 20

There are actually MORE OPTIONS, which are added by other RFCs:

IA_PD (RFC3633. Section 10) for DHCP-Prefix Delegation

For all details, please see section 22 of RFC3315.

DNS Configuration options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)

http://tools.ietf.org/html/rfc3646

1.2.8.1 Client ID and Server ID Options

These options carry the Client DUID to the Server and the Server DUID to the Client. Generally, a MAC Address is used.

1.2.8.2 Addresses

1.2.8.2.1 IAADDR Option

The IAADDR option permits carrying the IPv6 dynamic addresses allocated by the server.

Like the prefixes advertised in the RA, which permit deriving IPv6 addresses for the interfaces, the IAADDR option has a Preferred Lifetime and a Valid Lifetime for each allocated address. This permits IPv6 to manage the lifecycle of dynamic addresses like the addresses derived from the prefixes contained in the RA. See the figure for more details about the states of a dynamic address.

Remember that an Address must remain in the Preferred State if we want to use it, so Preferred and Valid Lifetime must be chosen carefully.

The IAADDR IPv6 dynamic address option must be encapsulated in one of the following: IA_NA or IA_TA. We can see the IAADDR options with a yellow background and red letters in both the IA_NA and IA_TA figures.

1.2.8.2.2 IA_NA Option

The IA_NA is used to encapsulate Non-Temporary Addresses.

There are two timers associated with the refreshing of IPv6 addresses.

T1 is the time after which the client queries the DHCPv6 server which allocated the address (Renew).

T2 is the time after which the client queries any DHCPv6 server for the address (Rebind).

Care should be taken in setting T1 or T2 to 0xffffffff ("infinity"). A client will never attempt to extend the lifetimes of any addresses in an IA with T1 set to 0xffffffff. A client will never attempt to use a Rebind message to locate a different server to extend the lifetimes of any addresses in an IA with T2 set to 0xffffffff.

1.2.8.2.3 IA_TA Option

The IA_TA is used to encapsulate Temporary Addresses (Privacy Extension RFC4941). There is no timer associated with it.
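The fields of sections 1.2.1 to 1.2.8.2 (DUID, transaction ID, CLIENTID/SERVERID, ORO, IA_NA with its T1/T2 and the IAADDR lifetimes), put together as an added example that is not code from the book: it encodes a Solicit and a Reply, decodes them, and checks the IA_NA timers the way the 0xffffffff caveat above suggests. All function names are this example's own and the sample MAC, prefix and lifetimes are constructed.

```python
# Added example (not from the book): build and decode DHCPv6 (RFC 3315) messages
# and sanity-check the IA_NA T1/T2 timers against the IAADDR lifetimes.
# Function names and sample values (client MAC, prefix, lifetimes) are constructed.
import os
import struct
from ipaddress import IPv6Address

SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7            # msg-type values
OPTION_CLIENTID, OPTION_SERVERID, OPTION_IA_NA = 1, 2, 3     # option codes
OPTION_IAADDR, OPTION_ORO = 5, 6
OPTION_DNS_SERVERS, OPTION_DOMAIN_LIST = 23, 24              # RFC 3646
INFINITY = 0xFFFFFFFF


def duid_ll(hw_type, mac):
    """DUID-LL (type 3): DUID type, hardware type (1 = Ethernet), link-layer address."""
    return struct.pack("!HH", 3, hw_type) + mac


def option(code, data):
    """Generic option TLV: 2-byte code, 2-byte length, data."""
    return struct.pack("!HH", code, len(data)) + data


def iaaddr(addr, preferred, valid):
    """IAADDR: address, preferred lifetime, valid lifetime (seconds)."""
    return option(OPTION_IAADDR, IPv6Address(addr).packed + struct.pack("!II", preferred, valid))


def ia_na(iaid, t1, t2, inner=b""):
    """IA_NA: IAID, T1 (Renew), T2 (Rebind), then encapsulated IAADDR options."""
    return option(OPTION_IA_NA, struct.pack("!III", iaid, t1, t2) + inner)


def message(msg_type, xid, options):
    """Client/server message: 1-byte msg-type, 3-byte transaction-id, options."""
    if len(xid) != 3:
        raise ValueError("transaction-id must be 3 bytes")
    return bytes([msg_type]) + xid + options


def build_solicit(xid, mac):
    """Solicit asking for one non-temporary address plus DNS information (ORO)."""
    opts = (option(OPTION_CLIENTID, duid_ll(1, mac))
            + option(OPTION_ORO, struct.pack("!HH", OPTION_DNS_SERVERS, OPTION_DOMAIN_LIST))
            + ia_na(1, 0, 0))                     # T1 = T2 = 0: let the server choose
    return message(SOLICIT, xid, opts)


def build_reply(xid, client_duid, server_duid, iaid, t1, t2, addr, preferred, valid):
    """Reply carrying one IA_NA with a single IAADDR (constructed server side)."""
    opts = (option(OPTION_CLIENTID, client_duid) + option(OPTION_SERVERID, server_duid)
            + ia_na(iaid, t1, t2, iaaddr(addr, preferred, valid)))
    return message(REPLY, xid, opts)


def parse_options(data):
    """Return [(code, value)]; IA_NA and IAADDR values are decoded into dicts."""
    out, pos = [], 0
    while pos + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4: pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated option")
        pos += 4 + length
        if code == OPTION_IA_NA:
            iaid, t1, t2 = struct.unpack_from("!III", body)
            out.append((code, {"iaid": iaid, "t1": t1, "t2": t2,
                               "options": parse_options(body[12:])}))
        elif code == OPTION_IAADDR:
            preferred, valid = struct.unpack_from("!II", body, 16)
            out.append((code, {"address": str(IPv6Address(body[:16])),
                               "preferred": preferred, "valid": valid,
                               "options": parse_options(body[24:])}))
        else:
            out.append((code, body))
    return out


def parse_message(raw):
    return {"type": raw[0], "xid": raw[1:4], "options": parse_options(raw[4:])}


def check_ia_na(ia):
    """Problems a client or an operator should notice in a server's IA_NA."""
    problems = []
    t1, t2 = ia["t1"], ia["t2"]
    if t1 == INFINITY:
        problems.append("T1 is infinity: the client will never Renew")
    if t2 == INFINITY:
        problems.append("T2 is infinity: the client will never Rebind")
    if t1 and t2 and t1 > t2:
        problems.append("T1 > T2")
    for code, a in ia["options"]:
        if code != OPTION_IAADDR:
            continue
        if a["preferred"] > a["valid"]:
            problems.append(f"{a['address']}: preferred lifetime exceeds valid lifetime")
        elif t1 not in (0, INFINITY) and t1 > a["preferred"]:
            problems.append(f"{a['address']}: address is deprecated before T1 triggers Renew")
    return problems


if __name__ == "__main__":
    xid = os.urandom(3)                              # random transaction-id
    sol = parse_message(build_solicit(xid, bytes.fromhex("ca0004940006")))
    rep = build_reply(xid, sol["options"][0][1], duid_ll(1, bytes.fromhex("ca0104940006")),
                      1, 302400, 483840, "2001:db8:cafe:11::100", 604800, 2592000)
    ia = parse_message(rep)["options"][2][1]
    print(ia, check_ia_na(ia))
```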

1.2.8.3 Prefix Delegation

This is used in DHCP-PD RFC3633 to request and provide a full block like 2001:db8:678::/48, to address all the buildings of a company in a city for instance.

1.2.8.4 Option Request Option (ORO)

The ORO is used to provide the list of the options which are requested by a client or need to be reconfigured from the server. For instance, if the client requested the Domain Name, it is in the ORO option.

"A client MAY include an Option Request option in a Solicit, Request, Renew, Rebind, Confirm or Information-request message to inform the server about options the client wants the server to send to the client. A server MAY include an Option Request option in a Reconfigure option to indicate which options the client should request from the server."

http://tools.ietf.org/html/rfc3315#section-22.7

Example of a Captured ORO:

1.2.9 Status Code Option

It is used to report the status of an operation. If it does not appear where it should, success is assumed.

1.2.10 Preference Option

It is possible for the servers to give a level of preference when multiple servers are available. When the client receives multiple ADVERTISE messages, the client will prefer the server with the highest Preference.

Elapsed Time Option

This is used by the client to measure the duration of an exchange. For instance, if an exchange lasts too long, the client may use a secondary server.

1.2.11 Relay

1.2.11.1 Relay Message Option

It contains the DHCP message encapsulated by the relay in a Relay-Forward or a Relay-Reply message.

1.2.11.2 Interface-ID Option

This option may be added by a relay to record the Interface-Id on which the message was received. It will use it to forward the reply back to the right interface.

1.2.12 Authentication Option

Used for DHCP message Authentication. Useful to avoid Rogue DHCP Servers.


1.2.13 Server Unicast Option

The server sends this option to a client to indicate to the client that it is allowed to unicast messages to the server. This way the client can bypass any relay and send messages directly to the server.

RFC3315 Section 18.1.

"Use of unicast may avoid delays due to the relaying of messages by relay agents, as well as avoid overhead and duplicate responses by servers due to the delivery of client messages to multiple serv-ers. Requiring the client to relay all DHCP messages through a relay agent enables the inclusion of relay agent options in all messages sent by the client. The server should enable the use of unicast only when relay agent options will not be used."

1.2.14 Rapid Commit Option

This option permits some transactions to be only 2-way (Solicit, Reply) instead of 4-way. It is set in the Solicit message by the client.

1.2.15 User Class Option

This option permits one to configure multiple classes of users that do not need the same parameters.

For instance, some clients may need a SIP server address and some don't.

1.2.16 Vendor

1.2.16.1 Vendor Class Option

This option, set by the client, tells the server which vendor's equipment the client is running on.

1.2.16.2 Vendor-Specific Information Option

This option allows some vendor-specific information to be exchanged between the client and the server.

1.2.17 Reconfigure

1.2.17.1 Reconfigure Message Option

This option is used when a server has been reconfigured. It asks the client to send a message to get a new config. In a Reconfigure message, this option tells the client whether it must respond with a Renew message to request an address or with an Information-Request message to request Other Information.

1.2.17.2 Reconfigure Accept Option

A client uses this option to tell the server whether it accepts Reconfigure messages.

The server uses this option to tell the client whether to accept or not the Reconfigure message.


1.3 DHCPv6 Startup

The DHCPv6 messages used during the initialization to request addresses and/or Other Information are the following.

1.3.1 Client & Server(s) are on the same link

1.3.1.1 Solicit

The client first sends a Solicit discovery message. It is not a reservation request when an address is needed, just a discovery to figure out which server around is available and could provide the information needed.

The destination address is the All Servers and Relays Link-local Multicast Address ff02::1:2, Source is the Workstation Link-local Address.

The information needed by the client is in the Option Request Option (ORO).

1.3.1.2 Advertise

The server(s) reply with an Advertise including all the available resources matching the client's ORO. This is sent back to the link-local address of the client.

1.3.1.3 Request

The Request is sent to the All Servers and Relays link-local multicast address ff02::1:2; the source is the workstation link-local address.

The DUID of the Server is used to identify which server we want to use.

1.3.1.4 Reply

The server provides the reservation if an address has been requested, together with the information, or information only if that is what we have requested (Information-Request).

1.3.2 Client & Server(s) use a Relay

If the server is not located on the same link as the client, a relay is needed in between. The relay will forward the request to the server as unicast messages of any kind, anycast, or the well-known site-local multicast ff05::1:3.

The relay encapsulates the request in a Relay-Forward to the server, and the server encapsulates its response in a Relay-Reply message.

1.3.3 DHCP-PD Startup Example

In this example, the client sends a Solicit with an IA_PD requesting a prefix from the server. It is forwarded by the relay. The server advertises a prefix and gives the Server Unicast option for the client to send its Request in a unicast message.

This is why the Request and the Reply bypass the Relay.

The Server provides a block, for instance 2001:db8:678::/48, which can be used and subnetted by the DHCP-PD client.

1.4 DHCPv6 Configuration Management

"A client uses Request, Renew, Rebind, Release and Decline messages during the normal life cycle of addresses. It uses Confirm to validate addresses when it may have moved to a new link. It uses Information-Request messages when it needs configuration information but no addresses." (Section 18.1 RFC3115).

1.4.1 Address Refreshment initiated by the Client

Once the address has been allocated, it must be maintained and refreshed as soon as required. IA_NA and IA_PD addresses are provided with the DHCP timers which trigger the process.

T1 and T2 are provided. These 2 timers must be set consistently with the Preferred and Valid lifetimes of the addresses. Remember that an address MUST remain a Preferred address. So the T1/T2 timers must be set accordingly.

IPv6 Addresses come with two Timers, the Preferred and the Valid Timers. For Static Addresses, these timers are usually set to Infinity which is ALL ONEs.

For dynamic addresses, they must be refreshed to reset these timers, so that the addresses or derived addresses remain in the Preferred state.

In figure 6.18 we can see how these timers are Reset with Unsolicited RA.

With DHCPv6, the Preferred and Valid timers must also be refreshed when the DHCPv6 client RENEWs its reservation. These timers are included in the IAADDR option, which is encapsulated in the IA_NA or IA_PD option. Both the IA_NA and IA_PD options also have two timers related to the DHCPv6 protocol itself.

When T1 expires, the client sends RENEW to the server from which it has learned its configuration.

If the client times out on the RENEW with the server which had provided the initial configuration, it will send a REBIND to all the available servers.

RFC3315 Section 18.1.4.

"The message exchange is terminated when the valid lifetimes of all the addresses assigned to the IA expire (see section 10), at which time the client has several alternative actions to choose from.

For example:

The client may choose to use a Solicit message to locate a new DHCP server and send a Request for the expired IA to the new server.

The client may have other addresses in other IAs, so the client may choose to discard the expired IA and use the addresses in the other IAs."

1.4.2 A client may have moved

http://tools.ietf.org/html/rfc3315#section-18.1.3


In any situation when a client may have moved to a new link, the client MUST initiate a Confirm/Reply message exchange.

For Example:

The client reboots.

The client is physically connected to a wired connection.

The client returns from sleep mode.

The client using a wireless technology changes access points.

1.4.3 A client doesn't need an Address anymore

The client sends a Release message to the server.

1.4.4 A client detects a DUPlicated Address

The client sends a Decline Message to the Server.

1.4.5 Server Configuration has changed

The Server must inform the client with a RECONFIGURE message.

The RECONFIGURE message includes the Reconfigure Message Option to tell the client if it must send a Renew providing Addresses or an Information-Request not providing Address(es).

1.4.6 Constants

1.4.7 DHCP Reliability

Because UDP does not provide reliability, it must be provided by the application. The client begins the message exchange by transmitting a message to the server. The message exchange terminates when either the client successfully receives the appropriate response or responses from a server or servers, or when the message exchange is considered to have failed according to the retransmission mechanism described below.

1.5 Capture Example

1.5.1 Solicit  Message

1.5.2 Advertise Message

Option Server ID, Client ID, IA_NA with IAADDR and Domain Search List

1.6 SUMMARY


2 DNS

2.1 Introduction

DNS was introduced in RFC1035. The objects of DNS are organized as a tree structure. The root is the ".".

It is transported over IPv6, encapsulated in UDP port 53 for most messages, except for some exchanges like zone transfers where TCP is more appropriate.

The initial RFC1035 had a serious limitation for IPv6, which is the UDP size limit of 512 octets.

So we had actually two problems to solve:

The Maximum Size of 512 bytes for UDP Messages

How to Code IPv6 Names to Addresses and vice-versa

Many Objects are used for DNS:

NS for Name Servers; MX for Mail Exchange (DNS plays a key role in mail routing on the Internet); A for IPv4 addresses; AAAA for IPv6 addresses.

And more...

2.1.1 Servers hierarchy

2.1.1.1 ROOT Servers

At the very top, we have the ROOT servers.

They manage the list of the servers of each Top-Level Domain, like .com or .uk, and they return their addresses.

13 IPv4 anycast addresses are used and, last time I checked, 9 IPv6 addresses were also ready:

13 IPv4 addresses can be sent in a 512 (436) byte UDP message! Remember that 512 octets was the size limit for a UDP message in RFC 1035! Adding 13 IPv6 addresses would certainly go over the limit (800+ bytes)!

There are actually 200+ physical servers around the globe.

Domain root-servers.net: a.root-servers.net through m.root-servers.net

In Europe, the RIPE servers for k.root-servers.net are located in Amsterdam, Athens, Doha, Frankfurt, London and Milan. IPv4: 193.0.14.129, IPv6: 2001:7fd::1

IPv6 addresses are already supported by 9 of the 13 root-servers

The requirements for a root server are in RFC2870.

http://www.iana.org/domains/root/

2.1.2 Top Level Domain Servers

They return the address of the NS for a user domain, for example fredbovy.com.

The full list is at http://www.iana.org/domains/root/db/

There are two kinds of TLD:

2.1.2.1 The Generic Top-Level-Domains (gTLD): .com, .edu, .net, .mil.

But there are also some other registered gTLDs:

• The .org domain is intended to serve the noncommercial community.

• The .aero domain is reserved for members of the air transport industry.

• The .biz domain is reserved for businesses.

• The .coop domain is reserved for cooperative associations.

• The .int domain is only used for registering organizations established by international treaties between governments.

• The .museum domain is reserved for museums.

• The .name domain is reserved for individuals.

• The .pro domain is being established; it will be restricted to credited professionals and related entities.

2.1.2.2 The Country Code Top-Level-Domains (ccTLD)

There is one for each country: .us, .ca, .fr, .uk.

2.1.3 The Authoritative Domain Servers

To increase performance and reliability of DNS, there is more than one DNS server for each domain.

2.1.3.1 Primary or Master DNS Server

The master zone file describing the zone (zone config file) is located on the primary server.

2.1.3.2 Secondary or Slave DNS Server

The secondary server is synchronized with the primary thanks to zone transfers over TCP.

2.1.3.3 Caching only Servers

The caching server is used to cache the answer on a local server, so when the same query is requested again it will be available locally.

2.2 Clients Query Modes

There are two modes for clients to resolve an IPv6 name to an address:

2.2.1 Iterative (supported by all NS)

This mode actually involves the requester more than the local NS.


2.2.2 Recursive

The recursive mode actually involves the local server more than the requester.

2.3 Support of IPv6 for DNS

2.3.1 EDNS0

RFC1035 limits the maximum DNS UDP message to 512 bytes.

13 IPv4 anycast addresses were used to represent the 200+ servers so that the announcement fits in a 512 byte message, 436 bytes actually, to leave room for some options.

With only 5 IPv6 addresses added to the Additional Section of the DNS Type NS response message root server operators return during the priming exchange, the size of the response message increases from 436 bytes to 576 bytes.

9 Root Servers have been assigned IPv6 addresses

When all 13 root name servers are assigned IPv6 addresses, the priming response will increase in size to 811 bytes!

2.3.2 Priming Exchange

The priming exchange is done when the list of root servers is requested. Conditions for the successful completion of a priming exchange:

Resolvers and any intermediate systems that are situated between resolvers and root name servers must be able to process DNS messages containing Type AAAA resource records.

Additionally, resolvers must use DNS Extensions (EDNS0, RFC 2671) to notify root name servers that they are able to process DNS response messages larger than the 512 byte maximum DNS message size specified in RFC1035.

Intermediate systems must be configured to forward UDP-encapsulated DNS response messages larger than the 512 byte maximum DNS message size specified in RFC1035 to resolvers that issued the priming request.

2.3.3 Test EDNS0 Implementation

To test the action a firewall implementation takes when it receives a UDP-encapsulated DNS response message larger than 512 bytes, a network or firewall administrator can perform the following DNS lookup using:

This command should elicit a 699 byte response that contains AAAA resource records.

If no response is received, network and firewall administrators should first determine if a security policy other than the vendor's default processing for DNS messages is blocking large response messages or large UDP messages. If no policy other than the vendor's default processing is configured, note the implementation and version and contact your vendor to determine if an upgrade or hot fix is available.

2.4 DNSSEC

DNSSEC is an effort to make DNS more secure with some authentication of the messages.

DNSSEC is detailed in RFC4033, RFC4034 and RFC4035. A discussion of operational practices relating to DNSSEC can be found in RFC4641.

In DNSSEC a secure response to a query is one which is cryptographically signed and validated.

It offers no protection against DoS attacks.

DNSSEC adds new Resource Record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS) and Next Secure (NSEC)

A signed zone will contain the 4 additional security-related records

DNSSEC requires support for EDNS0 (RFC2671) and the DNSSEC OK (DO) EDNS bit (RFC 3225).

The Root Zone is signed.

http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html
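The EDNS0 and DO-bit points of sections 2.3 and 2.4, as an added example that is not code from the book: it builds a root-priming query (QNAME ".", QTYPE NS) with an OPT pseudo-RR that advertises a UDP payload size above 512 bytes and the DO bit, decodes it back, and tells whether a response of a given size (the 436/811 byte figures above) would fit what the query advertised. Function names are this example's own; nothing is sent on the network.

```python
# Added example (not from the book): build and decode a root-priming DNS query
# carrying an EDNS0 OPT pseudo-RR (RFC 2671) that advertises a UDP payload size
# above 512 bytes and, optionally, the DNSSEC OK (DO) bit (RFC 3225).
# Function names are this example's own; nothing is sent on the network.
import struct

TYPE_NS, TYPE_OPT, CLASS_IN = 2, 41, 1
DO_BIT = 0x8000                 # high bit of the OPT extended flags (low 16 bits of TTL)
RFC1035_MAX_UDP = 512           # what a resolver is assumed to accept when it sends no OPT RR


def encode_name(name):
    """Wire-format name: length-prefixed labels ending with the empty root label."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, pos):
    """Decode an uncompressed name; returns (name, next position)."""
    labels = []
    while True:
        ln = data[pos]
        if ln & 0xC0:
            raise ValueError("compression pointers are not expected in a query")
        pos += 1
        if ln == 0:
            break
        labels.append(data[pos:pos + ln].decode("ascii"))
        pos += ln
    return ".".join(labels) + ".", pos


def opt_rr(udp_size, do):
    """OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size,
    TTL = ext-rcode(8) | version(8) | flags(16) with DO in the flags, RDLENGTH 0."""
    ttl = DO_BIT if do else 0          # extended rcode 0, EDNS version 0
    return encode_name(".") + struct.pack("!HHIH", TYPE_OPT, udp_size, ttl, 0)


def build_query(qid, qname, qtype, udp_size=None, do=False):
    """Standard query with RD set; ARCOUNT is 1 when an OPT RR is appended."""
    arcount = 1 if udp_size else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    return header + question + (opt_rr(udp_size, do) if udp_size else b"")


def parse_query(raw):
    """Extract the question and what the OPT RR (if any) advertises."""
    qid, _flags, qd, _an, _ns, ar = struct.unpack_from("!HHHHHH", raw)
    if qd != 1:
        raise ValueError("expected exactly one question")
    qname, pos = decode_name(raw, 12)
    qtype, _qclass = struct.unpack_from("!HH", raw, pos)
    pos += 4
    result = {"id": qid, "qname": qname, "qtype": qtype,
              "udp_size": RFC1035_MAX_UDP, "do": False}
    for _ in range(ar):
        name, pos = decode_name(raw, pos)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", raw, pos)
        pos += 10 + rdlen
        if rtype == TYPE_OPT and name == ".":
            result["udp_size"] = rclass          # advertised UDP payload size
            result["do"] = bool(ttl & DO_BIT)
    return result


def fits(response_len, query_raw):
    """Would a UDP response of this size fit what the query advertised?"""
    return response_len <= parse_query(query_raw)["udp_size"]


if __name__ == "__main__":
    q = build_query(0x1234, ".", TYPE_NS, udp_size=4096, do=True)
    print(parse_query(q), fits(811, q))
```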


2.5 Configuration of a DNS Bind Server on Linux

2.5.1 Zones and Zone Files

A Zone file translates the domain names into addresses.

A Zone File contains:

Data that describes the zone authority, known as the Start of Authority (SOA) Resource Record.

All the hosts within the zones.

An A Resource Record for an IPv4 address.

An AAAA Resource Record for an IPv6 address.

Data that describes global information for the zone: MX Resource Records for the domain's mail servers and NS Resource Records for the Name Servers.

In the case of a subdomain delegation, the name servers responsible for this subdomain.

A Zone file looks like this:

2.5.2 Reverse-Mapping Zone

2.5.3 Transport of IPv6 Information in IPv6

DNS requests must be transported in IPv6

DNS Root servers and Top-level domains must support IPv6

9 of the 13 root-servers are IPv6 ready !

DNS messages larger than 512 bytes are supported since DNS Extension 0 (EDNS0. RFC2671)

The old firewalls were blocking DNS UDP messages bigger than 512 octets. This has been fixed for a long time, but if you are at a customer site which has not upgraded its software for a long time either, you may hit this issue.


2.6 Dynamic DNS

DNS servers can be updated dynamically.

An address allocated with DHCPv6 or SLAAC automatically updates the DNS servers by sending Updates to the servers. So this is not only possible with servers doing both DHCPv6 and DNS. The authentication process between the client and the servers is not defined by the RFC but is left to the convenience of the designers.

Dynamic Updates in the Domain Name System (DNS UPDATE): http://tools.ietf.org/html/RFC2136

Secure Domain Name System (DNS) Dynamic Update: http://tools.ietf.org/html/RFC3007

Operational Considerations and Issues with IPv6 DNS: http://tools.ietf.org/html/rfc4472

2.7 Capture of DNS Traffic

Chapter 8

Multicast

IPv6 Multicast is not very different from its IPv4 counterpart. Only the non-scalable protocols, like PIM-DM or MSDP, have been removed; the others have been ported, sometimes under a new name, like MLD instead of IGMP.

Topics

1. Introduction
2. Protocol Independent Multicast (PIM)
   2.1 PIM Sparse Mode or ASM
   2.2 PIM Source Specific Multicast (SSM)
   2.3 PIM BIDIR
3. Embedded Rendez-vous Point
4. Multicast on Layer 2

1 Introduction

IPv6 Multicast is not very different from its IPv4 counterpart. Only the non-scalable protocols have been removed (PIM-DM), and the others have been ported, sometimes under a new name, like MLD instead of IGMP.

PIM is used for multicast routing; for receiver management, IGMP has been ported as MLD.

The very long addresses of IPv6 allowed the Embedded RP, which is great since you no longer have to configure the RP on each router. The IPv6 multicast router configuration can then be summarized in only one command on CISCO IOS®: "ipv6 multicast-routing", and that's it.

When multicast users are connected through Layer 2 switches, MLD Snooping should be used where IGMP Snooping was used for IPv4.

The common rule for all multicast routing is Reverse Path Forwarding, or RPF. This rule says that a packet MUST always be received on the interface which has the best cost to get back to the source address of the packet. Otherwise we say that RPF fails and the packet gets silently dropped. This is the basic rule to avoid multicast routing loops.
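To make the RPF rule concrete, here is an added Python example (not from the book) that runs the check against a constructed unicast routing table: a longest-prefix match on the packet's source address gives the RPF interface, and the packet is accepted only if it arrived there. The prefixes, interface names and sample packets are constructed.

```python
import ipaddress

# Constructed unicast routing table: (prefix, outgoing interface, metric).
# PIM consults this table (it builds no table of its own) to find the RPF interface.
ROUTES = [
    ("2001:db8:1::/48",   "Gi0/0", 10),
    ("2001:db8:1:1::/64", "Gi0/1", 5),
    ("2001:db8::/32",     "Gi0/2", 20),
    ("::/0",              "Gi0/3", 100),
]


def rpf_interface(source: str, routes=ROUTES):
    """Unicast lookup of the packet's source: longest prefix wins, lowest
    metric breaks a tie. The route's outgoing interface is the RPF interface,
    the interface with the best cost back towards the source."""
    src = ipaddress.IPv6Address(source)
    best = None
    for prefix, ifname, metric in routes:
        net = ipaddress.IPv6Network(prefix)
        if src not in net:
            continue
        if best is None or (net.prefixlen, -metric) > (best[0].prefixlen, -best[2]):
            best = (net, ifname, metric)
    return best[1] if best else None


def rpf_check(source: str, ingress: str, routes=ROUTES) -> bool:
    """The RPF rule: accept a multicast packet only if it arrived on the RPF
    interface for its source; anything else is an RPF failure and is dropped."""
    return rpf_interface(source, routes) == ingress


def forward_multicast(packets, routes=ROUTES):
    """Apply the RPF rule to (source, group, ingress) packets and return
    (accepted, dropped). The dropped list is the RPF-failure counter an
    operator watches: a rising count means a loop or an unexpected path."""
    accepted, dropped = [], []
    for source, group, ingress in packets:
        bucket = accepted if rpf_check(source, ingress, routes) else dropped
        bucket.append((source, group, ingress))
    return accepted, dropped


if __name__ == "__main__":
    # Constructed sample traffic: the same source seen on two different interfaces.
    sample = [
        ("2001:db8:1:1::10", "FF0E::1234", "Gi0/1"),  # arrives on the RPF interface
        ("2001:db8:1:1::10", "FF0E::1234", "Gi0/0"),  # duplicate via another path: RPF fails
        ("2001:db8:1:2::10", "FF0E::1234", "Gi0/0"),  # only the /48 matches: Gi0/0 is RPF
    ]
    ok, drop = forward_multicast(sample)
    print("accepted:", ok)
    print("dropped (RPF failure):", drop)
```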


Figure: Solicited Node IPv6 Multicast Address

Unicast Address: 805B:2D9D:DC28::FC57:D4C8:1FFF
Prefix: FF02:0:0:0:0:1:FF
Solicited-node multicast address: FF02:0:0:0:0:1:FFC8:1FFF
Automatically configured for each unicast address

Layout (128 bits): FF02 | 0 | 0001 | FF | last 24 bits of the Interface Identifier

Just remember the Solicited-Node Multicast address example: it is derived from the unicast address and used by ND for MAC address resolution.

Other examples of applications that use multicast are NTP or DHCP.

For this chapter you will need a Web connection and a display supporting Flash® presentations to view these presentations:

IPv6 Multicast Part 1 http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part1.html

IPv6 Multicast Part 2 http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part2.html

IPv6 Multicast Part 3 http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part3.html

On the other hand, the PowerPoint presentations can be found in PPS slideshow format on the IPv6 for Life web site and in PDF on the public Slideshare server, so you can also download them from there.

2 Protocol Independent Multicast

PIM is Independent because it does not build a separate unicast routing table to run RPF. Instead it uses the existing routing table, but the same good old RPF rule still applies.

At the beginning there were two flavors: PIM Dense Mode and PIM Sparse Mode. The first one has not been ported to IPv6 because it was clearly not scalable. PIM-SM, on the other hand, is still in use in IPv6 networks.

With PIM-SM, the multicast receivers are not supposed to know the addresses of the sources when they register to listen for a particular group with the local MLD Querier. The multicast sources do not need any signaling to send traffic; this must be managed by their directly connected router, which we call a PIM Designated Router or PIM-DR.

So we need a place somewhere in the network where any source, through its PIM-DR, can meet the receivers, through their local MLD Querier. This meeting place is called a Rendez-Vous Point.

For a detailed presentation of PIM-SM operations and the other topics addressed in this chapter, please use this presentation:

http://www.ipv6forlife.com/Docs/MulticastIPv6.pps

This presentation and others are also located on the public site Slideshare.com; look for Fred Bovy, IPv6 For Life Presentations.

PIM-SM is also explained in these short Flash Presentations:

IPv6 Multicast Part 1 http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part1.html

IPv6 Multicast Part 2 http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part2.html

IPv6 Multicast Part 3 http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part3.html

With PIM-SSM, the receivers know the address of the source. When a receiver registers with the MLD Querier, it provides both the group address it wants to listen to and the IPv6 unicast address of the source. So there is no need for a Rendez-Vous Point and its associated shared tree: we are always on the Shortest-Path Tree.

PIM-BIDIR is actually the Shortest Path Tree of PIM-SM (see the Flash presentation), but the sources can also receive and the receivers can also send.

3 Embedded Rendez-Vous Point

The Embedded-RP is also fully covered in the PPT Slideshow given earlier. But it is really easy to explain quickly.

The idea is to encode a 128-bit address inside another /128. What we do is advertise only a prefix, which can be up to /64 long, and then with only 4 bits we can code 16 RPs from this prefix.

Let's see how the prefix is coded. We have a prefix length, which here is 30 hex, or 48 decimal. The prefix is 2001:db8:9abc::/48.

Figure: Embedded RP Prefix

FF7E:0130:2001:db8:9abc::4321
Plen = 30 hex = 48 dec; Prefix = 2001:db8:9abc::

And for the rest, let's look at this now:

Figure: Embedded RP Address

FF7E:0130:2001:db8:9abc::4321
Rendez-Vous Point Address: 2001:db8:9abc::1 (RFC 3956)

The IPv6 multicast address flags are R, P and T. T is for Temporary address. R and P both carry Embedded RP information.

Then we see that the RP ID is 1, so the full address for this RP will be 2001:db8:9abc::1.

Then on the CISCO routers you just need to go on each router and type the command "ipv6 multicast-routing", and that's it! Your work is done, the customer can sign the papers and you can get back home early today!
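As an added example (not from the book), the Python code below decodes the book's group FF7E:0130:2001:db8:9abc::4321 into its RFC 3956 fields and rebuilds it from the RP address, rejecting the malformed cases the RFC forbids (flags other than R, P and T all set, RIID 0, a prefix length over 64, prefix bits set beyond plen). It uses only the addresses shown on this page.

```python
import ipaddress

# Embedded-RP group layout (RFC 3956):
# | 8 bits | 4    | 4     | 4    | 4    | 8    | 64 bits        | 32 bits  |
# | 0xFF   | flgs | scope | rsvd | RIID | plen | network prefix | group ID |
# flgs = 0RPT; Embedded-RP requires R, P and T all set, i.e. flags == 0b0111.


def decode_embedded_rp(group: str) -> dict:
    """Extract prefix length, prefix, RIID and the RP address from an
    Embedded-RP group address, rejecting the malformed cases RFC 3956 forbids."""
    b = ipaddress.IPv6Address(group).packed
    if b[0] != 0xFF:
        raise ValueError("not an IPv6 multicast address")
    flags, scope = b[1] >> 4, b[1] & 0xF
    if flags != 0b0111:
        raise ValueError("R, P and T flags must all be set (flags=0x%x)" % flags)
    if b[2] >> 4:
        raise ValueError("reserved nibble must be zero")
    riid, plen = b[2] & 0xF, b[3]
    if riid == 0:
        raise ValueError("RIID 0 is reserved; the RP interface ID must be 1..15")
    if not 1 <= plen <= 64:
        raise ValueError("prefix length must be 1..64, got %d" % plen)
    prefix_bits = int.from_bytes(b[4:12], "big")            # the 64-bit prefix field
    if prefix_bits & ((1 << (64 - plen)) - 1):
        raise ValueError("bits beyond plen in the prefix field must be zero")
    rp = ipaddress.IPv6Address((prefix_bits << 64) | riid)  # prefix, zeros, RIID
    return {
        "scope": scope,
        "plen": plen,
        "prefix": ipaddress.IPv6Network((prefix_bits << 64, plen)),
        "riid": riid,
        "rp": rp,
        "group_id": int.from_bytes(b[12:16], "big"),
    }


def encode_embedded_rp(rp: str, plen: int, scope: int, group_id: int) -> ipaddress.IPv6Address:
    """Inverse operation: build the group address that carries RP 'rp' (whose
    low 4 bits are the RIID) with a plen-bit prefix and a 32-bit group ID."""
    rp_int = int(ipaddress.IPv6Address(rp))
    riid = rp_int & 0xF
    if riid == 0 or not 1 <= plen <= 64 or not 0 <= group_id < (1 << 32):
        raise ValueError("invalid RIID, plen or group ID")
    prefix_bits = (rp_int >> 64) & (~0 << (64 - plen)) & ((1 << 64) - 1)
    if rp_int != (prefix_bits << 64) | riid:
        raise ValueError("RP address must be <prefix>::<RIID>, nothing else set")
    value = (0xFF << 120) | (0x7 << 116) | (scope << 112) | (riid << 104) | (plen << 96)
    value |= (prefix_bits << 32) | group_id
    return ipaddress.IPv6Address(value)


if __name__ == "__main__":
    info = decode_embedded_rp("FF7E:0130:2001:db8:9abc::4321")  # the book's example group
    print(info)                                                # rp = 2001:db8:9abc::1
    print(encode_embedded_rp("2001:db8:9abc::1", 48, 0xE, 0x4321))
```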


4 IPv6 Multicast on Layer 2

IPv6 multicast is encapsulated in Ethernet frames using a MAC address prefix of 33:33 instead of 01:00:5e for IPv4, followed by the last 32 bits of the IPv6 address.

Figure: IPv6 Encapsulation in Ethernet

IPv6 Multicast Address: FF02:0:0:0:0:1:FF90:FE53 (128 bits)
MAC Address: 33:33:FF:90:FE:53 (48 bits)

When switches are used, we use MLD Snooping to forward traffic only on the point-to-point links with attached interested receivers.

This is only possible because switching is now performed in silicon with fast ASICs: the feature requires the switch to look inside the MLD packets to find the unsolicited MLD Report messages and figure out that there is a receiver.

Figure: MLD Snooping
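As an added example (not from the book) covering both the solicited-node derivation shown earlier in this chapter and the Ethernet mapping above, the Python code below derives the solicited-node group from a unicast address, maps any IPv6 group to its 33:33 MAC address, and shows that several groups collapse onto one MAC, which is why a filter keyed on the MAC alone still needs an IPv6-layer check of the group. The three colliding groups in the demo are constructed; the other addresses are the book's own.

```python
import ipaddress


def solicited_node(unicast: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group of a unicast address: the fixed prefix
    FF02::1:FF00:0/104 followed by the low 24 bits of the unicast address.
    A node joins this group for every unicast address it configures, and ND
    sends Neighbor Solicitations (address resolution, DAD) to it."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address((0xFF02 << 112) | (1 << 32) | (0xFF << 24) | low24)


def multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 multicast group: the 33:33 prefix
    followed by the last 32 bits of the group address (RFC 2464)."""
    packed = ipaddress.IPv6Address(group).packed
    if packed[0] != 0xFF:
        raise ValueError("%s is not an IPv6 multicast address" % group)
    return "33:33:" + ":".join("%02X" % b for b in packed[12:])


def groups_sharing_mac(groups):
    """Map each MAC address to the groups that collapse onto it. The 128->48
    mapping discards 80 bits, so a NIC or a MAC-based snooping switch that
    filters on the MAC alone also passes frames for every other group in the
    same bucket; the IPv6 layer must still check the real group address."""
    buckets = {}
    for g in groups:
        buckets.setdefault(multicast_mac(g), []).append(ipaddress.IPv6Address(g))
    return buckets


if __name__ == "__main__":
    # The book's examples: a unicast address and the solicited-node group derived from it.
    sn = solicited_node("805B:2D9D:DC28::FC57:D4C8:1FFF")
    print(sn, "->", multicast_mac(str(sn)))          # ff02::1:ffc8:1fff -> 33:33:FF:C8:1F:FF
    print(multicast_mac("FF02:0:0:0:0:1:FF90:FE53"))  # 33:33:FF:90:FE:53
    # Constructed groups of different scopes that all collapse onto the same MAC.
    colliding = ["FF02::1:FF90:FE53", "FF05::1:FF90:FE53", "FF0E::ABCD:FF90:FE53"]
    for mac, gs in groups_sharing_mac(colliding).items():
        print(mac, [str(g) for g in gs])
```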

33:33: This is the MAC address prefix for IPv6 multicast addresses encapsulated in Ethernet. The next 32 bits are the last 32 bits of the IPv6 address.

Index: Chapter 8 - Multicast

ASICS: A chip which performs a special task in silicon, like Layer 2 switching in our case.

Index: Chapter 8 - Multicast

ASM: Any Source Multicast. This is another name for PIM Sparse Mode (see PIM).

Index: Chapter 8 - Multicast

BIDIR: Bi-directional. This is for PIM BIDIR, which is actually the PIM-SM Shared Tree where Sources can Receive and Receivers can Send.

Index: Chapter 8 - Multicast

CCIE: Cisco Certified Internet Expert. It started with number 1023. With #3013 I deserve the CISCO dinosaur distinction. When I was younger and passed both the written and the lab test at the first attempt, cheating was impossible and the answers were not available for $20 from the Web. It was a great distinction! And you must be recertified every two years. Again, it is not so old that you can get the answers before taking it, and I have had to take the written test every two years since 97 to stay active. I also find in the field many consultants who say that they are CCIE but only have the written exam, or have not been recertified for 10 years, yet they get hired as cheap "CCIE"! This is really unfair!

Index: Chapter 1 - Preface

Cost: This is the metric of Link-State Routing protocols. The lower the path cost, the better the route. The lowest path cost is used for routing.

Index: Chapter 8 - Multicast

DAD: Duplicate Address Detection, the Neighbor Discovery process that checks that an address is not already in use before using it. It is enabled by default on LAN interfaces on CISCO routers but disabled on serial interfaces.

Index: Chapter 5 - ICMPv6 & ND

DHCP: Dynamic Host Control Protocol, used to configure workstations with an IPv6 address and/or other information. With IPv6 there are many more variations than with IPv4, because IPv6 has a built-in Stateless Autoconfiguration feature based on the Neighbor Discovery Protocol (RFC 4862, RFC 4861).

So DHCPv6 can be used for other information but not addresses. This is Stateless DHCPv6.

DHCPv6 can also be used to provide a site prefix instead of individual addresses. The prefix can then be subnetted. This is DHCP Prefix Delegation or DHCP-PD.

Index: Chapter 8 - Multicast

DHCP-PD: DHCP Prefix Delegation. See DHCP.

Index: Chapter 7 - Addresses, Names & Services

DHCPv6: DHCP for IPv6. See DHCP.

Index: Chapter 5 - ICMPv6 & ND

Embedded RP: This is a method to code the PIM-SM Rendez-Vous Point in the group address. With Embedded RP you only need ONE command to have your multicast routing configured on a CISCO IOS® router: "ipv6 multicast-routing".

Index: Chapter 8 - Multicast

IGMP: Internet Group Membership Protocol. The protocol that manages the signaling between the Receivers and the Multicast Last Hop Router, the IGMP Querier. For IPv6 it has been renamed MLD (see MLD).

Index: Chapter 8 - Multicast

IOS®: Internetwork Operating System, the historical CISCO Operating System. A great survivor, pretty much like me! A big monolith with a round-robin scheduler to manage the processes. A simple OS written and programmable in plain C code. A basic time-shared scheduler which can be interrupted to switch a packet in "real time" when it can be done quickly. Otherwise the incoming packet is punted to be switched later on. This is IOS and we love it!

Index: Chapter 1 - Preface

IPAM: IP Address Management tools. With IPv4, many Service Providers were using spreadsheets to manage their IPv4 addresses with home-made macros, and everybody was very happy. The 128-bit addresses of IPv6 made that impossible, and new software was introduced to manage these very long addresses. IPAM was born. The next step was to link these big databases with DNS and DHCP, et voilà!

Today it is just insane, or simply impossible, to plan any decent network without an IPAM to manage your IPv6 addresses and node names.

Index: Chapter 7

IPv4: Internet Protocol version 4. The protocol which started the Internet in the late 70s. Like Jim Morrison or Jimi Hendrix, IPv4 will die one day, as it is clearly not designed to sustain the Internet of 2012.

It was requested by the USA Department of Defense (DoD) to build a private Internet, when a few thousand hosts was an impossible boundary that would never be reached. For the DoD and the mainframe technology of the 70s, IPv4 with its 32 bits was here to last forever!

Index: Chapter 8 - Multicast

IPv6: Internet Protocol version 6. The protocol developed in the 90s to scale the y2k Internet and replace IPv4 forever.

http://www.tcpipguide.com/free/t_IPv6AddressSizeandAddressSpace-2.htm

"Since IPv6 addresses are 128 bits long, the theoretical address space if all addresses were used is 2^128 addresses. This number, when expanded out, is 340,282,366,920,938,463,463,374,607,431,768,211,456, which is normally expressed in scientific notation as about 3.4*10^38 addresses. That's about 340 trillion, trillion, trillion addresses. As I said, it's pretty hard to grasp just how large this number is. Consider:

◦ It's enough addresses for many trillions of addresses to be assigned to every human being on the planet.

◦ The earth is about 4.5 billion years old. If we had been assigning IPv6 addresses at a rate of 1 billion per second since the earth was formed, we would have by now used up less than one trillionth of the address space.

◦ The earth's surface area is about 510 trillion square meters. If a typical computer has a footprint of about a tenth of a square meter, we would have to stack computers 10 billion high blanketing the entire surface of the earth to use up that same trillionth of the address space."

Index: Chapter 8 - Multicast

MAC: MAC Addresses are used at Layer 2 to address an Ethernet workstation on a LAN.

Index: Chapter 8 - Multicast

MLD: Multicast Listener Discovery. MLD is IGMP ported to IPv6.

MLDv1 is IGMPv2 and MLDv2 is IGMPv3.

This is the signaling between the Receiver and the last hop router.

Hosts use MLD to tell the local router that they want to receive a Group. Then the MLD router propagates the MLD exchange with the PIM protocol to build the Shared or Shortest Path Tree.

Index: Chapter 8 - Multicast

MLD Snooping: Does for IPv6 what IGMP snooping was doing for IPv4. It listens to the multicast traffic and looks inside the MLD packets to find the control packet of a receiver saying that it wants to join a given group. Then the switch only forwards the multicast on the ports where it knows there is a receiver interested in this group.

Index: Chapter 8 - Multicast

MSDP: Multicast Source Discovery Protocol. A protocol running over TCP that was used to join two separate shared trees. It was useful when you had multiple Rendez-Vous Points: for a source, a Rendez-Vous Point will find the receivers registered on another RP.

It was used by Service Providers to set up redundant RPs with a feature called Anycast RP.

The problem is that MSDP sessions must be fully meshed, leading to O(n²) complexity.

They were configuring 2 RPs in each country for redundancy. For 40 countries you had to configure (80*79)/2 MSDP-over-TCP sessions, and reasonable-size routers did not support that many MSDP sessions and collapsed.

MSDP, and Anycast RP using MSDP, have not been ported to IPv6.

NAT: Network Address Translation. A workaround which broke the peer-to-peer IP capability that was a key driver in the 80s for people to switch to TCP/IP. Just before they switched to TCP/IP, IBM proposed the SNA LU6.2-based APPN solution to move from a hierarchical model to a peer-to-peer one. In the early 80s, peer-to-peer and downsizing, porting applications from mainframes down to mini, RISC and micro computers, was the way to go!

But in the 90s peer-to-peer was broken by NAT, which breaks many applications and is a security weakness seen as a security feature by some NAT proponents! They cling to IPv4 and NAT as if their life would have no reason to be without NAT!

NAT was never a security feature. The best security is true end-to-end security, which does not work if someone changes anything in the original address, because you cannot be identified from your address anymore = no security. Someone who does some really bad things using a NATed address will never get caught.

Index: Chapter 2 - Introduction to IPv6

ND: Neighbor Discovery Protocol, defined in RFC 4861, is a key protocol for IPv6.

Index: Chapter 5 - ICMPv6 & ND

NTP: Network Time Protocol, to synchronize all the system clocks in a network.

Index: Chapter 8 - Multicast

NUD: Neighbor Unreachability Detection is a part of ND and is used to check that a neighbor is still alive, and to clean up the entry if the node fails to reply.

Index: Chapter 5 - ICMPv6 & ND

P2P: Point-to-Point Network.

Index: Chapter 8 - Multicast

PIM: Protocol Independent Multicast Protocol. It is independent because it uses the default Unicast Routing Table to run the RPF algorithm instead of building a separate table.

Index: Chapter 8 - Multicast

PIM-BIDIR: See PIM.

Index: Chapter 8 - Multicast

PIM-DM: PIM Dense Mode. Deprecated. It was not scalable. (See PIM)

Index: Chapter 8 - Multicast

PIM-DR: PIM Designated Router. The router which is directly connected to a Multicast Source. The highest priority wins; the highest IP address is used as a tie breaker. See PIM.

Index: Chapter 8 - Multicast

PIM-SSM: PIM Single Source Multicast. Only works with the Shortest Path Tree, as the Receivers know the Source Address(es) when they register for a Group (see PIM).

Index: Chapter 8 - Multicast

Querier: The MLD (IPv6) or IGMP (IPv4) Querier is the router which has directly connected receivers. The lowest IP address is the elected Querier when multiple candidates are available.

Index: Chapter 8 - Multicast

RP: PIM Rendez-Vous Point is the place where the PIM-SM Source meets the Receivers.

Index: Chapter 5 - ICMPv6 & ND

Rendez-Vous: See PIM-SM.

Index: Chapter 8 - Multicast

Reverse Path Forwarding: The Reverse Path Forwarding rule is the universal IP multicast rule.

To avoid routing loops, a multicast router checks each packet received on each interface against its source address. The packet MUST be received on the interface which has the best (lowest) path cost to get back to the source, or it gets dropped when RPF fails.

RPF: See Reverse Path Forwarding.

Index: Chapter 8 - Multicast

SLAAC: Stateless Address Auto Configuration. This is a process to get an interface automatically configured with an address using the Neighbor Discovery Protocol (RFC 4861).

SLAAC is described in RFC 4862.

Index: Chapter 5 - ICMPv6 & ND

SSM: PIM Source Specific Multicast. (See PIM)

Index: Chapter 8 - Multicast

Stateful: Stateful means that a server must keep some state for each allocation to manage the entry.

For instance, when DHCP allocates an address, it keeps an entry for this allocated address, and if the neighbor fails to RENEW the address, it goes back to the unused pool and can be allocated to another node.

Stateful devices are easy targets for DoS attacks and should be protected with some mitigation techniques to limit the effects of the attack!

Index: Chapter 7 - Addresses, Names & Services

Stateless: When DHCP is not used to allocate addresses it is called Stateless DHCPv6 and only provides information, not addresses.

Index: Chapter 7 - Addresses, Names & Services

ULA: Unique Local Addresses are used when private addresses are needed. ULA can be centrally managed or locally administered. The idea was not to repeat the IPv4 mistakes: we have 40 bits to make the ULA unique and avoid any risk of overlapping addresses when we merge two networks.

Index: Chapter 3 - IPv6 Addresses