Embed Size (px)
Citation preview
Introduction, inc. Addressing and Autoconfiguration
IPv6 workshop KrakowMay 2012
Carlos Friaças, [email protected] De Ghein, [email protected]
Contents
Introduction to IPv6
IPv6 Protocol (headers & options)
IPv6 Addressing
IPv6 Associated Protocols
Autoconfiguration
Introduction to IPv6
IPv6 workshop KrakowMay 2012
Why a new version for IP ?
Historical facts
IPv4 address space status
From Emergency measures …… to IPv6
Historical facts1983 : Research network for ~ 100 computers1992 : Internet is open to the commercial
sector : • Exponential growth• IETF urged to work on an IP next generation protocol
1993 : Exhaustion of the class B address space Forecast of network collapse for
1994 ! RFC 1519 (CIDR) published
• Updated by RFC 4632 in 2006
1995 : RFC 1883 (IPv6 specs) published• First RFC about IPv6
• Hierarchical & Regional
IANA
RIR RIR
NIR
LIR/ISP LIR/ISP
EU(ISP) EU EU End User
Regional Internet Registry
Internet Assigned Numbers Authority
National Internet Registry
Local Internet Registry / Internet Service Provider
How does address distribution work?
Source: http://www.nro.net/wp-content/uploads/nro_stats_2011_q2.ppt
IPv4 address space status
Source: http://www.nro.net/statistics
IPv4 Regional Allocations
The last /8 (~16.7 million addresses) will be distributed according to a different and more
restrictive policy
Exhaustion at the RIPENCC Service Region
RIR Allocation PoliciesAfriNIC: http://www.afrinic.net/IPv6/index.htm http://www.afrinic.net/docs/policies/afpol-v6200407-000.htm *APNIC: http://www.apnic.org/docs/index.html http://www.apnic.org/policy/ipv6-address-policy.html *ARIN: http://www.arin.net/policy/index.html http://www.arin.net/policy/nrpm.html#ipv6 *LACNIC: http://lacnic.net/sp/politicas/ http://lacnic.net/sp/politicas/ipv6.html *RIPE-NCC: http://www.ripe.net/ripe/docs/ipv6.html http://www.ripe.net/ripe/docs/ipv6policy.html *
• *describes policies for the allocation and assignment of globally unique IPv6 address space
RIR Allocation StatisticsAfriNIC:
• http://www.afrinic.net/statistics/index.htmAPNIC:
• http://www.apnic.org/info/reports/index.htmlARIN:
• http://www.arin.net/statistics/index.htmlLACNIC:
• http://lacnic.org/sp/est.htmlRIPE-NCC:
• http://www.ripe.net/info/stats/index.html
Emergency measures …
CIDR
Private addresses
NAT
CIDR …Allocate former “class B” addresses
exceptionally • known as /16 prefixes since then
Re-use “class C” address space• Without any more address classes
CIDR (Classless Internet Domain Routing) • RFC 1519 updated by RFC 4632• network address = {prefix/prefix length}• Classes abandon = less address waste• allows aggregation => reduces routing table size
Allow private addressing plansAddresses are used internallySimilar to security architecture with firewallUse of proxies or NAT to go outside
• RFC 2663, 2993 and 3022
Private addresses (RFC 1918)
NAT (continued)
Advantages:
• Reduce the need of official (public) addresses
• Ease the internal addressing plan
• Transparent to some applications
• “Security” vs obscurity
• Netadmins/sysadmin
Disadvantages:
• Translation sometimes complex (e.g. FTP)
• Apps using dynamic ports• Does not scale• Introduce states inside the
network: Multihomed networks
• Breaks the end-to-end paradigm
• Security with IPsec
=> Should be reserved for small sites in Client/Server mode
Emergency MeasuresThese emergency measures provided time to develop
a new version of IP, named IPv6
IPv6 keeps principles that have made the success of IP• Open architecture• CIDR usage
Corrects what was wrong with the current version (v4)• Header simplification
BUT are emergency measures enough?
From emergency to IPv6IPv6 is already there …
• Internet v6 is there today :• NRENs in EU, North America, Asia … are interconnected in IPv6• Lots of IXP are offering IPv6 connectivity• Several transit providers already have IPv6 at their services
portfolio• Several content providers have deployed it, and are actively
promoting IPv6• ISPs and Telcos exchange IPv6 routes• Vista and Windows 2008 (servers) are IPv6 enabled by default• Around 5400 ASNs already visible (source: CIDR report)
Then the question is not “if” but “when?” and “how?”
IPv6 Protocol (headers & options)
IPv6 workshop KrakowMay 2012
IPv6 HeaderComparison with IPv4
IPv6 optional headers (extensions)
Processing IPv6 headersComparison with IPv4
IPv6 Header
The IPv6 header is designed• To minimize header overhead • and reduce the header process for most of the
packets• Less important information and option fields
are moved to extension headers
IPv6 & IPv4 headers are not interoperable
IPv4 Header
Ver.
fragmentIdentifier
Total Length
flags
20 B
ytes
32 bits
ToS
Options
IHL
TTL Protocol Checksum
Source Address
Destination Address
32 bits
32 bits
Ver.
Hop LimitPayload length
Flow label
Next Header
Source Address
Destination Address
40 B
ytes
32 bits
Traffic Class
(Extensions)Data
IPv6 Header simplification
128 bits
128 bits
IPv6: optional Extensions
New “mechanism” replacing IPv4 optionsAn IPv6 extension :
• Every extension has its own message format• Is a n x 8-byte datagram• Starts with a 1-byte ‘Next Header’ field
Pointing to either another extension or a L-4 protocol
Hop-by-hop (jumbogram, router alert)• Always the first extension• Analyzed by every router.
IPv6: optional Extensions
DestinationRouting (loose source routing)FragmentationSecurity
• Authentication (AH)• Encapsulating Security Payload (ESP) :
confidentiality
IPv4 header options processing
IPv4 options : processed in each routerslow down packets
A
B
A -> R1
B
A -> B
R1R1
R1
IPv6 ext. header processing
IPv6 extensions (except Hop-by-Hop) are processed only by the destination.
A
B
A -> R1
B
A -> B
R1R1
R1
ConclusionMain changes in IPv6 protocol are within address
format and datagram headers
• A lot of fields in the IPv6 header have disappeared More efficient processing in the (intermediate) routers
• Optional extensions allow more functionalities (source routing, authentication, …)
• Optional header mechanism allows new options introduction without modifying the protocol
IPv6 Addressing
IPv6 workshop KrakowMay 2012
IPv6 AddressingSchemeTypesFormatsType PrefixesSpaceProduction Addressing SchemePlans
IPv6 Addressing Scheme
Defined in RFC 4291 (2006)Updated by RFC5952 and RFC6052 (2010)Several previous versions
Oldest is from 1995 (RFC1884)
128 bits Addresses (hierarchy & flexibility)
Hexadecimal representation (0 to F)
1 Interface can have several IPv6 addresses
IPv6 Addressing Scheme
There is no broadcast nor network address
Global Unicast IPv6 addresses format defined in RFC 3587
CIDR principles usage:Prefix / Prefix length (or mask)
2001:660:3003::/482001:660:3003:2:a00:20ff:fe18:964c/64
Aggregation reduces routing table size
IPv6 Address TypesUnicast (one-to-one)
• global• link-local• site-local (deprecated)• Unique Local (ULA)• IPv4-compatible (deprecated)• IPv6-mapped
Multicast (one-to-many)Anycast (one-to-nearest)Reserved
Source:http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml
• Basic Format (Global, 16 bytes/128 bits) :
• Compact Format
• Literal Format[2001:0DB8:3003:0001:0000:0000:6543:210F]
2001:0DB8:3003:0001:0000:0000:6543:210F
2001:0660:3003:0001:0000:0000:6543:210F2001:0660:3003:0001:0000:0000:6543:210F2001:660:3003:1:0:0:6543:210F2001:660:3003:1:0:0:6543:210F2001:DB8:3003:1::6543:210F
IPv6 Addressing Formats
IPv6 Address Type Prefixes
Global Unicast assigments actually use 2000::/3 (001 prefix)Anycast addresses allocated from unicast prefixes
Address Type Binary Prefix IPv6 Notation
Unspecified 00…0 (128 bits) ::/128
Loopback 00…1 (128 bits) ::1/128
Multicast 1111 1111 FF00::/8
Link-Local Unicast 1111 1110 10 FE80::/10
ULA 1111 110 FC00::/7
Global Unicast (everything else)
IPv4-mapped 00…0:1111 1111:IPv4
::FFFF:IPv4/128
Site-Local Unicast (deprecated)
1111 1110 11 FEC0::/10
IPv4-compatible (deprecated)
00…0 (96 bits) ::IPv4/128
IPv6 Address SpaceAggregatable Global Unicast Addresses (001): 1/8Unique Local Unicast addresses (1111 1110 00):
1/128Link-Local Unicast Addresses (1111 1110 10): 1/1024Multicast Addresses (1111 1111): 1/256
More info:http://www.iana.org/assignments/ipv6-address-space
For Future Use In Use
1/2 1/4 1/8 1/8
Production Addressing Scheme (1)
IANA
RIR RIR
NIR
LIR/ISP LIR/ISP
EU(ISP) EU EU End User
Regional Internet Registry
Internet Assigned Numbers Authority
National Internet Registry
Local Internet Registry / Internet Service Provider
Production Addressing Scheme (2)
LIRs receive by default /32• Production addresses today are from prefixes 2001, 2003, 2400, etc.• Can request for more if justified
/48 used only within the LIR network, with some exceptions for critical infrastructures
/48 to /128 is delegated to end users• Recommendations following RFC6177 (2011) and current policies• /48 general case, /47 if justified for bigger networks• /64 if one and only one network is required• /128 if it is sure that one and only one device is going to be
connected
Subnet ID(16 bits)
Interface Identifier(64 bits)
interface ID001 subnet IDGlob. Rout. prefix
Global Routable Prefix (45 bits)
Production Addressing Scheme (3)Source:http://www.iana.org/assignments/ipv6-unicast-address-
assignments
IPv6 Global Unicast Address Assignments [0][last updated 2008-05-13]Global Unicast Prefix Assignment Date Note--------------------- ---------- ------ ----2001:0000::/23 IANA 01 Jul 99 [1]2001:0200::/23 APNIC 01 Jul 992001:0400::/23 ARIN 01 Jul 992001:0600::/23 RIPE NCC 01 Jul 992001:0800::/23 RIPE NCC 01 May 022001:0A00::/23 RIPE NCC 02 Nov 022001:0C00::/23 APNIC 01 May 02 [2]2001:0E00::/23 APNIC 01 Jan 032001:1200::/23 LACNIC 01 Nov 02
Production Addressing Scheme (4)
3 16 64 bits
Fixed Prefix
IANA/RIR/LIR End User Interface ID
Public topology /48
Network portion /64
Host portion /64
45
Site topology /80
• Preparing an IPv6 addressing plan is not a trivial task
• Needs timely planning– All remote network points and existing
topologies need to be remembered
• Keep in mind: • Aggregation = YES• Conservation = NO
Addressing Plans
• Do we perform reservations? If yes, which size?
• All departments have the same relevance/status? And the same networking needs?
• Where to start performing assignments? Where to assign the “2nd block”?
• Which block is to be used on infrastructure? Which network masks are we going to use for plain point-to-point connections?
Decisions
1 23 45 6 7 8910
11
12
13
14
15
16
Visualization
• Address is defined with:• Embedded MAC Addressor• Fixed
• The automatic address obtained through autoconfiguration, when the NIC is changed, forces:
– A DNS AAAA record update– Check services’ configs– Update scripts which use the address in a
static way
LANs – last 64 bits?
IPv6 Associated Protocols
IPv6 workshop KrakowMay 2012
IPv6 Associated ProtocolsNew ProtocolsNeighbor Discovery (NDP)Address ResolutionPath MTU Discovery
New features are specified in IPv6 Protocol -RFC 2460 DS
Neighbor Discovery (NDP) -RFC 4861 DS• Updated by RFC 5942
Auto-configuration :• Stateless Address Auto-configuration -RFC 4862 DS
• DHCPv6: Dynamic Host Configuration Protocol for IPv6
-RFC 4361 PS (updated by RFC 5494)
• Path MTU discovery (pMTU) -RFC1981 DS
New Protocols (1)
MLD (Multicast Listener Discovery) –RFC 2710 PS• Updated by RFC 3590 and RFC 3810
• Multicast group management over an IPv6 link
• Based on IGMPv2
• MLDv2 (equivalent to IGMPv3 in IPv4)
ICMPv6 (RFC 4443 DS):• Updated by RFC 4884
• Covers ICMP (v4) features (Error control, Administration, …)
• Transports ND messages
• Transports MLD messages (Queries, Reports, …)
New Protocols (2)
IPv6 nodes (hosts and routers) on the same physical medium (link) use Neighbor Discovery (NDP) to:• discover their mutual presence• determine link-layer addresses of their neighbors• find neighboring routers that are willing to forward
packets on their behalf• maintain neighbors’ reachability information (NUD)• not directly applicable to NBMA (Non Broadcast Multi
Access) networks NDP uses link-layer multicast for some of its
services.
Neighbor Discovery for IPv6 (1)
Protocol features:• Router Discovery• Prefix(es) Discovery• Parameters Discovery (link MTU, Max Hop Limit, ...)• Address Autoconfiguration • Address Resolution• Next Hop Determination• Neighbor Unreachability Detection• Duplicate Address Detection• Redirect
NDP for IPv6 (2)
The IPv6 Neighbor Discovery protocol corresponds to a combination of the IPv4 protocols:• Address Resolution Protocol (ARP)• ICMP Router Discovery (RDISC)• ICMP Redirect (ICMPv4)
Improvements over the IPv4 set of protocols:• Router Discovery is part of the base protocol set• Router Advertisements carry link-layer addresses and prefixes
for a link, and enable Address Autoconfiguration• Multiple prefixes can be associated with the same link.• Neighbor Unreachability Detection is part of the base protocol
set• Detects half-link failures and avoids sending traffic to
neighbors with which two-way connectivity is absent• By setting the Hop Limit to 255, Neighbor Discovery is
immune to off-link senders that accidentally or intentionally send ND messages.
NDP (3) : comparison with IPv4
NDP specifies 5 types of ICMP packets :• Router Advertisement (RA) :
ICMP type = 134, code 0 periodic advertisement or response to RS message (of the
availability of a router) which contains:– list of prefixes used on the link (autoconf)– Flags for address configuration mechanism (M & O)– a possible value for Max Hop Limit (TTL of IPv4)– value of MTU
• Router Solicitation (RS) : the host needs RA immediately (at boot time)
NDP (4)
• Neighbor Solicitation (NS): to determine the link-layer @ of a neighbor or to check a neighbor is still reachable via a cached L2 @ also used to detect duplicate addresses (DAD)
• Neighbor Advertisement (NA): answer to a NS message to advertise the change of physical address
• Redirect : Used by routers to inform hosts of a better first hop for a
destination
NDP (5)
Address resolution is the process through which a node determines the link-layer address of a neighbor given only its IP address.
Find the mapping: Dst IP @ Link-Layer (MAC) @
Recalling IPv4 & ARP• ARP Request is broadcasted
e.g. ethernet @: FF-FF-FF-FF-FF-FF Btw, it contains the Src’s LL @
• ARP Reply is sent in unicast to the Src It contains the Dst’s LL @
Address resolution
At boot time, every IPv6 node has to join 2 special multicast groups for each network interface:
All-nodes multicast group: ff02::1 Solicited-node multicast group: ff02::1:ffxx:xxxx
– derived from the lower 24 bits of the node’s address
H1: IP1, MAC1 H2: IP2, MAC2HA: IPA, MACA HB: IPB, MACB
NS ? D2 ( MACB) D3=Multi(IPB)) S2 = MACA S3 = IPA
NA D2 = MACAD3 = IPA S2 = MACB S3 = IPB
Address resolution (2) with NDP
Derived from RFC1191 (IPv4 version of the protocol)
Path = set of links • followed by an IPv6 packet between source and destination
Link MTU = maximum packet length (bytes) • that can be transmitted on a given link without fragmentation
Path MTU (or pMTU) = min { link MTUs } • for a given path
Path MTU Discovery = automatic pMTU discovery for a given path
Path MTU discovery (RFC 1981)
Protocol operation• makes assumption that pMTU = link MTU to reach a
neighbor (first hop)• if there is an intermediate router such that
link MTU < pMTU it sends an ICMPv6 message: "Packet size Too Large"
• source reduces pMTU by using information found in the ICMPv6 message
• …
=> Intermediate network element aren’t allowed to perform packet fragmentation
Path MTU discovery (2)
Autoconfiguration
IPv6 workshop KrakowMay 2012
AgendaStateless AutoconfigurationStateful Autoconfiguration (DHCPv6)Conclusions
Stateless AutoconfigurationProvides plug & play networking for hosts
On network initialisation a node can obtain:• IPv6 prefix(es)• Default router address(es)• Hop limit• (link local) MTU• validity lifetime
DNS server addresses are not normally supplied• RFC6106 (2010) - IPv6 Router Advertisement Options for DNS
Configuration Though not yet available in any OS
Stateless AutoconfigurationHosts can automatically get an IPv6 address
Only routers have to be manually configured • Or can use the Prefix Delegation option (RFC 3633)
Servers should be manually configured
Link-local (as opposed to Global) addresses are usually autoconfigured on all nodes
Stateless AutoconfigurationIPv6 Stateless Address Autoconfiguration
• Defined in RFC 4862
Hosts listen for Router Advertisements (RA) messages• Periodically sent out by routers on the local link, or requested by
the host using an RA using a solicitation message• RA messages provide information to allow for automatic
configuration
Hosts can create a Global unicast IPv6 address by combining:• Its interface’s EUI-64 (based on MAC) address or random ID• Link Prefix (obtained via Router Advertisement)
Global Address = Link Prefix + EUI-64 address
Stateless AutoconfigurationUsually, the router sending the RA messages is
the default router
If the RA doesn’t carry a prefix• The hosts don’t configure (automatically) any global IPv6
address (but may configure the default gateway address)
RA messages contain two flags• Indicate what type of stateful autoconfiguration (if any)
should be performed
IPv6 addresses usually based on NIC MAC address• Though hosts can use Privacy Extensions (RFC4941)
• E.g. Vista uses random EUI-64 as default
Internet
Router Advertisement2001:690:1:1
Router SolicitationDest. FF02::2
FF02::2 (All routers)
1. Create the link local address
2. Do a Duplicate Address Detection
MAC address is 00:0E:0C:31:C8:1F
EUI-64 address is 20E:0CFF:FE31:C81F
FE80::20E:0CFF:FE31:C81F
3. Send Router Solicitation4. Create global address 5. Do a DAD 6. Set Default Router
2001:690:1:1::20E:0CFF:FE31:C81F
FE80::20F:23FF:FEF0:551A
FE80::20F:23FF:FEf0:551A ::/0
And the DNS Server Address ?!
Packets flowing
Dynamic Host Configuration Protocol for IPv6• Defined in RFC 3315 (2003)• Updated by RFC 4361, RFC 5494, RFC 6221, RFC 6422• Stateful counterpart to IPv6 Stateless Address
Autoconfiguration.
According to RFC 3315 DHCPv6 is used when:• No router is found• Or if Router Advertisement message enables use of DHCP
Using ManagedFlag and OtherConfigFlag
There is also ‘stateless DHCPv6’ (RFC3736)• Used by clients that already have an address• Based upon standard DHCPv6
Stateful AutoconfigurationDHCPv6
DHCPv6 works in a client / server model• Server
Responds to requests from clients Optionally provides the client with:
– IPv6 addresses – Other configuration parameters (DNS servers…)
Listens on the following multicast addresses:– All_DHCP_Relay_Agents_and_Servers (FF02::1:2)– All_DHCP_Servers (FF05::1:3)
Provides means for securing access control to network resources
Usually storing client’s state, though ‘stateless operation’ is also possible (the usual method used for IPv4 today)
Stateful AutoconfigurationDHCPv6 (2)
• Client Initiates requests on a link to obtain configuration
parameters Uses its link local address to connect the server Sends requests to FF02::1:2 multicast address
(All_DHCP_Relay_Agents_and_Servers)
• Relay agent A node that acts as an intermediary to deliver DHCP
messages between clients and servers On the same link as the client Listens on multicast address:
– All_DHCP_Relay_Agents_and_Servers (FF02::1:2)
Statefull AutoconfigurationDHCPv6 (3)
Internet
Reply-messageDNS 2001:690:5:0::10
Information-Request(DNS Server’s address?)
2. Host execute an DHCPv6 Client
3. Client will send an Information-Request
1. What’s the DNS servers’ Address
4. Server responds with a Reply Message
5. Host configures the DNS server
Example: in /etc/resolve.conf file
FF02::1:2 (All_DHCP_Relay_Agents_and_Servers)
DHCPv6 Server
Packets flowing
The two types of configuration are complementary
In dual-stack networks we can obtain IPv4 DNS server addresses from DHCPv4
DHCPv6 clients not shipped in all Operating Systems• Vista/Windows7 contains DHCPv6 client• Third party clients are availble for all Oses
E.g. Dibbler, ISC DHCP, Red Hat DHCPv6
Conclusion
Questions
71
