IPv6 Tutorial
http://www.usipv6.com
12/8/03

No Slide Title · (RFC950) NAT (RFC1631) CIDR, DHCP (RFC1519,1531) loss of E2E Architecture. 7 Registered IPv4 Address Allocation History 0.00% 20.00% 40.00% 60.00% 80.00% 100.00%


Instructors

Michael P. Brig
Senior Network Engineer
Email: [email protected]
703-882-2435

Brian McGehee
Native6, Inc.
Email: [email protected]
206-682-0275


Hotel


Agenda

1. Developing IPv6 08:30-10:15
break 10:15-10:30
2. Exploring IPv6 10:30-12:00
lunch 12:00-13:00
3. Integrating IPv6 13:00-14:30
break 14:30-14:45
4. Advanced IPv6 Topics 14:45-16:00
break 16:00-16:10
5. Deploying IPv6 16:10-17:00


1. Developing IPv6

• Background
• IPng requirements and competition
• Rationale for a new IP


Background

[Figure: timeline with a year axis running from 77 to 03. Labels on the timeline:]
• NCP, IPv4, IPv6, CLNS (GOSIP)
• DoD, Commerce Dept, ICANN
• Killer Application 1: Email
• Killer Application 2: Web
• Apps with potential: File Xfer, Chat, VOIP, Video, Gaming, Messaging
• ???
• Subnetting (RFC950)
• NAT (RFC1631)
• CIDR, DHCP (RFC1519, 1531)
• loss of E2E Architecture


Registered IPv4 Address Allocation History

[Figure: chart; vertical axis 0.00% to 100.00%, horizontal axis 1980 to 2010]


IPv4 Issues compound the Digital Divide

[Figure labels: NAT, Public IPv4 Internet, Private Intranet, DHCP, Server & Client, Client]


Restoring the E2E Architecture

NAT/PAT Breaks Peer-to-Peer

[Figure labels: IPv4 Internet, IPv6 Internet]

• Restores the “Promise” of Multimedia Collaboration
– IP Telephony for Enterprise, Mobile, and Residential
– IP Video Conferencing
– Instant Messaging
– Distributed Gaming
• “Always On” for everyone – no need to ration with IPv6.


IPv6 Narrows the Digital Divide

[Figure labels: Server & Client, Public IPv6 Internet]


IPv4 BGP Routing System


Triggers for IPng

• Class B address space exhaustion.
• IPv4 address space exhaustion in general.
• Routing table growth.


Technical Criteria for Choosing IPng

• Complete specification
• Architectural simplicity
• Scale
• Topological flexibility
• Performance
• Robust service
• Transition
• Media independence
• Datagram service
• Configuration ease
• Security
• Unique names
• Access to standards
• Multicast support
• Extensibility
• Service classes
• Mobility
• Control protocol
• Tunneling support


IPng Process and Competition

(RFC1550) IP: Next Generation (IPng) White Paper Solicitation
(RFC1726) Technical Criteria for Choosing IP The Next Generation (IPng)
(RFC1752) The Recommendation for the IP Next Generation Protocol
(RFC1883) Internet Protocol, Version 6 (IPv6) Specification
(RFC2460) Internet Protocol, Version 6 (IPv6) Specification

[Figure: IPng candidate proposals on a timeline, year axis 92 to 98. Proposal labels: Nimrod, CNAT, IPEncaps, Simple CLNP, TUBA (IPv9), IPAE, SIP (IPv6), PIP (IPv8), TP/IX (IPv7), SIPP, CATNIP, IPv5 = ??? ST protocol. RFC labels: RFC1550, RFC1726, RFC1752, RFC1883, RFC2460 (supersedes RFC 1883).]


Rationale for a new IP

The Internet must keep growing!

• Billions of new users (Japan, China, India,…)
• Multiple devices per user.
• Billions of new devices (mobile phones, cars, appliances, etc…)
• Always-on access (cable, xDSL, ethernet-to-the-home, etc…)
• Many applications are difficult, expensive, or impossible to operate through NATs.
• IPv6 is needed for the long-term health and viability of the Internet… routing, multihoming, mobility


Expect many years with IPv4/v6

[Figure: IPv4 and IPv6 status on a timeline, axis FY01 FY02 FY03 FY04 FY05 FY06 FY07 FY08 FY09 FY10. Phase labels, in order:]
• IPv4: Mandatory Standard; IPv6: Emerging Standard
• IPv4: Mandatory Standard; IPv6: Mandatory Standard
• IPv6: Mandatory Standard


2. Exploring IPv6

• The IPv6 spec and related RFCs
• Header format and optimizations
• ICMPv6
• Auto-configuration
• IPv6 address architecture and formats.
• Routing Protocols


Impacts to the TCP/IP Model

[Figure: TCP/IP model layers]
Application: FTP, HTTP, SMTP, NFS, DNS
Transport: TCP, UDP
Network: IPv6 & ICMPv6
Physical: ISDN, ATM, SDH, Eth., WDM

Core Specification


The IPv6 spec and related RFCs

• IETF Draft Standards
– RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
– RFC 2461: Neighbor Discovery for IP Version 6 (IPv6)
– RFC 2462: IPv6 Stateless Address Autoconfiguration
– RFC 2463: ICMPv6 Specification

• IETF Proposed Standards
– RFC 1981: Path MTU Discovery for IP version 6
– RFC 2028: RIPng for IPv6
– RFC 2401: Security Architecture for the Internet Protocol
– RFC 2428: FTP Extensions for IPv6 and NATs
– RFC 2452: IP Version 6 Management Information Base for the Transmission Control Protocol
– RFC 2454: IP Version 6 Management Information Base for the User Datagram Protocol
– RFC 2564: Transmission of IPv6 Packets over Ethernet Networks
– RFC 2565: Management Information Base for IP Version 6: Textual Conventions and General Group
– RFC 2566: Management Information Base for IP Version 6: ICMPv6 Group
– RFC 2567: Transmission of IPv6 Packets over FDDI Networks
– RFC 2470: Transmission of IPv6 Packets over Token Ring Networks
– RFC 2472: IP Version 6 over PPP
– RFC 2473: Generic Packet Tunneling in IPv6 Specification
– RFC 2491: IPv6 over Non-Broadcast Multiple Access (NBMA) networks
– RFC 2495: IPv6 over ATM Networks
– RFC 2547: Transmission of IPv6 Packets over ARCnet Networks
– RFC 2626: Reserved IPv6 Subnet Anycast Addresses
– RFC 2529: Transmission of IPv6 over IPv4 Domains without Explicit Tunnels
– RFC 2545: Use of BGP-4 Multiprotocol Extensions for IPv6 Inter-Domain Routing


The IPv6 spec and related RFCs

• IETF Proposed Standards (Continued)
– RFC 2590: Transmission of IPv6 Packets over Frame Relay Networks Specification
– RFC 2675: IPv6 Jumbograms
– RFC 2710: Multicast Listener Discovery (MLD) for IPv6
– RFC 2711: IPv6 Router Alert Option
– RFC 2734: Format for Literal IPv6 Addresses in URL's
– RFC 2740: OSPF for IPv6
– RFC 2893: Transition Mechanisms for IPv6 Hosts and Routers
– RFC 2894: Router Renumbering for IPv6
– RFC 3021: Privacy Extensions for Stateless Address Autoconfiguration in IPv6
– RFC 3056: Connection of IPv6 Domains via IPv4 Clouds
– RFC 3111: Service Location Protocol Modifications for IPv6
– RFC 3122: Extensions to IPv6 Neighbor Discovery for Inverse Discovery Specification
– RFC 3146: Transmission of IPv6 Packets over IEEE 1394 Networks
– RFC 3162: RADIUS and IPv6
– RFC 3175: Aggregation of RSVP for IPv4 and IPv6 Reservations
– RFC 3226: DNSSEC and IPv6 A6 aware server/resolver message size requirements
– RFC 3266: Support for IPv6 in Session Description Protocol (SDP)
– RFC 3306: Unicast-Prefix-based IPv6 Multicast Addresses
– RFC 3307: Allocation Guidelines for IPv6 Multicast Addresses
– RFC 3315: Dynamic Host Configuration Protocol for IPv6
– RFC 3484: Default Address Selection for Internet Protocol version 6 (IPv6)
– RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture
– RFC 3595: Textual Conventions for IPv6 Flow Label

• IETF Experimental RFCs
– RFC 2874: DNS Extensions to Support IPv6 Address Aggregation and Renumbering.
– RFC 2471: IPv6 Testing Address Allocation
– RFC 1888: OSI NSAPs and IPv6

• Many many Internet Drafts and Informational RFCs


IPv4 Header

[Header layout, 32 bits per row]
ver | IHL | TOS | Length
ID | Flgs | Frag Offset
TTL | Protocol | HDR Checksum
Source Address
Destination Address
Options | Padding

• Version – Indicates the format of the IP header. This field = 4 for IPv4
• Internet Header Length - The length of the internet header in 32 bit words, and thus points to the beginning of data.
• Type of Service - An indication of the abstract parameters of the quality of service desired for the packet.
• Length - The total length of the datagram, measured in octets, including internet header and data.
• Identification - A value assigned by the sender to aid in reassembling the fragments of a datagram.
• Flags – Various control flags.
• Frag Offset - Field indicating where in the datagram this fragment belongs. It is measured in units of 64 bits.
• Time to Live – Field indicating the maximum time the datagram is allowed to remain in the internet system.
• Protocol - Field indicating the next level protocol used in the data portion of the internet datagram.
• HDR Checksum - A checksum on the header only. Since some header fields are modified (e.g., time to live), this is recomputed and verified at each point that the internet header is processed.
• Source Address – 32 bit IPv4 source address.
• Destination Address – 32 bit IPv4 destination address.
• Options – A variable length grouping of zero or more option values.
• Padding - This variable length field ensures the internet header ends on a 32 bit boundary. The padding is zero.


IPv6 Header Streamlining

[Figure: IPv4 and IPv6 header layouts compared, 32 bits per row]

IPv4
ver | IHL | TOS | Length
Identification | Flgs | Fragment Offset
TTL | Protocol | Header Checksum
Source Address
Destination Address
Options | Padding

IPv6
ver | Traffic Class | Flow label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address

Legend:
• Fields retained/renamed from IPv4
• Fields deleted from IPv4
• New fields in IPv6


IPv6 Header

[Header layout, 32 bits per row]
ver | Traffic Class | Flow label
Payload Length | Next Header | Hop Limit
Source Address
Destination Address

• Version – 4-bit Internet Protocol version number = 6.
• Traffic Class - 8-bit traffic class field.
• Flow Label - 20-bit flow label.
• Payload Length - 16-bit unsigned integer. Length of the IPv6 payload, i.e., the rest of the packet following the IPv6 header, in octets.
• Next Header – 8-bit selector. Identifies the type of header immediately following the IPv6 header. Uses the same values as the IPv4 Protocol field [RFC-1700 et seq.].
• Hop Limit - 8-bit unsigned integer. Decremented by 1 by each node that forwards the packet. The packet is discarded if Hop Limit is decremented to zero.
• Source Address – 128-bit address of the originator of the packet.
• Destination Address – 128-bit address of the intended recipient of the packet (possibly not the ultimate recipient, if a Routing header is present).


Summary of Optimizations

• No hop-by-hop IP layer checksum.
• No broadcast… only multicast.
• No packet fragmentation.
• 64 bit alignment vs 32 bit alignment with IPv4.
• IPv6 minimum MTU of 1280 bytes up from 576 bytes with IPv4
• No header options… just chains of structured header extensions.


Extension Headers

[Packet layout]
Base IPv6 Header (40 bytes) | Any number of extension headers

[Extension header layout]
Next Header | Extension Header Length
Extension Header Data

• Processed only by node identified in IPv6 destination address field. Only exception is the Hop-by-Hop Options header
• Much lower overhead than IPv4 options
• Eliminated IPv4’s 40-octet limit on options.
– in IPv6, limit is total packet size, or Path MTU in some cases


Authentication Header (AH)

[Header layout, 32 bits per row]
Next Header | Payload Len | RESERVED
Security Parameter Index (SPI)
Sequence Number Field
Authentication Data (variable)

• AH provides connectionless integrity and data origin authentication for IP datagrams, and protection against replays.
• AH may be applied alone, in combination with the IP Encapsulating Security Payload, or in a nested fashion through the use of tunnel mode.
• Defined in IETF “Proposed Standard” RFC 2402
• A next header value of 51 indicates the next extension header is the AH.


Destination Options Header

[Header layout, 32 bits per row]
Next Header | HDR Ext Len | Options

• DOH carries optional information that need be examined only by a packet's destination node(s).
• Defined in IETF “Draft Standard” RFC 2460
• A next header value of 60 indicates the next extension header is the DOH.


Encapsulating Security Payload (ESP) Header

[Header layout, 32 bits per row]
Security Parameter Index (SPI)
Sequence Number Field
Payload Data (variable)
Padding (0-255 bytes)
Pad Length | Next Header
Authentication Data (variable)

• ESP is used to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service, and limited traffic flow confidentiality.
• ESP may be applied alone, in combination with the Authentication Header, or in a nested fashion, e.g., through the use of tunnel mode.
• Defined in IETF “Proposed Standard” RFC 2406
• A next header value of 50 indicates the next extension header is the ESP extension header.


Fragment Header

[Header layout, 32 bits per row]
Next Header | RESERVED | Fragment Offset | RES | M
Identification

• The FH is used by an IPv6 source to send a packet larger than would fit in the path MTU to its destination.
• Unlike IPv4, fragmentation in IPv6 is performed only by source nodes, not by routers along a packet's delivery path.
• Defined in IETF “Draft Standard” RFC 2460.
• A next header value of 44 indicates the next extension header is the FH.


Hop-by-Hop Options Header

[Header layout, 32 bits per row]
Next Header | HDR Ext Len | Options

• The HH is used to carry optional information that must be examined by every node along a packet's delivery path.
• Defined in IETF “Draft Standard” RFC 2460
• A next header value of 0 indicates the next extension header is the HH.


Routing Header

[Header layout, 32 bits per row]
Next Header | HDR Ext Len | Routing Type | Segment Left
Type Specific Data

• The RH is used by an IPv6 source to list one or more intermediate nodes to be "visited" on the way to a packet's destination.
• Defined in IETF “Draft Standard” RFC 2460
• A next header value of 43 indicates the next extension header is the RH.


Order of Extension Headers

• Header extensions should appear in the following order after the base IPv6 header:
– Hop-by-Hop Options header
– Destination Options header (*1)
– Routing header
– Fragment header
– Authentication header (RFC 1826)
– Encapsulating Security Payload header (RFC 1827) (*2)
– Destination Options header (*3)
– Upper-layer header

*1 for options to be processed by the first destination that appears in the IPv6 Destination Address field plus subsequent destinations listed in the Routing header.
*2 additional recommendations regarding the relative order of the Authentication and Encapsulating Security Payload headers are given in [RFC-2406].
*3 for options to be processed only by the final destination of the packet.
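The base header fields and the Next Header chaining from the preceding slides, as an added example that is not part of the original tutorial: this Python decodes the 40-byte base header, follows the extension header chain, and reports headers that are truncated or fall outside the recommended order. The sample packets and 2001:db8:: addresses are constructed, and the per-header length rules are taken from RFC 2460 and RFC 2402 rather than from the slides.

```python
import ipaddress
import struct

# Next Header values quoted on the slides.
HBH, ROUTING, FRAGMENT, ESP, AH, ICMPV6, DSTOPTS = 0, 43, 44, 50, 51, 58, 60
NAMES = {HBH: "Hop-by-Hop Options", ROUTING: "Routing", FRAGMENT: "Fragment",
         ESP: "ESP", AH: "AH", DSTOPTS: "Destination Options"}
# Slot of each header in the recommended order. Destination Options has two
# slots: before the Routing header (1) and just before the upper layer (6).
SLOTS = {HBH: (0,), DSTOPTS: (1, 6), ROUTING: (2,), FRAGMENT: (3,),
         AH: (4,), ESP: (5,)}


def parse_base_header(pkt: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header into its eight fields."""
    if len(pkt) < 40:
        raise ValueError("shorter than the 40-byte base header")
    word0, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word0 >> 28 != 6:
        raise ValueError("version field is not 6")
    return {
        "version": word0 >> 28,                  # 4 bits
        "traffic_class": (word0 >> 20) & 0xFF,   # 8 bits
        "flow_label": word0 & 0xFFFFF,           # 20 bits
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
    }


def walk_chain(pkt: bytes):
    """Follow the Next Header links.

    Returns (extension headers seen, upper-layer protocol or None, findings).
    """
    base = parse_base_header(pkt)
    end = min(len(pkt), 40 + base["payload_length"])
    nh, off, last_slot = base["next_header"], 40, -1
    seen, findings = [], []
    while nh in NAMES:
        name = NAMES[nh]
        seen.append(name)
        slot = next((s for s in SLOTS[nh] if s > last_slot), None)
        if slot is None:
            findings.append(f"{name} header repeated or out of recommended order")
        else:
            last_slot = slot
        if nh == ESP:
            return seen, None, findings      # the rest is encrypted payload
        if off + 8 > end:
            findings.append(f"{name} header truncated")
            return seen, None, findings
        if nh == FRAGMENT:
            length = 8                       # fixed size, no length field
        elif nh == AH:
            length = (pkt[off + 1] + 2) * 4  # AH counts 32-bit words, minus 2
        else:
            length = (pkt[off + 1] + 1) * 8  # 8-octet units, first 8 not counted
        if off + length > end:
            findings.append(f"{name} header length overruns the packet")
            return seen, None, findings
        nh, off = pkt[off], off + length
    return seen, nh, findings


def build_sample(chain, upper=ICMPV6) -> bytes:
    """Constructed test packet: minimal HBH / Destination Options / Fragment
    headers in the given order, followed by an ICMPv6 Echo Request."""
    types = list(chain) + [upper]
    body = b""
    for this, nxt in zip(types, types[1:]):
        if this == FRAGMENT:
            body += struct.pack("!BBHI", nxt, 0, 0, 0x1234)
        else:  # Next Header, Hdr Ext Len = 0, one PadN option filling 6 bytes
            body += bytes([nxt, 0, 1, 4, 0, 0, 0, 0])
    body += struct.pack("!BBHHH", 128, 0, 0, 1, 1)  # type 128, checksum left 0
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(body), types[0], 64) + src + dst + body


if __name__ == "__main__":
    for chain in ([HBH, DSTOPTS, FRAGMENT], [FRAGMENT, HBH]):
        print(walk_chain(build_sample(chain)))
```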


Internet Control Message Protocol v6 (ICMPv6)

[Packet layout: IPv6 base header followed by the ICMPv6 packet]
ICMPv6 Type | ICMPv6 Code | Checksum
ICMPv6 Data

• ICMPv6 is used to report errors encountered in processing packets, and to perform other internet-layer functions, such as diagnostics.
• Two kinds of messages
– Error
– Informational
• Next header value of 58


ICMP Messages

Description              ICMP Type (RFC792)   ICMPv6 Type (RFC2463,2461)
Destination unreachable  3                    1
Source Quench            4                    -
Packet too big           -                    2
Time Exceeded            11                   3
Parameter Problem        12                   4
Time stamp               13                   -
Timestamp Reply          14                   -
Information Request      15                   -
Information Reply        16                   -
Echo Request             8                    128
Echo Reply               0                    129
Router Advertisement     -                    134
Neighbor Solicitation    -                    135
Neighbor Advertisement   -                    136
Router Redirect          5                    137

Legend:
• ICMP messages common to both IPv4 and IPv6.
• ICMP messages specific to IPv4.
• ICMP messages specific to IPv6.


Router Advertisement

ICMP Type = 134 (RA)
Src = Router Link-local Address
Dst = All-nodes multicast address (FF02::2)
Data = options, prefix, lifetime, autoconfig flag

• Routers send periodic Router Advertisements (RA) to the all-nodes multicast address.
• Hosts may also request with a router solicitation message.


Path MTU Discovery

[Figure: path from Source to Destination; link labels MTU = 1500, MTU = 1500, MTU = 1300, MTU = 1400. Message sequence:]
Packet with MTU=1500
ICMP error: packet too big. Use MTU = 1400
Packet with MTU=1400
ICMP error: packet too big. Use MTU = 1300
Packet with MTU=1300
Packet received
Path MTU = 1300


Neighbor Discovery

[Figure: hosts A and B on one link]

ICMP type = 135 (NS)
Src = A
Dst = Solicited-node multicast of B
Data = link-layer address of A
Query = what is your link level address?

ICMP type = 136 (NA)
Src = B
Dst = A
Data = link-layer address of B

A and B can now exchange packets on this link

• Solicited Node Multicast is prefix: ff02:0:0:0:0:1:ff00/104 + the low order 24 bits of the IPv6 address.
• All hosts listen to their SNM Address.


Duplicate Address Detection

[Figure: hosts A and B on one link]

ICMP type = 135 (NS)
Src = ::
Dst = Solicited-node multicast of A
Data = link-layer address of A
Query = what is your link local address?

• Duplicate Address Detection (DAD) uses neighbor solicitation to verify the uniqueness of an IPv6 address before an interface configures an address.
• All addresses are verified before use.


Router Redirect

[Figure labels: hosts A and B, routers R1 and R2, network 3FFE:B00:C18:2::/64]

Packet:
Src = A
Dst IP = 3FFE:B00:C18:2::1
Dst Ethernet = R2 (default router)

Redirect:
Src = R2
Dst = A
Data = good router = R1

• Redirect is used by a router to signal the re-route of a packet to a better router.


Host Auto-Configuration

[Figure labels: RA Indicates Site/Subnet PREFIX; SUBNET PREFIX + MAC ADDRESS; Site/Subnet PREFIX + MAC ADDRESS. Legend: Link-Local, Site-Local, Global]

• IETF “Draft Standard” RFC2462
– Host autonomously configures its own Link-Local address.
– Router solicitation is sent by host requesting RA for configuring the global address of its interface.
– Host performs Duplicate Address Detection (DAD).
• Host Renumbering
– Host renumbering is done by modifying the RA to announce the old prefix with a shorter lifetime than the new prefix.


IPv6 Address Representations

• Preferred Form
• Compressed Form
• Mixed Forms


Preferred Form

x:x:x:x:x:x:x:x

• 'x's are the hexadecimal values of the eight 16-bit pieces of the address.

• It is not necessary to place leading zeros in a field.

• Examples:

FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
1080:0:0:0:8:800:200C:417A


Compressed Form

x:x::x:x

• The use of "::" indicates one or more groups of 16 bits of zeros.

• The "::" can only appear once in an address.

• Examples:

1080:0:0:0:8:800:200C:417A = 1080::8:800:200C:417A
0:0:0:0:0:0:0:1 = ::1


Mixed Form

x:x:x:x:x:x:d.d.d.d

• ‘x’s are the hexadecimal values of the six high-order 16-bit pieces of the address.

• ‘d’s are the decimal values of the four low-order 8-bit pieces of the address (standard IPv4 representation).

• Examples:

0:0:0:0:0:0:13.1.68.3
0:0:0:0:0:FFFF:129.144.52.38


IPv6 Address Types

• Unicast (One to One)

• Multicast (One to Many)

• Anycast (One to Nearest)


Unicast Addresses

• IPv6 unicast addresses identify interfaces and sub-interfaces.

• An interface may be assigned one or more IPv6 unicast addresses. This is also true for IPv6 multicast and anycast addresses.

• An IPv6 unicast address on any interface of a node may be used to identify that node.


Unspecified and Loopback Addresses

• Unspecified Address 00…00 (::)
– Indicates the absence of permanent IPv6 address; therefore, must never be permanently assigned to any interface of a host.
– Typically used during the initialization phase of auto-configuration.

The unspecified address must not be used as the destination address of IPv6 packets or in IPv6 Routing Headers. An IPv6 packet with an unspecified source address must never be forwarded by an IPv6 router.

• Loopback Address 00…01 (::1)
– Used by a host to send an IPv6 packet to itself.
– Is considered a “logical” interface; therefore, must never be assigned to any physical interface or sub-interface.

The loopback address must not be used as the source address in IPv6 packets that are sent outside of a single host. An IPv6 packet with a destination address of loopback must never be sent outside of a single host and must never be forwarded by an IPv6 router. A packet received on an interface with destination address of loopback must be dropped.


Link-Local and Site-Local Addresses

• Link-Local IPv6 Addresses (FE80…)
– Used for automatic address configuration, neighbor discovery, or when no routers are present.
– Routers must not forward any packets with link-local source or destination addresses to other links.

Link-local layout: 1111111010 (10 bits) | 00000000000000 (54 bits) | interface ID (64 bits)

• Site-Local IPv6 Addresses (FE8C…)
– Used for addressing inside of a site without the need for a global prefix. Although a subnet ID may be up to 54-bits long, it is expected that globally-connected sites will use the same 16-bit subnet IDs for site-local and global prefixes.
– Routers must not forward any packets with site-local source or destination addresses outside of the site.

Site-local layout: 1111111011 (10 bits) | subnet ID (54 bits) | interface ID (64 bits)


Global Unicast Addresses

• Global Unicast Addresses
– The global routing prefix is a (typically hierarchically-structured) value assigned to a site.
– The subnet ID is an identifier of a link within the site.
– Global unicast addresses starting with binary 000 have no constraint on the size or structure of the interface ID field. Those not starting with binary 000 have a 64-bit interface ID field which is constructed in modified EUI-64 format.

Layout: Global Routing Prefix (n bits) | subnet ID (m bits) | interface ID (128–m–n bits)


IPv4 Addr within IPv6 Addr

• IPv4-compatible IPv6 Addresses

– A coexistence mechanism for hosts and routers to dynamically tunnel IPv6 packets over IPv4 routing infrastructure.

– The IPv4 address must be globally unique.

• IPv4-mapped IPv6 Addresses

– This address type is used to represent the address of an IPv4 node as an IPv6 address.

– The IPv4 address must be globally unique.

IPv4-compatible layout: 00000000000000000000 (80 bits) | 0000 (16 bits) | IPv4 Address (32 bits)

IPv4-mapped layout: 00000000000000000000 (80 bits) | FFFF (16 bits) | IPv4 Address (32 bits)


Interface IDs

• Administratively assigned
• Randomly assigned
• Auto-Configured


IEEE 802 Addresses

Layout (24 bits | 24 bits):
ccccccug cccccccc cccccccc | xxxxxxxx xxxxxxxx xxxxxxxx

• The first 24 bits are the IEEE assigned manufacturer ID.
• The last 24 bits are the Board ID assigned by the manufacturer.
• Universal/Local bit (U/L)
– Determines if the address is globally or locally administered. When set to 0, the IEEE designates a unique company ID. When set to 1, the address is assigned by local administration.
• Individual/Group (I/G)
– Determines if the address is a unicast or multicast address. When set to 0, it is a unicast address. When set to 1, it is a multicast address.


Modified EUI-64 Identifier

IEEE 802 address (24 bits + 24 bits):
ccccccug cccccccc cccccccc xxxxxxxx xxxxxxxx xxxxxxxx

Step 1. Insert FFFE (11111111 11111110) between the two 24-bit halves to form the EUI-64 address (64 bits):
ccccccug cccccccc cccccccc 11111111 11111110 xxxxxxxx xxxxxxxx xxxxxxxx

Step 2. Complement the U/L bit of the EUI-64 address to obtain the IPv6 Interface ID (64 bits).
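The two steps above in Python, together with the reverse mapping: because the derivation is reversible, an auto-configured interface ID seen in a log identifies the network card, which is one reason the "Randomly assigned" option exists. This is an added example, not part of the original slides; the function names, the sample MAC address and the use of the FE80::/64 link-local prefix are assumptions made for illustration.

```python
import ipaddress
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Parse a 48-bit IEEE 802 address written with ':' or '-' separators."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit IEEE 802 address: {mac!r}")
    return octets


def mac_bits(mac: str) -> dict:
    """Decode the 'u' and 'g' bits of the first octet (ccccccug)."""
    first = parse_mac(mac)[0]
    return {
        "locally_administered": bool(first & 0x02),  # U/L bit set to 1
        "group": bool(first & 0x01),                 # I/G bit set to 1
    }


def mac_to_interface_id(mac: str) -> bytes:
    """IEEE 802 address -> 64-bit modified EUI-64 interface ID."""
    octets = parse_mac(mac)
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]   # Step 1: insert FFFE
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]     # Step 2: complement U/L


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Combine the FE80::/64 prefix with the derived interface ID."""
    prefix = bytes.fromhex("fe80000000000000")
    return ipaddress.IPv6Address(prefix + mac_to_interface_id(mac))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the IEEE 802 address from an address whose interface ID was
    built as above (FFFE in the middle); return None for any other ID."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{octet:02x}" for octet in mac)


if __name__ == "__main__":
    sample_mac = "00:0c:29:12:34:56"            # constructed sample value
    print(link_local_from_mac(sample_mac))
    # Constructed sample addresses as they might appear in a log.
    for seen in ("2001:db8:1:2:20c:29ff:fe12:3456", "2001:db8:1:2::1"):
        print(seen, "->", mac_from_address(seen))
```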


IPv6 Anycast Addresses

• A packet sent to an anycast address is routed to the "nearest" interface having that address.
• Assigned from the unicast address space.
• Subnet Router anycast address (only currently required)
• There is little operational experience with anycast addresses
  – An anycast address must not be used as the source address of an IPv6 packet.
  – An anycast address must not be assigned to an IPv6 host, that is, it may be assigned to an IPv6 router only.

Subnet Router anycast address layout:
Subnet ID (n bits) | 00000000000000000000 (128-n bits)


Multicast IPv6 Addresses

11111111 (8 bits) | flgs (4 bits) | scop (4 bits) | Group ID (112 bits)

• An identifier for a group of interfaces (typically on different nodes).
• An interface may belong to any number of multicast groups.
• Flags [000T]
  – The high-order 3 flags are reserved, and must currently be initialized to 0s.
  – T = 0; a permanently-assigned multicast address assigned by IANA.
  – T = 1; indicates a transient multicast address.
• Scope – [xxxx]
  – 0 reserved
  – 1 interface-local scope
  – 2 link-local scope
  – 3 reserved
  – 4 admin-local scope
  – 5 site-local scope
  – 6 (unassigned)
  – 7 (unassigned)
  – 8 organization-local scope
  – 9 (unassigned)
  – A (unassigned)
  – B (unassigned)
  – C (unassigned)
  – D (unassigned)
  – E global scope
  – F reserved
  – "unassigned" scopes are available for administrators to define additional multicast regions.


Reserved Multicast Addresses

Address              Meaning          Scope
FF01::1              All Nodes        Node-local (loopback)
FF02::1              All Nodes        Link-local
FF01::2              All Routers      Node-local
FF02::2              All Routers      Link-local
FF05::2              All Routers      Site-local
FF02::1:FFXX:XXXX    Solicited-Node   Link-local

• These multicast addresses are reserved and shall never be assigned to any multicast group.
  – FF00:0:0:0:0:0:0:0 through FF0F:0:0:0:0:0:0:0


A Host Must Recognize

• Link-Local Addresses for each of the host's interfaces.
• Any additional Unicast and Anycast Addresses that have been configured for the host's interfaces (manually or automatically).
• The loopback address.
• The All-Nodes Multicast Addresses.
• The Solicited-Node Multicast Address for each of the host's unicast and anycast addresses.
• Multicast Addresses of all other groups to which the host belongs.
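The multicast address format, the reserved-address table and the list of groups a host must recognize, worked through in Python as an added example that is not part of the original slides. The function names and sample addresses are assumptions; the solicited-node group is formed from the low-order 24 bits of the unicast address, which is what the XX:XXXX in FF02::1:FFXX:XXXX stands for.

```python
import ipaddress

# Scope values as listed on the multicast address slide; anything else is
# reported as "unassigned".
SCOPES = {
    0x0: "reserved", 0x1: "interface-local", 0x2: "link-local",
    0x3: "reserved", 0x4: "admin-local", 0x5: "site-local",
    0x8: "organization-local", 0xE: "global", 0xF: "reserved",
}


def parse_multicast(addr: str) -> dict:
    """Split an IPv6 multicast address into flags, scope and group ID."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[0] != 0xFF:                      # first 8 bits must be 11111111
        raise ValueError(f"{addr} is not a multicast address")
    flags = packed[1] >> 4                     # flgs, written [000T]
    scope = packed[1] & 0x0F                   # scop
    group_id = int.from_bytes(packed[2:], "big")
    return {
        "transient": bool(flags & 0x1),        # T = 1
        "reserved_flags_clear": flags & 0xE == 0,
        "scope": SCOPES.get(scope, "unassigned"),
        "group_id": group_id,
        # FF00:: through FF0F:: shall never be assigned to a group.
        "never_assignable": flags == 0 and group_id == 0,
    }


def solicited_node(unicast: str) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX for a unicast or anycast address."""
    low24 = ipaddress.IPv6Address(unicast).packed[-3:]
    base = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:-3]
    return ipaddress.IPv6Address(base + low24)


def groups_host_must_recognize(unicast_addrs) -> list:
    """All-Nodes groups plus one solicited-node group per configured address."""
    groups = {ipaddress.IPv6Address("ff01::1"), ipaddress.IPv6Address("ff02::1")}
    groups.update(solicited_node(addr) for addr in unicast_addrs)
    return sorted(groups)


if __name__ == "__main__":
    # Constructed sample addresses for one interface.
    configured = ["fe80::20c:29ff:fe12:3456", "2001:db8:1:2:20c:29ff:fe12:3456"]
    for group in groups_host_must_recognize(configured):
        print(group, parse_multicast(str(group))["scope"])
```

Comparing this baseline with the groups an interface has actually joined is a quick way to spot unexpected group membership on a host.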


A Router Must Recognize

• All addresses that a host is required to recognize plus:
• The Subnet-Router Anycast Addresses for all interfaces for which it is configured to act as a router.
• All other Anycast Addresses with which the router has been configured.
• The All-Routers Multicast Addresses.


Routing Protocols

• As with IPv4, IPv6 has 2 families of routing protocols: IGP and EGP.
• IPv6 still uses the longest-prefix match routing algorithm.
• EGP: MP-BGP4
• IGP
  – RIPng
  – OSPFv3
  – Integrated IS-IS


MP-BGP4

• IETF “Proposed Standard” RFC 2858 defines BGP4 extensions to enable it to carry routing information for multiple Network Layer protocols (e.g., IPv6, IPX, etc...).

• IETF “Proposed Standard” RFC 2545 defines MP-BGP4 extension attributes for IPv6 Inter-domain Routing.

• MP-BGP4 routes are configurable.
  – IPv4 routes only.
  – IPv6 routes only.
  – Both IPv4 and IPv6 routes.
• MP-BGP4 transport is configurable over IPv4 or IPv6.


RIPng

• IETF “Proposed Standard” RFC 2080 describes the minimum changes to the Routing Information Protocol (RIP), as specified in RFC 1058 and RFC 1723, necessary for operation with IPv6.

• Based on RIPv2 with IPv6 specific updates
  – IPv6 prefix, next-hop IPv6 address
  – Uses the multicast group FF02::9, the all-rip-routers multicast group, as the destination address for RIP updates.
  – Uses IPv6 for transport
• RIPng routes are IPv6 only.
• RIPng transport is over IPv6 only.


OSPFv3

• IETF “Proposed Standard” RFC 2740 describes the modifications to OSPF to support IPv6.
• Based on OSPFv2 with IPv6 updates
• OSPFv3 routes are IPv6 only.
• OSPFv3 transport is over IPv6 only.


Integrated ISIS

• IETF Internet Draft-ietf-isis-ipv6-05 describes the changes to ISIS necessary for operation with IPv6.

• Integrated ISIS routes are configurable.
  – IPv4 routes only.
  – IPv6 routes only.
  – OSI routes only.
  – IPv4, IPv6, and OSI routes or combinations.

• Integrated ISIS transport is configurable over IPv4, IPv6, or OSI.


3. Integrating IPv6

• DNS
• Applications
• Coexistence mechanisms


Domain Name System (DNS)

• DNS is critical to the success of the IPv6 transition!

• IETF “Draft Standards” RFC 3596
  – New AAAA resource record for IPv6
  – Common forward DNS lookup tree for IPv4 and IPv6.
    • Roots of forward tree may or may not be the same.
  – A resource record retained for IPv4
  – Reverse lookup tree in-addr.arpa retained for IPv4.
• IETF “Best Current Practice” RFC 3152
  – New reverse lookup tree ip6.arpa for IPv6.
• IETF “Experimental” RFC 2874 (Deprecated)
  – A6 resource records.


Domain Name System (DNS)

• Most DNS Server implementations, such as BIND, have support for IPv6 resource records and can respond to forward and reverse DNS queries over IPv6.

• Many DNS Client implementations can perform forward and reverse IPv6 queries and transport these queries over IPv6.


Applications

[Figure: protocol stacks of an “Old” Application and a “New” Application. Each stack shows the application over TCP/UDP, over IPv4 and IPv6, over Data Link (Ethernet), with EtherType 0x0800 for IPv4 and 0x86dd for IPv6.]

• Dual stack node means:
  – Both IPv4 and IPv6 stacks enabled and applications talk to both.
  – Choice of the IP version in use is based upon name lookup and application preference.


Components of Applications Impacted by IPv6 Porting

• Data structures.
• New network function calls
• Hard-coded IPv4 addresses
• Some user interfaces
• Some underlying protocols such as RPC.
• New decision logic/code must be added.


Coexistence Mechanisms

• Dual Stack (Dual IP)
  – Complete support for both Internet protocols, IPv4 and IPv6, in hosts and routers.
  – Most preferred mechanism.
• Tunneling Techniques
  – The encapsulation of packets of one IP version number within packets of a second IP version number in order to traverse clouds of the second IP version number.
• Translation Techniques
  – Enables IPv6-only devices to communicate with IPv4-only devices and vice versa.
  – Least desirable set of mechanisms.


Tunneling Techniques

• 6over4
• ISATAP
• 6to4
• Configured Tunnels
• DSTM
• Teredo
• Tunnel Broker
• BGP Tunnel


6over4

• Mechanism to automatically interconnect IPv6 hosts over an IPv4 multicast enabled network.

• Defined in IETF “Proposed Standard” RFC 2893
• IPv4 multicast emulates the layer 2 functionality of IEEE 802 networks for IPv6 ND and RS/RA.
• The local IPv4 network appears as a single IPv6 subnet.
• Once IPv6 neighbours are known, hosts automatically tunnel IPv6 to each other through the IPv4 network.
• Not widely deployed due to the lack of IPv4 multicast enabled networks.
• Does not solve the problem of connecting hosts to the global IPv6 Internet.
• Utilizes IPv4-compatible IPv6 addresses

00000000000000000000 (80 bits) | 0000 (16 bits) | IPv4 Address (32 bits)


6over4

[Figure labels: IPv4/v6 hosts; IPv4 Internet; IPv4 multicast enabled network; IPv6 within IPv4 tunnels]


6to4

• Mechanism to automatically interconnect IPv6 sites via an IPv4 transport network.

• Defined in IETF “Proposed Standard” RFC 3056
• 48 bit IPv6 site prefix is built using the 6to4 gateway router's public IPv4 address.
• 6to4 gateway routers initiate a tunnel to the IPv4 address of the 6to4 relay router on the public Internet. The 6to4 relay router responds by building a reverse tunnel with the information provided.

2002 (16 bits) | IPv4 Address (32 bits) | subnet ID (16 bits) | interface ID (64 bits)


6to4

[Figure labels: IPv6 Internet; IPv4 Internet; 6to4 gateway routers; 6to4 relay router; IPv6 within IPv4 tunnels]


ISATAP

• Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)

• Mechanism to automatically interconnect IPv6 hosts over an IPv4 network.

• Defined in Internet Draft draft-ietf-ngtrans-isatap-16
• The local IPv4 network appears as a single IPv6 subnet.
• IPv6 hosts can communicate by tunneling IPv6 packets to the IPv4 address in the IPv6 address suffix.
• Can utilize public or private IPv4 addresses.
  – When a public IPv4 address, 00025EFE.
  – When a private IPv4 address, 00005EFE.

Subnet Prefix (64 bits) | 000[0/2]5EFE (32 bits) | IPv4 address (32 bits)
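The 6to4 and ISATAP layouts, like the IPv4-compatible and IPv4-mapped forms, carry an IPv4 address inside the IPv6 address, so an address seen in a log can be mapped back to the IPv4 endpoint behind it. The sketch below is an added example, not part of the original slides; the function names and sample addresses are assumptions, and the ISATAP match uses the interface identifiers 0000:5EFE and 0200:5EFE from the later published specification (RFC 5214).

```python
import ipaddress
from typing import Optional, Tuple

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
V4_MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")
V4_COMPATIBLE = ipaddress.IPv6Network("::/96")
# First 32 bits of an ISATAP interface ID (assumption: RFC 5214 values).
ISATAP_IID_PREFIXES = (bytes.fromhex("00005efe"), bytes.fromhex("02005efe"))


def six_to_four_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """Build the 48-bit site prefix 2002:<IPv4 address>::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def embedded_ipv4(addr: str) -> Optional[Tuple[str, str]]:
    """Return (mechanism, IPv4 address) if addr embeds an IPv4 address."""
    ip = ipaddress.IPv6Address(addr)
    packed = ip.packed
    if ip in SIX_TO_FOUR:                       # 2002 | IPv4 | subnet | IID
        return "6to4", str(ipaddress.IPv4Address(packed[2:6]))
    if ip in V4_MAPPED:                         # 80 zero bits | FFFF | IPv4
        return "ipv4-mapped", str(ipaddress.IPv4Address(packed[12:]))
    if ip in V4_COMPATIBLE and int(ip) > 1:     # skip :: and ::1
        return "ipv4-compatible", str(ipaddress.IPv4Address(packed[12:]))
    if packed[8:12] in ISATAP_IID_PREFIXES:     # prefix | ..5EFE | IPv4
        return "isatap", str(ipaddress.IPv4Address(packed[12:]))
    return None


def correlate(addresses) -> dict:
    """Map each address that embeds an IPv4 address to its decoding."""
    found = {}
    for addr in addresses:
        hit = embedded_ipv4(addr)
        if hit is not None:
            found[addr] = hit
    return found


if __name__ == "__main__":
    # Constructed sample source addresses, as they might appear in a log.
    seen = [
        "2002:c000:201:1::1",
        "fe80::5efe:c000:221",
        "2001:db8::200:5efe:c633:6407",
        "::ffff:192.0.2.33",
        "2001:db8::1",
    ]
    for addr, (mechanism, ipv4) in correlate(seen).items():
        print(f"{addr:32} {mechanism:16} {ipv4}")
```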


ISATAP

[Figure labels: IPv6 Internet; IPv4/v6 hosts; IPv4 Internet; IPv4/v6 ISATAP router; IPv6 within IPv4 tunnels; IPv4 network]


Configured Tunnels

• Mechanism to interconnect IPv6 sites over an IPv4 transport network.

• Defined in IETF “Proposed Standard” RFC 2893
• Tunnels are manually configured on each device with a tunnel endpoint.
• Configuration is static and therefore cannot change dynamically as the network needs and routing change.

• Utilized extensively by the 6bone.


Configured Tunnels

[Figure labels: IPv6 Internet; IPv4 Internet; static IPv6 in IPv4 tunnels; IPv4 network]


DSTM

• Dual Stack Transition Mechanism (DSTM)
• Mechanism that utilizes IPv4-over-IPv6 tunnels to carry IPv4 traffic within an IPv6 dominant network
• Defined in IETF ID draft-bound-dstm-exp-00
• Provides a method to allocate a temporary IPv4 address to Dual IP Layer IPv6/IPv4 capable nodes.
• Intended to reduce the need for IPv4 NAT for certain early IPv6 adopters.
• Utilizes IPv4-mapped IPv6 addresses.

00000000000000000000 (80 bits) | FFFF (16 bits) | IPv4 Address (32 bits)


DSTM

[Figure labels: IPv4 Internet; IPv4/v6 hosts; DSTM border router; IPv4 in IPv6 tunnel; A; IPv4 host; IPv6 dominant network; DHCPv6 server; B]


Teredo

• Mechanism to automatically interconnect IPv6 hosts over an IPv4 network with NAT.

• AKA IPv4 NAT traversal for IPv6.
• Defined in Internet Draft draft-huitema-v6ops-teredo-00.
• Utilizes IPv6/UDP/IPv4 tunneling.

Teredo Prefix (32 bits) | T Server IPv4 Address (32 bits) | Flags (16 bits) | Obs. Ext. port (16 bits) | Obs. Ext. IPv4 Address (32 bits)


Teredo

[Figure labels: IPv4 Internet; IPv6 Internet; Teredo Relay (two); Teredo Server; Teredo Client (two); IPv4/v6 hosts]


Tunnel Broker

• Mechanism to automatically interconnect IPv6 hosts and small sites over an IPv4 network.

• Allows intuitive web based setup of configured tunnels.

• IETF “Informational” RFC 3053.
• A Tunnel Broker is a server that a user connects with to register and activate tunnels. It manages tunnel creation, modification and deletion on one or more dual-stacked tunnel servers on the behalf of the user.


Tunnel Broker

[Figure labels: Tunnel Broker; IPv4 Internet; IPv6 Internet; IPv4/v6 host; Tunnel Servers]


BGP Tunnel

• Mechanism to interconnect IPv6 sites over an IPv4 transport network.

• IETF Internet Draft draft-ooms-v6ops-bgp-tunnel-00
• A dual stack multi-protocol BGP edge router is required per IPv6 island.
• MP-BGP information is utilized to configure tunnel endpoints.
• Two approaches
  – MP-BGP over IPv4, relies on identification of MP-BGP-speaking edge routers by their IPv4 address and uses a trivial tunneling mechanism without any explicit tunnel configuration.
  – MP-BGP over IPv6 relies on existing ngtrans tunneling mechanisms to tunnel packets.


BGP Tunnel

[Figure labels: IPv6 Internet; IPv4 Internet; Dual stacked MP BGP speaking routers; IPv4 network]


Translation Techniques

• SIIT
• BIA
• BIS
• SOCKS
• TRT
• NAT-PT


Stateless IP/ICMP Translation Algorithm (SIIT)

• Mechanism defining IPv4 to IPv6 header conversion and vice versa.

• Mechanism also defines ICMP to ICMPv6 header conversion and vice versa.

• Defined in IETF “Proposed Standard” RFC 2765.
• SIIT neither specifies address assignment nor routing to and from the IPv6 hosts when they communicate with the IPv4-only hosts.


Bump in the API (BIA)

• Mechanism allows dual stacked hosts to communicate with other IPv6 hosts using existing IPv4 applications.

• Defined in IETF “Informational” RFC 3338
• BIA utilizes an API SW translator which is inserted between the TCP/IP module and network card driver.
• API translator relies on a SIIT based IP conversion mechanism.
• BIA's implementation is also dependent upon the network interface driver.


BIA

[Figure labels: IPv4 Applications; Socket API (IPv4, IPv6); API Translator (name resolver, address mapper, function mapper); TCP(UDP)/IPv4; TCP(UDP)/IPv6; Network card drivers; Network cards; IPv4 Internet; IPv6 Internet]


Bump in the Stack (BIS)

• Mechanism allows dual stacked hosts to communicate with other IPv6 hosts using existing IPv4 applications.

• Defined in IETF “Informational” RFC 2767
• BIS utilizes a SW translation module inserted between the TCP/IPv4 stack and network card driver.
• SW translation module relies on a SIIT based IP conversion mechanism.


BIS

[Figure labels: IPv4 Applications; TCP/IPv4; extension name resolver; address mapper; translator; IPv6; Network card drivers; Network cards; IPv4 Internet; IPv6 Internet]


SOCKS

• Mechanism relays two "terminated" IPv4 and IPv6 connections at an application layer gateway.

• Defined in IETF “Informational” RFC 3089.
• Based upon the SOCKSv5 protocol.
• SOCKS requires modification to some hosts.
• SOCKS does not utilize SIIT.


SOCKS

[Figure labels: Client (Application; SOCKS Library; Socket DNS; TCP/IPv4; Network IF); SOCKS Application Layer Gateway (Socket DNS; TCP/IPv4; TCP/IPv6; Network IF); Destination (Application; Socket DNS; TCP/IPv6; Network IF); IPv4 Internet; IPv6 Internet]


Transport Relay Translator (TRT)

• A TRT system, which is located between IPv6-only and IPv4-only hosts, translates TCP/IPv6 to TCP/IPv4 or UDP/IPv6 to UDP/IPv4, and vice versa.

• Defined in IETF “Informational” RFC 3142.
• TRT is designed to require no extra modification on hosts.
• TRT is a stateful translation method and does not utilize SIIT.
• Supports bi-directional traffic only.


TRT

[Figure labels: TRT (TCP/IPv4; TCP/IPv6; Network IF); Application; Socket DNS; TCP/IPv6; Network IF; IPv4 Internet; IPv6 Internet]


Network Address Translation – Protocol Translator (NAT-PT)

• This mechanism provides transparent routing to and from the IPv4 and IPv6 realms as well as translation. This is achieved using a combination of Network Address Translation and Protocol Translation.
• Defined in IETF “Proposed Standard” RFC 2766.
• Utilizes a SIIT based IP conversion mechanism.
• Uses a pool of globally unique IPv4 addresses for assignment to IPv6 nodes on a dynamic basis as sessions are initiated.
• Suffers from similar shortcomings as IPv4 NAT.


NAT-PT

[Figure labels: NAT-PT (TCP/IPv4; TCP/IPv6; Network IF); Application; Socket DNS; TCP/IPv6; Network IF; IPv4 Internet; IPv6 Internet]


Advanced IPv6 Topics

• Mobility
• Quality of Service
• Security and IPsec


IPv6 Mobility Introduction

• What is IPv6 mobility?
  – Allows mobile computers (nodes) the ability to maintain transport and upper-layer connections while the mobile node changes its location, connectivity to a network, and layer 3 address.


IPv6 Mobility Terminology

– Home Agent - a router on a mobile node's home network that maintains information about the device's current location

– Home Address – An IP address assigned to a mobile node within its home link.

– Home network (link) – The link on which a mobile node's home subnet prefix is defined, providing for IP routing.


IPv6 Mobility Terminology

– Mobile node – A node that can change its point of attachment from one link to another, while still being reachable via its home address.

– Movement – A change in a mobile node’s point of attachment to the Internet such that it is no longer connected to the same link as it was previously.


IPv6 Mobility Terminology

– Correspondent node – A peer node with which a mobile node is communicating. The correspondent node may be either mobile or stationary.


IPv6 Mobility Terminology

• Foreign link - Any link other than the mobile node’s home link

• Foreign agent - A router serving as a mobility agent for a mobile node


IPv6 Mobility Terminology

• Care-of address – An IP address associated with a mobile node while visiting a foreign link.

• Among the multiple care-of addresses that a mobile node may have at a time, the one registered with the mobile node’s home agent is called its “primary” care-of address.


IPv6 Mobility Introduction

The role of Mobile IP in current wireless networks:

Source: Martin Dunmore, Mobile IPv6 Activities at Lancaster University


IPv6 Mobility Introduction

The role of Mobile IP in current wireless networks:

[Figure labels: MOBILE IP; GSM; WCDMA; CDMA; WIFI/L2; GPRS CN (GTP); CDMA2000; IP Network Core]

Source: Karim El Malki, IPv6 mobility presentation, June 2003, San Diego


IPv6 Mobility Introduction

• Mobility in IPv4
  – 1. MN discovers Foreign Agent (FA)
  – 2. MN obtains COA (FA - Care Of Address)
  – 3. MN registers with FA which relays registration to HA
  – 4. HA tunnels packets from CN to MN through FA
  – 5. FA forwards packets from MN to CN or reverse tunnels through HA (RFC 3024)


IPv6 Mobility Introduction

• How IPv6 Mobility varies from today’s IPv4 mobile model
  – No Foreign Agents
  – Use IPv6 auto-config
  – No Triangle routing
  – Mobile node can route directly to a Corresponding node (and vice versa)


IPv6 Mobility Introduction

• Mobile IPv6 allows a mobile node to move from one link to another without changing the mobile node’s IP address

• A mobile node is always addressable by its “Home Address”
• A home address is assigned to a mobile node from its home subnet prefix on its home link

• Packets will be routed to the mobile node using this address regardless of the mobile node’s current point of attachment to the Internet.


IPv6 Mobility Introduction

• Features and Mechanisms of Mobile IPv6
  – Bi-directional movement detection mechanism
  – Uses IPv6 Routing header (type 2)
  – A “home agent” intercepts and delivers packets destined for the mobile node
  – The home agent uses IPv6 anycast address (RFC 2526)
  – Mobile IPv6 defines one new destination option, the Home Address destination option
  – A new mobility extension header


IPv6 Mobility Introduction

• The Mobile IPv6 protocol is just as suitable for mobility across homogeneous media as for mobility across heterogeneous media

• The Mobile IPv6 protocol solves network-layer mobility management problems

• Transparently routes packets to and from mobile nodes while away from home


IPv6 Mobility Introduction

• Mobile IPv6 does not attempt to deal with
  – Links with partial reachability or unidirectional connectivity
  – Access control on a link being visited by a mobile node
  – Mobile routers
  – Service Discovery
  – Distinguishing between errors versus network congestion


IPv6 Mobility Introduction

• Mobile IPv6 makes use of IPv6 features
  – Neighbor Discovery
  – Address Autoconfiguration
  – Extension Headers


IPv6 Mobility Introduction

• HMIPv6 - Hierarchical Mobile IPv6 mobility management – draft 8
  – Extends Mobile IPv6 and IPv6 ND
• Local mobile handling
• Reduces the amount of signalling
• Improves handoff speed


IPv6 Mobility Overview

• When mobile node is attached to home link standard IP routing is used for delivery

[Figure labels: Home Agent; home subnet prefix; mobile node; home address]


IPv6 Mobility Overview

• When a mobile node moves, its care-of address changes

[Figure: mobile node attached over a wireless link via a Foreign Agent, connected across the Internet to the Home Agent on the home subnet prefix; the Home Agent proxy "listens" for the home address]


IPv6 Mobility Overview

[Figure labels: Internet, Corresponding Node, Comm. Tower, Mobile PDA, Home Agent]

01 A corresponding node (CN), on the Internet, wants to communicate with a mobile node (MN)
02 CN sends a packet to the MN's "Home Address"
03 The Home Agent proxy listens to the MN's Home Address
04 The home agent encapsulates the data and forwards to the MN's current Care-of-Address (COA)
05 The MN decapsulates the received data
06 The MN directly responds to the CN using the MN's Home Address for the source
07 This triangle routing continues. The MN uses "binding updates" to inform the Home Agent of its new COA


IPv6 Mobility Overview

[Figure labels: Internet, Corresponding Node, Comm. Tower, Mobile PDA, Home Agent]

01 A corresponding node (CN), on the Internet, wants to communicate with a mobile node (MN)
02 CN sends a packet to the MN's "Home Address"
03 The Home Agent proxy listens to the MN's Home Address
04 The home agent encapsulates the data and forwards to the MN's current Care-of-Address (COA)
05 The MN decapsulates the received data
06 The MN directly responds to the CN using the MN's COA address and includes a binding update
07 The CN can now communicate directly w/ the MN using its COA. Binding updates keep this connection alive as movement occurs


IPv6 Mobility – Return routability

• Securing Bindings between MN and CN
  – Uses Return Routability Procedure

[Figure: Mobile PDA, Home Agent and Corresponding Node connected across the Internet; message labels: Initiate test for HoA/CoA, Test for HoA/CoA, Authenticated Binding]


IPv6 Mobility Introduction

• MANET – Mobile Ad Hoc Networks
  – AODV – Ad Hoc On-Demand Distance Vector routing protocol – draft 13
  – DSR – Dynamic Source Routing protocol – draft 9
  – TBRPF - Topology Dissemination Based on Reverse-Path Forwarding – draft 11
  – OLSR – Optimized Link State Routing – RFC 3626


Quality of Service

• What is QOS and why is it needed
  – IP network's ability to successfully transport IP packet within requirements of an application
  – Ability to ensure delivery of packet
  – Ability to reserve resources in the network for transport of packet
  – End-to-end QOS is important


QOS

• What is QOS and why is it needed
  – Network applications require guaranteed delivery
    • VOIP versus “average” HTTP
    • Hierarchical requirements (Military chain of command)


QOS

• TCP applications:
  – Packet loss causes retransmissions
    • Longer times to transfer the files, images, web pages, etc…
    • Extra packets that increase congestion
• UDP applications:
  – Delay sensitive
    • packet becomes obsolete with long transfer delays
  – Packet loss sensitive
    • application retransmissions or decreased performance of application
  – In the worst case application does not work at all


QOS

• For QOS to work it should be
  – Scalable
  – Flexible
  – Robust
  – Ubiquitous

• QOS is only as strong as its weakest point

• Public Internet is “Best effort” IP delivery for ALL packets


QOS

• QOS mechanisms “today” remain the same in IPv6 as they exist in IPv4
  – Some work through translation mechanisms
  – RSVP, intserv, diffserv, etc.
  – QOS services that use the IPv4 TOS (type of service) are compatible with IPv6


QOS – IPv4

[Figure: IPv4 header layout, one 32-bit row per line (bits 0–31)]

Version=4 | IHL | Type of Service | Total Length
Identifier | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options + Padding


QOS – IPv6

[Figure: IPv6 header layout, one 32-bit row per line (bits 0–31)]

Version=6 | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address (128 bits)
Destination Address (128 bits)


QOS – IPv6 – Flow Label

[Figure: IPv6 header layout, one 32-bit row per line (bits 0–31)]

Version=6 | Traffic Class | Flow Label
Payload Length | Next Header | Hop Limit
Source Address (128 bits)
Destination Address (128 bits)


QOS – Future – IPv6 Flow Label

• Currently no “standard” exists that defines usage of Flow Label for any function

• Lots of discussion and ideas on how to apply
  – When and how to use flow label
  – How many bits should be defined
  – Can source apps use multiple flow labels for same application


QOS – Future – IPv6 Flow Label

• Some example uses of flow label
  – Code upper layer information
    • Difficult for nodes in transit to determine upper layer info due to encryption, fragmentation, etc…
    • Provides Class of Service.
  – Use similar labeling as in 20 bit MPLS
    • Different concepts not equally mapped
  – ISP use for creating billing tags of packets
    • Allow ISP to correctly bill for multicasting


QOS – Future – IPv6 Flow Label

• Reference
  – draft-ietf-ipv6-flow-label-08.txt


Security and IPsec

– Current Solutions
  • Internet adoption grew
  • Applications were designed and operated with “ad hoc” security solutions
  • Provides semi-trusted and semi-secure Internet access
  • Don’t address fundamental issues
  • Mostly concerned with fighting symptoms


Security in IPv6

– Current Solutions
  • Packet Filters and Firewalls
    • Filters traffic based on predefined rules
      • IP address
      • port numbers
      • virus patterns
    • May determine “unusual” behavior


Security in IPv6 - example


Security in IPv6

• Basic Security Requirements and Techniques
  – Confidentiality
    • The property that stored or transmitted information cannot be read or altered by an unauthorized party
  – Integrity
    • The property that any alteration of transmitted or stored information can be detected


Security in IPv6

– The IPSEC framework
  • A formally defined standard (RFC 2401)
  • Contains 6 distinct elements
    • Description of security requirements and mechanisms on the network layer
    • Security element for encryption (RFC 2406)
    • Security element for authentication (RFC 2402)
    • Concrete cryptographic algorithms for encryption and authentication
    • Definition of Security policy and Security associations between partners
    • IPSEC key management
      • ISAKMP - RFC 2408 - Internet Security Association and Key Management Protocol


Security in IPv6

[Figure: The IPSEC framework. Source: “IPv6 Essentials”, O’Reilly Press, 2002]


Security in IPv6

– Authentication in IPv6
  • Extension Header type 51 provides integrity and authentication for end to end data


Security in IPv6

– Authentication in IPv6
  • Cryptographic checksum is also known as a message digest or hash. It is computed using these rules:
    • IP Header, version, class, and flow label are excluded from the computation. Hop Limit is assumed to contain zero
    • All Extension Headers that change en-route are computed as a sequence of zeros
    • If Routing Extension Header is present the IPv6 destination address is set to the final destination
  • IPv6 implementations MUST support
    • Keyed message digest No. 5 (MD5)
      • requires “key”
      • considered theoretically breakable
    • Secure Hash Algorithm No. 1 (SHA-1)


Security in IPv6

– Authentication in IPv6
  • Payload Authentication (Transport Mode)
    • Transport mode authenticates all end to end payload plus selected headers (described previously)
      • Payload Length
      • Next Header
      • Extension headers (not listed previously)
      • Upper layer headers and data
    • Some IP header fields are not protected
    • Will not work with NAT environment
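
The AH rules on this slide and the previous one, worked through as an added example (not code from the tutorial): it builds a transport-mode packet, zeroes the fields RFC 2402 lists as mutable (Traffic Class, Flow Label, Hop Limit) plus the ICV field, and computes an HMAC-SHA-1-96 checksum, so a Hop Limit decrement or QoS re-marking still verifies while a rewritten source address does not. The key, addresses, SPI and payload are constructed, and no other extension headers are modelled.

```python
import hashlib
import hmac
import ipaddress
import struct

AH, UDP = 51, 17                 # Next Header values
AH_LEN, ICV_LEN = 24, 12         # 12-byte fixed part + 96-bit ICV


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64,
                traffic_class=0, flow_label=0):
    """Fixed 40-byte IPv6 header."""
    word0 = (6 << 28) | (traffic_class << 20) | flow_label
    return (struct.pack("!IHBB", word0, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def ah_header(next_header, spi, seq, icv=bytes(ICV_LEN)):
    """Next Header, Payload Len, Reserved, SPI, Sequence Number, ICV."""
    payload_len = AH_LEN // 4 - 2          # length in 32-bit words, minus 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def icv_input(packet):
    """Bytes the ICV covers: the packet with mutable fields set to zero."""
    buf = bytearray(packet)
    buf[0] &= 0xF0                         # keep Version, clear Traffic Class high bits
    buf[1:4] = bytes(3)                    # rest of Traffic Class + Flow Label
    buf[7] = 0                             # Hop Limit is treated as zero
    buf[40 + 12:40 + AH_LEN] = bytes(ICV_LEN)   # the ICV field itself
    return bytes(buf)


def compute_icv(key, packet):
    """HMAC-SHA-1 over the masked packet, truncated to 96 bits."""
    return hmac.new(key, icv_input(packet), hashlib.sha1).digest()[:ICV_LEN]


def build_packet(key, src, dst, payload, spi=0x1000, seq=1, **fields):
    """IPv6 header + AH + upper-layer bytes, with the ICV filled in."""
    ip = ipv6_header(src, dst, AH, AH_LEN + len(payload), **fields)
    icv = compute_icv(key, ip + ah_header(UDP, spi, seq) + payload)
    return ip + ah_header(UDP, spi, seq, icv) + payload


def verify(key, packet):
    """Receiver side: recompute the ICV and compare in constant time."""
    if len(packet) < 40 + AH_LEN or packet[6] != AH:
        return False
    return hmac.compare_digest(packet[52:64], compute_icv(key, packet))


def in_transit(packet, hops=1, traffic_class=None):
    """Changes a router may legitimately make: Hop Limit decrement, QoS re-marking."""
    buf = bytearray(packet)
    buf[7] -= hops
    if traffic_class is not None:
        buf[0] = (buf[0] & 0xF0) | (traffic_class >> 4)
        buf[1] = (buf[1] & 0x0F) | ((traffic_class & 0x0F) << 4)
    return bytes(buf)


def natted(packet, new_src):
    """An address translator rewrites the source address (an immutable field)."""
    buf = bytearray(packet)
    buf[8:24] = ipaddress.IPv6Address(new_src).packed
    return bytes(buf)


# Constructed sample values (documentation prefix 2001:db8::/32).
KEY = b"constructed-demo-key"
PAYLOAD = b"constructed upper-layer bytes"
PACKET = build_packet(KEY, "2001:db8:1::10", "2001:db8:2::20", PAYLOAD)

if __name__ == "__main__":
    print("as sent:          ", verify(KEY, PACKET))
    print("3 hops, re-marked:", verify(KEY, in_transit(PACKET, 3, 0xB8)))
    print("source rewritten: ", verify(KEY, natted(PACKET, "2001:db8:ffff::1")))
```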


Security in IPv6

– Authentication in IPv6
  • Header and Payload Authentication (Tunnel Mode)
    • Accomplished by creating a tunnel between 2 gateways
      • Gateway may be a router
      • May be a VPN implementation
    • Wraps the original packet in a new packet
    • Applies checksum to entire packet


Security in IPv6

– Encryption in IPv6
  • Extension Header type 50 provides integrity and confidentiality


Security in IPv6

– Encryption in IPv6
  • Support for Authentication
  • IPv6 specification contains one encryption algorithm that must be supported by every implementation
    • DES-CBC (Data Encryption Standard in Cipher Block Chaining Mode)
    • Other stronger algorithms may be negotiated using corresponding SA and SPI
    • Government export controls


Security in IPv6

– Encryption in IPv6
  • Payload encryption (Transport Mode)
    • Transport mode encrypts all end to end extension headers and payload
    • Extension headers must not be looked at in path


Security in IPv6

– Encryption in IPv6
  • Header and Payload encryption (Tunnel Mode)
    • Accomplished by creating a tunnel between 2 gateways
      • Gateway may be a router
      • May be a VPN implementation
    • Wraps the original packet in a new packet
    • Applies checksum to entire packet


Security in IPv6

– Encryption in IPv6
  • Combining Authentication and Encryption
    • It was originally intended to use both extension headers
    • But increased IPv6 packet size was not good
    • Included AH functionality in ESP


Security in IPv6

– Deploying security
  • Requires Security Policy Database (SPD)
  • Configures Security Associations (SA)

[Figure: Node A and Node B joined by Security Associations; each node holds an SPD with the entries "A -> B ESP key" and "B -> A ESP key"]


Security in IPv6

– IPSEC may solve many issues on the Internet
  • FTP, Telnet, DNS, and SNMP
– However other issues exist
  • IPSEC tunnels break through firewalls or NAT
  • Tunneled IPSEC traffic may contain malicious data
  • QOS doesn’t work in IPSEC
  • Mobility issues
    • Dynamic IP addresses cause IPSEC to fail


Security in IPv6

– IPv6 deployment slowed due to IPv4 workarounds
  • NAT and CIDR
  • SSL
  • SSH
  • S/MIME, PGP
– IPSEC deployment issues
  • lack of public key infrastructure
  • lack of vendor/IPv6 adoption


New - IPsec deployment pushes end-node firewall deployment

– By definition, end-to-end encryption makes intermediate packet inspection by firewalls and IDS devices impossible

– AH-secured packets (protected from tampering and source address spoofing) can still be inspected

– Look for increased migration of network firewalls to host-based (centrally managed) solutions


New - IPsec deployment pushes end-node firewall deployment

[Figure: intranet behind a Firewall, connected to the IPv4 Internet and the IPv6 Internet; encapsulated IPv6 packets pass through the Firewall]


New - ICMP Traffic Needs Increase

• “Protected” nodes need ICMPv6 from intermediary nodes (i.e. routers)
  – Cannot block all ICMPv6 at edge of
  – Inbound ICMP (specific types) must be allowed
  – Increases opportunity for DoS attacks


New – ICMP Traffic Needs Increase

• New advanced use of ICMPv6 opens up new DoS attacks
  – Neighbor Discovery
  – Router advertisements
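
One way to express "allow specific inbound ICMPv6 types, not all of them" as a filter decision, added here as an example and not taken from the tutorial. The allow list is an illustrative policy choice; the type numbers are the standard ICMPv6 assignments, and the Hop Limit 255 and link-local source checks are the Neighbor Discovery validation rules that stop off-link senders from injecting Router Advertisements. All packets are constructed.

```python
import ipaddress
import struct

ICMPV6 = 58
# Error messages that end nodes need from routers along the path.
ERRORS = {1: "destination-unreachable", 2: "packet-too-big",
          3: "time-exceeded", 4: "parameter-problem"}
NEIGHBOR_DISCOVERY = {133: "router-solicitation", 134: "router-advertisement",
                      135: "neighbor-solicitation", 136: "neighbor-advertisement",
                      137: "redirect"}


def make_icmpv6(src, dst, icmp_type, hop_limit, code=0):
    """Constructed packet: IPv6 header + 8-byte ICMPv6 message (checksum left 0)."""
    icmp = struct.pack("!BBHI", icmp_type, code, 0, 0)
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + icmp)


def inbound_decision(packet):
    """Return (verdict, reason) for one inbound packet."""
    if len(packet) < 41 or packet[0] >> 4 != 6:
        return ("drop", "not a complete IPv6 packet")
    if packet[6] != ICMPV6:
        return ("other", "not ICMPv6, left to the remaining rules")
    hop_limit, icmp_type = packet[7], packet[40]
    src = ipaddress.IPv6Address(packet[8:24])
    if icmp_type in ERRORS:
        return ("allow", ERRORS[icmp_type])
    if icmp_type in NEIGHBOR_DISCOVERY:
        name = NEIGHBOR_DISCOVERY[icmp_type]
        # A Hop Limit below 255 means the packet was forwarded by a router,
        # so it cannot be genuine on-link Neighbor Discovery.
        if hop_limit != 255:
            return ("drop", name + " with hop limit " + str(hop_limit))
        # Router Advertisements and Redirects must use a link-local source.
        if icmp_type in (134, 137) and not src.is_link_local:
            return ("drop", name + " from non-link-local source")
        return ("allow", name)
    # Everything else, echo request included, is dropped under this policy.
    return ("drop", "ICMPv6 type " + str(icmp_type) + " not on allow list")


# Constructed samples (documentation prefix 2001:db8::/32).
SAMPLES = {
    "pmtu":        make_icmpv6("2001:db8:9::1", "2001:db8:1::10", 2, 57),
    "ra_on_link":  make_icmpv6("fe80::1", "ff02::1", 134, 255),
    "ra_routed":   make_icmpv6("fe80::1", "ff02::1", 134, 64),
    "ra_global":   make_icmpv6("2001:db8:9::1", "ff02::1", 134, 255),
    "echo":        make_icmpv6("2001:db8:9::1", "2001:db8:1::10", 128, 57),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inbound_decision(pkt))
```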


New - Privacy Extensions

• Privacy extensions
  – allow end-node to create randomly generated IPv6 Identifier
  – Changes periodically
• IPv6 prefix still “ISP” Based


New - Security not really “fixed” in IPv6

• Required IPsec is an improvement to Internet security

• Only secures “network” layer (Transport)

• Attacks against host services (buffer overflow) or computer users (eMail viruses) are not resolved by secure transport layer


New - Disuse of NAT really only an issue in home networks

• Enterprise network administrators can secure environment without NAT using stateful firewalls and other packet filters

• End-to-end reachability utopia of IPv6 will probably not be embraced by enterprise soon – NAT or no NAT


Transition Security

• Basic Security Element
  – IPv4 network secure
    • Behind firewall
    • Using NAT


Security - example


Transition Security

• Introduction of various transition mechanisms may compromise network
  – IPv6 connectivity point
  – Tunnel
  – UDP NAT traversal
  – Other…


Transition Security

– IPv6 connectivity point

[Figure: intranet behind a Firewall, connected to the IPv4 Internet and the IPv6 Internet]


Transition Security

– Tunnel
– UDP NAT traversal

[Figure: intranet behind a Firewall, connected to the IPv4 Internet and the IPv6 Internet; encapsulated IPv6 packets pass through the Firewall]


Transition Security

– Other

[Figure: ISATAP network with an ISATAP & 6to4 router, connected over the IPv4 Internet to a 6to4 relay on the IPv6 Internet]
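
A detection-side sketch of the tunnel slides above, added as an example and not taken from the tutorial: it inspects IPv4 packets at the firewall for encapsulated IPv6 and names the mechanism from the inner addresses. Protocol 41 (IPv6-in-IPv4) and the 6to4 and ISATAP address formats are standard; using UDP port 3544 (Teredo) to stand in for "UDP NAT traversal" is an assumption of this example, and all packets are constructed.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41      # carrier for 6to4, ISATAP and configured tunnels
PROTO_UDP = 17
TEREDO_PORT = 3544           # assumption: Teredo as the UDP NAT traversal case
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
ISATAP_IDS = (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe")


def ipv4_packet(src, dst, proto, payload):
    """Constructed IPv4 packet with a 20-byte header (checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return (hdr + ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed + payload)


def ipv6_packet(src, dst, payload=b""):
    """Constructed IPv6 packet; Next Header 59 means no upper-layer header."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)


def udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify_inner(addr):
    """Name the transition mechanism an IPv6 address belongs to, if any."""
    if addr in SIX_TO_FOUR:                      # 2002:<IPv4>::/48
        return "6to4", str(ipaddress.IPv4Address(addr.packed[2:6]))
    if addr.packed[8:12] in ISATAP_IDS:          # interface ID ::5efe:<IPv4>
        return "isatap", str(ipaddress.IPv4Address(addr.packed[12:16]))
    return "other", None


def looks_like_ipv6(data):
    """Version nibble is 6 and the Payload Length matches the bytes present."""
    return (len(data) >= 40 and data[0] >> 4 == 6
            and struct.unpack("!H", data[4:6])[0] == len(data) - 40)


def inspect(packet):
    """Return a finding for tunnelled IPv6 inside one IPv4 packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    body = packet[(packet[0] & 0x0F) * 4:]
    proto = packet[9]
    if proto == PROTO_IPV6_IN_IPV4:
        carrier, inner = "proto-41", body
    elif proto == PROTO_UDP and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        if TEREDO_PORT not in (sport, dport):
            return None
        carrier, inner = "udp-3544", body[8:]
    else:
        return None
    if not looks_like_ipv6(inner):
        # Protocol 41 is worth reporting even when the inner header is damaged.
        return {"carrier": carrier, "mechanism": "unparsed"} if proto == 41 else None
    src = ipaddress.IPv6Address(inner[8:24])
    dst = ipaddress.IPv6Address(inner[24:40])
    mechanism, embedded = classify_inner(src)
    if mechanism == "other":
        mechanism, embedded = classify_inner(dst)
    return {"carrier": carrier, "mechanism": mechanism, "embedded_ipv4": embedded,
            "inner_src": str(src), "inner_dst": str(dst)}


# Constructed samples (documentation and private address ranges).
SIX_TO_FOUR_PKT = ipv4_packet("192.0.2.10", "198.51.100.1", 41,
                              ipv6_packet("2002:c000:20a::1", "2001:db8::80"))
ISATAP_PKT = ipv4_packet("10.1.1.5", "10.1.1.1", 41,
                         ipv6_packet("fe80::5efe:a01:105", "fe80::5efe:a01:101"))
UDP_PKT = ipv4_packet("10.1.1.7", "203.0.113.9", 17, udp_datagram(
    50000, 3544, ipv6_packet("2001:db8:aaaa::7", "2001:db8::80")))
PLAIN_PKT = ipv4_packet("10.1.1.8", "203.0.113.9", 6, b"\x00" * 20)
```

Matching on a port only covers UDP encapsulation that uses that port; the protocol 41 check does not depend on addresses or ports.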


Transition Security

– Other
– BIA

[Figure: BIA stack, top to bottom: IPv4 Applications; Socket API (IPv4, IPv6); API Translator (name resolver, address mapper, function mapper); TCP(UDP)/IPv4 and TCP(UDP)/IPv6]


5. Deploying IPv6

• Current deployment and trends
• IPv6 capable products and services
• Early lessons learned


Countries on the IPv6 Internet

[Chart: number of countries on the IPv6 Internet, Jul-99 to Oct-03 (y-axis 0 to 60). Annotations: linear growth averaging 1 country per month; 54 countries]


IPv6 ISPs per country

# | Country | ISPs
1 | Japan | 65
2 | US | 64
3 | Germany | 51
4 | Netherlands | 28
5 | UK | 22
6 | Sweden | 17
7 | France | 17
8 | South Korea | 17
9 | Italy | 15
10 | Austria | 13
11 | Taiwan | 12
12 | Finland | 11
13 | Canada | 10
14 | Spain | 9
15 | Portugal | 8
16 | Switzerland | 8
17 | China | 8
18 | Czech Rep. | 7
19 | Mexico | 7
20 | Poland | 7
21 | Europe | 6
22 | Australia | 6
23 | Norway | 5
24 | Singapore | 5
25 | South Africa | 4
26 | Denmark | 4
27 | Estonia | 4
28 | Luxembourg | 4
29 | Russia | 3
30 | Ireland | 3
31 | Belgium | 3
32 | Thailand | 3
33 | Malaysia | 3
34 | Brazil | 2
35 | Lithuania | 2
36 | Turkey | 2
37 | Romania | 2
38 | Iran | 2
39 | Yugoslavia | 2
40 | Indonesia | 2
41 | Chile | 1
42 | Dom. Republic | 1
43 | Greece | 1
44 | Hungary | 1
45 | Cyprus | 1
46 | UAE | 1
47 | Tunisia | 1
48 | Croatia | 1
49 | Israel | 1
50 | Slovenia | 1
51 | Saudi Arabia | 1
52 | N. Guinea | 1
53 | India | 1
54 | Philippines | 1


IPv6 ISPs versus time

[Chart: number of IPv6 ISPs, Jul-99 to Oct-03 (y-axis 0 to 500). Annotated data points:]

June 30, 00 - 36
June 30, 01 - 84
June 30, 02 - 154
June 30, 03 - 399
December 3, 03 - 482


Future ISP Growth Trends

[Chart: projected number of IPv6 ISPs, Jul-99 to Jul-09 (y-axis 0 to 8000). Series: Doubles 6 months; Doubles annually; Doubles bi-annually]


IPv6 ISPs per Region

[Pie chart: regions Eurasia, Asia-Pacific, North America, Latin America; slice values 56%, 26%, 17%, 1%]


IPv6 ISPs per Function

[Chart: share of IPv6 ISPs by function, Aug-99 to Nov-03 (x-axis Time, y-axis Percent 0 to 100). Series: Commercial; Research & Education; Government]

Commercial Sector is driving the deployment of IPv6.


IPv6 Capable Operating Systems

Vendor | Versions | More Info
Microsoft | W2003 Server; XP (SP1) and .NET; CE .NET (Pocket PC 4.1) | http://www.microsoft.com/ipv6
Sun | Solaris 8 and 9 | http://wwws.sun.com/software/solaris/ipv6/
IBM | z/OS Rel. 4; AIX 4.3 ->; OS/390 V2R6 eNCS | http://www-1.ibm.com/servers/eserver/zseries/zos/unix/release/bpxa1zr4.html and http://www-3.ibm.com/software/network/commserver/library/publications/ipv6.html
BSD | FreeBSD 4.0 ->; OpenBSD 2.7 ->; NetBSD 1.5 ->; BSD/OS 4.2 -> | http://www.kame.net/
Linux | RH 6.2 ->; Mandrake 8.0 ->; SuSE 7.1 ->; Debian 2.2 -> | http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-distributions.html
HP/Compaq | HP-UX 11i; Tru64 UNIX V5.1; OpenVMS V5.1 | http://www.compaq.com/ipv6/next_gen.html
Apple | MAC OS X 10.2 -> | http://developer.apple.com/macosx/


IPv6 Capable Routers

Vendor | Versions | More Info
6WIND | 6100, 6200, Windedge | http://www.6wind.com
Nortel | BayRS routers | https://www.nortel.com
Cisco | Nearly all router products | http://www.cisco.com/ipv6
Ericsson | RXI 820 | http://www.ericsson.com
Extreme Networks | 4GNSS | http://www.extremenetworks.com
Hitachi | GR2000-2S, GR2000-4S, GR2000-6H, GR2000-10H, GR2000-20H | http://www.hitachi.com
Juniper | M5, M10, M20, M40, M160 | http://www.juniper.net/solutions/enabling_tech/ipv6
Nokia | 100, 300, 400, 500, 600700 | http://www.nokia.com/nokia/0,1522,,00.html?orig=/IPv6
Sumitomo Electric | 3700 | http://seusa.sumitomo.com/htmls/randd/ipv6/ipv6.html
Zebra | Zebra-0.94 | http://www.zebra.org
Teledat | Nearly all router products | http://www.teledat.es


Early lessons learned

• There is great long term potential for IPv6 to generate additional revenue and reduce costs for enterprises. In the short term, enterprises should expect increased costs, complexity, IA, and interoperability issues during the transition.

• Enterprises should strongly consider top-down, centrally coordinated IPv6 transition efforts to reduce costs, minimize IA vulnerabilities, and minimize interoperability issues.

• Enterprise policies, processes, procedures, and databases will need to be examined and upgraded to dual IPv4/v6.

• Enterprise network services will need to be examined, engineered, and upgraded to dual IPv4/v6.

• Enterprise network infrastructure will need to be examined, engineered, and upgraded to dual IPv4/v6.

• Enterprise custom and COTS SW applications will need to be examined, engineered, and upgraded to dual IPv4/v6.

• Enterprise products and services will need to be examined, engineered, and upgraded to dual IPv4/v6.

• The IPv6 transition may heavily impact ongoing and future enterprise IT acquisitions.


Early lessons learned - Security

• Many resources will be shared during the transition. These become a means for an IPv6 attack to disrupt IPv4 communications and vice-versa.

• The new features of IPv6 will add new vulnerabilities.

• IPv6 coexistence mechanisms have their own set of new vulnerabilities.

• Engineering and Operations personnel must be properly trained to minimize the impact of new vulnerabilities.


Factors impacting coexistence mechanisms used.

• Policy
• Cost
• Security
• Performance
• Operational Complexity