IPv6-workshop-TM-0x18

© 2012 Cisco and/or its affiliates. All rights reserved. 1

Cisco “Tech Session” Preparing for BYOD & the Internet of Everything, an IPv6 Workshop

Tim Martin

CCIE #2020

Solutions Architect

Summer 2015


•  BYOD and the Internet of Everything •  IPv6 Protocol Deep Dive •  IPv6 Design Considerations •  IPv6 Campus Design •  IPv6 Data Center Transitions •  IPv6 Translation Techniques •  IPv6 Internet Edge Design •  Summary


89%

10%

1% 23%

36%

26% 75%

22%

Desktops Smart Phones Tablets •  Boomers are retiring, GenX is “tech savvy”, GenY is “tech dependent”

•  2016 GenY (the millennia's (18-34)) become the largest workforce segment

•  43% of 18-24 year-olds say that texting is just as meaningful as a phone conversation -eMarketer

•  40% of GenY believe that blogging about workplace issues is acceptable –Iconoculture

•  24% of GenY say that technology use is what makes their generation unique -Pew Research

•  74% of GenY used a smartphone for work purposes in the last year, compared to 37 percent of Baby Boomers -CompTIA

© 2012 Cisco and/or its affiliates. All rights reserved. 4 4


IPv6

IPv4 Address Depletion

2011

National IPv6 Strategies STEM

Mandate

Infrastructure Evolution

4G, DOCSIS 3.0, CGN

IPv6 OS, Content & Applications

Pref. by App’s in W7, S2008, OSX


• Early Adopters, from ~2001-2005 (6bone) • Chasm, Refinement from 2005-2009 (Tunneling) • Early Majority, Launch June 2012 (Transitioning)

54% 37% 70%

53% 17%


IPv6 Only

Dual Stack Core

IPv6-Only

Preserve Prepare Prosper

464-xlat Dual-Stack

IPv6 Only

Dual Stack Core

MA

P, LW46…

4 over 6

2015 World IPv6 Day

2011 2012 2013 2014 World IPv6 Launch IPv6 in the laboratory IPv6-Centric Networking

2010

IPv6 at Scale

6

Internet

IPv4 Only

IPv4 Core

IPv4-Only NAT

NAT

Dual Stack Core

IPv4 Only

Dual-Stack

6rd, L2TP…

NAT 6 over 4 4

Dual Stack

Dual-Stack

4 6


§  Standards - Leadership in IP protocols within IETF & IPv6 development

§  Experience - Professional Services offering years of experience in IPv6

§  Solutions - Innovation, Feature Acceleration




340,282,366,920,938,463,374,607,432,768,211,456 (IPv6 Address Space - 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand and 456

vs 4,294,967,296 (IPv4 Address Space - 4 Billion)

•  Lot’s of talk about how big, it’s BIG, do NOT worry about waste

•  Each /64 prefix contains 18 Quintillion host address’s (18,446,744,073,709,551,616)

•  Theoretical vs. Practical deployment, still not an issue

Antares 15th Brightest star in the sky

Our Sun


•  IPv6 has a specific Ethernet Protocol ID •  IPv6 relies heavily on Multicast

Destination Ethernet Address!

Source Ethernet Address!

0x0800!!

IPv4 Header and Payload!

Destination Ethernet Address!

Source Ethernet Address!

0x86DD!!

IPv6 Header and Payload!

xx 33 33 xx xx xx

I bit = Local Admin, L bit = Multicast/Broadcast

0000 00IL 0 = Universel/unique

1 = Local/not unique


Offset Flags

Total Length Type of Service IHL

Padding Options Destination Address

Source Address

Header Checksum Protocol Time to Live

Identification

Version

IPv4 Header (20-60)

Next Header Hop Limit

Flow Label Traffic Class

Destination Address

Source Address

Payload Length

Version

IPv6 Header (40)

•  Length is constant in IPv6 •  Fragmentation occurs in (EH 44)

•  Option’s occur in (EH 0,6) •  UDP must have valid Checksum, unlike v4.

•  Upper layer checksums use the Pseudo Header format: SRC/DST Addr + Next Header


Extension Header * Type Hop-by-Hop Options 0

Routing Header 43

Destination Options 60

Fragment Header 44

ESP Header 50

Authentication Header 51

Mobility Header 135

Shim6 140

Experimental 253,254

No Next Header 59

IPv6 Header Hop-by-Hop Destination Opt TCP Header Payload

•  EH are daisy chained, processed in order •  Length is variable, must be on 8 byte boundary, typically 24 bytes •  If HbH is present, must be first, MUST (2460), Should be processed (7045)


Type Code Data

Checksum

•  Neighbor Discovery, Router Discovery, Path MTU Discovery and (MLD) Type – (1-127) = Error Messages, (128-255) = Informational Messages Code – More Granularity within the Type Checksum – computed over the entire ICMPv6 Data - Original IPv6 Header, First 8 bytes of ULP, fill to Min MTU (1280)

58

1 Destination Unreachable

2 Packet Too Big

3 Time Exceeded

4 Parameter Problem ICMPv6 Header

Next Header *58, not 1 (ICMP)


•  May cause “hard to spot” connectivity issues

•  Must set ALL interfaces to 1280 MTU if you disallow PTB at your FW Source Destination Link

MTU 1500 MTU 1500 MTU 1400 MTU 1300

Packet, MTU=1500

ICMPv6 Packet Too Big, Use MTU=1400

2 Packets | EH type 44 | Packet, MTU=1400

ICMPv6 Type 2 PTB, Use MTU=1300

2 Packets | EH type 44 | Packet, MTU=1300


IPv6 Address Family

Multicast Anycast Unicast

Assigned Solicited Node

Unique Local Link Local Global Special Embedded

*IPv6 does not use broadcast addressing

Well Known Temp


•  IPv6 addresses are 128 bits long Segmented into 8 groups of 16 bits separated by (:) 32 HEX characters – a Prefix, not a mask •  Word, Group or Quad •  4 Hex characters, each contain 4 bits

Host Portion Network Portion

2001:0db8:0100:1111:0000:0000:0000:0001 2001 : 0db8 : 0100 : 1111 : 0000 : 0000 : 0000 : 0001

16 bits 16 bits 16 bits 16 bits 16 bits 16 bits 16 bits 16 bits

Host Id Subnet Id Global Routing Prefix


•  Leading 0’s can be omitted

•  The double colon (::) can appear only once

2001:0db8:0000: :0000:0000:0000:1e2a 00a4 Full Format

2001:db8:0: :0:0:0:1e2a a4 Abbreviated Formats

2001:db8:0: ::1e2a a4


Link-Local – Non routable exists on single layer 2 domain (fe80::/10) fe80:0000:0000:0000

:: xxxx:xxxx:xxxx:xxxx

fc00:gggg:gggg: xxxx:xxxx:xxxx:xxxx ssss:

fd00:gggg:gggg: xxxx:xxxx:xxxx:xxxx ssss:

Unique-Local – Routable within administrative domain (fc00::/7)

2000:NNNN:NNNN HHHH:HHHH:HHHH:HHHH Global – Routable across the Internet (2000::/3)

:SSSS:

3fff:NNNN:NNNN HHHH:HHHH:HHHH:HHHH :SSSS:


•  Recommended Alloca,ons •  Consumer, SMB /56 /60 /64 •  Municipal Government, Enterprise, Single AS /48 •  State Governments, Universi,es (LIR) /32 /36 /40 /44 /48

•  Addressing Plan, Site Count •  IPv4 Allocation, Multi-homed ISP • 1 - 12 sites, a /44 assignment • 13 - 192 sites, a /40 assignment • 193 - 3,072 sites, a /36 assignment • 3,073 - 49,152 sites, a /32 assignment

Registries

Level Four Entity

IANA

ISP Org

PA

/48

2000::/3

/12

/32

2000::/3

/48

/12

PI

/32

/48

ARIN

Subordinate


Similar to IPv4 New in IPv6

Manually configured StateLess Address AutoConfiguration SLAAC EUI64

SLAAC Privacy Extensions

Assigned via DHCPv6

*Secure Neighbor Discovery SeND


00 90 27 ff fe 17 fc 0f

OUI Device Identifier

00 90 27 17 fc 0f

02 90 27 ff fe 17 fc 0f

0000 00U0 U= 1 = Universel/unique

0 = Local/not unique U bit must be flipped

ff fe 00 90 27 17 fc 0f


•  Generated on unique 802 using MD5, then stored for next iteration •  Enabled by default in Windows, Android, iOS, Mac OS/X, Linux •  Temporary or Ephemeral addresses for client application (web browser)

Recommendation: Good for the mobile user, but not for your organization/corporate networks (Troubleshooting and accountability)

24

2001 DB8

/32 /48 /64

Random Generated Interface ID 0000 1234


DHCPv6 Server 2001:db8::feed:1

DHCPv6 Solicit

•  Source – fe80::1234, Destination - ff02::1:2

•  Client UDP 546, Server UDP 547

•  Original Multicast Encapsulated in Unicast (Relay)

•  DUID – Different from v4, used to identify clients

•  ipv6 dhcp relay destination 2001:db8::feed:1

DHCPv6 Relay

DHCPv6 Relay

SOLICIT (any servers)

ADVERTISE (want this address)

REQUEST (I want that address)

REPLY (It’s yours)


•  Each device has a RSA key pair •  Ultra light check for validity

SHA-1

RSA Keys Priv Pub

Subnet Prefix

Interface Identifier

Crypto. Generated Address

Signature

SeND Messages

Modifier

Public Key Subnet Prefix CGA Params

26


Router R host

Certificate Authority CA0 Certificate Authority Certificate C0

Router certificate request

Router certificate CR

Certificate Path Solicit (CPS): I trust CA0, who are you ?

Certificate Path Advertize (CPA): I am R, this is my certificate CR

1

2

3

4

5

6 Verify CR against CA0

7 Start using R as default gateway

Router Advertisement

•  Most OS’s do NOT support it (Vista, 2007/8, OSX, iOS, Android)


•  Prefix ff00::/8 8-bit 4-bit 4-bit 112-bit

1111 1111 0 R P T Scope Variable format

Flags

O Reserved

R = 0 R = 1

No embedded RP Embedded RP

P = 0 P = 1

Without Prefix Address based on Prefix

T = 0 T = 1

Well Known Address (IANA assigned) Temporary address (local assigned)

Scope 1 Node

2 Link

3 Realm

4 Admin

5 Site

8 Organization

E Global


Address Scope Meaning ff02::1 Link-Local All Nodes

ff02::2 Link-Local All Routers

ff02::5 Link-Local OSPFv3 Routers

ff02::6 Link-Local OSPFv3 DR Routers

ff02::9 Link-Local RIPng

ff02::A Link-Local EIGRP

•  FF02, is a permanent address and has link scope

•  Link Operations, Routing Protocols, Streaming Services


Corresponding Ethernet Address

ff3e:0040:2001:0db8:cafe:0001:11d7:4cd3 IPv6 Temporary

Multicast Address

33 33 D7 4C D3 11


ff02:0000:0000:0000:0000:0000:0000:0001 IPv6 Well Known

Multicast Address

33 33 00 00 01 00

Every IPv6 Multicast address (layer 3), MUST map to a corresponding Ethernet address (layer 2)


•  Always uses Link Local (fe80::/64) as its source

•  Hop Limit must be set to 255 Generalized TTL Security Mechanism

•  Neighbor discovery messages •  Router solicitation (ICMPv6 type 133) •  Router advertisement (ICMPv6 type 134) •  Neighbor solicitation (ICMPv6 type 135) •  Neighbor advertisement (ICMPv6 type 136) •  Redirect (ICMPv6 type 137)

IPv4 IPv6 ARP Request Neighbor Solicitation

Broadcast Solicited Node Multicast

ARP Reply Neighbor Advertisement

Unicast Unicast

NDP

RA RS

NS NA Redirects

NUD DAD

IPv6


•  Router solicitations (RS) are sent by nodes at bootup

•  Routers forward packets as well as provide provisioning services

RS

ICMP Type 133 IPv6 Source fe80::a IPv6 Destination ff02::2 Opt. 1 SLLA SRC Link Layer Address

RA

ICMP Type 134 IPv6 Source fe80::2

IPv6 Destination fe80::a Data Options, subnet prefix,

lifetime, autoconfig flag

RS RA

A


•  M-Flag – Stateful DHCPv6 to acquire IPv6 address

•  O-Flag – Stateless DHCPv6 in addition to SLAAC

•  Preference Bits – Low, Med, High

•  Router Lifetime – Must be >0 for Default

•  Options - Prefix Information, Length, Flags

•  L bit – Only way a host get a On Link Prefix

•  A bit – Set to 0 for DHCP to work properly

Type: 134 (RA) Code: 0 Checksum: 0xff78 [correct] Cur hop limit: 64 ∞ Flags: 0x84 1… …. = Managed (M flag) .0.. …. = Not other (O flag) ..0. …. = Not Home (H flag) …0 1… = Router pref: High Router lifetime: (s)1800 Reachable time: (ms) 3600000 Retrans timer: (ms) 1000 ICMPv6 Option 3 (Prefix Info) Prefix length: 64 ∞ Flags: 0x80 1… …. = On link (L Bit) .1.. …. = No Auto (A Bit) Prefix: 2001:0db8:4646:1234::/64

RA


RA

type = 134 code = 0 checksum

hop limit M|O|H|pref router lifetime reachable time

retransmit timer

options (variable)

•  ICMPv6 – Type, Code, Checksum, Data

•  Data – Body of the Message Type (Required)

•  Option 1 – Source MAC, Option 5 – MTU

•  Option 3 – Prefix and Host Provisioning

•  Option 25 – Recursive DNS Servers, DNS Search List


•  Tentative – Address in verification process (DAD) •  Preferred – Address can be used for communication •  Valid – Address can be used, may be Preferred or Deprecated •  Deprecated – Address can be used on existing connections •  Invalid – Address is not available for use

Valid

Deprecated Preferred Tentative Invalid Preferred Lifetime

Valid Lifetime


•  Enable DHCPv6 via the M flag •  Disable auto configuration via the A bit in option 3 •  Enable Router preference to high •  Enable DHCPv6 relay

interface fastEthernet 0/0 ipv6 address 2001:db8:1122:acc1::/64 eui-64 ipv6 nd managed-config-flag ipv6 nd prefix default no-autoconfig ipv6 nd router-preference high ipv6 dhcp relay destination 2001:db8:add:café::1


Node A can start using address A

B A C

•  Unspecified Source (::), No Option 1 SLLA

•  Probing the Local Link to Verify Address Uniqueness

•  An NA Indicates Address in Use, Administrative Intervention Required

ICMP Type 135 NS IPv6 Source UNSPEC = :: IPv6 Dest. A Solicited Node Multicast

ff02::1:ff00:a Query Anyone Using “a”

NS

ICMP Type 136 NA IPv6 Source fe80::a IPv6 Dest. 02::1 Flags S = 0

O = 1

NA


•  Unicast address MUST build corresponding solicited-node multicast

•  Solicited-node multicast consists of ff02::1:ff/104 {lower 24 bits from IPv6 Unicast}

ff02 0000 0000 0000 0000 0001 ffbc fc0f

fe80 0000 0000 0000 1234 5678 9abc fc0f

33 33 BC FC 0F FF Every layer 3 IPv6 Multicast address Must map to the corresponding layer 2 Multicast address


R1#sh ipv6 int e0 Ethernet0 is up, line protocol is up

IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18 Global unicast address(es):

2001:DB8:0:1234::1 subnet is 2001:DB8:0:1234::/64 Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:1 FF02::1:FF3A:8B18 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND router advertisements are sent every 200 seconds *If EUI format is used then the 1rst solicited node mcast addr is used for both the LL & GU

Solicited-Node Multicast Address*


A! B!

ICMP Type 135 NS IPv6 Source fe80::a IPv6 Destination ff02::1:ff00:b Hop Limit 255 Target Address 2001:db8:1:46::b Query What is B link layer address? Opt. 1 SLLA A’s Link Layer Address

ICMP Type 136 NA IPv6 Source fe80::b

IPv6 Destination fe80::a Target Address 2001:db8:1:46::b Option 2 TLLA B’s Link Layer Address

*Flags R = Router S = Response to Solicitation O = Override cache information

NS NA

•  ARP replacement, Map’s L3 to L2.

•  Node B will add node A to it’s neighbor cache during this process w/o sending NS

•  Multicast for resolution (new), Unicast for reachability (cache)

DfGW


Neighbors are only considered “reachable” for 30-seconds. “Stale” indicates that, we MAY need to send a NS packet.


R2 A B

Packet

IPv6 Source 2001:db8:4646:1::b IPv6 Dest. 2001:db8:4646:1::a ULP variable

Redirect 137

IPv6 Source fe80::2 IPv6 Dest. 2001:db8:4646:1::b ICMPv6 Type 137 Target Addr. 2001:db8:4636:1::a

Opt. 2 TLLA 001C.2D3E.00AA

Redirect Packet

•  Cannot be used if destination is multicast

•  Hosts should not send redirects, Should be turned off on routed links

•  IPv6 Hosts Don’t Use Bitwise Masking, TLLA Avoids ND Round


•  MLD uses LL source addresses Hop Limit = 1

•  MLD packets use “Router Alert” in HBH Destination is not the routers interface

•  3 msg types: Query, Report, Done

•  MLDv1 = (*,G) shared, MLDv2 = (S,G) source

MLD snooping

MLD IGMP Message Type

ICMPv6 Type Function

MLDv1 (RFC2710) IGMPv2 (RFC 2236) Listener Query

Listener Report

Listener Done

130

131

132

Used to find out if there are any multicast listeners

Response to a query, joins a group

Sent by node to report it has stopped listening

MLDv2 (RFC 3810) IGMPv3 (RFC 3376) Listener Query

Listener Report

130

143


Enhanced reporting, multiple groups and sources


•  IPv4 Compatible 0:0:0:0:0:0.A.B.C.D/96 0:0:0:0:0:0.192.168.30.1 ::c0a8:1e01 Used by IPv6 aware devices, now deprecated

•  IPv4 Mapped 0:0:0:0:0:ffff.A.B.C.D/96 0:0:0:0:0:ffff.192.168.30.1 ::ffff:c0a8:1e01

Used in automatic tunneling by device with no IPv6 knowledge

IPv4

IPv6 Internet

IPv6 Network


C:\ >ipconfig Tunnel adapter ISATAP Adapter Media State : Media disconnected Connection DNS Suffix : foo.com Tunnel adapter Teredo Adapter Media State : Media disconnected Connection-specific DNS Suffix : Tunnel adapter 6TO4 Adapter: Media State : Media disconnected Connection-specific DNS Suffix :

Can be disabled via Registry, GPO, Powershell, etc.

ß  Used within administrative domain (IP41) ::0:5efe:w.x.y.z/96 – Private v4 ::200:5efe:w.x.y.z/96 – Global v4

ß  Used with RFC 1918 address’s (UDP3544) 2001:0:{srvr v4}:{flags}:{udp}:{nat v4}

ß  Used with global IPv4 address’s (IP41) 2002:xw.x.y.z::


•  Loopback 0:0:0:0:0:0:0:1=> ::1

•  Unspecified address 0:0:0:0:0:0:0:0=> 0::0 => :: => ::/128

•  Documentation Prefix 2001:0db8::/32

•  Discard Prefix 0100::/64

•  6to4 Automatic Tunneling 2002::/16

•  Default Route ::/0



Windows 7, Mac OSX use pseudo random by default. iPad & iPhone generate a new temporary address per association

C:\Documents and Settings\>netsh netsh>interface ipv6 netsh interface ipv6>show address Querying active state... Interface 5: Local Area Connection Addr Type DAD State Valid Life Pref. Life Address --------- ---------- ------------ ------------ ----------------------------- Public Preferred 29d23h58m25s 6d23h58m25s 2001:0db8:2301:1:202:8a49:41ad:a136 Temporary Preferred 6d21h48m47s 21h46m 2001:0db8:2301:1:bd86:eac2:f5f1:39c1 Link Preferred infinite infinite fe80::202:8a49:41ad:a136 netsh interface ipv6>show route Querying active state... Publish Type Met Prefix Idx Gateway/Interface Name ------- -------- ---- ------------------------ --- --------------------- no Autoconf 8 2001:0db8:2301:1::/64 5 Local Area Connection no Autoconf 256 ::/0 5 fe80::20d:bdff:fe87:f6f9


•  Scope, Preferred over Deprecated, Native over Transitional, Temporary over Public •  Must support application override API, Choice of v6 over v4 is application dependent •  Give IPv6 300ms Head Start. Lookup & Connect Retrieve and Display

Application Layer

TCP/UDP

IPv6 IPv4

Network Interface Card

NCSI – Network Connection Status Indicator

Public Preferred 2001:0db8:2301:1:202:8a34:bead:a136 Temporary Preferred 2001:0db8:2301:1:bd86:ea49:41f1:39c1 Link Preferred fe80::202:8a34:bead:a136

RFC 6555



ü Create a project team, assign a PM ü Identify business value & impacts ü Assess equipment & applications for IPv6 ü Begin training & develop training plan ü Develop the architectural solution ü Obtain a prefix and build the address plan ü Define an exception process for legacy systems ü Update the security policy ü Deploy IPv6 trials in the network ü Test and monitor your deployment


Data Center WAN Internet

SiSi SiSi SiSi SiSi SiSi SiSi

SiSi SiSi

SiSi SiSiSiSi SiSi

SiSi SiSi

Access

Core

Distribution

Distribution

Access


•  Core-to-Access – Gain experience with v6

•  Turn up your servers – Enable the experience

•  Access-to-Core – Securing and monitoring

•  Internet Edge – Business continuity

Servers

Branch Access

WAN

Campus Core

Access Layer

ISP ISP

Internet Edge


Distribution Layer

Access Layer

Core Layer

Aggregation Layer (DC)

Access Layer (DC)

IPv6/IPv4 Dual-stack

Server

IPv6/IPv4 Dual-stack Hosts

Data Center Block

Access Block

• Leverages existing IPv4 infrastructure • Allows “slower” roll into IPv6 deployment • Poor scalability and overall performance, no Multicast support • Tunneling everywhere, “flattens” the network you have built


ISATAP IPv6 Service Block

DA

Data Center Block

WAN/ISP Block

Access Layer

Dist. Layer

Core Layer

IPv4-only Campus Block

Server Internet

• Provides tighter control of where IPv6 is deployed • Allows for reduced time to deliver IPv6 services • Cost of SB equipment and it’s reuse in the network • Eventually hits scalability and overall performance, no Multicast support


Distribution Layer

Access Layer

Core Layer

Aggregation Layer (DC)

Access Layer (DC)

IPv6/IPv4 Dual-stack

Server

IPv6/IPv4 Dual-stack Hosts

Data Center Block

Access Block

56

• Preferred Method, Versatile, Scalable and Highest Performance • No Dependency on IPv4, runs in parallel on dedicated HW • No tunneling, MTU, NAT or performance degrading technologies • Does require IPv6 support on all devices


• Should we use both on the same link at Layer 3? • Separate links, possibly to collect protocol specific statistics • Routing protocols OSPFv3, EIGRP combined or separate? • Fate sharing between the data and control planes per protocol

OSPFv3

EIGRP

Internet

2001:db8:1:1::/64 198.51.100.0/24

IPv4 & IPv6

IPv4 & IPv6

2001:db8:6:6::/64 192.168.4.0/24


• Topology hiding, Interfaces cannot be seen by off link devices • Reduces routing table prefix count, less configuration • Need to use ULA or GUA for generating ICMPv6 messages • What about DNS?, Traceroute, WAN Connections, etc.. • RFC7404 – Details pros and cons

WAN/MAN

Internet FE80::/64

FE80::/64

ULA/GUA

FE80::/64

ULA/GUA

ULA/GUA

ULA/GUA

ULA/GUA


Corporate Backbone Branch 2

ULA Space FD9C:58ED:7D73::/48 Global – 2001:DB8:CAFE::/48

Internet

FD9C:58ED:7D73:3000::/64 2001:DB8:CAFE:3000::/64

FD9C:58ED:7D73::2::/64

Global

2001:DB8:CAFE::/48

• Automatic Prefix Generation (RFC 4193) non sequential /48, avoid M&A challenges • Need to use Global for troubleshooting beyond the internal network • Caution with older OS’s (RFC 3484) using ULA & IPv4 • Multiple policies to maintain (ACL, QoS, Routing, etc..)


•  Today, NAT44 & RFC1918 •  All PA or all PI and peering in multiple regions

PI from one region and run it everywhere? ISP in one region reject PI block from another? What about translation?

•  IETF does NOT recommend the use of NAT66 w/IPv6

•  NAT ≠ Firewall – RFC 4864 (Local Network Protection)

•  NAT ≠ Firewall – RFC 7021 (Impact of CGN on Applications)

Firewall+NAT Internet


Pt 2 Pt /127

WAN

Core /64 or /127

Servers /64

Hosts /64

Loopback /128

•  Anywhere a host exists /64

•  Point to Point /127 Should not use all 0’s or 1’s in the host portion Nodes 1&2 are not in the same subnet

•  Loopback or Anycast /128

•  RFC 7421 /64 is here

•  RFC 6164 /127 cache exhaust


•  Methods Follow IPv4 (/24 only), Organizational, Location, Function based

•  Hierarchy is key (A /48 example) Bit twiddle's dream (16 bit subnet strategy) 4 or 8 bits = (16 or 256) Regions (states, counties, agencies, etc..) 4 or 8 more bits = (16 or 256) Sub Levels within those Regions 4 more bits = (16) Traffic Types (Admin, Guest, Telephony, Video, etc..)

•  Cisco IPv6 Addressing White Paper http://www.cisco.com/go/IPv6

•  Monotonically (1000, 2000, 3000, etc.) vs. Sparse (0000, 4000, 8000, c000 )

62



HSRP for IPv6 •  Modification to NA, RA and ICMPv6 redirects

•  Virtual MAC derived from HSRP group # and virtual IPv6 LLA HSRP Standby

HSRP Active

Neighbor Unreachability Detection •  Rudimentary HA at the first HOP, that is slow to detect failures

•  Hosts use NUD “reachable time” to cycle next known default GW

RA Reach-time

GLBP for IPv6 •  Default Gateway is announced via RA’s from Virtual MAC

•  Active Virtual Gateway (AVG), assigns MAC’s, responds to NDP and directs hosts to Active Virtual Forwarder (AVF)

GLBP AVG AVF

GLBP AVG AVF •  Active/Standby design or laod balancing via VLAN’s

•  Multi-vendor interoperabilty

VRRP for IPv6


•  Many similarities with HSRP for IPv4 from design perspective (odd/even prefix) •  Changes occur in Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects •  Virtual MAC derived from HSRP group number and virtual IPv6 link-local address •  Layer 2 - 0005.73A0.0000-0F0F à 3333.0000.0066 •  Layer 3 – FE80::/64 à FF02::66 •  Layer 4 – UDP port 2029 (HSRPv6)

interface FastEthernet0/1

ipv6 address 2001:DB8:66:67::2/64

standby version 2

standby 2 ipv6 autoconfig

standby 2 timers msec 250 msec 800

standby 2 preempt

standby 2 preempt delay minimum 180

standby 2 authentication cisco

Unix Host with GW of VIP unixhost# route -A inet6 | grep ::/0 | grep eth2 ::/0 fe80::5:73ff:fea0:1

HSRP Standby

HSRP Active


•  Provides weighted or ~= load balancing across resources •  Modification to NA, default GW is announced via RA using vmac •  AVG assigns Vmac’s and responds to NDP, directing hosts to the AVF’s •  Layer 2 – 0007.B4xx.xx08 à 3333.0000.0066 •  Layer 3 – FE80::/64 à FF02::0100:5E00:66 •  Layer 4 – UDP port 3222 (GLBPv6)

interface fastethernet0/0

ipv6 address 2001:db8::/64 eui-64

glbp 8 ipv6 2001:db8::D38:C677:2925:8

glbp 8 priority 110

glbp 8 preempt

glbp 8 load-balancing weighted

glbp 8 weighting 110 lower 95 upper 105

glbp 8 authentication md5 key-string 7 cisco

GLBP 8 AVF

GLBP 8 AVG AVF


•  Sub second failover possible, multi vendor interoperation •  Active/Standby design, Load Balancing via VLAN’s •  Layer 2 – 0000.5E00.02xxà 3333.0000.0012 •  Layer 3 – FE80::/64 à FF02::12 •  Layer 4 – IP protocol 112

fhrp version vrrp v3

!

interface fastethernet0/0

ipv6 address 2001:db8::/64 eui-64

vrrp 4 address-family ipv6

vrrp 4 address fe80::1 primary


•  IPv4 syntax has used “ip” following match/set statements Example: match ip dscp, set ip dscp

•  New match criteria match dscp match precedence

•  New set criteria set dscp set precedence

•  Modification to support IPv6 and IPv4

Data Voice

Video Internet


•  Control access to hardware resources on the system When TCAM is exhausted, SW switching is invoked

•  First hop security features deny global-autoconf (Source guard policy) ND cache limits ND tracking – binding table limits

•  Platform specific issues 6500 “mls ipv6 acl compress address unicast” Catalyst 3750/3560 “sdm prefer …”

•  Routing table How much can the TCAM hold? Typically shared between IPv4 and IPv6

6500#show mls cef maximum-routes FIB TCAM maximum routes : ======================= Current : --------- IPv4 + MPLS - 512k (default) IPv6 + IP Multicast - 256k (default)


•  SDM templates are used to configure system resources in the switch to optimize support for specific features

Highly dependent on how the switch is used in the network

•  Three templates available Routing

Maximizes system resources for unicast routing Typically required for a router or aggregator in the core

VLAN Disables routing, supports maximum unicast MAC addresses Typically be selected for a Layer 2 switch

Default Provides balance to all functions

•  Needed to configure IPv6 ACLs Even on a Layer 2 only switch

•  Requires a reboot


•  Recommendation is stick with /64 prefixes as the longest prefix that will have attached hosts

•  What about prefixes that are longer than a /64? Most platforms consume 2 slots for every IPv6 route and 1 slot for IPv4

•  LPM can consume a greater amount of HW switching resources Greatly limits the scalability of the platform for prefix lengths in the /64 - /127 range

•  May be appropriate based on location of the device •  See first point 2001:db8:4646::/48

2001:db8:4646:5::/64 2001:db8:4646:5::aa03/127



•  Prefix FF00::/8 8-bit 4-bit 4-bit 112-bit

1111 1111 0 R P T Scope Variable format

Flags

O Reserved

R = 0 R = 1

No embedded RP Embedded RP

P = 0 P = 1

Without Prefix Address based on Prefix

T = 0 T = 1

Well Known Address (IANA assigned) Temporary address (local assigned)

Scope 1 Node

2 Link

3 Subnet

4 Admin

5 Site

8 Organization

E Global


•  Every Unicast prefix can build custom multicast addresses

•  Last 32 bits of unicast address mapped into Group ID (112 Bits) 8 Bits 4 Bits 4 Bits 8 Bits 8 Bits 64 Bits 32 Bits

1111 1111 0 0 1 1 1110 Rsvd plen Unicast Prefix Group ID

Example plen 40 = 64 bits

Prefix 2001:db8:cafe:1::

Group ID 11d7:4cd3

FF3E:0040:2001:DB8:CAFE:1:11D7:4CD3


•  Static mapping of RP into Multicast group

•  Solves MSDP and scaling issues 8 Bits 4 Bits 4 Bits 4 Bits 4 Bits 8 Bits 64 Bits 32 Bits

1111 1111 0 1 1 1 1110 Rsvd RPid plen Unicast Prefix Group ID

Example Rsvd/RPid 0000 | 0101

Prefix 2001:db8:cafe:1::

Group ID 645

FF7E:0540:2001:DB8:CAFE:1:0000:0645

FF7E:540:2001:db8:cafe:1::645

2001:db8:cafe:1::5


Address Scope Meaning FF02::1 Link-Local All Nodes

FF02::2 Link-Local All Routers

FF02::5 Link-Local OSPFv3 Routers

FF02::6 Link-Local OSPFv3 DR Routers

FF02::9 Link-Local RIPng

FF02::A Link-Local EIGRP

•  FF02, is a permanent address and has link scope

•  Link Operations, Routing Protocols, Streaming Services



FF3E:0040:2001:0DB8:CAFE:0001:11D7:4CD3 IPv6 Temporary

Multicast Address

33 33 D7 4C D3 11


FF02:0000:0000:0000:0000:0000:0000:0001 IPv6 Well Known

Multicast Address

33 33 00 00 01 00

Every IPv6 Multicast address (layer 3), MUST map to a corresponding Ethernet address (layer 2)


•  MLD uses LL source addresses

•  MLD packets use “Router Alert” in HBH Destination is not the routers interface

•  3 msg types: Query, Report, Done

•  MLDv1 = (*,G) shared, MLDv2 = (S,G) source

MLD snooping

MLD IGMP Message Type

ICMPv6 Type Function

MLDv1 (RFC2710) IGMPv2 (RFC 2236) Listener Query

Listener Report

Listener Done

130

131

132


Response to a query, joins a group

Sent by node to report it has stopped listening

MLDv2 (RFC 3810) IGMPv3 (RFC 3376) Listener Query

Listener Report

130

143


Enhanced reporting, multiple groups and sources


•  Hosts send MLD report to alert router they wish to join a multicast group

•  Router then joins the tree to the source or RP

MLD Report (A)

ICMP Type 131

IPv6 Source fe80::209:5bff:fe08:a674

IPv6 Destination FF38::276

Hop Limit 1

Group Address ff38::276

Hop-by-Hop Header

Router Alert Yes

MLD Report

A MLD Report

B I wish to receive

ff38::276 I wish to receive

ff38::276

MLD Report (B)

ICMP Type 131

IPv6 Source fe80::250:8bff:fE55:78de


Hop Limit 1


Hop-by-Hop Header

Router Alert Yes

(S, G)

Source for multicast ff38::276

fe80::209:5bff:fe08:a674 fe80::250:8bff:fE55:78de fe80::207:85ff:fe80:692


MLD Done (A)

ICMP Type 132


IPv6 Destination FF02::2 (All routers)

Hop Limit 1


Hop-by-Hop Header

Router Alert Yes

MLD Done (A)

A

fe80::209:5bff:fe08:a674 MLD Report (B)

B

fe80::250:8bff:fE55:78de

I wish to leave ff38::276

I am watching ff38::276

MLD Query (C)

ICMP Type 130

IPv6 Source fe80::207:85ff:fe80:692


Hop Limit 1

Hop-by-Hop Header

Router Alert Yes

Query (C

)

fe80::207:85ff:fe80:692

C MLD Report (B)

ICMP Type 131

IPv6 Source fe80::250:8bff:fE55:78de


Hop Limit 1


Hop-by-Hop Header

Router Alert Yes


MLD Report (A)

ICMP Type 143



Hop Limit 1

# of Records Include/exclude

Group Address FF38::4000:BA11

Hop-by-Hop Header

Router Alert Yes

MLD Report

A I wish to receive FF38:4000:BA11

(S, G)

Source for multicast FF38::4000:BA11

fe80::209:5bff:fe08:a674


•  General Query FF02::1 Group list empty, who’s listening?

•  Group Specific Query FF38::4000:BA11 Anyone still interested in this stream?

•  Group & Source Specific Query 2001:DB8:CAFÉ::1, FF38::4000:BA11

•  Filter Mode, Change Record

•  Multiple routers on link Lowest address value assumes Querier role

A Q

uery

Source for multicast FF38::4000:BA11



•  BYOD: Massive influx of consumer devices to be placed on Enterprise networks

•  Consumer devices are typically located within a single Layer 2 domain in the home

•  Users may expect to have the same type of services in the Enterprise / Campus but also across L3 boundaries

•  Device types include mobile devices (iOS, Android), printers, cameras, PCs etc.


•  FF02::FB – Multicast DNS – mDNS (Apple Bonjour) (Chromecast)

•  FF02::2:FF/104 – Node Information Query (FreeBSD)

•  FF02::C – Simple Service Discovery Protocol – SSDP, UPnP (Microsoft)

•  FF02::1:3 – Link Local Multicast Name Resolution – LLMNR (File Sharing enabled)

Personal Computer Operating Systems •  Windows •  Mac OS X •  Linux

Appliances & Networking •  Printers •  Access Points •  Switches •  Routers

AV Equipment •  Speakers •  Cameras •  Displays •  AV Receivers


•  Service Discovery Is your Phone Book. Tell me, where I can reach Mr. Printer Doesn’t necessarily mean that you can actually reach / talk to Mr. Printer

•  Access Control Is like caller screening Even if a person is not listed in the phone book, you might call that person because you know the number “I know Mr. Printer is at 1.2.3.4, let’s call him even if I don’t see him in the phone book”

•  Better Together use the phone book for easy lookup (Service Discovery) use the caller screening for security (ACL / SGT / SGACL ...)



•  Catalyst Integrated Security Features (CISF)

•  Dug Song - dsniff Port

Security


•  ARP is replaced by Neighbor Discovery Protocol Nothing authenticated Static entries overwritten by dynamic ones

•  Stateless Address Autoconfiguration rogue RA (malicious or not)

•  Attack tools are real! Parasit6 Fakerouter6 Alive6 Scapy6 …

89


IPv6 Snooping

IPv6 FHS RA

Guard DHCPv6 Guard

Source/Prefix Guard

Destination Guard

Protection: •  Rogue or

malicious RA •  MiM attacks

Protection: •  Invalid DHCP

Offers •  DoS attacks •  MiM attacks

Protection: •  Invalid source

address •  Invalid prefix •  Source address

spoofing

Protection: •  DoS attacks •  Scanning •  Invalid

destination address

RA Throttler

ND Multicast Suppress

Reduces: •  Control traffic

necessary for proper link operations to improve performance

Core Features Advance Features Scalability & Performance

Facilitates: •  Scale

converting multicast traffic to unicast


•  Attacker hacks any victim's DAD attempts

•  Victim will need manual intervention to configure IP address

Src = UNSPEC Dst = Solicited-node multicast A Data = A Query = Does anybody use A?

Src = any C’s IF address Dst = A Option = link-layer address of C

A B

NS

NA

C


•  Admin/Intern sends RA’s with false prefix •  Enthusiast who has a tunnel broker account •  The most frequent threat by non-malicious user

B

Src = C link-local address Dst = All-nodes Options = prefix BAD

RA

A C


•  Flooding RA’s overwhelms the system, OSX, MSFT, ipad/phone, Android

B RA, prefix BAD1

A 2 3 5

RA, prefix BAD2 RA, prefix BAD3 RA, prefix BAD4 RA, prefix BAD5 RA, prefix BAD6

C

Update: MSFT Addresses Vulnerability in IPv6 Could Allow Denial of Service (2904659) Published: Tuesday, February 11, 2014


•  Attacker spoofs Router Advertisement with false on-link prefix •  MITM, Splash Screen, Capture

B

Src = B’s link-local address Dst = All-nodes Options = prefix BAD

RA

A C


•  Port ACL


ipv6 traffic-filter ACCESS_PORT in

deny icmp any any router-advertisement

•  Feature Based


ipv6 nd raguard

•  Policy Based

ipv6 snooping policy HOST!

security-level guard ! ! ! ! !

limit address-count 2 !

device-role node!

interface GigabitEthernet1/0/2!

ipv6 snooping attach-policy HOST!

HOST Device-role

RA

RA

RA

RA

RA

ROUTER Device-role


IPv6 NH=44 NH=60, Offset = 0, M=1 DO - Frag 1, >1400 Bytes

ICMP RA IPv6 NH=44 NH=58, Offset = 176, M=0 Fragment 2

ICMP RA IPv6 NH=44 NH=58, Offset = 1, M=0 Fragment 2

IPv6 NH=44 NH=58, Offset = 0, M=1 Fragment 1 ICMP

Hidden ULP

Overlapping Fragments

Offset Flag

Length ToS IHL

Checksum Prot TTL

ID

Ver Routing Type!Reserved Next Header Offset Reserved | M!Identification

Fragmentation EH (type 44)

Aug 2013 RFC 6980

• RFC 6980 ≥ deny ipv6 fe80::/64 any fragments

deny ipv6 any any undetermined-transport

RFC 5722, hosts to reject id’s with overlaps


Prevent Rogue DHCP responses from misleading the client

DHCP Server

DHCP Req.

I am a DHCP Server

DHCP Client


•  Deep control packet Inspection •  Address Glean (ND , DHCP, data) •  Address watch •  Binding Guard

Instrumental link-operation security feature that analyzes control/data switch traffic, detect IP address, and store/update them in Binding Table to ensure rogue users cannot spoof or steal addresses.

Intf IPv6 MAC VLAN State

g1/0/10 ::000A 001A 110 Active

g1/0/11 ::001C 001C 110 Stale

g1/0/16 ::001E 001E 200 Verifying

IPv6 Binding Table (RFC6620)

IPv6 Source Guard

IPv6 Destination

Guard Device Tracking


Mitigates Address High Jacking, Ensures Proper Prefix


g1/0/10 ::000A 001A 110 Active

g1/0/11 ::001C 001C 110 Stale

g1/0/16 ::001E 001E 200 Verifying

g1/0/21 ::0021 0021 200 Active

~Host A

NDP or DHCPv6

Host A


•  Mitigate prefix-scanning attacks and Protect ND cache •  Drops packets for destinations without a binding entry


g1/0/10 ::0001 001A 110 Active

g1/0/11 ::001C 001C 110 Stale

g1/0/16 ::001E 001E 200 Verifying

Forward packet

Lookup Table

found No

Yes

NS 2001:db8::1

Ping 2001:db8::1

Ping 2001:db8::4 Ping 2001:db8::3

Ping 2001:db8::2



§  Radio is a shared media §  Hosts must “awaken” to see if Mul,cast is for them §  Only unicast frames are acknowledged and retransmi1ed §  AP transmits bcast/mcast frames at the lowest possible rate to ensure recep,on §  Disable legacy IEEE 802.11b data rates (1, 2, 5.5 Mbps)

!


§  DAD –  1 packet per IP address configured on the network

§  RS –  1 packet per host that joins the network

§  RA –  Periodic: 1 packet every X seconds –  Solicited: 1 packet for every host that joins the network

§  NS –  1 packet for every new host/host pair

§  NA –  1 packet for every new host address

§  MLD –  1 packet for solicited node mul,cast group

§  What about broken stuff (i.e. MLD packets sent to Solicited Node Mcast)


•  Scaling the 802.11 multicast reliability issues •  NDP process is multicast “chatty”, consumes airtime •  Controller rate limits the period RA’s, while allowing RS to flow •  Caching allows the Controller to “proxy” the NA, based on gleaning

(NS)

00:24:56:75:44:33 2001:db8:0:20::2 00:24:56:11:93:28 2001:db8:0:20::4

(Unicast NA)

(NS) (Unicast NA)

2

4 Periodic (RA’s)

(Multicast NS)

(Multicast NS)


•  Management access - Telnet/SSH/HTTP/HTTPs •  Mobility – Auto anchor, Guest access, WebAuth, •  Services – NTP, SNMP, Syslog, Radius, CDP, CAPWAPv6 •  UDP Lite – Speeds calculating checksums using pseudo-header •  WebAuth - Captive portal for IPv6 only clients


Anchor

Foreign

Mobility Tunnel

Unicast RA

Mcast RA

Roaming Client

•  Roaming client must be able to receive the original router advertisement •  Controllers must be part of the same mobility group domain •  The anchor controller sends the RA to the foreign in the mobility tunnel •  AP convert’s multicast RA to an L2 unicast (MC2UC)


•  Existing VideoStream support using MC2UC (Multicast to Unicast) for IPv4 works the same for IPv6 multicast streams

•  The multicast to unicast conversion occurs at the Access Point for efficiency and scalability

Ethernet

IPv6 802.11

VLAN IPv6 Ethernet IPv4 IPv6 CAPWAP 802.11

CAPWAP Multicast Group

Stream A

A

107



•  Enable IPv6 routing -  “ipv6 unicast-routing”

•  IPv6 Next Hop -  Link local addresses

•  Router ID -  Unique 32-bit number that identifies the router -  Happens to be written in dotted decimal notation L

•  Addressing considerations -  Structure -  Hierarchy -  Summarization

Management Routing Switching Services


ipv6 general-prefix foo-core 2001:0db8:4646:6000::/52 ipv6 general-prefix foo-acc 2001:0db8:4646:6acc::/56 ipv6 unicast-routing ! interface GigabitEthernet1/0/1 description To 6k-core-right ipv6 address foo-core ::3:0:0:0:d63/64 ipv6 eigrp 10 ipv6 hello-interval eigrp 10 1 ipv6 hold-time eigrp 10 3 ipv6 authentication mode eigrp 10 md5 ipv6 authentication key-chain eigrp 10 eigrp ipv6 summary-address eigrp 10 2001:0db8:4646:6000::/52 ! interface GigabitEthernet1/0/2 description To 6k-core-left ipv6 address foo-core ::C:0:0:0:d63/64 ipv6 eigrp 10 ipv6 summary-address eigrp 10 2001:0db8:4646:6000::/52

interface Vlan4 description Data VLAN for Access ipv6 address foo-acc ::4:d63/64 ipv6 eigrp 10 ! interface Vlan6 description Data VLAN for Access ipv6 address foo-acc ::6:d63/64 ipv6 eigrp 10 ! ipv6 router eigrp 10 no shutdown router-id 10.122.10.10 passive-interface Vlan4 passive-interface Vlan6 passive-interface Loopback0


•  IGP’s use Link Local Address’s •  Redistribution needs GUA or ULA

•  Routing Protocols may need “Multi-Hop”

•  Static can be tragic, no auto update

Ipv6 unicast-routing ! !direct Ipv6 route 2001:db8:2::/48 ethernet 1/0 ! !recursive Ipv6 route 2001:db8:5::/48 2001:db8:4::1


•  RIPng – UDP 521, 15 hops •  FE80::/64 Source à FF02::9 Destination

•  Distance Vector, Hop Count (1-15)

•  Split Horizon, Poison Reverse

•  Beuller, Bueller, anyone?

Ipv6 unicast-routing ! Interface loopback 0 Ipv6 address 2001:db8:1000::1/128 Ipv6 rip CISCO enable ! Interface ethernet 0/0 Ipv6 address 2001:db8:5000:31::1/64 Ipv6 rip CISCO enable ! Ipv6 router rip CISCO


Ipv6 unicast-routing ! Interface ethernet 0/0 Ipv6 address 2001:db8:5000:31::1/64 Ipv6 router isis CISCO Isis circuit-type level-1 Isis ipv6 metric 10000 ! Router isis CISCO Net 49.0001.2222.2222.222.00 Metric style wide ! Address-family ipv6 Multi-topology

•  IS-IS – (RFC5308) CLNS •  IPv4 & IPv6

•  Link State •  2 New TLV’s Added

•  Topology Support •  Single Topology •  Multi Topology (preferred in DS) •  Multi Instance


Ipv6 unicast-routing ! Interface loopback0 Ipv6 address 2001:db8:1000::1/128 Ipv6 eigrp 11 ! Interface ethernet 0/0 Ipv6 address 2001:db8:5000:31::1/64 Ipv6 eigrp 11 ! Ipv6 router eigrp 11 Passive-interface loopback0 Eigrp router-id 10.10.10.10

•  EIGRP – IP 88

•  FE80::/64 Source à FF02::A Destination

•  2 New TLV’s – internal-type & external-type

•  No Split Horizon, Auto Summary Disabled

•  Stub reduces topology & queries •  EIGRP can perform better in large scale

hub and spoke environments


Ipv6 unicast-routing ! Interface loopback0 Ipv6 address 2001:db8:1000::1/128 Ipv6 ospf 8 area 0 ! Interface ethernet 0/0 Ipv6 address 2001:db8:5000:31::1/64 Ipv6 ospf 8 area 0 ! Ipv6 router ospf 8 router-id 10.10.10.10 passive-interface loopback0

•  OSPFv3 – IP 89 •  FE80::/64 Source à FF02::5, FF02::6 (DR’s) •  Link-LSA (8) – Local Scope, NH •  Intra-Area-LSA (9) – Routers Prefix’s •  Use Inter-Area-Prefix (3) – Between ABR’s

•  Can converge quickly to a point of scale, initial database build and discovery takes some time

•  Link state protocols perform better in full mesh environments, if tuned correctly

RFC 5838 (AF), RFC 7166 (AT)


•  Every OSPF packet contains standard header

•  Header size reduced from 24 to16 bytes

•  Authenticaion fields have been removed

•  Instance ID – Multiple processes per link. -  Address family independence

-  Default 0-IPv6, 64-IPv4

•  Router ID – 32 bit “number” -  Does not have to be an active address

•  Checksum – IPv6 pseudo header format

Version Type

Authentication

Area IDChecksum Autype

Authentication

Packet LengthRouter ID

Version Type

Instance ID 0

Router IDArea ID

Packet Length

Checksum

OSPFv2

OSPFv3 Standard Header


Options LS typeLS ageLink State ID

Advertising RouterLS sequence numer

LS checksum Length

OSPFv2

•  All LSA’s use common 20 byte header

•  Options field has moved to the LSA body

•  Type field expanded, contains flood scope -  Link 0,0 -  Area 0,1 -  AS 1,0

•  U bit added for unkown or new LSA’s

LS sequence numerLS checksum Length

LS age LS type

Advertising RouterLink State ID

OSPFv3 LSA Header



•  AH for authentication (RFC4552) -  Manual key process -  Dynamic keying is 1-to-1 -  OSPF design is 1-to-many -  ESP could be used for confidentiality -  Needed security license for IPSec

•  RFC7166 Authentication Trailers -  Updates RFC 6506 -  Anti-replay -  HMAC-SHA-1, 256, 384, 512 -  IOS 15.4S/M/T

key chain AUTH key 1 key-string RFC cryptographic-algorithm hmac-sha-512 ! address-family ipv6 unicast authentication mode strict area 0 authentication key-chain AUTH exit-address-family



•  Utilizes Existing IPv4 Transport •  Dual Stack on the PE •  MP-BGP Next Hop ::ffff:192.0.2.210 •  LDP Next Hop 192.0.2.210 •  Control Plane uses IPv4, for now

2001:db8:babe::/48 2001:db8:d00d::/48

R1 R4

IPv6 MP-BGP LDPv4

router bgp 192 no bgp default ipv4-unicast neighbor 192.0.2.3 remote-as 192 neighbor 129.0.2.3 update-source L0 ! address-family ipv6 redistribute connected no synchronization neighbor 192.0.2.3 activate neighbor 192.0.2.3 send-label ! ipv6 route 2001:db8:babe::/48 2001:db8:1:1::2


•  Utilizes Address Family (AF) in VRF Context •  Allows for VPN Functionality •  Subsequent Address Family Identifiers (SAFI) ‒ MP-BGP Address-family SAFI = 2 (IPv6) ‒ VRF Address-family SAFI = 128 (VPN)

2001:db8:café:1::/64

2001:db8:babe:1::/64

2001:db8:d00d:1::/64

2001db8:café:4::/64

2001:db8:babe:4::/64

2001:db8:dood:4::/64

R1

R4

vrf definition 6vpe rd 192:1 route-target export 192:1 route-target import 192:3 ! router bgp 192 address-family vpnv6 neighbor 192.0.2.3 activate neighbor 192.0.2.3 send-community both ! address-family ipv6 vrf 6vpe redistribute connected no synchronization


§  Adding TTL Security (for both IPv4 and IPv6) §  Adding the ability to form LDP session over IPv6, including peer discovery §  Modifying the Forwarding Equivalence Class to support both IPv4 and IPv6 §  Modifying how the LDP Identifier is used; still 32 bit §  Link local address will NOT get labels generated or passed

2001:db8:café:1::/64

2001:db8:babe:1::/64

2001:db8:d00d:1::/64

2001db8:café:4::/64

2001:db8:babe:4::/64

2001:db8:dood:4::/64

R1

R4


•  Private Circuit – Business as usual, Routing Protocols

•  Internet Circuit – DMVPN for scalability and resiliency

•  Local Internet “hop off” is Multi homing

Branch

WAN

::1 ::2

::3 ::1

::2

::3

::4 ::1 ::2

::3

Enterprise Campus

Data Center

HE2

HE1

BR1-2

BR1-1 ASA-1 BR1-LAN

::5 ::2

::3 BR1-LAN-SW

Main Site

124


•  Hub Configuration Example

crypto isakmp policy 1

encr aes 256

authentication pre-share

group 2

!

crypto isakmp key CISCO address 0.0.0.0 0.0.0.0

!

crypto ipsec transform-set HUB esp-aes 256 esp-sha-hmac

!

crypto ipsec profile HUB

set transform-set HUB

interface Tunnel0 description DMVPN Tunnel 1 ip address 10.126.1.1 255.255.255.0 ipv6 address 2001:DB8:CAFE:20A::1/64 ipv6 mtu 1416 ipv6 eigrp 10 ipv6 hold-time eigrp 10 35 no ipv6 next-hop-self eigrp 10 no ipv6 split-horizon eigrp 10 ipv6 nhrp authentication CISCO ipv6 nhrp map multicast dynamic ipv6 nhrp network-id 10 ipv6 nhrp holdtime 600 ipv6 nhrp redirect tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 10 tunnel protection ipsec profile HUB

Primary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 Backup DMVPN Tunnel

2001:DB8:CAFE:20B::/64

WAN HE2

HE1

BR1-2

BR1-1


•  Spoke Configuration Example

crypto isakmp policy 1 encr aes 256 authentication pre-share group 2 ! crypto isakmp key CISCO address 0.0.0.0 0.0.0.0 ! crypto ipsec transform-set SPOKE esp-aes 256 esp-sha-hmac ! crypto ipsec profile SPOKE set transform-set SPOKE

interface Tunnel0 description to HUB ip address 10.126.1.2 255.255.255.0 ipv6 address 2001:DB8:CAFE:20A::2/64 ipv6 mtu 1416 ipv6 eigrp 10 ipv6 hold-time eigrp 10 35 no ipv6 next-hop-self eigrp 10 no ipv6 split-horizon eigrp 10 ipv6 nhrp authentication CISCO ipv6 nhrp map 2001:DB8:CAFE:20A::1/64 172.16.1.1 ipv6 nhrp map multicast 172.16.1.1 ipv6 nhrp network-id 10 ipv6 nhrp holdtime 600 ipv6 nhrp nhs 2001:DB8:CAFE:20A::1 ipv6 nhrp shortcut tunnel source Serial1/0 tunnel mode gre multipoint tunnel key 10 tunnel protection ipsec profile SPOKE

Primary DMVPN Tunnel 2001:DB8:CAFE:20A::/64 Backup DMVPN Tunnel

2001:DB8:CAFE:20B::/64

WAN HE2

HE1

BR1-2

BR1-1


•  Spoke Configuration Example

127

interface Tunnel2 description to HUB no ip address ipv6 address 2001:DB8:CAFE:C5C0::B/127 ipv6 mtu 1400 no ipv6 redirects ipv6 nhrp authentication CISCO ipv6 nhrp network-id 100 ipv6 nhrp holdtime 300 ipv6 nhrp nhs 2001:DB8:CAFE:C5C0::A nbma 2001:DB8:CAFE:37::B multicast ipv6 nhrp shortcut ipv6 eigrp 10 tunnel source GigabitEthernet0/0 tunnel mode gre multipoint ipv6 tunnel key 100 tunnel protection ipsec profile SPOKE


IPv4 + IPv6

IPv4 + IPv6 IPv4 + IPv6

Native IPv6 Infrastructure CE BR

MAP MAP

Ingress IPv4 Traffic

Egress IPv4 Traffic

•  IPv4 follows IPv6 routing within a domain (traffic destined to another subscriber does not traverse the BR)

•  All other traffic sent via anycast to any MAP BR •  Forwarding is handled either by double translation (MAP-T) or

encapsulation (MAP-E)


•  Segment Routing Header: Segment List describes the path of the packet: list of segments (IPv6 addresses) Next Segment: a pointer to the segment list element identifying the next segment HMAC & Flags fields

•  The Active Segment is set as the DA of the packet, using the “Next Segment”

•  Segments are identified by IPv6 addresses, no specific signaling is needed An SR node can be a router, a server, any appliance, application, …

X A

F

C B

E

Y

G

D

PAYLOAD IPv6 Hdr: DA=Y, SA=X

H

IPv6 Hdr: DA=C, SA=X SR Hdr: SL= C, F, H, Y PAYLOAD

IPv6 Hdr: DA=F, SA=X SR Hdr: SL= C, F, H, Y PAYLOAD

IPv6 Hdr: DA=H, SA=X SR Hdr: SL= C, F, H, Y PAYLOAD

PAYLOAD IPv6 Hdr: DA=Y, SA=X



•  IPv4 Only Data Center – IPv6 Translation on the Front End

•  Dual Stack – Both IPv4 & IPv6 Into the Data Center

•  IPv6 Only Data Center – IPv4 Translation on the Front End

•  What is the Cost of Each Stage?


•  IPv4

•  Load Balancer inline

•  No translation in this design

•  Services are Firewalled

Internet Firewall Edge Router Load Balancer Switch Web, Email, Etc.

IPv4


•  Dual Stack Front End

•  Translation via NAT/Proxy/SLB

•  Easy to Turn Up

•  Hard to Move Forward

•  False Sense of Accomplishment

Firewall Edge Router Load Balancer Switch Web, Email, Etc.

NAT/Proxy/SLB

IPv4/IPv6 IPv4

Internet


•  IPv4 & IPv6 Addressing on All Devices

•  Incremental Operational Cost (~20%)

•  Double Everything (ACL’s, SLA’s, etc.)

•  Two Data Planes, Two Control Planes

•  Recommended Approach


IPv4/IPv6

Internet


•  Dual Stack Front End

•  Translation via NAT/Proxy/SLB

•  Forces Developers to use IPv6

•  Reduces Operational Costs

•  Eliminates Complexity within the DC

Load Balancer Switch Web, Email, Etc.

NAT/Proxy/SLB

IPv6 IPv4/IPv6


•  IPv4 Sailed Toward Sunset

•  Not Likely for a Very Long Time

•  Someday, Maybe Someday


IPv6

Internet


•  Large DCs with very dense hosts populations can cause severe performance problems on the control plane of switches due to IPv4 and IPv6 ‘control’ traffic

•  One size will not fit all, tuning will require experimentation

137

• NUD Reachable Time: ipv6 nd reachable-time time-in-milliseconds

• When using an FHRP, move from 30 sec (default) to 10 minutes • Scavenge and Refresh Timer: ipv6 nd cache expire time-in-seconds

• When using an FHRP, Use refresh in conjunction with NA glean

• Unsolicited NA Glean: ipv6 nd na glean • Create neighbor entries from unsolicited NA’s received from hosts

• Router Advertisements: ipv6 nd ra interval •  IOS = 200 Sec, NXOS = 600 Sec, router lifetime = 3x RA interval


•  Networks with dense hosts populations may have performance problems with the control plane (switches) due to IPv4 and IPv6 ‘control’ traffic

•  One size will not fit all, tuning will require experimentation

138

•  ND cache sizing - ipv6 nd cache interface-limit size [ log rate ] -  Limit the number of ND cache entries -  Don’t forget link-local addresses

•  NUD Reachable Time: ipv6 nd reachable-time time-in-milliseconds - When using an FHRP, move from 30 sec (default) to 10 minutes

•  Scavenge and Refresh Timer: ipv6 nd cache expire time-in-seconds - When using an FHRP, Use refresh in conjunction with NA glean

•  Unsolicited NA Glean: ipv6 nd na glean -  Create neighbor entries from unsolicited NA’s received from hosts

• Router Advertisements: ipv6 nd ra interval -  IOS = 200 Sec, NXOS = 600 Sec, router lifetime = 3x RA interval


•  Same configuration requirements and operation as with IPv4

•  Configure VRRP address to be the same as physical interface of “primary”


• Tunnel Protocol for Fiber Channel over an IP infrastructure • RFC 4404 – Entity Address Size IPv4 (4) or IPv6 (16) • MDS 9x00 Series

– out-of-order delivery, jumbo frames, traffic shaping, TCP optimization


• Replication Services, Disaster Recovery • Shared Assets and Resources • Overlay Transport Virtualization (OTV) – L2 Technologies Encapsulated in L3 – IPv6 Within OTV over IPv4 – Disable Optimized Multicast Forwarding (OMF) in IGMP snooping on OTV edge devices for IPv6 Solicited Node Multicast traffic to flow.

OTV Global Cloud


•  Hosts are ready Windows enabled by default, disabling it = no more support from Microsoft Mac OS X, iOS, Android, Linux, */BSD: enabled by default

•  File & Print No WINS or NetBios over IPv6 SMB on TCP 445

•  SQL Server IPv6 preferred Watch for v4 socket calls

•  Server 2008/R2 Needs Unified Access Server

•  Server 2012 Includes UAS, NAT64/DNS64


• Inconsistent API’s use of IPv6 Addresses •  Some functions expect a URL (must enclose with brackets for IPv6) •  Some functions expect just an IP (no bracket) • Data types, Headers, Structures, Sockets, oh my

• Know how your app displays or accepts an IPv6 address • 198.51.100.44:8080 à [2001:db8:café:64::26]:8080

• Home grown App’s may only support IPv4 • Pressure vendors to move to protocol agnostic framework • RFC 3493 – Open Socket Call, 64 bit structure align to HW • RFC 3542 – Raw Socket, ping, Traceroute, r commands


• May Need Radical Change – Disabling IPv4 Forces IPv6 Development

• Open Stack – Havana – Limited IPv6 Support, WP – Ice House – Neutron L3 Extension

• Application Centric Infrastructure (ACI) – Automates Network Resource Provisioning – On Demand Scale of Applications


IPv4 IPv6

A record:

Function IPv4 IPv6

Hostname to

IP Address

A Record www.abc.test. A 192.168.30.1

AAAA Record (Quad A) www.abc.test AAAA 2001:db8:C18:1::2

IP Address To

Hostname

PTR Record 1.30.168.192.in-addr.arpa. PTR www.abc.test.

PTR Record 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.

•  AAAA = easy, PTR = messy •  Add IPv6 address, create AAAA record in DNS zone •  Repeat for every name server from sub zones to parent zone •  Glue records, add an entry in DNS for the IP’s of your domains name servers



Application Support

Server Load Balancer

IPv6

IPv4

IPv6 Internet

Stateful NAT64

Client Visibility

IPv4

IPv6

IPv4 Internet

SW = Poor Performance

Proxy

IPv6

IPv4

IPv6 Internet


•  Translation Algorithms RFC 6052 (Implementation Details)

•  Framework for Translation RFC 6144 (Implementation Scenarios)

•  Stateless NAT64 RFC 6145 (IP/ICMP Translation Algorithm) Maps the Entire IPv4 Internet into IPv6 Prefix

•  Stateful NAT64 RFC 6146 (State Table for IPv4/IPv6 Translation) Used mainly where IPv6-only clients need to access IPv4 servers

•  DNS64 RFC 6147 (IPv6 Client to IPv4 Server)

Version IHL Type of Service Total Length

Identification Flags Fragment Offset

Time to Live Protocol Header Checksum

Source Address

Destination Address

Version Traffic Class Flow Label

Payload Length Next Header Hop Limit

Source Address

Destination Address


•  RFC 6144 8 Total Scenarios (4, 7, 8 are NA) 1, 2, 3 Involve Internet Connectivity 5 & 6 Are Focused on Intranet Connectivity

•  Stateless Translation Algorithmic Mapping Address Information & Translator Configuration Initiation from IPv4 or IPv6

•  Stateful Translation Uses a State Table for Translation Based on L3/L4 Tuples Generally Initiation is from IPv6

Scenarios Defined Version IHL Type of Service Total Length



Source Address

Destination Address



Source Address

Destination Address

IPv4 Internet

IPv4 Internet

IPv4 Network

IPv6 Network

IPv6 Network

IPv6 Internet

IPv6 Network

IPv4 Network

IPv4 Network

IPv6 Network

1

2

3

5

6


•  RFC 6145 1:1 Address Mapping

•  IP Header Fields Copy ToS to/from Traffic Class Id, Flags & Offset to/from EH 44 TTL to/from Hop Limit and Decrement Protocol to/from Next Header Checksum Computed IPv6 to IPv4

•  ICMP Header Fields Type Translated (IPv4 8, 0 to IPv6 128, 129) Pseudo Checksum for IPv6 (UDP as well)

Ideal for IPv6 Only Data Center

150




Source Address

Destination Address



Source Address

Destination Address

IPv4 Internet

IPv6 Network

IPv6 Network

IPv6 Network

IPv4 Network

IPv4 Network

IPv6 Network

1

2

5

6

IPv4 Internet


•  RFC 6146 Overload Address Mapping

•  TCP/UDP/ICMP Headers Form L4 Portion of State Tuple Pseudo Checksum for IPv6 Portion No Multicast, IPSec, etc.

•  MUST use DNS64 RFC 6147 Synthesis DNS Records AAAA to A

•  ALG’s May be Required

•  MTU Issues Possible

Ideal for IPv6 Only Networks Accessing IPv4

151




Source Address

Destination Address



Source Address

Destination Address

IPv4 Internet

IPv4 Internet

IPv4 Network

IPv6 Network

IPv6 Network

IPv6 Internet

IPv6 Network

IPv4 Network

IPv4 Network

IPv6 Network

1

2*

3

5

6*

*Use Static IPv6 to IPv4 Mappings


Step 1à IPv6 PC queries AAAA Record for v4 Server

2001:db8:122:344::6 DNS Server

192.168.90.101

192.0.2.0/24 2001:db8:122:344::/64

DNS64

DNS46

IPv6 PC

.1 ::2

ßStep 5 Translates it to a AAAA Record

AAAA Record A Record

AAAA Record

A Record

Network-Specific Prefix 3001::/96

Step 3à Translator Sends A Record for v4Server ßStep 2 DNS responds “empty” AAAA Record

ßStep 4 DNS Server responds A Record for IPv4Server


ßSource IPv6 3001::c000:221 Dest. IPv6 2001:db8:122:344::6

ßSource IPv4 192.0.2.33 Dest. IPv4 192.0.2.1

à Source IPv6 2001:db8:122:344::6 Dest. IPv6 3001::c000:221

Network-Specific Prefix 3001::/96

2001:db8:122:344::6 IPv4 Server 192.0.2.33

2001:db8:122:344::/64

Dynamic NAT64

Static NAT46

IPv6 PC

.1 ::2 192.0.2.0/24

àSource IPv4 192.0.2.1 Dest. IPv4 192.0.2.33


Citrix NetScaler

•  Virtual IP (VIP), SNAT Pool •  Publish Appropriate AAAA Record •  IPv6 to IPv4, Similar to NAT64 •  Translation & SLB are done on same platform

•  OS/App dictate design parameters •  Rapid Time to Deploy

ISP-A

Servers WWW

ISP-B

UCS Servers

Dual Stack

IPv4 Only


•  Web Server Logging for Geo Location, Analytics, Security, etc..

•  Source IP of client requests will be logged as the SNAT or other NAT’d address

•  Packet may go through multiple proxies X-Forwarded-For: client, proxy1, proxy2

GET / HTTP/1.1 Host: www.foo.org User-Agent: Mozilla Firefox/3.0.3 Accept: text/html,application/xhtml+xml,application/xml Accept-Language: en-us,en Keep-Alive: 300 x-forward-for: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5 Connection: keep-alive Servers

WWW

Global IPv6 Address ---Translation--- Source NAT Pool



Single Link Single ISP

Enterprise

ISP 1

Default Route

Dual Links Single ISP

ISP 1 POP1

POP2

Enterprise

Multi-Homed Multi-Prefix

Enterprise

ISP2

USA

ISP4

BGP

ISP3

ISP 1

Europe


•  Do you support dual stack peering? •  Do you have a separate (SLA) for IPv6? •  Do you support BGP peering over IPv6? •  Do you have a FULL IPV6 route table? •  What is the maximum prefix length?

•  What about DNS…

Hosted Cloud Service §  Maximum prefix length offered by the cloud provider? §  Access to provisioning and billing portal over IPv6? §  Global IPv6 addressing for VM’s in your environment?

ISP-A ISP-B

Routing

Switching

Services


•  Challenges Arise ‒ Upstream Address Filters ‒ Asymmetric Routing ‒ Default GW & NH Selection ‒ Provider Allocated ‒ Primary Provider & ASP Stream ‒ SOHO Tunneling, VPN

§  Medium to Large Enterprise ‒ Provider Independent ‒ BGP

ISP-A ASP-B


•  Solve for Ingress & Egress separately

•  Peer with IPv6 for IPv6 prefixes

•  MD5 shared secret’s, IPSec could be used

•  Controlling TTL, accepting >254 only (allow -1)

•  Prefix Size Filtering, /32 - /48

router bgp 200

bgp router-id 4.6.4.6

neighbor 2001:db8:café:102::2 remote-as 2014

neighbor 2001:db8:café:102::2 ttl-security hops 1

neighbor 2001:db8:café:102::2 password cisco4646

ISP A ISP B

Internet


•  Avoid Over Tuning BGP Longest Match, Highest Local-Pref, Shortest AS-Path Peer with IPv6, “no bgp default ipv4-unicast”

•  Split Your Allocation /44 = (2) /45’s AS Path prepend to prefer one ISP over the other

•  iBGP link Between Edge Routers is Required To avoid black hole. GRE, L3 VPN, MAN/WAN

•  Dynamic Routing Protocol or HSRP at FW When more than one Edge Router is used

•  eBGP Multi-hop to Core thru FW Increase Metrics, so that DCI Link is not Preferred

Multiple Locations, PI Prefix

161

ISP A ISP B

AS 64498

EIGRP 10

Subnets X,Y,Z Subnets A,B,C

AS 65535 AS 65534

Internet


ISP-A ISP-B •  Small to Medium Enterprise •  Swaps Left Most Bits of Address ‒ Equal length Prefix’s

•  Modification of RFC 6724 API or RFC 7078 •  Site scoped ULA connecting to GUA

•  No Protocol “fixups”, Unless ALG’s are Supported •  “IETF does not recommend the use of Network Address

Translation technology for IPv6” •  Consider reading RFC 7157, No NAT Multi-homing

FD07:18:403e::/48

2001:db8:11::/48 2001:db8:55::/48


•  Small to Medium Enterprise •  Tunneling the PA IPv6 over LISP ‒ Provider Allocated /48 ‒ Hosted by PxTR Provider

•  Avoids Multi Prefix PA Issues •  Possibly an ISP that is IPv4 Only •  SHIM6, HIP, ILNP etc. ‒ OS Mods, Code Change

Dual Stack Internet

MR/MS PxTR MR/MS PxTR

Client 172.16.99.100 2001:db8:ea5e:1::/64

2001:db8:cafe::/48

xTRs

192.168.1.x/30

2001:db8:cafe:103::/64

2001:db8:cafe::/48


•  Potential DoS with poor IPv6 stack implementations •  PadN in DO, covert channeling – RFC 2460 states a max of 5 bytes (0x00) •  IPv6 Inspection – Only known EH, strict order, granular filtering •  What constitutes an acceptable EH maximum?

Perfectly Valid IPv6 Packet According to the Sniffer

Routing Header out of order. DH should be last

Header Should Only Appear Once

Destination Header Which Should Occur at Most Twice

164


•  Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt

•  Anti-spoofing, Multi homed filtering (Edge Router)

•  Block HBH, RH type 0 (Edge Router)

•  uRPF – Unicast Reverse Path Forwarding (B2B)

Enterprise Internet

B2B

ipv6 access-list HBH

deny hbh any any

deny ipv6 any any routing-type 0

permit icmp any any

permit ipv6 any any


•  Address Range Source of 2000::/3 at minimum vs. “any”, permit assigned space

•  ICMPv6 Error types thru, NDP to, RFC 4890

•  Extension Headers Allow Fragmentation, others as needed. Block HBH & RH type 0

•  IPv6 ACL’s IPv6 traffic-filter – to apply ACL to an interface

permit icmp any any nd-na

permit icmp any any nd-ns

deny ipv6 any any log



•  Anycast Address for Client Access to DHCP/DNS •  Uses the same address in multiple locations •  Simple, Scalable and Reliable Solution •  Global Unicast Address (GUA) for Service Uptime •  DNS server injects /128 via OSPF DDI2

2001:db8:aa::21

2001:db8:aa::21

2001:db8:aa:: Cost 10

I pick DNS1 closest metric

2001:db8:aa:: Cost 30

2001:db8:aa:: Cost 20

DDI3 2001:db8:aa::21

DDI4 2001:db8:aa::21

Command &

Control

GUA

GUA

DDI1 2001:db8:aa::21


•  Managing security infrastructures: Firewall, IDS, SIEM

•  Tool visibility, insight and analysis of IPv6 traffic Netflowv9, IPv6 SLA

•  Dual Stack Interface may result in combined output MRTG reporting combined v4 and V6 traffic statistics.

•  Requires support in Instrumentation (MIB , Netflow records, etc.) NMS tools and systems Protocol Version Independent OID Mmgt

RFC’s 4292 & 4293

169 169


Stop probing the wrong path with “ping”

Trace the live traffic: Detect the flaky link!

!

Debug ECMP Networks

Simplify Operations

Always on app visibility

Enhance Applications

Charge level for battery-operated devices (sensors) included in data traffic: No need to drain

battery for OAM

R1

R2

R4

R5

R3 R6

Derive IPv6 Traffic Matrix

Optimize Planning

Delay Trend Analysis

Enhance Visibility

A trip-recorder for your traffic, inline at rate performance Uses iOAM extension header


A record AAAA record

ARP request

RA DHCP reply DNS reply


IPv6 toolkit HE.net Netalyzr LanDroid Netstat



•  Address Spoofing (-> uRPF, ACLs) [IOS, ASA]

•  Neighbor Discovery Attacks (NS,NA,RS,RA,REDIR..) (-> First Hop Security, RA Guard, ND Inspection, SeND, ACL, IPv6 Inspects) [Catalyst, ASA]

•  Routing Header (RH0) source routing like attacks (-> no ipv6 source route (before 12.4.(15)T, blocked on ASA by default ) [IOS, ASA]

•  Extention Header (e.g. Fragmentation) Games (-> ACLs e.g. deny ip any any undetermined-transport) [IOS, ASA, Catalyst]

•  DHCP Attacks (-> DHCP Authentication, PACL) [IOS, ASA, Catalyst]

•  Transition Technologies (6to4, Teredo, ISATAP, etc) Attacks (-> ACL, disabled on device, enable IPv6 ) [IOS, ASA, IPS]

•  Smurf Attack (-> uRPF) [IOS, ASA]

•  Routing Protocol Attacks (-> Authentication) [IOS,ASA]

•  … and more. To be continued… have fun defending them. J


© 2012 Cisco and/or its affiliates. All rights reserved. 176 A Phased-Plan Approach for Successful IPv6 Adoption

IPv6 Assessment Service •  Determine how your network needs to change to support your IPv6 strategy

IPv6 Discovery Service •  Guidance in the early stages of considering a transition to IPv6

IPv6 Planning and Design Service •  Designs, transition strategy, and support to enable a smooth migration

IPv6 Implementation Service •  Validation testing and implementation consulting services

Network Optimization Service •  Absorb, manage, and scale IPv6 in your environment


•  Gain Operational Experience now

•  Security enforcement is possible

•  Control IPv6 traffic as you would IPv4

•  “Poke” your Provider’s

•  IPv6 is here now are you?

177
