Upload
timothy-martin
View
830
Download
0
Tags:
Embed Size (px)
DESCRIPTION
IPv6 Workshop. From Intro to Intermediate, including Enterprise design considerations.
Citation preview
© 2012 Cisco and/or its affiliates. All rights reserved. 1
Cisco “Tech Session” Preparing for BYOD & the Internet of Everything, an IPv6 Workshop
Tim Martin
CCIE #2020
Solutions Architect
Spring 2014
© 2012 Cisco and/or its affiliates. All rights reserved. 2
• BYOD and the Internet of Everything • IPv6 Addressing Deep Dive • IPv6 Design Considerations • IPv6 Campus Design • IPv6 Data Center Transitions • IPv6 Translation Techniques • IPv6 Internet Edge Design • Summary
© 2012 Cisco and/or its affiliates. All rights reserved. 3
89%
10%
1% 23%
36%
26% 75%
22%
Desktops Smart Phones Tablets • Boomers are retiring, GenX is “tech savvy”, GenY is “tech dependent”
• 2016 GenY (the millennia's (18-34)) become the largest workforce segment
• 43% of 18-24 year-olds say that texting is just as meaningful as a phone conversation -eMarketer
• 40% of GenY believe that blogging about workplace issues is acceptable –Iconoculture
• 24% of GenY say that technology use is what makes their generation unique -Pew Research
• 74% of GenY used a smartphone for work purposes in the last year, compared to 37 percent of Baby Boomers -CompTIA
© 2012 Cisco and/or its affiliates. All rights reserved. 4 4
© 2012 Cisco and/or its affiliates. All rights reserved. 5
National IPv6 Strategies STEM
IPv6
IPv4 Address Depletion
Infrastructure Evolution IPv6 OS, Content & Applications
2011
• Eliminate Complexities Associated with RFC 1918, NAT, ALG’s, CIDR
Mandate
Pref. by App’s in W7, S2008, OSX 4G, DOCSIS 3.0, CGN
© 2012 Cisco and/or its affiliates. All rights reserved. 6
• Early Adopters, from ~2001-2005 (6bone) • Chasm, Refinement from 2005-2009 (Tunneling) • Early Majority, Launch June 2012 (Transitioning)
© 2012 Cisco and/or its affiliates. All rights reserved. 7
§ Standards - Leadership in IP protocols within IETF & IPv6 development
§ Experience - Professional Services offering years of experience in IPv6
§ Solutions - Innovation, Feature Acceleration
© 2012 Cisco and/or its affiliates. All rights reserved. 8
© 2012 Cisco and/or its affiliates. All rights reserved. 9
© 2012 Cisco and/or its affiliates. All rights reserved. 10
340,282,366,920,938,463,374,607,432,768,211,456 (IPv6 Address Space - 340 undecillion, 282 decillion, 366 nonillion, 920 octillion, 938 septillion, 463 sextillion, 463 quintillion, 374 quadrillion, 607 trillion, 431 billion, 768 million, 211 thousand and 456
vs 4,294,967,296 (IPv4 Address Space - 4 Billion)
• Lot’s of talk about how big, it’s BIG, do NOT worry about waste
• Each /64 prefix contains 18 Quintillion host address’s (18,446,744,073,709,551,616)
• Theoretical vs. Practical deployment, still not an issue
Antares 15th Brightest star in the sky
Our Sun
© 2012 Cisco and/or its affiliates. All rights reserved. 11
• IPv6 has a specific Ethernet Protocol ID • IPv6 relies heavily on Multicast
Destination Ethernet Address!
Source Ethernet Address!
0x0800!!
IPv4 Header and Payload!
Destination Ethernet Address!
Source Ethernet Address!
0x86DD!!
IPv6 Header and Payload!
xx 33 33 xx xx xx
I bit = Local Admin, L bit = Multicast/Broadcast
0000 00IL
© 2012 Cisco and/or its affiliates. All rights reserved. 12
Fragment Offset Flags
Total Length Type of Service IHL
Padding Options Destination Address
Source Address
Header Checksum Protocol Time to Live
Identification
Version
IPv4 Header (20-60)
Next Header Hop Limit
Flow Label Traffic Class
Destination Address
Source Address
Payload Length
Version
IPv6 Header (40)
• Length is constant in IPv6 • Fragmentation occurs in (EH)
• Option’s occur in (EH) • UDP must have valid Checksum, unlike v4.
• Upper layer checksums use the Pseudo Header format: SRC/DST Addr + Next Header
© 2012 Cisco and/or its affiliates. All rights reserved. 13
Extension Header * Type Hop-by-Hop Options 0
Routing Header 43
Destination Options 60
Fragment Header 44
ESP Header 50
Authentication Header 51
Mobility Header 135
Shim6 140
Experimental 253,254
No Next Header 59
IPv6 Header Hop-by-Hop Destination Opt TCP Header Payload
• EH are daisy chained, processed in order • Length is variable, must be on 8 byte boundary, typically 24 bytes • If HbH is present, must be first, must be processed, likely in SW
© 2012 Cisco and/or its affiliates. All rights reserved. 14
Type Code Data
Checksum
• Neighbor Discovery, Router Discovery, Path MTU Discovery and (MLD) Type – (1-127) = Error Messages, (128-255) = Informational Messages Code – More Granularity within the Type Checksum – computed over the entire ICMPv6 Data - Original Header Return (8 bytes), then fill to Min MTU (1280)
58
1 Destination Unreachable
2 Packet Too Big
3 Time Exceeded
4 Parameter Problem ICMPv6 Header
Next Header *58, not 1 (ICMP)
© 2012 Cisco and/or its affiliates. All rights reserved. 15
• Will break ICMP error message rule (by responding for Multicast)
• Must set ALL interfaces to 1280 MTU if you disallow PTB at your FW Source Destination Link
MTU 1500 MTU 1500 MTU 1400 MTU 1300
Packet, MTU=1500
ICMPv6 Packet Too Big, Use MTU=1400
Packet, MTU=1400
ICMPv6 Type 2 PTB, Use MTU=1300
Packet, MTU=1300
© 2012 Cisco and/or its affiliates. All rights reserved. 16
IPv6 Address Family
Multicast Anycast Unicast
Assigned Solicited Node
Unique Local Link Local Global Special Embedded
*IPv6 does not use broadcast addressing
Well Known Temp
© 2012 Cisco and/or its affiliates. All rights reserved. 17
• IPv6 addresses are 128 bits long Segmented into 8 groups of 16 bits separated by (:) 32 HEX characters – CAsE DoEs not mAttEr • It’s a Prefix, not a mask, • Word, Group or Quad..
Host Id
:HHHH:HHHH:HHHH:HHHH Host Portion
Subnet Id
SSSS Global Routing Prefix
NNNN:NNNN:NNNN:
Network Portion
2001:0DB8:1010: : :0000:0000:0000:1E2A 00A4
© 2012 Cisco and/or its affiliates. All rights reserved. 18 18
• Recommended Alloca,ons • Consumer, SMB /56 /60 /64 • Municipal Government, Enterprise, Single AS /48 • State Governments, Universi,es (LIR) /32 /36 /40 /44 /48
• Addressing Plan, Site Count • IPv4 Allocation, Multi-homed ISP • Point of Contact, Org ID • Submit, Verify • Review, Officer Certification • Approval, Fees Paid, Assignment
Registries
Level Four Entity
IANA
ISP Org
PA
/48
2000::/3
/12
/32
2000::/3
/48
/12
PI
/32 ARIN
© 2012 Cisco and/or its affiliates. All rights reserved. 19
• Leading 0’s can be omitted
• The double colon (::) can appear only once
2001:0DB8:0000: :0000:0000:0000:1E2A 00A4 Full Format
2001:DB8:0: :0:0:0:1E2A A4 Abbreviated Formats
2001:DB8:0: ::1E2A A4
© 2012 Cisco and/or its affiliates. All rights reserved. 20
Link-Local – Non routable exists on single layer 2 domain (FE80::/64) FE80:0000:0000:0000
:: xxxx:xxxx:xxxx:xxxx
FC0g:gggg:gggg: xxxx:xxxx:xxxx:xxxx ssss:
FD0g:gggg:gggg: xxxx:xxxx:xxxx:xxxx ssss:
Unique-Local – Routable within administrative domain (FC00::/7)
2000:NNNN:NNNN HHHH:HHHH:HHHH:HHHH Global – Routable across the Internet (2000::/3)
:SSSS:
3FFF:NNNN:NNNN HHHH:HHHH:HHHH:HHHH :SSSS:
© 2012 Cisco and/or its affiliates. All rights reserved. 21
Similar to IPv4 New in IPv6
Manually configured StateLess Address AutoConfiguration SLAAC EUI64
SLAAC Privacy Addressing
Assigned via DHCPv6
*Secure Neighbor Discovery SeND
© 2012 Cisco and/or its affiliates. All rights reserved. 22
00 90 27 FF FE 17 FC 0F
OUI Device Identifier
00 90 27 17 FC 0F
02 90 27 FF FE 17 FC 0F
0000 00U0 U= 1 = Universel/unique
0 = Local/not unique U bit must be flipped
FF FE 00 90 27 17 FC 0F
© 2012 Cisco and/or its affiliates. All rights reserved. 23
• Generated on unique 802 using MD5, then stored for next iteration • Enabled by default in Windows, Android, iOS, Mac OS/X, Linux • Temporary or Ephemeral addresses for client application (web browser)
Recommendation: Good for the mobile user, but not for your organization/corporate networks (Troubleshooting and accountability)
23
2001 DB8
/32 /48 /64
Random Generated Interface ID 0000 1234
© 2012 Cisco and/or its affiliates. All rights reserved. 24
DHCP Messages IPv4 IPv6
Initial Message Exchange 4-way handshake 4-way handshake
Message Types Broadcast, Unicast Multicast, Unicast
Client à Server (1) DISCOVER SOLICIT (any servers)
Server à Client (2) OFFER ADVERTISE (want this address)
Client à Server (3) REQUEST REQUEST (I want that address)
Server à Client (4) ACK REPLY (It’s yours)
• Digital Millennium Copyright Act (DMCA), HIPAA (health), PCI (credit card) • FF02::1:2 = All DHCP Agents (servers or relays, Link-local scope) • FF05::1:3 = All DHCP Servers (Site-local scope) • Clients listen on UDP port 546; Servers/relays on UDP port 547 • Rapid Commit, 2 packet exchange. Solicit/Reply, client sets for options • ipv6 dhcp relay destination replaces ip helper address
© 2012 Cisco and/or its affiliates. All rights reserved. 25
• Always uses Link Local (FE80::/64) as its source
• Maps Layer 3 IPv6 address to Layer 2 MAC address
• LINK OPERATIONS (control plane) • Neighbor discovery messages
• Router solicitation (ICMPv6 type 133) • Router advertisement (ICMPv6 type 134) • Neighbor solicitation (ICMPv6 type 135) • Neighbor advertisement (ICMPv6 type 136) • Redirect (ICMPV6 type 137)
IPv4 IPv6 ARP Request Neighbor Solicitation
Broadcast Solicited Node Multicast
ARP Reply Neighbor Advertisement
Unicast Unicast
NDP
RA RS
NS NA Redirects
NUD DAD
IPv6
© 2012 Cisco and/or its affiliates. All rights reserved. 26
• Router solicitations (RS) are sent by nodes at bootup
• Host needs an RA to finish building it’s Address’s
RS
ICMP Type 133 IPv6 Source FE80::A IPv6 Destination FF02::2 Option 1 SRC Link Layer Address
RA
ICMP Type 134 IPv6 Source FE80::2
IPv6 Destination FE80::A Data Options, subnet prefix,
lifetime, autoconfig flag
RS RA
A
© 2012 Cisco and/or its affiliates. All rights reserved. 27
• M-Flag – Stateful DHCPv6 to acquire IPv6 address
• O-Flag – Stateless DHCPv6 in addition to SLAAC
• H-Flag – Mobile IP home agent
• Preference Bits – Low, Med, High
• Router Lifetime – Must be >0 for Default
• Options - Prefix Information, Length, Flags
• L bit – Only way a host get a On Link Prefix
• A bit – Set to 0 for DHCP to work properly
Type: 134 (RA) Code: 0 Checksum: 0xff78 [correct] Cur hop limit: 64 ∞ Flags: 0x84 1… …. = Managed (M flag) .0.. …. = Not other (O flag) ..0. …. = Not Home (H flag) …0 1… = Router pref: High Router lifetime: (s)1800 Reachable time: (ms) 3600000 Retrans timer: 1000 ICMPv6 Option 3 (Prefix Info) Prefix length: 64 ∞ Flags: 0x80 1… …. = On link (L Bit) .1.. …. = No Auto (A Bit) Prefix: 2001:0db8:4646:1234::/64
RA
type = 134 code = 0 checksum hop limit M|O|H|pref router lifetime
reachable time retransmit timer options (variable)
© 2012 Cisco and/or its affiliates. All rights reserved. 28
• Enable DHCPv6 via the M flag • Disable auto configuration via the A bit in option 3 • Enable Router preference to high • Enable DHCPv6 relay
interface fastEthernet 0/0 ipv6 address 2001:db8:1122:acc1::/64 eui-64 ipv6 nd managed-config-flag ipv6 nd prefix default no-autoconfig ipv6 nd router-preference high ipv6 dhcp relay destination 2001:db8:add:café::1
© 2012 Cisco and/or its affiliates. All rights reserved. 29
IPv4 IPv6
A record:
Function IPv4 IPv6
Hostname to
IP Address
A Record www.abc.test. A 192.168.30.1
AAAA Record (Quad A) www.abc.test AAAA 2001:db8:C18:1::2
IP Address To
Hostname
PTR Record 1.30.168.192.in-addr.arpa. PTR www.abc.test.
PTR Record 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.
DNSServer!
2001:db8:1::1!
IPv4 IPv6
IPv4
IPv6
192.168.0.3!
www IN A 192.168.0.3 www IN AAAA 2001:db8:1::1
• AAAA = easy, PTR = messy!• Draft RFC 6106, RA Option 25!• We need content..!
© 2012 Cisco and/or its affiliates. All rights reserved. 30
Node A can start using address A
B A C
• ICMPv6 runs on top of IPv6, etype = 86DD, Layer 3.14 :’)
• Probe neighbors to verify address uniqueness
ICMP Type 135 NS IPv6 Source UNSPEC = ::
IPv6 Dest. A Solicited Node Multicast FF02::1:FF00:A
Data FE80::A Query Anyone using A?
NS
© 2012 Cisco and/or its affiliates. All rights reserved. 31
• For each Unicast and Anycast address configured there is a corresponding solicited-node multicast
• Solicited-node multicast consists of FF02::1:FF/104 {lower 24 bits from IPv6 Unicast interface ID}
FF02 0000 0000 0000 0000 0001 FFBC FC0F
FE80 0000 0000 0000 1234 5678 9ABC FC0F
33 33 BC FC 0F FF Ethernet Multicast Uses last 32 bits
© 2012 Cisco and/or its affiliates. All rights reserved. 32
R1#sh ipv6 int e0 Ethernet0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18 Global unicast address(es):
2001:DB8:0:1234::1 subnet is 2001:DB8:0:1234::/64 Joined group address(es): FF02::1 FF02::2 FF02::1:FF00:1 FF02::1:FF3A:8B18 MTU is 1500 bytes ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND router advertisements are sent every 200 seconds *If EUI format is used then the 1rst solicited node mcast addr is used for both the LL & GU
Solicited-Node Multicast Address*
© 2012 Cisco and/or its affiliates. All rights reserved. 33
A! B!
ICMP Type 135 NS IPv6 Source FE80::A
IPv6 Destination B Solicited Node Multicast FF02::1:FF00:B
Target Address 2001:db8:1:46::B Code 0 (need link layer) Query What is B link layer
address?
ICMP Type 136 NA IPv6 Source FE80::B
IPv6 Destination FE80::A Target Type 2
Data Link Layer address of B *Flags R = Router
S = Response to Solicitation O = Override cache information
NS NA
• ARP replacement, Map’s L3 to L2.
• Node B will add node A to it’s neighbor cache during this process w/o sending NS
• Multicast for resolution (new), Unicast for reachability (cache)
© 2012 Cisco and/or its affiliates. All rights reserved. 34
Neighbors are only considered “reachable” for 30-seconds. “Stale” indicates that, we MAY need to send a NS packet.
© 2012 Cisco and/or its affiliates. All rights reserved. 35
2001:db8:C18:2::/64
R1 R2 A B
Packet
IPv6 Source B IPv6 Dest. 2001:db8:c18:2::1 ULP variable
Redirect
ICMP Type 137 IPv6 Source Link Local (R2) IPv6 Dest. B Data Use Link Local (R1)
Redirect Packet
• Cannot be used if destination is multicast
• Hosts should not send redirects
• Should be turned off on routed links
© 2012 Cisco and/or its affiliates. All rights reserved. 36
• Prefix FF00::/8 8-bit 4-bit 4-bit 112-bit
1111 1111 0 R P T Scope Variable format
Flags
O Reserved
R = 0 R = 1
No embedded RP Embedded RP
P = 0 P = 1
Without Prefix Address based on Prefix
T = 0 T = 1
Well Known Address (IANA assigned) Temporary address (local assigned)
Scope 1 Node
2 Link
3 Subnet
4 Admin
5 Site
8 Organization
E Global
© 2012 Cisco and/or its affiliates. All rights reserved. 37
Address Scope Meaning FF01::1 Node-Local This Node
FF05::2 Site-Local All Routers
FF02::1 Link-Local All Nodes
FF02::2 Link-Local All Routers
FF02::5 Link-Local OSPFv3 Routers
FF02::6 Link-Local OSPFv3 DR Routers
FF02::9 Link-Local RIPng
• FF02, is a permanent address and has link scope
• Link Operations, Routing Protocols, Streaming Services
© 2012 Cisco and/or its affiliates. All rights reserved. 38
• MLD uses LL source addresses
• 3 msg types: Query, Report, Done
• MLD packets use “Router Alert” in HBH
• MLDv1 = (*,G) shared, MLDv2 = (S,G) source
MLD snooping
MLD IGMP Message Type
ICMPv6 Type Function
MLDv1 (RFC2710) IGMPv2 (RFC 2236) Listener Query
Listener Report
Listener Done
130
131
132
Used to find out if there are any multicast listeners
Response to a query, joins a group
Sent by node to report it has stopped listening
MLDv2 (RFC 3810) IGMPv3 (RFC 3376) Listener Query
Listener Report
130
143
Used to find out if there are any multicast listeners
Enhanced reporting, multiple groups and sources
© 2012 Cisco and/or its affiliates. All rights reserved. 39
• Hosts send MLD report to alert router they wish to join a multicast group
• Router then joins the tree to the source or RP
MLD Report (A)
ICMP Type 131
IPv6 Source fe80::209:5bff:fe08:a674
IPv6 Destination FF38::276
Hop Limit 1
Group Address ff38::276
Hop-by-Hop Header
Router Alert Yes
MLD Report
A MLD Report
B I wish to receive
ff38::276 I wish to receive
ff38::276
MLD Report (B)
ICMP Type 131
IPv6 Source fe80::250:8bff:fE55:78de
IPv6 Destination FF38::276
Hop Limit 1
Group Address ff38::276
Hop-by-Hop Header
Router Alert Yes
(S, G)
Source for multicast ff38::276
fe80::209:5bff:fe08:a674 fe80::250:8bff:fE55:78de fe80::207:85ff:fe80:692
© 2012 Cisco and/or its affiliates. All rights reserved. 40
MLD Done (A)
ICMP Type 132
IPv6 Source fe80::209:5bff:fe08:a674
IPv6 Destination FF02::2 (All routers)
Hop Limit 1
Group Address ff38::276
Hop-by-Hop Header
Router Alert Yes
MLD Done (A)
A
fe80::209:5bff:fe08:a674 MLD Report (B)
B
fe80::250:8bff:fE55:78de
I wish to leave ff38::276
I am watching ff38::276
MLD Query (C)
ICMP Type 130
IPv6 Source fe80::207:85ff:fe80:692
IPv6 Destination FF38::276
Hop Limit 1
Hop-by-Hop Header
Router Alert Yes
Query (C
)
fe80::207:85ff:fe80:692
C MLD Report (B)
ICMP Type 131
IPv6 Source fe80::250:8bff:fE55:78de
IPv6 Destination FF38::276
Hop Limit 1
Group Address ff38::276
Hop-by-Hop Header
Router Alert Yes
© 2012 Cisco and/or its affiliates. All rights reserved. 41
MLD Report (A)
ICMP Type 143
IPv6 Source fe80::209:5bff:fe08:a674
IPv6 Destination FF02::16
Hop Limit 1
# of Records Include/exclude
Group Address FF38::4000:BA11
Hop-by-Hop Header
Router Alert Yes
MLD Report
A I wish to receive FF38:4000:BA11
(S, G)
Source for multicast FF38::4000:BA11
fe80::209:5bff:fe08:a674
© 2012 Cisco and/or its affiliates. All rights reserved. 42
• General Query FF02::1 Group list empty, who’s listening?
• Group Specific Query FF38::4000:BA11 Anyone still interested in this stream?
• Group & Source Specific Query 2001:DB8:CAFÉ::1, FF38::4000:BA11
• Filter Mode, Change Record
• Multiple routers on link Lowest address value assumes Querier role
A Q
uery
Source for multicast FF38::4000:BA11
© 2012 Cisco and/or its affiliates. All rights reserved. 43
• Loopback 0:0:0:0:0:0:0:1=> ::1
• Unspecified address 0:0:0:0:0:0:0:0=> 0::0 => :: => ::/128
• Documentation Prefix 2001:0DB8::/32
• Discard Prefix 0100::/64
• 6to4 Automatic Tunneling 2002::/16
• Default Route ::/0
© 2012 Cisco and/or its affiliates. All rights reserved. 44
• IPv4 Compatible 0:0:0:0:0:0.A.B.C.D/96 0:0:0:0:0:0.192.168.30.1 ::C0A8:1E01 Used by IPv6 aware devices, now deprecated
• IPv4 Mapped 0:0:0:0:0:FFFF.A.B.C.D/96 0:0:0:0:0:FFFF.192.168.30.1 ::FFFF:C0A8:1E01
Used in automatic tunneling by device with no IPv6 knowledge
IPv4
IPv6 Internet
IPv6 Network
© 2012 Cisco and/or its affiliates. All rights reserved. 45
Windows 7, Mac OSX use pseudo random by default. iPad & iPhone generate a new temporary address per association
C:\Documents and Settings\>netsh netsh>interface ipv6 netsh interface ipv6>show address Querying active state... Interface 5: Local Area Connection Addr Type DAD State Valid Life Pref. Life Address --------- ---------- ------------ ------------ ----------------------------- Public Preferred 29d23h58m25s 6d23h58m25s 2001:0db8:2301:1:202:8a49:41ad:a136 Temporary Preferred 6d21h48m47s 21h46m 2001:0db8:2301:1:bd86:eac2:f5f1:39c1 Link Preferred infinite infinite fe80::202:8a49:41ad:a136 netsh interface ipv6>show route Querying active state... Publish Type Met Prefix Idx Gateway/Interface Name ------- -------- ---- ------------------------ --- --------------------- no Autoconf 8 2001:0db8:2301:1::/64 5 Local Area Connection no Autoconf 256 ::/0 5 fe80::20d:bdff:fe87:f6f9
© 2012 Cisco and/or its affiliates. All rights reserved. 46
© 2012 Cisco and/or its affiliates. All rights reserved. 47
Distribution Layer
Access Layer
Core Layer
Aggregation Layer (DC)
Access Layer (DC)
IPv6/IPv4 Dual-stack
Server
IPv6/IPv4 Dual-stack Hosts
Data Center Block
Access Block
• Leverages existing IPv4 infrastructure • Allows “slower” roll into IPv6 deployment • Poor scalability and overall performance, no Multicast support • Tunneling everywhere, “flattens” the network you have built
© 2012 Cisco and/or its affiliates. All rights reserved. 48
ISATAP IPv6 Service Block
DA
Data Center Block
WAN/ISP Block
Access Layer
Dist. Layer
Core Layer
IPv4-only Campus Block
Server Internet
• Provides tighter control of where IPv6 is deployed • Allows for reduced time to deliver IPv6 services • Cost of SB equipment and it’s reuse in the network • Eventually hits scalability and overall performance, no Multicast support
© 2012 Cisco and/or its affiliates. All rights reserved. 49
Distribution Layer
Access Layer
Core Layer
Aggregation Layer (DC)
Access Layer (DC)
IPv6/IPv4 Dual-stack
Server
IPv6/IPv4 Dual-stack Hosts
Data Center Block
Access Block
49
• Preferred Method, Versatile, Scalable and Highest Performance • No Dependency on IPv4, runs in parallel on dedicated HW • No tunneling, NAT or other performance degrading technologies • Does require IPv6 support on all devices
© 2012 Cisco and/or its affiliates. All rights reserved. 50
• Should we use both on the same link at Layer 3? • Separate links, possibly to collect protocol specific statistics • Routing protocols OSPFv3, EIGRP combined or separate? • Fate sharing between the data and control planes per protocol
OSPFv3
EIGRP
Internet
2001:db8:1:1::/64 198.51.100.0/24
IPv4 & IPv6
IPv4 & IPv6
2001:db8:6:6::/64 192.168.4.0/24
© 2012 Cisco and/or its affiliates. All rights reserved. 51
• Topology hiding, Interfaces cannot be seen by off link devices • Reduces routing table prefix count, Less configuration • Need to use ULA or GUA for management and troubleshooting • What about DNS?, WAN connections and more
WAN/MAN
Internet FE80::/64
FE80::/64
ULA/GUA
FE80::/64
ULA/GUA
ULA/GUA
ULA/GUA
ULA/GUA
© 2012 Cisco and/or its affiliates. All rights reserved. 52
Corporate Backbone Branch 2
ULA Space FD9C:58ED:7D73::/48 Global – 2001:DB8:CAFE::/48
Internet
FD9C:58ED:7D73:3000::/64 2001:DB8:CAFE:3000::/64
FD9C:58ED:7D73::2::/64 2001:DB8:CAFE:2::/64
Global
2001:DB8:CAFE::/48
• Both ULA and Global are used except for Internal only hosts • Semi random generator requires non sequential /48’s, avoid M&A challenges • Need to use Global for troubleshooting beyond the internal network • Multiple policies to maintain (ACL, QoS, Routing, etc..)
© 2012 Cisco and/or its affiliates. All rights reserved. 53
• Today, NAT44 & RFC1918 • All PA or all PI and peering in multiple regions
PI from one region and run it everywhere? ISP in one region reject PI block from another? What about translation?
• IETF does NOT recommend the use of NAT66 w/IPv6
• NAT ≠ Firewall – RFC 4864 (Local Network Protection)
• NAT ≠ Firewall – RFC 7021 (Impact of CGN on Applications)
Firewall+NAT Internet
Some enterprises are getting a prefix per RIR and only deploying one.
Building backup plans with the others
© 2012 Cisco and/or its affiliates. All rights reserved. 54
• /64 everywhere a host
• /127 Point to Point Should not use all 0’s or 1’s in the host portion Nodes 1&2 are not in the same subnet
• /128 Loopback out of a single /64 as a design option
• /64, /64, /64
Pt 2 Pt /127
WAN
Core /64 or /127
Servers /64
Hosts /64
Loopback /128
© 2012 Cisco and/or its affiliates. All rights reserved. 55
• Scope, Preferred over Deprecated, Native over Transitional, Temporary over Public • Must support application override API, Choice of v6 over v4 is application dependent • Give IPv6 300ms Head Start Pv6/IPv4 Lookup & Connect Retrieve and Display
Application Layer
TCP/UDP
IPv6 IPv4
Network Interface Card
NCSI – Network Connection Status Indicator
Temporary Preferred 2001:0db8:2301:1:bd86:eac2:f5f1:39c1 Public Preferred 2001:0db8:2301:1:202:8a34:bead:a136 Link Preferred fe80::202:8a34:bead:a136
RFC 6555
© 2012 Cisco and/or its affiliates. All rights reserved. 56
© 2012 Cisco and/or its affiliates. All rights reserved. 57
• Many similarities with HSRP for IPv4 from design perspective (odd/even prefix) • Changes occur in Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects • Virtual MAC derived from HSRP group number and virtual IPv6 link-local address • Layer 2 - 0005.73A0.0000-0F0F à 3333.0000.0066 • Layer 3 – FE80::/64 à FF02::66 • Layer 4 – UDP port 2029 (HSRPv6)
interface FastEthernet0/1
ipv6 address 2001:DB8:66:67::2/64
standby version 2
standby 2 ipv6 autoconfig
standby 2 timers msec 250 msec 800
standby 2 preempt
standby 2 preempt delay minimum 180
standby 2 authentication cisco
HSRP Standby
HSRP Active
Unix Host with GW of VIP unixhost# route -A inet6 | grep ::/0 | grep eth2 ::/0 fe80::5:73ff:fea0:1
© 2012 Cisco and/or its affiliates. All rights reserved. 58
• Provides weighted or ~= load balancing across resources • Modification to NA, default GW is announced via RA using vmac • AVG assigns Vmac’s and responds to NDP, directing hosts to the AVF’s • Layer 2 – 0007.B4xx.xx08 à 3333.0000.0066 • Layer 3 – FE80::/64 à FF02::0100:5E00:66 • Layer 4 – UDP port 3222 (GLBPv6)
interface fastethernet0/0
ipv6 address 2001:db8::/64 eui-64
glbp 8 ipv6 2001:db8::D38:C677:2925:8
glbp 8 priority 110
glbp 8 preempt
glbp 8 load-balancing weighted
glbp 8 weighting 110 lower 95 upper 105
glbp 8 authentication md5 key-string 7 cisco
58
GLBP 8 AVF
GLBP 8 AVG AVF
© 2012 Cisco and/or its affiliates. All rights reserved. 59
• IPv4 syntax has used “ip” following match/set statements Example: match ip dscp, set ip dscp
• New match criteria match dscp match precedence
• New set criteria set dscp set precedence
• Modification to support IPv6 and IPv4
Data Voice
Video Internet
© 2012 Cisco and/or its affiliates. All rights reserved. 60
• Apple (Bonjour) has a light weight approach, adopted quicker
• FF02::FB – Multicast DNS – mDNS
• Microsoft (Rally) has a more robust, heavier implementation, has moved slower
• FF02::C – Simple Service Discovery Protocol – SSDP, UPnP
• FF02::1:3 – Link Local Multicast Name Resolution – LLMNR (File Sharing enabled)
Personal Computer Operating Systems • Windows • Mac OS X • Linux
Appliances & Networking • Printers • Access Points • Switches • Routers
AV Equipment • Speakers • Cameras • Displays • AV Receivers
© 2012 Cisco and/or its affiliates. All rights reserved. 61
IPv6 Snooping
IPv6 FHS RA
Guard DHCPv6 Guard
Source/Prefix Guard
Destination Guard
Protection: • Rouge or
malicious RA • MiM attacks
Protection: • Invalid DHCP
Offers • DoS attacks • MiM attacks
Protection: • Invalid source
address • Invalid prefix • Source address
spoofing
Protection: • DoS attacks • Scanning • Invalid
destination address
RA Throttler
ND Multicast Suppress
Reduces: • Control traffic
necessary for proper link operations to improve performance
Core Features Advance Features Scalability & Performance
Facilitates: • Scale
converting multicast traffic to unicast
© 2012 Cisco and/or its affiliates. All rights reserved. 62
• Admin/Intern sends RA’s with false prefix • Enthusiast who has a tunnel broker account • The most frequent threat by non-malicious user
B
Src = C link-local address Dst = All-nodes Options = prefix BAD
RA
A C
© 2012 Cisco and/or its affiliates. All rights reserved. 63
• Attacker hacks any victim's DAD attempts
• Victim will need manual intervention to configure IP address
Src = UNSPEC Dst = Solicited-node multicast A Data = A Query = Does anybody use A?
Src = any C’s IF address Dst = A Option = link-layer address of C
A B
NS
NA
C
© 2012 Cisco and/or its affiliates. All rights reserved. 64
• Flooding RA’s overwhelms the system, OSX, MSFT, ipad/phone, Android
B RA, prefix BAD1
A 2 3 5
RA, prefix BAD2 RA, prefix BAD3 RA, prefix BAD4 RA, prefix BAD5 RA, prefix BAD6
C
Update: MSFT Addresses Vulnerability in IPv6 Could Allow Denial of Service (2904659) Published: Tuesday, February 11, 2014
© 2012 Cisco and/or its affiliates. All rights reserved. 65
• Attacker spoofs Router Advertisement with false on-link prefix • MITM, Splash Screen, Capture
B
Src = B’s link-local address Dst = All-nodes Options = prefix BAD
RA
A C
© 2012 Cisco and/or its affiliates. All rights reserved. 66
• Port ACL blocks all ICMPv6 RA from hosts interface FastEthernet0/2
ipv6 traffic-filter ACCESS_PORT in
deny icmp any any router-advertisement
• RA-guard lite (12.2(33)SXI4 & 12.2(54)SG ): also dropping all RA received on this port
interface FastEthernet0/2
ipv6 nd raguard
access-group mode prefer port
• RA-guard (12.2(50)SY, 15.0(2)SE)
ipv6 nd raguard policy HOST device-role host
ipv6 nd raguard policy ROUTER device-role router
ipv6 nd raguard attach-policy HOST vlan 100
interface FastEthernet0/0
ipv6 nd raguard attach-policy ROUTER
HOST Device-role
RA
RA
RA
RA
RA
ROUTER Device-role
© 2012 Cisco and/or its affiliates. All rights reserved. 67
Prevent Rogue DHCP responses from misleading the client
Before DHCP Guard After DHCP Guard
Host First Hop Switch Host First Hop Switch
DHCP Server DHCP Server
I am a DHCP Server
DHCP Req. DHCP Req.
I am a DHCP Server
© 2012 Cisco and/or its affiliates. All rights reserved. 68
• Deep control packet Inspection • Address Glean (ND , DHCP, data) • Address watch • Binding Guard
Instrumental link-operation security feature that analyzes control/data switch traffic, detect IP address, and store/update them in Binding Table to ensure rogue users cannot spoof or steal addresses.
Intf IPv6 MAC VLAN State
g1/0/10 ::000A 001A 110 Active
g1/0/11 ::001C 001C 110 Stale
g1/0/16 ::001E 001E 200 Verifying
IPv6 Binding Table (RFC6620)
IPv6 Source Guard
IPv6 Destination
Guard Device Tracking
© 2012 Cisco and/or its affiliates. All rights reserved. 69
Host A First Hop Switch Host A First Hop Switch
Mitigates Address High Jacking, Ensures Proper Prefix
Intf IPv6 MAC VLAN State
g1/0/10 ::000A 001A 110 Active
g1/0/11 ::001C 001C 110 Stale
g1/0/16 ::001E 001E 200 Verifying
g1/0/21 ::0021 0021 200 Active
Intf IPv6 MAC VLAN State
g1/0/10 ::000A 001A 110 Active
g1/0/11 ::001C 001C 110 Stale
g1/0/16 ::001E 001E 200 Verifying
g1/0/21 ::0021 0021 200 Active
NA NA
NA
NA
~Host A ~Host A
© 2012 Cisco and/or its affiliates. All rights reserved. 70
• Mitigate prefix-scanning attacks and Protect ND cache • Drops packets for destinations without a binding entry
Intf IPv6 MAC VLAN State
g1/0/10 ::0001 001A 110 Active
g1/0/11 ::001C 001C 110 Stale
g1/0/16 ::001E 001E 200 Verifying
Forward packet
Lookup Table
found No
Yes
NS 2001:db8::1
Ping 2001:db8::1
Ping 2001:db8::4 Ping 2001:db8::3
Ping 2001:db8::2
© 2012 Cisco and/or its affiliates. All rights reserved. 71
• Scaling the 802.11 multicast reliability issues • NDP process is multicast “chatty”, consumes airtime • Controller rate limits the period RA’s, while allowing RS to flow • Caching allows the Controller to “proxy” the NA, based on gleaning
(NS)
00:24:56:75:44:33 2001:db8:0:20::2 00:24:56:11:93:28 2001:db8:0:20::4
(Unicast NA)
(NS) (Unicast NA)
2
4 Periodic (RA’s)
© 2012 Cisco and/or its affiliates. All rights reserved. 72
Anchor
Foreign
Mobility Tunnel
Unicast RA
Mcast RA
Roaming Client
• Roaming client must be able to receive the original router advertisement • Controllers must be part of the same mobility group domain • The anchor controller sends the RA to the foreign in the mobility tunnel • AP convert’s multicast RA to an L2 unicast (MC2UC)
© 2012 Cisco and/or its affiliates. All rights reserved. 73
ipv6 general-prefix foo-core 2001:0db8:4646:6000::/52 ipv6 general-prefix foo-acc 2001:0db8:4646:6acc::/56 ipv6 unicast-routing ! interface GigabitEthernet1/0/1 description To 6k-core-right ipv6 address foo-core ::3:0:0:0:d63/64 ipv6 eigrp 10 ipv6 hello-interval eigrp 10 1 ipv6 hold-time eigrp 10 3 ipv6 authentication mode eigrp 10 md5 ipv6 authentication key-chain eigrp 10 eigrp ipv6 summary-address eigrp 10 2001:0db8:4646:6000::/52 ! interface GigabitEthernet1/0/2 description To 6k-core-left ipv6 address foo-core ::C:0:0:0:d63/64 ipv6 eigrp 10 ipv6 summary-address eigrp 10 2001:0db8:4646:6000::/52
interface Vlan4 description Data VLAN for Access ipv6 address foo-acc ::4:d63/64 ipv6 eigrp 10 ! interface Vlan6 description Data VLAN for Access ipv6 address foo-acc ::6:d63/64 ipv6 eigrp 10 ! ipv6 router eigrp 10 no shutdown router-id 10.122.10.10 passive-interface Vlan4 passive-interface Vlan6 passive-interface Loopback0
© 2012 Cisco and/or its affiliates. All rights reserved. 74
• RIPng – UDP 521, 15 hops • FE80::/64 Source à FF02::9 Destination
• Distance Vector, Hop Count (1-15)
• Split Horizon, Poison Reverse
• Beuller, Bueller, anyone?
Ipv6 unicast-routing ! Interface loopback 0 Ipv6 address 2001:db8:1000::1/128 Ipv6 rip CISCO enable ! Interface ethernet 0/0 Ipv6 address 2001:db8:5000:31::1/64 Ipv6 rip CISCO enable ! Ipv6 router rip CISCO
© 2012 Cisco and/or its affiliates. All rights reserved. 75
Ipv6 unicast-routing ! Interface ethernet 0/0 Ipv6 address 2001:db8:5000:31::1/64 Ipv6 router isis CISCO Isis circuit-type level-1 Isis ipv6 metric 10000 ! Router isis CISCO Net 49.0001.2222.2222.222.00 Metric style wide ! Address-family ipv6 Multi-topology
• IS-IS – (RFC5308) CLNS • IPv4 & IPv6
• Link State • 2 New TLV’s Added
• Topology Supoprt • Single Topology • Multi Topology • Multi Instance
© 2012 Cisco and/or its affiliates. All rights reserved. 76
Ipv6 unicast-routing ! Interface loopback0 Ipv6 address 2001:db8:1000::1/128 Ipv6 eigrp 11 ! Interface ethernet 0/0 Ipv6 address 2001:db8:5000:31::1/64 Ipv6 eigrp 11 ! Ipv6 router eigrp 11 Passive-interface loopback0 Eigrp router-id 10.10.10.10
• EIGRP – IP 88
• FE80::/64 Source à FF02::A Destination
• 2 New TLV’s – internal-type & external-type
• No Split Horizon, Auto Summary Disabled
• Stub reduces topology & queries • EIGRP can perform better in large scale
hub and spoke environments
© 2012 Cisco and/or its affiliates. All rights reserved. 77
Ipv6 unicast-routing ! Interface loopback0 Ipv6 address 2001:db8:1000::1/128 Ipv6 ospf 3 area 0 instance 13 ! Interface ethernet 0/0 Ipv6 address 2001:db8:5000:31::1/64 Ipv6 ospf 3 area 0 instance 13 ! Ipv6 router ospf 3 router-id 10.10.10.10 passive-interface loopback0
• OSPFv3 – IP 89 • FE80::/64 Source à FF02::5, FF02::6 (DR’s) • Link-LSA (8) – Local Scope, NH • Intra-Area-LSA (9) – Routers Prefix’s • Use Inter-Area-Prefix (3) – Between ABR’s
• Can converge quickly to a point of scale, initial database build and discovery takes some time
• Link state protocols perform better in full mesh environments, if tuned correctly
© 2012 Cisco and/or its affiliates. All rights reserved. 78
• RFC 4798 ‒ Utilizes Existing IPv4 Core ‒ Dual Stack on the PE
• MP-BGP Next Hop ::ffff:192.0.2.210 • LDP Next Hop 192.0.2.210 • Control Plane uses IPv4, for now
2001:db8:babe::/48 2001:db8:d00d::/48
R1 R4
IPv4 core, LDP, IGP, TE, etc.
IPv6 MP-BGP LDPv4
router bgp 192 no bgp default ipv4-unicast bgp log-neighbor-changes neighbor 192.0.2.3 remote-as 192 neighbor 129.0.2.3 update-source Loopback0 ! address-family ipv6 redistribute connected redistribute static no synchronization neighbor 192.0.2.3 activate neighbor 192.0.2.3 send-label exit-address-family ! ipv6 route 2001:db8:babe::/48 2001:db8:1:1::2
© 2012 Cisco and/or its affiliates. All rights reserved. 79
• RFC 4659 ‒ Utilizes Address Family (AF) in VRF Context ‒ Allows for VPN Functionality
• Subsequent Address Family Identifiers (SAFI) ‒ MP-BGP Address-family SAFI = 2 (IPv6) ‒ VRF Address-family SAFI = 128 (VPN)
2001:db8:café:1::/64
2001:db8:babe:1::/64
2001:db8:d00d:1::/64
2001db8:café:4::/64
2001:db8:babe:4::/64
2001:db8:dood:4::/64
R1
R4
IPv4 core, LDP, IGP, TE, etc.
vrf definition 6vpe rd 192:1 route-target export 192:1 route-target import 192:3 ! address-family ipv6 exit-address-family ! router bgp 192 address-family vpnv6 neighbor 192.0.2.3 activate neighbor 192.0.2.3 send-community both exit-address-family ! address-family ipv6 vrf 6vpe redistribute connected redistribute static no synchronization exit-address-family
© 2012 Cisco and/or its affiliates. All rights reserved. 80
© 2012 Cisco and/or its affiliates. All rights reserved. 81
• IPv4 Only Data Center – IPv6 Translation on the Front End
• Dual Stack – Both IPv4 & IPv6 Into the Data Center
• IPv6 Only Data Center – IPv4 Translation on the Front End
• What is the Cost of Each Stage?
© 2012 Cisco and/or its affiliates. All rights reserved. 82
• IPv4
• Load Balancer inline
• No translation in this design
• Services are Firewalled
Internet Firewall Edge Router Load Balancer Switch Web, Email, Etc.
IPv4
© 2012 Cisco and/or its affiliates. All rights reserved. 83
• Dual Stack Front End
• Translation via NAT/Proxy/SLB
• Easy to Turn Up
• Hard to Move Forward
• False Sense of Accomplishment
Firewall Edge Router Load Balancer Switch Web, Email, Etc.
NAT/Proxy/SLB
IPv4/IPv6 IPv4
Internet
© 2012 Cisco and/or its affiliates. All rights reserved. 84
• IPv4 & IPv6 Addressing on All Devices
• Incremental Operational Cost (~20%)
• Double Everything (ACL’s, SLA’s, etc.)
• Two Data Planes, Two Control Planes
• Recommended Approach
Firewall Edge Router Load Balancer Switch Web, Email, Etc.
IPv4/IPv6
Internet
© 2012 Cisco and/or its affiliates. All rights reserved. 85
• Dual Stack Front End
• Translation via NAT/Proxy/SLB
• Forces Developers to use IPv6
• Reduces Operational Costs
• Eliminates Complexity within the DC
Load Balancer Switch Web, Email, Etc.
NAT/Proxy/SLB
IPv6 IPv4/IPv6
© 2012 Cisco and/or its affiliates. All rights reserved. 86
• IPv4 Sailed Toward Sunset
• Not Likely for a Very Long Time
• Someday, Maybe Someday
Firewall Edge Router Load Balancer Switch Web, Email, Etc.
IPv6
Internet
© 2012 Cisco and/or its affiliates. All rights reserved. 87
• Large DCs with very dense hosts populations can cause severe performance problems on the control plane of switches due to IPv4 and IPv6 ‘control’ traffic
• One size will not fit all, tuning will require experimentation
87
• NUD Reachable Time: ipv6 nd reachable-time time-in-milliseconds
• NUD Retry Interval: ipv6 nd nud retry base interval-in-milliseconds max-attempts
• Scavenge and Refresh Timer: ipv6 nd cache expire time-in-seconds
• Unsolicited NA Glean: ipv6 nd na glean
• Glean rate limiter: mls rate-limit unicast cef glean <pps> <burst>
© 2012 Cisco and/or its affiliates. All rights reserved. 88
• Same configuration requirements and operation as with IPv4
• Configure VRRP address to be the same as physical interface of “primary”
© 2012 Cisco and/or its affiliates. All rights reserved. 89
• Tunnel Protocol for Fiber Channel over an IP infrastructure • RFC 4404 – Entity Address Size IPv4 (4) or IPv6 (16) • MDS 9x00 Series
– out-of-order delivery, jumbo frames, traffic shaping, TCP optimization
© 2012 Cisco and/or its affiliates. All rights reserved. 90
• Replication Services, Disaster Recovery • Shared Assets and Resources • Overlay Transport Virtualization (OTV) – L2 Technologies Encapsulated in L3 – IPv6 Within OTV over IPv4 – Disable Optimized Multicast Forwarding (OMF) in IGMP snooping on OTV edge devices for IPv6 Solicited Node Multicast traffic to flow.
OTV Global Cloud
© 2012 Cisco and/or its affiliates. All rights reserved. 91
• Hosts are ready Windows enabled by default, disabling it = no more support from Microsoft Mac OS X, iOS, Android, Linux, */BSD: enabled by default
• File & Print No WINS or NetBios over IPv6 SMB on TCP 445
• SQL Server IPv6 preferred Watch for v4 socket calls
• Server 2008/R2 Needs Unified Access Server
• Server 2012 Includes UAS, NAT64/DNS64
© 2012 Cisco and/or its affiliates. All rights reserved. 92
• Inconsistent API’s use of IPv6 Addresses • Some functions expect a URL (must enclose with brackets for IPv6) • Some functions expect just an IP (no bracket)
• Know whether your app displays or accept an IPv6 address • 198.51.100.44:8080 à [2001:db8:café:64::26]:8080
• Home grown App’s may only support IPv4 • Pressure vendors to move to protocol agnostic framework • RFC 3493 – Open Socket Call, 64 bit structure align to HW • RFC 3542 – Raw Socket, ping, Traceroute, r commands
© 2012 Cisco and/or its affiliates. All rights reserved. 93
• May Need Radical Change – Disabling IPv4 Forces IPv6 Development
• Open Stack – Havana – Limited IPv6 Support, WP – Ice House – Neutron L3 Extension
• Application Centric Infrastructure (ACI) – Automates Network Resource Provisioning – On Demand Scale of Applications
© 2012 Cisco and/or its affiliates. All rights reserved. 94
• Server supports IPv4 and IPv6
• Internal & external
• Server supports IPv4 & IPv6
• DNSSEC
DHCP DNS
• Integrated DNS and DHCP
• Configuration and reporting
IPAM
• SNMPv3 over IPv6 and managing IPv6 MIB’s • Protocol Version Independent (PVI) manage the same OID’s (RFC’s 4292, 4293) • NetFlow, Deep Packet Inspection, IPSLA, all work with IPv6 • IPv6 support for Wireshark, Packet analysis, MRTG, Netflow collectors, etc..
© 2012 Cisco and/or its affiliates. All rights reserved. 95
• Anycast Address for Client Access to DHCP/DNS • Uses the same address in multiple locations • Simple, Scalable and Reliable Solution • Global Unicast Address (GUA) for Service Uptime • DNS server injects /128 via OSPF DDI1
2001:db8:aa::21
2001:db8:aa::21
2001:db8:aa:: Cost 10
I pick DNS1 closest metric
2001:db8:aa:: Cost 30
2001:db8:aa:: Cost 20
DDI2 2001:db8:aa::21
DDI3 2001:db8:aa::21
Command &
Control
GUA
GUA
© 2012 Cisco and/or its affiliates. All rights reserved. 96
© 2012 Cisco and/or its affiliates. All rights reserved. 97 97
Application Support
Server Load Balancer
IPv6
IPv4
IPv6 Internet
Stateful NAT64
Client Visibility
IPv4
IPv6
IPv4 Internet
SW = Poor Performance
Proxy
IPv6
IPv4
IPv6 Internet
© 2012 Cisco and/or its affiliates. All rights reserved. 98 98
• Translation Algorithms RFC 6052 (Implementation Details)
• Framework for Translation RFC 6144 (Implementation Scenarios)
• Stateless NAT64 RFC 6145 (IP/ICMP Translation Algorithm) Maps the Entire IPv4 Internet into IPv6 Prefix
• Stateful NAT64 RFC 6146 (State Table for IPv4/IPv6 Translation) Used mainly where IPv6-only clients need to access IPv4 servers
• DNS64 RFC 6147 (IPv6 Client to IPv4 Server)
Version IHL Type of Service Total Length
Identification Flags Fragment Offset
Time to Live Protocol Header Checksum
Source Address
Destination Address
Version Traffic Class Flow Label
Payload Length Next Header Hop Limit
Source Address
Destination Address
© 2012 Cisco and/or its affiliates. All rights reserved. 99
• RFC 6144 8 Total Scenarios (4, 7, 8 are NA) 1, 2, 3 Involve Internet Connectivity 5 & 6 Are Focused on Intranet Connectivity
• Stateless Translation Algorithmic Mapping Address Information & Translator Configuration Initiation from IPv4 or IPv6
• Stateful Translation Uses a State Table for Translation Based on L3/L4 Tuples Generally Initiation is from IPv6
Scenarios Defined Version IHL Type of Service Total Length
Identification Flags Fragment Offset
Time to Live Protocol Header Checksum
Source Address
Destination Address
Version Traffic Class Flow Label
Payload Length Next Header Hop Limit
Source Address
Destination Address
IPv4 Internet
IPv4 Internet
IPv4 Network
IPv6 Network
IPv6 Network
IPv6 Internet
IPv6 Network
IPv4 Network
IPv4 Network
IPv6 Network
1
2
3
5
6
© 2012 Cisco and/or its affiliates. All rights reserved. 100
• RFC 6145 1:1 Address Mapping
• IP Header Fields Copy ToS to/from Traffic Class Id, Flags & Offset to/from EH 44 TTL to/from Hop Limit and Decrement Protocol to/from Next Header Checksum Computed IPv6 to IPv4
• ICMP Header Fields Type Translated (IPv4 8, 0 to IPv6 128, 129) Pseudo Checksum for IPv6 (UDP as well)
Ideal for IPv6 Only Data Center
100
Version IHL Type of Service Total Length
Identification Flags Fragment Offset
Time to Live Protocol Header Checksum
Source Address
Destination Address
Version Traffic Class Flow Label
Payload Length Next Header Hop Limit
Source Address
Destination Address
IPv4 Internet
IPv6 Network
IPv6 Network
IPv6 Network
IPv4 Network
IPv4 Network
IPv6 Network
1
2
5
6
IPv4 Internet
© 2012 Cisco and/or its affiliates. All rights reserved. 101
• RFC 6146 Overload Address Mapping
• TCP/UDP/ICMP Headers Form L4 Portion of State Tuple Pseudo Checksum for IPv6 Portion No Multicast, IPSec, etc.
• MUST use DNS64 RFC 6147 Synthesis DNS Records AAAA to A
• ALG’s May be Required
• MTU Issues Possible
Ideal for IPv6 Only Networks Accessing IPv4
101
Version IHL Type of Service Total Length
Identification Flags Fragment Offset
Time to Live Protocol Header Checksum
Source Address
Destination Address
Version Traffic Class Flow Label
Payload Length Next Header Hop Limit
Source Address
Destination Address
IPv4 Internet
IPv4 Internet
IPv4 Network
IPv6 Network
IPv6 Network
IPv6 Internet
IPv6 Network
IPv4 Network
IPv4 Network
IPv6 Network
1
2*
3
5
6*
*Use Static IPv6 to IPv4 Mappings
© 2012 Cisco and/or its affiliates. All rights reserved. 102 102
Step 1à IPv6 PC queries AAAA Record for v4 Server
2001:db8:122:344::6 DNS Server
192.168.90.101
192.0.2.0/24 2001:db8:122:344::/64
DNS64
DNS46
IPv6 PC
.1 ::2
ßStep 5 Translates it to a AAAA Record
AAAA Record A Record
AAAA Record
A Record
Network-Specific Prefix 3001::/96
Step 3à Translator Sends A Record for v4Server ßStep 2 DNS responds “empty” AAAA Record
ßStep 4 DNS Server responds A Record for IPv4Server
© 2012 Cisco and/or its affiliates. All rights reserved. 103
ßSource IPv6 3001::3001::c000:221 Dest. IPv6 2001:db8:122:344::6
ßSource IPv4 192.0.2.33 Dest. IPv4 192.0.2.1
à Source IPv6 2001:db8:122:344::6 Dest. IPv6 3001::3001::c000:221
Network-Specific Prefix 3001::/96
2001:db8:122:344::6 IPv4 Server 192.0.2.33
2001:db8:122:344::/64
Dynamic NAT64
Static NAT46
IPv6 PC
.1 ::2 192.0.2.0/24
àSource IPv4 192.0.2.1 Dest. IPv4 192.0.2.33
© 2012 Cisco and/or its affiliates. All rights reserved. 104
Citrix NetScaler
• Virtual IP (VIP), SNAT Pool • Publish Appropriate AAAA Record • IPv6 to IPv4, Similar to NAT64 • Translation & SLB are done on same platform
• OS/App dictate design parameters • Rapid Time to Deploy
ISP-A
Servers WWW
ISP-B
UCS Servers
Dual Stack
IPv4 Only
© 2012 Cisco and/or its affiliates. All rights reserved. 105
• Web Server Logging for Geo Location, Analytics, Security, etc..
• Source IP of client requests will be logged as the SNAT or other NAT’d address
• Packet may go through multiple proxies X-Forwarded-For: client, proxy1, proxy2
GET / HTTP/1.1 Host: www.foo.org User-Agent: Mozilla Firefox/3.0.3 Accept: text/html,application/xhtml+xml,application/xml Accept-Language: en-us,en Keep-Alive: 300 x-forward-for: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5 Connection: keep-alive Servers
WWW
Global IPv6 Address ---Translation--- Source NAT Pool
© 2012 Cisco and/or its affiliates. All rights reserved. 106
© 2012 Cisco and/or its affiliates. All rights reserved. 107
Single Link Single ISP
Enterprise
ISP 1
Default Route
Dual Links Single ISP
ISP 1 POP1
POP2
Enterprise
Multi-Homed Multi-Prefix
Enterprise
ISP2
USA
ISP4
BGP
ISP3
ISP 1
Europe
© 2012 Cisco and/or its affiliates. All rights reserved. 108
• Do you support dual stack peering? • Do you have a separate (SLA) for IPv6? • Do you support BGP peering over IPv6? • Do you have a FULL IPV6 route table? • What is the maximum prefix length?
• What about DNS…
Hosted Cloud Service § Maximum prefix length offered by the cloud provider? § Access to provisioning and billing portal over IPv6? § Global IPv6 addressing for VM’s in your environment?
ISP-A ISP-B
Routing
Switching
Services
© 2012 Cisco and/or its affiliates. All rights reserved. 109
• Challenges Arise ‒ Upstream Address Filters ‒ Asymmetric Routing ‒ Default GW & NH Selection
§ Small to Medium Enterprise ‒ Provider Allocated ‒ NPTv6, LISP
§ Medium to Large Enterprise ‒ Provider Independent ‒ BGP
ISP-A ISP-B
© 2012 Cisco and/or its affiliates. All rights reserved. 110
ISP-A ISP-B • Small to Medium Enterprise ‒ Provider Allocated ‒ Not Topology Hiding
• Swaps Left Most Bits of Address ‒ Just the Prefix ‒ Length Must be Equal
• Public on Outside (2001:db8::/48) • Private on Inside (FD00::/8) • No Protocol “fixups”, Unless ALG’s are Supported
FD07:18:403e::/48
2001:bd8:11::/48 2001:bd8:55::/48
© 2012 Cisco and/or its affiliates. All rights reserved. 111
• Small to Medium Enterprise • Tunneling the PA IPv6 over LISP ‒ Provider Allocated /48 ‒ Hosted by PxTR Provider
• Avoids Multi Prefix PA Issues • Possibly an ISP that is IPv4 Only • SHIM6, HIP, ILNP etc. ‒ OS Mods, Code Change
Dual Stack Internet
MR/MS PxTR MR/MS PxTR
Client 172.16.99.100 2001:db8:ea5e:1::/64
2001:db8:cafe::/48
xTRs
192.168.1.x/30
2001:db8:cafe:103::/64
2001:db8:cafe::/48
© 2012 Cisco and/or its affiliates. All rights reserved. 112
• Medium to Large Enterprise
• Use a /127 on pt-2-pt, /64 on multipoint
• MD5 shared secret’s, IPSec could be used
• Controlling TTL, accepting >254 only (allow -1)
• Path, prefix size limits and filtering
ISP-A
:2
:3
:1
:3
2001:db8:cafe:102::/127
2001:db8:cafe:103::/64
ISP-B
::6 ::7
:4
:5
:2
:4
router&bgp&200&&&
bgp&router,id&2.2.2.2&&
neighbor&2001:DB8:cafe:102::2&remote,as&2112&&
neighbor&2001:DB8:cafe:102::2&ttl,security&hops&1&&&
neighbor&2001:DB8:cafe:102::2&password&cisco123&
© 2012 Cisco and/or its affiliates. All rights reserved. 113
• Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt
• Anti-spoofing (RFC2827, BCP38), Multi homed filtering (RFC3704, BCP 84)
• uRPF – Unicast Reverse Path Forwarding
Enterprise Internet
B2B
© 2012 Cisco and/or its affiliates. All rights reserved. 114
• Address Range Source of 2000::/3 at minimum vs. “any”, permit assigned space
• ICMPv6 Error types thru, NDP to, RFC 4890
• Extension Headers Allow Fragmentation, others as needed. Block HBH & RH type 0
• IPv6 ACL’s IPv6 traffic-filter – to apply ACL to an interface
© 2012 Cisco and/or its affiliates. All rights reserved. 115
© 2012 Cisco and/or its affiliates. All rights reserved. 116
• Address Spoofing (-> uRPF, ACLs) [IOS, ASA]
• Neighbor Discovery Attacks (NS,NA,RS,RA,REDIR..) (-> First Hop Security, RA Guard, ND Inspection, SeND, ACL, IPv6 Inspects) [Catalyst, ASA]
• Routing Header (RH0) source routing like attacks (-> no ipv6 source route (before 12.4.(15)T, blocked on ASA by default ) [IOS, ASA]
• Extention Header (e.g. Fragmentation) Games (-> ACLs e.g. deny ip any any undetermined-transport) [IOS, ASA, Catalyst]
• DHCP Attacks (-> DHCP Authentication, PACL) [IOS, ASA, Catalyst]
• Transition Technologies (6to4, Teredo, ISATAP, etc) Attacks (-> ACL, disabled on device, enable IPv6 ) [IOS, ASA, IPS]
• Smurf Attack (-> uRPF) [IOS, ASA]
• Routing Protocol Attacks (-> Authentication) [IOS,ASA]
• … and more. To be continued… have fun defending them. J
© 2012 Cisco and/or its affiliates. All rights reserved. 117 117
© 2012 Cisco and/or its affiliates. All rights reserved. 118 A Phased-Plan Approach for Successful IPv6 Adoption
IPv6 Assessment Service • Determine how your network needs to change to support your IPv6 strategy
IPv6 Discovery Service • Guidance in the early stages of considering a transition to IPv6
IPv6 Planning and Design Service • Designs, transition strategy, and support to enable a smooth migration
IPv6 Implementation Service • Validation testing and implementation consulting services
Network Optimization Service • Absorb, manage, and scale IPv6 in your environment
© 2012 Cisco and/or its affiliates. All rights reserved. 119
• Gain Operational Experience now
• Security enforcement is possible
• Control IPv6 traffic as you would IPv4
• “Poke” your Provider’s
• IPv6 is here now are you?
119
© 2012 Cisco and/or its affiliates. All rights reserved. 120