Joe Davies. Principal Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group June 1, 2011

© 2011 Microsoft Corporation

- IPv6 addressing and DNS review
- IPv6 subnetting and address allocation
- Stateful vs. stateless address autoconfiguration
- Routers vs. DHCPv6 servers
- DNS servers and name resolution
- Registration of AAAA records
- DNS traffic over IPv6
- Source and destination address selection

What are IPv6 addresses again?

IPv6 address in binary form
  0010000000000001000011011011100000000000000000000010111100111011
  0000001010101010000000001111111111111110001010001001110001011010
Divide along 16-bit boundaries
  0010000000000001 0000110110111000 0000000000000000 0010111100111011
  0000001010101010 0000000011111111 1111111000101000 1001110001011010
Convert each 16-bit block to hexadecimal and delimit with colons
  2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
Suppress leading zeros within each block
  2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

A single contiguous sequence of 16-bit blocks set to 0 can be compressed to :: (double-colon)
Example:
  FE80:0:0:0:2AA:FF:FE9A:4CA2 becomes FE80::2AA:FF:FE9A:4CA2
  FF02:0:0:0:0:0:0:2 becomes FF02::2
  2001:DB8:0:2F3B:2AA:FF:FE28:9C5A becomes 2001:DB8::2F3B:2AA:FF:FE28:9C5A

Express routes, address spaces, or address ranges
IPv6 always uses address/prefix-length notation
- Similar to CIDR notation
Examples
- 2001:DB8:0:2F3B::/64 for a subnet prefix
- 2001:DB8:3F::/48 for a route prefix

- Link-local addresses
- Global addresses
- Unique local addresses

Address scope is a single link
- Equivalent to APIPA IPv4 addresses (169.254/16)
- FE80::/64 prefix
Used for:
- Single subnet, routerless configurations
- Neighbor Discovery processes
Layout: 1111 1110 1000 0000 ... 0000 (64 bits) | Interface ID (64 bits)

Address scope is the entire IPv6 Internet
- Equivalent to public IPv4 addresses
Structure
- Global Routing Prefix
- Subnet ID
- Interface ID
Layout: 001 | Global Routing Prefix (45 bits) | Subnet ID (16 bits) | Interface ID (64 bits)

Private to an organization, yet unique per site and per organization
- FD00::/8 prefix
- 40-bit Global ID randomly assigned
- Unique 48-bit prefix between sites of an organization and between organizations
Layout: 1111 1101 (8 bits) | Global ID (40 bits) | Subnet ID (16 bits) | Interface ID (64 bits)

RFC 1886: DNS extensions to support IP version 6
Name to address records
- AAAA record type (equivalent to IPv4 A record)
- Example record:
  host1.example.com IN AAAA 2001:db8::1:dd48:ab34:d07c:3914
Address to name records
- New reverse domain called IP6.ARPA.
- Example record:
  4.1.9.3.c.7.0.d.4.3.b.a.8.4.d.d.1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa. IN PTR host1.example.com
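
The text-representation steps from the addressing slides and the IP6.ARPA name construction above, as an added Python example (not part of the original slides). The function names are hypothetical; the compression follows the slide's rule, so a single zero block is also replaced by "::".

```python
import ipaddress

def blocks_from_binary(bits):
    """Split a 128-bit string on 16-bit boundaries into eight integers."""
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 128 binary digits")
    return [int(bits[i:i + 16], 2) for i in range(0, 128, 16)]

def to_text(blocks, compress=True):
    """Colon-hex form with leading zeros suppressed; optionally replace the
    longest (leftmost on a tie) run of zero blocks with '::'."""
    hexed = [format(b, "X") for b in blocks]
    best_start, best_len, i = 0, 0, 0
    while compress and i < 8:
        if blocks[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len == 0:
        return ":".join(hexed)
    head = ":".join(hexed[:best_start])
    tail = ":".join(hexed[best_start + best_len:])
    return head + "::" + tail

def ptr_name(address):
    """Owner name of the PTR record: all 32 hex nibbles of the fully
    expanded address, reversed, dot-separated, under ip6.arpa."""
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

if __name__ == "__main__":
    print(to_text([0xFE80, 0, 0, 0, 0x2AA, 0xFF, 0xFE9A, 0x4CA2]))
    print(ptr_name("2001:db8::1:dd48:ab34:d07c:3914"))
```

Because one address has several valid spellings, comparing addresses in logs or filter rules is safer on the parsed 128-bit value than on the text.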

DNS clients only register global and unique local addresses
Windows dynamic update behavior
- DNS client
  - On the DNS tab of advanced TCP/IP settings
- DNS server
  - On the General tab of the properties of a zone
    - None
    - Secure only (default)
    - Nonsecure and secure

Domain members
- No problem
Non-domain members
- Use DHCP service to register on the DNS client's behalf
- DNS tab of the properties of a DHCP scope

How do I divide up an IPv6 address prefix?

Using the 16 bits in the Subnet ID portion of the global or unique local address prefix
Step 1: Determining the number of bits to subnet
- Subnetting on nibble (hex digit) boundaries
  - 4 hex digits
  - Example: Region-Location-Building-Floor
    2001:DB8:1719:2A3E::/64
    2 = Region, A = Location, 3 = Building, E = Floor
- Subnetting on bit boundaries
Step 2: Enumerating the subnetted address prefixes

f = number of fixed bits
s = number of bits for subnetting
r = remaining bits
f + s + r = 16
[Diagram: the 16-bit Subnet ID that follows the 48-bit prefix, divided into f, s and r bits]

- Binary: Use binary representations of the subnet ID and convert to hexadecimal
- Hexadecimal: Use hexadecimal representations of the subnet ID and a calculated increment
- Decimal: Using decimal representations of the subnet ID and increment

1. Calculate the hexadecimal increment between subnetted address prefixes
2. Create 2-column table: Network prefix number, Subnetted address prefix
3. First entry is starting prefix with new prefix length
4. Next entry is starting prefix plus increment with new prefix length
5. Repeat step 4 until table is complete

Step 1
Starting prefix: 2001:DB8:0:C000::/51
  f = 51 - 48 = 3
Number of bits to subnet: 3
  s = 3
New prefix length is 51 + 3 = 54
  l = 51 + s
Increment between subnets:
  i = 2^(16-(f+s)) = 2^(16-(3+3)) = 1024 = 0x400
C000 is 1100 0000 0000 0000 (the first 3 bits are the fixed bits, the next 3 bits are the bits for subnetting)

Steps 2 and 3

Network Prefix Number   Subnetted Address Prefix
1                       2001:DB8:0:C000::/54

C000 is 1100 0000 0000 0000

Step 4

Network Prefix Number   Subnetted Address Prefix
1                       2001:DB8:0:C000::/54
2                       2001:DB8:0:C400::/54   (add 0x400)

C400 is 1100 0100 0000 0000

Step 5

Network Prefix Number   Subnetted Address Prefix
1                       2001:DB8:0:C000::/54
2                       2001:DB8:0:C400::/54
3                       2001:DB8:0:C800::/54   (add 0x400)

C800 is 1100 1000 0000 0000

Step 5 (table complete; each entry is the previous one plus 0x400)

Network Prefix Number   Subnetted Address Prefix
1                       2001:DB8:0:C000::/54
2                       2001:DB8:0:C400::/54
3                       2001:DB8:0:C800::/54
4                       2001:DB8:0:CC00::/54
5                       2001:DB8:0:D000::/54
6                       2001:DB8:0:D400::/54
7                       2001:DB8:0:D800::/54
8                       2001:DB8:0:DC00::/54

DC00 is 1101 1100 0000 0000
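
The hexadecimal-increment procedure above, generalized to any starting prefix between /48 and /63, as an added Python example (not part of the original slides). The function names are hypothetical, and Python's ipaddress module prints prefixes in lowercase.

```python
import ipaddress

def hex_increment(f, s):
    """Increment between subnetted prefixes, in Subnet ID units:
    i = 2^(16-(f+s))."""
    if f < 0 or s < 1 or f + s > 16:
        raise ValueError("need f >= 0, s >= 1 and f + s <= 16")
    return 1 << (16 - (f + s))

def subnet_prefixes(start, s):
    """Enumerate the 2^s subnetted address prefixes of a starting prefix."""
    # strict=True rejects a starting prefix with bits set beyond its length;
    # enumerating from such a value would run into a neighbouring allocation.
    net = ipaddress.IPv6Network(start, strict=True)
    f = net.prefixlen - 48            # Subnet ID bits that are already fixed
    step = hex_increment(f, s)
    new_len = net.prefixlen + s       # l = starting length + s
    base = int(net.network_address)
    # The Subnet ID sits directly above the 64-bit Interface ID, hence << 64.
    return [str(ipaddress.IPv6Network((base + ((n * step) << 64), new_len)))
            for n in range(1 << s)]

if __name__ == "__main__":
    print(hex(hex_increment(3, 3)))
    for number, prefix in enumerate(subnet_prefixes("2001:DB8:0:C000::/51", 3), 1):
        print(number, prefix)
```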

How does the host know where to get its configuration settings?

Nodes discover the set of routers on the local link
IPv6 router discovery also provides:
- Default value of Hop Limit field
- Use of stateful address protocol for addresses or other settings
- Reachability and retransmission timers
- Network prefixes for the link
- MTU of the local link
- How long the advertising router is the default router
- Specific routes
Exchange of Router Solicitation/Router Advertisement (RA) messages

Router Solicitation (Host A sends a multicast Router Solicitation)
- Ethernet Header
  - Destination MAC is 33-33-00-00-00-02
- IPv6 Header
  - Source Address is ::
  - Destination Address is FF02::2
  - Hop limit is 255
- Router Solicitation Header
Host A: MAC 00-B0-D0-E9-41-43, IP: none
Router: MAC 00-10-FF-D6-58-C0, IP: FE80::210:FFFF:FED6:58C0

Router Advertisement (the router sends a multicast Router Advertisement)
- Ethernet Header
  - Destination MAC is 33-33-00-00-00-01
- IPv6 Header
  - Source Address is FE80::210:FFFF:FED6:58C0
  - Destination Address is FF02::1
  - Hop limit is 255
- Router Advertisement Header
  - Current Hop Limit, Flags, Router Lifetime, Reachable and Retransmission Timers
- Neighbor Discovery Options
  - Source Link-Layer Address
  - MTU
  - Prefix Information
Host A: MAC 00-B0-D0-E9-41-43, IP: none
Router: MAC 00-10-FF-D6-58-C0, IP: FE80::210:FFFF:FED6:58C0

1. Stateless: Receipt of Router Advertisement messages with one or more Prefix Information options
2. Stateful: Use of a stateful address configuration protocol such as DHCPv6
3. Both: Receipt of Router Advertisement messages and stateful configuration protocol
For all types, a link-local address is always configured

- Configure link-local address
  - Perform duplicate address detection
- Perform router discovery
- Use Router Advertisements to determine
  - Configuration parameters
  - Stateless addresses and on-link prefixes
    - For stateless addresses, perform duplicate address detection
  - Whether to use DHCPv6
    - Request address prefixes via Managed Address Configuration flag
    - Request options via Other Stateful Address Configuration flag
- If no responses, use DHCPv6

[Flowchart of address autoconfiguration]
1. Send Router Solicitation.
2. Router Advertisement response received?
   - No: Use DHCPv6.
   - Yes: Set Hop Limit, Reachable Time, Retrans Timer, MTU.
3. Are Prefix Information options present?
   - Yes: Configure stateless addresses.
4. Is Managed Address Configuration flag set to 1?
   - Yes: Use DHCPv6.
   - No: continue.
5. Is Other Stateful Configuration flag set to 1?
   - Yes: Use DHCPv6.
   - No: Stop address autoconfiguration.

Managed Address Configuration flag
  netsh interface ipv6 set interface <name/index> managedaddress=enabled
Other Stateful Address Configuration flag
  netsh interface ipv6 set interface <name/index> otherstateful=enabled

DHCPv6 clients
- Windows Vista and higher, Windows Server 2008 and higher
DHCPv6 servers
- Windows Server 2008/R2 DHCP Server service
DHCPv6 relay agents
- Windows Server 2008/R2 Routing and Remote Access service

User Datagram Protocol (UDP) messages
- DHCPv6 clients listen on UDP port 546
- DHCPv6 servers and relay agents listen on UDP port 547
Message types
- Solicit: Sent by a client to locate servers
- Advertise: Sent by a server in response to a Solicit message to indicate availability
- Request: Sent by a client to request addresses or configuration settings from a specific server
- Reply: Sent by a specific server and contains addresses and configuration settings
- Renew: Sent by a client to a specific server to extend the lifetimes of assigned addresses and obtain updated configuration settings

1. A Solicit message sent by the client to locate the servers.
2. An Advertise message sent by a server to indicate that it can provide addresses and configuration settings.
3. A Request message sent by the client to request addresses and configuration settings from a specific server.
4. A Reply message sent by the requested server that contains addresses and configuration settings.

1. An Information-Request message sent by the client to request configuration settings from a server.
2. A Reply message sent by a server that contains the requested configuration settings.

- Built-in to DHCP Server service
- IPv6 node in the console tree
- Must configure a static IPv6 address on each interface

- IPv6 node properties
- Creating a scope
- Configuring scope options
- Configuring reservations

Component of Routing and Remote Access service
1. Add DHCPv6 Relay Agent routing protocol from the IPv6\General node
2. Add interfaces
3. Configure the IPv6 addresses (global or unique local) of DHCPv6 servers
DEMO

Most like IPv4
- Routers advertise themselves as default routers only
- DHCPv6 servers assign address prefixes and options
- Managed Address Configuration flag set to 1
- Other Stateful Address Configuration flag set to 1
Stateless addresses with DHCPv6-based options
- Routers advertise address prefixes and themselves as default routers
- DHCPv6 servers assign address prefixes and options
- Managed Address Configuration flag set to 0
- Other Stateful Address Configuration flag set to 1
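
The autoconfiguration decision described in the flowchart and flag slides above, applied to the bytes of a Router Advertisement, as an added Python example (not part of the original slides). The function names and the sample advertisements are constructed for illustration; the code additionally honours the per-prefix autonomous flag of the Prefix Information option, which the slides do not mention.

```python
import ipaddress
import struct

ROUTER_ADVERT = 134            # ICMPv6 type of a Router Advertisement
PREFIX_INFO = 3                # Neighbor Discovery option type
M_FLAG, O_FLAG = 0x80, 0x40    # Managed Address / Other Stateful flags
A_FLAG = 0x40                  # autonomous flag in a Prefix Information option

def build_ra(managed, other, prefixes=()):
    """Constructed sample: ICMPv6 body of an RA (checksum left at 0)."""
    flags = (M_FLAG if managed else 0) | (O_FLAG if other else 0)
    ra = struct.pack("!BBHBBHII", ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        ra += struct.pack("!BBBBIII", PREFIX_INFO, 4, net.prefixlen,
                          0x80 | A_FLAG, 86400, 14400, 0)
        ra += net.network_address.packed
    return ra

def autoconfig_plan(ra):
    """What a host configures after router discovery. ra is the ICMPv6 body
    of the Router Advertisement, or None if no router answered."""
    if ra is None:                       # "If no responses, use DHCPv6"
        return {"stateless": [], "dhcpv6": "addresses and options"}
    if len(ra) < 16 or ra[0] != ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    flags = ra[5]
    stateless, pos = [], 16              # options follow the 16-byte header
    while pos < len(ra):
        if pos + 2 > len(ra) or ra[pos + 1] == 0:
            raise ValueError("malformed Neighbor Discovery option")
        opt_type, opt_len = ra[pos], ra[pos + 1] * 8   # length in 8-byte units
        if pos + opt_len > len(ra):
            raise ValueError("option runs past the end of the message")
        if opt_type == PREFIX_INFO and opt_len == 32 and ra[pos + 3] & A_FLAG:
            prefix = ipaddress.IPv6Address(ra[pos + 16:pos + 32])
            stateless.append(f"{prefix}/{ra[pos + 2]}")
        pos += opt_len
    if flags & M_FLAG:
        dhcpv6 = "addresses and options"   # Solicit/Advertise/Request/Reply
    elif flags & O_FLAG:
        dhcpv6 = "options only"            # Information-Request/Reply
    else:
        dhcpv6 = None                      # stop address autoconfiguration
    return {"stateless": stateless, "dhcpv6": dhcpv6}

if __name__ == "__main__":
    print(autoconfig_plan(build_ra(True, True)))
    print(autoconfig_plan(build_ra(False, True, ["2001:db8:0:c000::/64"])))
```

Because every host on the link acts on these flags and prefixes, logging the plan for each advertisement seen on a segment shows which router is steering address assignment there.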

How does the host know what to request and where to send it and what to do with the results?

Special handling for DNS queries
- DirectAccess
- DNS Security Extensions (DNSSEC)
For DirectAccess, acts as a client-side conditional forwarder
- Determines which names should be directed to which DNS servers
[Diagram: DirectAccess client with NRPT on the Internet, Internet DNS server, DirectAccess server, intranet DNS server on the intranet. Query: "IPv6 addresses for s1.corp.contoso.com?" Answer: AAAA = 2002:836b:1:1:0:5efe:10.0.21.117]

[Diagram: NRPT with the entries .corp.contoso.com and nls.corp.contoso.com and the DNS server address 2002:836b:2:1:0:5efe:10.0.0.1]
Namespace rules
- Namespace or name with address of DNS server
- Result: Use the specified DNS server
Exemption rules
- Namespace or name with no DNS server
- Result: Use interface-configured DNS server
Name does not match an NRPT rule: use interface-configured DNS server

1. Check DNS resolver cache
2. Check NRPT
   - Determine the set of DNS servers to use
3. Resolve name
   - FQDNs: DNS
   - Single-label, unqualified names: DNS (with suffixes and name devolution), Link-Local Multicast Name Resolution (LLMNR)

DNS messages sent over IPv6 or over IPv4?
- Based on IP addresses of determined DNS servers
All records or AAAA-only query?
- Most queries are for all records
- DirectAccess clients perform AAAA-only queries
DNS query results
- Set of A records (IPv4 addresses)
- Set of AAAA records (IPv6 addresses)
Now what?
How does the node determine the set of source-destination address pairs with which to initiate communication?

By default, IPv6 addresses are preferred
To prefer IPv4 addresses
- Set DisabledComponents=0x20
- Modify prefix policy table
Address selection process
- A source address selection algorithm to choose the best source address to use with a destination address
- A destination address selection algorithm to sort the list of possible destination addresses in order of preference
- Local prefix policy table to customize preference of source and destination addresses

netsh interface ipv6 show prefixpolicies

Precedence  Label  Prefix
----------  -----  ---------------
        50      0  ::1/128 (loopback)
        40      1  ::/0 (IPv6 addresses)
        30      2  2002::/16 (6to4 addresses)
        20      3  ::/96 (IPv4-comp addresses)
        10      4  ::ffff:0:0/96 (IPv4 addresses)
         5      5  2001::/32 (Teredo addresses)

Modify with netsh interface ipv6 add|set|delete prefixpolicy

Application or Winsock obtains the set of destination addresses (name resolution) and calls the stack for destination address sorting:
1. For each destination address, perform a route lookup to determine the sending interface and source address candidates (strong host send)
2. For each destination address, select the best source address and create source-destination pairs (source address selection)
3. Sort source-destination address pairs (destination address selection)

To determine the best source for each destination:
- Prefer the source address that has a scope appropriate for the destination address
- Prefer a non-deprecated address
- Prefer the source address that has the same label in the prefix policy table as the destination address
- Prefer a temporary address over a public address
- Prefer the source address that has the longest matching prefix with the destination

To sort the list of destinations:
- Prefer the destination address that matches the scope of the source address
- Prefer destination addresses with source addresses that are not deprecated
- Prefer the destination address that has the same label from the prefix policy table as its source address
- Prefer the destination address that has the highest precedence from the prefix policy table
- Prefer a native IPv6 destination address to an IPv6 transition technology destination address
- Prefer the destination address with the smallest scope
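
How the prefix policy table drives the ordering, as an added Python example (not part of the original slides, and not the Windows stack's code). It applies only the two prefix-policy rules from the list above (same label, then highest precedence) and leaves out the scope, deprecation and transition-technology rules. The function names and sample addresses are constructed.

```python
import ipaddress

# (precedence, label, prefix) rows of the default table shown by
# "netsh interface ipv6 show prefixpolicies" on the slide.
DEFAULT_POLICY = [
    (50, 0, "::1/128"), (40, 1, "::/0"), (30, 2, "2002::/16"),
    (20, 3, "::/96"), (10, 4, "::ffff:0:0/96"), (5, 5, "2001::/32"),
]

def as_ipv6(addr):
    """IPv4 addresses are looked up as IPv4-mapped ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address((0xFFFF << 32) | int(ip))
    return ip

def policy_for(addr, table=DEFAULT_POLICY):
    """Longest-prefix match in the table; returns (precedence, label)."""
    ip = as_ipv6(addr)
    matches = []
    for precedence, label, prefix in table:
        net = ipaddress.IPv6Network(prefix)
        if ip in net:
            matches.append((net.prefixlen, precedence, label))
    if not matches:
        raise LookupError("no prefix policy covers " + str(addr))
    _, precedence, label = max(matches)
    return precedence, label

def sort_destinations(pairs, table=DEFAULT_POLICY):
    """pairs: (destination, selected source) tuples. Destinations whose label
    matches their source come first, then higher precedence wins."""
    def key(pair):
        dst, src = pair
        precedence, label = policy_for(dst, table)
        return (label != policy_for(src, table)[1], -precedence)
    return [dst for dst, _ in sorted(pairs, key=key)]

def with_precedence(table, prefix, precedence):
    """Copy of the table with one row's precedence changed."""
    return [(precedence if p == prefix else prec, label, p)
            for prec, label, p in table]

if __name__ == "__main__":
    pairs = [("192.0.2.10", "10.0.0.5"),
             ("2002:c000:204::1", "2001:db8:0:c000::5"),
             ("2001:db8:0:d400::80", "2001:db8:0:c000::5")]
    print(sort_destinations(pairs))
    prefer_v4 = with_precedence(DEFAULT_POLICY, "::ffff:0:0/96", 45)
    print(sort_destinations(pairs, prefer_v4))
```

The second call shows the effect of modifying the prefix policy table to prefer IPv4; the result decides which address family, and therefore which filtering path, a dual-stack connection uses.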

Domain members
- No problem
Non-domain members using DHCPv6
- DNS tab on the DHCPv6 scope
GOTCHA: Non-domain members using only RAs (stateless) can't register

Who is assigning IPv6 prefixes/addresses?
- Router (stateless)
- DHCPv6 server (stateful)
Is DNS traffic to be sent over IPv6?
- If yes, assign DNS server and domain name via DHCPv6
How are nodes registering their AAAA records?
- If via stateless, watch out for requiring secure updates
- Non-domain joined computers can't register stateless (RA) addresses

- Portal page
- Demonstrate IPv6
- DHCPv6 test lab extension
- IPv6-only test lab extension

- Windows Server Networking on TechNet
- Windows Server Networking on MSDN
- Windows Networking Writing Team blog
- Windows Server Documentation Twitter feed