IPv6 Virtual Labs: How to & Lessons s Learned ed Jeffrey L Carrell Network Conversions Network Consultant IPv6 SME/Trainer jeff.carrell@teachmeipv6.com Twitter: @JeffCarrell_v6 1 IPv6: Build Your Own Lab What are we trying to accomplish today? IPv6 Trivia Quick IPv6 History IPv6 Address basics IPv6 Address Autoconfiguration IPv6 Transition Mechanisms IPv6 Lab system configuration and demonstration 2 Copyright 2015 Jeffrey L. Carrell 1
What are we trying to accomplish today? Learn some IPv6 basics Use free applications, utilities, and OS s to create a virtual lab system on a single host computer Connect to an IPv6 tunnel broker to obtain routed a /56 IPv6 address block, capable of 256 /64 networks or 16 /60 subnets with 16 /64 networks each Configure an open source router application to perform true IPv4/IPv6 routing and DHCP/ services Have real IPv6 Internet presence with only IPv4 access to the Internet 3 IPv6: Trivia In modern day operating systems, is IPv6 an enabled protocol? YES! Generally, will an IPv6 enabled interface have more than one IPv6 address assigned to it? YES! 4 Copyright 2015 Jeffrey L. Carrell 2
IPv6: Trivia How many IPv6 GUA addresses can a network interface have that are in the same network? Up to 4! How many IPv6 GUA addresses can a network interface have that are in different networks? Almost infinite! Can the IPv6 Link-Local address be the same address for all network interfaces in a host? YES! 5 IPv6: Trivia How does an IPv6 enabled host derive its default gateway? Via the RA! Does have a configurable option to provide an IPv6 default gateway? NO! Does an IPv6 host use its LL or GUA address to communicate to its default gateway? LL! 6 Copyright 2015 Jeffrey L. Carrell 3
IPv6: Trivia If an IPv6 enabled host has autoconfigured privacy extention addresses and a statically assigned address, which one gets used for off-net communications? Temporary! If attempting to communicate on-net using your GUA to another IPv6 host, will the communication be successful if the v6 router is not on-net? NO! 7 IPv6 Brief History Fall 1992 IPv4 addresses will run out someday Oct 1993 DHCP RFC 1531 easier IPv4 address management Dec 1993 IPng RFC 1550 basic specification for next version IP May 1994 NAT RFC 1631 temporary solution before IPng available Dec 1995 RFC 1883 Basic specifications of IPv6 Feb 1996 RFC 1918 Private Iv4 addresses Dec 1998 RFC 2460 Full IPv6 defined May 2005 RFC 3927 APIPA (IPv4) 8 Copyright 2015 Jeffrey L. Carrell 4
Comparing IPv4 & IPv6 Addresses IPv4 addresses 2 32 = 4,294,967,296 IPv6 addresses 2 128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 which is 340 undecillion 340 trillion trillion trillion 79,228,162,514,264,337,593,543,950,336 times more v6 addresses than v4 If IP addresses weighed one gram each: IPv4 = half the Empire State Building IPv6 = 56 billion earths 9 What is an IPv6 Address? IPv6 addresses are very different than IPv4 addresses in the size, numbering system, and delimiter between the numbers 128bit -vs- 32bit hexadecimal -vs- decimal colon and double colon -vs- period (or dot for the real geeks) Valid IPv6 addresses are comprised of hexadecimal numbers (0-9 & a-f), with colons separating groups of four numbers, with a total of eight groups (each group is known as quibble or hextet ) 2001:0db8:1010:61ab:f005:ba11:00da:11a5 10 Copyright 2015 Jeffrey L. Carrell 5
Address types Address Type IPv4 IPv6 Unicast - One-to-one communication Broadcast - One-to-many communication local Multicast - One-to-many communication local/remote Anycast - One-to-many communication nearest Yes Yes Yes Yes Yes No Yes Yes 11 Address scopes Address Scope IPv4 IPv6 Link-Local -Not routable Yes (is temp, APIPA) Global Unicast - Routable to Internet Aka public Unique Local Aka private - Routable only within domain RFC 1918 Yes Yes RFC 4193 12 Copyright 2015 Jeffrey L. Carrell 6
IPv6 Address scopes Global Unicast Address Global Scope Unique Local Address Organization/Site Scope Link Local Address Link-Local Scope 13 IPv4/IPv6 special addresses Address Type IPv4 IPv6 Default Route 0000/0 0.0.0.0/0 ::/0 Unspecified 0.0.0.0/32 ::/128 Loopback 127.0.0.1/8 ::1/128 Multicast 224.0.0.0/4 ff00::/8 Link-Local 169.254.0.0/16 fe80::/10 Global Unicast All others 2000::/3 Unique Local Documentation 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 192.0.2.0/24 198.51.100.0/24 203.0.113.0/24 fc00::/7 2001:db8::/32 14 Copyright 2015 Jeffrey L. Carrell 7
IPv6 shorthand notation Option 1 2001::a52:0:0:0:3d16 Consecutive Zeros Leading Zeros 2001:0000:0000:0a52:0000:0000:0000:3d16 Leading Zeros Consecutive Zeros Option 2 2001:0:0:a52::3d16 15 Incorrect shorthand notation 2001:0000:0000:0a52:0000:0000:0000:3d16 Consecutive Zeros Leading Zeros Consecutive Zeros 2001::a52::3d16 NOT A VALID IPv6 Address How many bits are represented by each ::? 16 Copyright 2015 Jeffrey L. Carrell 8
States of an IPv6 address (timers) Valid Tentative Preferred Deprecated Invalid Preferred Lifetime Time Valid Lifetime Tentative address is in process of verification for uniqueness and is not yet available for regular communications Valid address is valid for use in communication based on Preferred and Deprecated status Preferred address is usable for all communications Deprecated address can still be used for existing sessions, but not for new sessions Invalid an address is no longer available for sending or receiving 17 Comparing IPv4 & IPv6 Neighbor Discovery Protocols IPv4 ARP Request ARP Reply Router Solicitation Router Advertisement Gratuitous ARP ARP Cache IPv6 Neighbor Solicitation Neighbor Advertisement Router Solicitation Router Advertisement Duplicate Address Detection Neighbor Cache 18 Copyright 2015 Jeffrey L. Carrell 9
IPv6 Neighbor Discovery Protocol Neighbor Discovery Protocol (NDP) is defined in RFC 4861 NDP provides the following basic IPv6 functions per node Discover what link they are one Learn link prefix addresses Discover the on-link router Discover on-link neighbors Keep track of active neighbors 19 Duplicate Address Detection (DAD) When a node initially assigns an IPv6 address to its interface, it must check whether the selected address is unique If unique, the address is configured on interface The node sends a multicast Neighbor Solicitation message with the: dest MAC of 33:33:<last 32bits of IPv6 mcast addr> dest IPv6 addr of ff02::1:ff<last 24bits of proposed IPv6 addr> source IPv6 of :: (IPv6 unspecified addr) 20 Copyright 2015 Jeffrey L. Carrell 10
IPv6 default for subnet Based on the default definition an IPv6 address is logically ll divided id d into two parts: a 64-bit network prefix and a 64-bit interface identifier (IID) Therefore, the default subnet size is /64 2001:0db8:1010:61ab:f005:ba11:00da:11a5/64 64bits for Network Identifier 64bits for Interface Identifier Prefix Length A single /64 network yields 18 billion-billion possible addresses 21 Interface ID from MAC address Company ID Manufacturer Data 00 19 71 64 3F 00 IEEE 48-Bit MAC Address 00 19 71 FF FE 64 3F 00 Expand to EUI-64 (IEEE Extended Unique ID) 00000000 00000010 0xFFFE inserted 7 th bit inverted Local/Global bit 02 19 71 FF FE 64 3F 00 Invert the Local/Global Bit 0219:71ff:fe64:3f00 Modified EUI-64 Interface ID 22 Copyright 2015 Jeffrey L. Carrell 11
Interface ID from Random Number RFC 4941 - Privacy Extensions for Stateless Address Autoconfiguration in IPv6 Initial IID is derived based on mathematical computation to create a random 64bit number and appended to prefix to create a GUA An additional but different 64bit number is computed, appended to prefix, and tagged temporary for a 2 nd GUA Temporary GUA should be re-computed on a frequent basis Temporary GUA is used as primary address for communications, as it is considered more secure 23 IPv6 autoconfiguration options Address Autoconfiguration Method Link-Local (always configured) ICMPv6 RA (Type 134) Flags M Flag O Flag ICMPv6 RA (Type 134) ICMPv6 Option Prefix Info A Flag L Flag N/A N/A N/A N/A Prefix Derived from Internal (fe80::) Interface ID Derived from M-EUI-64 or Privacy Other Configuration Options Manual Off Off Off On Manual Manual Manual SLAAC Off Off On On RA M-EUI-64 or Privacy # of IPv6 Addr Manual 1 Manual 2 (LL, Manual) 3 (LL, IPv6, IPv6 temp) Stateful 2 On N/R Off On (LL, () ) Stateless Combination Stateless & Off On On On RA On N/R On On RA and M-EUI-64 or Privacy M-EUI-64 or Privacy and 3 (LL, IPv6, IPv6 temp) 4 (LL, IPv6, IPv6 temp, ) 24 Copyright 2015 Jeffrey L. Carrell 12
IPv6 address autoconfiguration Assigning an IPv6 address: Link-Local (automatically assigned when IPv6 is enabled) Based on prefix fe80::/10, assigned as fe80::/64 Interface ID (64 bit host portion) derived from either: Modified IEEE EUI-64 format (RFC 4291) Derived from MAC address Privacy format (RFC 4941) Derived from random number generator NOTE: Requires no routers, no servers, no additional network systems support. 25 Link-Local address basics Each interface must have one (and only one) link-local l l address (generally autoconfigured by OS) Can/may be same on any/all interfaces Zone ID or Scope ID is used to differentiate which interface is to be used for outbound communications Zone ID is appended to link-local address when used for outbound communications. Examples: ping fe80::22c:8a5c:12ab:370f%vlan1 - switch ping fe80::22c:8a5c:12ab:370f%12 - Windows ping fe80::22c:8a5c:12ab:370f%eth0 - Linux ^destination host to ping ^intf to go out 26 Copyright 2015 Jeffrey L. Carrell 13
IPv6 autoconfiguration options Address Autoconfiguration Method Link-Local (always configured) ICMPv6 RA (Type 134) Flags M Flag O Flag ICMPv6 RA (Type 134) ICMPv6 Option Prefix Info A Flag L Flag N/A N/A N/A N/A Prefix Derived from Internal (fe80::) Interface ID Derived from M-EUI-64 or Privacy Other Configuration Options Manual Off Off Off On Manual Manual Manual SLAAC Off Off On On RA M-EUI-64 or Privacy # of IPv6 Addr Manual 1 Manual 2 (LL, Manual) 3 (LL, IPv6, IPv6 temp) Stateful 2 On N/R Off On (LL, () ) Stateless Combination Stateless & Off On On On RA On N/R On On RA and M-EUI-64 or Privacy M-EUI-64 or Privacy and 3 (LL, IPv6, IPv6 temp) 4 (LL, IPv6, IPv6 temp, ) 27 IPv6 address autoconfiguration Assigning an IPv6 address: SLAAC (Stateless address autoconfiguration), generally a /64 Uses prefix information from Router Advertisement Interface ID (64 bit host portion) derived from either: Modified IEEE EUI-64 format (RFC 4291) Derived from MAC address Privacy format (RFC 4941) Derived from random number generator Generally creates 2 global addresses Cryptographically generated (RFC 3971 & 3972) Secure/unique interface ID 28 Copyright 2015 Jeffrey L. Carrell 14
IPv6 SLAAC process A node sends a multicast Router Solicitation message to the all-routers address ff02::2 Router(s) respond with Router Advertisement message containing A & L flags on and prefix(es) for stateless autoconfiguration The node configures its own IPv6 address(es) with the advertised prefix(es), plus a locally-generated Interface ID Node checks whether the selected address(es) is(are) unique (Duplicate Address Detection) If unique, the address(es) is(are) configured on interface Note no DNS automatically configured 29 ICMPv6 - Router Advertisement Router Advertisement (RA) [key components] M flag managed address configuration flag (for stateful () autoconfig) O flag other configuration flag (for stateless autoconfig) Prf flag router preference flag (ska priority) Router Lifetime lifetime associated with the default router Prefix Length number of bits in the prefix A flag autonomous address-configuration flag (for SLAAC) L flag on-link flag Valid Lifetime length of time the address is valid for use in preferred and deprecated states Preferred Lifetime length of time the address is valid for new communications Prefix IPv6 address prefix For additional info, see RFC 4861 30 Copyright 2015 Jeffrey L. Carrell 15
Router Advertisement packet (Stateless) 31 IPv6 autoconfiguration options Address Autoconfiguration Method Link-Local (always configured) ICMPv6 RA (Type 134) Flags M Flag O Flag ICMPv6 RA (Type 134) ICMPv6 Option Prefix Info A Flag L Flag N/A N/A N/A N/A Prefix Derived from Internal (fe80::) Interface ID Derived from M-EUI-64 or Privacy Other Configuration Options Manual Off Off Off On Manual Manual Manual SLAAC Off Off On On RA M-EUI-64 or Privacy # of IPv6 Addr Manual 1 Manual 2 (LL, Manual) 3 (LL, IPv6, IPv6 temp) Stateful 2 On N/R Off On (LL, () ) Stateless Combination Stateless & Off On On On RA On N/R On On RA and M-EUI-64 or Privacy M-EUI-64 or Privacy and 3 (LL, IPv6, IPv6 temp) 4 (LL, IPv6, IPv6 temp, ) 32 Copyright 2015 Jeffrey L. Carrell 16
IPv6 address autoconfiguration Assigning an IPv6 address: Stateful (), generally a /64 (RFC 3315) Uses prefix information defined in scope Interface ID (64 bit host portion) derived from scope pool Reply includes other information DNS, domain, time server, tftp or download server, etc 33 IPv6 Stateful () process A node sends a multicast Router Solicitation message to the all-routers address ff02::2 Router(s) respond with Router Advertisement message containing M flag for stateful autoconfiguration The node sends a multicast Solicit message to the all-dhcp relay agents and servers address ff02::1:2 server(s) responds with Advertise message(s) containing IPv6 address and lifetimes The node sends a Request message to confirm and seeking other information server responds with Reply message Node checks whether the selected address is unique (Duplicate Address Detection) If unique, the address is configured on interface 34 Copyright 2015 Jeffrey L. Carrell 17
ICMPv6 - Router Advertisement Router Advertisement (RA) [key components] M flag managed address configuration flag (for stateful () autoconfig) O flag other configuration flag (for stateless autoconfig) Prf flag router preference flag (ska priority) Router Lifetime lifetime associated with the default router Prefix Length number of bits in the prefix A flag autonomous address-configuration flag (for SLAAC) L flag on-link flag Valid Lifetime length of time the address is valid for use in preferred and deprecated states Preferred Lifetime length of time the address is valid for new communications Prefix IPv6 address prefix For additional info, see RFC 4861 35 Router Advertisement packet (Stateful/) 36 Copyright 2015 Jeffrey L. Carrell 18
IPv6 Stateful () process Solicit = DHCPDiscover (IPv4) Advertise = DHCPOffer (IPv4) Request = DHCPRequest (IPv4) Reply = DHCPAck (IPv4) 37 W2K8-R2 server operation 38 Copyright 2015 Jeffrey L. Carrell 19
Key difference in DHCP/ Default gateway DHCP configurable Router option in scope no configurable Router option in scope (possible future, but no client OS support yet) An IPv6 node derives its default gateway from the router s Link-Local Local address when the L flag is set in the Prefix information field of an RA (! not from the network prefix!) 39 Unique Identifier - DUID Each DHCP client and server has a DUID DHCP servers use DUIDs to identify clients for the selection of configuration parameters and in the association of IAs with clients DHCP clients use DUIDs to identify a server in messages where a server needs to be identified For additional info, see RFC 3315 40 Copyright 2015 Jeffrey L. Carrell 20
Cloning clients and DUID When a client machine is cloned, all the clones have the same DUID When 2 clients with the same DUID request an IPv6 address, the server provides the same address to both clients When the 2 nd client performs DAD, it detects an IPv6 address conflict, and will not go on link 41 Cloning clients and DUID For cloned MS Windows clients, the DUID is in the Windows Registry and can be removed with a manual operation (regedit) This should be done before creating a clone, so that when the clones clients are booted, new and unique DUIDs will be created reg delete HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters /f /v Dhcpv6DUID 42 Copyright 2015 Jeffrey L. Carrell 21
Lab 1 IPv6 autoconfiguration options Address Autocoiguration Method Link-Local (always configured) ICMPv6 RA (Type 134) Flags M Flag O Flag ICMPv6 RA (Type 134) ICMPv6 Option Prefix Info A Flag L Flag N/A N/A N/A N/A Prefix Derived from Internal (fe80::) Interface ID Derived from M-EUI-64 or Privacy Other Configuration Options 2 Manual Off Off Off On Manual Manual Manual 3 7a SLAAC Off Off On On RA M-EUI-64 or Privacy # of IPv6 Addr Manual 1 Manual 2 (LL, Manual) 3 (LL, IPv6, IPv6 temp) 5 Stateful 2 On N/A Off On (LL, 7b () ) 7c 7d Stateless Combination Stateless & Off On On On RA On N/A On On RA and M-EUI-64 or Privacy M-EUI-64 or Privacy and 3 (LL, IPv6, IPv6 temp) 4 (LL, IPv6, IPv6 temp, ) 43 IPv6 address autoconfiguration Assigning an IPv6 address: Stateless Uses prefix information from Router Advertisement Interface ID (64 bit host portion) derived from either: Modified IEEE EUI-64 format (RFC 4291) Derived from MAC address Privacy format (RFC 4941) Derived from random number generator Cryptographically generated (RFC 3971 & 3972) Secure/unique interface ID Uses for other information DNS, domain, time server, tftp or download server, etc 44 Copyright 2015 Jeffrey L. Carrell 22
IPv6 Stateless process A node sends a multicast Router Solicitation message to the all-routers routers address ff02::2 Router(s) respond with Router Advertisement message containing A & L flags on and prefix(es), and O flag on for stateless autoconfiguration The node configures its own IPv6 address(es) with the advertised prefix(es), plus a locally-generated Interface ID The node sends a multicast Information-Request message to the all-dhcp relay agents and servers address ff02::1:2 server responds with Reply message Node checks whether the selected address is unique (Duplicate Address Detection) If unique, the address is configured on interface 45 ICMPv6 - Router Advertisement Router Advertisement (RA) [key components] M flag managed address configuration flag (for stateful () autoconfig) O flag other configuration flag (for stateless autoconfig) Prf flag router preference flag (ska priority) Router Lifetime lifetime associated with the default router Prefix Length number of bits in the prefix A flag autonomous address-configuration flag (for SLAAC) L flag on-link flag Valid Lifetime length of time the address is valid for use in preferred and deprecated states Preferred Lifetime length of time the address is valid for new communications Prefix IPv6 address prefix For additional info, see RFC 4861 46 Copyright 2015 Jeffrey L. Carrell 23
Router Advertisement packet (Stateless/) 47 IPv6 autoconfiguration options Address Autoconfiguration Method Link-Local (always configured) ICMPv6 RA (Type 134) Flags M Flag O Flag ICMPv6 RA (Type 134) ICMPv6 Option Prefix Info A Flag L Flag N/A N/A N/A N/A Prefix Derived from Internal (fe80::) Interface ID Derived from M-EUI-64 or Privacy Other Configuration Options (DNS, domain, time, tftp, etc) Derived via Manual Off Off Off On Manual Manual Manual SLAAC Off Off On On RA Stateful () Stateless Combination Stateless & M-EUI-64 or Privacy # of IPv6 Addr Manual 1 Manual On N/R Off On Off On On On RA On N/R On On RA and M-EUI-64 or Privacy M-EUI-64 or Privacy and 2 (LL, Manual) 3 (LL, IPv6, IPv6 temp) 2 (LL, ) 3 (LL, IPv6, IPv6 temp) 4 (LL, IPv6, IPv6 temp, ) 48 Copyright 2015 Jeffrey L. Carrell 24
Combination Stateless and This is typically an undesired configuration Generally a result of enabling RA flags for one type of address autoconfiguration requirement, and not disabling other flags not required Result is too many/unwanted IPv6 GUA s SLAAC up to two possible GUA s Stateful () one GUA Even a manual configured GUA Remember, if there is a Temporary GUA, it will be used for outbound communications 49 IPv6 Legal address 2001:db8:123:456::/64 Is this a node address or a network prefix representation? 50 Copyright 2015 Jeffrey L. Carrell 25
Point-to-point Links Would you use /64 on p2p links? YES, but: provision a /64 for the link then assign as /127 (if possible) not all L3 vendors support /127 DO NOT do /126 RFC 6164 51 Point-to-point Links So, let s see what it looks like: 2001:db8:123:456::1/127 2001:db8:123:456::2/127 } v4 thinking Are these 2 addresses in the same subnet? 52 Copyright 2015 Jeffrey L. Carrell 26
/128 vs- /127 vs- /126 Last hextet: 126 127 128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 /128 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 /127 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 /126 53 Mixed URL & IPv6 notation in URL IPv6 Characters URL Characters https://[2001:0:0:a52::3d16]:5678/webpage.html Enclose IPv6 Address in Square Brackets Optional Port ID For additional info, see RFC 5952 54 Copyright 2015 Jeffrey L. Carrell 27
IPv6 GUA in URL 55 IPv6 Link-local in URL http://[fe80::f254%2511] fe80::f254 is destination, %11 is the outbound interface but specified as %2511 where the %25 is hex converted to the % symbol Note, this does not work in all browsers 56 Copyright 2015 Jeffrey L. Carrell 28
IPv6 Browser add-ons 57 IPv6 Browser add-ons 58 Copyright 2015 Jeffrey L. Carrell 29
Telnet/SSH over IPv6 59 Telnet/SSH over IPv6 group05-netiron#show telnet Console connections: established, privilege super-user you are connecting to this session 4 seconds in idle Telnet server status: Enabled Telnet connections (inbound): 1 established, client ip6 address 2001:470:1f0f:ee7::7:100, privilege super-user using vrf default-vrf. 60 Copyright 2015 Jeffrey L. Carrell 30
TFTP over IPv6 group05-netiron#copy running-config tftp ipv6 2001:470:ba04:1652::102 group05.cfg 61 RDP over IPv6 62 Copyright 2015 Jeffrey L. Carrell 31
Cisco switch - IPv6 VLAN config interface Vlan1 ipv6 address FE80::2 link-local ipv6 address 2001:DB8:1AB:BA5E::2/64 ipv6 enable ipv6 nd prefix 2001:DB8:1AB:BA5E::/64 35 15 ipv6 nd other-config-flag flag ipv6 nd ra interval 65 25 63 HP switch - IPv6 VLAN config vlan 1 ipv6 enable ipv6 address fe80::1 link-local ipv6 address 2001:db8:1ab:ba5e::1/64 ipv6 nd ra managed-config-flag ipv6 nd ra max-interval 60 ipv6 nd ra min-interval 20 ipv6 nd ra prefix 2001:db8:1ab:ba5e::/64 40 20 no-autoconfig 64 Copyright 2015 Jeffrey L. Carrell 32
Jeff s IPv6 Wireshark 65 Color rule processing order Color rules read like a router ACL or firewall rule First color rule that matches wins 66 Copyright 2015 Jeffrey L. Carrell 33
Using Wireshark to view IPv6 pkts IPv6 display filter families ipv6 icmpv6 dhcpv6 IPv6 related display filters: http://www.wireshark.org/docs/dfref/i/ipv6.html e / / p t 67 Display filters option 2 In the Packet Details view, right-click on a specific field to build a filter 68 Copyright 2015 Jeffrey L. Carrell 34
Configuration profiles What they are Why/how you use them What they contain How to share 69 Packet annotation 70 Copyright 2015 Jeffrey L. Carrell 35
Using Wireshark to view IPv6 pkts 71 Security concerns If EUI-64 based address, can determine manufacturer of interface, which may lead to what type of device it is, and where in the network in may be located. Since IPv6 is enabled by default in many operating systems and devices, simple scan of network will provide tons of info Many tools already available for exploitation of devices/systems Easy to spoof clients with rogue RA (use RA Guard on switches to block RAs on non-trusted interfaces) If there is a Temporary IPv6 address in addition to a regular RA configured IPv6 address, the Temporary address is used for outbound communications by the client. Temporary IPv6 addresses can change frequently. 72 Copyright 2015 Jeffrey L. Carrell 36
IPv6 Attack Tools Attack Toolkits THC-IPv6 30+ tools! http://www.thc.org/thc-ipv6/ SI6 Networks IPv6 Toolkit 24+ tools! http://www.si6networks.com/tools/ipv6toolkit/ Scanners Nmap, halfscan6 (older) Packet forgery Scapy DoS Tools (older) 6tunneldos, 4to6ddos, Imps6-tools 73 Network scanning 2001:0db8:1010:61ab:f005:ba11:00da:11a5/64 64bits for Network Identifier 64bits for Interface Identifier Prefix Length Since prefix is defined, don t scan there, need only scan lower 64 bits (18BB # s!!!!!!) Scan last section for IPv4 looking addresses (0-254) Scan middle of IID for fffe, then scan for known OID Scan for known hex words Scan for IPv4 address converted to hex notation 10.1.1.1 = 0a01:0101 -or- a01:101 -or- 10:1:1:1 74 Copyright 2015 Jeffrey L. Carrell 37
IPv6 Math IPv6 CIDR prefixes IPv6 Nibble Boundary Breaking down /48 into subnets IPv6 Non-Nibble Boundary 75 IPv6 CIDR prefix equivalents Source ARIN: https://www.arin.net/knowledge/cidr.pdf 76 Copyright 2015 Jeffrey L. Carrell 38
What IS a Nibble? A nibble is 4 bits Due to IPv6 addresses expressed using hex characters, subnetting on the nibble boundary allows for easy carving of an address allocation Starting at /64 (smallest subnet), prefixes on the nibble boundary are: /60, /56, /52, /48, /44, /40, /36, /32, etc. 77 IPv6 Nibble boundaries 2001:0db8:1234:5678::1 64 60 56 52 48 44 40 36 32 78 Copyright 2015 Jeffrey L. Carrell 39
IPv6 Non-Nibble boundary In this address 2001:db8:2:50::/61 the range of addresses in this block are: 2001:0db8:0002:0050:0000:0000:0000:0000 to 2001:0db8:0002:0057:ffff:ffff:ffff:ffff Note that the above subnet uses half of the 4 th nibble range of the 4 th hextet, which only runs from 0 to 7 The adjacent block is 2001:db8:2:58::/61: 2001:0db8:0002:0058:0000:0000:0000:0000 to 2001:0db8:0002:005f:ffff:ffff:ffff:ffff Note that the above subnet uses half of the 4 th nibble range of the 4 th hextet, which only runs from 8 to f Neither of these two example address blocks use the entire nibble range, which can lead to confusion and possible network address overlap if not implemented correctly 79 IPv6 Non-Nibble boundary /61 /48 /52 /56 /60 /64 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 0 0 0 0 = 0 0 1 1 1 = 7 1 0 0 0 = 8 1 1 1 1 = f 80 Copyright 2015 Jeffrey L. Carrell 40
IPv6 Allocation options /44 to /48 2001:db8:1740::/44 /44 16 /48 2001:db8:1740::/48 2001:db8:1741::/48 2001:db8:1742::/48 2001:db8:1743::/48 2001:db8:1744::/48 2001:db8:1745::/48 2001:db8:1746::/48 2001:db8:1747::/48 2001:db8:1748::/48 2001:db8:1749::/48 2001:db8:174a::/48 2001:db8:174b::/48 2001:db8:174c::/48 2001:db8:174d::/48 2001:db8:174e::/48 2001:db8:174f::/48 81 IPv6 Allocation options /48 to /64 /48 16 /52 16 /56 16 /60 16 /64 256 /64 /48 256 /56 16 /60 16 /64 256 /64 /48 4096 /60 16 /64 /48 65536 /64 82 Copyright 2015 Jeffrey L. Carrell 41
IPv6 Nibble boundary /48 Following nibble boundary rules, a /48 address prefix assigned to company yields: /52-16 sites /56-16 buildings per site /60-16 locations per building /64-16 networks per location /48 /64 2001 0db8 0000 1612 Site /52 Building or Group /56 Location or Group# /60 VLAN /64 83 IPv6 Allocation options /56 to /60 to /64 /56 16 /60 16 /64 2001:db8:1150::/56 2001:db8:1150::/60 2001:db8:1150:10::/60 2001:db8:1150:20::/60 2001:db8:1150:30::/60 2001:db8:1150:40::/60 2001:db8:1150:50::/60 2001:db8:1150:60::/60 2001:db8:1150:70::/60 2001:db8:1150:80::/60 1150 80 2001:db8:1150:90::/60 2001:db8:1150:a0::/60 2001:db8:1150:b0::/60 2001:db8:1150:c0::/60 2001:db8:1150:d0::/60 2001:db8:1150:e0::/60 2001:db8:1150:f0::/60 2001:db8:1150:10::/64 2001:db8:1150:11::/64 2001:db8:1150:12::/64 2001:db8:1150:13::/64 2001:db8:1150:14::/64 2001:db8:1150:15::/64 2001:db8:1150:16::/64 2001:db8:1150:17::/64 2001:db8:1150:18::/64 1150 18 2001:db8:1150:19::/64 2001:db8:1150:1a::/64 2001:db8:1150:1b::/64 2001:db8:1150:1c::/64 2001:db8:1150:1d::/64 2001:db8:1150:1e::/64 2001:db8:1150:1f::/64 84 Copyright 2015 Jeffrey L. Carrell 42
IPv6 Prefix Calculator (online) http://www.pierky.com/ipv6-prefix-calculator/# 85 Lab platforms Hosted (standalone) hypervisors VMware Workstation/Fusion VirtualBox Bare metal hypervisors VMware ESXi Microsoft Hyper-V Citrix XenServer Physical equipment 86 Copyright 2015 Jeffrey L. Carrell 43
Lab platforms, con t GNS3 Virtual Routers Cisco HP Juniper Brocade VyOS Cumulus VX 87 IPv6 Transition mechanisms - tunnels 6in4 RFC 4213 6over4 RFC 2529 6to4 RFC 3056 ISATAP RFC 5214 Teredo RFC 4380 6rd RFC 5969 88 Copyright 2015 Jeffrey L. Carrell 44
IPv6 Tunnel brokers Tunnelbroker.net 6in4 tunnel Freenet6.net IPv6-over-UDP Sixxs.net 6in4 tunnel & AYIAY 89 IPv6 Freenet6 tunnel service IPv6-in-IPv4 in NAT Traversal mode (aka - IPv6-over-UDP) Uses Tunnel Setup Protocol (TSP) See RFC 5572 for additional information Source www.gogo6.com/freenet6/powered-by 90 Copyright 2015 Jeffrey L. Carrell 45
IPv6 Freenet6 tunnel service The freenet6.net system provides a /56 IPv6 block (with Pro account) You have options when creating /64 IPv6 networks /56 16 /60 16 /64 256 /64 91 IPv6 Build Your Own Lab Demo Breakdown /56 into /60 s and then /64 s under 2001:5c0:xxxx:xxyz::/56 Y = subnets /60 0 = core a = internal network(s) of VyOS e = external USB-Enet network (link to another router) c = networks on external Cisco 3750 L3 switch Z = networks /64 0 = core f = loopback 1 = 1 st /64 network 2001:5c0:xxxx:xxc1::/64 = first /64 on Cisco 3750 92 Copyright 2015 Jeffrey L. Carrell 46
IPv6 Build Your Own Lab Demo 93 IPv6 Build Your Own Lab more 94 Copyright 2015 Jeffrey L. Carrell 47
Resources 95 Resources 96 Copyright 2015 Jeffrey L. Carrell 48
Resources 97 Resources DoD HPCMP IPv6 Knowledge Base http://www.hpc.mil/index. php/2013-08-29-16-03-23/networking- overview/2013-10-03-17- 24-38 98 Copyright 2015 Jeffrey L. Carrell 49
Resources 99 IPv6 Verification / test sites http://ip6.nl/ http://test-ipv6.com/ t / http://ipv6-test.com/ http://whatismyv6.com/ http://myglobalip.com/ http://ismyipv6working.com/ http://www.kame.net/ http://www.vyncke.org/ip.php 100 Copyright 2015 Jeffrey L. Carrell 50
Thank You for Attending! jeff.carrell@teachmeipv6.com Twitter: @JeffCarrell_v6 101 Copyright 2015 Jeffrey L. Carrell 51