IPv6 Functionality. Jeff Doyle IPv6 Solutions Manager jeff@juniper.net



Similar documents
IPv6 Associated Protocols

IPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc.

Neighbour Discovery in IPv6

Chapter 3 Configuring Basic IPv6 Connectivity

CloudEngine Series Switches. IPv6 Technical White Paper. Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD.

Implementing DHCPv6 on an IPv6 network

IPv6 Fundamentals: A Straightforward Approach

IPv6 Infrastructure Security

Security Assessment of Neighbor Discovery for IPv6

TESTING IPV6 ROUTERS WITH THE NEIGHBOR DISCOVERY PROTOCOL

- IPv6 Addressing - (References:

Tomás P. de Miguel DIT-UPM. dit UPM

IPv6 Infrastructure Security Jeffrey L Carrell Network Conversions Network Security Consultant, IPv6 SME/Trainer

Windows 7 Resource Kit

IPv6 Addressing. How is an IPv6 address represented. Classifications of IPv6 addresses Reserved Multicast addresses. represented in Hexadecimal

Technology Brief IPv6 White Paper.

Types of IPv4 addresses in Internet

IPv6 for Cisco IOS Software, File 2 of 3: Configuring

Personal Firewall Default Rules and Components

IPv6 associated protocols. Piers O Hanlon

Joe Davies. Principal Writer Windows Server Information Experience. Presented at: Seattle Windows Networking User Group June 1, 2011

IPv6 Addressing and Subnetting

Security Implications of the Internet Protocol version 6 (IPv6)

IPv6 Hardening Guide for Windows Servers

IPv6 First Hop Security Protecting Your IPv6 Access Network

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

IPv6 Addressing. Awareness Objective. IPv6 Address Format & Basic Rules. Understanding the IPv6 Address Components

Introduction to IP v6

IPv6 Protocols & Standards. ISP/IXP Workshops

Dedication Preface 1. The Age of IPv6 1.1 INTRODUCTION 1.2 PROTOCOL STACK 1.3 CONCLUSIONS 2. Protocol Architecture 2.1 INTRODUCTION 2.

Telematics. 9th Tutorial - IP Model, IPv6, Routing

IPv6 Hands-on Lab. Faraz Shamim, Technical Leader Harold Ritter, Technical Leader. Toronto, Canada May 30, 2013

Learn About Differences in Addressing Between IPv4 and IPv6

Junos OS. IPv6 Neighbor Discovery Feature Guide for Routing Devices. Release Modified: Copyright 2015, Juniper Networks, Inc.

Central America Workshop - Guatemala City Guatemala 30 January - 1 February 07. IPv6 Router s Configuration

IPv6 Diagnostic and Troubleshooting

04 Internet Protocol (IP)

IPv6 Technology Overview Tutorial- Part I. Speaker: Byju Pularikkal Customer Solutions Architect, Cisco Systems Inc.

Recent advances in IPv6 insecurities Marc van Hauser Heuse Deepsec 2010, Vienna Marc Heuse

Vicenza.linux.it\LinuxCafe 1

Router Security Configuration Guide Supplement - Security for IPv6 Routers

About the Technical Reviewers

IPv6 READY. Conformance Test Scenario CE Router. Technical Document. Revision 1.0.0

Step-by-Step Guide for Setting Up IPv6 in a Test Lab

Implementation IPV6 in Mikrotik RouterOS. by Teddy Yuliswar

ERserver. iseries. Networking TCP/IP setup

SEcure Neighbour Discovery: A Report

Addresses, Protocols, and Ports

Junos OS IPv6 Neighbor Discovery Feature Guide for Security Devices Release 15.1X49-D30 Modified: Copyright 2015, Juniper Networks, Inc.

IPv6 for SMB s: Easy or Hard?

IPv6 Packet Filtering

Discovering IPv6 with Wireshark. presented by Rolf Leutert

Getting started with IPv6 on Linux

IPv6 mobility and ad hoc network mobility overview report

Efficient IPv6 Neighbor Discovery Optimizations for Wired and Wireless Networks

Security of IPv6 and DNSSEC for penetration testers

Configuring and Managing Networking on VNX

Host Configuration (Linux)

IPv6 Security Nalini Elkins, CEO Inside Products, Inc.

RARP: Reverse Address Resolution Protocol

EVALUATING STANDARD AND CUSTOM APPLICATIONS IN IPV6 WITHIN A SIMULATION FRAMEWORK. Brittany Michelle Clore

IP - The Internet Protocol

Overview. Lecture 16: IP variations: IPv6, multicast, anycast. I think we have a problem. IPv6. IPv6 Key Features

IP Routing Features. Contents

This tutorial will help you in understanding IPv6 and its associated terminologies along with appropriate references and examples.

Domain Name Auto-Registration for Plugged-in IPv6 Nodes. <draft-kitamura-ipv6-name-auto-reg-00.txt>

Concepts & Examples ScreenOS Reference Guide

Linux as an IPv6 dual stack Firewall

IPv6 Advantages. Yanick Pouffary.

IPv6 Virtual Labs: How to & Lessons s Learned. IPv6 Virtual Labs:

TL-SG2216/TL-SG2424/TL-SG2424P/TL-SG2452. Gigabit Smart Switch REV

IPv6 in Axis Video Products

Firewalls und IPv6 worauf Sie achten müssen!

Guide to TCP/IP, Third Edition. Chapter 3: Data Link and Network Layer TCP/IP Protocols

8.2 The Internet Protocol

Mobility on IPv6 Networks

OS IPv6 Behavior in Conflicting Environments

How To Compare Ipv6 And Ipv4 To Ipv5 (V1.2.0)

Internet Protocol Version 6 (IPv6)

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

TL-SL5428E 24-Port 10/100Mbps + 4-Port Gigabit JetStream L2 Managed Switch

ICS 351: Today's plan

TL-SG3424. JetStream 24-Port Gigabit L2 Managed Switch with 4 Combo SFP Slots REV

IPv6 Security from point of view firewalls

Network Security TCP/IP Refresher

IPv6 INFRASTRUCTURE SECURITY WORKSHOP SESSION 10 BUILDING IPv6 INFRASTRUCTURE NETWORK SECURITY

IPv6 Secure Neighbor Discovery

The VRRP Project. (Virtual Router Redundancy Protocol) Design Document

Are You Ready to Teach IPv6?

Lecture Computer Networks

IPv6 End Station Addressing: Choosing SLAAC or DHCP Jeff Harrington - NYSERNet

Transcription:

IPv6 Functionality Jeff Doyle IPv6 Solutions Manager jeff@juniper.net Copyright 2003 Juniper Networks, Inc.

Agenda ICMPv6 Neighbor discovery Autoconfiguration

Agenda ICMPv6 Neighbor discovery Autoconfiguration

ICMPv6 Many of the same functions as ICMPv4 ICMPv4 Protocol Number = 1 ICMPv6 Next Header Number = 58 Adds new messages and functions Neighbor discovery Stateless autoconfiguration Mobile IPv6 Copyright 2003 Juniper Networks, Inc. 4

ICMPv6 Message Types Defined in RFC 2463 Type Message 1 Destination Unreachable 2 Packet Too Big 3 Time Exceeded 4 Parameter Problem 128 Echo Request 129 Echo Reply Copyright 2003 Juniper Networks, Inc. 5

ICMPv6 New Message Types Defined in RFC 2461 Used for Neighbor Discovery protocol Type Message 133 Router Solicitation (RA) 134 Router Advertisement (RA) 135 Neighbor Solicitation (NS) 136 Neighbor Advertisement (NA) 137 Redirect Copyright 2003 Juniper Networks, Inc. 6

Agenda ICMPv6 Neighbor discovery Autoconfiguration

IPv6 Neighbor Discovery RFC 2461 Neighbor can be router or host Performs several functions Link-layer address resolution Router discovery Local prefix discovery Address autoconfiguration Parameter discovery Next-hop determination Tracks neighbor and router reachability Duplicate address detection Redirects Copyright 2003 Juniper Networks, Inc. 8

Comparison to IPv4 Functions Similar IPv4 functions ARP ICMP Router Discovery ICMP Redirect IPv4 has no agreed-upon mechanism for neighbor unreachability detection Detects failing routers and links Detects nodes that change their link-layer address Unlike ARP, detects half-link failures Copyright 2003 Juniper Networks, Inc. 9

Improvements Over IPv4 Router discovery part of base protocol Hosts do not need to snoop routing protocols RAs and redirects carry link-layer addresses No additional packet exchange needed RAs carry link prefixes No separate mechanism to configure netmasks Enables address autoconfiguration Multiple prefixes can be associated with same link RAs can advertise link MTUs Ensures all nodes on link use same MTU value Immune to reception of off-link ND messages Hop limit always set to 255 IPv4 ICMP Redirects and Router Discovery messages can be sent from off-link Copyright 2003 Juniper Networks, Inc. 10

Router Discovery Router Advertisements sent periodically Interval randomized to prevent synchronization Configurable range defined by: MaxRtrAdvInterval (default 600 seconds) MinRtrAdvInterval (default 200 seconds) RAs sent to All-Nodes multicast address (ff01::1) RAs sent in response to Router Solicitations RS sent to All-Routers multicast address (ff01::2) RA unicast to soliciting node Copyright 2003 Juniper Networks, Inc. 11

Router Advertisement Information Current hop limit Value to be used by outgoing IP packets Address configuration flags M and O bits Router lifetime Lifetime for default router Reachable time/ Retrans timer Used for router unreachability detection Source link-layer address (optional) Can be omitted for in-bound load balancing MTU (optional) If AdvLinkMTU is configured Prefix information (optional) Used for address autoconfiguration Copyright 2003 Juniper Networks, Inc. 12

Unsolicited Router Advertisement Default GW-List A B C E D C A RA B F G Copyright 2003 Juniper Networks, Inc. 13

Solicited Router Advertisement Default GW-List A B C E D C A RS B F G RA Copyright 2003 Juniper Networks, Inc. 14

Choosing a Default Gateway Default GW-List A B C Implementations may randomly select a default router Implementations may cycle through default list round-robin What happens when default router is the wrong router? Copyright 2003 Juniper Networks, Inc. 15

Redirect Default GW-List A B C ICMP Redirect to Router B E Sent data to Host 3 using Default GW "A" C A D Path used with Default Gateway "A" Redirect traffic via Router B B F G Host 3 Copyright 2003 Juniper Networks, Inc. 16

Neighbor Cache C:\Documents and Settings\Jeff Doyle>ipv6 nc 5: fe80::202:2dff:fe25:5e4c 00-02-2d-25-5e-4c permanent 4: fe80::260:83ff:fe7b:2df3 00-60-83-7b-2d-f3 stale (router) 4: fe80::210:a4ff:fea0:bc97 00-10-a4-a0-bc-97 permanent 4: 3ffe:3700:1100:1:210:a4ff:fea0:bc97 00-10-a4-a0-bc-97 permanent 4: 3ffe:3700:1100:1:d9e6:b9d:14c6:45ee 00-10-a4-a0-bc-97 permanent 4: 2001:468:1100:1:210:a4ff:fea0:bc97 00-10-a4-a0-bc-97 permanent 4: 2001:468:1100:1:d9e6:b9d:14c6:45ee 00-10-a4-a0-bc-97 permanent 3: 2002:c058:6301::c058:6301 192.88.99.1 permanent 3: 2002:836b:213c::836b:213c 131.107.33.60 permanent 3: 2002:4172:a85b::4172:a85b 127.0.0.1 permanent 3: 2002:836b:213c:1:e0:8f08:f020:6 131.107.33.60 permanent 3: 2001:708:0:1::624 incomplete 2: ::65.114.168.91 127.0.0.1 permanent 2: fe80::5efe:65.114.168.91 127.0.0.1 permanent 2: fe80::5efe:169.254.113.126 127.0.0.1 permanent 1: fe80::1 permanent 1: ::1 permanent Copyright 2003 Juniper Networks, Inc. 17

Neighbor Address Resolution Equivalent function to IPv4 ARP But multicast instead of broadcast Check Neighbor Cache for address If no address, create an Incomplete entry for target address Send Neighbor Solicitation to Solicited-Node Multicast address Target node sends Neighbor Advertisement with link-layer address Soliciting node changes Incomplete entry to Reachable Copyright 2003 Juniper Networks, Inc. 18

Solicited Node Multicast Address All multicast-capable interfaces required to listen Formed by appending low-order 24 bits of target IPv6 address to prefix ff02:0:0:0:0:1:ff00::/104 Addresses differing only in high-order bits will map to same solicited-node multicast Useful when multiple addresses assigned to interface Reduces number of multicast addresses a node must listen for Example: Interface Address #1 = 3ffe:3700:1100:1:200:bff:fec6:45ee Interface Address #2 = 2001:468:1100:1:200:bff:fec6:45ee Solicited-Node Multicast Address = ff02::1:ffc6:45ee Copyright 2003 Juniper Networks, Inc. 19

Next-Hop Discovery Check Neighbor Cache for existing next-hop entry for particular destination Check whether destination is on- or off- link On-link: Sent directly to destination Off-link: Sent to default router Identify link-layer address of next-hop Copyright 2003 Juniper Networks, Inc. 20

Neighbor Unreachability Detection Neighbor cache stores information about neighbors IP address Link-layer address Reachability state Neighbor reachability states INCOMPLETE REACHABLE STALE DELAY PROBE Copyright 2003 Juniper Networks, Inc. 21

Agenda ICMPv6 Neighbor discovery Autoconfiguration

Address Autoconfiguration Stateless autoconfiguration Requires only a router Key advantage for applications such as Mobile IP Stateful autoconfiguration When more control is desired DHCPv6 Stateless and stateful can be combined M and O flags in RA M flag: Stateless Address Autoconfiguration Y/N O flag: Stateless Autoconfigure Other Parameters Y/N Copyright 2003 Juniper Networks, Inc. 23

Stateless Autoconfiguration Interface ID automatically derived IEEE addresses use MAC-to-EUI-64 conversion Other addresses use other means, such as random number generation Host creates a link-local address Host performs duplicate address check Host sends RS to the all-routers multicast address (ff01::2) Router unicasts RA with prefix information Host adds prefix to Interface ID to form global unicast address Copyright 2003 Juniper Networks, Inc. 24

MAC-to-EUI-64 Conversion 1. First three octets of MAC becomes Company-ID 2. Last three octets of MAC becomes Node-ID 3. 0xfffe inserted between Company-ID and Node-ID 4. Universal/Local-Bit (U/L-bit) is set to 1 for global scope Copyright 2003 Juniper Networks, Inc. 25

MAC-to-EUI-64 Conversion Example MAC Address: 0000:0b0a:2d51 In binary: 00000000 00000000 00001011 00001010 00101101 01010001 U/L Bit Company-ID Individual Node-ID Insert fffe between Company-ID and Node-ID 00000000 00000000 00001011 11111111 11111110 00001010 00101101 01010001 Set U/L bit to 1 00000010 00000000 00001011 11111111 11111110 00001010 00101101 01010001 U/L Bit = fffe Resulting EUI-64 Address: 0200:0bff:fe0a:2d51 Copyright 2003 Juniper Networks, Inc. 26

Using the EUI-64 Interface ID EUI-64 Address: 200:bff:fe0a:2d51 Link-Local Address: fe80::200:bff:fe0a:2d51 Global Unicast Address: 3ffe:3700:1100:1:200:bff:fe0a:2d51 Copyright 2003 Juniper Networks, Inc. 27

Solicited-Node Multicast Revisited Interface Address #1 = 3ffe:3700:1100:1:200:bff:fec6:45ee Interface Address #2 = 2001:468:1100:1:200:bff:fec6:45ee Solicited-Node Multicast Address = ff02::1:ffc6:45ee Last 24 bits are not changed by autoconfiguration or by solicited node multicast Copyright 2003 Juniper Networks, Inc. 28

Address Autoconfiguration: A Security Problem? Interface ID remains constant for a host Even when prefix information changes Unlike IPv4, where entire address changes Mobile users can be tracked Usage from always-on addresses can be tracked This is a concern for some, not for others Two solutions: Always use stateful autoconfiguration (DHCPv6) Use privacy addresses for outgoing connections Copyright 2003 Juniper Networks, Inc. 29

RFC 3041 Privacy Addresses A new Interface ID is randomly generated Whenever a new public address is autoconfigured Periodically (period is configurable) Both autoconfigured public and private addresses are used Public for incoming connections (DNS registered) Private for outgoing connections Copyright 2003 Juniper Networks, Inc. 30

Stateful Autoconfiguration: DHCPv6 Currently in Internet-draft Many changes from DHCPv4: Configuration of dynamic updates to DNS Address deprecation for dynamic renumbering Authentication Clients can ask for multiple IP addresses Addresses can be reclaimed Integration between stateful and stateless autoconfiguration Uses multicasting All_DHCP_Agents: ff02::1:2 All_DHCP_Servers: ff05::1:3 Copyright 2003 Juniper Networks, Inc. 31

Duplicate Address Detection Must be performed by all nodes Performed with both stateless and stateful autoconfiguration Performed before assigning a unicast address to an interface Performed on interface initialization Not performed for anycast addresses Link must be multicast capable New address is called "tentative" as long as duplicate address detection takes place Copyright 2003 Juniper Networks, Inc. 32

Duplicate Address Detection 1. Interface joins all-nodes multicast group 2. Interface joins solicited-node multicast group 3. Node sends one NS with Target address = tentative IP address Source address = unspecified (::) Destination address = tentative solicitednode address Copyright 2003 Juniper Networks, Inc. 33

Duplicate Address Detection If address already exists, the particular node sends a NA with Target address = tentative IP address Destination address = tentative solicited-node address If soliciting node receives NA with target address set to the tentative IP address, the address must be duplicate Copyright 2003 Juniper Networks, Inc. 34

Configuration Example: Router Discovery [edit] lab@juniper5# show interfaces fe-2/1/0 unit 0 { family inet6 { address 2001:468:1100:1::1/64; address 3ffe:3700:1100:1::1/64; } } [edit] lab@juniper5# show protocols router-advertisement interface fe-2/1/0.0 { other-stateful-configuration; prefix 3ffe:3700:1100:1::/64; prefix 2001:468:1100:1::/64; } Copyright 2003 Juniper Networks, Inc. 35

Configuration Example: Windows XP Host C:\Documents and Settings\Jeff Doyle>ipv6 if 4 Interface 4: Ethernet: Local Area Connection 2 uses Neighbor Discovery uses Router Discovery link-layer address: 00-10-a4-a0-bc-97 preferred global 2001:468:1100:1:d9e6:b9d:14c6:45ee, life 6d21h14m26s/21h12m4s (anonymous) preferred global 2001:468:1100:1:210:a4ff:fea0:bc97, life 29d23h59m25s/6d23h59m25s (public) preferred global 3ffe:3700:1100:1:d9e6:b9d:14c6:45ee, life 6d21h14m26s/21h12m4s (anonymous) preferred global 3ffe:3700:1100:1:210:a4ff:fea0:bc97, life 29d23h59m25s/6d23h59m25s (public) preferred link-local fe80::210:a4ff:fea0:bc97, life infinite multicast interface-local ff01::1, 1 refs, not reportable multicast link-local ff02::1, 1 refs, not reportable multicast link-local ff02::1:ffa0:bc97, 3 refs, last reporter multicast link-local ff02::1:ffc6:45ee, 2 refs, last reporter link MTU 1500 (true link MTU 1500) current hop limit 64 reachable time 22000ms (base 30000ms) retransmission interval 1000ms DAD transmits 1 Copyright 2003 Juniper Networks, Inc. 36

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information