IPv6. Alexander Gall, UZH/USE Meeting

IPv6 Alexander Gall, UZH/USE Meeting alexander.gall@switch.ch Zürich, 25.3.2014

SWITCH Backbone Layer 1

Layer 3 Backbone 100% Dual-Stack

Timeline of IPv6 @SWITCH
- Sometime in 1996: a Sun Server (Solaris 2.5.1) becomes our first 6bone node. Initial allocation 5F02:2F00:823B::/64
- 9.10.1997: 3FFE:2000::/48 allocated to SWITCH, the first renumbering
- 3.9.1999: allocation of 2001:620::/35 (soon expanded to /32), second renumbering
- February 2004: our backbone goes dual-stack with the initial IPv6 support (in software) on Cisco Catalyst 6500/7600 with Sup2, IOS 12.2S
- Many internal and external services are IPv6-enabled today

IPv4 Address Space Exhaustion 3 of the 5 RIRs are below the last /8 barrier, where very strict policies apply (a single /22 per LIR)

IPv6 Deployment (1) http://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption

IPv6 Deployment (2) http://www.ipv6matrix.org/hosts (based on top Alexa sites)

IPv6 Deployment in Switzerland (3)
- Most notably due to Swisscom
- 35% of customers have IPv6 enabled
- 9% of total traffic is IPv6
- 25% of traffic of IPv6-enabled customers is IPv6

IPv6 Deployment (4) AMS-IX Internet Exchange (IPv4 current average ~1.5Tbps)

Product Maturity
- Operating systems: very good
- Basic networking (routing/switching): good to very good
- Applications: mixed (web/mail very good)
- Middleboxes (firewalls, load balancers): bad to fair/good
- Good enough to run a stable, secure network
- http://www.ipv6forum.com/
- http://www.ipv6ready.org/

IPv6 Essentials
Addresses
- 128 bits, represented in 8 groups of hexadecimal digits separated by colons
- Leading zeros can be suppressed
- Double-colon rule: adjacent groups of all zeros can be abbreviated (once) by ::
- Example: 2001:0620:0000:0001:0000:0000:0000:0001
  - 2001:620:0:1:0:0:0:1
  - 2001:620::1:0:0:0:1
  - 2001:620:0:1::1

IPv6 Essentials
- Every unicast address has a domain of reachability called scope
- Node-local scope, aka localhost: ::1
- Link-local scope: FE80::/10
  - Unique within an IP subnet
  - Not forwarded by any router
- Everything else is global scope (globally unique)
- Note: the original spec included site-local scope (FEC0::/10), similar to RFC 1918 space (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12). It has been deprecated in favor of Unique Local Addresses (ULA): globally unique but not routed (FC00::/7)
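The two text-representation rules and the scope ranges from the slides above, as an added Python example (not from the slides or from SWITCH). The sample address is the one on the slide; the scope labels and the "at least two zero groups" condition for :: (RFC 5952) are assumptions of this example.

```python
import ipaddress

# Constructed sample: the slide's example address written out in full.
FULL = "2001:0620:0000:0001:0000:0000:0000:0001"


def compress(addr: str) -> str:
    """Apply the slide's rules to an uncompressed 8-group address: suppress
    leading zeros, then replace the longest run of all-zero groups (at least
    two, per RFC 5952; the first run wins on a tie) with a single '::'."""
    groups = [g.lstrip("0") or "0" for g in addr.lower().split(":")]
    if len(groups) != 8:
        raise ValueError("expected 8 colon-separated groups")
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:          # strictly longer only: keep first run on tie
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"


def scope(addr: str) -> str:
    """Classify an address by the scopes listed on the slide; the label
    strings are chosen for this example."""
    a = ipaddress.IPv6Address(addr)
    if a == ipaddress.IPv6Address("::1"):
        return "node-local"
    if a in ipaddress.IPv6Network("fe80::/10"):
        return "link-local"
    if a in ipaddress.IPv6Network("fec0::/10"):
        return "site-local (deprecated)"
    if a in ipaddress.IPv6Network("fc00::/7"):
        return "unique local (ULA, not routed)"
    return "global"


if __name__ == "__main__":
    print(compress(FULL), scope(compress(FULL)))   # 2001:620:0:1::1 global
```

The standard library's `ipaddress.IPv6Address(addr).compressed` applies the same rules and can be used to cross-check the hand-written version.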

IPv6 Essentials
- An interface can have any number of IPv6 addresses (IPv4: only one). Typically one link-local and one global
- Selection of the source address for outgoing packets becomes non-trivial (IPv4/IPv6, multiple IPv6 addresses, transition mechanisms)
  - Specified in RFC 6724, uses a policy table
  - Locally configured (/etc/gai.conf on Linux)
  - A new DHCPv6 option allows central distribution

IPv6 Essentials
- Hierarchical address allocation like with IPv4 (IANA -> RIR -> LIR -> End User)
- Basic rule: End User (e.g. UZH) gets a /48
- Subnets get a /64 (required for autoconfiguration)
  - Avoids the traditional problem of subnet sizing in IPv4
  - Assign once, no need to ever change size

IPv6 Essentials
Packet header
- Fixed size (40 bytes; IPv4: 20 bytes w/o options)
- Same QoS bits (traffic class)
- No checksum
- Flow label, should replace the 5-tuple (addresses, ports, protocol) for flow classification
- Options, fragmentation and upper-layer protocols (TCP, UDP, ICMP) are implemented as a chain of extension headers

Extension Headers
- Basic rule: extension headers are only processed by the destination
- One exception: the hop-by-hop header must be examined by intermediate hops; it must be the first option after the IPv6 header
- Problem: middleboxes (firewalls, NATs etc.) violate this rule
- Ongoing work in the IETF to adapt to this reality

ICMP
- Additional functionality integrated in ICMPv6
  - Neighbor Discovery, similar to ARP for IPv4 but includes more
  - Duplicate Address Detection
  - Neighbor Unreachability Detection
  - Address Autoconfiguration (see later)
  - Multicast group management (MLD, same as IGMP in IPv4)
- Integral part of IPv6, must not be filtered in a subnet
- Some types must not be filtered on the WAN (related to fragmentation/MTU discovery)

Stateless Address Autoconfiguration (SLAAC)
- Novel mechanism to configure global-scope IPv6 addresses automatically
- Router sends periodic Router Advertisements (RAs)
  - Subnet prefix (/64)
  - Default router
  - Options, e.g. DNS server
- Client takes the prefix, adds a 64-bit Interface Identifier (IID) constructed from its MAC address, creates the full 128-bit address
- Address gets refreshed by RAs, can expire if the router stops sending them
- Apart from static configuration, RAs are the only source for candidate default routers

SLAAC
- Plug and play, no administration
- Not well suited for controlled environments
  - No standardized way to register the address in DNS
    - Could be done with dynamic DNS
  - No registered mapping between MAC address and IP address
    - Can be created by scraping the neighbor cache on routers
    - Proposed mechanism to have the DHCP server register mappings

SLAAC
- Some people felt that embedded MAC addresses violate privacy: same interface identifier wherever you go
- IPv6 Privacy Extension: randomize the IID and change it periodically (e.g. once per day)
  - Implemented in most current systems, often enabled by default
  - OK for a home network, less so for controlled environments
- New spec "stable privacy addresses" (not yet published) generates one random IID per subnet visited by the host
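How a SLAAC client builds its address from the RA prefix and its MAC address, and why the privacy extension replaces that IID, as an added Python example (not from the slides or from SWITCH). The /64 prefix and the MAC are constructed sample values; `embedded_mac` is an inventory check of this example's own devising, for finding hosts that still expose their hardware address.

```python
import ipaddress
import secrets

# Constructed sample values (not from the slides): a /64 prefix as carried in
# a Router Advertisement, and the MAC address of one host on that subnet.
RA_PREFIX = "2001:620:0:1::/64"
HOST_MAC = "00:1b:21:aa:bb:cc"


def modified_eui64_iid(mac: str) -> bytes:
    """Derive the 64-bit Interface Identifier from a 48-bit MAC (RFC 4291,
    Appendix A): insert ff:fe between the two halves of the MAC and invert
    the universal/local bit (0x02) of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the RA's /64 prefix with the MAC-derived IID, as SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 subnet prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64_iid(mac))


def privacy_address(prefix: str) -> ipaddress.IPv6Address:
    """Privacy-extension style temporary address (RFC 4941): a random IID with
    the universal/local bit cleared, so nothing stable identifies the host."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD                      # clear the u/l bit
    return ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid))


def embedded_mac(addr: str):
    """Return the MAC embedded in a modified-EUI-64 IID, or None if the IID
    does not carry the ff:fe marker. Handy when auditing a neighbor-cache
    dump for hosts whose addresses still reveal their hardware address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    a = slaac_address(RA_PREFIX, HOST_MAC)
    print(a, embedded_mac(str(a)))      # 2001:620:0:1:21b:21ff:feaa:bbcc 00:1b:21:aa:bb:cc
    print(privacy_address(RA_PREFIX))   # random IID under the same prefix
```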

DHCPv6
- DHCP is the standard way to configure IPv4 networks
- DHCPv6 is a new, independent protocol, but with a structure similar to IPv4 DHCP
  - Uses UDP on separate ports (546, 547)
  - More coherent than DHCPv4, designed from scratch (e.g. relay functionality)
- IPv4 leases are based on the MAC address
- IPv6 leases are based on the Device Unique Identifier (DUID), which may be based on a MAC address, but does not provide a proper MAC-to-IPv6 mapping!
  - MAC address option added recently (December 2013)
- Still requires Router Advertisements for the default router
  - IETF activity to add a DHCP default router option died

DHCPv6/RA interaction
- RA contains two flags as hints to the client
  - M (managed): use DHCP to obtain the address
  - O (other): use DHCP to obtain other information (e.g. DNS server, NTP server etc.)
- SLAAC can be disabled by unsetting the A flag

Default Router Redundancy
- IPv4: HSRP/VRRP provide a virtual IP/MAC default router address
  - Default router distributed via DHCP
- IPv6: HSRP/VRRP also available
  - RAs from the virtual address configure the default route
  - Alternative: static configuration on the client

Deployment
- Several transition mechanisms available
  - Tunneling (IPv6 packets encapsulated in IPv4)
  - Translation (rewrite IPv6 header to IPv4, NAT64)
  - Dual stack, run IPv6 and IPv4 in parallel
- Dual stack is the only sensible choice for you (tunnels are forbidden by the UZH policy)
- Q: When should we start? A: Yesterday
- You'll have to convince the Informatikdienste that IPv6 is important to you :(

Deployment
- Without global connectivity, there is not much you can do
- Option: use ULA for internal IPv6 communication (address selection will prefer IPv4 for all external connections)
  - Use DHCP
  - Have your ULA prefix advertised by your default router
- General advice for dual-stack
  - Use IPv6-only wherever possible (internal services)
  - Always choose a symmetric configuration when possible