
IPv6 SE training

IPv6 SE training. Peter Sandkuijl Europe SE manager network security psandkuijl@checkpoint.com. A special thanks for content goes out to Ian Cuthbertson and Gregor Martin from Crossbeam. Agenda. Introduction to IPv6 IPv6 Addressing structure IPv6 Header Structure ICMPv6 Overview


Presentation Transcript


  1. IPv6 SE training Peter Sandkuijl Europe SE manager network security psandkuijl@checkpoint.com A special thanks for content goes out to Ian Cuthbertson and Gregor Martin from Crossbeam

  2. Agenda • Introduction to IPv6 • IPv6 Addressing structure • IPv6 Header Structure • ICMPv6 Overview • IPv6 Neighbour Discovery • IPv6 Routing • IPv6 Transition Mechanisms • IPv6 Security • IPv6 QoS • IPv6 OS support • IPv6 How to setup • Ipv6 Roadmap • Lab • Exam

  3. Introduction to IPv6

  4. What is IPv6? • IPv6 is an evolution of IPv4, also known as IPng (IP Next Generation) • The changes from IPv4 to IPv6 fall primarily into the following categories: • Expanded routing and addressing capabilities • Header format simplification • Quality-of-Service capabilities • Security (IPsec) with authentication and privacy capabilities • Mobility

  5. Bob Hinden (co-author of the IPv6 specifications) works for Check Point. But don't bother him with questions

  6. What happened to IPv5? • IP version number 5 was assigned to the Internet Stream Protocol (ST, later ST-II; RFC 1819) • Experimental protocol • Addressed resource reservation (a protocol intended for QoS) • Designed to coexist with IPv4, not to replace it, and it kept the IPv4 addressing scheme, so the next version of IP became 6

  7. Why IPv6? • Exhaustion of the IPv4 address space (the IANA free pool ran out in February 2011) • Inefficient allocation of the 4.3 billion IPv4 addresses • Global reallocation and renumbering is not practical • Around 33% of the world's population had Internet access at the time of writing • Size of the routing tables in the Internet backbone • End-to-end visibility (without NAT)

  8. IPv6 Benefits • Larger address space • IPv6 addresses are 128 bits long, four times as many bits as IPv4's 32-bit addresses (so the address space is 2^96 times larger, not four times) • Autoconfiguration: IPv6 is plug and play • It is easier for novice users to connect their machines to the network (it is done automatically) • Header format simplification • Extension headers • Faster processing • Security: IPv6 includes security in the basic specification • IPsec support was mandatory to implement in the original node requirements (RFC 4294); RFC 6434 later relaxed this to SHOULD, and it has never been mandatory to use, so an IPv6 network is not encrypted or authenticated by default • Quality of Service (QoS) and Class of Service (CoS) • More efficient backbone routing • Hierarchical address space model

  9. IPv6 Addressing

  10. IPv6 Address Space • IPv4 address space: 4,294,967,296 (2^32) addresses • IPv6 address space: about 340 trillion trillion trillion (2^128, roughly 3.4 x 10^38) addresses

  11. IPv6 Address Space • IPv6 has a vastly larger address space than IPv4: • An IPv4 address is 32 bits long and provides about 4,000,000,000 (4.3 billion) IP addresses • An IPv6 address is 128 bits long and provides about 340,000,000,000,000,000,000,000,000,000,000,000,000 addresses • This is not 4 times the number of addresses, this is 4 times the number of bits • There are enough IPv6 addresses for: • "There are currently 130 million people born each year. If this number of births remains the same until the sun goes dark in 5 billion years, and all of these people live to be 72 years old, they can all have 53 times the address space of the IPv4 Internet for every second of their lives" • IPv4 = 32 bits, IPv6 = 128 bits

  12. IPv6 Address Space • 128 bits of address space • Written as 8 blocks (double octets) of 16 bits each, for example 2001:0DB8:0000:0000:0000:0000:0000:0001

  13. IPv6 Address Syntax • Each 16-bit block is converted to hexadecimal (case insensitive) and delimited with colons ":" • The resulting representation is called "colon hexadecimal"

  14. IPv6 Address Syntax: Removing and Compressing Zeros • Leading zeros may be removed within each 16-bit block • One run of successive all-zero 16-bit blocks may be replaced by a double colon "::"

  15. IPv6 Address Syntax: Compressing Zeros Limitations • You cannot truncate trailing zeros within a block (0020 may be written as 20, but 2000 may not) • Zero compression ("::") can only be used once in a given address, otherwise the number of blocks it stands for is ambiguous
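The rules from slides 13 to 15, worked through in code. This is an added example for this deck, not code from the original slides: it re-implements the text form of RFC 4291 section 2.2 and the canonical form of RFC 5952 by hand instead of calling Python's ipaddress module, so that each rule is visible. The practitioner point is that one address has many valid spellings, so access lists must compare by value, never by string.

```python
"""Colon-hexadecimal IPv6 text: expansion and RFC 5952 canonical compression."""
# Added example for this deck, not code from the original slides.
import re
from typing import List

_HEX_BLOCK = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def expand(text: str) -> List[int]:
    """Parse colon-hex text into eight 16-bit integers.

    Rules enforced: at most one '::', '::' stands for one or more zero blocks,
    every block is 1-4 hex digits (leading zeros may be dropped, trailing ones
    may not be truncated), and the result is exactly 128 bits.
    IPv4-embedded forms such as ::ffff:192.0.2.1 are deliberately not handled.
    """
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in text:
        head, tail = text.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one 16-bit block")
        blocks = head_blocks + ["0"] * missing + tail_blocks
    else:
        blocks = text.split(":")
    if len(blocks) != 8:
        raise ValueError("an address has exactly eight 16-bit blocks")
    for block in blocks:
        if not _HEX_BLOCK.match(block):
            raise ValueError(f"bad 16-bit block {block!r}")
    return [int(block, 16) for block in blocks]


def compress(blocks: List[int]) -> str:
    """Produce the RFC 5952 canonical text form.

    Lowercase hex, no leading zeros, and '::' replaces the longest run of two
    or more consecutive zero blocks (the first such run on a tie). A single
    zero block is written as '0', never as '::'.
    """
    if len(blocks) != 8:
        raise ValueError("need eight blocks")
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] == 0:
            j = i
            while j < 8 and blocks[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexs = [format(b, "x") for b in blocks]
    if best_len < 2:
        return ":".join(hexs)
    head = ":".join(hexs[:best_start])
    tail = ":".join(hexs[best_start + best_len:])
    return f"{head}::{tail}"


def canonical(text: str) -> str:
    """Normalise any valid text form to its RFC 5952 representation."""
    return compress(expand(text))


def same_address(a: str, b: str) -> bool:
    """Compare two textual addresses by value, not by string.

    '2001:DB8::1', '2001:0db8:0:0:0:0:0:1' and '2001:db8::0:1' are the same
    address; an allow/deny list that compares raw strings is bypassed by
    simply choosing another spelling.
    """
    return expand(a) == expand(b)
```

In production code, `ipaddress.IPv6Address(text)` performs the same normalisation; the hand-written version above exists only to show where each of the slide's rules bites.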

  16. IPv6 Prefixes • Indicates the fixed part of the address • Same as CIDR in IPv4, this is used to define the network portion of the address (192.168.10.0/24) • Dotted decimal subnet masks are NOT used in IPv6 • Example: 12AB:20:3::/48, a 48-bit network prefix (12AB:0020:0003) followed by 80 bits of host part

  17. Implied Network Prefix • Half the address space for networks (/64 implied prefix) • Half the address space for host identification (Interface ID) • Example: FE80::/64 (64-bit network prefix, 64-bit Interface ID)

  18. Interface Identifiers • Lowest-order 64-bit field of the address • Identify a unique interface on a link • A link is a network medium over which network nodes communicate using the link layer (e.g. Ethernet) • Must be unique on the link (Duplicate Address Detection verifies this) • It may be assigned in several different ways: • Auto-configured from the interface's MAC address via modified EUI-64 • Auto-generated pseudo-random number (RFC 4941 privacy extensions, to address the tracking concern that an EUI-64 identifier exposes the MAC address) • Assigned via DHCPv6 • Manually configured

  19. Interface Identifiers: EUI-64 • EUI – Extended Unique Identifier • The modified EUI-64 identifier is formed from the 48-bit Ethernet MAC address by inserting FFFE between the OUI (first 24 bits) and the device part (last 24 bits), then inverting the universal/local bit (bit 0x02 of the first octet), so that a globally unique MAC yields U/L = 1 • The 64-bit result becomes the Interface ID; because the MAC address can be read straight back out of it, such an address identifies the hardware wherever the host connects
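The EUI-64 construction above in both directions, as an added example that is not part of the original deck. The reverse direction is the reason the privacy extensions of slide 18 exist: anyone who sees an EUI-64 address can recover the MAC, and with it the vendor and a persistent identifier for the machine. The MAC addresses used below are the ones from the deck's own Neighbor Solicitation example.

```python
"""Modified EUI-64 interface identifiers (RFC 4291 Appendix A), both ways."""
# Added example for this deck, not code from the original slides.
import ipaddress
import re
from typing import Optional


def mac_to_bytes(mac: str) -> bytes:
    """Accept 00:10:5a:aa:20:a2, 00-10-5a-aa-20-a2 or 00105aaa20a2."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def eui64_from_mac(mac: str) -> bytes:
    """Split the MAC in half, insert FF FE, invert the universal/local bit.

    The bit is flipped (XOR), not simply set: a globally unique MAC has
    U/L = 0 and becomes 1; a locally administered one goes the other way.
    """
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_from_mac(mac: str) -> str:
    """FE80::/64 plus the modified EUI-64, in RFC 5952 text form."""
    prefix = ipaddress.IPv6Address("fe80::").packed[:8]
    return str(ipaddress.IPv6Address(prefix + eui64_from_mac(mac)))


def mac_from_address(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived address.

    Returns None when the interface ID was not built that way (no FF:FE in
    the middle), e.g. for a privacy address, a DHCPv6 lease or ::1.
    """
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02          # undo the U/L inversion
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)
```

Running `mac_from_address` over the source addresses in a packet capture is a quick way to see which hosts on a segment still advertise their hardware identity instead of using RFC 4941 temporary addresses.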

  20. IPv6 Autoconfiguration • Stateful configuration • Manual IP configuration • DHCPv6 configuration • Stateless Address Autoconfiguration (SLAAC, RFC 2462, now RFC 4862) • Host autonomously configures its own link-local address • Applies to hosts only (not to routers) • Booting nodes send Router Solicitation messages; routers answer with Router Advertisements carrying additional addresses and information: • Specifies the prefix(es), default route and lifetimes • But does not specify the DNS servers (unless the router sends the RDNSS option of RFC 6106; otherwise DNS comes from DHCPv6 or manual configuration) • In the absence of a router, the host can only generate its link-local address • Uses Duplicate Address Detection (DAD) before an address is put into use • Caveat: a host accepts Router Advertisements from any node on the link, so a rogue or misconfigured RA can renumber or redirect a whole segment; switch-level RA Guard (RFC 6105) limits which ports may send them

  21. IPv6 Address States • Tentative address • This is an address that has not yet been assigned • It is the state prior to the assignment, when uniqueness is being verified • A node cannot communicate in the network using a tentative address • Preferred address • This is the address that has been assigned to an interface and can be used without any restrictions for the lifetime assigned • Deprecated address • The use of this address is discouraged but not forbidden • A deprecated address might be one whose lifetime is about to expire • It is no longer used as a source address for newly established communications • Valid address • This term is used for both the preferred and deprecated address • Invalid address • A valid address becomes invalid when its lifetime expires

  22. Types of IPv6 Address • IPv6 addressing rules are covered by multiple RFCs • Architecture defined by RFC 3513 (since replaced by RFC 4291) • Address types are: • Unicast: one to one • Unspecified (all zeros) • Loopback • Scoped addresses • Link-local • Site-local (deprecated by RFC 3879) • Global • Multicast: one to many • Anycast: one to nearest (allocated from the unicast space) • A single interface may be assigned multiple IPv6 addresses of any type (unicast, anycast, multicast)

  23. Types of IPv6 Addresses (cont.) • Unicast: one to one • An identifier for a single interface • A packet sent to a unicast address is delivered to the interface identified by that address • Delivery to a single interface • Multicast: one to many • An identifier for a set of interfaces (typically belonging to different nodes) • A packet sent to a multicast address is delivered to all interfaces identified by that address • Delivery to all interfaces in the set • Anycast: one to nearest • An identifier for a set of interfaces (typically belonging to different nodes) • A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the "nearest" one) • Delivery to a single interface in the set • Assigned to routers • Broadcast is eliminated in IPv6 (no "broadcast storm"); where every node must be reached, the all-nodes multicast group FF02::1 is used instead, and it still reaches every node on the link

  24. Address Type Identification • Addresses have scope: • Link-local • Unique local • Global

  25. Link-Local Unicast Address • FE80::<interface-id> (prefix FE80::/10; in practice FE80::/64, with the 54 bits between the prefix and the Interface ID set to zero) • Scope limited to the local link; unique on a subnet • Automatically configured on each interface • Used when communicating with neighbouring nodes on the same link (Neighbor Discovery, Router Advertisements, routing protocol adjacencies) • Never forwarded by routers; because every interface has one, applications and firewall rules must qualify it with the interface (zone), e.g. FE80::1%eth0 • Example: FE80::1:30FF:FEF3:C110 and FE80::1:30FF:FEF3:C4A2 on the same link

  26. Global Unicast Address (RFC 4291) • Prefix range 2000::/3 (first three bits 001) • Used in production IPv6 networks • Globally reachable • Structured as a hierarchy to keep aggregation: 3 fixed bits (001), 45-bit global routing prefix (provider), 16-bit subnet ID (site), 64-bit Interface ID (host)

  27. Global Unicast Address Allocation • Allocation hierarchy: Registry prefix /23, ISP prefix /32, Site prefix /48, Subnet prefix /64, then the 64-bit Interface ID (e.g. 2001:0410::/32 for an ISP) • The allocation process, as it was when the 2001::/16 block was opened: • The IANA allocates the IPv6 address space in the range 2001::/16 to the RIRs (Regional Internet Registries) - http://www.iana.org/assignments/ipv6-unicast-address-assignments • Each registry got /23 prefixes from the IANA (since 2006 the IANA allocates /12 blocks to the RIRs) • The registry allocates a /32 prefix to an IPv6 ISP • Policy is that an ISP allocates a /48 prefix to each end customer (RFC 3177; RFC 6177 later allowed anything from /48 to /56)

  28. Global Unicast Address Allocation (cont.) • IANA: 2001::/16 • RIRs (2^7 /23 blocks per /16): APNIC 2001:0200::/23, ARIN 2001:0400::/23, RIPE 2001:0600::/23, LACNIC 2001:1200::/23 • ISPs (2^9 /32 blocks per RIR /23): ISP-1 2001:0601::/32, ISP-2 2001:0602::/32, ISP-3 2001:0603::/32 • Customers (2^16 /48 blocks per ISP /32): Customer-1 2001:0602:0001::/48, Customer-2 2001:0602:0002::/48 • Subnets (2^16 /64 blocks per customer /48): Subnet-1 2001:0602:0001:0001::/64, Subnet-2 2001:0602:0001:0002::/64 • Nodes: 2^64 per /64 subnet

  29. Aggregation Benefits • The larger address space enables: • Aggregation of prefixes announced in the global routing table • Efficient and scalable routing • Figure: the ISP holding 2001:0601::/32 announces only that /32 towards the IPv6 Internet (2001::/16); the customer prefixes shown in the figure (2001:0601:0001::/48 and 2001:0602:0002::/48) are not announced individually

  30. Special Addresses • Unspecified (::) • Used as the source address when the node has no address yet, e.g. in the Neighbor Solicitation sent for Duplicate Address Detection • Like 0.0.0.0 in IPv4; note that DHCPv6 clients do not need it, they send from their link-local address • Must never be used as a destination address and is never forwarded by routers • Loopback (::1) • Identifies self • Used to determine if your IPv6 stack works: ping6 ::1

  31. Unique Local IPv6 Unicast Addresses (RFC 4193) • Prefix range FC00::/7 • The L bit is set to 1 for locally assigned (L = 0 may be defined later), so addresses actually start with FD (FD00::/8) • 40-bit pseudo-randomly generated Global ID, so that independently numbered sites are very unlikely to overlap when they are later connected • Ideal for sites with intermittent or no global IPv6 connectivity; the IPv4 analogue is RFC 1918, but ULA prefixes are not meant to be NATed and site border routers must not route them outside • Get a unique range: http://www.simpledns.com/private-ipv6.aspx
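The generator linked on the slide implements the algorithm of RFC 4193 section 3.2.2; this added example (not part of the original deck) does the same locally. The Global ID is the low 40 bits of SHA-1 over a 64-bit NTP timestamp and the generating system's EUI-64, which is what keeps two independently generated ULA /48s from colliding when sites merge or are joined by VPN. The EUI-64 value and timestamp in the test are constructed inputs, not values from the deck.

```python
"""Unique Local Address /48 generation per RFC 4193 section 3.2.2."""
# Added example for this deck, not code from the original slides.
import hashlib
import ipaddress
import struct
import time
from typing import Optional

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP format: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_time)
    fraction = int((unix_time - whole) * (1 << 32))
    return struct.pack("!II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF,
                       fraction & 0xFFFFFFFF)


def ula_prefix(eui64: bytes, unix_time: Optional[float] = None) -> ipaddress.IPv6Network:
    """Return an FDxx:xxxx:xxxx::/48 prefix for this EUI-64 and point in time.

    Steps 1-6 of RFC 4193 section 3.2.2. eui64 is the 8-byte modified EUI-64
    of the generating system; any stable per-system identifier will do.
    """
    if len(eui64) != 8:
        raise ValueError("EUI-64 must be 8 bytes")
    if unix_time is None:
        unix_time = time.time()
    key = ntp_timestamp(unix_time) + eui64      # steps 1-3: time || EUI-64
    digest = hashlib.sha1(key).digest()         # step 4: SHA-1, 160 bits
    global_id = digest[-5:]                     # step 5: low-order 40 bits
    # step 6: FC00::/7 with L = 1 gives a first octet of 0xFD
    network = b"\xfd" + global_id + b"\x00" * 10
    return ipaddress.IPv6Network((network, 48))


def is_ula(net: ipaddress.IPv6Network) -> bool:
    """True for anything inside FC00::/7."""
    return net.network_address.packed[0] & 0xFE == 0xFC


def subnet(prefix: ipaddress.IPv6Network, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve one of the 65,536 /64 subnets out of a ULA /48 (16-bit Subnet ID)."""
    if prefix.prefixlen != 48:
        raise ValueError("expected a /48")
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("subnet ID is 16 bits")
    return ipaddress.IPv6Network((int(prefix.network_address) + (subnet_id << 64), 64))
```

The checks worth keeping from this: a ULA prefix is always /48, always starts with FD, and the Global ID must come from the hashed random process, not from a human picking something memorable.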

  32. Unicast address summary - ranges

  33. Multicast Address • Broadcast is not used in IPv6; it is replaced by multicast • A multicast address identifies a group of interfaces • An interface may belong to any number of multicast groups • Multicast addresses must not be used as a source address in an IPv6 packet, only as a destination

  34. Multicast Address (cont.) • Format: 8 bits 0xFF, 4 bits flags, 4 bits scope, 112 bits group ID (prefix FF00::/8) • All-nodes addresses: FF01::1 (interface-local), FF02::1 (link-local) • All-routers addresses: FF01::2 (interface-local), FF02::2 (link-local), FF05::2 (site-local)

  35. Multicast Address Scope • Format: 8 bits 0xFF, 4 bits flags, 4 bits scope, 112 bits group ID • The 4-bit scope field (the second hex digit after FF) limits how far a multicast packet may travel: 1 = interface-local (node-local), 2 = link-local, 5 = site-local, E = global

  36. Multicast Address Group ID • The group ID identifies the multicast group within the given scope • Though 112 bits are available, RFC 4291 suggests using only the low-order 32 bits, because only those survive the mapping to a MAC address • Multicast MAC address mapping (RFC 2464): 33:33 followed by the last four bytes of the IPv6 destination multicast address, so FF02::1 maps to 33:33:00:00:00:01

  37. An IPv6 Host Has… • Unicast addresses: • A link-local address for each interface • Possibly other unicast address(es) for each interface (assigned manually or automatically) • A loopback address (::1) • Multicast addresses: • The node-local scope all-nodes multicast address (FF01::1) • The link-local scope all-nodes multicast address (FF02::1) • The solicited-node address for each unicast address • The multicast addresses of all other groups to which the host belongs

  38. Solicited node address • Solicited-node addresses are used by the IPv6 Neighbor Discovery (ND) protocol to provide more efficient address resolution than the ARP broadcasts used in IPv4 • Format: FF02::1:FFXX:XXXX, where XX:XXXX is the low-order 24 bits of the unicast (or anycast) address (RFC 4291 section 2.7.1) • A node joins one solicited-node group per unicast address it configures; because only 24 bits are used, a few unrelated hosts may share a group, but waking every host on the link the way ARP does is avoided

  39. An IPv6 Router Has… • Unicast addresses: • A link-local address for each interface • Unicast address(es) for each interface • A loopback address (::1) • Anycast addresses: • The subnet-router anycast address for all interfaces for which it is configured to act as a router • Multicast addresses: • The node-local scope all-nodes multicast address (FF01::1) • The node-local scope all-routers multicast address (FF01::2) • The link-local scope all-nodes multicast address (FF02::1) • The link-local scope all-routers multicast address (FF02::2) • The site-local scope all-routers multicast address (FF05::2) • The solicited-node address for each unicast address • The multicast addresses of all other groups to which the router belongs

  40. Default Address Selection for IPv6 (RFC 3484, now RFC 6724) • Address pairs of the same scope or type (link-local, global) are preferred • The smallest destination scope that works is preferred • A preferred (non-deprecated) address is preferred over a deprecated one • If all criteria are similar, address pairs with the longest common prefix are preferred • For the source address, RFC 3484 prefers public (e.g. EUI-64 derived) addresses over temporary addresses; RFC 6724 reverses this default so that temporary addresses are used for outbound connections • In Mobile IP situations, home addresses are preferred over care-of addresses

  41. Example: Neighbor Solicitation • Host A (MAC 00-10-5a-aa-20-a2, IPv6 FE80::210:5AFF:FEAA:20A2) wants to send to Host B (MAC 00-60-97-02-6e-a5, IPv6 FE80::260:97FF:FE02:6EA5) but does not yet know B's MAC address • Step 1: Host A sends a multicast Neighbor Solicitation • Ethernet frame: S 00-10-5a-aa-20-a2, D 33-33-FF-02-6E-A5 (the solicited-node multicast MAC) • IP packet: S FE80::210:5AFF:FEAA:20A2, D FF02::1:FF02:6EA5 (the solicited-node address of the target) • Data 1: Target address FE80::260:97FF:FE02:6EA5 • Data 2: Source link-layer address option 00-10-5a-aa-20-a2 • Address resolution uses the solicited-node group, not the all-nodes address FF02::1 / 33-33-00-00-00-01, so only interfaces whose low 24 bits match the target receive the frame (RFC 4861 section 7.2.2) • Step 2: Host B replies with a unicast Neighbor Advertisement carrying its MAC; Host A can now send the unicast packet • Ethernet frame: S 00-10-5a-aa-20-a2, D 00-60-97-02-6e-a5 • IP packet: S FE80::210:5AFF:FEAA:20A2, D FE80::260:97FF:FE02:6EA5
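The exchange of slide 41, together with the address and MAC mappings of slides 36 and 38, as an added example that is not part of the original deck. It derives the solicited-node group and multicast MAC from the target, builds the ICMPv6 Neighbor Solicitation message with its Source Link-Layer Address option, and computes the ICMPv6 checksum over the IPv6 pseudo-header, which is the only integrity check an ND message has. The hosts are the deck's own Host A and Host B; the Ethernet and IPv6 headers themselves are not serialised, only their parameters are returned.

```python
"""Solicited-node multicast, multicast MAC mapping and an ICMPv6 Neighbor
Solicitation with a pseudo-header checksum (RFC 4291, RFC 2464, RFC 4861)."""
# Added example for this deck, not code from the original slides.
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58
ND_NEIGHBOR_SOLICITATION = 135
OPT_SOURCE_LINK_LAYER_ADDRESS = 1


def solicited_node(unicast: str) -> str:
    """FF02::1:FFxx:xxxx with the low-order 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(unicast).packed[-3:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))


def multicast_mac(group: str) -> str:
    """33:33 followed by the low-order 32 bits of the IPv6 group (RFC 2464)."""
    low32 = ipaddress.IPv6Address(group).packed[-4:]
    return ":".join(f"{b:02x}" for b in b"\x33\x33" + low32)


def icmpv6_checksum(src: str, dst: str, icmpv6: bytes) -> int:
    """One's-complement sum over the IPv6 pseudo-header plus the message.

    Pseudo-header (RFC 8200 section 8.1): source, destination, 32-bit
    upper-layer length, 3 zero bytes, Next Header = 58. IPv6 has no header
    checksum, so this also covers the addresses.
    """
    pseudo = (ipaddress.IPv6Address(src).packed
              + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(icmpv6))
              + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))
    data = pseudo + icmpv6
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_neighbor_solicitation(src: str, src_mac: str, target: str) -> dict:
    """Return frame/packet parameters and the raw ICMPv6 NS for `target`."""
    dst = solicited_node(target)
    mac = bytes.fromhex(src_mac.replace(":", "").replace("-", ""))
    # Type 135, Code 0, Checksum placeholder, 4 reserved bytes, 128-bit target,
    # then the Source Link-Layer Address option (type 1, length 1 = 8 octets).
    body = struct.pack("!BBHI", ND_NEIGHBOR_SOLICITATION, 0, 0, 0)
    body += ipaddress.IPv6Address(target).packed
    body += bytes([OPT_SOURCE_LINK_LAYER_ADDRESS, 1]) + mac
    csum = icmpv6_checksum(src, dst, body)
    body = body[:2] + struct.pack("!H", csum) + body[4:]
    return {"eth_dst": multicast_mac(dst), "ipv6_dst": dst,
            "icmpv6": body, "checksum": csum}


def verify_checksum(src: str, dst: str, icmpv6: bytes) -> bool:
    """A receiver recomputes over the message with the checksum in place;
    a valid message folds to zero."""
    return icmpv6_checksum(src, dst, icmpv6) == 0
```

Nothing in the message authenticates the sender: any node on the link can answer the solicitation, or send unsolicited advertisements, which is the IPv6 equivalent of ARP spoofing. That is why the later security section matters and why first-hop protections such as RA Guard and ND inspection exist.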

  42. Anycast Addresses • An IPv6 anycast address is a global unicast address that is assigned to more than one interface • Anycast addresses are indistinguishable from unicast addresses • Anycast addresses are used only as destination addresses and (under RFC 4291) are assigned only to routers • When assigned to an interface, the node must be explicitly configured to know that the address is an anycast address • A packet sent to an anycast address is delivered to a single interface: the "nearest" interface having that address • In a WAN scope, the nearest interface is found according to the distance metric of the routing protocol • In a LAN scope, the nearest interface is found according to the first neighbour that is learned about

  43. IPv4 vs IPv6 Addresses (comparison table; the footnote expands APIPA as Automatic Private IP Addressing, the IPv4 169.254.0.0/16 counterpart of IPv6 link-local addresses)

  44. IPv6 Header Structure

  45. Ethernet Encapsulation (RFC 2464) • Link-layer frame: Destination address (6 bytes), Source address (6 bytes), EtherType (2 bytes), IPv6 header (40 bytes), Data (variable), FCS (4 bytes) • EtherType: IPv4 = 0x0800, IPv6 = 0x86DD • Multicast destination MAC address: 33:33 followed by the last four bytes of the IPv6 destination multicast address

  46. IPv6 Header (RFC 2460, now RFC 8200) • Fixed length (40 bytes) • Longer header than IPv4, but fewer fields • Header processing is simpler: no header checksum to recompute at every hop (which is why the upper-layer checksum over a pseudo-header is mandatory, UDP included) and no fragmentation by routers • Options are handled by extension headers • Fields: Version (4 bits), Traffic Class (8), Flow Label (20), Payload Length (16), Next Header (8), Hop Limit (8), Source Address (128), Destination Address (128)

  47. IPv6 Header Fields

  48. IPv4 & IPv6 Header Comparison • IPv4 header: 20 bytes without options; IPv6 header: 40 bytes without extensions • Fields kept from IPv4 to IPv6: Version, Source Address, Destination Address • Fields with a name and position change in IPv6: Type of Service → Traffic Class, Total Length → Payload Length, Protocol → Next Header, Time To Live → Hop Limit • Fields not kept in IPv6: IHL, Identification, Flags, Fragment Offset, Header Checksum, Options, Padding (fragmentation and options move to extension headers) • New field in IPv6: Flow Label

  49. Extension Headers • Extension headers are identified by the Next Header field of the header before them • "Stacked" extensions for additional features, each carrying its own Next Header that points to the following one • Added after the basic 40-byte header and before the upper-layer header • Only the destination node processes an extension header, except for the Hop-by-Hop Options header (examined by every router on the path) and the Routing header (processed by each listed intermediate node) • Example chains: • IPv6 header (Next Header = TCP) → TCP header + data • IPv6 header (Next Header = Routing) → Routing header (Next Header = TCP) → TCP header + data • IPv6 header (Next Header = Routing) → Routing header (Next Header = ESP) → ESP header (Next Header = TCP) → TCP header + data

  50. Extension Header Types
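A parser for the header layout of slides 46 to 50, as an added example that is not part of the original deck. Walking the Next Header chain is the step any filter or IDS must take before it can match on ports, and the two cases the walker flags are the ones that defeat naive filters: a non-first fragment, where the transport header is simply not in this packet, and a deprecated Type 0 Routing header (RFC 5095). The sample packet is constructed inline (Hop-by-Hop Options, then Fragment, then TCP, between two addresses from the 2001:db8::/32 documentation prefix); the protocol numbers are the IANA values.

```python
"""Walk an IPv6 packet's extension-header chain to reach the upper layer."""
# Added example for this deck, not code from the original slides.
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
TCP, UDP, ICMPV6, NO_NEXT_HEADER = 6, 17, 58, 59
EXTENSION_HEADERS = {HOP_BY_HOP: "Hop-by-Hop Options", ROUTING: "Routing",
                     FRAGMENT: "Fragment", ESP: "ESP", AH: "AH",
                     DEST_OPTS: "Destination Options"}


def parse_fixed_header(pkt: bytes) -> dict:
    """Unpack the 40-byte fixed header (RFC 8200 section 3)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    vtf, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError(f"not IPv6 (version {vtf >> 28})")
    return {"version": 6, "traffic_class": (vtf >> 20) & 0xFF,
            "flow_label": vtf & 0xFFFFF, "payload_length": payload_len,
            "next_header": next_hdr, "hop_limit": hop_limit,
            "src": pkt[8:24], "dst": pkt[24:40]}


def walk_extension_headers(pkt: bytes) -> dict:
    """Follow Next Header until an upper-layer protocol (or ESP) is reached.

    Returns the chain of extension-header names, the final protocol number
    and its offset, plus two flags: non_first_fragment (transport header is
    in another fragment, so ports cannot be matched here) and rh0 (Routing
    header type 0, deprecated by RFC 5095).
    """
    hdr = parse_fixed_header(pkt)
    end = 40 + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("payload length exceeds packet")
    chain, offset, nh = [], 40, hdr["next_header"]
    flags = {"non_first_fragment": False, "rh0": False}
    while nh in EXTENSION_HEADERS:
        chain.append(EXTENSION_HEADERS[nh])
        if nh == ESP:  # what follows is encrypted; the walk ends here
            return {"chain": chain, "upper_layer": ESP, "offset": offset, **flags}
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        next_nh, hdr_ext_len = pkt[offset], pkt[offset + 1]
        if nh == FRAGMENT:
            length = 8  # fixed size; byte 1 is reserved, not a length
            frag_off = struct.unpack("!H", pkt[offset + 2:offset + 4])[0] >> 3
            if frag_off != 0:
                flags["non_first_fragment"] = True
                return {"chain": chain, "upper_layer": next_nh,
                        "offset": offset + 8, **flags}
        elif nh == AH:
            length = (hdr_ext_len + 2) * 4  # AH counts 32-bit words minus 2
        else:
            length = (hdr_ext_len + 1) * 8  # 8-octet units, not counting the first
        if nh == ROUTING and pkt[offset + 2] == 0:
            flags["rh0"] = True
        offset += length
        nh = next_nh
    return {"chain": chain, "upper_layer": nh, "offset": offset, **flags}


def tcp_udp_ports(pkt: bytes, info: dict):
    """Ports are only trustworthy when the walk ended on TCP/UDP in this packet."""
    if info["non_first_fragment"] or info["upper_layer"] not in (TCP, UDP):
        return None
    return struct.unpack("!HH", pkt[info["offset"]:info["offset"] + 4])


def build_sample_packet(frag_offset: int = 0) -> bytes:
    """Constructed sample: Hop-by-Hop (PadN) -> Fragment -> TCP SYN to port 443."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    hbh = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])          # next=Fragment, PadN(4)
    frag = bytes([TCP, 0]) + struct.pack("!HI", (frag_offset << 3) | 1, 0xABCD)
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    payload = hbh + frag + tcp
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64) + src + dst
    return fixed + payload
```

The design point is the early return on a non-first fragment: a filter that keeps reading and interprets whatever follows as a TCP header is matching on attacker-controlled bytes, which is exactly the evasion that RFC 7112 (requiring the whole header chain in the first fragment) was written against.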
