
IPv6 Tutorial Module 2: Benefits of IPv6


Presentation Transcript


  1. IPv6 Tutorial Module 2: Benefits of IPv6 Dan Campbell, President Millennia Systems, Inc.

  2. Contents • Addressing • Performance • Quality of Service • Security • Auto-Configuration • Extension Headers • Mobility

  3. Address Enhancements • IPv4 addresses are 4 bytes (32 bits) • Allows for 4,294,967,296 addresses • Removing reserved, experimental, multicast and other unusable address pools, the effective number of addresses is reduced by about 15% to 3.7M addresses • Subnetting substantially reduces the total number of addresses available for actual hosts • Large /8 and /16 allocations made before RIR oversight depleted the overall pool substantially • Although opinions differ on when it will occur, eventually the IPv4 address pool will be depleted for all practical purposes • IPv6 addresses are 16 bytes (128 bits) The most obvious change in IPv6 is the increased address size and, subsequently, the number of addresses

  4. Address Enhancements • Effectively an infinite amount of address space • Allows for the addressing and networking of trillions of non-traditional devices • Most ISPs will acquire at least a /32 from the RIRs • Most organizations will acquire a /48 prefix from their ISP • Provider-independent addressing for non-ISPs is still in debate but seems to be moving forward • Recommendation is to provide every network segment with a /64 prefix • Even small point-to-point links • Provides for better route aggregation and management of routing table size • Recommendation is to provide every unique site with a /48 • Allows for 65K unique subnets within the site • IANA / ICANN / RIR policies will continue to evolve IPv6 addresses are 128 bits in length (16 bytes)

  5. Address Enhancements A single interface may have more than one address • Address scopes serve different purposes • Link local • Unique Local Addresses (ULA) • Global • Teredo and other tunnel addresses • Interfaces can have more than one of each address type (scope) • Addresses can be gracefully deprecated so that existing sessions are not terminated prematurely • Easier renumbering • EUI-64 addressing allows for MAC address to be used as IPv6 address • Facilitates auto-configuration • Privacy extensions allow for interfaces to choose random addresses • Addresses change periodically to protect source identity • Multiple global addresses acquired from multiple ISPs can be used simultaneously • Source address selection allows the host to choose its global address based on which upstream ISP the traffic will be routed • Standards still in development

  6. Address Enhancements: Address Portability • IPv4 portability was limited to Local Internet Registries or Service Providers • Acquisition requires justification and commitments • Enterprises usually do not acquire portable addresses but can with justification • Until recently, only service providers could acquire IPv6 addresses • Enterprises were instructed to acquire an assignment from their upstream ISP • Provider Independent (PI) or “portable” addresses were restricted to Service Providers • Creates issues if an entity wants to multi-home • Seems contrary to the main IPv6 driver which is solving the address depletion issue • May create anti-competitive situations where Enterprises are reluctant to change providers because of the renumbering headache • New RIR policies allow Enterprises to acquire portable address blocks • ARIN, APNIC and AfriNIC have PI policies • RIPE and LACNIC policies are under consideration • Impact • Multi-homing becomes possible • Enterprises are not tied to their upstream provider and can change without renumbering • How will routing table growth be handled? • How will source address selection work to ensure the best routing path is chosen?

  7. Performance Enhancements [Figure: IPv6 header fields: Ver, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address] • Protocol Optimized • IPv4 header size could vary in length • IPv6 header is consistently 40 bytes • Fixed header size reduces router processing • Unnecessary Fields Removed • Header is limited to only what is necessary • Optional extension headers allow for additional features • Checksum Removed • Error checking and correction exists in other protocol layers • Unnecessary to perform at IP layer • Eliminating the checksum reduces router processing and speeds up forwarding

  8. Performance Enhancements • Fragmentation Eliminated • Routers are not involved in fragmentation and reassembly • Hosts participating in the end-to-end transaction must fragment packets • Routers will alert end host systems when fragmentation is needed • Path MTU Discovery (ICMP-based) is critical and must be allowed by firewalls • Broadcast Eliminated • Reduces traffic on LAN segments • Reduces the possibility of some traffic-intensive DoS attacks • Replaced by multicast communication and ICMPv6 messages • Route aggregation • Predominantly /32 or /48 aggregate assignments are made by RIRs • Routing table fragmentation will be kept to a minimum • IANA/RIR subnetting recommendations will keep routing tables in check

  9. QoS Enhancements • Traffic Class • 8-bit field • Same as DiffServ in IPv4 • Backward compatible with existing DiffServ-based QoS implementations • New “Flow Label” • New 20-bit field • Allows for mapping of flows directly to the layer 3 header • Used for flow prioritization, expedited forwarding and other special treatment • Reduces router processing by restricting flow-based QoS processing to layer 3 • Allows mapping of flows to IP layer prior to encryption of upper layers • Still no good RFC or white paper describing its usage • Great potential

  10. Auto-configuration Enhancements Stateless Auto-configuration is one of IPv6’s best features • Allows for hosts to be deployed into operation with little to no manual intervention • Auto-configuration communication is handled by ICMPv6 through multicast messages • Neighbor / Router Discovery allows hosts and routers to interact for configuration and forwarding purposes • EUI-64 Addressing allows for host MAC address to automatically become host IPv6 address • Privacy extensions allow for hosts to configure themselves with a random address that changes periodically • Duplicate Address Detection (DAD) protects against duplicates • Prefix Delegation allows for easy network or segment renumbering from a central source • Interfaces can have multiple addresses with obsolete addresses gracefully deprecated • Critical feature made use of by other features such as Mobile IPv6 • DHCPv6 (stateful) is available if desired

  11. Extension Headers • Headers are optional and not part of the standard 40-byte header • Hop-by-Hop • Destination Options • Routing • Fragmentation • Authentication Header • Encapsulating Security Payload • Mobility • Multiple headers can be nested if the packet or application requires • Additional features can be developed as new extension headers Extension headers provide additional features

  12. Security Enhancements: IPSec Mandate Perhaps the best security enhancement is the mandate that vendor IPv6 implementations support IPSec • IPSec in IPv4 is a separate add-on, often a separate feature set • OS must be purchased with IPSec and added to devices • Requires OS upgrade, which is disruptive and might discourage use • Implementations that do not support IPSec may be considered non-compliant • Does not mandate the use of IPSec, just the inclusion in the protocol stack • IPSec is turned off by default and must be enabled by the user • Will encourage more secure peer-to-peer communications • Host-to-host VPNs • IPSec is a pair of IPv6 Extension Headers (AH and ESP) • AH is optional if ESP is used

  13. Security Enhancements: AH / ESP Extension Headers [Figure: IPv6 header (Ver, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address) followed by Authentication Header and Encapsulating Security Payload Header] • IPSec in IPv6 is implemented as two separate extension headers • Authentication Header • Next Header Value = 51 • Validates packet’s authenticity • Same as AH in IPv4 IPSec • Optional header (may not be required in some ESP implementations) • Encapsulating Security Payload • Next Header Value = 50 • Provides packet confidentiality and integrity through encryption • Same as ESP in IPv4 IPSec • Can be used without AH • Overall, IPSec in IPv6 is fundamentally no different than in IPv4
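The header layout from slides 7, 11 and 13 as an added example (not from the original presentation): it decodes the fixed 40-byte header and follows the Next Header chain through the extension headers, stopping at ESP because everything after it is encrypted. The sample packet, addresses, SPI values and function names are constructed; the Next Header values 51 and 50 are the ones given on the slide.

```python
import ipaddress
import struct

EXT_NAMES = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 50: "ESP",
             51: "AH", 60: "Destination Options", 135: "Mobility"}

def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header."""
    if len(pkt) < 40:
        raise ValueError("shorter than the 40-byte IPv6 header")
    word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word >> 28 != 6:
        raise ValueError("version field is not 6")
    return {"traffic_class": (word >> 20) & 0xFF, "flow_label": word & 0xFFFFF,
            "payload_length": payload_len, "next_header": next_header,
            "hop_limit": hop_limit, "src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40]))}

def walk_extension_headers(pkt: bytes):
    """Return (extension header names in order, upper-layer protocol or None)."""
    nh, offset, chain = parse_fixed_header(pkt)["next_header"], 40, []
    while nh in EXT_NAMES:
        chain.append(EXT_NAMES[nh])
        if nh == 50:                      # ESP: the rest is encrypted, stop here
            return chain, None
        if offset + 2 > len(pkt):
            raise ValueError("truncated extension header")
        following, length = pkt[offset], pkt[offset + 1]
        if nh == 44:
            size = 8                      # Fragment header is always 8 bytes
        elif nh == 51:
            size = (length + 2) * 4       # AH length is in 32-bit words minus 2
        else:
            size = (length + 1) * 8       # others: 8-byte units minus the first
        nh, offset = following, offset + size
    return chain, nh

def build_sample_packet() -> bytes:
    """Constructed sample: Hop-by-Hop, then AH, then ESP (dummy SPI/ICV/payload)."""
    hbh = bytes([51, 0, 1, 4, 0, 0, 0, 0])                  # next=AH, PadN filler
    ah = bytes([50, 4, 0, 0]) + struct.pack("!II", 0x1000, 1) + bytes(12)
    esp = struct.pack("!II", 0x2000, 1) + bytes(16)         # opaque ciphertext
    payload = hbh + ah + esp
    fixed = struct.pack("!IHBB", (6 << 28) | (0xB8 << 20) | 0x12345, len(payload), 0, 64)
    return (fixed + ipaddress.IPv6Address("2001:db8::1").packed
            + ipaddress.IPv6Address("2001:db8::2").packed + payload)

if __name__ == "__main__":
    print(walk_extension_headers(build_sample_packet()))
```

A filter or sensor that cannot walk this chain cannot tell what the packet carries, and once the chain reaches ESP the upper-layer protocol is not visible to it at all.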

  14. Mobility Enhancements • Mobile IPv4 (MIPv4) was an add-on to IPv4 • Requires upgrades to routers and other systems participating in the mobile infrastructure • Mobile IPv6 (MIPv6) was developed with tight integration to IPv6 • Mobility extension header • Development is ongoing in the various working groups • Improvements: • Alleviates need for deployment of foreign agents • Takes advantage of IPv6 auto-configuration, neighbor discovery, router advertisements for address changes • Better movement detection and faster handoff • Alleviates the issue with triangular routing through route optimization (RFC 3775) • Control messages can be piggy-backed on normal IP packets rather than be separate packets • Reduces the chance of ingress filtering blocking traffic • Dynamic Home Agent Address Discovery (DHAAD) • Security and mobile node identity assurance • Indirectly, the vast address space will help mobility as it is likely NAT will be eliminated and all hosts will have an address • Allows for network mobility, in addition to traditional host mobility • May become the most important facet of IPv6 and ultimately its biggest driver

  15. Realize Tomorrow. Today.
