IPv6 tutorial RedIRIS – Miguel Angel Sotos miguel.sotos@rediris.es
Agenda • History • Why IPv6 • IPv6 addresses • Autoconfiguration • DNS • Transition mechanisms • Security in IPv6 • IPv6 in Windows and Linux • IPv6 now
History • 70s • TCP/IP – developed in 1973, part of a project of the Department of Defense (ARPA agency, USA) • ARPAnet network • Connected the computer networks of universities and research centers
History • 80s • 1983, ARPAnet starts using TCP/IP • 1986, NSF (National Science Foundation) begins the development of NSFnet, which would replace ARPAnet and become the base of the Internet
History • 90s • 1993, first forecasts of the exhaustion of IPv4 addresses • IETF (Internet Engineering Task Force) develops the IPv6 specifications • Initially it was called IPng • What happened to IPv5? • Version number 5 was used to mark packets that carried an experimental real-time streaming protocol called ST.
Why IPv6 • The main reason: more addresses • But what happens if I don’t need more addresses? • IPv6 is in fashion • Don’t lose the opportunity • Simplify end-to-end connections • No more NATs for security • Technically: • All in one • Security in the network layer • Autoconfiguration • More efficient and hierarchical routing • We start again • Headers are simpler
Why IPv6 • And now we have a lot of devices connected to a network, even TVs, cameras, fridges…everything!
Why IPv6 • Countries with a shortage of IPv4 addresses • Increasing demand • Companies adopting and introducing IPv6 • IPv6 support will be necessary to avoid being cut off from part of the network and the Internet • IPv6 is robust, no patches • Anyway… maybe IPv4 will not disappear
IPv6 header • It’s simpler
IPv6 header • CLASS is the Type of Service in IPv4 • HOP LIMIT is the TTL of IPv4 • FLOW LABEL is used in QoS • PAYLOAD LENGTH is the length of the data carried by the packet • NEXT HEADER • If I have more info, I use more headers… • No checksum • No fragmentation, only end to end • MTU discovery
IPv6 header • Types of header extensions • Routing • Fragmentation • Hop-by-hop options • Destination options • Authentication • ICMP • Completely new • Including IGMP
IPv6 addresses • IPv4 – 4000 million addresses • Allocation without control • Fragmentation • IPv6 – 3.4x10^38 addresses • Clean slate, we start from scratch. Control, order. • 128 bits to address the world
IPv6 addresses • 4 times bigger • 32 to 128 bits • Syntax: • aaaa:bbbb:cccc:dddd:eeee:ffff:0000:1111 • Hexadecimal digits in groups of 4 • You can replace a group of 0s with :: • No masks, instead we have /number_of_bits (like CIDR notation in IPv4)
IPv6 addresses • Address format: • Unicast, multicast, anycast • Global unicast addresses start with 001 (binary) so we have addresses starting with 2 or 3 • 2001::… or 3ffe::… • No broadcast (instead, multicast)
IPv6 addresses • Interface-id • Last 64 bits of the address • Unique in a local network • The IPv6 address is associated with the interface, not the host • MAC address is mapped
IPv6 addresses • Host addresses • When I have IPv6 configured or enabled in a host, I automatically have a link-local address • Starts with fe80:: • Not routable • Is unique in the local network • That address is configured automatically using the interface-id • Used for autoconfiguration
IPv6 addresses • Multicast addresses • Start with FF00 • First 0 is Flags – (0,1 – permanent, not permanent) • Second 0 is scope • 1 – node • 2 – link • 5 – site • 8 – organization • E – global • FF02::1 – all the nodes of a network • FF02::2 – all the routers of a network
IPv6 addresses • Anycast addresses • Used for a group of interfaces with the same address • One packet sent to that address goes to the nearest host with that address
IPv6 addresses • Example of global addresses: • IPv4: 130.206.1.159 • IPv6: 2001:0720:0418:cafe:cccc:1111:abeb:b0b0 • We can summarize: • 2001:720:0000:0000:0000:0000:0000:9876 is • 2001:720::9876 • 2001:720:0000:0000:0000:0000:0000:0000 is • 2001:720:: • What will be ::/0 ?
IPv6 addresses • How can I distribute my prefix in my network? • To each one of the centers I can assign a /48 • First 48 bits are fixed • A network is a /64 • Interface ID • I have 16 bits to distribute the addresses in my center • Network ID
IPv6 addresses • Example: RedIRIS has 2001:0720::/32 for all the universities and research centers • [Figure: the prefix divided by company/building and department]
IPv6 addresses • Special addresses • Loopback (127.0.0.1) is ::1 • Default(0.0.0.0/0) is ::/0 • IPv6 compatible with IPv4 (for tunnels) ::130.206.1.159 • IPv6 mapped over IPv4 ::FFFF:130.206.1.159 • Link-local address, starts with fe80::
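One address has many textual forms, so filters and log searches should compare parsed addresses rather than strings. This added example (not part of the original slides) canonicalizes and classifies the address types listed above with Python's standard `ipaddress` module; `describe` and the sample inputs are names and values chosen for the example.

```python
import ipaddress

# Scope nibble values as listed on the multicast slide.
SCOPES = {0x1: "node", 0x2: "link", 0x5: "site", 0x8: "organization", 0xE: "global"}

def describe(text):
    """Return (canonical text, kind, detail) for one IPv6 address string."""
    addr = ipaddress.IPv6Address(text)
    raw = addr.packed
    kind, detail = "other", None
    if addr == ipaddress.IPv6Address("::1"):
        kind = "loopback"
    elif raw[0] == 0xFF:
        # ff<flags><scope>: high nibble of the second byte is flags, low nibble is scope
        flags, scope = raw[1] >> 4, raw[1] & 0x0F
        life = "not permanent" if flags & 0x1 else "permanent"
        kind, detail = "multicast", (life, SCOPES.get(scope, "other"))
    elif raw[0] == 0xFE and raw[1] & 0xC0 == 0x80:
        kind = "link-local"                       # fe80::/10
    elif raw[:10] == bytes(10) and raw[10:12] == b"\xff\xff":
        # ::ffff:a.b.c.d, should be matched against the IPv4 policy as a.b.c.d
        kind, detail = "ipv4-mapped", str(ipaddress.IPv4Address(raw[12:]))
    elif raw[:12] == bytes(12) and raw[12:] > b"\x00\x00\x00\x01":
        kind, detail = "ipv4-compatible", str(ipaddress.IPv4Address(raw[12:]))
    elif raw[0] >> 5 == 0b001:
        kind = "global unicast"                   # first three bits are 001
    return addr.compressed, kind, detail

if __name__ == "__main__":
    # Constructed sample inputs in several spellings.
    for sample in ("2001:0720:0000:0000:0000:0000:0000:9876", "FF02::1",
                   "fe80::1", "::FFFF:130.206.1.159", "::130.206.1.159"):
        print(sample, "->", describe(sample))
```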
Autoconfiguration • New IPv6 feature (similar to IPv6 DHCP) • Network administration is easier – plug and play • The user connects the host to the network and it is automatically configured • Advantage over DHCP • An additional server is not necessary
Autoconfiguration • Protocol used here is neighbor discovery • Hosts and network equipment exchange multicast IPv6 packets to check the host IPv6 address • Duplicate IPv6 address detection • Two types • Stateful and stateless • Different mechanisms that can be used in a complementary way
Autoconfiguration • Stateful • Manual configuration, or using DHCP • Like IPv4 • Stateless • Completely automatic configuration • Manual configuration of hosts and servers is not necessary. In some cases, we need minimal configuration of the network equipment (routers)
Autoconfiguration • Neighbour advertisement • The host sends a router solicitation message • ICMP type 133 • The router sends a router advertisement message • ICMP type 134 • It includes the prefix announced by the router, with its TTL
Autoconfiguration • The host sends a neighbour solicitation message to check the IPv6 address of the neighbour • ICMP type 135 • A neighbour advertisement message is sent • A router can send a redirect message to point to the best hop for a destination
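Because hosts configure themselves from whatever router advertisement they receive, it is worth checking which prefixes are being announced on a link. This added example (not from the original slides) parses an ICMP type 134 message, reports prefixes outside the expected networks, and forms the stateless address of a host; the byte layout follows RFC 4861, while the modified EUI-64 mapping of the MAC address, the sample packet, and the function names are assumptions of the example.

```python
import ipaddress
import struct

def parse_ra(msg):
    """Parse an ICMPv6 Router Advertisement: (router lifetime, prefix list)."""
    icmp_type, _code, _csum, _hops, _flags, lifetime = struct.unpack_from("!BBHBBH", msg)
    if icmp_type != 134:
        raise ValueError("not a router advertisement")
    prefixes, off = [], 16                    # options follow the 16-byte RA header
    while off + 2 <= len(msg):
        opt_type, opt_len = msg[off], msg[off + 1] * 8   # length counts 8-byte units
        if opt_len == 0 or off + opt_len > len(msg):
            raise ValueError("malformed option")
        if opt_type == 3 and opt_len == 32:   # Prefix Information option
            plen, flags, valid, _preferred = struct.unpack_from("!BBII", msg, off + 2)
            net = ipaddress.IPv6Network((msg[off + 16:off + 32], plen), strict=False)
            prefixes.append({"prefix": net, "autonomous": bool(flags & 0x40),
                             "valid_lifetime": valid})
        off += opt_len
    return lifetime, prefixes

def unexpected_prefixes(msg, allowed):
    """Advertised prefixes that fall outside the networks expected on this link."""
    return [p["prefix"] for p in parse_ra(msg)[1]
            if not any(p["prefix"].subnet_of(a) for a in allowed)]

def slaac_address(prefix, mac):
    """Assumption: modified EUI-64 (insert ff:fe, flip the universal/local bit)."""
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)

# Constructed sample: router lifetime 1800 s, one /64 prefix with L and A flags set.
SAMPLE_RA = (struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
             + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
             + ipaddress.IPv6Address("2001:720:418:cafe::").packed)

if __name__ == "__main__":
    expected = [ipaddress.IPv6Network("2001:720::/32")]
    print(parse_ra(SAMPLE_RA), unexpected_prefixes(SAMPLE_RA, expected))
    print(slaac_address(parse_ra(SAMPLE_RA)[1][0]["prefix"], "00:11:22:33:44:55"))
```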
DNS • Now, applications behave in a different way • First, they request the IPv6 address • (timeout…) • If it’s coded correctly, it will ask for IPv4 • You have to be very careful when putting an IPv6 service in production • Good connectivity • You have to be very careful when configuring an IPv6 address in the DNS • Denial of service!
DNS • Example: www.ipv6.elmundo.es → 2001:800:400:10::71 • Access to the web server (port 80) • Port 80 not reachable
DNS • I have configured all the hosts in my network • Also my router • DNS is a must, due to the length of the addresses • BIND 9 supports IPv6 addresses • IPv6 requests over IPv6: • options { listen-on-v6 { any; }; }; • IPv6 requests over IPv4
DNS • It’s better not to create a special zone for IPv6 (like ipv6.my_center.com) • But it can be dangerous for production services • During tests, ftp.ipv6.my_center.com is better than ftp.my_center.com • Anyway, we should go for the same direct zone • Direct zone • We use the same config files as with IPv4 (AAAA instead of A)
DNS • Reverse zone • Nibble-bit notation with .arpa • 0.2.7.0.1.0.0.2.ip6.arpa • Root servers are configured to support this format • Recommended, and it is the zone delegated by the registries (like RIPE) • Latest versions of glibc support this format
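Writing 32 reversed nibbles by hand is error-prone, and a wrong PTR owner name fails silently. This added example (not part of the original slides) derives the ip6.arpa zone name for a delegated prefix and the matching AAAA and PTR lines for one host; the host name, the address, and the function names are constructed for the example.

```python
import ipaddress

def reverse_zone(prefix):
    """ip6.arpa zone name for a prefix that ends on a nibble (4-bit) boundary."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def zone_records(name, address, zone_prefix):
    """Return the AAAA line (direct zone) and the PTR line (reverse zone)."""
    addr = ipaddress.IPv6Address(address)
    if addr not in ipaddress.IPv6Network(zone_prefix):
        raise ValueError("address is outside the delegated prefix")
    zone = reverse_zone(zone_prefix)
    # reverse_pointer is the full owner name; strip the zone to get the relative one
    relative = addr.reverse_pointer[: -len(zone) - 1]
    return (f"{name}. IN AAAA {addr.compressed}",
            f"{relative} IN PTR {name}.")

if __name__ == "__main__":
    # Constructed host inside the 2001:0720::/32 prefix used on the slides.
    print("zone:", reverse_zone("2001:0720::/32"))
    for line in zone_records("ftp.example.org", "2001:720:418:cafe::80", "2001:0720::/32"):
        print(line)
```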
Transition • We cannot switch off the Internet and then switch on with IPv6 • There are several mechanisms • IPv4 and IPv6 can live together • BUT IPv4 and IPv6 are not compatible • Three types of transition mechanisms • Dual-stack • Based on tunnels • Based on address translation
Transition • Dual-stack • We depend on vendors’ implementations • My equipment supports native IPv4 and native IPv6 at the same time, in parallel • More operational effort • I can plan a gradual migration, step by step • Network • Servers • Applications and services • Hosts • The best one • A testing period is recommended
Transition • Tunnels • IPv6 traffic is encapsulated in IPv4 packets • I connect two IPv6 worlds separated by an IPv4 domain • Automatic tunnels • The host has an IPv4-compatible IPv6 address • 6to4: the IPv4 addresses of the tunnel endpoints are identified in the IPv6 prefix • We use 2002::/16 • Manual tunnels • Explicit configuration • IPv4 tunnel endpoints • IPv6 address of the tunnel interface • Tunnel brokers • Automatic configuration to have basic IPv6 connectivity if my network is only IPv4
Transition • 6to4 • I connect two isolated IPv6 worlds (IPv4 between them) • The router to the Internet creates a 6to4 tunnel to the other domain • The IPv4 addresses of the tunnel endpoints are included in the IPv6 prefix • Uses 2002::/16 • Teredo • Provides IPv6 connectivity behind a NAT • Encapsulates IPv6 packets in IPv4 UDP • They can go through the NAT and the Internet
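Since 6to4 and Teredo addresses carry the IPv4 tunnel endpoint inside them, existing IPv4 policy can still be applied to IPv6 log entries. This added example (not from the original slides) builds the 2002::/16 prefix for an IPv4 address and recovers the embedded endpoint with Python's `ipaddress` module; the Teredo prefix 2001::/32 comes from RFC 4380 rather than the slides, and the log entries, blocked network, and function names are constructed.

```python
import ipaddress

def sixtofour_prefix(ipv4):
    """The /48 a 6to4 site derives from its public IPv4 address: 2002:<ipv4>::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def tunnel_endpoint(ipv6):
    """Return (mechanism, embedded IPv4) for 6to4 or Teredo addresses, else None."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr.sixtofour is not None:
        return "6to4", str(addr.sixtofour)
    if addr.teredo is not None:
        _server, client = addr.teredo      # client address is stored inverted
        return "teredo", str(client)
    return None

def flag_tunnelled(log_addresses, blocked_v4):
    """Log entries whose embedded IPv4 endpoint is inside a blocked IPv4 network."""
    nets = [ipaddress.IPv4Network(n) for n in blocked_v4]
    hits = []
    for entry in log_addresses:
        found = tunnel_endpoint(entry)
        if found and any(ipaddress.IPv4Address(found[1]) in n for n in nets):
            hits.append((entry, found[0], found[1]))
    return hits

# Constructed log sources: one 6to4, one Teredo, one native address.
SAMPLE_LOG = ["2002:82ce:19f::1",
              "2001:0:4136:e378:8000:63bf:3fff:fdd2",
              "2001:720::1"]

if __name__ == "__main__":
    print(sixtofour_prefix("130.206.1.159"))
    print(flag_tunnelled(SAMPLE_LOG, ["192.0.2.0/24"]))
```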
Transition • To migrate all my network to IPv6 I’ll have the following problems: • My hardware doesn’t support IPv6 • Upgrade it • Use a Linux router • Use an alternate router, with a tunnel to a provider • I have a firewall • Not a lot of solutions • Upgrade is important
Transition • Level 2 migration, integrating an IPv6 router in the same VLAN • [Figure label: small IPv6 router]
Transition More natural migration, including dual-stack
Transition Migration using Level 3
Security • Support for IPv6 + firewalls + tunnels is not widely deployed • But IPv6 has IPsec… • The same as with IPv4, but in this case it is part of the protocol (security header), so fewer problems • Security is included as part of the IPv6 specifications • Authentication • Encryption
Security • With the right security policies, it’s not a problem to have public addresses for everyone • Network administration is easier • NAT is not necessary • Problems with multimedia applications • Problems with IPsec • Problems with multicast • Problems with end-to-end, peer-to-peer and point-to-point applications
IPv6 & Windows • www.microsoft.com/ipv6 • You can create an IPv6 tunnel to Microsoft • Good for testing • With Windows 2000 you have to install SP2 • With Windows XP • With SP1 or higher • It’s part of the system • To install it • From the properties of My Network Places • Using the CLI • netsh interface ipv6 install • Without SP1 • You cannot do DNS queries using IPv6 • Install it using the CLI • ipv6 install