into to ipv6

© 2006, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr

1

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 1BRKRST-130114444_04_2008_c1

An Introduction to IPv6


BRKRST-1301


2

Why IPv6?


A Need for IPv6?

IETF IPv6 WG began in early 90s, to solve addressing growth issues, but

CIDR, NAT,…were developed

IPv4 32 bit address = 4 billion hosts~40% of the IPv4 address space is still unused which is different from unallocated

The rising of Internet connected device and appliance will eventually deplete the IPv4 address space


IP is everywhereData, voice, audio and video integration is a reality

Regional registries apply a strict allocation control

So, only compelling reason: More IP addresses


3

IP Address Allocation HistoryThe H-D ratio (RFC 3194) is the measure of allocation inefficiency; adjusting the raw numbers from the RIRs to compensate for their historical allocation efficiency of 87%

160192224256 IPv4 Address Pool

IANA RIR IANA Policy - RIRs Allocated Pool for 12-24 Months Distribution

Projections based on Jan 2000 to current their historical allocation efficiency of 87%matches the published IANA pool

1981—IPv4 protocol published1985 ~ 1/16 of total space1990 ~ 1/8 of total space1995 ~ 1/3 of total space2000 ~ 1/2 of total space2005 ~ 1/4 of total space remaining2007 ~ 1/5 of total space remaining

This despite increasingly intense conservation effort See Article in the Internet Protocol Journal

http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_8-3/ipj_8-

0326496

128160 Pool TOTAL

ARIN

HistoricRIPEAPNICLACNICAFRINIC

Collective RIR Pool Window


PPP/DHCP address sharing NAT (network address translation)CIDR (classless inter-domain routing) plus some address reclamation

Theoretical limit of 32-bit space: ~4 billion devices, Practical limit of 32-bit space: ~250 million devices (RFC 3194)U.S. DoC IPv6 RFC http://www.ntia.doc.gov/ntiahome/ntiageneral/ipv6/commentsindex.html

p _ pj_ pj_3.pdf

Why Not NAT

It was created as a temp solution

NAT breaks the end-to-end modelNAT breaks the end-to-end model

Growth of NAT has slowed down growth of transparent applications

No easy way to maintain states of NAT in case of node failures

NAT break security


NAT break security

NAT complicates mergers, double NATing is needed for devices to communicate with each other


4

IPv6 Technology


IPv4 and IPv6 Header Comparison

Total LengthType of ServiceIHLVersion

IPv4 Header

Flow LabelTraffic ClassVersion

IPv6 Header

Fragment OffsetFlags

PaddingOptions

Destination Address

Source Address

Header ChecksumProtocolTime to Live

Identification

Next Header Hop Limit

Class

Source Address

Payload Length


Destination Address

Field’s Name Kept from IPv4 to IPv6

Fields Not Kept in IPv6

Name and Position Changed in IPv6

New Field in IPv6Lege

nd


5

Extension Headers

IPv6 Base Header (40 octets)

Base headerNext Header = 0

1st E t i0 or more Extension Headers

IPv6 Packet

N t H d 17 E t Hd L th

Data

1st Extension Header

Next Header = 43

Last Extension Header

Next Header = 17

…


Next Header = 17 Ext Hdr Length

Ext Hdr Data

MTU Issues

Minimum link MTU for IPv6 is 1280 octets(vs. 68 octets for IPv4)

=> on links with MTU < 1280, link-specificfragmentation and reassembly must be used

Implementations are expected to perform path MTU discovery to send packets bigger than 1280

Minimal implementation can omit PMTU discovery as long as all packets kept ≤ 1280 octets


long as all packets kept ≤ 1280 octets

A hop-by-hop option supports transmission of “jumbograms” with up to 232 octets of payload; payload is normally 216


6

IPv6 Addressing


IPv6 Addressing



7

Addressing Format

16-bit hexadecimal numbers

Numbers are separated by (:)

Representation

Numbers are separated by (:)

Hex numbers are not case sensitive

Abbreviations are possibleLeading zeros in contiguous block could be represented by (::)

Example:


2001:0db8:0000:130F:0000:0000:087C:140B

2001:0db8:0:130F::87C:140B

Double colon only appears once in the address

Addressing

Representation of prefix is just like CIDR

In this representation you attach the prefix length

Prefix Representation

In this representation you attach the prefix length

Like v4 address:198.10.0.0/16

V6 address is represented the same way:2001:db8:12::/48


Only leading zeros are omitted. Trailing zeros are not omitted

2001:0db8:0012::/48 = 2001:db8:12::/48

2001:db8:1200::/48 ≠ 2001:db8:12::/48


8

IPv6 Address Representation

Loopback address representation0:0:0:0:0:0:0:1=> ::10:0:0:0:0:0:0:1 ::1

Same as 127.0.0.1 in IPv4

Identifies self

Unspecified address representation0:0:0:0:0:0:0:0=> ::

Used as a placeholder when no address available


Used as a placeholder when no address available

(Initial DHCP request, Duplicate Address Detection DAD)

IPv6—Addressing Model

Addresses are assigned to interfacesChange from IPv4 mode:Change from IPv4 mode:

Interface “expected” to have multiple addresses

Addresses have scopeLink Local

Unique Local

GlobalLink LocalUnique LocalGlobal


Global

Addresses have lifetimeValid and preferred lifetime


9

Types of IPv6 Addresses

UnicastAddress of a single interface. One-to-one delivery toAddress of a single interface. One to one delivery to single interface

MulticastAddress of a set of interfaces. One-to-many delivery to all interfaces in the set

Anycast


Address of a set of interfaces. One-to-one-of-many delivery to a single interface in the set that is closest

No more broadcast addresses

Aggregatable Global Unicast Addresses

Provider Site Host

Aggregatable Global Unicast Addresses Are:

001

64 Bits3 45 Bits 16 Bits

Global Routing Prefix SLA Interface ID


Aggregatable Global Unicast Addresses Are:Addresses for generic use of IPv6

Structured as a hierarchy to keep the aggregation


10

Global ID 40 Bits

Unique-Local

128 Bits

Interface IDGlobal ID 40 Bits

Subnet ID

16 Bits

Interface ID

1111 110

FC00::/7

7 Bits


Unique-Local Addresses Used for: Local communications

Inter-site VPNs

Not routable on the Internet

Remaining 54 Bits

Link-Local

128 Bits

Interface IDRemaining 54 Bits

Link-Local Addresses Used for:

Interface ID

1111 1110 10

FE80::/10

10 Bits


Mandatory Address for Communication between two IPv6 device (like ARP but at Layer 3)

Automatically assigned by Router as soon as IPv6 is enabled

Also used for Next-Hop calculation in Routing Protocols

Only Link Specific scope

Remaining 54 bits could be Zero or any manual configured value


11

IPv6 Multicast Address

IP multicast address has a prefix FF00::/8 (1111 1111); the second octet defines the lifetime and scope of the multicast addressand scope of the multicast address

8-bit 4-bit 4-bit 112-bit

1111 1111 Lifetime Scope Group-ID

Lifetime Scope


0 If Permanent1 If Temporary

1 Node2 Link5 Site8 OrganizationE Global

Some Well Known Multicast Addresses

Address Scope Meaning

FF01::1 Node Local All NodesFF01::1 Node-Local All Nodes

FF02::1 Link-Local All Nodes

FF01::2 Node-Local All Routers

FF02::2 Link-Local All Routers

FF05::2 Site-Local All Routers

FF02::1:FFXX:XXXX Link-Local Solicited-Node


Note that 02 means that this is a permanent address and has link scope

More details at http://www.iana.org/assignments/ipv6-multicast-addresses


12

FF02 0000 0000 0000 0000 0001 FF17 FC0F

Multicast Mapping over Ethernet

IPv6 Multicast Address

33 33 FF 17 FC 0F

Mapping of IPv6 multicast address to Ethernet

Corresponding Ethernet Address

Multicast Prefix for Ethernet

Multicast


pp gaddress is:

33:33:<last 32 bits of the IPv6 multicast address>

Solicited-Node Multicast Address

For each unicast and anycast address configured there is a corresponding solicited-node multicast

Thi i i ll d f t f th l t f ARPThis is specially used for two purpose, for the replacement of ARP, and DAD

Used in neighbor solicitation messages

Multicast address with a link-local scope

Solicited-node multicast consists of prefix + lower 24 bits from unicast, FF02::1:FF:



13

R1#sh ipv6 int e0Ethernet0 is up, line protocol is upIPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18

Router Interface

No global unicast address is configuredJoined group address(es):

FF02::1FF02::2FF02::1:FF3A:8B18

MTU is 1500 bytesICMP error messages limited to one every 100 millisecondsICMP redirects are enabledND DAD is enabled, number of DAD attempts: 1ND h bl ti i 30000 illi d

Solicited-Node Multicast Address


ND reachable time is 30000 millisecondsND advertised reachable time is 0 millisecondsND advertised retransmit interval is 0 millisecondsND router advertisements are sent every 200 secondsND router advertisements live for 1800 secondsHosts use stateless autoconfig for addresses.

R1#

IPv6 Prefix Allocation Hierarchy and Policy Example

IANA2001::/3

ISP/32ISP

/32

APNIC::/12 to::/23

AfriNIC::/12 to::/23

ARIN::/12 to::/23

LACNIC::/12 to::/23

RIPE NCC::/12 to::/23

ISP/32

ISP/32ISP

/32ISP/32

ISP/32ISP

/32ISP/32

ISP/32ISP

/32ISP/32

ISP/32ISP

/32ISP/32


Site/48Site

/48

/32

Site/48

Site/48Site

/48

/32

Site/48

Site/48Site

/48

/32

Site/48

Site/48Site

/48

/32

Site/48

Site/48Site

/48

/32

Site/48


14

IPv6 Address Allocation Process

Lowest-Order 64-bit field of unicast address may be assigned in several

Partition of Allocated IPv6 Address Space (Cont.)

be assigned in several different ways:

Auto-configured from a 64-bit EUI-64, or expanded from a 48-bit MAC address (e.g., Ethernet address)

Auto-generated pseudo-random number(to address privacy concerns)


( p y )

Assigned via DHCP

Manually configured

IPv6 Interface Identifier

Cisco uses the EUI-64 format to do stateless auto configuration 00 90 27 17 FC 0Fauto-configuration

This format expands the 48 bit MAC address to 64 bits by inserting FFFE into the middle 16 bits

To make sure that the chosen address is from a niq e Ethernet MAC

00 90 27 FF FE 17 FC 0F

FF FE00 90 27 17 FC 0F

000000U0 Where U=1 = Unique

0 = Not Unique


a unique Ethernet MAC address, the universal/local (“u” bit) is set to 1 for global scope and 0 for local scope

0 = Not Unique

02 90 27 FF FE 17 FC 0F

U = 1


15

ICMPv6 and Neighbor Discovery


ICMPv6

Internet Control Message Protocol version 6

RFC 2463RFC 2463

Modification of ICMP from IPv4

Message types are similar (but different types/codes)

Destination unreachable (type 1)

Packet too big (type 2)


Packet too big (type 2)

Time exceeded (type 3)

Parameter problem (type 4)

Echo request/reply (type 128 and 129)


16

Neighbor Discovery

Replaces ARP, ICMP (redirects, router discovery)

Reachability of neighborsReachability of neighbors

Hosts use it to discover routers, auto configuration of addresses

Duplicate Address Detection (DAD)


Neighbor Discovery

Neighbor discovery uses ICMPv6 messages, originated from node on link local with hop limit of 255

Consists of IPv6 header, ICMPv6 header, neighbor discovery header, and neighbor discovery options

Five neighbor discovery messages1. Router solicitation (ICMPv6 type 133)


2. Router advertisement (ICMPv6 type 134)

3. Neighbor solicitation (ICMPv6 type 135)

4. Neighbor advertisement (ICMPv6 type 136)

5. Redirect (ICMPV6 type 137)


17

Router Solicitation and Advertisement

2 RA1 RS

1—ICMP Type = 133 (RS)

Src = link-local address (FE80::1/10)

Dst = all-routers multicast address (FF02::2)

Query = please send RA

2. RA1. RS

2—ICMP Type = 134 (RA)

Src = link-local address (FE80::2/10)

Dst = all-nodes multicast address (FF02::1)

Data = options, subnet prefix, lifetime, autoconfig flag


Router solicitations (RS) are sent by booting nodes to request RAs for configuring the interfaces

Routers send periodic Router Advertisements (RA) to the all-nodes multicast address

Neighbor Solicitation and Advertisement

A B

Neighbor SolicitationICMP type = 135

Src = A Dst = Solicited-node multicast of BData = link-layer address of A Query = what is your link address?


A and B can now exchange packets on this link

Neighbor AdvertisementICMP type = 136Src = B Dst = AData = link-layer address of B


18

Contents of NS

L2 Destination:L2 multicast address corresponding to targetcorresponding to target IPv6 Solicited Node Address

L3 Source:IPv6 Link-Local Address of source

L3 Destination:Solicited Node Addresscorresponding to target IPv6 address of destination


IPv6 address of destination

IPv6 Link-Local Address of destination

Contents of NA

L3 Source:IPv6 Link-Local Address of source

L3 Destination:IPv6 Link-Local Address of destination


Link-Layer address requestedIn the NS message


19

Multicast Neighbor Solicitation—For Duplicate Address Detection (DAD)

Ethernet Header• Dest MAC is 33-33-FF-52-F9-D8

Tentative IP: FE80::2:260:8FF:FE52:F9D8

Send multicast Neighbor Solicitation

Neighbor Solicitation

Dest MAC is 33 33 FF 52 F9 D8IPv6 Header• Source Address is ::• Destination Address is FF02::1:FF52:F9D8• Hop limit is 255Neighbor Solicitation Header• Target Address is

FE80::2:260:8FF:FE52:F9D8

Host A


Host B

Neighbor Solicitation

Host A uses DAD to verify the existence of a duplicate address before assigning the address to its interface.

Multicast Neighbor Advertisement (Response)

Ethernet Header• Destination MAC is 33-33-00-00-00-01IP 6 H d

Tentative IP: FE80::2:260:8FF:FE52:F9D8

N i hb Ad ti t

Host A

IPv6 Header• Source Address is FE80::2:260:8FF:FE52:F9D8• Destination Address is FF02::1• Hop limit is 255Neighbor Advertisement Header• Target Address is FE80::2:260:8FF:FE52:F9D8Neighbor Discovery Option• Target Link-Layer Address is 00-60-08-52-F9-D8


Host B

MAC: 00-60-08-52-F9-D8IP: FE80::2:260:8FF:FE52:F9D8

Neighbor Advertisement

Send multicast Neighbor Advertisement


20

Redirect

R2

A B

Redirect:Src = R2

R1Src = A Dst IP = 2001:db8:C18:2::1 Dst Ethernet = R2 (default router)


Redirect is used by a router to signal the reroute of a packet to a better router

Dst = AData = good router = R12001:db8:C18:2::/64

Autoconfiguration

Mac Address:

Larger Address Space Enables:

Sends Network-Type Information

(Prefix, Default Route, …)

Host Autoconfigured Address Is:

Prefix Received + Link-Layer Address

Mac Address: 00:2c:04:00:FE:56


The use of link-layer addresses inside the address space

Autoconfiguration with “no collisions”

Offers “plug and play”


21

Renumbering

Mac Address:

Sends New Network-Type Information

(Prefix, Default Route, …)

Host Autoconfigured Address Is:

New Prefix Received + Link-Layer Address

Mac Address: 00:2c:04:00:FE:56

Data = Two prefixes:Current prefix (to be deprecated), with short lif ti


Larger Address Space Enables:Renumbering, using autoconfiguration and multiple addresses

lifetimesNew prefix (to be used), with normal lifetimes

interface Ethernet0ipv6 nd prefix 2001:db8:c18:1::/64 43200 0ipv6 nd prefix 2001:db8:c18:2::/64 43200 43200

Router Configuration after Renumbering:

Renumbering (Cont.)

ipv6 nd prefix 2001:db8:c18:2::/64 43200 43200

New Network Prefix: 2001:db8:c18:2::/64Deprecated Prefix: 2001:db8:c18:1::/64

interface Ethernet0ipv6 nd prefix 2001:db8:c18:1::/64 at Jul 31 2008 23:59 Jul 20 2008 23:59ipv6 nd prefix 2001:db8:c18:2::/64 43200 43200

or:


Host Configuration:

Autoconfiguring IPv6 Hosts

deprecated address 2001:db8:c18:1:260:8ff:fede:8fbepreferred address 2001:db8:c18:2:260:8ff:fede:8fbe

Router Advertisements


22

DHCP and DNS for IPv6


DNS Basics

DNS is a database managing Resource Records (RR)Stockage of RR from various types—IPV4 and IPV6:

Start of Authority (SoA)

Name Server

Address—A and AAAA

Pointer—PTR

DNS is an IP applicationIt uses either UDP or TCP on top of IPv4 or IPv6


ReferencesRFC3596: DNS Extensions to Support IP Version 6

RFC3363: Representing Internet Protocol Version 6 Addresses in Domain Name system (DNS)

RFC3364: Tradeoffs in Domain Name System (DNS) Support for Internet Protocol version 6 (IPv6)


23

IPv4 IPv6

IPv6 and DNS

Hostname to IP address

A record:www.abc.test. A 192.168.30.1

AAAA record: www.abc.test AAAA 2001:db8:C18:1::2


IP address to hostname

PTR record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.abc.test.

PTR record:1.30.168.192.in-addr.arpa. PTR

www.abc.test.

DHCPv6

Updated version of DHCP for IPv4

Supports new addressing

Can be used for renumbering

DHCP Process is same as in IPv4, but,

Client first detect the presence of routers on the link

If found, then examines router advertisements to determine if DHCP can be used

If no router found or if DHCP can be used, thenDHCP Solicit message is sent to the All-DHCP-Agents multicast address

Using the link-local address as the source address


Using the link local address as the source address

Multicast addresses used:FF02::1:2 = All DHCP Agents (servers or relays, Link-local scope)

FF05::1:3 = All DHCP Servers (Site-local scope)

DHCP Messages: Clients listen UDP port 546; servers and relay agents listen on UDP port 547


24

Managing DHCPv6 via Router Advertisement (Stateful Autoconfig)RAs Can Be Used to Control DHCPv6 Client Behavior

DHCPv6-Serv-1

DHCPv6-Relay-3

Core Router

DHCPv6-Relay-1

1. Router Advertisement (RA) sent with “Use Stateful

Autoconfiguration Flag” = ON


DHCPv6-Client-1

2. Client sends DHCPv6 SOLICIT

Stateless DHCPv6

Stateless DHCPv6 normally combines stateless autoconfiguration for address assignment, DHCPv6 exchange for all other configuration settingsconfiguration settings.

1. Router Advertisement (RA) sent, containing link prefix, also with “Other

configuration flag” = ONDHCPv6-Serv-1

DHCPv6-Relay-3

Core Router

DHCPv6-Relay-1


2. Client autoconfigures address based on prefix option in RA, then sends DHCPv6 SOLICIT

DHCPv6-Client-1

DHCPv6-Relay-1


25

Router AdvertisementCPE

Host

E0E1PE

ISP

Source of RA

User of RA

A Bit M/O Bits

A Operation M/O Operation

PECPE

E10 Don’t Do Stateless

Address Assignment 11 Use Dhcpv6 for Address + Other Config. (i.e., Stateful Dhcpv6)

CPE Do Stateless Address Use Dhcpv6 for Other Config

ISP Provisioning SystemDHCP Client DHCP Server


Stateless (RFC2462)RS Are Sent by Booting Nodes to Request RAs for Configuring the Interfaces; Host Autonomously Configures Its Own Link-Local Address

CPE Router Host 1 Do Stateless Address

Assignment 01 Use Dhcpv6 for Other Config. (i.e., Stateless Dhcpv6)

Prefix/Options AssignmentHost

E0E1PE

ISPCPE

1. CPE Sends DHCP Solicit with ORO = PD

2. PE Sends RADIUS Request for the User

3. RADIUS Responds with User’s Prefix(es)

4. PE Sends DHCP REPLY with Prefix Delegation Options

5 CPE Configures Addresses from6. Host Configures

Addresses Based on

ISP Provisioning SystemDHCP Client DHCP Server


DHCP ND/DHCPAAA

5. CPE Configures Addresses from The Prefix on Its Downstream Interfaces, and Sends an RA. O-bit Is Set to On

Addresses Based on the Prefixes Received in the RA. As the O-bit Is on, It Sends a DHCP Information-request Message, with an ORO = DNS

7. CPE Sends a DHCP REPLY Containing Request Options


26

IPv6 Configurations


IOS IPv6 Addressing Examples (1)Manual Interface Identifier

Fast0/0

ipv6 unicast-routing!interface FastEthernet0/0ip address 10.151.1.1 255.255.255.0ip pim sparse-moded l


duplex autospeed autoipv6 address 2006:1::1/64ipv6 enableipv6 nd ra-interval 30ipv6 nd prefix 2006:1::/64 300 300!


27

r1#sh ipv6 int fast0/0FastEthernet0/0 is up, line protocol is upIPv6 is enabled, link-local address is FE80::207:50FF:FE5E:9460Global unicast address(es):

IOS IPv6 Addressing Examples (1)Manual Interface Identifier

( )2006:1::1, subnet is 2006:1::/64

Joined group address(es):FF02::1FF02::2FF02::1:FF00:1FF02::1:FF5E:9460

MTU is 1500 bytesICMP error messages limited to one every 100 millisecondsICMP redirects are enabled

r1#sh int fast0/0

MAC Address : 0007.505e.9460


ND DAD is enabled, number of DAD attempts: 1ND reachable time is 30000 millisecondsND advertised reachable time is 0 millisecondsND advertised retransmit interval is 0 millisecondsND router advertisements are sent every 30 secondsND router advertisements live for 1800 secondsHosts use stateless autoconfig for addresses.

r1#

r1#sh int fast0/0

FastEthernet0/0 is up, line protocol is up

Hardware is AmdFE, address is 0007.505e.9460 (bia 0007.505e.9460)

IOS IPv6 Addressing Examples (2)EUI-64 Interface Identifier

Fast0/0

ipv6 unicast-routing!interface FastEthernet0/0ip address 10.151.1.1 255.255.255.0ip pim sparse-mode


duplex autospeed autoipv6 address 2006:1::/64 eui-64ipv6 enableipv6 nd ra-interval 30ipv6 nd prefix 2006:1::/64 300 300!


28

r1#sh ipv6 int fast0/0FastEthernet0/0 is up, line protocol is upIPv6 is enabled, link-local address is FE80::207:50FF:FE5E:9460

IOS IPv6 Addressing Examples (2)EUI-64 Interface Identifier

Global unicast address(es):2006:1::207:50FF:FE5E:9460, subnet is 2006:1::/64

Joined group address(es):FF02::1FF02::2FF02::1:FF5E:9460

MTU is 1500 bytesICMP error messages limited to one every 100 millisecondsICMP redirects are enabledND DAD is enabled number of DAD attempts: 1

r1#sh int fast0/0


MAC Address : 0007.505e.9460


ND DAD is enabled, number of DAD attempts: 1ND reachable time is 30000 millisecondsND advertised reachable time is 0 millisecondsND advertised retransmit interval is 0 millisecondsND router advertisements are sent every 30 secondsND router advertisements live for 1800 secondsHosts use stateless autoconfig for addresses.

r1#


Hardware is AmdFE, address is 0007.505e.9460 (bia 0007.505e.9460)

IPv6 Routing



29

Static Routing


Static Routing

ipv6 route ipv6-prefix/prefix-length {ipv6-address | interface-type interface-number [ipv6-address]} [administrative-distance] [administrative-multicast-distance | unicast | multicast] [tag tag][administrative-multicast-distance | unicast | multicast] [tag tag]

Examples:Forward packets for network 2001:DB8::/32 through 2001:DB8:1:1::1 with an administrative distance of 10Router(config)# ipv6 route 2001:DB8::/32 2001:DB8:1:1::1 10

Default route to 2001:DB8:1:1::1


Router(config)# ipv6 route ::/0 2001:DB8:1:1::1


30

RIPng (RFC 2080)


Enhanced Routing Protocol SupportRIPng Overview RFC 2080command version must be zero

Address Family Identifier Route Tag

IPv4 Address

command version must be zero

IP 6 fi

Similar characteristics as IPv4Distance-vector, hop limit of 15, split-horizon, multicast based (FF02::9), UDP port (521) etc.

U d t d f t f IP 6

Subnet Mask

Next Hop

Metric

IPv6 prefix

route tag prefix len metric


Updated features for IPv6IPv6 prefix & prefix len

Special Handling for the NHRoute tag and prefix len for NH is all 0. Metric will have 0xFF; NH must be link local


31

Enhanced Routing Protocol Support RIPng Configuration and Display

LAN1: 2001:db8:c18:1::/64

Router 2

Ethernet0 = 2001:db8:c18:1:260:3eff:fe47:1530

::/0

Router2#ipv6 router rip RT0

interface Ethernet0ipv6 address 2001:db8:c18:1::/64 eui-64ipv6 rip RT0 enableipv6 rip RT0 default-information originate

LAN1: 2001:db8:c18:1::/64

LAN2: 2001:db8:c18:2::/64

Ethernet0

Ethernet1Router 1

Router2# debug ipv6 ripRouter1#


oute # debug p 6 pRIPng: Sending multicast update on Ethernet0 for RT0

src=FE80::260:3eff:fe47:1530dst=FF02::9 (Ethernet0)sport=521, dport=521, length=32command=2, version=1, mbz=0, #rte=1tag=0, metric=1, prefix=::/0

Link-Local src Address

oute #ipv6 router rip RT0

interface Ethernet0ipv6 address 2001:db8:c18:1::/64 eui-64ipv6 rip RT0 enableInterface Ethernet1ipv6 address 2001:db8:c18:2::/64 eui-64ipv6 rip RT0 enable

Multicast All RIP-Routers

Access-List



32

Cisco IOS Standard Access Lists

Can filter traffic based on source and destination address

When Used for Traffic Filtering, IPv6 Standard Access Control Lists (ACL) Offers the Following Functions:

Can filter traffic inbound or outbound on a specific interface

Can add priority to the ACL

Implicit “deny all” at the end of access list


IPv6 Access-List Example

Filtering outgoing traffic from unique-local source addresses

IPv6 Internet2001:0db8:c18:2::/64

fc00:0:0:2::/64

Ethernet0ipv6 access-list blocksite deny fc00:0:0:2::/64 any ipv6 access-list blocksite permit any any

interface Ethernet0ipv6 traffic-filter blocksite out


Global prefix: 2001:0db8:c18:2::/64Unique-local prefix: fc00:0:0:2::/64


33

Deployment


IPv4-IPv6 Transition/Coexistence

A wide range of techniques have been identified and implemented, basically falling into three categories:1. Dual-stack techniques, to allow IPv4 and IPv6 to

co-exist in the same devices and networks

2. Tunneling techniques, to avoid order dependencies when upgrading hosts, routers, or regions

3. Translation techniques, to allow IPv6-only devices to communicate with IPv4-only devices


Expect all of these to be used, in combination


34

Dual Stack Approach

Application IPv6-Enable Application

PreferredTCP UDP

IPv4 IPv6

Data Link (Ethernet)

0x0800 0x86dd

TCP UDP

IPv4 IPv6

Data Link (Ethernet)

0x0800 0x86dd Frame Protocol ID

Preferred Method on

Application’s Servers


Dual Stack Node Means:Both IPv4 and IPv6 stacks enabled

Applications can talk to both

Choice of the IP version is based on name lookup and application preference

Cisco IOS Dual Stack Configuration

Dual-Stack

router#ipv6 unicast-routing

Cisco IOS® Is IPv6-Enable:

IPv6 and IPv4 Network

Dual Stack Router

IPv4: 192.168.99.1

IPv6: 2001:db8:213:1::/64 eui-64

interface Ethernet0ip address 192.168.99.1 255.255.255.0ipv6 address 2001:db8:213:1::/64 eui-64


Cisco IOS Is IPv6-Enable:If IPv4 and IPv6 are configured on one interface, the router is dual-stacked

Telnet, Ping, Traceroute, SSH, DNS client, TFTP, etc.


35

Tunneling


Tunneling

Some ideas same as beforeGRE, MPLS, IP

Many Ways to Do Tunneling

GRE, MPLS, IP

Native IP over data link layersATM PVC, dWDM Lambda, Frame Relay PVC, Serial, Sonet/SDH, Ethernet

Some new techniquesAutomatic tunnels using IPv4 , compatible IPv6 address,


g p6to4, ISATAP


36

Manually Configured GRE Tunnel

IP 4

Dual-Stack Router2

Dual-Stack Router1 IPv4IPv6

NetworkIPv6

Network

Router2Router1

IPv4: 192.168.99.1 IPv6: 2001:db8:800:1::3

IPv4: 192.168.30.1 IPv6: 2001:db8:800:1::2

router1# router2#


interface Tunnel0ipv6 enableipv6 address 2001:db8:c18:1::3/128tunnel source 192.168.99.1tunnel destination 192.168.30.1tunnel mode gre ipv6

interface Tunnel0ipv6 enableipv6 address 2001:db8:c18:1::2/128tunnel source 192.168.30.1tunnel destination 192.168.99.1tunnel mode gre ipv6

Manually Configured IPv6 over IPv4 Tunnel

IP 4

Dual-Stack Router2

Dual-Stack Router1 IPv4IPv6

networkIPv6

network

Router2Router1

IPv4: 192.168.99.1 IPv6: 2001:db8:800:1::3

IPv4: 192.168.30.1 IPv6: 2001:db8:800:1::2

router1# router2#


interface Tunnel0ipv6 enableipv6 address 2001:db8:c18:1::3/127tunnel source 192.168.99.1tunnel destination 192.168.30.1tunnel mode ipv6ip

interface Tunnel0ipv6 enableipv6 address 2001:db8:c18:1::2/127tunnel source 192.168.30.1tunnel destination 192.168.99.1tunnel mode ipv6ip


37

6to4 Tunneling


Automatic 6to4 Tunnels

Automatic 6to4 tunnel allows isolated IPv6 domains to connect over an IPv4 network

Unlike the manual 6to4 the tunnels are not point-to-point, they are multipoint tunnels

IPv4 is embedded in the IPv6 address is used to find the other end of the tunnel

Address format is 2002:IPv4 address::



38

Automatic 6to4 Tunnel (RFC 3056)

IPv4IP 6

6to4 Router6to4 Router IPv6 Host B

IPv6 Host A

IP 6

6to4:

IPv4IPv6 Network

192.168.99.1 192.168.30.1Network Prefix:

2002:c0a8:6301::/48Network Prefix:

2002:c0a8:1e01::/48= =

IPv6 Network


Is an automatic tunnel method

Gives a prefix to the attached IPv6 network

/48 /64/16

Public IPv4Address

2002 SLA Interface ID

Automatic 6to4 Tunnel (RFC 3056)

S=2002:c0a8:6301::1D=2002:c0a8:1e01::2

S=2002:c0a8:6301::1D=2002:c0a8:1e01::2

IP 6 H d IP 6 D t IP 6 H d IP 6 D t

IPv4IPv6 Network

Tunnel: IPv6 in IPv4 Packet

IPv6 Host A 6to4 Router

IPv6 Host B6to4 Router

2002:c0a88:6301::1 2002:c0a8:1e01::2192.168.99.1 192.168.30.1

IPv6 Header IPv6 Data IPv6 Header IPv6 Data

IPv6 Network


Tunnel: IPv6 in IPv4 Packet

S(v4)=192.168.99.1D(v4)=192.168.30.1S(v6)=2002:c0a8:6301::1D(v6)=2002:c0a8:1e01::2

IPv4 Header IPv6 Header IPv6 Data


39

Automatic 6to4 Configuration

IPv4IPv6 Network

IPv6 Network

6to4 Router2

6to4 Router1

E0 E0Network Network

192.168.99.1 192.168.30.1Network Prefix:2002:c0a8:6301::/48

Network Prefix:2002:c0a8:1e01::/48

= =

router1#interface Ethernet0

router2#interface Ethernet0


ipv6 address 2002:c0a8:6301:1::/64 eui-64Interface Ethernet1ip address 192.168.99.1 255.255.0.0

interface Tunnel0ipv6 unnumbered Ethernet0tunnel source Ethernet1tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 Tunnel0

ipv6 address 2002:c0a8:1e01:1::/64 eui-64Interface Ethernet1ip address 192.168.30.1 255.255.0.0interface Tunnel0ipv6 unnumbered Ethernet0tunnel source Ethernet1tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 Tunnel0

Automatic 6to4 Relay

6to4 6to4

IPv6 Internet

IPv4RelayRouter1

192.168.99.1 192.168.30.1Network Prefix:2002:c0a8:6301::/48

= =

Network Prefix:2002:c0a8:1e01::/48

IPv6 Network

IPv6 Site Network


6to4 Relay: Is a gateway to the rest of the IPv6 Internet

Is a default router


40

Automatic 6to4 Relay Configuration

IPv4

6to4 Router1

6to4 Relay

E0

IPv6 Internet

IPv6 Network

192.168.99.1Network Prefix:2002:c0a8:6301::/48 IPv6 Address:

2002:c0a8:1e01::1=

router1#interface Ethernet0ipv6 address 2002:c0a8:6301:1::/64 eui-64Interface Ethernet1

IPv6 Network

Network


Interface Ethernet1ip address 192.168.99.1 255.255.0.0

interface Tunnel0no ip addressipv6 unnumbered Ethernet0tunnel source Ethernet1tunnel mode ipv6ip 6to4

ipv6 route 2002::/16 Tunnel0ipv6 route ::/0 2002:c0a8:1e01::1

Automatic 6to4 Tunnels

Border router must be dual stack with a global IPv4 address

Requirements for 6to4

Interior routing protocol for IPv6 is required

DNS for IPv6



41

ISATAP Tunneling


Intrasite Automatic Tunnel Address Protocol

RFC 4214

To deploy a router is identified that carriesTo deploy a router is identified that carries ISATAP services

ISATAP routers need to have at least one IPv4 interface and 0 or more IPv6 interface

DNS entries are created for each of the ISATAP routers IPv4 addresses


Hosts will automatically discover ISATAP routers and can get access to global IPv6 network

Host can apply the ISATAP service before all this operation but its interface will only have a link local v6 address until the first router appears


42

Intrasite Automatic Tunnel Address ProtocolUse IANA’s OUI 00-00-5E and Encode IPv4 Address as Part of EUI-64

ISATAP is used to tunnel IPv4 within as administrative domain (a

InterfaceIdentifier(64 bits)

IPv4 Address64-bit Unicast Prefix 0000:5EFE:32-bit32-bit


ISATAP is used to tunnel IPv4 within as administrative domain (a site) to create a virtual IPv6 network over a IPv4 network

Supported in Windows XP Pro SP1 and others

IPv6 Campus ISATAP Configuration

Supported in Windows XP Pro SP1 and others

ISATAP connections look like one flat networkISATAP connections look like one flat network

Create DNS “A” record for “ISATAP” = 10.1.1.1

Use Static Config if DNS use is not desired:C:\>netsh interface ipv6 isatap set router 10.1.1.1

Currently ISATAP does not support multicast!!


Currently ISATAP does not support multicast!!

Interface ID

IPv4 Address64-bit Unicast Prefix 0000:5EFE:32-bit32-bit

2001:DB8:C003:111F:0:5EFE:10.1.2.100

ISATAP Address Format:


43

Client Configuration (Linux): ISATAP Tunnels

IPv6-enabled

Requires Kernel support

L3 SwitchIPv6 Not Supported

IPv6 L3 Switch/Router

LinuxClient

q ppfor ISATAP—USAGI

Modified IProute package—USAGI

Must configure ISATAP router—not automatic

10.1.1.100—Client IPv4 address2001:DB8:C003:111f:0:5efe:10.1.1.100—IPv6 address


# ip tunnel add is0 mode isatap 10.1.1.100 v4any 30.1.1.1 ttl 64# ip link set is0 up

Router IPHost IP

IPv6Network

IPv4 Network ISATAP Router 1

E0

Automatic Advertisement of ISATAP Prefix

ISATAP Tunnel

ISATAP Host A

NetworkISATAP Tunnel

ICMPv6 Type 133 (RS) IPv4 Source: 206.123.20.100 IPv4 Destination: 206.123.31.200 IPv6 Source: fe80::5efe:ce7b:1464 IPv6 Destination: fe80::5efe:ce7b:1fc8


6 es a o e80 5e e ce b c8Send me ISATAP Prefix ICMPv6 Type 134 (RA)

IPv4 Source: 206.123.31.200 IPv4 Destination: 206.123.20.100 IPv6 Source: fe80::5efe:ce7b:1fc8 IPv6 Destination: fe80::5efe:ce7b:1464ISATAP Prefix: 2001:db8:ffff :2::/64


44

Automatic Address Assignment of Host and Router

IPv6Network

IPv4 NetworkE0

ISATAP Tunnel

ISATAP Router 1ISATAP Host A

ISATAP host A receives the ISATAP prefix 2001:db8:ffff:2::/64 from ISATAP Router 1

When ISATAP host A wants to send IPv6 packets to

206.123.20.100 fe80::5efe:ce7b:1464 2001:db8:ffff:2::5efe:ce7b:1464

206.123.31.200 fe80::5efe:ce7b:1fc8 2001:db8:ffff:2::5efe:ce7b:1fc8

NetworkISATAP Tunnel


When ISATAP host A wants to send IPv6 packets to 2001:db8:ffff:2::5efe:ce7b:1fc8, ISATAP host A encapsulates IPv6 packets in IPv4. The IPv4 packets of the IPv6 encapsulated packets use IPv4 source and destination address.

Automatic Configuring ISATAP

IPv4 NetworkE0

ISATAP TunnelIPv6

Network

ISATAP Router 1ISATAP Host A

The tunnel source command must point to an interface with an IPv4 address configured

Configure the ISATAP IPv6 address, d fi t b d ti d j t

ISATAP-router1#!interface Ethernet0ip address 206.123.31.200 255.255.255.0!

ISATAP Tunnel Network

206.123.20.100 fe80::5efe:ce7b:1464 2001:db8:ffff:2::5efe:ce7b:1464

206.123.31.200 fe80::5efe:ce7b:1fc8 2001:db8:ffff:2::5efe:ce7b:1fc8


and prefixes to be advertised just as you would with a native IPv6 interface

The IPv6 address has to be configured as an EUI-64 address since the last 32 bits in the interface identifier is used as the IPv4 destination address

interface Tunnel0ipv6 address 2001:db8:ffff:2::/64 eui-64no ipv6 nd suppress-ratunnel source Ethernet0tunnel mode ipv6ip isatap


45

Translation


Legacy Services (IPv4 Only)

NAT–PT

IPv6-Only IPv4-Only S t

Many of the non-routing/switching products do not yet support IPv6 (i.e., content switching modules)

IPv6 Server

Legacy IPv4 Server

Segment

IPv6-EnabledNetwork

Segment

IPv6-onlyHost


NAT-PT (Network Address Translation–Protocol Translation) as an option to front-end IPv4-only server—Note: NAT-PT IS being moved to experimental

Place NAT-PT box as close to IPv4 only server as possible

Be very aware of performance and manageability issues


46

Configuring Cisco IOS NAT-PT

NAT-PT enables communication between IPv6-only and IPv4-only nodes

CEF switching in 12.3(14)Ti t f F tEth t0/0

192.168.1.0/24 F0/1

.10

DNS

.100

interface FastEthernet0/0ipv6 address 2001:DB8:C003:1::1/64ipv6 cefipv6 nat

!interface FastEthernet0/1

ip address 192.168.1.1 255.255.255.0ipv6 nat prefix 2010::/96ipv6 nat

!ipv6 nat v4v6 source 192.168.1.100 2010::100


2001:DB8:C003:1::/64

F0/0NAT Prefix 2010::/96

2001:DB8:C003:1::10

ipv6 nat v4v6 source 192.168.1.10 2010::10!ipv6 nat v6v4 source route-map MAP1 pool V4POOLipv6 nat v6v4 pool V4POOL 192.168.2.1 192.168.2.10 prefix-length 24!route-map MAP1 permit 10match interface FastEthernet0/0

NAT-PT Packet Flow

NAT-PTIPv4 IPv6NAT-PTInterface

DNS IPv6 Host

Interface

192.168.1.10 2001:DB8:C003:1::10

Src: 2001:DB8:C003:1::10

12

Src: 192.168.2.10


Dst: 2010::10 Dst: 192.168.1.10

3

Src: 192.168.1.10Dst: 192.168.2.10

Src: 2010::10Dst: 2001:DB8:C003:1::10

4

DynamicStatic


47

Conclusion

IPv6 is real!

Start now rather than laterP h f th f tPurchase for the future

Start moving legacy application towards IPv6 support

Test, test and then test some more!

Integration can be done per Application (Dual Stack or Tunneled)

Microsoft Vista and Longhorn have IPv6 enabled by default and preferred over IPv4

Things to consider:Don’t assume your favorite vendor/app/gear has an IPv6 plan

Full parity between IPv4 and IPv6 is still a ways off


Watch the standards and policies: http://www.ietf.org and http://www.arin.net/policy/proposals/2006_4.html

Enterprise and SP Deployment Scenarios:ISP IPv6 Deployment Scenarios in Broadband Access Networks (RFC 4779)

Scenarios and Analysis for Introducing IPv6 into ISP Networks (RFC 4029)

IPv6 Enterprise Network Scenarios (RFC 4057)

Procedures for Renumbering an IPv6 Network without a Flag Day (RFC 4192)

Q and A



48

More Information

CCO IPv6http://www.cisco.com/ipv6

The ABC of IPv6http://www.cisco.com/en/US/products/sw/iosswrel/products_abc_ios_overview.html

IPv6 e-Learning [requires CCO username/password] http://www.cisco.com/warp/customer/732/Tech/ipv6/elearning/

IPv6 Access Serviceshttp://www.cisco.com/warp/public/732/Tech/ipv6/docs/ipv6_access_wp_v2.pdf


ICMPv6 Packet Types and Codes TechNotehttp://www.cisco.com/warp/customer/105/icmpv6codes.html

Cisco IOS IPv6 Product [email protected]

Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press

Check the Recommended Reading flyer for suggested books


Available Onsite at the Cisco Company Store


49

Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Don’t forget to activate your Cisco Live virtual account for access to

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 111BRKRST-130114444_04_2008_c1 111© 2008 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKRST-130114444_04_2008_c1


into to ipv6

Documents

cisco systems

cisco public

ipv4 address space

states of nat

c1 nat break security

endtoend model nat

total space remaining2007

endtoend model growth