ipv6 overview cis 185 advanced routing (ccnp 1) spring 2006 rick graziani modified by s. g. lee...


Post on 19-Dec-2015


Page 1: IPv6 Overview CIS 185 Advanced Routing (CCNP 1) Spring 2006 Rick Graziani Modified by S. G. Lee Based on Chapter 2: IPv6 Overview, Routing TCP/IP 2 nd

IPv6 Overview

CIS 185 Advanced Routing (CCNP 1)

Spring 2006

Rick Graziani

Modified by S. G. Lee

Based on Chapter 2: IPv6 Overview, Routing TCP/IP 2nd Edition, Jeff Doyle and Jennifer Carroll


Rick Graziani [email protected] 2

Background

• And when Vint Cerf and Bob Kahn invented TCP/IP for these networks, no one envisioned the Internet as it now is.

• 32-bit address space, yielding almost 4.3 billion addresses, seemed inexhaustible.

• The problem of IPv4 address exhaustion was recognized in the early 1990s, when various experts made projections showing that if the increasing rate of the allotment of IPv4 addresses continued, the entire address space could be depleted in just a few short years.

• A new version of IP—known in the development stage as IP Next Generation or IPng, and which is now IPv6—was the proposed solution.

• But it was recognized that developing the new standards would take time, and that a short-term solution to IPv4 address depletion also was needed.


Background

• That short-term solution was Network Address Translation (NAT).

• Behind the NAT device, hosts use private IP addresses as specified in RFC 1918.

• NAT has been so successful in slowing IPv4 address depletion, and has become such a standard part of most networks, that to this day many still question the need for a new version of IP.

• There are two fundamental drivers behind the growing recognition of the need for IPv6.

• The first is widespread vision of new applications using core concepts such as mobile IP, service quality guarantees, end-to-end security, grid computing, and peer-to-peer networking.

• NAT stifles innovation in these areas, and the only way to get NAT out of the way is to make public IP addresses abundant and readily available.


Background

• The second fundamental driver for IPv6 is the rapid modernization of heavily populated countries such as India and China.

• A compelling statistic is that the number of remaining unallocated IPv4 addresses is almost the same as the population of China: about 1.3 billion.

• IPv6 replaces the 32-bit IPv4 address with a 128-bit address, making 340 trillion trillion trillion IP addresses available.


IP Headers

• The IPv4 header contains 12 basic header fields, followed by an options field and a data portion (usually the transport layer segment).

• The basic IPv4 header has a fixed size of 20 octets.

• The variable-length options field increases the size of the total IP header.

• IPv6 contains five of the 12 IPv4 basic header fields.

• The IPv6 header does not require the other seven fields.


• Routers handle fragmentation in IPv4, which causes a variety of processing issues.

• IPv6 routers do not perform fragmentation.

• Instead, a discovery process determines the optimum maximum transmission unit (MTU) to use during a given session.

• In the discovery process, the source IPv6 device attempts to send a packet at the size that is specified by the upper layers, such as the transport or application layer.

• If the device receives an “ICMP packet too big” message, it retransmits the MTU discover packet with a smaller MTU and repeats the process until it gets a response that the discover packet arrived intact.

• Then it sets the MTU for the session.


Address Representation

• 128-bit IPv6 addresses are represented by breaking them up into eight 16-bit segments.

• Each segment is written in hexadecimal between 0x0000 and 0xFFFF, separated by colons. (16-bit segment: 4 hex digits)

• An example of a written IPv6 address is

    3ffe:1944:0100:000a:0000:00bc:2500:0d0b


Rule 1: Leading 0’s - (leading hex 0s are dropped)

• Two rules for reducing the size of written IPv6 addresses.

• The first rule is:

– The leading zeroes in any 16-bit segment do not have to be written; if any 16-bit segment has fewer than four hexadecimal digits, it is assumed that the missing digits are leading zeroes.

Example

3ffe : 1944 : 0100 : 000a : 0000 : 00bc : 2500 : 0d0b

3ffe : 1944 : 100 : a : 0 : bc : 2500 : d0b


Rule 1: Leading 0’s

Practice

3ffe : 0404 : 0001 : 1000 : 0000 : 0000 : 0ef0 : bc00

3ffe : 0000 : 010d : 000a : 00dd : c000 : e000 : 0001

ff02 : 0000 : 0000 : 0000 : 0000 : 0000 : 0000 : 0005


Rule 1: Leading 0’s

Practice

3ffe : 0404 : 0001 : 1000 : 0000 : 0000 : 0ef0 : bc00

3ffe : 404 : 1 : 1000 : 0 : 0 : ef0 : bc00

3ffe : 0000 : 010d : 000a : 00dd : c000 : e000 : 0001

3ffe : 0 : 10d : a : dd : c000 : e000 : 1

ff02 : 0000 : 0000 : 0000 : 0000 : 0000 : 0000 : 0005

ff02 : 0 : 0 : 0 : 0 : 0 : 0 : 5


Rule 1: Leading 0’s – (trailing hex 0s are kept)

• Notice that only leading zeroes can be omitted; trailing zeroes cannot, because doing so would make the segment ambiguous.

• You would not be able to tell whether the missing zeroes belonged before or after the written digits.

3ffe : 1944 : 100 : a : 0 : bc : 2500 : d0b

Correct Original Address

3ffe : 1944 : 0100 : 000a : 0000 : 00bc : 2500 : 0d0b

OR

Wrong, Ambiguous Original Address

3ffe : 1944 : 1000 : a000 : 0000 : bc00 : 2500 : d0b0


Rule 2: Double colon :: equals 0000…0000

• The second rule can reduce this address even further:

• Any single, contiguous string of one or more 16-bit segments consisting of all zeroes can be represented with a double colon.

ff02 : 0000 : 0000 : 0000 : 0000 : 0000 : 0000 : 0005

ff02 : 0 : 0 : 0 : 0 : 0 : 0 : 5

ff02 : : 5

ff02::5


Rule 2: Double colon :: equals 0000…0000

• Only a single contiguous string of all-zero segments can be represented with a double colon.

(only one run of consecutive all-zero segments is removed)

Example: Both of these are correct

2001 : 0d02 : 0000 : 0000 : 0014 : 0000 : 0000 : 0095

2001 : d02 :: 14 : 0 : 0 : 95

OR

2001 : d02 : 0 : 0 : 14 :: 95


Rule 2: Double colon :: equals 0000…0000

• Using the double colon more than once in an IPv6 address can create ambiguity.

(removing two or more runs of consecutive zeros causes confusion)

Example: 2001:d02::14::95

• Illegal because the length of the two all-zero strings is ambiguous; it could represent any of the following IPv6 addresses:

2001:0d02:0000:0000:0014:0000:0000:0095

2001:0d02:0000:0000:0000:0014:0000:0095

2001:0d02:0000:0014:0000:0000:0000:0095
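Rule 1 and Rule 2 written out as a parser, as an added example that is not part of the original slides: many written forms map to one address, so ACL entries and log lines should be compared only after normalizing. The function names are illustrative; the compressor picks the longest zero run (leftmost on a tie) and leaves a single zero segment as `0`, the canonical-form convention of RFC 5952, which is stricter than the slide's "one or more" wording.

```python
# Added example, not from the slides: Rule 1 and Rule 2 as a small parser.
HEX_DIGITS = set("0123456789abcdefABCDEF")


def _split(part):
    """Split one side of a '::' into the segments that were written."""
    return part.split(":") if part else []


def expand(text):
    """Return the full form (eight 4-digit segments) or raise ValueError."""
    text = text.replace(" ", "")  # the slides write "3ffe : 1944 : ..."
    if text.count("::") > 1:
        raise ValueError("'::' used more than once: zero-run lengths are ambiguous")
    if "::" in text:
        left, right = text.split("::")
        head, tail = _split(left), _split(right)
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must replace at least one all-zero segment")
        segments = head + ["0"] * missing + tail
    else:
        segments = text.split(":")
    if len(segments) != 8:
        raise ValueError("an IPv6 address has exactly eight 16-bit segments")
    for seg in segments:
        if not 1 <= len(seg) <= 4 or not set(seg) <= HEX_DIGITS:
            raise ValueError("bad segment %r" % seg)
    # Undo Rule 1: missing digits are always leading zeroes, never trailing.
    return ":".join(seg.lower().zfill(4) for seg in segments)


def compress(text):
    """Apply Rule 1 to every segment, then Rule 2 to one zero run."""
    segs = [format(int(s, 16), "x") for s in expand(text).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if segs[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and segs[j] == "0":
            j += 1
        if j - i > best_len:  # strictly longer, so the leftmost run wins a tie
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:          # a lone zero segment stays written as "0"
        return ":".join(segs)
    return ":".join(segs[:best_start]) + "::" + ":".join(segs[best_start + best_len:])


def ambiguous_readings(text):
    """List every address that a string with exactly two '::' could mean."""
    parts = [_split(p) for p in text.replace(" ", "").split("::")]
    if len(parts) != 3:
        raise ValueError("expected exactly two '::'")
    a, b, c = parts
    zeros = 8 - len(a) - len(b) - len(c)  # zero segments to share between the gaps
    readings = []
    for first in range(1, zeros):         # each gap hides at least one segment
        segs = a + ["0"] * first + b + ["0"] * (zeros - first) + c
        readings.append(expand(":".join(segs)))
    return readings


if __name__ == "__main__":
    print(compress("ff02:0000:0000:0000:0000:0000:0000:0005"))
    print(expand("2001:d02::14:0:0:95"))
    for reading in ambiguous_readings("2001:d02::14::95"):
        print(reading)
```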


Network Prefixes (network mask)

• In IPv4, the prefix—the network portion of the address—can be identified by a dotted decimal or hexadecimal address mask or a bitcount.

255.255.255.0 or /24

• IPv6 prefixes are always identified by bitcount.

• The address is followed by a forward slash and a decimal number indicating how many of the first bits of the address are the prefix bits.

3ffe:1944:100:a::/64


All 0’s IPv6 Address

• An IPv6 address consisting of all zeroes can be written simply with a double colon.

• There are two cases where an all-zeroes address is used.

1. Default address (see "Default Routes and On-Demand Routing"), in which the address is all zeroes and the prefix length is zero:

::/0

2. Unspecified address, which is used in some Neighbor Discovery Protocol procedures (later).

• An unspecified address is a filler, indicating the absence of a real IPv6 address.

• When writing an unspecified address, it is differentiated from a default address by its prefix length:

::/128


Three types of IPv6

The three types of IPv6 address follow:

1. Unicast

2. Anycast

3. Multicast

• Unlike IPv4, there is no IPv6 broadcast address.

• There is, however, an "all nodes" multicast address, which serves essentially the same purpose as a broadcast address.


Global Unicast Addresses

• A unicast address is an address that identifies a single device.

• A global unicast address is a unicast address that is globally unique.

• By global unicast address, we mean an address with global scope.

• That is, an address that is globally unique and can therefore be routed globally with no modification.


Global Unicast Addresses

• The host portion of the address is called the Interface ID.

• The reason for this name is that a host can have more than one IPv6 interface, and so the address more correctly identifies an interface on a host than a host itself.

• But that subtlety only goes so far:

– A single interface can have multiple IPv6 addresses, and can have an IPv4 address in addition.


Global Unicast Addresses

• Most striking difference between IPv4 addresses and IPv6 addresses, (aside from their lengths): location of the Subnet Identifier

• Subnet Identifier is part of the network portion of the address rather than the host portion.


Global Unicast Addresses

• A big benefit of making the IPv6 Subnet ID field a part of the network portion of the address is that the Interface ID can be a consistent size for all IPv6 addresses, simplifying the parsing of the address.

• And making the Subnet ID a part of the network portion creates a clear separation of functions: (?)

– The network portion provides the location of a device down to the specific data link, and

– the host portion provides the identity of the device on the data link.


Global Unicast Addresses

• With very few exceptions:

– Interface ID is 64 bits long

– Subnet ID field is 16 bits, which provides for 65,536 separate subnets

• The IANA and the Regional Internet Registries (RIRs) assign IPv6 prefixes—normally /32 or /35 in length—to the Local Internet Registries (LIRs).

• The LIRs, which are usually large Internet Service Providers, then allocate longer prefixes to their customers. In the majority of cases, the prefixes assigned by the LIRs are /48.


Global Unicast Addresses

Exceptions

• If the customer is very large, a prefix shorter than /48 might be assigned.

• If one and only one subnet is to be addressed, a /64 might be assigned.

• If one and only one device is to be addressed, a /128 might be assigned.


Correction in book

FE80::/10

FEC0::/10


Identifying IPv6 Address Types

• The first few bits of the address specify the address type.

• For example, the first three bits of all global unicast addresses currently are 001, so they all start with either 2 or 3 (0010 or 0011).

• Binary 001 is expected to suffice for global unicast addresses for some time to come.


Local Unicast Addresses

• Global unicast addresses

– globally unique, therefore routed globally.

• Link-local unicast address

– scope is confined to a single link.

– unique only on one link.

– not routable off its link.

• Address starts with 1111111010 (FE80::/10).


Local Unicast Addresses

• Link-local addresses are used for

– Neighbor Discovery Protocol, which communicates only on a single link.

– Devices that do not have, or have not yet been assigned, global prefixes: the link-local address gives them the ability to communicate with other devices.


Site-Local Unicast Addresses

• IPv6 originally defined a site-local unicast address, similar to RFC 1918 IPv4 Addresses. (Private addresses)

• As a result of these concerns, and after some heated debate, the IPv6 Working Group deprecated site-local addresses in RFC 3879.

• An assurance has been given to those who see advantages in site-local addresses to introduce another scheme with similar "bigger scope than link but smaller scope than global" benefits, but as of this writing such a replacement scheme has yet to be seen.


Anycast Addresses

• An anycast address represents a service rather than a device

• The same address can reside on one or more devices providing the same service.


Anycast Addresses

• A service is offered by three servers, all advertising the service at the IPv6 address 3ffe:205:1100::15.

• The router, receiving advertisements for the address, does not know that it is being advertised by three different devices; instead, the router assumes that it has three routes to the same destination and chooses the lowest-cost route.

• In this example, that is the route to server C with a cost of 20.

Preferred route


Anycast Addresses

• The advantage of anycast addresses is that a router always routes to the "closest" or "lowest-cost" server.

• So servers providing some commonly used service can be spread across a large network and traffic can be localized or scoped to the nearest server, making traffic patterns in the network more efficient.

• And if one server becomes unavailable, the router routes to the next nearest server.


Multicast Addresses

• A multicast address identifies not one device but a set of devices—a multicast group.

• A packet being sent to a multicast group is originated by a single device; therefore a multicast packet normally has a unicast address as its source address and a multicast address as its destination address. (unicast src addr, multicast dest addr)

• IPv6 does not have a reserved broadcast address like IPv4, but it does have a reserved all-nodes multicast group. (FF02::1)


Multicast Addresses

• Multicasting is essential to the basic operation of IPv6, particularly some of its plug-and-play features such as router discovery and address autoconfiguration.

• These functions are a part of the Neighbor Discovery Protocol, discussed later.


Multicast Addresses

(Link-local)


Neighbor Discovery Protocol (NDP)

Provides plug-and-play features, using the following functions:

• Router Discovery— Discover the local routers without

• Prefix Discovery— Discover the prefix or prefixes assigned to that link.

• Parameter Discovery— Discover other parameters such as the link MTU and hop limits for its connected link.

• Address Autoconfiguration— Determine its full address, without DHCP.

• Address Resolution— Discover the link-layer addresses of other nodes on the link without the use of Address Resolution Protocol (ARP).

• Next-Hop Determination— Determine the link-layer next hop for a destination, either as a local destination or a router to the destination.

• Neighbor Unreachability Detection(NUD)— Determine when a neighbor on a link, either another host or a router, is no longer reachable.

• Duplicate Address Detection(DAD)— Determine if an address it wants to use is already being used by another node on the link.

• Redirect— A router can notify a host of a better next-hop than itself to an off-link destination. The redirect function is a part of basic ICMP functionality in IPv4, but is redefined as part of NDP in IPv6.


NDP Messages ( RFC 2461 )

NDP uses ICMPv6 to exchange its messages and defines five new ICMPv6 messages:

• Router Advertisement (RA) messages are originated by routers to advertise their presence and link-specific parameters such as link prefixes, link MTU, and hop limits.

– These messages are sent periodically, and also in response to Router Solicitation messages.

• Router Solicitation (RS) messages are originated by hosts to request that a router send an RA. (a solicitation is an earnest request)

• Neighbor Solicitation (NS) messages are originated by nodes to request another node's link layer address and also for functions such as duplicate address detection and neighbor unreachability detection.

• Neighbor Advertisement (NA) messages are sent in response to NS messages. If a node changes its link-layer address, it can send an unsolicited NA to advertise the new address.

• Redirect messages are used the same way that redirects are used in ICMP for IPv4; they have merely been moved from being a part of the base ICMPv6 protocol to being a part of NDP.


NDP Messages

RA (Router Advertisement)

- Address, prefix, link MTU

RS (Router Solicitation)

- Need RA from Router

NS (Neighbor Solicitation)

- Request another node's link layer address

NA (Neighbor Advertisement)

- Sent in response to NS

Redirect

- Suggest another Gateway


NDP - Router Discovery

RA (Router Advertisement)

- All-nodes multicast address (FF02::1)

- Sent between 4 - 1,800 seconds, default every 200 seconds

- Address, prefix, link MTU

• A router makes its presence known by periodically sending RAs on its attached links.

• Router(config)# ipv6 unicast-routing : Cisco routers automatically send RAs on Ethernet and FDDI interfaces


NDP - Router Discovery

Immediate (.5 second delay) RA (Router Advertisement)

RS (Router Solicitation)

Source Add: (::) or link-local layer

Dest. Add: all-routers multicast (FF02::2)

Dest. Add: unicast if source was link-local, otherwise multicast to all-nodes (FF02::1)

Host adds router to default router list

When a host receives an RA, it adds the router to its default router list. If there is more than one router on the default router list, it could either rotate through the list, or select and keep a single router as default.


NDP - Address Autoconfiguration

• When an IPv6 host first becomes active on a link, it can self-configure its own interface address.

• The first step

– Determination of the 64-bit Interface ID portion of the address.

– A mechanism called MAC-to-EUI64 conversion is used.

• The second step

– Add the link-local prefix, which is a reserved, well-known value of 0xFE80::/10


NDP - Address Autoconfiguration – Interface ID

[Figure: MAC-to-EUI64 conversion from the MAC address in two steps, Step (1) and Step (2), showing the Universal/Local (U/L) bit]


NDP - Address Autoconfiguration – Link Local Prefix

Start with getting a Link-Local IPv6 Address

• link-local prefix (0xFE80::/64) + EUI64 Interface Address.

• can be used for communication with other devices on the same link.

• For example, FE80::0200:0BFF:FE0A:2D51


NDP - Address Autoconfiguration – Link Local Prefix

Original MAC: 0000:0B0A:2D51

Converted MAC: 0200:0BFF:FE0A:2D51

LINK LOCAL Add: FE80::0200:0BFF:FE0A:2D51

FE80::0200:0BFF:FE0A:2D51

11111110 10000000 [& 48 0’s] + Interface ID [64 bits]


NDP - Address Autoconfiguration – Link Local Prefix

• Example of a link-local address, Ethernet interface "en1" on a Macintosh OS X host.

• Using the link-local prefix FE80::/10 and a MAC-to-EUI64 conversion, an IPv6 interface derives its link-local address with no help from any other device:


NDP - Address Autoconfiguration – Global Prefix

• If the host only needs to communicate with devices on the link, autoconfiguring its link-local address is sufficient.

• But if it needs to communicate with devices off-link, it needs an address with a wider scope—normally a global IPv6 address.

• There are two ways it can acquire this address:

– stateful address autoconfiguration

– stateless address autoconfiguration


NDP - Address Autoconfiguration – Global Prefix

Stateful Address Autoconfiguration (Like IPv4 DHCP)

• Consults a DHCPv6 server for the necessary address information:

– Preconfigured to find a DHCPv6 server

or

– Received RA might have its M flag set telling it to use DHCPv6

• DHCPv6, described in RFC 3315, is not much different in its end results than DHCP for IPv4.

RA (Router Advertisement)

- Use DHCPv6 Server

DHCPv6 Request


NDP - Address Autoconfiguration – Global Prefix

Stateless Address Autoconfiguration

• Host acquires one or more link prefixes from the RAs it receives.

• It then adds the prefix to its previously determined Interface ID, and it now has a globally unique IPv6 address.

• Example, if the host received an RA advertising a prefix of 3FFE:1104:404:1::/64, it would add that prefix to its Interface ID for a global address of 3FFE:1104:404:1:0200:0BFF:FE0A:2D51.

RA (Router Advertisement)

- Prefix of 3FFE:1104:404:1::/64

Original MAC: 0000:0B0A:2D51

Converted MAC: 0200:0BFF:FE0A:2D51

Router Adv: 3FFE:1104:404:1::/64

Global Add: 3FFE:1104:404:1:0200:0BFF:FE0A:2D51


NDP - Duplicate Address Detection

• Use of MAC addresses to derive an Interface ID almost always guarantees a unique address of any scope.

• Still wise to ensure that the address is unique.

• Whenever a device acquires a unicast address, it must perform Duplicate Address Detection before using the address.

• Required for stateful configuration, stateless configuration, or statically configured.

• The only exception to the rule is an anycast address, because anycast addresses by definition can appear on more than one device.

• There is also an exception for link local addresses.

My Global Address is 3FFE:1104:404:1:0200:0BFF:FE0A:2D51

“Tentative”: Need to do Duplicate Address Detection


NDP - Duplicate Address Detection

• A node that has acquired a new address classifies the address as tentative.

• The address cannot be used until verified with the Duplicate Address Detection.

• The node sends an NS with the Target Address field set to the address to be verified.

– Source address of the NS is the unspecified address

– Destination of the NS is a solicited-node multicast address.

My Global Address is 3FFE:1104:404:1:0200:0BFF:FE0A:2D51

“Tentative”: Need to do Duplicate Address Detection

NS (Neighbor Solicitation)

- Target Address = 3FFE:1104:404:1:0200:0BFF:FE0A:2D51


NDP - Duplicate Address Detection

• The Destination, solicited-node multicast address is formed by prepending the prefix FF02:0:0:0:0:1:FF00::/104 to the last 24 bits of the target address.

• For example, given the Interface ID derived above, the solicited-node multicast address is FF02::1:FF0A:2D51.

• This is a sort of broadcast for any device with these 24 bits in their Interface ID.

• The reason for this is that if a node has autoconfigured more than one interface address, the last 24 bits of all of its addresses should be the same.

• So the one NS with a solicited-node multicast address should match all of its interface addresses.

My Global Address is 3FFE:1104:404:1:0200:0BFF:FE0A:2D51

“Tentative”: Need to do Duplicate Address Detection

NS (Neighbor Solicitation)

- Target Address = 3FFE:1104:404:1:0200:0BFF:FE0A:2D51

- Destination: Solicited-Node Multicast Address = FF02::1:FF0A:2D51
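The autoconfiguration steps from the preceding slides, carried through with the slides' own values, as an added example that is not part of the original deck: MAC-to-EUI64 conversion, the link-local and stateless global addresses, and the solicited-node multicast group used for Duplicate Address Detection. The function names are illustrative; `mac_from_address` runs the conversion backwards, which is how a defender reading logs can tie an EUI-64 address back to one network adapter regardless of the prefix it appears under.

```python
import ipaddress
import re

# Added example, not from the slides. Sample values are the slides' own.
LINK_LOCAL = int(ipaddress.IPv6Address("fe80::"))
SOLICITED_NODE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))  # FF02:0:0:0:0:1:FF00::/104


def mac_bytes(mac):
    """Accept 0000:0B0A:2D51, 00-00-0b-0a-2d-51, 00:00:0b:0a:2d:51, ..."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError("a MAC address is 48 bits (12 hex digits)")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """MAC-to-EUI64: flip the U/L bit, insert FFFE between the two halves."""
    m = mac_bytes(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:]


def interface_id_text(mac):
    """Interface ID in the slides' notation, e.g. 0200:0BFF:FE0A:2D51."""
    raw = eui64_interface_id(mac)
    return ":".join(raw[i:i + 2].hex().upper() for i in range(0, 8, 2))


def link_local(mac):
    """Link-local prefix plus the EUI-64 Interface ID."""
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(LINK_LOCAL | iid)


def slaac_global(prefix, mac):
    """Stateless autoconfiguration: advertised /64 prefix plus Interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node(address):
    """Multicast group an NS for this target address is sent to during DAD."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE | low24)


def mac_from_address(address):
    """Recover the MAC from an EUI-64 derived address, or None if not EUI-64."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # Interface ID was not built by MAC-to-EUI64 conversion
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)


if __name__ == "__main__":
    mac = "0000:0B0A:2D51"                      # Original MAC from the slides
    print(interface_id_text(mac))               # Converted MAC
    print(link_local(mac))
    addr = slaac_global("3FFE:1104:404:1::/64", mac)
    print(addr, "->", solicited_node(addr))
    print(mac_from_address(addr))
```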


NDP - Duplicate Address Detection

• If a node receives an NS and the target address matches one of its assigned addresses, it sends an NA with the Target Address and the destination address set to the tentative address.

• The node that had originated the NS, on receipt of the NA, knows that the tentative address is duplicate and cannot be used.

My Global Address is 3FFE:1104:404:1:0200:0BFF:FE0A:2D51

“Tentative”: Need to do Duplicate Address Detection

NS (Neighbor Solicitation)

NA (Neighbor Advertisement)

- Target Address = 3FFE:1104:404:1:0200:0BFF:FE0A:2D51

- Target and Destination Address = 3FFE:1104:404:1:0200:0BFF:FE0A:2D51

Can’t use this Global Address!
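The DAD exchange from the slides above, as an added Python example that is not part of the original slides. The `Node` class, the dictionary message layout, the two-node link and the link-local candidate address are assumptions made for illustration; the global address is the one on the slides.

```python
import ipaddress

SN_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))  # FF02:0:0:0:0:1:FF00::/104

def solicited_node(addr):
    """Prefix FF02::1:FF00:0/104 followed by the low 24 bits of addr."""
    return ipaddress.IPv6Address(SN_BASE | (int(ipaddress.IPv6Address(addr)) & 0xFFFFFF))

class Node:  # hypothetical model of a host on the link
    def __init__(self, name, assigned=()):
        self.name = name
        self.assigned = {ipaddress.IPv6Address(a) for a in assigned}

    def groups(self):
        # A node listens on the solicited-node group of each address it holds.
        return {solicited_node(a) for a in self.assigned}

    def on_ns(self, ns):
        # Answer with an NA only when the NS target is one of our addresses.
        if ns["target"] in self.assigned:
            return {"type": "NA", "from": self.name, "target": ns["target"]}
        return None

def dad(node, link, candidate):
    """Run DAD for candidate on link; return (usable, ns, na)."""
    target = ipaddress.IPv6Address(candidate)          # tentative until verified
    ns = {"type": "NS", "src": ipaddress.IPv6Address("::"),
          "dst": solicited_node(target), "target": target}
    for other in link:
        if other is not node and ns["dst"] in other.groups():
            na = other.on_ns(ns)
            if na is not None:
                return False, ns, na                   # duplicate: do not assign
    node.assigned.add(target)                          # no NA seen: address is usable
    return True, ns, None

if __name__ == "__main__":
    # Constructed link: "A" already holds the slide's global address.
    a = Node("A", ["3FFE:1104:404:1:0200:0BFF:FE0A:2D51"])
    b = Node("B")
    link = [a, b]
    for cand in ("3FFE:1104:404:1:0200:0BFF:FE0A:2D51", "FE80::0200:0BFF:FE0A:2D51"):
        ok, ns, na = dad(b, link, cand)
        print(cand, "->", ns["dst"], "usable" if ok else f"duplicate (NA from {na['from']})")
```

Both candidates map to the same solicited-node group, so node A receives both NS messages, but it answers only the one whose Target Address it actually holds.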


NDP - Neighbor Address Resolution

• IPv4 uses ARP (Address Resolution Protocol) to discover Layer 2 data link addresses, when it knows an IPv4 destination address.

• IPv6 uses NDP.

• Example
 - A node might want to send a packet to examplehost.com.
 - A DNS query returns the address 3FFE:521:2400:15:211:24FF:FE23:334E.
 - The sending node must now discover the link-layer address to use as a destination address of the frame for the local link.

DNS Server

IPv6 packet for examplehost.com

examplehost.com

DNS Query for examplehost.com

DNS Reply

3FFE:521:2400:15:211:24FF:FE23:334E


NDP - Neighbor Address Resolution

• When the node examines the prefix of the IPv6 address returned by DNS, it either concludes that the destination is a neighbor on the local link or that it is off-link and therefore reachable through the default router.

• If the latter is the case (the destination is off-link), the node should already know the link-layer address of the default router from the RAs.

• Similar to IPv4.

DNS Server

IPv6 packet for examplehost.com

examplehost.com

DNS Query for examplehost.com

DNS Reply

3FFE:521:2400:15:211:24FF:FE23:334E

RA (Router Advertisement) – Link Layer address

Is the prefix returned the same as my prefix (on the link or off the link)? NO: send to router. YES: send directly.


NDP - Neighbor Address Resolution

• But if the destination is on the local link, the node first looks in its neighbor cache to see if the address is known.

• The neighbor cache in IPv6 is very similar to the ARP cache in IPv4; it records known network-layer addresses and the link-layer addresses associated with them.

DNS Server

IPv6 packet for examplehost.com

examplehost.com

DNS Query for examplehost.com

DNS Reply

3FFE:521:2400:15:211:24FF:FE23:334E

RA (Router Advertisement) – Link Layer address

Is the prefix returned the same as my prefix? YES, check neighbor cache.


NDP - Neighbor Address Resolution

DNS Server

IPv6 packet for examplehost.com

examplehost.com

DNS Query for examplehost.com

DNS Reply

3FFE:521:2400:15:211:24FF:FE23:334E

RA (Router Advertisement) – Link Layer address

Is the prefix returned the same as my prefix? YES, check neighbor cache for an IPv6 – MAC address match.


NDP - Neighbor Address Resolution

• If the address is not in the neighbor cache, it is entered but tagged Incomplete, indicating that address resolution is in progress.

• The node then sends an NS to the solicited-node multicast address associated with the target node.

DNS Server

IPv6 packet for examplehost.com

examplehost.com

RA (Router Advertisement) – Link Layer address

NS (Neighbor Solicitation)

- Target Address = 3FFE:521:2400:15:211:24FF:FE23:334E

- Destination, Solicited-Node Multicast Address = FF02::1:FF23:334E


NDP - Neighbor Address Resolution

• If the solicited node exists and the NS is valid, it responds with an NA.

• The soliciting node, upon receipt of the NA, can add the target node's link-layer address to the neighbor cache entry and change the entry from Incomplete to Reachable.

DNS Server

IPv6 packet for examplehost.com

examplehost.com

RA (Router Advertisement) – Link Layer address

NS (Neighbor Solicitation)

- Target Address = 3FFE:521:2400:15:211:24FF:FE23:334E

- Destination, Solicited-Node Multicast Address = FF02::1:FF23:334E

NA (Neighbor Advertisement)

- Data Link Layer Address = 0011:2423:334E

Add to neighbor cache.
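The address-resolution decision walked through on the slides above (on-link check, neighbor cache lookup, Incomplete entry, NS, NA, Reachable), as an added Python example that is not part of the original slides. The `Host` class, `make_link`, the message dictionaries, the /64 on-link prefix, the router link-layer address and the off-link destination are assumptions made for illustration; the target address and its link-layer address are the ones on the slides.

```python
import ipaddress

SN_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node(addr):
    return ipaddress.IPv6Address(SN_BASE | (int(ipaddress.IPv6Address(addr)) & 0xFFFFFF))

def make_link(neighbors):
    """Constructed local link: {IPv6 address: link-layer address} of the nodes on it."""
    table = {ipaddress.IPv6Address(a): ll for a, ll in neighbors.items()}
    def deliver(ns):
        # Only the owner of the target, listening on its solicited-node group, answers.
        if ns["target"] in table and ns["dst"] == solicited_node(ns["target"]):
            return {"type": "NA", "target": ns["target"], "lladdr": table[ns["target"]]}
        return None
    return deliver

class Host:  # hypothetical model of the sending node
    def __init__(self, on_link_prefix, router_lladdr):
        self.prefix = ipaddress.IPv6Network(on_link_prefix)  # learned from the RA
        self.router_lladdr = router_lladdr                   # learned from the RA
        self.cache = {}    # neighbor cache: IPv6 address -> [state, link-layer address]
        self.sent = []     # NS messages this host has put on the link

    def resolve(self, dst, link):
        """Return the link-layer destination for a packet to dst, or None."""
        dst = ipaddress.IPv6Address(dst)
        if dst not in self.prefix:
            return self.router_lladdr                 # off-link: use the default router
        entry = self.cache.get(dst)
        if entry and entry[0] == "REACHABLE":
            return entry[1]                           # cache hit, no NS needed
        self.cache[dst] = ["INCOMPLETE", None]        # resolution in progress
        ns = {"type": "NS", "dst": solicited_node(dst), "target": dst}
        self.sent.append(ns)
        na = link(ns)
        if na is not None and na["target"] == dst:
            self.cache[dst] = ["REACHABLE", na["lladdr"]]
            return na["lladdr"]
        return None                                   # no NA: entry stays INCOMPLETE

if __name__ == "__main__":
    link = make_link({"3FFE:521:2400:15:211:24FF:FE23:334E": "0011:2423:334E"})
    host = Host("3FFE:521:2400:15::/64", "00:00:5e:00:53:01")  # constructed router MAC
    for dst in ("3FFE:521:2400:15:211:24FF:FE23:334E", "2001:db8::1"):
        print(dst, "->", host.resolve(dst, link), [str(m["dst"]) for m in host.sent])
```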


Privacy Addresses – Final Note

• Even if a device moves from subnet to subnet or even major network to major network, its Interface ID always remains the same; and if the Interface ID remains the same, it can be tracked.

• At the least, this becomes a privacy issue.

• For example, suppose you are using IPv6 to connect to your company network.

• Recording and analyzing packets coming into some part of the network can identify you by your unchanging Interface ID.

• And by further analyzing the different prefixes prepended to that Interface ID, your employer can infer where you are at all times: at work, at home, traveling, or whatever.

• More insidious uses can also be made of such tracking, keeping record of your location and activities for everything from marketing to criminal exploitation.

• RFC 3041 addresses this security concern by defining IPv6 privacy addresses.

• A privacy address is one in which the Interface ID is generated by an algorithm using a pseudo-random number.

• What is significant about it, and makes it reasonably private, is that the Interface ID changes approximately once a day (or on some configurable period) and also whenever the node acquires a new IPv6 prefix.
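An added Python example, not part of the original slides, that audits a list of observed addresses for the exposure described above and shows how one round of the RFC 3041 generator (MD5 over the history value and the EUI-64 identifier, section 3.2.1) removes it. The function names, the two `2001:db8` prefixes and the all-zero starting history value are assumptions made for illustration; a real node starts from a random history value.

```python
import hashlib
import ipaddress
from collections import defaultdict

def iid(addr):
    """Low 64 bits (Interface ID) of an IPv6 address, as bytes."""
    return (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")

def with_iid(prefix, iid_bytes):
    """Combine a /64 prefix with an 8-byte Interface ID."""
    base = int(ipaddress.IPv6Network(prefix).network_address)
    return ipaddress.IPv6Address(base | int.from_bytes(iid_bytes, "big"))

def eui64_mac(addr):
    """MAC address embedded in a MAC-derived Interface ID, or None."""
    b = iid(addr)
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]       # undo the U/L bit flip
    return ":".join(f"{x:02x}" for x in mac)

def trackable(observed):
    """Interface IDs seen under more than one /64 prefix -> sorted prefixes."""
    seen = defaultdict(set)
    for a in observed:
        prefix = ipaddress.IPv6Network((int(ipaddress.IPv6Address(a)) >> 64 << 64, 64))
        seen[iid(a)].add(str(prefix))
    return {k.hex(): sorted(v) for k, v in seen.items() if len(v) > 1}

def rfc3041_iid(history, eui64):
    """One round of RFC 3041 section 3.2.1: MD5 over history value || EUI-64."""
    digest = hashlib.md5(history + eui64).digest()
    temp = bytearray(digest[:8])
    temp[0] &= 0xFD                                    # clear the universal/local bit
    return bytes(temp), digest[8:]                     # (temporary IID, next history)

if __name__ == "__main__":
    # Constructed observations: one laptop seen at three sites (two prefixes are made up).
    prefixes = ["3ffe:1104:404:1::/64", "2001:db8:a::/64", "2001:db8:b::/64"]
    fixed = iid("3FFE:1104:404:1:0200:0BFF:FE0A:2D51")
    print(trackable([with_iid(p, fixed) for p in prefixes]), eui64_mac(with_iid(prefixes[0], fixed)))
    history, private = bytes(8), []                    # constructed fixed starting history
    for p in prefixes:                                 # new prefix -> new Interface ID
        temp, history = rfc3041_iid(history, fixed)
        private.append(with_iid(p, temp))
    print(trackable(private))
```

Run over real flow or proxy logs, `trackable` gives a quick inventory of hosts still using MAC-derived addresses, which are the ones to move to privacy addresses.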
