Post on 19-Dec-2015
IPv6 Overview
CIS 185 Advanced Routing (CCNP 1)
Spring 2006
Rick Graziani
Modified by S. G. Lee
Based on Chapter 2: IPv6 Overview, Routing TCP/IP 2nd Edition, Jeff Doyle and Jennifer Carroll
Rick Graziani [email protected] 2
Background
• And when Vint Cerf and Bob Kahn invented TCP/IP for these networks, no one envisioned the Internet as it now is.
• 32-bit address space, yielding almost 4.3 billion addresses, seemed inexhaustible.
• The problem of IPv4 address exhaustion was recognized in the early 1990s, when various experts made projections showing that if the increasing rate of the allotment of IPv4 addresses continued, the entire address space could be depleted in just a few short years.
• A new version of IP—known in the development stage as IP Next Generation or IPng, and which is now IPv6—was the proposed solution.
• But it was recognized that developing the new standards would take time, and that a short-term solution to IPv4 address depletion also was needed.
Background
• That short-term solution was Network Address Translation (NAT).
• Behind the NAT device, hosts use private IP addresses as specified in RFC 1918.
• NAT has been so successful in slowing IPv4 address depletion, and has become such a standard part of most networks, that to this day many still question the need for a new version of IP.
• There are two fundamental drivers behind the growing recognition of the need for IPv6.
• The first is widespread vision of new applications using core concepts such as mobile IP, service quality guarantees, end-to-end security, grid computing, and peer-to-peer networking.
• NAT stifles innovation in these areas, and the only way to get NAT out of the way is to make public IP addresses abundant and readily available.
Background
• The second fundamental driver for IPv6 is the rapid modernization of heavily populated countries such as India and China.
• A compelling statistic is that the number of remaining unallocated IPv4 addresses is almost the same as the population of China: about 1.3 billion.
• IPv6 replaces the 32-bit IPv4 address with a 128-bit address, making 340 trillion trillion trillion IP addresses available.
IP Headers
• The IPv4 header contains 12 basic header fields, followed by an options field and a data portion (usually the transport layer segment).
• The basic IPv4 header has a fixed size of 20 octets.
• The variable-length options field increases the size of the total IP header.
• IPv6 contains five of the 12 IPv4 basic header fields.
• The IPv6 header does not require the other seven fields.
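As an added illustration of the fixed-size header (example code written for this page, not from the slides or from Doyle and Carroll's book): a builder and parser for the 40-octet base IPv6 header. The field layout follows RFC 2460; the function names and the sample packet are constructed here, and the ICMPv6 payload is a stub with a zero checksum.

```python
import struct
import ipaddress

IPV6_HEADER_LEN = 40  # the base IPv6 header is always 40 octets: no options, no checksum

# Field layout of the fixed IPv6 header (RFC 2460):
#   Version (4) | Traffic Class (8) | Flow Label (20)
#   Payload Length (16) | Next Header (8) | Hop Limit (8)
#   Source Address (128)
#   Destination Address (128)


def build_ipv6_header(src, dst, payload, next_header=58, hop_limit=64,
                      traffic_class=0, flow_label=0):
    """Build a fixed-size IPv6 header in front of 'payload'. Next Header 58 is ICMPv6."""
    if not 0 <= flow_label < (1 << 20):
        raise ValueError("flow label is 20 bits")
    first_word = (6 << 28) | (traffic_class << 20) | flow_label
    header = struct.pack("!IHBB", first_word, len(payload), next_header, hop_limit)
    header += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return header + payload


def parse_ipv6_header(packet):
    """Parse the 40-octet base header and return its fields plus the payload slice.

    Because the header length is fixed there is no header-length field to trust
    (unlike IPv4's IHL); extension headers, if any, are chained via Next Header.
    """
    if len(packet) < IPV6_HEADER_LEN:
        raise ValueError("truncated packet: fewer than 40 octets")
    first_word, payload_len, next_header, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version field {version})")
    if len(packet) - IPV6_HEADER_LEN < payload_len:
        raise ValueError("payload length claims more bytes than were captured")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(packet[8:24]),
        "dst": ipaddress.IPv6Address(packet[24:40]),
        "payload": packet[40:40 + payload_len],
    }


# Constructed sample (not a real capture): an 8-octet ICMPv6 echo-request stub with a
# zero checksum, sent from a link-local host to the all-nodes multicast group.
SAMPLE_PACKET = build_ipv6_header(
    "fe80::200:bff:fe0a:2d51", "ff02::1",
    bytes.fromhex("8000000012340001"), next_header=58, hop_limit=255)

if __name__ == "__main__":
    for name, value in parse_ipv6_header(SAMPLE_PACKET).items():
        print(f"{name:15} {value}")
```

The parser rejects anything whose version nibble is not 6 and anything whose Payload Length claims more data than was captured, the two checks a dissector needs before it walks extension headers.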
• Routers handle fragmentation in IPv4, which causes a variety of processing issues.
• IPv6 routers do not perform fragmentation.
• Instead, a discovery process determines the optimum maximum transmission unit (MTU) to use during a given session.
• In the discovery process, the source IPv6 device attempts to send a packet at the size that is specified by the upper layers, such as the transport or application layer.
• If the device receives an “ICMP packet too big” message, it retransmits the MTU discover packet with a smaller MTU and repeats the process until it gets a response that the discover packet arrived intact.
• Then it sets the MTU for the session.
Address Representation
• 128-bit IPv6 addresses are represented by breaking them up into eight 16-bit segments. (8 segments of 16 bits)
• Each segment is written in hexadecimal between 0x0000 and 0xFFFF, separated by colons. (one 16-bit segment = 4 hex digits)
• An example of a written IPv6 address is
3ffe:1944:0100:000a:0000:00bc:2500:0d0b
Rule 1: Leading 0’s - (leading hex 0s are dropped)
• Two rules for reducing the size of written IPv6 addresses.
• The first rule is:
– The leading zeroes in any 16-bit segment do not have to be written; if any 16-bit segment has fewer than four hexadecimal digits, it is assumed that the missing digits are leading zeroes.
Example
3ffe : 1944 : 0100 : 000a : 0000 : 00bc : 2500 : 0d0b
3ffe : 1944 : 100 : a : 0 : bc : 2500 : d0b
Rule 1: Leading 0’s
Practice
3ffe : 0404 : 0001 : 1000 : 0000 : 0000 : 0ef0 : bc00
3ffe : 0000 : 010d : 000a : 00dd : c000 : e000 : 0001
ff02 : 0000 : 0000 : 0000 : 0000 : 0000 : 0000 : 0005
Rule 1: Leading 0’s
Practice
3ffe : 0404 : 0001 : 1000 : 0000 : 0000 : 0ef0 : bc00
3ffe : 404 : 1 : 1000 : 0 : 0 : ef0 : bc00
3ffe : 0000 : 010d : 000a : 00dd : c000 : e000 : 0001
3ffe : 0 : 10d : a : dd : c000 : e000 : 1
ff02 : 0000 : 0000 : 0000 : 0000 : 0000 : 0000 : 0005
ff02 : 0 : 0 : 0 : 0 : 0 : 0 : 5
Rule 1: Leading 0’s – (trailing hex 0s are kept)
• Notice that only leading zeroes can be omitted; trailing zeroes cannot, because doing so would make the segment ambiguous.
• You would not be able to tell whether the missing zeroes belonged before or after the written digits.
3ffe : 1944 : 100 : a : 0 : bc : 2500 : d0b
Correct Original Address
3ffe : 1944 : 0100 : 000a : 0000 : 00bc : 2500 : 0d0b
OR
Wrong, Ambiguous Original Address
3ffe : 1944 : 1000 : a000 : 0000 : bc00 : 2500 : d0b0
Rule 2: Double colon :: equals 0000…0000
• The second rule can reduce this address even further:
• Any single, contiguous string of one or more 16-bit segments consisting of all zeroes can be represented with a double colon.
ff02 : 0000 : 0000 : 0000 : 0000 : 0000 : 0000 : 0005
ff02 : 0 : 0 : 0 : 0 : 0 : 0 : 5
ff02 : : 5
ff02::5
Rule 2: Double colon :: equals 0000…0000
• Only a single contiguous string of all-zero segments can be represented with a double colon.
(only one contiguous run of zero segments may be removed)
Example: Both of these are correct
2001 : 0d02 : 0000 : 0000 : 0014 : 0000 : 0000 : 0095
2001 : d02 :: 14 : 0 : 0 : 95
OR
2001 : d02 : 0 : 0 : 14 :: 95
Rule 2: Double colon :: equals 0000…0000
• Using the double colon more than once in an IPv6 address can create ambiguity. (removing two or more runs of zeroes causes confusion)
Example: 2001:d02::14::95
• Illegal because the length of the two all-zero strings is ambiguous; it could represent any of the following IPv6 addresses:
2001:0d02:0000:0000:0014:0000:0000:0095
2001:0d02:0000:0000:0000:0014:0000:0095
2001:0d02:0000:0014:0000:0000:0000:0095
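The two rules, implemented as a small Python module (an added example, not part of the slides): expand_ipv6 restores leading zeroes and expands a single ::, compress_ipv6 applies both rules, and ambiguous_expansions enumerates the addresses a string with two :: could stand for, which is the reason such strings are illegal. compress_ipv6 goes one step beyond the slides by choosing the run the way RFC 5952 makes canonical (the longest run of zero segments, the first one on a tie, and never a lone zero segment); that is also what Python's ipaddress module produces, so matches_stdlib cross-checks the two. All function names are mine.

```python
import ipaddress
import re

HEX_SEGMENT = re.compile(r"[0-9A-Fa-f]{1,4}")


def expand_ipv6(text):
    """Undo the two shortening rules: restore leading zeroes (Rule 1) and expand a
    single '::' into the run of all-zero segments it stands for (Rule 2).
    A second '::' is rejected because its expansion is ambiguous."""
    if text.count("::") > 1:
        raise ValueError(f"{text!r}: more than one '::' is ambiguous")
    if "::" in text:
        head, tail = text.split("::")
        head_segs = head.split(":") if head else []
        tail_segs = tail.split(":") if tail else []
        missing = 8 - len(head_segs) - len(tail_segs)
        if missing < 1:
            raise ValueError(f"{text!r}: '::' must stand for at least one segment")
        segs = head_segs + ["0"] * missing + tail_segs
    else:
        segs = text.split(":")
    if len(segs) != 8:
        raise ValueError(f"{text!r}: expected 8 segments, got {len(segs)}")
    for s in segs:
        if not HEX_SEGMENT.fullmatch(s):
            raise ValueError(f"{text!r}: bad segment {s!r}")
    return ":".join(s.lower().zfill(4) for s in segs)


def compress_ipv6(text):
    """Apply Rule 1, then Rule 2 as RFC 5952 makes it canonical: collapse only the
    longest run of zero segments, the first one on a tie, never a single segment."""
    segs = [s.lstrip("0") or "0" for s in expand_ipv6(text).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if segs[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and segs[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(segs)
    head = ":".join(segs[:best_start])
    tail = ":".join(segs[best_start + best_len:])
    return f"{head}::{tail}"


def ambiguous_expansions(text):
    """Enumerate every address a string with exactly two '::' could mean."""
    groups = [[s for s in part.split(":") if s] for part in text.split("::")]
    if len(groups) != 3:
        raise ValueError("expects exactly two '::'")
    a, b, c = groups
    missing = 8 - (len(a) + len(b) + len(c))
    out = []
    for first in range(1, missing):  # each '::' must hide at least one segment
        segs = a + ["0"] * first + b + ["0"] * (missing - first) + c
        out.append(":".join(s.lower().zfill(4) for s in segs))
    return out


def matches_stdlib(text):
    """Cross-check: Python's ipaddress module also emits the RFC 5952 form."""
    return compress_ipv6(text) == ipaddress.IPv6Address(text).compressed


if __name__ == "__main__":
    print(compress_ipv6("2001:0d02:0000:0000:0014:0000:0000:0095"))
    for candidate in ambiguous_expansions("2001:d02::14::95"):
        print("could be", candidate)
```

Note that for the slide's 3ffe:1944:0100:000a:0000:00bc:2500:0d0b the canonical form keeps the lone zero segment (3ffe:1944:100:a:0:bc:2500:d0b), exactly the Rule 1 result on the slide; a parser that accepts input should still tolerate ff02::5-style collapsing of a single segment, which expand_ipv6 does.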
Network Prefixes (network mask)
• In IPv4, the prefix—the network portion of the address—can be identified by a dotted decimal or hexadecimal address mask or a bitcount.
255.255.255.0 or /24
• IPv6 prefixes are always identified by bitcount.
• The address is followed by a forward slash and a decimal number indicating how many of the first bits of the address are the prefix bits.
3ffe:1944:100:a::/64
All 0’s IPv6 Address
• An IPv6 address consisting of all zeroes can be written simply with a double colon.
• There are two cases where an all-zeroes address is used.
1. Default address (see "Default Routes and On-Demand Routing"), in which the address is all zeroes and the prefix length is zero:
::/0
2. Unspecified address, which is used in some Neighbor Discovery Protocol procedures (later).
• An unspecified address is a filler, indicating the absence of a real IPv6 address.
• When writing an unspecified address, it is differentiated from a default address by its prefix length:
::/128
Three types of IPv6
The three types of IPv6 address follow:
1. Unicast
2. Anycast
3. Multicast
• Unlike IPv4, there is no IPv6 broadcast address.
• There is, however, an "all nodes" multicast address, which serves essentially the same purpose as a broadcast address.
Global Unicast Addresses
• A unicast address is an address that identifies a single device.
• A global unicast address is a unicast address that is globally unique.
• By a global unicast address, we mean an address with global scope.
• That is, an address that is globally unique and can therefore be routed globally with no modification.
Global Unicast Addresses
• The host portion of the address is called the Interface ID.
• The reason for this name is that a host can have more than one IPv6 interface, and so the address more correctly identifies an interface on a host than a host itself.
• But that subtlety only goes so far:
– A single interface can have multiple IPv6 addresses, and can have an IPv4 address in addition.
Global Unicast Addresses
• The most striking difference between IPv4 addresses and IPv6 addresses (aside from their lengths) is the location of the Subnet Identifier.
• The Subnet Identifier is part of the network portion of the address rather than the host portion.
Global Unicast Addresses
• A big benefit of making the IPv6 Subnet ID field a part of the network portion of the address is that the Interface ID can be a consistent size for all IPv6 addresses, simplifying the parsing of the address.
• Making the Subnet ID a part of the network portion also creates a clear separation of functions:
– The network portion provides the location of a device down to the specific data link, and
– the host portion provides the identity of the device on the data link.
Global Unicast Addresses
• With very few exceptions:
– Interface ID is 64 bits long
– Subnet ID field is 16 bits, which provides for 65,536 separate subnets
• The IANA and the Regional Internet Registries (RIRs) assign IPv6 prefixes—normally /32 or /35 in length—to the Local Internet Registries (LIRs).
• The LIRs, which are usually large Internet Service Providers, then allocate longer prefixes to their customers. In the majority of cases, the prefixes assigned by the LIRs are /48.
Global Unicast Addresses
Exceptions
• If the customer is very large, a prefix shorter than /48 might be assigned.
• If one and only one subnet is to be addressed, a /64 might be assigned.
• If one and only one device is to be addressed, a /128 might be assigned.
Identifying IPv6 Address Types
• The first few bits of the address specify the address type.
• For example, the first three bits of all global unicast addresses currently are 001, so they all start with either 2 or 3 (0010 or 0011).
• Binary 001 is expected to suffice for global unicast addresses for some time to come.
[Figure: address ranges by type; the local unicast prefixes shown are FE80::/10 (link-local) and FEC0::/10 (site-local)]
Local Unicast Addresses
• Global unicast addresses – globally unique, therefore routed globally.
• Link-local unicast address – scope is confined to a single link.
– Unique only on one link.
– Not routable off its link.
• Address starts with 1111111010 (FE80::/10).
Local Unicast Addresses
• Link-local addresses are used for:
– Neighbor Discovery Protocol, which communicates only on a single link.
– Giving devices that do not have, or have not yet been assigned, global prefixes the ability to communicate with other devices.
Site-Local Unicast Addresses
• IPv6 originally defined a site-local unicast address, similar to RFC 1918 IPv4 Addresses. (Private addresses)
• As a result of these concerns, and after some heated debate, the IPv6 Working Group deprecated site-local addresses in RFC 3879.
• An assurance has been given to those who see advantages in site-local addresses to introduce another scheme with similar "bigger scope than link but smaller scope than global" benefits, but as of this writing such a replacement scheme has yet to be seen.
Anycast Addresses
• An anycast address represents a service rather than a device.
• The same address can reside on one or more devices providing the same service.
Anycast Addresses
• A service is offered by three servers, all advertising the service at the IPv6 address 3ffe:205:1100::15.
• The router, receiving advertisements for the address, does not know that it is being advertised by three different devices; instead, the router assumes that it has three routes to the same destination and chooses the lowest-cost route.
• In this example, that is the route to server C, with a cost of 20 (the preferred route in the figure).
Anycast Addresses
• The advantage of anycast addresses is that a router always routes to the "closest" or "lowest-cost" server.
• So servers providing some commonly used service can be spread across a large network and traffic can be localized or scoped to the nearest server, making traffic patterns in the network more efficient.
• And if one server becomes unavailable, the router routes to the next nearest server.
Multicast Addresses
• A multicast address identifies not one device but a set of devices—a multicast group.
• A packet being sent to a multicast group is originated by a single device; therefore a multicast packet normally has a unicast address as its source address and a multicast address as its destination address. (unicast src addr, multicast dest addr)
• IPv6 does not have a reserved broadcast address like IPv4, but it does have a reserved all-nodes multicast group. (FF02::1)
Multicast Addresses
• Multicasting is essential to the basic operation of IPv6, particularly some of its plug-and-play features such as router discovery and address autoconfiguration.
• These functions are a part of the Neighbor Discovery Protocol, discussed later.
Neighbor Discovery Protocol (NDP)
Provides plug-and-play features, using the following functions:
• Router Discovery— Discover the local routers without
• Prefix Discovery— Discover the prefix or prefixes assigned to that link.
• Parameter Discovery— Discover other parameters such as the link MTU and hop limits for its connected link.
• Address Autoconfiguration— Determine its full address, without DHCP.
• Address Resolution— Discover the link-layer addresses of other nodes on the link without the use of Address Resolution Protocol (ARP).
• Next-Hop Determination— Determine the link-layer next hop for a destination, either as a local destination or a router to the destination.
• Neighbor Unreachability Detection(NUD)— Determine when a neighbor on a link, either another host or a router, is no longer reachable.
• Duplicate Address Detection(DAD)— Determine if an address it wants to use is already being used by another node on the link.
• Redirect— A router can notify a host of a better next-hop than itself to an off-link destination. The redirect function is a part of basic ICMP functionality in IPv4, but is redefined as part of NDP in IPv6.
NDP Messages (RFC 2461)
NDP uses ICMPv6 to exchange its messages; five new ICMPv6 message types are defined:
• Router Advertisement (RA) messages are originated by routers to advertise their presence and link-specific parameters such as link prefixes, link MTU, and hop limits.
– These messages are sent periodically, and also in response to Router Solicitation messages.
• Router Solicitation (RS) messages are originated by hosts to request that a router send an RA. (solicitation: a request)
• Neighbor Solicitation (NS) messages are originated by nodes to request another node's link layer address and also for functions such as duplicate address detection and neighbor unreachability detection.
• Neighbor Advertisement (NA) messages are sent in response to NS messages. If a node changes its link-layer address, it can send an unsolicited NA to advertise the new address.
• Redirect messages are used the same way that redirects are used in ICMP for IPv4; they have merely been moved from being a part of the base ICMPv6 protocol to being a part of NDP.
NDP Messages
RA (Router Advertisement)
- Address, prefix, link MTU
RS (Router Solicitation)
- Need RA from Router
NS (Neighbor Solicitation)
- Request another node's link layer address
NA (Neighbor Advertisement)
- Sent in response to NS
Redirect
- Suggest another Gateway
NDP - Router Discovery
RA (Router Advertisement)
- All-nodes multicast address (FF02::1)
- Sent between 4 - 1,800 seconds, default every 200 seconds
- Address, prefix, link MTU
• A router makes its presence known by periodically sending RAs on its attached links.
• Once IPv6 routing is enabled with Router(config)# ipv6 unicast-routing, Cisco routers automatically send RAs on Ethernet and FDDI interfaces.
NDP - Router Discovery
RS (Router Solicitation)
- Source Add: unspecified (::) or link-local address
- Dest. Add: all-routers multicast (FF02::2)
Immediate RA (Router Advertisement), sent after a .5 second delay
- Dest. Add: unicast if the RS source was link-local, otherwise multicast to all-nodes (FF02::1)
Host adds router to default router list
• When a host receives an RA, it adds the router to its default router list.
• If there is more than one router on the default router list, it could either rotate through the list, or select and keep a single router as default.
NDP - Address Autoconfiguration
• When an IPv6 host first becomes active on a link, it can self-configure its own interface address.
• The first step
– Determination of the 64-bit Interface ID portion of the address.
– A mechanism called MAC-to-EUI64 conversion is used.
• The second step
– Add the link-local prefix, which is a reserved, well-known value of FE80::/10.
NDP - Address Autoconfiguration – Interface ID
[Figure: MAC-to-EUI64 conversion of the Interface ID from the MAC address in two steps, Step (1) and Step (2), with the Universal/Local (U/L) bit marked]
NDP - Address Autoconfiguration – Link Local Prefix
Start with getting a Link-Local IPv6 Address
• link-local prefix (FE80::/64) + EUI64 Interface Address.
• can be used for communication with other devices on the same link.
• For example, FE80::0200:0BFF:FE0A:2D51
NDP - Address Autoconfiguration – Link Local Prefix
Original MAC: 0000:0B0A:2D51
Converted MAC: 0200:0BFF:FE0A:2D51
LINK LOCAL Add: FE80::0200:0BFF:FE0A:2D51
Bit layout: FE80:: = 11111110 10000000 [+ 48 0’s] (64-bit prefix) | Interface ID [64 bits] = 0200:0BFF:FE0A:2D51
NDP - Address Autoconfiguration – Link Local Prefix
• Example of a link-local address on Ethernet interface "en1" of a Macintosh OS X host.
• Using the link-local prefix FE80::/10 and a MAC-to-EUI64 conversion, an IPv6 interface derives its link-local address with no help from any other device:
NDP - Address Autoconfiguration – Global Prefix
• If the host only needs to communicate with devices on the link, autoconfiguring its link-local address is sufficient.
• But if it needs to communicate with devices off-link, it needs an address with a wider scope—normally a global IPv6 address.
• There are two ways it can acquire this address:
– stateful address autoconfiguration
– stateless address autoconfiguration
NDP - Address Autoconfiguration – Global Prefix
Stateful Address Autoconfiguration (Like IPv4 DHCP)
• Consults a DHCPv6 server for the necessary address information:
– Preconfigured to find a DHCPv6 server, or
– Received RA might have its M flag set, telling it to use DHCPv6
• DHCPv6, described in RFC 3315, is not much different in its end results than DHCP for IPv4.
RA (Router Advertisement)
- Use DHCPv6 Server
DHCPv6 Request
NDP - Address Autoconfiguration – Global Prefix
Stateless Address Autoconfiguration
• Host acquires one or more link prefixes from the RAs it receives.
• It then adds the prefix to its previously determined Interface ID, and it now has a globally unique IPv6 address.
• Example: if the host received an RA advertising a prefix of 3FFE:1104:404:1::/64, it would add that prefix to its Interface ID for a global address of 3FFE:1104:404:1:0200:0BFF:FE0A:2D51.
RA (Router Advertisement)
- Prefix of 3FFE:1104:404:1::/64
Original MAC: 0000:0B0A:2D51
Converted MAC: 0200:0BFF:FE0A:2D51
Router Adv: 3FFE:1104:404:1::/64
Global Add: 3FFE:1104:404:1:0200:0BFF:FE0A:2D51
NDP - Duplicate Address Detection
• Deriving the Interface ID from a MAC address almost always yields an address that is unique at any scope.
• Still wise to ensure that the address is unique.
• Whenever a device acquires a unicast address, it must perform Duplicate Address Detection before using the address.
• It is required whether the address came from stateful configuration, stateless configuration, or static configuration.
• The only exception to the rule is an anycast address, because anycast addresses by definition can appear on more than one device.
• There is also an exception for link local addresses.
My Global Address is 3FFE:1104:404:1:0200:0BFF:FE0A:2D51
“Tentative”: Need to do Duplicate Address Detection
NDP - Duplicate Address Detection
• A node that has acquired a new address classifies the address as tentative.
• The address cannot be used until verified with the Duplicate Address Detection.
• The node sends an NS with the Target Address field set to the address to be verified.
– Source address of the NS is the unspecified address
– Destination of the NS is a solicited-node multicast address.
My Global Address is 3FFE:1104:404:1:0200:0BFF:FE0A:2D51
“Tentative”: Need to do Duplicate Address Detection
NS (Neighbor Solicitation)
- Target Address = 3FFE:1104:404:1:0200:0BFF:FE0A:2D51
NDP - Duplicate Address Detection
• The destination, the solicited-node multicast address, is formed by prepending the prefix FF02:0:0:0:0:1:FF00::/104 to the last 24 bits of the target address.
• For example, given the Interface ID derived above, the solicited-node multicast address is FF02::1:FF0A:2D51.
• This is a sort of broadcast for any device with these 24 bits in its Interface ID.
• The reason for this is that if a node has autoconfigured more than one interface address, the last 24 bits of all of its addresses should be the same.
• So the one NS with a solicited-node multicast address should match all of its interface addresses.
My Global Address is 3FFE:1104:404:1:0200:0BFF:FE0A:2D51
“Tentative”: Need to do Duplicate Address Detection
NS (Neighbor Solicitation)
- Target Address = 3FFE:1104:404:1:0200:0BFF:FE0A:2D51
- Destination: Solicited-Node Multicast Address = FF02::1:FF0A:2D51
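Assembled from the Address Autoconfiguration and Duplicate Address Detection slides above, an added Python example (not the slides' own code) that performs the MAC-to-EUI64 conversion, prepends the link-local or RA-learned /64 prefix, derives the solicited-node multicast address, and builds the NS a node sends for DAD. The conversion steps it implements, insert FFFE between the two halves of the MAC and invert the Universal/Local bit (0x02 of the first octet), are those of RFC 4291 Appendix A; the function names are assumptions, and the MAC and prefix values are the slides' own.

```python
import ipaddress


def mac_to_eui64(mac):
    """MAC-to-EUI64: split the 48-bit MAC in half, insert FFFE between the halves,
    and invert the Universal/Local (U/L) bit, which is bit 0x02 of the first octet."""
    digits = "".join(ch for ch in mac if ch not in ":-.")
    octets = bytes.fromhex(digits)
    if len(octets) != 6:
        raise ValueError(f"{mac!r} is not a 48-bit MAC")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def with_prefix(prefix, interface_id):
    """Prepend a /64 prefix (link-local FE80::/64 or one learned from an RA) to a 64-bit Interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(interface_id) != 8:
        raise ValueError("Interface IDs are 64 bits, so the prefix must be a /64")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + interface_id)


def link_local_address(mac):
    """Step 1 (EUI-64) plus step 2 (link-local prefix) of autoconfiguration."""
    return with_prefix("FE80::/64", mac_to_eui64(mac))


def solicited_node_multicast(address):
    """FF02:0:0:0:0:1:FF00::/104 followed by the last 24 bits of the target address."""
    target = ipaddress.IPv6Address(address).packed
    base = ipaddress.IPv6Address("FF02::1:FF00:0").packed
    return ipaddress.IPv6Address(base[:13] + target[13:])


def dad_solicitation(tentative):
    """The NS a node sends for Duplicate Address Detection: unspecified source,
    solicited-node multicast destination, Target Address = the tentative address."""
    return {
        "src": ipaddress.IPv6Address("::"),
        "dst": solicited_node_multicast(tentative),
        "target": ipaddress.IPv6Address(tentative),
    }


if __name__ == "__main__":
    mac = "0000:0B0A:2D51"                      # the slide's original MAC
    print("link-local:", link_local_address(mac))
    global_addr = with_prefix("3FFE:1104:404:1::/64", mac_to_eui64(mac))
    print("global    :", global_addr)
    print("DAD NS    :", dad_solicitation(global_addr))
```

Because the solicited-node address depends only on the last 24 bits, the link-local and global addresses of one interface map to the same multicast group, which is what lets a single NS cover all of a node's autoconfigured addresses.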
NDP - Duplicate Address Detection
• If a node receives an NS and the target address matches one of its assigned addresses, it sends an NA with the Target Address and the destination address set to the tentative address.
• The node that had originated the NS, on receipt of the NA, knows that the tentative address is duplicate and cannot be used.
My Global Address is 3FFE:1104:404:1:0200:0BFF:FE0A:2D51
“Tentative”: Need to do Duplicate Address Detection
NS (Neighbor Solicitation)
- Target Address = 3FFE:1104:404:1:0200:0BFF:FE0A:2D51
NA (Neighbor Advertisement)
- Target and Destination Address = 3FFE:1104:404:1:0200:0BFF:FE0A:2D51
Can’t use this Global Address!
NDP - Neighbor Address Resolution
• IPv4 uses ARP (Address Resolution Protocol) to discover Layer 2 data link addresses, when it knows an IPv4 destination address.
• IPv6 uses NDP.
• Example:
– A node might want to send a packet to examplehost.com.
– A DNS query returns the address 3FFE:521:2400:15:211:24FF:FE23:334E.
– The sending node must now discover the link-layer address to use as a destination address of the frame for the local link.
DNS Query for examplehost.com → DNS Server
DNS Reply: 3FFE:521:2400:15:211:24FF:FE23:334E
IPv6 packet for examplehost.com
NDP - Neighbor Address Resolution
• When the node examines the prefix of the IPv6 address returned by DNS, it either concludes that the destination is a neighbor on the local link or that it is off-link and therefore reachable through the default router.
• If the latter is the case, the node should already know the link-layer address of the default router from the RAs.
• Similar to IPv4.
RA (Router Advertisement) – Link Layer address
Is the prefix returned the same as my prefix (on the link or off the link)? NO: send to router. YES: send directly.
NDP - Neighbor Address Resolution
• But if the destination is on the local link, the node first looks in its neighbor cache to see if the address is known.
• The neighbor cache in IPv6 is very similar to the ARP cache in IPv4; it records known network-layer addresses and the link-layer addresses associated with them.
RA (Router Advertisement) – Link Layer address
Is the prefix returned the same as my prefix? YES, check neighbor cache.
NDP - Neighbor Address Resolution
Is the prefix returned the same as my prefix? YES, check neighbor cache for an IPv6 – MAC address match.
NDP - Neighbor Address Resolution
• If the address is not in the neighbor cache, it is entered but tagged Incomplete, indicating that address resolution is in progress.
• The node then sends an NS to the solicited-node multicast address associated with the target node.
NS (Neighbor Solicitation)
- Target Address = 3FFE:521:2400:15:211:24FF:FE23:334E
- Destination, Solicited-Node Multicast Address = FF02::1:FF23:334E
NDP - Neighbor Address Resolution
• If the solicited node exists and the NS is valid, it responds with an NA.
• The soliciting node, upon receipt of the NA, can add the target node's link-layer address to the neighbor cache entry and change the entry from Incomplete to Reachable.
NS (Neighbor Solicitation)
- Target Address = 3FFE:521:2400:15:211:24FF:FE23:334E
- Destination, Solicited-Node Multicast Address = FF02::1:FF23:334E
NA (Neighbor Advertisement)
- Data Link Layer Address = 0011:2423:334E, added to the neighbor cache.
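The on-link decision and the neighbor-cache state changes from the last several slides, as an added Python model (not the slides' own code). IPv6Host, its methods and the router link-layer placeholder are assumptions; the IPv6 addresses and the MAC 0011:2423:334E come from the slides. One detail the model enforces that the slides do not spell out, taken from RFC 2461 section 7.2.5: an NA for an address that has no cache entry is dropped rather than creating one, so a host does not take on link-layer bindings it never asked for.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def solicited_node_multicast(address):
    """FF02:0:0:0:0:1:FF00::/104 plus the last 24 bits of the target (same rule as for DAD)."""
    target = ipaddress.IPv6Address(address).packed
    return ipaddress.IPv6Address(ipaddress.IPv6Address("FF02::1:FF00:0").packed[:13] + target[13:])


@dataclass
class NeighborEntry:
    state: str                         # "INCOMPLETE" while an NS is outstanding, then "REACHABLE"
    link_layer: Optional[str] = None   # filled in from the NA


class IPv6Host:
    """A host's view after processing an RA: the on-link /64, the router's link-layer
    address learned from that RA, and a neighbor cache (the IPv6 analogue of the ARP cache)."""

    def __init__(self, on_link_prefix, router_link_layer):
        self.prefix = ipaddress.IPv6Network(on_link_prefix, strict=False)
        self.router_link_layer = router_link_layer
        self.neighbor_cache = {}

    def is_on_link(self, dst):
        """'Is the prefix returned the same as my prefix?'"""
        return ipaddress.IPv6Address(dst) in self.prefix

    def cache_state(self, dst):
        entry = self.neighbor_cache.get(ipaddress.IPv6Address(dst))
        return entry.state if entry else None

    def next_hop(self, dst):
        """Where the frame goes: ('router', lladdr) for off-link destinations,
        ('direct', lladdr) for a REACHABLE neighbor, ('resolving', None) otherwise."""
        dst = ipaddress.IPv6Address(dst)
        if not self.is_on_link(dst):
            return "router", self.router_link_layer
        entry = self.neighbor_cache.get(dst)
        if entry is not None and entry.state == "REACHABLE":
            return "direct", entry.link_layer
        return "resolving", None

    def neighbor_solicitation(self, dst):
        """Enter the target as INCOMPLETE and return the NS sent to its solicited-node group."""
        dst = ipaddress.IPv6Address(dst)
        self.neighbor_cache.setdefault(dst, NeighborEntry("INCOMPLETE"))
        return {"target": dst, "dst": solicited_node_multicast(dst)}

    def neighbor_advertisement(self, target, link_layer):
        """Process an NA. Only an existing entry is updated (RFC 2461 section 7.2.5):
        an NA for an address the host never solicited is ignored, not cached."""
        entry = self.neighbor_cache.get(ipaddress.IPv6Address(target))
        if entry is None:
            return False
        entry.link_layer = link_layer
        entry.state = "REACHABLE"
        return True


if __name__ == "__main__":
    # "ROUTER-LLADDR-PLACEHOLDER" stands in for the router MAC, which the slides do not give.
    host = IPv6Host("3FFE:521:2400:15::/64", "ROUTER-LLADDR-PLACEHOLDER")
    target = "3FFE:521:2400:15:211:24FF:FE23:334E"
    print(host.next_hop(target))                       # ('resolving', None)
    print(host.neighbor_solicitation(target))
    host.neighbor_advertisement(target, "0011:2423:334E")
    print(host.next_hop(target))                       # ('direct', '0011:2423:334E')
```

The cache lookup keys on the parsed address rather than its text, so 3FFE:...:334E and its lowercase compressed form hit the same entry; a cache keyed on raw strings would let the same neighbor appear under several entries.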
Privacy Addresses – Final Note
• Even if a device moves from subnet to subnet or even major network to major network, its Interface ID always remains the same; and if the Interface ID remains the same, it can be tracked.
• At the least, this becomes a privacy issue.
• For example, suppose you are using IPv6 to connect to your company network.
• Recording and analyzing packets coming into some part of the network can identify you by your unchanging Interface ID.
• And by further analyzing the different prefixes prepended to that Interface ID, your employer can infer where you are at all times: at work, at home, traveling, or whatever.
• More insidious uses can also be made of such tracking, keeping record of your location and activities for everything from marketing to criminal exploitation.
• RFC 3041 addresses this security concern by defining IPv6 privacy addresses.
• A privacy address is one in which the Interface ID is generated by an algorithm using a pseudo-random number.
• What is significant about it, and makes it reasonably private, is that the Interface ID changes approximately once a day (or on some configurable period) and also whenever the node acquires a new IPv6 prefix.
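An added Python example for the privacy-address note (not from the slides): it shows why EUI-64 Interface IDs are trackable across prefixes, gives a defender a check for spotting such addresses in an inventory, and then generates RFC 3041-style identifiers. Clearing the U/L bit to mark the identifier as "local" is what RFC 3041 section 3.2.1 specifies; the RFC's MD5 history chain is replaced here by os.urandom (or a seeded random.Random in the constructed scenario), and the function names and the prefixes passed to demo_privacy_addresses are assumptions.

```python
import os
import random
import ipaddress


def interface_id(address):
    """The low 64 bits of an IPv6 address: under EUI-64 this part never changes."""
    return ipaddress.IPv6Address(address).packed[8:]


def looks_eui64_derived(iid):
    """Audit heuristic: MAC-to-EUI64 leaves FFFE in the middle of the Interface ID and
    sets the U/L bit (0x02 of the first octet) to 'universal'. Such addresses are trackable."""
    return iid[3:5] == b"\xff\xfe" and (iid[0] & 0x02) == 0x02


def shares_interface_id(addresses):
    """True when every address carries the same Interface ID, i.e. the prefixes differ
    but the 64-bit suffix alone identifies the host wherever it connects."""
    return len({interface_id(a) for a in addresses}) == 1


def random_interface_id(rng=os.urandom):
    """A pseudo-random Interface ID in the spirit of RFC 3041: 64 random bits with the
    U/L bit cleared, marking the identifier as 'local' rather than MAC-derived."""
    iid = bytearray(rng(8))
    iid[0] &= 0xFD
    return bytes(iid)


def with_prefix(prefix, iid):
    """Prepend a /64 prefix (from an RA) to a 64-bit Interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and a 64-bit Interface ID")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def demo_privacy_addresses(prefixes, seed=1234):
    """Constructed scenario: the host attaches to each prefix in turn and, as RFC 3041
    requires, draws a fresh Interface ID whenever it acquires a new prefix. The fixed
    seed keeps the demo repeatable; a real implementation uses unpredictable randomness."""
    rng = random.Random(seed)
    return [with_prefix(p, random_interface_id(rng.randbytes)) for p in prefixes]


# EUI-64 addresses from the slides: same host, two prefixes, one unchanging Interface ID.
EUI64_ADDRESSES = ["FE80::0200:0BFF:FE0A:2D51", "3FFE:1104:404:1:0200:0BFF:FE0A:2D51"]

if __name__ == "__main__":
    print("EUI-64 addresses share an Interface ID:", shares_interface_id(EUI64_ADDRESSES))
    for addr in demo_privacy_addresses(["3FFE:1104:404:1::/64", "3FFE:521:2400:15::/64"]):
        print("privacy address:", addr, "looks EUI-64:", looks_eui64_derived(interface_id(addr)))
```

looks_eui64_derived is the check to run over a host inventory or flow records: an address that carries FFFE in the middle of its Interface ID with the universal bit set was almost certainly built from a MAC, and its owner can be followed from prefix to prefix by that suffix alone.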