ipv6 understanding

8/7/2019 IPV6 Understanding

http://slidepdf.com/reader/full/ipv6-understanding 1/71



Implementing IPv6 Addressing and Basic

Connectivity

� IPv6 quadruples the number of network

address bits from 32 bits (in IPv4) to 128 bits.

� By being globally unique, IPv6 addresses

inherently enable global reachibility and end-

to-end security for networked devices.



IPv6 Addressing and Basic

Connectivity

� The flexibility of the IPv6 address space

reduces the need for private addresses and

the use of Network Address Translation

(NAT) thus, IPv6 enables new applicationprotocols that do not require special

processing by border routers at the edge of

networks.



IPv6 Address Formats

� IPv6 addresses are represented as eight

groups of four hexadecimal digits separated

by colons (:) in the format:

� 2001:0DB8:7654:3210:FEDC:BA98:7654:3210

� 2001:0DB8:0:0:8:800:200C:417A



IPv6 Address Formats

� It is common for IPv6 addresses to containsuccessive hexadecimal fields of zeros.

� To make IPv6 addresses less cumbersome,

two colons (::) may be used to compresssuccessive hexadecimal fields of zeros at the

beginning, middle, or end of an IPv6 address.

� Two colons (::) can be used only once in an

IPv6 address, to represent the longest

successive hexadecimal fields of zeros.



IPv6 Special Addresses

IANA maintains the official list of the IPv6 address space. Global

unicast assignments can be found at the various RIRs or at theGRH DFP pages.

There are a number of addresses with special meaning in IPv6:

Unspecified address

::/128 ² the address with all zero bits is called the unspecified

address. This address must never be assigned to an interface andis to be used only in software before the application has learnedits host's source address appropriate for a pending connection.Routers must not forward packets with the unspecified address.

Link local addresses

::1/128 ² the loopback address is a unicast local host address. If anapplication in a host sends packets to this address, the IPv6 stackwill loop these packets back on the same virtual interface(corresponding to 127.0.0.1 in IPv4).

fe80::/10 ² The link-local prefix specifies that the address is onlyvalid on a single link. This is analogous to the autoconfiguration IPaddresses 169.254.0.0/16 in IPv4.




Unique local addresses

� fc00::/7 ² unique local addresses (ULA) are routable onlywithin a set of cooperating sites. They were defined in RFC4193 as a replacement for site-local addresses (see below). Theaddresses include a 40-bit pseudorandom number in therouting prefix that intends to minimize the risk of conflicts if sites merge or packets are misrouted into the Internet. Despitethe restricted, local usage of these addresses, their address

scope is global. This is a departure from the prior definitions of site-local addresses.

Multicast addresses

� ff00::/8 ² The multicast prefix designates multicast addressesas defined in "IP Version 6 Addressing Architecture" (RFC4291). Some of these have been assigned to specific protocols,

for example ff02::101 will reach all link-local NTP servers (RFC2375).

Solicited-node multicast addresses

� ff02::1:FFXX:XXXX ² XX:XXXX are the 3 low order octets of thecorresponding unicast or anycast address.




� Deprecated or obsolete addresses

::/96 ² This is a 96-bit zero-value prefix originally known as IPv4- compatible addresses. This class of addresses were used torepresent IPv4 addresses within an IPv6 transition technology.Such an IPv6 address has its first 96 bits set to zero, while itslast 32 bits are the IPv4 address that is represented. TheInternet Engineering Task Force (IETF) has deprecated the useof IPv4-compatible addresses with publication RFC 4291. The

only remaining use of this address format is to represent anIPv4 address in a table or database with fixed size membersthat must also be able to store an IPv6 address.

fec0::/10 ² The site-local prefix specifies that the address is validonly within the site network of an organization. Its use has beendeprecated in September 2004 by RFC 3879 and new systems

must not support this special type of address. Newspecifications replace this address type with unique localaddresses.



IPv6 Address Type: Unicast� An IPv6 unicast address is an address destined for

a single interface, on a single node.

� A packet that is sent to a unicast address is

delivered to the interface identified by that address.

� Cisco IOS software supports the following IPv6

unicast address types:

Aggregateable Global Address

Site-Local Address

Unique-Local Address

Link-Local Address



Global Aggregateable Unicast Address

� A global unique address is an IPv6 address that¶sroutable on the internet and may be aggregatedupwards through organizations, and eventually tothe Internet Service Providers (ISPs).

� Addresses with a prefix of 2000::/3 (001) through

E000::/3 (111) are required to have 64-bit interfaceidentifiers in the Modified (EUI)-64 format.

� The Internet Assigned Numbers Authority (IANA)allocates the IPv6 address space in the range of 2000::/16 to regional registries.



Modified EUI-64 Interface ID



Global Aggregateable Unicast AddressThe Global Unicast Address consists of a:

� 48-bit global routing prefix: which included theTop-Level

Aggregator (TLA) and Next-Level Aggregator (NLA) but becausethey were policy-based they were removed)

�16-bit subnet ID: (Site-Level Aggregator) used by individual

organizations to create their own local addressing hierarchy

and identify subnets (as in IPv4). An organization with an IPv6

subnet ID can support up to 65,535 individual subnets.

�Interface-ID: used to identify interfaces on a link, the interface

ID must be unique to the link. Interface IDs used in global

unicast and other IPv6 address types must be 64 bits long and

constructed in the modified EUI-64 format.



Site-Local address� A site-local address is an IPv6 unicast address that

uses the prefix FEC0::/10, and concatenates thesubnet identifier (16-bit SLA field) with the interface

identifier in the modified EUI-64 format.

� Site-local addresses can be used to number a

complete site without using a globally unique prefix.� Site-local addresses can be considered private

addresses because they can be used to restrict

communication to a limited domain.

� IPv6 routers must not forward packets that have site-

local source or destination addresses outside of the

site.

� Site-local addresses are being obsolecesed by

Unique-local addresses, though some still exist.



Site-Local address



Unique Local Address� A unique local address is an IPv6 unicast address with a prefix

FC00::/7 or FD00::/7, that¶s globally unique, and intended for localcommunications. They are not expected to be routable on the globalInternet and are routable inside of a limited area, such as a site.

� A unique local address has:

� It has a well-known, globally unique prefix to allow for

easy filtering at site boundaries.

� It allows sites to be combined or privately interconnectedwithout creating any address conflicts or requiring

renumbering of interfaces that use these prefixes.

� It is ISP-independent and can be used for communications

inside of a site without having any permanent or intermittent

Internet connectivity.

� If it is accidentally leaked outside of a site via routing or

DNS, there is no conflict with any other addresses.

� Applications may treat unique local addresses like global

scoped addresses.



Unique Local Address



Link-Local Address

� A link-local address is an IPv6 unicast address that

can be automatically configured on any interface� It Uses the link-local prefix FE80::/10 (1111 1110 10)

and the interface identifier in modified EUI-64format.

� Link-local addresses are used in the neighbor

discovery protocol and the stateless auto-configuration process.

� Nodes on a local link can use link-local addresses tocommunicate; the nodes do not need site-local or globally unique addresses to communicate.

� IPv6 routers must not forward packets that have link-local source or destination addresses to other links.



Link-Local Address



Internet transition: Migrating IPv4 to IPv6

� If the Internet is to realize the benefits of IPv6, aperiod of transition will be necessary when new IPv6hosts and routers are deployed alongside existingIPv4 systems.

� RFC 2893 (Transition Mechanisms for IPv6 Hosts

and Routers) and RFC2185 (Routing Aspects of IPv6Transition), define a number of mechanisms toensure both the compatibility between old and newsystems and a gradual transition that doesn¶t impact

functionality of the Internet.

� These techniques are sometimes collectively termed

S imple Internet Transition ( S IT).



IPv4/IPv6 Transitional addresses

The transition employs the following techniques:

� Dual-stack IP implementations for hosts and routersthat must interoperate between IPv4 and IPv6.

� IPv6-over-IPv4 tunneling mechanisms for carryingIPv6 packets across IPv4 router networks.

� IPv4/IPv6 header translation. This technique isintended for use when implementation of IPv6 is welladvanced and only a few IPv4-only systems remain.

� Embedding of IPv4 addresses in IPv6 addresses.

IPv6 hosts will be assigned addresses that areinteroperable with IPv4, and IPv4 host addresses willbe mapped to IPv6.



IPv6/IPv4 Mapped addresses

� Dual stack IPv6/IPv4 implementations typicallysupport a special class of addresses, the IPv4mapped addresses.

� This address type has its first 80 bits set to zero, thenext 16 set to one (FFFF), while its last 32 bits

represent an IPv4 address.

� For example, ::ffff:c000:280(all hex) is the IPv4mapped address for the IPv4 address 192.0.2.128.



IPv4 Mapped addresses cont.

As an exception to standard IPv6 address notation(all hex),

IPv4 mapped addresses are commonly represented

with their last 32 bits written in dot-decimal notation

(eg. IPv4), appended to the standard IPv6 notation of

the leading bits, e.g. ::ffff:c000:280 could be written

as ::ffff:192.0.2.128.

80 bits16 bits 32 bits

zeros FFFF 192.0.2.128



IPv4 Mapped addresses cont.

� This address type allows the transparent use of the

transport layer protocols over IPv4 through the IPv6networking API.

� A benefit of this mechanism is that server applications only need to open a single listeningsocket to handle connections from clients using IPv6

or IPv4 protocols.� IPv6 clients will be handled natively by default, and

IPv4 clients appear as IPv6 clients with anappropriately mapped address.

� It can also be used to establish IPv4 connectionsspecifically with an IPv6 socket. While the networkprotocol on the transmission medium is IPv4, theconnection is presented as an IPv6 interface to theapplication.



IPv6 Address Type: Anycast

� An Anycast address is an address that is assigned

to a set of interfaces that typically belong to different

routers.

� A packet sent to an anycast address is delivered to

the closest interface as defined by the routing

protocols in use.

� Anycast addresses are syntactically the same as

unicast addresses since they¶re allocated from the

unicast address space.

� Routers to which the anycast address are assigned

must be explicitly configured to recognize that the

address is an anycast address.



IPv6 Address Type: Anycast

� Anycast addresses can be used only bya router, not a host, and anycast

addresses must not be used as the

source address of an IPv6 packet.



IPv6 Address Type: Multicast

� The second octet following the prefix defines the

lifetime and scope of the multicast address.

� A permanent multicast address has a lifetimeparameter equal to 0.

� A temporary multicast address has a lifetimeparameter equal to 1.

� A multicast address that has the scope of a node,link, site, or organization, or a global scope has ascope parameter of 1, 2, 5, 8, or E, respectively.

For example, a multicast address with the prefix FF02::/16 is a

permanent multicast address with a link scope.



IPv6 Address Type: Multicast



IPv6 Multicast GroupsGroup ID (Interface Id, above slide) Identifies the multicast group. Some

special purpose multicast addresses are predefined as follows:

FF01::1 All interfaces node-local. All interfaces on the host itself.

FF02::1 All nodes link-local. All systems on the local network.

FF01::2 All routers node-local. All routers local to the host itself .

FF02::2 All routers link-local. All routers on the same link as the host.

FF05::2 All routers site-local. All routers on the same site as the host.

FF02::B Mobile agents link-local.

FF02::1:2 All DHCP agents link-local.

FF05::1:3 All DHCP servers site-local.



IPv6 Multicast Groups� A special multicast address, the solicited node

multicast address, is used by ICMP for neighbor discovery and duplicate address detection. It hasthe format:

� FF02::1:FFxx:xxxx, where xx xxxx is taken from the

last 24-bits of a nodes unicast address.

� A node¶s IPv6 address of 4025::01:800:100F:7B5B

belongs to the multicast group FF02::1:FF0F:7B5B.

� For a more complete listing of reserved multicast

addresses, see the IANA documentation± IPv6Multicast Addresses Assignments.



IPv6 Header Format� The basic IPv6 packet header has 8 fields with a total

size of 40 octets. Fields were removed from the IPv6header because, in IPv6, fragmentation is nothandled by routers and checksums at the networklayer are not used.

� Instead, fragmentation in IPv6 is handled by the

source of a packet and checksums at the data linklayer and transport layer are used.

� In IPv4, the User Datagram Protocol transport layer uses an optional checksum. In IPv6, use of the UDPchecksum is required to check the integrity of the

inner packet.� Additionally, the basic IPv6 packet header and

options field are aligned to 64 bits, which canfacilitate the processing of IPv6 packets.



IPv6 Basic IP Header



IPv6 Extension Headers



IPv6 Extension Headers

Hop by Hop Options 0 This header is processed by all hops in the path of a packet. When

present, and always follows immediately after the basic IPv6 packet

header .

Destination options

header

60 Is processed at the final destination and also at each visited address

specified by a routing header when followed by the hop-by-hop options

header. Alternatively, the destination options header can follow any

Encapsulating Security Payload (ESP) header , in which case the

destination options header is processed only at the final destination.

Routing header 43 The routing header is used for source routing.

Fragment header 44 Used when a source must fragment a packet that is larger than the MTU for

the path between itself and a destination. Used in each fragmented packet.

Authentication header

and

ESP header

51

50

The Authentication header and the ESP header are used within IP Security

Protocol (IPSec) to provide authentication, integrity, and confidentiality of a

packet. These headers are identical for both IPv4 and IPv6.

Transport (upper-layer)

headers

6 TCP

17 UDP

The Upper-layer headers are the typical transport-layer headers used inside a

packet to transport the data. The two main transport protocols are TCP and

UDP.

Mobility header 135 Extension headers used by mobile nodes, correspondent nodes, and home

agents in all messaging related to the creation and management of bindings.



Unicast Reverse Path Forwarding� The Unicast RPF feature is invoked to mitigate problems

caused by malformed or forged (spoofed) IPv6 source

addresses that pass through an IPv6 router.

� Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IPv6 address spoofing.

� Unicast RPF checks to see if any packet received at a router interface arrives on one of the best return paths to the source

of the packet. Unicast RPF does this by doing a reverse lookupin the CEF table.

� With Unicast RPF, all equal-cost ³best´ return paths areconsidered valid. Unicast RPF works in cases where multiplereturn paths exist provided that each path is equal to the othersin terms of the routing cost (number of hops, weights, and soon) and as long as the route is in the FIB.



Unicast Reverse Path Forwarding� Where NOT to use Unicast RPF.

� Unicast RPF should not be used where UPSR ring topologies

are implemented such as within the core of an ISP, or oninterfaces that are internal to the network. These interfaces arelikely to have routing asymmetry meaning the number of hopsin the transmit and receive path differ. Unicast RPF should beapplied only where there is natural or configured symmetry. Aslong as administrators carefully plan which interfaces theyactivate Unicast RPF on, routing asymmetry is not a serious

problem.

� Routers at the edge of the network of an ISP are more likely tohave symmetrical reverse paths than routers that are in thecore of the ISP network.

� Routers that are in the core of the ISP network have no

guarantee that the best forwarding path out of the router will bethe path selected for packets returning to the router. Hence, itis not recommended that you apply Unicast RPF where there isa chance of asymmetric routing. It is simplest to place UnicastRPF only at the edge of a network or, for an ISP, at thecustomer edge of the network.



Unicast Reverse Path Forwarding

Unicast RPF Blocking Traffic in an Asymmetrical Routing Environment



Path MTU Discovery for IPv6

� As in IPv4, path MTU discovery in IPv6 allows a hostto dynamically discover and adjust to differences inthe MTU size of every link along a given data path.

� In IPv6, however, fragmentation is handled by thesource of a packet when the path MTU of one link

along a given data path is not large enough toaccommodate the size of the packets.

� Having IPv6 hosts handle packet fragmentationsaves IPv6 router processing resources and helpsIPv6 networks run more efficiently.

� In IPv6, the minimum link MTU is 1280 octets. Werecommend using an MTU value of 1500 octets for IPv6 links.



IPv6 Neighbor Discovery

� An IP address is obtained statefuly (DHCPv6) or

Statelessly (ICMPv6)

� The M bit in an RA message determines how the IP

address is obtained.

� TheO

bit determines if other configurationparameters are configured statefuly as well.

� An IP address is obtained statefuly (DHCPv6) if the

M bit is set (1).

� An IP address is obtained Statelessly (ICMPv6) if theM bit is not set (0).



Internet Control Message Protocol Version 6

(ICMPv6)� In order for IP to move data from one node to another

successfully, there are many functions that need to be carriedout, (error reporting, route discovery, and diagnostics) to namea few. These tasks are carried out by Internet Control MessageProtocol

� ICMPv6 also carries out the tasks of conveying multicast groupmembership information, (a function that was previously

performed by the IGMP protocol in IPv4), and addressresolution, (previously performed by ARP).

� ICMPv6 messages and their use are specified in RFC 4443 ±Internet Control Message Protocol (ICMPv6) for the InternetProtocol Version 6 (IPv6) and RFC 2461 ± Neighbor Discoveryfor IP Version 6 (IPv6). Both RFCs are draft standards with a

status of elective.� Every ICMPv6 message is preceded by an IPv6 header (and

possibly some IP extension headers). The ICMPv6 header isidentified by a Next Header value of 58 in the immediatelypreceding header.




(ICMPv6)

There are two classes of ICMPv6 messages.

Error messages Type 0 to 127.

Informational messages Type 128 to 255.




(ICMPv6)

ICMPv6 message types include:1 Destination Unreachable

2 Packet Too Big

3 Time (Hop Count) Exceeded

4 Parameter Problem

128 Echo Request

129 Echo Reply

130 Group Membership Query

131 Group Membership Report

132 Group Membership Reduction

133 Router Solicitation

134 Router Advertisement135 Neighbor Solicitation

136 Neighbor Advertisement

137 Redirect Message



IPv6 Neighbor Discovery Messages

� Type 133 Router Solicitation Message

� Type 134 Router Advertisement Message

� Type 135 Neighbor Solicitation Message� Type 136 Neighbor Advertisement Message

� Type 137 Neighbor Redirect Message



IPv6 Neighbor Solicitation Message� When a node wants to determine the link-layer address of

another node, the source address in a neighbor solicitationmessage is the IPv6 address of the node sending the neighbor solicitation message (Type 135).

� The destination address in the neighbor solicitation message isthe solicited-node multicast address that corresponds to theIPv6 address of the destination node.

� The neighbor solicitation message also includes the link-layer address of the source node.

� Neighbor solicitation messages are also used to verify thereachability of a neighbor after the link-layer address of aneighbor is identified.

� When a node wants to verify the reachability of a neighbor, thedestination address in a neighbor solicitation messageis theunicast address of the neighbor .



IPv6 Neighbor Solicitation Message



IPv6 Neighbor Advertisement Message



IPv6 Router Advertisement Message

� Router advertisement (RA) messages, have a valueof 134 in the Type field of the ICMP packet header,

are periodically sent out each configured interface of

an IPv6 router.

� For stateless autoconfiguration to work properly, theadvertised prefix length in RA messages must

always be 64 bits.

� The RA messages are sent to the all-nodes multicast

address.



IPv6 Router Solicitation Message

� Router solicitation messages, value of Type 133 of

the ICMP packet header, are sent by hosts at system

startup so that the host can immediately

autoconfigure without needing to wait for the next

scheduled RA message.

� Router solicitation messages are usually sent by

hosts at system startup (the host does not have a

configured unicast address), the source address in

router solicitation messages is usually the

unspecified IPv6 address (0:0:0:0:0:0:0:0).

� RAs are also sent in response to router solicitation

messages.



IPv6 Router Solicitation Message



IPv6 Neighbor Redirect Message

� Routers send neighbor redirect messages to informhosts of better first-hop nodes on the path to adestination.

� A value of 137 in the Type field of the ICMP packetheader identifies an IPv6 neighbor redirect message.

� A router must be able to determine the link-localaddress for each of its neighboring routers in order to ensure that the target address in a redirectmessage identifies the neighbor router by its link-local address.

� For static routing, the address of the next-hop router should be specified using the link-local address of the router.

� For dynamic routing, all IPv6 routing protocols mustexchange the link-local addresses of neighboringrouters.



IPv6 Stateless Auto-configuration

� A node on the link can automatically configure site-

local and global IPv6 addresses by appending its 64bit interface ID to the 64 bit prefixes included in theRA messages.

� The resulting 128-bit IPv6 addresses configured bythe node are then subjected to duplicate address

detection to ensure their uniqueness on the link.� If the prefixes advertised in the RA messages are

globally unique, then the IPv6 addresses configuredby the node are also guaranteed to be globallyunique.

� Router solicitation messages, which have a value of 133 in the Type field of the ICMP packet header, aresent by hosts at system startup so that the host canimmediately autoconfigure without needing to waitfor the next scheduled RA message.



IPv6 Stateless Auto-configuration



IPv6 Prefix Aggregation



IPv6 Site Multi-homing

� Multiple IPv6 prefixes can be assigned to

networks and hosts.

� Having multiple prefixes assigned to a

network makes it easy for that network to

connect to multiple ISPs without breakingthe global routing table.

(see Figure 18)



IPv6 Site Multi-homing



Dual IPv4 and IPv6 Protocol Stacks

� The Dual IPv4 and IPv6 protocol stack technique can

be used to transition to IPv6 by enabling gradualone-by-one upgrades to applications running on

nodes.

� Applications running on nodes are upgraded to

make use of the IPv6 protocol stack.

� Applications that are not upgraded, support only the

IPv4 coexisting with upgraded applications on a

node.

� New and upgraded applications make use of both

the IPv4 and IPv6 protocol stacks.

(see Figure 19).

ipv6 understanding

Documents