IPv6Fundamentals-Slides
Uploaded by
Astro KronosIPv6Fundamentals-Slides
Uploaded by
Astro KronosIPv6 Fundamentals
Training Course
December 2024
RIPE NCC Training Material
Please nd your training material at the following link
https://www.ripe.net/training-material
X
2
fi
Schedule
09:00 - 09:30 Coffee, Tea
11:00 - 11:15 Break
13:00 - 14:00 Lunch
15:30 - 15:45 Break
17:30 End
3
Introductions
• Name
• Experience with IPv6
• Goals
4
Overview
• IPv4?
• IPv6 Address Basics
• Getting it
• Exercise: Making Assignments
• IPv6 Protocol Basics
• Exercise: Addressing Plan
• IPv6 Packets
• Deploying
• Exercise: Configuring IPv6
• Real Life IPv6 Deployment
• Tips
5
IPv4?
Section 1
Reaching the next billion
• Around 5,385 billion Internet users now
- around 67.9 % of all people in the world
• Phones, IP Cameras, “Smart” devices / Gateways are
Internet devices
• The Internet of Things
- How will the Internet look like in 5 - 10 years?
7
The Internet of Things
Libelium Smart World
http://www.libelium.com/top_50_iot_sensor_applications_ranking
© Libelium Comunicaciones Distribuidas S.L.
8
IANA IPv4 Pool
40%
30%
20%
10%
0%
2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011
9
IPv4 Exhaustion
“On 14 September 2012, the RIPE NCC
ran out of their regular pool of IPv4”
10
IPv4 run-out
“Today, at 15:35 (UTC+1) on 25 November 2019, we made our final
/22 IPv4 allocation from the last remaining addresses in our
available pool. We have now run out of IPv4 addresses.”
11
Our Reality: The Waiting List
1. Submit the IPv4 allocation request form at the LIR Portal (/24)
2. Wait
Each LIR is put on a rst-come- rst-served waiting list to get
one /24 block (256 addresses)
Cannot be transferred for 24 months after receiving it
12
fi
fi
Network Address Translation
• Extends the capacity of the IPv4 address space
by sharing an IPv4 address between clients
• Fairly common technology, used everywhere
• Breaks the end to end connectivity model
• It doesn’t allow communication with IPv6!
• You are probably going to need it in some form
13
Large Scale NAT
14
IPv6 Address Basics
Section 2
IP Address Distribution
/0 All IPv6 space
/3 Global Unicast
504 /12s - IANA Reserve
7 /12s RIR pools
/12 per RIR
Miscellaneous
1 /12
16
RIR Pools
October 2006 RIR IPv6 Range
AFRINIC 2C00:0000::/12
APNIC 2400:0000::/12
ARIN 2600:0000::/12
LACNIC 2800:0000::/12
RIPE NCC 2A00:0000::/12
June 2019 RIPE NCC 2A10:0000::/12
November 2019 ARIN 2630:0000::/12
November 2024 APNIC 2410:0000::/12
17
IP Address Distribution
/3 IANA
/12 RIR
/32 LIR
/48 /56 /48 End User
Allocation PA Assignment PI Assignment
18
IPv6 Address Basics
• IPv6 address: 128 bits
- 32 bits in IPv4
• Every subnet should be a /64
• Customer assignments (sites) between:
- /64 (1 subnet)
- /48 (65,536 subnets)
• Minimum allocation size /32
- 65,536 /48s
- 16,777,216 /56s
19
Address Notation
2001:0db8:003e:ef11:0000:0000:c100:004d
20
Address Notation
2001:0db8:003e:ef11:0000:0000:c100:004d
2001:db8: 3e:ef11: 0: 0: c100: 4d
20
Address Notation
2001:0db8:003e:ef11:0000:0000:c100:004d
2001:db8: 3e:ef11: 0: 0: c100: 4d
2001:db8:3e:ef11: :c100:4d
20
Address Notation
2001:0db8:003e:ef11:0000:0000:c100:004d
2001:db8: 3e:ef11: 0: 0: c100: 4d
2001:db8:3e:ef11: :c100:4d
1 1 1 0 1 1 1 1 0 0 0 1 0 0 0 1
20
IPv6 Subnetting
2001:0db8:0000:0000:0000:0000:0000:0000
64 bits interface ID
/64
/60 = 16 x /64
/56 = 256 x /64
/52 = 4096 x /64
/48 = 65536 x /64
/32 = 65536 x /48
21
Multiple address types
Addresses Range Scope
Unspeci ed ::/128 n/a
Loopback ::1 host
IPv4-Embedded 64: 9b::/96 n/a
Discard-Only 100::/64 n/a
Link Local fe80::/10 link
Global Unicast 2000::/3 global
Unique Local fc00::/7 global
Multicast 00::/8 variable
22
ff
ff
fi
IPv6 Address Scope
23
IPv6 Address Scope
INTERFACE
23
IPv6 Address Scope
LINK
INTERFACE
23
IPv6 Address Scope
SITE
LINK
INTERFACE
23
IPv6 Address Scope
GLOBAL SITE
LINK
INTERFACE
23
IPv6 Address Scope
GLOBAL SITE
LINK
INTERFACE
FE80::A:B:100 FF01::2 2001:67C:2E:1::C1
FD00:A:B::100 FF05::1:3 FF02::1
23
IPv6 Address Notation
Exercise
Question #1
You have a /32 pre x starting with 2001:0db8.
How do you search for it in the RIPE Database?
a. 2001:0db8
b. 2001:0db8/32
c. 2001:0db8::/32
d. 2001:db8::/32
25
fi
Question #1 Answer
You have a /32 pre x starting with 2001:0db8.
How do you search for it in the RIPE Database?
a. 2001:0db8
b. 2001:0db8/32
c. 2001:0db8::/32
d. 2001:db8::/32
26
fi
Question #2
How do you correctly compress the following IPv6 address:
2001:0db8:0000:0000:0000:0000:0000:0c50
a. 2001:0db8:0:0:0:0:0:0c50
b. 2001:0db8::0c50
c. 2001:db8::c50
d. 2001:db8::c5
27
Question #2 Answer
How do you correctly compress the following IPv6 address:
2001:0db8:0000:0000:0000:0000:0000:0c50
a. 2001:0db8:0:0:0:0:0:0c50
b. 2001:0db8::0c50
c. 2001:db8::c50 *
d. 2001:db8::c5
28
Question #3
How do you correctly compress the following IPv6 address:
2001:0db8:0000:0000:b450:0000:0000:00b4
a. 2001:db8::b450::b4
b. 2001:db8::b450:0:0:b4
c. 2001:db8::b45:0000:0000:b4
d. 2001:db8:0:0:b450::b4
29
Question #3 Answer
How do you correctly compress the following IPv6 address:
2001:0db8:0000:0000:b450:0000:0000:00b4
a. 2001:db8::b450::b4
b. 2001:db8::b450:0:0:b4 *
c. 2001:db8::b45:0000:0000:b4
d. 2001:db8:0:0:b450::b4
30
Question #4
How do you correctly compress the following IPv6 address:
2001:0db8:00f0:0000:0000:03d0:0000:00
a. 2001:0db8:00f0::3d0:0:00
b. 2001:db8:f0:0:0:3d0:0:
c. 2001:db8:f0::3d0:0:
d. 2001:0db8:0f0:0:0:3d0:0:0
31
ff
ff
ff
f
ff
Question #4 Answer
How do you correctly compress the following IPv6 address:
2001:0db8:00f0:0000:0000:03d0:0000:00
a. 2001:0db8:00f0::3d0:0:00
b. 2001:db8:f0:0:0:3d0:0:
c. 2001:db8:f0::3d0:0: *
d. 2001:0db8:0f0:0:0:3d0:0:0
32
ff
ff
ff
ff
ff
Question #5
How do you correctly compress the following IPv6 address:
2001:0db8:0f3c:00d7:7dab:03d0:0000:00
a. 2001:db8:f3c:d7:7dab:3d:0:
b. 2001:db8:f3c:d7:7dab:3d0:0:
c. 2001:db8:f3c:d7:7dab:3d0::
d. 2001:0db8:0f3c:00d7:7dab:03d::00
33
f
ff
ff
ff
ff
Question #5 Answer
How do you correctly compress the following IPv6 address:
2001:0db8:0f3c:00d7:7dab:03d0:0000:00
a. 2001:db8:f3c:d7:7dab:3d:0:
b. 2001:db8:f3c:d7:7dab:3d0:0: *
c. 2001:db8:f3c:d7:7dab:3d0::
d. 2001:0db8:0f3c:00d7:7dab:03d::00
34
f
ff
ff
ff
ff
Question #6
How do you access your IPv6 web server at
2001:db8::8080 on port 8080 using a web browser?
a. https://2001:db8::8080:8080
b. https://2001:0db8:0000:0000:0000:0000:0000:8080:8080
c. https://[2001:db8::8080]:8080
d. You cannot use the IPv6 address, you have to
rely on DNS
35
Question #6 Answer
How do you access your IPv6 web server at
2001:db8::8080 on port 8080 using a web browser?
a. https://2001:db8::8080:8080
b. https://2001:0db8:0000:0000:0000:0000:0000:8080:8080
c. https://[2001:db8::8080]:8080
d. You cannot use the IPv6 address, you have to
rely on DNS
36
IPv6 Notation - RFC 5952
For more information, please read RFC 5952:
“A Recommendation for IPv6 Address Text Representation”
Link to the RFC:
https://datatracker.ietf.org/doc/html/rfc5952
37
Questions
Getting It
Section 3
Getting an IPv6 allocation
• To qualify, an organisation must:
- Be an LIR
- Have a plan for making assignments within two years
• Minimum allocation size /32
- Up to a /29 without additional justi cation
- More if justi ed by customer numbers and network extension
- Additional bits based on hierarchical and geographical structure,
planned longevity and security levels
40
fi
fi
Customer Assignments
• Give your customers enough addresses
- Minimum /64
- There is no maximum assignment size
• Keep good documentation in case of an audit or if you
request a subsequent allocation
• Every assignment must be registered in the RIPE Database
41
Comparison IPv4 and IPv6 status
IPv4 IPv6
ALLOCATED PA Allocation ALLOCATED-BY-RIR
ASSIGNED PA Assignment ASSIGNED
Text
AGGREGATED-BY-LIR Group of Assignments AGGREGATED-BY-LIR
SUB-ALLOCATED PA Sub-Allocation ALLOCATED-BY-LIR
ASSIGNED PI PI Assignment ASSIGNED PI
42
Examples ASSIGNED
• One single network
• An individual customer
Internet
• Your own infrastructure
ISP
router
One assignment devices
= ‘ASSIGNED’
43
Using ASSIGNED
• Represents one assignment
• Minimum assignment size is a /64
ALLOCATED-BY-RIR
ASSIGNED /56 ASSIGNED /48 ASSIGNED /64
44
Using ASSIGNED - Example Object
45
Examples AGGREGATED-BY-LIR
• Group of customers
• Same assignment size
/56 /56
/56 /56
/56 /56
/56 /56 /56
/56 /56 /56
46
Using AGGREGATED-BY-LIR
• Can be used to group customers
- For example: Residential broadband customers
• “assignment-size:” = assignment of each customer
ALLOCATED-BY-RIR
AGGREGATED-BY-LIR
assignment-size: 56 /36
/56 /56 /56 /56 /56
47
Using AGGREGATED-BY-LIR - Example
48
Examples ALLOCATED-BY-LIR
Reservation for a large customer
Branch o ce or
department
Large Customer Branch O ce
/48
/48 /46 /48 /48 /36
Reservation Delegation
49
ffi
ffi
Using ALLOCATED-BY-LIR
Can be used for customers with potential for growth
- Or for your own infrastructure
- Or to delegate address space to a downstream ISP
ALLOCATED-BY-RIR
ALLOCATED-BY-LIR /36
ASSIGNED /52 ASSIGNED /48
50
Using ALLOCATED-BY-LIR - Example
51
Overview
ALLOCATED-BY-RIR
ASSIGNED /56 ALLOCATED-BY-LIR /44 AGGREGATED-BY-LIR /36
assignment-size: 56
ASSIGNED /48
52
Getting IPv6 PI Address Space
• To qualify, an organisation must:
- Meet the contractual requirements for provider independent
resources
- LIRs must demonstrate special routing requirements
• Minimum assignment size: /48
• PI space cannot be used for sub-assignments
53
Unique Local Addresses
• Pre xes from fc00::/7
- Only from the fd00::/8 block
• Should not be routed on the Internet
• Generate a random 40-bit Global ID and insert it into
fdxx:xxxx:xxxx
Global ID: da24154e1d
Pre x: fdda:2415:4e1d::/48
54
fi
fi
Making Assignments
Exercise
Create assignments for a smart city!
56
Context
• You work for the LIR: nl.ripencc-ts
• Your LIR has a /32 allocation: 2001:db8::/32
• Your customer Future Casa is working on a project called
“Smart Home 6”
• They need IPv6 addresses from your address space
• Future Casa wants to connect 1 million Smart Homes
57
Product Description
• Each home will be equipped with a 4G-enabled base unit
• The base unit will be the central gateway for smart
services inside the house
• Each smart service runs on a dedicated subnet
• Services can be enabled or disabled at any point from a
user’s smartphone app
• Future Casa will be rolling out new services in the future
58
Smart Home 6 Network Diagram
IPv6 Internet
/64
/64 ???
/64
/64 /64
/64
/64
/64
LIR / ISP /64
2001:db8::/32
5G wireless
point to point
59
Calculations…
60
Calculations…
• /64 = 1 subnet
- Not enough. We need one subnet alone for the p2p conn.
60
Calculations…
• /64 = 1 subnet
- Not enough. We need one subnet alone for the p2p conn.
• /63 = 2 subnets
- Not enough subnets.
- Not on the 4-bit boundary!
60
Calculations…
• /64 = 1 subnet
- Not enough. We need one subnet alone for the p2p conn.
• /63 = 2 subnets
- Not enough subnets.
- Not on the 4-bit boundary!
• /60 = 16 subnets
- Is it enough to meet the future needs?
- You want to avoid having to renumber!
60
Calculations…
61
Calculations…
• /56 = 256 subnets
- Sounds reasonable. How many subnets can a house need?
61
Calculations…
• /56 = 256 subnets
- Sounds reasonable. How many subnets can a house need?
• /52 = 4096 subnets
- More than enough.
61
Calculations…
• /56 = 256 subnets
- Sounds reasonable. How many subnets can a house need?
• /52 = 4096 subnets
- More than enough.
• /48 = 65K subnets
- De nitely more than enough.
61
fi
Calculations…
• /56 = 256 subnets
- Sounds reasonable. How many subnets can a house need?
• /52 = 4096 subnets
- More than enough.
• /48 = 65K subnets
- De nitely more than enough.
61
fi
Calculations…
One million smart homes
x
/56 per home
=
62
Calculations…
One million smart homes
x
/56 per home
=
/36
62
Possible options for /36 subnets
2001:db8::/32 /32
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:0000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:0000::/36
2001:db8:1000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:0000::/36
2001:db8:1000::/36
2001:db8:2000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:0000::/36
2001:db8:1000::/36
2001:db8:2000::/36
2001:db8:3000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:0000::/36
2001:db8:1000::/36
2001:db8:2000::/36
2001:db8:3000::/36
2001:db8:4000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:5000::/36
2001:db8:0000::/36
2001:db8:1000::/36
2001:db8:2000::/36
2001:db8:3000::/36
2001:db8:4000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:5000::/36
2001:db8:0000::/36
2001:db8:6000::/36
2001:db8:1000::/36
2001:db8:2000::/36
2001:db8:3000::/36
2001:db8:4000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:5000::/36
2001:db8:0000::/36
2001:db8:6000::/36
2001:db8:1000::/36
2001:db8:7000::/36
2001:db8:2000::/36
2001:db8:3000::/36
2001:db8:4000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:5000::/36
2001:db8:0000::/36
2001:db8:6000::/36
2001:db8:1000::/36
2001:db8:7000::/36
2001:db8:2000::/36
2001:db8:8000::/36
2001:db8:3000::/36
2001:db8:4000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:5000::/36
2001:db8:0000::/36
2001:db8:6000::/36
2001:db8:1000::/36
2001:db8:7000::/36
2001:db8:2000::/36
2001:db8:8000::/36
2001:db8:3000::/36
2001:db8:9000::/36
2001:db8:4000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:5000::/36
2001:db8:0000::/36
2001:db8:6000::/36
2001:db8:1000::/36
2001:db8:7000::/36
2001:db8:2000::/36
2001:db8:8000::/36
2001:db8:3000::/36
2001:db8:9000::/36
2001:db8:4000::/36
2001:db8:a000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:5000::/36
2001:db8:0000::/36 2001:db8:b000::/36
2001:db8:6000::/36
2001:db8:1000::/36
2001:db8:7000::/36
2001:db8:2000::/36
2001:db8:8000::/36
2001:db8:3000::/36
2001:db8:9000::/36
2001:db8:4000::/36
2001:db8:a000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:5000::/36
2001:db8:0000::/36 2001:db8:b000::/36
2001:db8:6000::/36
2001:db8:1000::/36 2001:db8:c000::/36
2001:db8:7000::/36
2001:db8:2000::/36
2001:db8:8000::/36
2001:db8:3000::/36
2001:db8:9000::/36
2001:db8:4000::/36
2001:db8:a000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:5000::/36
2001:db8:0000::/36 2001:db8:b000::/36
2001:db8:6000::/36
2001:db8:1000::/36 2001:db8:c000::/36
2001:db8:7000::/36
2001:db8:2000::/36 2001:db8:d000::/36
2001:db8:8000::/36
2001:db8:3000::/36
2001:db8:9000::/36
2001:db8:4000::/36
2001:db8:a000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:5000::/36
2001:db8:0000::/36 2001:db8:b000::/36
2001:db8:6000::/36
2001:db8:1000::/36 2001:db8:c000::/36
2001:db8:7000::/36
2001:db8:2000::/36 2001:db8:d000::/36
2001:db8:8000::/36
2001:db8:3000::/36 2001:db8:e000::/36
2001:db8:9000::/36
2001:db8:4000::/36
2001:db8:a000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:5000::/36
2001:db8:0000::/36 2001:db8:b000::/36
2001:db8:6000::/36
2001:db8:1000::/36 2001:db8:c000::/36
2001:db8:7000::/36
2001:db8:2000::/36 2001:db8:d000::/36
2001:db8:8000::/36
2001:db8:3000::/36 2001:db8:e000::/36
2001:db8:9000::/36
2001:db8:4000::/36 2001:db8:f000::/36
2001:db8:a000::/36
63
Possible options for /36 subnets
2001:db8::/32 /32
/36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36 /36
2001:db8:5000::/36
2001:db8:0000::/36 2001:db8:b000::/36
2001:db8:6000::/36
2001:db8:1000::/36 2001:db8:c000::/36
2001:db8:7000::/36
2001:db8:2000::/36 2001:db8:d000::/36
2001:db8:8000::/36
2001:db8:3000::/36 2001:db8:e000::/36
2001:db8:9000::/36
2001:db8:4000::/36 2001:db8:f000::/36
2001:db8:a000::/36
63
Solution RIPE Database object
64
Solution RIPE Database object
65
IPv6 Protocol Basics
Section 4
IPv6 Protocol Functions
• Address Autoconfiguration
- Supported by Neighbor Discovery
- Stateless - with SLAAC
- Stateful - with DHCPv6
• Neighbor Discovery Protocol
- Replaces ARP from IPv4
- Uses ICMPv6 and Multicast
- Finds the other IPv6 devices on the link
- Keeps track of reachability
67
The Autoconfiguration Process
1. Make a Link-Local address
2. Check for duplicates on the link
3. Search for a router
4. Make a Global Unicast address
68
Making a Link-Local Address
48 bits - MAC Address
• Interface ID is made
from the MAC address
FF FE
fe80:: Interface ID
• fe80:: + Interface ID = Link-Local address for the host
69
Checking for Duplicates
Neighbor Solicitation
A A
Hello! Is this IPv6 address in use?
Can you tell me your MAC address?
Neighbor AdvertisementB
B Hello! Yes, I’m using that IPv6 address.
My MAC address is 72:D6:0C:2F:FC:01
If nobody replies to the Neighbor Solicitation,
the host uses the generated link-local address
70
Solicited Node Multicast Address
• Used in Neighbor Discovery Protocol for obtaining
the layer 2 link-layer (MAC) addresses
IPv6 unicast address
Prefix Interface ID Lower 24 bits
same bits
Solicited-node multicast address
ff02 0 1 ff Lower 24 bits
128 bits
71
Solicited Node Multicast Address
72
Searching for Routers
Router Solicitation
A A
Hello! Is there a router out there?
Router Advertisement
Hello! I’m a router and I have some
information for you…
The Router Advertisement gives the host more information
to get an IPv6 address and set up a connection
73
Stateless Address Auto-Configuration
• The Router Advertisement message tells the host:
- Router’s address
- Zero or more link prefixes
- SLAAC allowed (yes/no)
- DHCPv6 options
- MTU size (optional)
Link Prefix Interface ID
Global Unicast IPv6 Address
74
Interfaces will have multiple addresses
• Unicast
- Link Local fe80::5a55:caff:fef6:bdbf/64
- Global Unicast 2001::5a55:caff:fef6:bdbf/64 (multiple)
• Multicast
- All Nodes ff02::1 (scope: link)
- Solicited Node ff02::1:fff6:bdbf (scope: link)
• Routers
- All Routers ff02::2 (scope: link)
75
Verifying Reachability
Neighbor Solicitation
Hello! Are you still out there? A
Is your MAC address still valid?
Neighbor Advertisement
B Hello! Yes, I’m still online.
My MAC address is 72:D6:0C:2F:FC:01
If the target does not reply to the Neighbor Solicitation,
the sender removes the MAC address from the cache
76
Redirects
IPv6 Packet
A
This packet is for an IPv6 host.
Redirect
Hello! That destination you wanted?
I know a better way to reach it.
• Hosts can be redirected to a better first-hop router
• They can also be informed that the destination is a neighbor on the link
77
Questions
Addressing Plans
Section 5
Why Create an Addressing Plan?
• Bene ts of an IPv6 addressing plan
- Mental health during implementation (!)
- Easier implementation of security policies
- E cient addressing plans are scalable
- More e cient route aggregation
80
ffi
fi
ffi
IPv6 Address Management
• Your spreadsheet might not scale
- There are 65.536 /64s in a /48
- There are 65.536 /48s in a /32
- There are 524.288 /48s in a /29
- There are 16.777.216 /56s in a /32
- There are 134.217.728 /56s in a /29
• Find a suitable IPAM solution
81
Addressing Plan
Exercise
Addressing Plan Exercise
• Things to consider
- administrative ease!
- use assignments on 4 bit boundary
- 2 possible scenarios for network
- 5 possible scenarios for customer assignments
• 20 minutes preparation time
• 10 minutes discussion
83
Network Diagram - POPs
POP1 POP2
mail colo 1
Switch1 cr1.pop1
www
cr1.pop2
proxy
Colocated
Customers
cr2.pop2
NTP
Switch2 cr2.pop1
voip
colo 2
DNS AR2
Point-to-point Point-to-point
Switch Layer 3 switch Router
Customer 1 Customer 2
84
Network Diagram - POP1
POP1 POP2
mail colo 1
sw 1 cr1.pop1
www
cr1.pop2
proxy
Colocated
Customers
cr2.pop2
NTP
sw 2 cr2.pop1
voip
colo 2
DNS AR2
Point-to-point Point-to-point
Switch Layer 3 switch Router
Customer 1 Customer 2
85
Network Diagram - POP1
POP1 POP2
mail colo 1
sw 1 cr1.pop1
www
cr1.pop2
proxy
Colocated
Customers
cr2.pop2
NTP
sw 2 cr2.pop1
voip
colo 2
DNS AR2
Point-to-point Point-to-point
Switch Layer 3 switch Router
Customer 1 Customer 2
86
Network Diagram - POP2
POP1 POP2
mail colo 1
sw 1 cr1.pop1
www
cr1.pop2
proxy
Colocated
Customer
cr2.pop2
NTP
sw 2 cr2.pop1
voip
colo 2
DNS AR2
Point-to-point Point-to-point
Switch Layer 3 switch Router
Customer 1 Customer 2
87
Network Diagram - POP2
POP1 POP2
mail colo 1
sw 1 cr1.pop1
www
cr1.pop2
proxy
Colocated
Customer
cr2.pop2
NTP
sw 2 cr2.pop1
voip
colo 2
DNS AR2
Point-to-point Point-to-point
Switch Layer 3 switch Router
Customer 1 Customer 2
87
Network Diagram - POP2
POP1 POP2
mail colo 1
sw 1 cr1.pop1
www
cr1.pop2
proxy
Colocated
Customer
cr2.pop2
NTP
sw 2 cr2.pop1
voip
colo 2
DNS AR2
Point-to-point Point-to-point
Switch Layer 3 switch Router
Customer 1 Customer 2
88
Addressing plans
• /64 for each subnet
• Number of hosts in a /64 is irrelevant
• Multiple /48s per pop can be used
- separate blocks for infrastructure and customers
- document address needs for allocation criteria
• Use one /64 block per site for loopbacks
89
The /64 story
• “Every interface ID must be a /64” (RFC 4291)
• Because of SLAAC
• Other RFCs followed this
• The only exception is a /127 for point-to-point links
90
More on Addressing Plans
• For private networks, consider ULA
• For servers you want a manual configuration
• Avoid embedding service information in IP addresses
- pop server = 2001:db8:1::110 ❌
- dns server = 2001:db8:1::53 ❌
• Instead, use DNS for service discovery
- POP server: 2001:db8:1::1 (resolvable as pop.example.com)
- DNS server: 2001:db8:1::2 (resolvable as dns.example.com)
91
Questions
IPv6 Packets
Section 6
IPv6 Header Format
• Fixed length
- Optional headers are daisy-chained
• IPv6 header is twice as long (40 bytes) as
IPv4 header without options (20 bytes)
94
IPv6 Header
95
IPv6 Header
• Optional fields go into extension headers
96
IPv6 Header
• Daisy-chained after the main header
97
Common Headers
• Common values of Next Header Fields:
- 0 Hop-by-hop option (extension)
- 6 TCP (payload)
- 17 UDP (payload)
- 43 Routing (extension)
- 44 Fragmentation (extension)
- 50 Encrypted Security Payload (extension)
- 58 ICMPv6
98
Fragmentation
• Routers don’t fragment packets with IPv6
- More efficient handling of packets in the core
- Fragmentation is being done by host
• If a packet is too big for next hop:
- “Packet too big” error message
- This is an ICMPv6 message
- Filtering ICMPv6 causes problems
99
Path MTU Discovery
• A sender who gets this “message-too-big”
ICMPv6 error tries again with a smaller packet
- A hint of size is in the error message
- This is called Path MTU Discovery
100
Ordering of Headers
• Order is important:
- Only hop-by-hop header has to be processed by every
node
- Routing header needs to be processed by every router
- Fragmentation has to be processed before others at the
destination
101
Ordering of Headers
102
Questions
Deploying IPv6
Section 7
Assigning Addresses
• Routers influence how hosts connect to network
• Several options:
- Manual configuration
- Router Advertisement only (SLAAC)
- RA + DHCPv6 (‘M’ flag on)
- RA + DHCPv6 (‘O’ flag on)
- RA (‘A’ flag off) + DHCPv6 (‘M’ flag on)
• Gateway is always provided by the RA
105
Router Advertisement Options
• RA message is used to provide configuration info
- Default gateway address
- Which prefix(es) to use on the link? Prefix length?
- Is SLAAC allowed?
- Is DHCPv6 available? For address/options? Only options?
- What is the preference of a router on the link?
- DNS servers / Domain (optional)
- MTU size (optional)
RA: Network Configuration
106
SLAAC IID Generation Options
64 bits
Interface ID (IID)
Modi ed EUI-64 (uses MAC address) “Stable” IID
for SLAAC
Stable, semantically opaque [RFC7217]
“Temporary”
Temporary Address Extensions [RFC8981] IID for SLAAC
107
fi
Stable, Semantically Opaque IID
• Consider IID bits “opaque”, no value or meaning [RFC7136]
How to generate IIDs [RFC7217]
Di erent for each interface in the same network pre x
Not related to any xed interface identi er
Always the same when same interface connected to same network
• Widely used and standardised for “stable” addresses
[RFC8064]
108
ff
fi
fi
fi
DHCPv6
• Used to give additional information like DNS servers
or to manage the address pool
• Router Advertisement message contains hints
- If “managed” flag = ‘1’ can use DHCPv6 to get an address
- Optionally provide the address of a DNS server (RFC 8106)
• Using additional flags, the network admin can disable
SLAAC and force DHCPv6
109
DHCPv6 (M=1)
HOSTS
DHCPv6 Server
ROUTER
fe80::a
SOLICIT
ADVERTISE
REQUEST
REPLY
110
DHCPv6 (M=1)
HOSTS
DHCPv6 RELAY
ROUTER NETWORK DHCPv6 SERVER
fe80::a
SOLICIT R-F (SOLICIT)
ADVERTISE R-R (ADVERTISE)
REQUEST R-F (REQUEST)
REPLY R-R (REPLY)
111
DHCPv6 (M=0, O=1)
HOSTS
DHCPv6 Server
ROUTER
fe80::a
INFORMATION-REQUEST
REPLY
112
DHCPv6 (M=0, O=1)
HOSTS
DHCPv6 RELAY
ROUTER NETWORK DHCPv6 SERVER
fe80::a
INFORMATION-REQUEST R-F(INFORMATION-REQUEST)
REPLY R-R (REPLY)
113
MLD
• Multicast Listener Discovery (MLD) is an important
component of IPv6
• IPv6 routers use MLD to discover multicast listeners
on a directly attached link, similar to IGMP in IPv4
• MLD is embedded in ICMPv6. Two versions exist:
- MLDv1 similar to IGMPv2
- MLDv2 similar to IGMPv3
114
MLD
• 3 types of messages: Query, Report, Done
MLD IGMP Message Type ICMPv6 Type Function
Listener Query 130 Discover multicast listeners
MLDv1
IGMPv2 Listener Report 131 Response to a Query, joins a group
(RFC2710)
Listener Done 132 Node reports that it has stopped listening
Listener Query 130 Discover multicast listeners
MLDv2
IGMPv3
(RFC3810)
Listener Report 143 Current multicast listening state, or changes
115
DNS in IPv6 is difficult?
• DNS is not IP layer dependent
• A record for IPv4
• AAAA record for IPv6
• Don't answer based on incoming protocol
• Only challenges are for translations
- NAT64, proxies
116
Reverse DNS
2001:db8:3e:ef11::c100:4d
117
Reverse DNS
2001: db8: 3e:ef11: :c100: 4d
118
Reverse DNS
2001:0 db8:003e:ef11:0000:0000:c100:004d
118
Reverse DNS
2001:0 db8:003e:ef11:0000:0000:c100:004d
8 .b.d.0.1.0.0.2.ip6.arpa.
118
Reverse DNS
2001:0 db8:003e:ef11:0000:0000:c100:004d
8 .b.d.0.1.0.0.2.ip6.arpa.
d.4.0.0.0.0.1.c.0.0.0.0.0.0.0.0.1.1.f.e.e.3.0.0.8.b.
d.0.1.0.0.2.ip6.arpa. PTR
yourname.domain.tld.
118
Reverse DNS
2001:0 db8:003e:ef11:0000:0000:c100:004d
8 .b.d.0.1.0.0.2.ip6.arpa.
d.4.0.0.0.0.1.c.0.0.0.0.0.0.0.0.1.1.f.e.e.3.0.0.8.b.
d.0.1.0.0.2.ip6.arpa. PTR
yourname.domain.tld.
d.4.0.0.0.0.1.c.0.0.0.0.0.0.0.0.1.1.f.e.e.3.0.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR yourname.domain.tld.
118
IPv6 and Domain Objects
• IPv6 prefix: 2001:db8::/32
• Domain object:
domain: 8.b.d.0.1.0.0.2.ip6.arpa
descr: rDNS for my whole IPv6 network
admin-c: NOC12-RIPE
tech-c: NOC12-RIPE
zone-c: NOC12-RIPE
nserver: pri.example.net
nserver: sns.company.org
ds-rdata: 45062 8 2 275d9acbf3d3fec11b6d6…
mnt-by: EXAMPLE-LIR—MNT
created: 2015-01-21T13:52:29Z
last-modified: 2016-02-07T15:09:46Z
source: RIPE
119
Security Considerations
• Everybody can claim to be a router
- Use RA Guard to filter unauthorised RAs
- RFC 6105
- Secure Neighbour Discovery (SEND)
- RFC 3971
- Neighbour Solicitation/Advertisement spoofing
- DoS Attack
- Router Solicitation and Advertisement Attacks
120
Security Considerations
• Leaking router advertisements
- Cisco enables RA by default
- Windows, MacOS and others will default accept
- A machine can easily get IPv6 unnoticed
• Big threat today in IPv6 is human error
- lack of knowledge / training
- typos
- Maintaining two IP protocols
121
Configuring IPv6
Exercise
Assigning Addresses
• R1 will send the RAs and act as DHCPv6 Relay Agent
• R2 will get IPv6 configuration info in three ways:
- RA + SLAAC only
- RA + SLAAC + ‘O’ flag (DHCPv6 Other Configuration)
- RA + no SLAAC + ‘M’ flag (DHCPv6 Managed)
• The DHCPv6 server is already configured
123
Network Diagram
DHCPv6 e0/0 e0/1 e0/0
Server
R1 R2
Router roles:
R1: Default gateway router
DHCPv6 relay agent
R2: Client device
SLAAC
DHCPv6 client
124
Exercise: Configuring IPv6
• Make sure you have connectivity
• Go to: workbench.ripe.net
• Choose the lab (ask the trainers)
• Your login is your number on participants list
• The trainers will provide the password
• Choose “RA and DHCPv6” from the menu
125
Check R2
• Verify that the interface e0/0 has no address yet
show ipv6 interface brief
126
Basic IPv6 Settings
• Before configuring IPv6 on your router interfaces,
the basic IPv6 settings must be enabled
• On both R1 and R2
configure terminal
ipv6 unicast-routing
ipv6 cef
127
1st Case: SLAAC only (Router)
• On R1 we will configure an IPv6 address from a /64
prefix on interface e0/1
interface e0/1
ipv6 address 2001:ffxx:1::a/64
Where xx is your given number for the LAB!
1 = 01
2 = 02
10 = 10
11 = 11
128
1st Case: SLAAC only (Client)
• On R2 we will configure SLAAC on the interface e0/0
interface e0/0
ipv6 address autoconfig default
129
Check R2
• Verify that the interface e0/0 has an IPv6 address
end (exits config mode)
show ipv6 interface e0/0
• And a default route
show ipv6 route
130
Check R2
• Unfortunately, R2 has no DNS name servers
show ip dns view
• This information was not provided in the RA from R1
131
2nd Case: SLAAC + O flag (Router)
• On R1 we will configure the ‘O’ flag for the RAs on
interface e0/1
interface e0/1
ipv6 nd other-config-flag
132
2nd Case: SLAAC + O flag (Client)
• On R2 we will first bring down the interface e0/0
configure terminal
interface e0/0
shutdown
• And then bring it back up…
no shutdown
133
2nd Case: SLAAC + O flag (Client)
• Verify that the interface e0/0 has an IPv6 address and
other configuration
end (exits config mode)
show ipv6 interface e0/0
show ip dns view
show ipv6 dhcp interface e0/0
134
3rd Case: RA + M flag (Router)
• On R1 we will configure the ‘M’ flag for the RAs on
interface e0/1
interface e0/1
no ipv6 nd other-config-flag
ipv6 nd managed-config-flag
135
3rd Case: RA + M flag (Client)
• On R2 we will first bring down the interface e0/0
configure terminal
interface e0/0
shutdown
• Remove the SLAAC configuration
no ipv6 address autoconfig default
136
3rd Case: RA + M flag (Client)
• On R2, configure the DHCP client
ipv6 address dhcp
ipv6 enable
ipv6 nd autoconfig default-route
• And then bring the interface back up…
no shutdown
137
3rd Case: RA + M flag (Client)
• Verify that the interface e0/0 has an IPv6 address and
other configuration
end (exits config mode)
show ipv6 interface e0/0
show ipv6 dhcp interface e0/0
138
Questions
Real Life IPv6 Deployment
Section 8
Colocation Provider
• 30 staff
• Routing
- Dual Stack!
- Possible IGP combinations were:
- OSPFv2 for IPv4, IS-IS for IPv6 (only)
- OSPFv2 for IPv4, OSPFv3 for IPv6
- IS-IS for IPv4, OSPFv3 for IPv6
- IS-IS for both IPv4 and IPv6 (their solution)
- Check internal routing before going external!
141
Colocation Provider
• Checklist
- set access lists on network equipment
- set up monitoring (SNMP)
- have working DNS
• Subnetting tools
- sipcalc, IPv6calc, apps
• Every customer gets a /48 assignment
- and a /64 for the connection
142
Colocation Provider
• Points of attention:
- stateless auto configuration can assign a subnet “unexpectedly”
- not all firewalls support IPv6
- be careful with statement “IPv6 ready”
143
ISP xDSL
• 200 staff
• 2 /32 prefixes (due to merger)
- not enough
- make a plan before requesting allocation
• /48 per POP
• /56 per router
• /64 per customer vlan
144
ISP xDSL
• Servers
- no EUI-64
- no autoconfig
- port number for services (i.e. POP3 at ::110)
- default gateway manually set to, for example:
- 2001:db8::1/64 (usually)
145
ISP xDSL
• Network links (point-to-point)
- core
- /64 per link
- ::1 - ::2
- no auto configuration
- easy to remember
• You don’t want your router link at:
- 2001:db8:cf9d:7631:cd01:fe55:4532:ae60/64
• You want your router link at:
- 2001:db8:1:1::/64
146
Large Enterprise
• Approx. 550 IT staff
• Several locations worldwide
• Most of their business processes rely heavily
on the Internet
• Driven to IPv6 by need to continue doing
business as usual
147
Large Enterprise
• Make an inventory of IT needs
- Hardware / Software / Services
- Talk to your ISPs early during preparation
• Evaluate the current IPv6 offerings
- Don’t trust your vendor on “full IPv6 support”
- Basic network functions are not the issue
- Check cloud solutions
• Train your IT staff
- Make them understand the WHY of IPv6
- Focus on the people responsible for applications
148
Large Enterprise
• Build a testlab (and start testing!)
• Make an IPv6 Roadmap
- Dedicated IT group approves roadmap and tracks status
- “IPv6 Readiness” required for all new purchases
- Plan replacement of solutions that don’t do IPv6
- Point out the risks of apps not doing IPv6
• Phased Approach to Deployment
- Phase 1: dual stack all external facing services
- Phase 2: datacenter and internal network
149
Tips
Section 9
How to get started
• Change purchasing procedure (feature parity)
• Check your current hardware and software
• Plan every step and test
• One service at a time
- face first
- core
- customers
• Create a lessons learned document
• Update your marketing team promptly and appropriately
151
RIPE-772 Document
• “Requirements for IPv6 in ICT Equipment”
- Best Current Practice describing what to ask for when requesting
IPv6 Support
- Useful for tenders and RFPs
- Original version was ripe-554
- Ripe-554 Originated by the Slovenian Government
- Adopted by various others (Germany, Sweden)
Link to the document:
https://www.ripe.net/publications/docs/ripe-772
152
Troubleshooting for ISP Helpdesks
• Most ISP connectivity problems are not IPv6 related
• Helpdesks can get confused!
- IPv6 is new for them
- They don’t have experience with IPv6 issues
• A generic troubleshooting guide can help!
• Based on the open source testipv6.com tool
• Customisable
https://www.ripe.net/ripe/docs/ripe-631
153
Customers And Their /48
• Customers have no idea how to
handle 65,536 subnets!
• Provide them with information!
Link to the document:
https://www.ripe.net/support/training/material/
basicipv6-addressing-plan-howto.pdf
154
Also useful
• Websites
- http://www.getipv6.info
- http://www.ipv6actnow.org
- http://datatracker.ietf.org/wg/v6ops/
- https://www.ripe.net/publications/docs/ripe-772
• Mailing lists
- http://lists.cluenet.de/mailman/listinfo/ipv6-ops
- http://www.ripe.net/mailman/listinfo/ipv6-wg
155
Don'ts
• Don't separate IPv6 features from IPv4
• Don't do everything in one go
• Don't appoint an IPv6 specialist
- do you have an IPv4 specialist?
• Don't see IPv6 as a product
- the Internet is the product!
156
Questions
We want your feedback!
What did you think about this session?
Take our survey at:
https://www.ripe.net/s/feedback/v6fun/
RIPE NCC
Academy
Learn something new today!
academy.ripe.net
159
Presentation Title
https://getcerti ed.ripe.net/
Presentation Subtitle
Type Of Session
fi
Have more questions? Ask us!
[email protected]
Ënn Соңы Y Diwedd
An Críoch پایان
Vége Endir Koniec
Finvezh Ende
վերջ
Son დასასრული Finis
הסוף Kiнець
Amaia Tmiem
Lõpp Kpaj
Loppu Liðugt
Sfârşit Slutt
Fund
Kraj Конeц
النهاية
Konec
Fin Τέλος
Fine Fí Kрай
Einde
Pabaiga
Slut
Fim Beigas
What’s Next in IPv6
Webinars Face-to-face E-learning Examinations
Attend another webinar Meet us at a location near Learn at your own pace at Learnt everything you
live wherever you are. you for a training session our online Academy. needed? Get certified!
delivered in person.
✤ Introduction to IPv6 (2 hrs) ✤ IPv6 Fundamentals (8.5 hrs) ✤ IPv6 Fundamentals (15 hrs) ✤ IPv6 Fundamentals - Analyst
✤ IPv6 Addressing Plan (1 hr) ✤ Advanced IPv6 (17 hrs) ✤ IPv6 Security (24 hrs) ✤ IPv6 Security - Expert
✤ Basic IPv6 Protocol Security (2 hrs) ✤ IPv6 Security (8.5 hrs)
✤ IPv6 Associated Protocols (2 hrs)
✤ IPv6 Security Myths, Filtering and Tips
(2 hrs)
For more info For more info For more info
click the link click the link click the link
below below below
learning.ripe.net academy.ripe.net getcertified.ripe.net
Copyright Statement
[…]
The RIPE NCC Materials may be used for private purposes,
for public non-commercial purpose, for research, for
educational or demonstration purposes, or if the
materials in question speci cally state that use of the
material is permissible, and provided the RIPE NCC Materials
are not modi ed and are properly identi ed as RIPE NCC
documents. Unless authorised by the RIPE NCC in writing,
any use of the RIPE NCC Materials for advertising or
marketing purposes is strictly forbidden and may be
prosecuted. The RIPE NCC should be noti ed of any such
activities or suspicions thereof.
[…]
Find the
Link to the
fullcopyright
copyrightstatement:
statement here:
https://www.ripe.net/about-us/legal/copyright-statement X
fi
fi
fi
fi
