
Harpreet Singh, harprsin@cisco.com
R. Sankara Narayanan, rsnaraya@cisco.com

2010 Cisco and/or its affiliates. All rights reserved.

- IPv4 Exhaustion
- Market Drivers
- IPv6 Technical Overview
- IPv6 Transition Mechanisms
- Security


Cisco Confidential

The Growing Internet

Internet growth, in terms of the number of connected devices, is accelerating at an exponential rate:
- India added 15 million new subscribers in August, more than the population of Greece [1]
- China Mobile has surpassed 500 million subscribers, more than the population of North America [2]
- The Embedded Internet will consist of over 15 billion devices by 2015 [3]

Drivers: Mobility / Device Proliferation; IP Video / Collaboration; Governmental directives and initiatives; Embedded Internet

Governmental directives and initiatives:
- IPv6 Task Force and promotion councils: Africa, India, Japan, Korea, Germany
- EU sponsored projects
- China to mandate that top ISPs/Content Providers fully support IPv6 in 3 years
- U.S. Federal Mandate
2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential For BarrettXplore

The Growing Internet Challenge

The gap between supply and demand for IP addresses, the key Internet resource, is widening.

[Chart: IPv4 address blocks remaining [1]: 25 /8 blocks today, 0 by Sep 2011 (< 700 days remaining). Internet-enabled devices [2]: 5B today, 15B by 2015+.]

The pool of IPv4 address blocks is dwindling rapidly, while the number of new Internet devices is exploding.

[1] Geoff Huston, APNIC, www.potaroo.net, tracking /8 address blocks managed by the Internet Assigned Numbers Authority
[2] Cisco Visual Networking Index / Intel Embedded Internet Projections


Hey Buddy, Can You Spare an IPv4 Address?

- 3rd February 2011: the last five remaining /8 pools were allocated amongst the five Regional Internet Registries
- 15th April 2011: the APNIC pool consists of the final /8 block; IPv4 allocation policy has now changed and APNIC members are eligible for a SINGLE /22 (1024 addresses) from the pool

Source: http://www.icann.org/en/news/releases/release-03feb11-en.pdf


- RIRs still have addresses available from local pools; APNIC, RIPE, and ARIN will all be exhausted by 2012
- Nortel sold 666,624 IP addresses to Microsoft on 23rd March for $7.5M ($11.25 each)

Source: Tony Hain, Cisco Systems, http://www.tndh.net/~tony/ietf/IPv4-rir-pools.pdf


Based on what we know is true today (Conservative)

Year   World Population   Connected Devices   Connected Devices Per Person
2003   6.5 Billion        500 Million         0.08
2010   6.8 Billion        12.5 Billion        1.84
2015   7.2 Billion        25 Billion          3.47
2020   7.6 Billion        50 Billion          6.58

2008: more connected devices than people

Source: Cisco IBSG, 2010


IPv6 is an enabler, it is NOT a new service. It allows anything to connect to everything.

- IPv4 address pool exhausted
- Government Mandates
- Cable market address scaling
- Population densities in APAC
- 4G deployments
- Smart Grids/Sensor Networks
- Connected Communities

IPv4 connects computers; IPv6 connects people and things.


IPv6

- IPv4 Address Run-Out
- National IPv6 Strategies: US DoD, China, India NGI, EU
- IPv6 OS, Content & Applications
- Infrastructure Evolution
- End Point Explosion: Smart Grid, Smart Meters, Smart Cities, Internet of Things, Cable Set Top Boxes, Mobile Telephony

https://www.arin.net/knowledge/v4-v6.html

[Figure: smart-grid monitoring example. Five devices addressed 2001:0205:8:1/64 through 2001:0205:8:5/64, each with gauges (0%, 50%, 100%) for Total Capacity, Power Consumption and Overload Condition.]


- The IPv4 address exhaustion problem is real and the pool is depleting at a rapid rate
- Asia has used up its allocation; the US and European pools will be exhausted by early 2012
- Service Providers need to act as soon as possible
- A roadmap to IPv6 must be considered


How Do We Get There from Here?

- IPv4 and IPv6 will coexist for the foreseeable future: no D-Day/Flag Day
- Education and careful planning are crucial: how long does it take in your environment?
- IPv4 and IPv6 implementations must be scalable, reliable, secure and feature rich
- There are many ways to deliver IPv6 services to End Users


Enabling an Orderly, Incremental Transition

[Figure: transition path for Business / Consumer customers over the IP NGN: Today (Private IP) -> 6-over-4 -> Transitional 4-over-6 -> All IPv6. Phases: Preserve, Prepare, Prosper. Legend: IPv4, Private IP, IPv6.]

Boundless service opportunities with Smart Grid, Connected Cities, Mobile Video, Cloud Computing.

harpreets@cisco.com rsnaraya@cisco.com

2011 Cisco and/or its affiliates. All rights reserved.


- IPv6 Addressing
- IPv6 Header
- ICMPv6 and Neighbor Discovery
- IPv6 Interface Configuration


Service             IPv4                                         IPv6
Addressing Range    32-bit, NAT                                  128-bit, Multiple Scopes
IP Provisioning     DHCP                                         SLAAC, Renumbering, DHCP
Security            IPSec                                        IPSec
Mobility            Mobile IP                                    Mobile IP with Direct Routing
Quality-of-Service  Differentiated Service, Integrated Service   Differentiated Service, Integrated Service
Multicast           IGMP/PIM/MBGP                                MLD/PIM/MBGP, Scope Identifier


IPv6 addresses are 128 bits long

- Segmented into 8 groups of four HEX characters (called hextets), separated by a colon (:)
- Default is 50% for network ID, 50% for interface ID
- Network portion is allocated by Internet registries: 2^64 (1.8 x 10^19) prefixes, which still leaves ~3 billion network prefixes for each person on earth

Global Unicast Identifier Example

                     Network Portion                                 Interface ID
                     gggg:gggg:gggg:ssss                             xxxx:xxxx:xxxx:xxxx
                     Global Routing Prefix (n bits, n <= 48 bits)    Host (64 bits)
                     + Subnet ID (64 - n bits)

Full Format:         2001:0000:0000:00A1:0000:0000:0000:1E2A
Abbreviated Format:  2001:0:0:A1::1E2A

340,282,366,920,938,463,374,607,432,768,211,456
(IPv6 Address Space - 340 Trillion Trillion Trillion)

vs 4,294,967,296
(IPv4 Address Space - 4 Billion)


Address hierarchy (example 2001:0DB8:C003:0001:0000:0000:0000:BEEF):
  /23  Registry       2001
  /32  ISP prefix     0DB8
  /48  Site prefix
  /64  Subnet prefix
  then the Interface ID

Represented as x:x:x:x:x:x:x:x, where x is a 16-bit hexadecimal field:
  2001:0DB8:C003:0001:0000:0000:0000:BEEF
  2001:DB8:C003:1:0:0:0:BEEF
  2001:DB8:C003:1::BEEF

0:0:0:0:0:0:0:1 --> ::1 (Loopback address)

[Figure: prefix aggregation. The IPv6 Internet carries 2001::/16; the ISP holds 2001:DB8::/32 and only announces the /32 prefix. Site 1 holds 2001:DB8:0001:/48 with subnets 2001:DB8:0001:0001:/64 and 2001:DB8:0001:0002:/64; Site 2 holds 2001:DB8:0002:/48 with subnets 2001:DB8:0002:0001:/64 and 2001:DB8:0002:0002:/64. Hierarchy: /23 Registry (2001), /32 ISP prefix (0410), /48 Site prefix, /64 Subnet prefix, Interface ID.]

Hex numbers are not case sensitive.

Abbreviations are possible:
- Leading zeros in a contiguous block can be represented by (::)
    2001:0db8:0000:130F:0000:0000:087C:140B
    2001:0db8:0:130F::87C:140B
- The double colon can only appear once in the address
- IPv6 uses CIDR representation: an IPv4 address looks like 98.10.0.0/16, and an IPv6 address is represented the same way, e.g. 2001:db8:12::/48
- Notation must be represented in 16-bit blocks irrespective of the mask, e.g. FE80::/10 or FF00::/8
- Only leading zeros are omitted; trailing zeros cannot be omitted
    2001:0db8:0012::/48 = 2001:db8:12::/48
    2001:db80:1200::/48 ≠ 2001:db8:12::/48
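The abbreviation rules above, implemented by hand so they can be checked mechanically. This is an added example, not code from the original slides; the function names are mine. It rejects the malformed forms a parser must catch (more than one "::", a "::" that stands for nothing), keeps a single zero group as "0" rather than "::", and compares two prefixes bit for bit, which is why 2001:db80:1200::/48 and 2001:db8:12::/48 come out different.

```python
"""Expand and compress IPv6 textual addresses (RFC 4291 / RFC 5952 rules)."""
import re

HEXTET = re.compile(r"^[0-9a-fA-F]{1,4}$")   # one 16-bit group, 1 to 4 hex digits


def expand(addr: str) -> str:
    """Return the full 8-group form, lowercase, e.g. 2001:0db8:c003:0001:...:beef."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once: %r" % addr)
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must replace at least one group: %r" % addr)
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(HEXTET.match(g) for g in groups):
        raise ValueError("not a valid IPv6 address: %r" % addr)
    return ":".join("%04x" % int(g, 16) for g in groups)


def compress(addr: str) -> str:
    """Canonical short form: leading zeros dropped, the longest run of two or
    more zero groups replaced by '::' (the first such run wins on a tie)."""
    groups = [int(g, 16) for g in expand(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexed = ["%x" % g for g in groups]
    if best_len < 2:                      # a lone zero group is written '0', never '::'
        return ":".join(hexed)
    head = ":".join(hexed[:best_start])
    tail = ":".join(hexed[best_start + best_len:])
    return head + "::" + tail


def is_valid(addr: str) -> bool:
    """True when the text is a well-formed IPv6 address."""
    try:
        expand(addr)
        return True
    except ValueError:
        return False


def same_prefix(a: str, b: str) -> bool:
    """Compare two 'prefix/len' strings over their prefix length, bit for bit,
    so trailing zeros that were silently dropped show up as a mismatch."""
    pa, la = a.split("/")
    pb, lb = b.split("/")
    if la != lb:
        return False
    bits = int(la)
    ia = int(expand(pa).replace(":", ""), 16) >> (128 - bits)
    ib = int(expand(pb).replace(":", ""), 16) >> (128 - bits)
    return ia == ib
```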


Loopback address representation
- 0:0:0:0:0:0:0:1 == ::1
- Same as 127.0.0.1 in IPv4; identifies self

Unspecified address representation
- 0:0:0:0:0:0:0:0 == ::
- Used as a placeholder when no address is available (initial DHCP request, Duplicate Address Detection, DAD)
- NOT the default route

Default route representation
- ::/0


Addresses are assigned to interfaces
- An IPv6 interface is expected to have multiple addresses and multiple scopes

Addresses have scope
- Link Local
- Unique Local
- Global

Addresses have lifetime
- Valid and preferred lifetime


Three types of unicast address scopes

- Link-Local: non-routable, exists on a single layer 2 domain (FE80::/64)
    FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
- Unique-Local: routable within an administrative domain (FC00::/7)
    FCgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
    FDgg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
- Global: routable across the Internet (2000::/3)
    2ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
    3ggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx

Multicast addresses (FF00::/8)
    FFzs:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
- Flags (z) in the 3rd nibble (4 bits), Scope (s) in the 4th nibble

Represented in Binary and Hex

Type                          Binary                    Hex
Global Unicast Address        001                       2 or 3
Link Local Unicast Address    1111 1110 10              FE80::/10
Unique Local Unicast Address  1111 1100 / 1111 1101     FC00::/7: FC00::/8 (registry), FD00::/8 (no registry)
Multicast Address             1111 1111                 FF00::/16
Solicited Node Multicast                                FF02::1:FF00/104


An interface can have many addresses allocated to it

Address Type              Requirement   Comment
Link Local                Required      Required on all interfaces
Unique Local              Optional      Valid only within an Administrative Domain
Global Unicast            Optional      Globally routed prefix
Auto-Config 6to4          Optional      Used for 2002:: 6to4 tunnelling
Solicited Node Multicast  Required      Neighbour Discovery and Duplicate Address Detection (DAD)
All Nodes Multicast       Required      For ICMPv6 messages


[Figure: address allocation hierarchy. Provider Assigned: IANA (2000::/3) -> Registries (/12) -> ISP (/32) -> Org (/48) -> Enterprise Level Four. Provider Independent: IANA (2000::/3) -> Registries (/12) -> Org (/48).]


Global unicast address format

  Provider                 Site           Host
  Global Routing Prefix    Subnet         Interface ID
  001 + n bits             64 - n bits    64 bits

- Addresses for generic use of IPv6
- Structured as a hierarchy to try and keep the aggregation


The Interface ID of a unicast address may be assigned in different ways
- The IEEE-defined 64-bit extended unique identifier (EUI-64): auto-configured from a 64-bit EUI-64 or expanded from a 48-bit MAC
- Auto-generated pseudo-random number (to address privacy concerns)
- Assigned via DHCP
- Manually configured

EUI-64 format to do stateless auto-configuration
- Expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle
- To ensure the chosen address is from a unique Ethernet MAC address, the universal/local (u) bit is set to 1 for global scope and 0 for local scope

  Global Routing Prefix | Subnet | Interface ID (64 bits)


Cisco uses the EUI-64 format to do stateless auto-configuration

- This format expands the 48-bit MAC address to 64 bits by inserting FFFE into the middle 16 bits
- To make sure that the chosen address is from a unique Ethernet MAC address, the universal/local (u) bit is set to 1 for global scope and 0 for local scope
- Cisco devices bit-flip the 7th bit (000000U0 in the first octet): U = 1 means unique, U = 0 not unique

  MAC Address:   00 90 27 17 FC 0F
  Insert FFFE:   00 90 27 FF FE 17 FC 0F
  Set U = 1:     02 90 27 FF FE 17 FC 0F


IPv6 uses Ethernet Protocol ID (0x86DD)
  Dest MAC | Source MAC | 0x86DD | IPv6 Header and Payload

IPv4 uses Ethernet Protocol ID (0x0800)
  Dest MAC | Source MAC | 0x0800 | IPv4 Header and Payload


Link-local address format

  10 bits        54 bits                  64 bits
  1111 1110 10   Remaining 54 bits = 0    Interface ID
  FE80::/10

- Mandatory for communication between two IPv6 devices
- Automatically assigned by the device using EUI-64
- Also used for next-hop calculation in routing protocols
- Only link-specific scope
- The remaining 54 bits could be zero or any manually configured value


Unique Local Address (ULA) format

  n bits                   16 bits   64 bits
  1111 110L + Global ID    Subnet    Interface ID
  FC00::/7

- ULAs are like RFC 1918: not routable on the Internet
- ULA uses include local communications and inter-site VPNs (Mergers and Acquisitions)
- FC00::/8 is Registry Assigned (L bit = 0), FD00::/8 is self generated (L bit = 1)
- Registries are not yet assigning ULA space; see http://www.sixxs.net/tools/grh/ula/

An IPv6 multicast address has the prefix FF00::/8 (1111 1111)

The second octet defines lifetime (flags) and scope:

  8 bits      4 bits    4 bits   112 bits
  1111 1111   0 R P T   Scope    Group ID (variable format)

Flags
  R = 0  No embedded RP                        R = 1  Embedded RP
  P = 0  Not based on unicast                  P = 1  Based on unicast
  T = 0  Permanent address (IANA assigned)     T = 1  Temporary address (locally assigned)

Scope
  1  Node
  2  Link
  3  Subnet
  4  Admin
  5  Site
  8  Organization
  E  Global


Every unicast prefix comes with 2^32 multicast group addresses

  8 bits      4 bits   4 bits   8 bits     8 bits   64 bits          32 bits
  1111 1111   0011     Scope    Reserved   Len      Unicast Prefix   Group ID

Example
  Flags:     P=1 (Unicast), T=1 (Temp), i.e. 0011 in binary
  Scope:     E (Global)
  Length:    64 bits (0x40)
  Prefix:    2001:db8:cafe:1::
  Group ID:  11ff:11ee

  ff3e:40:2001:db8:cafe:1:11ff:11ee
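A decoder for the multicast layout above (flags, scope, and for P = 1 the embedded prefix and group ID), together with the reverse construction for the slide's 2001:db8:cafe:1::/64 example. This is an added example, not code from the original slides; scope names follow the slide's table, and the 8-bit reserved field and 8-bit prefix length sit where the slide's layout places them, directly after the flags and scope nibbles.

```python
"""Decode IPv6 multicast addresses and build unicast-prefix-based ones."""
import ipaddress

SCOPES = {0x1: "Node", 0x2: "Link", 0x3: "Subnet", 0x4: "Admin",
          0x5: "Site", 0x8: "Organization", 0xE: "Global"}


def decode(addr: str) -> dict:
    """Split FFzs:... into R/P/T flags, scope and group; when P = 1 also
    recover the embedded unicast prefix and the 32-bit group ID."""
    ip = ipaddress.IPv6Address(addr)
    if not ip.is_multicast:
        raise ValueError("not an IPv6 multicast address: %s" % addr)
    p = ip.packed
    flags, scope = p[1] >> 4, p[1] & 0x0F        # second octet: 0 R P T | scope
    info = {
        "embedded_rp": bool(flags & 0x4),        # R
        "unicast_based": bool(flags & 0x2),      # P
        "temporary": bool(flags & 0x1),          # T = 1 locally assigned, 0 IANA assigned
        "scope": SCOPES.get(scope, "reserved/unassigned 0x%X" % scope),
    }
    if info["unicast_based"]:
        plen = p[3]                              # p[2] is the reserved octet
        prefix_int = int.from_bytes(p[4:12], "big") << 64    # 64-bit prefix field
        info["prefix"] = str(ipaddress.IPv6Network((prefix_int, plen), strict=False))
        info["group_id"] = int.from_bytes(p[12:16], "big")
    else:
        info["group_id"] = int.from_bytes(p[2:16], "big")   # plain 112-bit group ID
    return info


def build_prefix_based(prefix: str, scope: int, group_id: int) -> str:
    """ff3s:<plen>:<64-bit unicast prefix>:<32-bit group ID> for a /64 or shorter
    prefix, with flags 0011 (R = 0, P = 1, T = 1) as in the slide's example."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen > 64:
        raise ValueError("the unicast prefix field holds at most 64 bits, got /%d"
                         % net.prefixlen)
    if not 0 <= group_id < 2 ** 32:
        raise ValueError("group ID must fit in 32 bits")
    second = (0x3 << 4) | (scope & 0x0F)         # flags nibble then scope nibble
    raw = (bytes([0xFF, second, 0x00, net.prefixlen])
           + net.network_address.packed[:8] + group_id.to_bytes(4, "big"))
    return str(ipaddress.IPv6Address(raw))


if __name__ == "__main__":
    print(decode("ff3e:40:2001:db8:cafe:1:11ff:11ee"))
    print(build_prefix_based("2001:db8:cafe:1::/64", 0xE, 0x11ff11ee))
    print(decode("ff02::1"))                     # permanent, link scope, all nodes
```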


Address             Scope        Meaning
FF01::1             Node-Local   All Nodes
FF01::2             Node-Local   All Routers
FF02::1             Link-Local   All Nodes
FF02::2             Link-Local   All Routers
FF02::5             Link-Local   OSPFv3 Routers
FF02::6             Link-Local   OSPFv3 DR Routers
FF02::1:FFXX:XXXX   Link-Local   Solicited-Node

02 means that this is a permanent address (T = 0) with link scope (2).

http://www.iana.org/assignments/ipv6-multicast-addresses

For each unicast and anycast address configured there is a corresponding solicited-node multicast (Layer 3) address
- Used in Neighbor Solicitation (NS) messages
- Multicast address with a link-local scope

Solicited-node multicast consists of FF02::1:FF & {lower 24 bits of the IPv6 unicast interface ID}:

  Unicast address:         Routing Prefix (64 bits) | Interface ID (high-order 40 bits | low-order 24 bits)
  Solicited-node address:  FF02:0000:0000:0000:0000:0001:FF | Low 24


IPv6 multicast address to Ethernet mapping

  IPv6 multicast address:         FF02:0000:0000:0000:0000:0001:FF17:FC0F   (low-order 32 bits: FF17:FC0F)
  Corresponding Ethernet address: 33:33:FF:17:FC:0F                         (33:33 is the IPv6 Ethernet frame multicast prefix)

  33:33:{Low-order 32 bits of the IPv6 multicast address}


Worked example

  Link-Local:                FE80:0000:0000:0000:0200:0CFF:FE3A:8B18
                             (64-bit Network ID | 64-bit Interface ID; low-order 24 bits = 3A:8B18)
  Solicited Node Multicast:  FF02:0000:0000:0000:0000:0001:FF3A:8B18   (low-order 32 bits = FF3A:8B18)
  Ethernet Multicast:        33:33:FF:3A:8B:18


  R1#show ipv6 interface e0
  Ethernet0 is up, line protocol is up
    IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
    No global unicast address is configured
    Joined group address(es):
      FF02::1             (All Nodes)
      FF02::2             (All Routers)
      FF02::1:FF3A:8B18   (Solicited Node Multicast Address)
    MTU is 1500 bytes
    ICMP error messages limited to one every 100 milliseconds
    ICMP redirects are enabled
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds
    ND advertised reachable time is 0 milliseconds
    ND advertised retransmit interval is 0 milliseconds
    ND router advertisements are sent every 200 seconds
    ND router advertisements live for 1800 seconds
    Hosts use stateless autoconfig for addresses.
  R1#

Link-local address (FE80::) derived from the interface MAC.
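The derivation chain the slides walk through (MAC -> modified EUI-64 -> link-local -> solicited-node -> 33:33 Ethernet multicast), plus the inverse so an address seen in a log can be tied back to a MAC. This is an added example, not code from the original slides; the MACs it is checked against are the ones printed on the slides, and the function names are mine.

```python
"""Derive link-local, solicited-node and Ethernet multicast addresses from a MAC."""
import ipaddress
import re
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Accept 00:00:0c:3a:8b:18, 00-00-0C-3A-8B-18 or Cisco 0000.0c3a.8b18 notation."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("a MAC address has 48 bits: %r" % mac)
    return bytes.fromhex(digits)


def eui64_from_mac(mac: str) -> bytes:
    """Modified EUI-64 interface ID: OUI | FF FE | NIC, with the U/L bit
    (bit 7 of the first octet, 000000U0) flipped so a unique MAC yields U = 1."""
    m = parse_mac(mac)
    return bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]


def link_local_from_mac(mac: str) -> str:
    """FE80::/10 with the remaining 54 prefix bits zero, then the EUI-64 interface ID."""
    return str(ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64_from_mac(mac)))


def solicited_node(unicast: str) -> str:
    """FF02::1:FF00:0/104 followed by the low-order 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(unicast).packed[13:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low24))


def multicast_mac(group: str) -> str:
    """33:33 followed by the low-order 32 bits of any IPv6 multicast address."""
    ip = ipaddress.IPv6Address(group)
    if not ip.is_multicast:
        raise ValueError("not an IPv6 multicast address: %s" % group)
    return "33:33:" + ":".join("%02x" % b for b in ip.packed[12:])


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Inverse of eui64_from_mac, for asset correlation: returns the MAC when the
    interface ID carries the FF:FE marker, None otherwise (privacy, random or
    manually configured interface IDs cannot be mapped back)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)


def derive_all(mac: str) -> dict:
    """Everything a node on the link will use for this MAC, in one place."""
    ll = link_local_from_mac(mac)
    sn = solicited_node(ll)
    return {"link_local": ll, "solicited_node": sn,
            "solicited_node_mac": multicast_mac(sn),
            "all_nodes_mac": multicast_mac("ff02::1")}


if __name__ == "__main__":
    for mac in ("00:00:0c:3a:8b:18", "0007.505e.9460", "00-60-08-52-F9-D8"):
        print(mac, derive_all(mac))
```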


IPv4 Header vs IPv6 Header

IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding

IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address

Legend (from the figure):
- Field name kept from IPv4 to IPv6: Version, Source Address, Destination Address
- Fields not kept in IPv6: IHL, Identification, Flags, Fragment Offset, Header Checksum, Options, Padding
- Name and position changed in IPv6: Type of Service -> Traffic Class, Total Length -> Payload Length, Protocol -> Next Header, Time to Live -> Hop Limit
- New field in IPv6: Flow Label


Extension Headers Are Daisy Chained

  IPv6 header (Next Header = 6)                                                                                      -> TCP header + payload
  IPv6 header (Next Header = 43) -> Routing header (Next Header = 17)                                                -> UDP header + payload
  IPv6 header (Next Header = 43) -> Routing header (Next Header = 60) -> Destination Options (Next Header = 6)      -> TCP header + payload

Each header (V, Class, Flow, Len, Next Header, Hop, Source, Destination, then each extension header) points to the one that follows it through its Next Header field.


Extension headers must be in the following sequence

Order         Header                                Type Code
1             Basic IPv6 Header
2             Hop-by-Hop Options Header             0
3             Dest Options (with Routing options)   60
4             Routing Header                        43
5             Fragment Header                       44
6             Authentication Header                 51
7             ESP Header                            50
8             Destination Options                   60
9             Mobility Header                       135
Upper Layer   No Next Header                        59
Upper Layer   TCP                                   6
Upper Layer   UDP                                   17
Upper Layer   ICMPv6                                58
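A chain walker for the daisy-chained headers of the previous slide, checked against the order in this table: it follows each Next Header field, stops at an upper-layer protocol (or at ESP, whose Next Header is inside the encrypted trailer), refuses to read past the buffer, and reports any header that appears out of sequence, which is what a filter or IDS has to do before it can find the transport header. This is an added example, not code from the original slides; the packets are constructed inline rather than captured.

```python
"""Walk an IPv6 extension-header chain and check it against the recommended order."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY, NO_NEXT = 0, 43, 44, 50, 51, 60, 135, 59
TCP, UDP, ICMPV6 = 6, 17, 58
NAMES = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH",
         60: "Destination Options", 135: "Mobility", 59: "No Next Header",
         6: "TCP", 17: "UDP", 58: "ICMPv6"}
UPPER_LAYER = {TCP, UDP, ICMPV6, NO_NEXT}
# Row numbers from the table above. Destination Options is ranked in check_order:
# 3 when a Routing header follows it, 8 otherwise.
RANK = {HOP_BY_HOP: 2, ROUTING: 4, FRAGMENT: 5, AH: 6, ESP: 7, MOBILITY: 9}


def ext_header_length(code: int, data: bytes) -> int:
    """Octets occupied by the extension header that starts at data[0]."""
    if code == FRAGMENT:
        return 8                        # fixed size; its second octet is reserved
    if code == AH:
        return (data[1] + 2) * 4        # Payload Len is in 32-bit words minus 2
    return (data[1] + 1) * 8            # Hdr Ext Len in 8-octet units, excluding the first 8


def walk_chain(packet: bytes) -> list:
    """Return the Next Header codes in order, ending with the upper-layer code or ESP."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack("!H", packet[4:6])[0]
    end = min(40 + payload_len, len(packet))   # never trust Payload Length beyond the buffer
    code, offset, chain = packet[6], 40, []
    while code not in UPPER_LAYER and code != ESP:
        if code not in NAMES:
            raise ValueError("unknown Next Header %d at offset %d" % (code, offset))
        if offset + 2 > end:
            raise ValueError("%s header runs past the end of the packet" % NAMES[code])
        length = ext_header_length(code, packet[offset:])
        if offset + length > end:
            raise ValueError("%s header truncated" % NAMES[code])
        chain.append(code)
        code, offset = packet[offset], offset + length
    chain.append(code)
    return chain


def check_order(chain: list) -> list:
    """Return the violations of the recommended sequence (empty when compliant)."""
    problems = []
    last_rank, last_name = 1, "basic IPv6 header"
    for idx, code in enumerate(chain):
        if code in UPPER_LAYER:
            continue
        rank = (3 if ROUTING in chain[idx + 1:] else 8) if code == DEST_OPTS else RANK[code]
        if rank <= last_rank:           # same rank twice is a repeat, lower rank is out of order
            problems.append("%s must not follow %s" % (NAMES[code], last_name))
        last_rank, last_name = rank, NAMES[code]
    return problems


def is_well_formed(packet: bytes) -> bool:
    """True when the chain can be walked to its end and is in the recommended order."""
    try:
        return not check_order(walk_chain(packet))
    except ValueError:
        return False


# --- constructed sample packets (not captures) ---------------------------------
SRC = bytes.fromhex("20010db8000000000000000000000001")
DST = bytes.fromhex("20010db8000000000000000000000002")
TCP_HDR = bytes(20)      # placeholder TCP header; its contents play no part here


def ipv6_header(next_header: int, payload: bytes) -> bytes:
    """Version 6, Traffic Class 0, Flow Label 0, Payload Length, Next Header, Hop Limit 64."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + SRC + DST + payload


def ext_header(next_header: int, body: bytes) -> bytes:
    """Generic extension header: Next Header | Hdr Ext Len | body (8-octet multiple)."""
    if (len(body) + 2) % 8:
        raise ValueError("header must be a multiple of 8 octets")
    return bytes([next_header, (len(body) + 2) // 8 - 1]) + body


ROUTING_BODY = bytes([0, 0]) + bytes(4)    # routing type 0, segments left 0, reserved
PADN_BODY = bytes([1, 4]) + bytes(4)       # one PadN option filling an 8-octet header
# The previous slide's third chain: IPv6 (43) -> Routing (60) -> Destination Options (6) -> TCP
GOOD_PACKET = ipv6_header(ROUTING, ext_header(DEST_OPTS, ROUTING_BODY)
                          + ext_header(TCP, PADN_BODY) + TCP_HDR)
# Mis-ordered: Destination Options (60) -> Hop-by-Hop (0) -> TCP; Hop-by-Hop must come first
BAD_PACKET = ipv6_header(DEST_OPTS, ext_header(HOP_BY_HOP, PADN_BODY)
                         + ext_header(TCP, PADN_BODY) + TCP_HDR)
```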


Fragment Header (44)

  IPv6 basic header (Next Header = 44) -> Fragment Header -> Fragment Data

  Fragment Header fields: Next Header | Reserved | Fragment Offset | Res | M | Identification

- Fragmentation is left to end devices in IPv6; routers do not perform fragmentation
- The Fragment header is used when an end node has to send a packet larger than the path MTU

- 32-bit Identification field (similar to IPv4)
- Next Header is the original value of the next protocol, before fragmentation
- Fragment Offset (13 bits): represented in 8-octet units of the data following this header, relative to the start of the fragmentable part of the packet; the first fragment's offset will always be zero
- M = more fragments flag


Each link has an MTU, a maximum transmission unit
- Path MTU: the minimum MTU of all the links in a path between a source and a destination
- Minimum link MTU for IPv6 is 1280 octets; in comparison the IPv4 minimum MTU is 68 octets
- If link MTU < 1280 then fragmentation and reassembly must be used
- If IPv6 payload > 1280, fragmentation may need to be performed; PMTU Discovery is expected to be performed by IPv6 end hosts
- It should only apply if sending packets > 1280 bytes

PMTU Discovery
- For each destination, start by assuming the MTU of the first-hop link
- Exceeding the link MTU invokes an ICMP Packet Too Big back to the source
- The message includes the offending link MTU value
- The MTU is then cached by the source for that specific destination


[Figure: PMTU Discovery across a path Source - MTU 1500 - MTU 1500 - MTU 1400 - MTU 1300 - Destination.]

  Source sends packet, MTU=1500
  ICMPv6 Packet Too Big returned, Use MTU=1400
  Source sends packet, MTU=1400
  ICMPv6 Packet Too Big returned, Use MTU=1300
  Source sends packet, MTU=1300

- Store PMTU per destination (if received)
- Age out PMTU (10 mins), reset to first link MTU


Internet Control Message Protocol version 6

Combines several IPv4 functions: ICMPv4, IGMP and ARP

Message types are similar to ICMPv4:
- Destination unreachable (type 1)
- Packet too big (type 2)
- Time exceeded (type 3)
- Parameter problem (type 4)
- Echo request/reply (types 128 and 129)


ICMPv6 Header (58)

  IPv6 basic header (Next Header = 58) -> ICMPv6 Header -> ICMPv6 Data

  ICMPv6 Header fields: ICMPv6 Type | ICMPv6 Code | Checksum

- Also used for Neighbor Discovery, Path MTU Discovery and Multicast Listener Discovery (MLD)
- Type identifies the message or action needed
- Code is a type-specific sub-identifier
- Checksum computed over the entire ICMPv6

ND uses ICMPv6 messages
- Originated from a node on the link-local address with a hop limit of 255
- Receivers check that the hop limit is still 255 (the packet has not passed through a router)
- Consists of an IPv6 header, ICMPv6 header, neighbor discovery header, and neighbor discovery options

Five neighbor discovery messages

Message                      Purpose                                                                       ICMP Code   Sender    Target
Router Solicitation (RS)     Prompt routers to send RA                                                     133         Nodes     All routers
Router Advertisement (RA)    Advertise default router, prefixes, operational parameters                    134         Routers   Sender of RS, All routers
Neighbor Solicitation (NS)   Request link-layer address of target                                          135         Node      Solicited Node, Target Node
Neighbor Advertisement (NA)  Response to NS (solicited); advertise link-layer address change (unsolicited) 136         Nodes
Redirect                     Inform hosts of a better first hop                                            137         Routers

Neighbor Discovery
- Replaces ARP and ICMP (redirects, router discovery)
- Uses the ICMPv6 header
- Reachability of neighbours
- Hosts use it to discover routers and for auto-configuration of addresses (SLAAC)
- Duplicate Address Detection (DAD)


Function             IPv4                     IPv6
Address Assignment   DHCPv4                   DHCPv6, SLAAC, Reconfiguration
Address Resolution   ARP                      ICMPv6 NS, NA
                     RARP                     Not Used
Router Discovery     ICMP Router Discovery    ICMPv6 RS, RA
Name Resolution      DNS                      DNS


Router Solicitation (RS) and Router Advertisement (RA)

  Router Solicitation    ICMP Type 133   IPv6 Source: A Link Local (FE80::1)   IPv6 Destination: All Routers Multicast (FF02::2)   Query: Please send RA
  Router Advertisement   ICMP Type 134   IPv6 Source: A Link Local (FE80::2)   IPv6 Destination: All Nodes Multicast (FF02::1)     Data: Options, subnet prefix, lifetime, autoconfig flag

- Router Solicitations (RS) are sent by booting nodes to request RAs for configuring the interfaces
- Routers send periodic Router Advertisements (RA) to the all-nodes multicast address


Neighbor Solicitation (NS)
- Used to discover the link layer address of an IPv6 node

  NS Function                  Source     Destination
  Address resolution           Unicast    Solicited Node Multicast
  Node reachability            Unicast    Unicast
  Duplicate Address Detection  ::0        Solicited Node Multicast

Neighbor Advertisement (NA)
- Response to a Neighbor Solicitation (NS) message
- A node may also send unsolicited Neighbor Advertisements to announce a link-layer address change


NS/NA exchange between hosts A and B

  Neighbour Solicitation    ICMP Type 135   IPv6 Source: A Unicast   IPv6 Destination: B Solicited Node Multicast   Data: FE80:: address of A   Query: What is B's link layer address?
  Neighbour Advertisement   ICMP Type 136   IPv6 Source: B Unicast   IPv6 Destination: A Unicast                    Data: FE80:: address of B, MAC Address


Neighbor Solicitation packet (annotated capture)
- Ethernet destination: multicast MAC derived from the IPv6 Solicited Node address (at this point we do not know the actual MAC address)
- Ethernet source: MAC address of source
- L3 Source: IPv6 Link-Local address
- L3 Destination: Solicited Node Address of target
- Target: IPv6 address of the target that we are soliciting the MAC address for
- Option: MAC address of source


Neighbor Advertisement packet (annotated capture)
- IPv6 source address of the Neighbor Advertisement
- IPv6 destination is the source of the original Neighbor Solicitation
- Option: link layer address in response to the NS


Neighbors are only considered reachable for 30 seconds; STALE indicates that an ND packet must be sent again
- Entry STALE due to no contact for > 30 secs (Age 50 secs)
- After PING the entry is reachable again (Age 0 secs)


A neighbor is declared reachable if
- The connection is making forward progress: previously sent data is known to have been delivered correctly
- The source receives an NA in response to an NS
- If the neighbour status is unknown then send an NS
- Defined in RFC 4861 Section 7.3


Neighbor cache states

INCOMPLETE  Address resolution is in progress and the link-layer address of the neighbor has not yet been determined
REACHABLE   The neighbor is known to have been reachable recently (within tens of seconds ago)
STALE       The neighbor is no longer known to be reachable, but until traffic is sent to the neighbor no attempt should be made to verify its reachability
DELAY       Delay sending probes for a short while in order to give upper layer protocols a chance to provide reachability confirmation
PROBE       The neighbor is no longer known to be reachable, and unicast Neighbor Solicitation probes are being sent to verify reachability


Duplicate Address Detection: Neighbour Solicitation

  Neighbour Solicitation   ICMP Type: 135 (Neighbour Solicitation)   Ethernet DA: 33-33-FF-52-F9-D8
  IPv6 Header              IPv6 Source: ::   IPv6 Destination: FF02::1:FF52:F9D8   Hop Limit: 255
  NS Header                Target Address: FE80::260:8FF:FE52:F9D8

The destination address is the node's own solicited-node address (destination is itself).

  Host B: Tentative IP FE80::260:8FF:FE52:F9D8, MAC 00-60-08-52-F8-D8, sends the NS
  Host C: Actual IP FE80::260:8FF:FE52:F9D8, MAC 00-60-08-52-F9-D8


Duplicate Address Detection: Neighbour Advertisement

  Neighbour Solicitation       ICMP Type: 135 (Neighbour Solicitation)   Ethernet DA: 33-33-00-00-00-01 (All Nodes Multicast)
  IPv6 Header                  IPv6 Source: FE80::260:8FF:FE52:F9D8   IPv6 Destination: FF02::1   Hop Limit: 255
  NA Header                    Target Address: FE80::260:8FF:FE52:F9D8
  Neighbour Discovery Option   Target L2 Address: 00-60-08-52-F9-D8

  Host B: Tentative IP FE80::260:8FF:FE52:F9D8
  Host C: Actual IP FE80::260:8FF:FE52:F9D8, MAC 00-60-08-52-F9-D8, sends the NA

Redirect is used by a router to inform hosts of a better first hop

[Figure: Host A sends an IPv6 payload via Router R2 (1); R2 forwards it towards Router R1 and sends Host A a Redirect (2) naming R1 as the first hop for 2001:db8:c18:2::/64.]

  IPv6 Payload (1)   Ethernet DA / SA: Router R2 / Host A   IPv6 Dest / Source: 2001:db8:c18:2:: / Host A
  Redirect (2)       Ethernet DA / SA: Host A / Router R2   ICMP Type: 137 (Neighbour Solicitation)
  IPv6 Header        IPv6 Dest / Source: Host A / Router R2   Hop Limit: 255
  Redirect Data      Target Address: Router R1   Redirected Prefix: 2001:db8:c18:2::/64


Autoconfiguration is used to automatically assign an address to a host (plug and play):
- Generating a link-local address
- Generating global addresses via stateless address autoconfiguration
- Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link

[Figure: Host A (MAC 00:2c:04:00:fe:56) sends an RS (1); Router R1 answers with an RA for 2001:db8:face::/64 (2); Host A runs DAD (3).]

  Router Advertisement (RA)   Ethernet DA/SA: Router R2 / Host A   Prefix Information: 2001:db8:face::/64   Default Router: Router R1

Host autoconfigured address = Prefix Received + Link-Layer Address (if the DAD check passes): 2001:db8:face::22c:4ff:fe00:fe56


Prefixes can be given a lifetime in RA messages, allowing a seamless transition when renumbering to a new prefix

[Figure: Host A, currently 2001:db8:face::22c:4ff:fe00:fe56, receives an RA from R1 (1) advertising both 2001:db8:face::/64 and 2001:db8:beef::/64, then performs DAD for the new prefix (2).]

  Router Advertisement (RA)   Ethernet DA/SA: Router R2 / Host A   Prefixes: 2001:db8:face::/64, Lifetime 30 seconds; 2001:db8:beef::/64, Lifetime 30 seconds

  Current Prefix: 2001:db8:face::22c:4ff:fe00:fe56
  New Prefix:     2001:db8:beef::22c:4ff:fe00:fe56


Valid Lifetime for advertised prefixes (default 30 days); Preferred lifetime for addresses generated from SLAAC (default 7 days)

  interface Ethernet0
   ! Original advertised prefix - new hosts will not use SLAAC with this prefix
   ipv6 nd prefix 2001:db8:face::/64 43200 0
   ! New advertised prefix - new hosts will use SLAAC with this prefix
   ipv6 nd prefix 2001:db8:beef::/64 43200 43200
  !
  ! Alternative configuration
  !
  interface Ethernet0
   ! Time based configuration
   ipv6 nd prefix 2001:db8:face::/64 at Jul 31 2008 23:59 Jul 20 2008 23:59
   ipv6 nd prefix 2001:db8:beef::/64 43200 43200


  r1#show ipv6 interface fast0/0
  FastEthernet0/0 is up, line protocol is up
    IPv6 is enabled, link-local address is FE80::207:50FF:FE5E:9460   <- EUI-64 derived from MAC address 0007.505e.9460
    Global unicast address(es):
      None
    Joined group address(es):
      FF02::1             <- listening for all hosts multicast
      FF02::2             <- listening for all routers multicast
      FF02::1:FF5E:9460   <- Solicited Node multicast for the link-local address
    MTU is 1500 bytes
    ICMP error messages limited to one every 100 milliseconds
    ICMP redirects are enabled
    ND DAD is enabled, number of DAD attempts: 1
    ND reachable time is 30000 milliseconds
    ND advertised reachable time is 0 milliseconds
    ND advertised retransmit interval is 0 milliseconds
    ND router advertisements are sent every 30 seconds
    ND router advertisements live for 1800 seconds
    Hosts use stateless autoconfig for addresses.
  r1#show interface fast0/0
  FastEthernet0/0 is up, line protocol is up
    Hardware is AmdFE, address is 0007.505e.9460 (bia 0007.505e.9460)   <- MAC address 0007.505e.9460


IPv6 Host Address Assignment Methods

- Manual Assignment: statically configured by a human operator
- Stateless Address Autoconfiguration (SLAAC, RFC 4862): allows auto-assignment of an address through Router Advertisements
- Stateful DHCPv6 (RFC 3315): allows DHCPv6 to allocate an IPv6 address plus other configuration parameters (DNS, NTP etc.)
- DHCPv6-PD (RFC 3633): allows DHCPv6 to allocate entire subnets to a router/CPE device for further allocation
- Stateless DHCPv6 (RFC 3736): combination of SLAAC for host address allocation and DHCPv6 for additional parameters such as DNS servers and NTP

IPv6 Integration V4.0

2008 Cisco Systems, Inc. All rights reserved.

Cisco Public

74

DHCPv6

Updated version of DHCP for IPv4 to support the new addressing
Can be used for renumbering
DHCP process is the same as in IPv4, but:
  Client first detects the presence of routers on the link
  If found, it then examines router advertisements (RA) to determine if DHCPv6 can be used
  If no router is found, or if DHCPv6 can be used, then a DHCPv6 Solicit message is sent to the All-DHCP-Agents multicast address using the link-local address as source

Multicast addresses used
  FF02::1:2 = All DHCP Agents (servers or relays, link-local scope)
  FF05::1:3 = All DHCP Servers (site-local scope)

DHCP Messages: clients listen on UDP port 546; servers and relay agents listen on UDP port 547


DHCP Messages: Initial Message Exchange

                       Message Types
                       Client -> Server (1)   Server -> Client (2)   Client -> Server (3)   Server -> Client (4)
IPv4 4-way handshake   DISCOVER               OFFER                  REQUEST                ACK
(Broadcast, Unicast)
IPv6 4-way handshake   SOLICIT                ADVERTISE              REQUEST                REPLY
(Multicast, Unicast)


RA messages contain flags that indicate the address allocation combination (A, M and O bits): use SLAAC only, use stateful DHCPv6, or use SLAAC plus DHCPv6 for other options

Stateful DHCPv6 example (Router 1 acting as DHCPv6 Relay, DHCP Server behind it, prefix 2001:db8:face::/64):
  1. Router 1 sends an RA
  2. Host sends a DHCP Solicit to FF02::1:2 (All DHCP Relays)
  3. DHCP Server replies with 2001:db8:face::1/64, DNS1, DNS2, NTP

Router Advertisement (RA) flags in this case:
  A bit (Address config flag): set to 0 - do not use SLAAC for host config
  M bit (Managed address configuration flag): set to 1 - use DHCPv6 for the host IPv6 address
  O bit (Other configuration flag): set to 1 - use DHCPv6 for additional info (DNS, NTP)


Stateless DHCPv6 example (Router 1 acting as DHCPv6 Relay, DHCP Server behind it, prefix 2001:db8:face::/64):
  1. Router 1 sends an RA
  2. Host forms its address 2001:db8:face::22c:4ff:fe00:fe56 via SLAAC (A bit set)
  3. Host sends a DHCP Solicit to FF02::1:2 for options only
  4. DHCP Server replies with DNS1, DNS2, NTP

Router Advertisement (RA) flags in this case:
  A bit (Address config flag): set to 1 - use SLAAC for host address config; on-link prefix 2001:db8:face::/64
  M bit (Managed address configuration flag): set to 0 - do not use DHCPv6 for the IPv6 address
  O bit (Other configuration flag): set to 1 - use DHCPv6 for additional info (DNS, NTP)


Config options on Router interface

A bit (default) - just use SLAAC
  int e0/0
   ipv6 address 2001:db8:1000::1/64
  Host gets address and other SLAAC options. Nothing else

M bit & O bit (Stateful DHCP)
  int e0/0
   ipv6 address 2001:db8:1000::1/64
   ipv6 nd managed-config-flag
   ipv6 nd other-config-flag
   ipv6 dhcp relay destination 2001:db8::10
  Host gets full stateful config from DHCP server (2001:db8::10)

A bit & O bit (Stateless DHCP)
  int e0/0
   ipv6 address 2001:db8:1000::1/64
   ipv6 nd other-config-flag
   ipv6 dhcp relay destination 2001:db8::10
  Host gets address from SLAAC and other config from DHCP server (2001:db8::10)
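As an added example (not part of the Cisco deck), the following Python decodes the M and O bits of a Router Advertisement and the A bit of its Prefix Information option, then maps them to the host behaviour the three interface configurations above produce. The RA bytes are constructed inline by build_ra (a helper assumed for this example, not a capture); the prefix 2001:db8:1000::/64 and the lifetime defaults (30 days valid, 7 days preferred) are taken from the slides.

```python
# Added example: decode RA A/M/O bits into the host's address assignment method.
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement
OPT_PREFIX_INFO = 3      # ND option carrying the prefix and its A bit (RFC 4861 4.6.2)


def parse_ra(icmp6: bytes) -> dict:
    """Walk an ICMPv6 RA (16-byte header + TLV options) and collect A/M/O."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT or icmp6[1] != 0:
        raise ValueError("not a Router Advertisement")
    info = {"M": bool(icmp6[5] & 0x80), "O": bool(icmp6[5] & 0x40),
            "A": False, "prefixes": []}
    off = 16
    while off + 2 <= len(icmp6):
        opt_type, opt_len = icmp6[off], icmp6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmp6):
            raise ValueError("malformed ND option")  # RFC 4861: discard the RA
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags, valid, pref = struct.unpack_from("!BBII", icmp6, off + 2)
            prefix = ipaddress.IPv6Address(icmp6[off + 16:off + 32])
            a_bit = bool(pflags & 0x40)
            info["A"] |= a_bit and plen == 64   # SLAAC needs a 64-bit interface ID
            info["prefixes"].append((f"{prefix}/{plen}", a_bit, valid, pref))
        off += opt_len
    return info


def host_method(info: dict) -> str:
    """Host behaviour for the bit combinations shown on the slides above."""
    parts = []
    if info["A"]:
        parts.append("SLAAC address")
    if info["M"]:
        parts.append("DHCPv6 address (stateful)")
    elif info["O"]:
        parts.append("DHCPv6 options only (stateless)")
    return " + ".join(parts) or "no autoconfiguration"


def build_ra(prefix: str, a_bit: bool, m_bit: bool, o_bit: bool,
             valid: int = 2592000, preferred: int = 604800) -> bytes:
    """Constructed RA with one Prefix Information option (checksum left 0)."""
    flags = (0x80 if m_bit else 0) | (0x40 if o_bit else 0)
    hdr = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    pflags = 0x80 | (0x40 if a_bit else 0)   # L bit (on-link) always set here
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, pflags, valid, preferred, 0)
    return hdr + pio + ipaddress.IPv6Network(prefix).network_address.packed
```

Feeding build_ra("2001:db8:1000::/64", a, m, o) the three combinations from the slide, host_method(parse_ra(...)) returns "SLAAC address" for A only, "DHCPv6 address (stateful)" for M and O, and "SLAAC address + DHCPv6 options only (stateless)" for A and O.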


Default subnets in IPv6 have 2^64 addresses: at 10 Mpps a sweep takes more than 58,000 years, and NMAP doesn't even support ping sweeps on IPv6 networks
  18,446,744,073,709,551,616 addresses / 10,000,000 pps = 1,844,674,407,370 seconds = 21,350,398 days = 58,494 years
Reconnaissance attacks will NOT go away in an IPv6 environment; rather, the tactics will be modified
  Passive techniques such as DNS name server resolution, to identify victim networks for more targeted exploitation
Neighbour discovery-based attacks will also replace their IPv4 counterparts such as ARP spoofing


Potential router CPU attacks if aggressive scanning
  Router will do Neighbor Discovery... and waste CPU and memory
  Built-in rate limiter but no option to tune it
Using a /64 on point-to-point links => a lot of addresses to scan!
  Using /127 could help (RFC 6164)
Using an infrastructure ACL prevents this scanning
  iACL: edge ACL denying packets addressed to your routers


Viruses and email, IM worms: IPv6 brings no change
Other worms:
  IPv4: reliance on network scanning
  IPv6: not so easy (see reconnaissance) => will use alternative techniques
Worm developers will adapt to IPv6
IPv4 best practices around worm detection and mitigation remain valid


Routing Header (43)
An extension header, processed by the listed intermediate routers
Two types:
  Type 0: similar to IPv4 source routing (multiple intermediate routers)
  Type 2: used for mobile IPv6

IPv6 basic header (Next Header = 43) followed by the Routing Header:
  Next Header | Ext Hdr Length | RH Type | Segments Left
  Routing Header Data


What if an attacker sends a packet with an RH containing A -> B -> A -> B -> A -> B -> A -> B -> A ....?
The packet will loop multiple times on the link A-B, till the Hop Limit is exhausted
An amplification attack!


Apply the same policy for IPv6 as for IPv4: block Routing Header type 0
Prevent processing at the intermediate nodes
  no ipv6 source-route (in IOS only)
  Windows, Linux, Mac OS: default setting
At the edge
  With an ACL blocking the routing header, specifically type 0
RFC 5095 (Dec 2007): RH0 is deprecated
  Default IOS changed in 12.4(15)T to ignore and drop RH0
  No need to configure no ipv6 source-route
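As an added example (not part of the Cisco deck), the following Python walks the IPv6 extension-header chain of a raw packet and reports every Routing Header, so an edge filter can drop type 0 as recommended above. The A/B addresses (2001:db8::a, 2001:db8::b) and build_rh_packet, which constructs the ping-pong packet from the previous slide, are assumptions of this example, not captured traffic.

```python
# Added example: detect Routing Header type 0 (RH0) in an IPv6 packet.
import ipaddress
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS, NO_NEXT_HEADER = 0, 43, 44, 60, 59
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}


def find_routing_headers(pkt: bytes) -> list:
    """Return (rh_type, segments_left, addresses) for every Routing Header (43)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, found = pkt[6], 40, []
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header chain")
        # Fragment header is fixed at 8 bytes; the others carry Hdr Ext Len,
        # counted in 8-byte units and excluding the first 8 bytes
        hdr_len = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header chain")
        if nxt == ROUTING:
            rh_type, seg_left = pkt[off + 2], pkt[off + 3]
            addrs = []
            if rh_type == 0:   # RH0: 8 fixed bytes (4 reserved), then 16-byte hops
                body = pkt[off + 8:off + hdr_len]
                addrs = [ipaddress.IPv6Address(body[i:i + 16]) for i in range(0, len(body), 16)]
            found.append((rh_type, seg_left, addrs))
        nxt, off = pkt[off], off + hdr_len
    return found


def should_drop(pkt: bytes) -> bool:
    """Edge policy from the slide: block Routing Header type 0 (deprecated by RFC 5095)."""
    return any(rh_type == 0 for rh_type, _, _ in find_routing_headers(pkt))


def build_rh_packet(src: str, dst: str, hops: list, seg_left: int, rh_type: int = 0) -> bytes:
    """Constructed test packet: IPv6 header, one Routing Header, no payload."""
    addrs = b"".join(ipaddress.IPv6Address(h).packed for h in hops)
    rh = struct.pack("!BBBBI", NO_NEXT_HEADER, 2 * len(hops), rh_type, seg_left, 0) + addrs
    ip6 = struct.pack("!IHBB", 6 << 28, len(rh), ROUTING, 64)
    return ip6 + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + rh


if __name__ == "__main__":
    a, b = "2001:db8::a", "2001:db8::b"   # constructed ends of the A-B link
    bounce = build_rh_packet(a, "2001:db8::1", [a, b] * 4, seg_left=8)
    print(find_routing_headers(bounce), should_drop(bounce))   # ..., True
```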


Router Solicitations are sent by booting nodes to request Router Advertisements for stateless address auto-configuring
RA/RS without any authentication gives exactly the same level of security as ARP for IPv4 (none)
Attack tool: fake_router6 can make any IPv6 address the default router

(Diagram: an RS from the host, followed by two RAs)

Router Solicitation    ICMP Type 133   IPv6 Source: A Link Local (FE80::1)   IPv6 Destination: All Routers Multicast (FF02::2)   Query: Please send RA
Router Advertisement   ICMP Type 134   IPv6 Source: A Link Local (FE80::2)   IPv6 Destination: All Nodes Multicast (FF02::1)     Data: Options, subnet prefix, lifetime, autoconfig flag


No security mechanisms are built into the Discovery Protocol, therefore very similar to ARP
Attack tool: Parasite6 answers all NS, claiming to be all systems in the LAN...

(Diagram: A sends an NS, two NAs come back)

Neighbour Solicitation    ICMP Type 135   IPv6 Source: A Unicast   IPv6 Destination: B Solicited Node Multicast   Data: FE80:: address of A   Query: What is B's link layer address?
Neighbour Advertisement   ICMP Type 136   IPv6 Source: B Unicast   IPv6 Destination: A Unicast                    Data: FE80:: address of B


Certification paths: anchored on trusted parties, expected to certify the authority of the routers on some prefixes
Cryptographically Generated Addresses (CGA): IPv6 addresses whose interface identifier is cryptographically generated
RSA signature option: protects all messages relating to neighbor and router discovery
Timestamp and nonce options: prevent replay attacks


Private/public key pair on all devices for CGA
Overhead introduced
  Routers have to do many public/private key calculations (some may be done in advance of use) => potential DoS target
  Routers need to keep more state
Available: Linux
Microsoft: no support in Vista, probably in Windows 2008
Future implementation: Cisco IOS


IPv6 stacks are new and could be buggy
IPv6 enabled applications can have bugs
Some examples:
  Linux DoS caused by memory leaks in IPv6 tunnels (May 2008)
  Apple Mac OS X IPv6 Packet Processing Double-Free Memory Corruption (November 2007)
  Cisco Security Advisory: IPv6 Routing Header (May 2007)
  OpenBSD remote code execution in IPv6 stack (March 07)
  Python getaddrinfo() remote IPv6 buffer overflow
  Apache remote IPv6 buffer overflow
  ...


Significant changes: ICMP is more relied upon in IPv6

ICMP Message Type                    ICMPv4   ICMPv6
Connectivity Checks                    X        X
Informational/Error Messaging          X        X
Fragmentation Needed Notification      X        X
Address Assignment                              X
Address Resolution                              X
Router Discovery                                X
Multicast Group Management                      X
Mobile IPv6 Support                             X

ICMP policy on firewalls needs to change to support IPv6


BGP, IS-IS, EIGRP: no change, an MD5 authentication of the routing update
OSPFv3 has changed and pulled MD5 authentication from the protocol; instead it is supposed to rely on transport mode IPsec
RIPng, PIM also rely on IPsec
IPv6 routing attack best practices
  Use traditional authentication mechanisms on BGP and IS-IS
  Use IPsec to secure protocols such as OSPFv3 and RIPng


IPv6 mandates the implementation of IPsec; IPv6 does not require the use of IPsec
Some organisations believe that IPsec should be used to secure all flows...
  Interesting scalability issue (n^2 issue with IPsec)
  Need to trust endpoints and end-users because the network cannot secure the traffic: no IPS, no ACL, and no firewall policy points can be used
  Network telemetry is blinded: NetFlow is of little use
  Network services hindered: what about QoS?

Recommendation: Do not use IPsec end to end within an administrative domain.
Suggestion: Reserve IPsec for residential or hostile environments or high profile targets.

Let the Games Begin

Sniffers/packet capture
  Snort, TCPdump, Sun Solaris snoop, COLD, Ethereal, Analyzer, Windump, WinPcap, NetPeek, Sniffer Pro

Scanners
  IPv6 security scanner, Halfscan6, Nmap, Strobe, Netcat

DoS Tools
  6tunneldos, 4to6ddos, Imps6-tools

Packet forgers
  Scapy6, SendIP, Packit, Spak6

Worms
  Slapper

Advisories/field notices
  http://www.cisco.com/warp/public/707/cisco-sa-20050126ipv6.shtml
  http://www.kb.cert.org/vuls/id/658859

Complete tool
  http://www.thc.org/thc-ipv6/

Enabling IPv6 traffic inside the VPN Client tunnel
  Use the VPN connection
  Can transfer IPv6 traffic over public IPv4


IPv4 and IPv6 Transport in SSL

(Diagram: IPv6 PC running AnyConnect -> IPv4 -> ASA 8.0 SSL VPN Concentrator (Dual Stack) -> IPv6 Network)

Train your network operators and security managers on IPv6
Selectively filter ICMP (RFC 4890)
Block Type 0 Routing Header at the edge
Copy the IPv4 Best Common Practices
If the management plane is only IPv4, block IPv6 to the core devices (else infrastructure ACL for IPv6)
Determine what extension headers will be allowed through the access control device
Use traditional authentication mechanisms on BGP and IS-IS
Use IPsec to secure protocols such as OSPFv3 and RIPng
Document procedures for last-hop traceback


Questions ?
