Details of stateless autoconfiguration
  address space is split into two 64-bit halves
    upper 64 bits specify a particular network segment
    lower 64 bits identify individual nodes within one segment
  lower 64 bits are generated from the 48-bit MAC address with 'fffe' inserted in the middle
  potential problem: privacy
DNS and IPv6
  forward resolution (hostname -> address)
    IPv4 uses 'IN A' record
    IPv6 uses 'IN AAAA' record
    a particular hostname can have both A and AAAA records
  reverse resolution
    uses the .ip6.arpa. suffix
    uses hexadecimal instead of decimal notation:
      4.4.0.0.0.0.0.0.0.8.7.0.1.0.0.2.ip6.arpa.
  portable applications under *BSD/Linux do round-robin between all records, with a preference for IPv6 on the first try.
BSD Sockets API and IPv6
  struct in_addr has become struct in6_addr
  new APIs like getaddrinfo() (instead of gethostbyname()) support _both_ IPv4 and IPv6
  apart from that, everything is the same.
configuration under Linux
  router/gateway
    runs radvd or zebra to send router advertisements
  client
    just has to load the 'ipv6' module and bring an interface up
    receives prefix advertisement(s) and auto-configures its address accordingly
IPv6 specific security issues
  packet filter has to explicitly allow neighbour discovery, since it is carried inside IPv6 as ICMPv6
  special attention to option headers
    most sites won't want routing or hop-by-hop options
  neighbour cache DoS:
    compare with existing neighbour cache issues in large (/16) networks
    in IPv6, the standard is /64 for every segment (!)
  one advantage: port scanning of whole networks is way more difficult :)