path: root/2005/ipv6-astaro2005/ipv6-astaro2005.mgp
%include "default.mgp"
%default 1 bgrad
%deffont "typewriter" tfont "MONOTYPE.TTF"
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
%nodefault
%back "blue"

%center
%size 8



IPv6 Introduction


%center
%size 4
by

Harald Welte <laforge@rfc2460.org>

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
What? Why?

	What is IPv6?

		Successor of the currently used IP Version 4
		First specified 1995 in RFC 1883; current base specification is RFC 2460 (1998)

	Why?

		Address space in IPv4 too small
		Routing tables too large

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
Advantages

	Advantages
		stateless autoconfiguration
		multicast obligatory
		IPsec obligatory
		Mobile IP

		Address renumbering
		Multihoming
		Multiple address scopes
		smaller routing tables through aggregatable allocation

		simplified l3 header
			64bit aligned
			no header checksum (integrity left to L2 and L4; the UDP checksum is mandatory in IPv6)
			no fragmentation by routers (sender fragments after path MTU discovery)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
Disadvantages

	Disadvantages
		Not widely deployed yet
		In most cases access only possible using manual tunnel
		OS support not ideal in most cases
			W2k: IPv6 available from MS
			Windows XP: IPv6 included
			Linux has support, but not 100% RFC compliant
			*BSD: full support (KAME)
			Solaris 8/9/10: full support
		Application support not ideal in most cases
			Biggest problem: squid
			supported: bind8/9, apache, openssh, xinetd, rsync, exim, zmailer, sendmail, qmail, inn-2.4(CVS), zebra, mozilla
		Conclusion: Circular dependencies
			no application support without OS support
			no good OS support without applications
			no applications without wide deployment
			no wide deployment without applications

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
Deployment

	Experimental (6bone)
		Experimental 6bone (3ffe::/16) has been active since 1996.
		Uses a slightly different addressing architecture (RFC2471)
		No new pTLA assignments since 1 January 2004 (RFC3701)
		Phase-out scheduled for 06/06/2006 (RFC3701)

	Production (2001::)
		Initial TLA's and sub-TLA's assigned in Sept 2000
		Mostly used in education+research
		Some commercial ISP's in .de are offering production prefixes

	Why isn't IPv6 widely used yet?
		No immediate need in Europe / North America
		Big deployment cost at ISP's (Training, Routers, ..)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
Technical: Address Space

	IP Version 6 Addressing Architecture (RFC2373, revised by RFC3513)
		Format prefix, variable length
			001: RFC2374 addresses, 1/8 of address space
			0000 001: Reserved for NSAP (1/128)
			0000 010: Reserved for IPX (1/128)
			1111 1110 10: link-local unicast addresses (1/1024)
			1111 1110 11: site-local unicast addresses (1/1024), deprecated by RFC3879 (2004)
			1111 1111 flgs scop: multicast addresses
				flgs (0: well-known / permanently assigned, 1: transient)
				scop (0: reserved, 1: node-local, 2: link-local, 5: site-local, 8: organization-local, e: global scope, f: reserved)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
Technical: Address Space

		Aggregatable Global Unicast Address Format (RFC2374, since obsoleted by RFC3587, which drops the TLA/NLA structure)
			3bit FP (format prefix = 001)
			13bit TLA ID - Top-Level Aggregation ID
			13bit Sub-TLA - Sub-TLA Aggregation ID
			19bit NLA - Next-Level Aggregation ID
			16bit SLA - Site-Level Aggregation ID
			64bit Interface ID - modified EUI-64, derived from the 48bit ethernet MAC
		Initial subTLA-Assignments
			2001:0000::/29 - 2001:01f8::/29 IANA
			2001:0200::/29 - 2001:03f8::/29 APNIC
			2001:0400::/29 - 2001:05f8::/29 ARIN
			2001:0600::/29 - 2001:07f8::/29 RIPE
		loopback ::1
		unspecified: :: (all zeros)
		embedded IPv4
			IPv4-compatible IPv6 address (automatic tunnelling): ::a.b.c.d
			IPv4-mapped IPv6 address (represents an IPv4-only node): ::ffff:a.b.c.d
		anycast
			allocated from unicast addresses
			only subnet-router anycast address predefined (prefix::0000)


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
Technical: Header

%font "typewriter"
%size 3
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |Version| Traffic Class |           Flow Label                  |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |         Payload Length        |  Next Header  |   Hop Limit   |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   +                         Source Address                        +
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   +                      Destination Address                      +
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
%font "standard"
		4bit Version: 6
		8bit Traffic Class
		20bit Flow Label
		16bit Payload Length (incl. extension hdrs)
		8bit Next Header (same values as the IPv4 protocol numbers, RFC1700 et seq.)
		8bit Hop Limit (replaces TTL)
		128bit source address
		128bit dest address
		extension headers:
			hop-by-hop options
			routing
			fragment
			destination options
			IPsec (AH/ESP)

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
Technical: Layer 2 <-> Address mapping


	Ethernet: No more ARP, everything within ICMPv6
	No Broadcast, everything built using multicast.

	all-nodes multicast address ff02::1
	all-routers multicast address ff02::2


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
Technical: Address Configuration


	router discovery
		routers periodically send router advertisements
		hosts can send router solicitation to explicitly request RADV

	prefix discovery
		router includes prefix(es) in ICMPv6 router advertisements
		other nodes receive prefix advertisements and derive their final address from prefix + EUI64 of MAC address

	neighbour discovery
		nodes can discover their neighbours (address resolution, replaces ARP) even when no router is advertising


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
How to get connected

	In case of static IPv4 address
		SIT (ipv6-in-ipv4) tunnel possible
		http://www.join.uni-muenster.de/

	In case of dynamic IPv4 address
		ppp (ipv6 over ppp) tunnel (pptp, l2tp) possible
		sitctrl (linux <-> linux)
		atncp (*NIX), http://www.dhis.org/atncp/

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
Stateless Autoconfiguration


	Address space is split in two 64bit halves
		Upper 64bit '2001:780:44:1100:' specify the network segment (/64)
		Lower 64bit '204:61ff:fe5c:74b9' specify the node within the segment
		Lower 64bit are generated from the 48bit MAC address by inserting 'fffe' in the middle and inverting the universal/local bit (00:04:61:5c:74:b9 -> 0204:61ff:fe5c:74b9)
	Potential Problem: Privacy (the interface ID identifies the hardware across all networks it visits)
	IETF Solution: RFC3041 "Privacy Extensions"
		uses additional 'alias' IPv6 addresses that are created randomly and are only valid for hours/days

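The address-formation steps from the "Layer 2 <-> Address mapping", "Address Configuration" and "Stateless Autoconfiguration" slides, carried through in code as an added example (not from the original slides): modified EUI-64 from a MAC, the autoconfigured address for an advertised /64, the solicited-node multicast group and 33:33 Ethernet destination that neighbour discovery uses where IPv4 used ARP and broadcast, and a random RFC 3041 style interface ID. The MAC 00:04:61:5c:74:b9 is chosen because it reproduces the slide's interface ID 204:61ff:fe5c:74b9; the solicited-node group and the 33:33 mapping are standard ND/RFC 2464 behaviour that the slides do not spell out.

```python
"""Stateless autoconfiguration and ND multicast arithmetic.
Added example, not part of the original presentation."""
import ipaddress
import secrets


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit modified EUI-64 (RFC 2373 appendix A):
    insert ff:fe between OUI and NIC part, invert the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("need a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02               # U/L bit: a globally unique MAC yields a 'universal' IID
    return bytes(iid)


def autoconf_address(prefix, mac):
    """Combine an advertised /64 prefix with the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX (low 24 bits of the address): the group a node joins
    so that neighbour solicitations reach it by multicast, not broadcast."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def ethernet_multicast_mac(addr):
    """IPv6 multicast group -> Ethernet destination 33:33 + low 32 bits (RFC 2464)."""
    low32 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def random_interface_id():
    """RFC 3041 temporary interface ID: 64 random bits with the universal/local
    bit cleared, so it can never collide with a hardware-derived EUI-64."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)
```

Because the EUI-64 step is deterministic, anyone who sees the slide's address on any network learns the host's MAC address and can recognise the same laptop elsewhere; random_interface_id() is the mitigation the RFC 3041 bullet refers to.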

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
DNS and IPv6

	Forward resolution (hostname->address)
		IPv4 uses "IN A" record
		IPv6 uses "IN AAAA" record
		A particular hostname can have both A and AAAA

	Reverse resolution (address->hostname)
		Uses ".ip6.arpa." suffix
		Uses hexadecimal instead of decimal notation, one label per nibble, least significant first
			2001:780:0:44::/64 -> 4.4.0.0.0.0.0.0.0.8.7.0.1.0.0.2.ip6.arpa.
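The reverse mapping above, implemented both ways as an added example (not from the original slides): owner name of a PTR record, the zone that delegates a prefix (which only works on nibble boundaries, so a /48 and a /64 have zones but a /50 does not), and recovery of an address from a full ip6.arpa name, which is what a log-analysis tool needs when it meets these names.

```python
"""ip6.arpa name construction and parsing.
Added example, not part of the original presentation."""
import ipaddress


def ptr_name(addr):
    """Full 32-label owner name of the PTR record for one address."""
    nibbles = ipaddress.IPv6Address(addr).exploded.replace(":", "")   # 32 zero-padded hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone(prefix):
    """Zone name that delegates a prefix; the length must be a multiple of 4."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegations fall on nibble boundaries")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def address_from_ptr(name):
    """Inverse mapping: recover the address from a 32-label ip6.arpa name."""
    labels = name.rstrip(".").split(".")
    if len(labels) != 34 or labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not a full ip6.arpa name")
    hexstr = "".join(reversed(labels[:-2]))
    return ipaddress.IPv6Address(int(hexstr, 16))
```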

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
BSD Sockets API and IPv6

	new structures
		in_addr has become in6_addr
		sockaddr_in has become sockaddr_in6
	new APIs like getaddrinfo/getnameinfo work for both IPv6 and IPv4
	portable applications use sockaddr_storage and make no assumptions about its size
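The protocol-independent API in practice, as an added example (not from the original slides), using Python's wrappers around getaddrinfo and the sockaddr tuples the sockets API returns: an AF_INET socket yields (host, port), an AF_INET6 socket yields (host, port, flowinfo, scope_id), and on a dual-stack listener an IPv4 client appears as the IPv4-mapped address ::ffff:a.b.c.d from the address-space slide. An access list written in IPv4 terms silently fails on such peers unless the address is unmapped first, which is the check shown here. The ACL networks are made up for the example.

```python
"""Address-family-agnostic peer handling for the BSD sockets API.
Added example, not part of the original presentation."""
import ipaddress
import socket

# Constructed example ACL: one IPv4 and one IPv6 network.
EXAMPLE_ACL = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("2001:780:44::/48")]


def peer_address(sockaddr):
    """Turn any sockaddr tuple from accept()/recvfrom() into an ip_address,
    unmapping ::ffff:a.b.c.d back to the IPv4 address the client really has."""
    host = sockaddr[0]
    if len(sockaddr) == 4 and "%" in host:       # drop a scope suffix such as fe80::1%eth0
        host = host.split("%", 1)[0]
    addr = ipaddress.ip_address(host)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def acl_allows(sockaddr, allowed):
    """True if the (unmapped) peer falls into one of the allowed networks."""
    peer = peer_address(sockaddr)
    return any(peer in net for net in allowed if net.version == peer.version)


def resolve_numeric(host, port):
    """getaddrinfo with AI_NUMERICHOST: no DNS, so it works offline, and it
    returns the (family, sockaddr) pairs a portable client iterates over
    instead of hard-coding AF_INET."""
    return [(family, sockaddr) for family, _, _, _, sockaddr in
            socket.getaddrinfo(host, port, socket.AF_UNSPEC,
                               socket.SOCK_STREAM, 0, socket.AI_NUMERICHOST)]
```

The same normalisation belongs in log parsers and rate limiters: a client that is blocked as 10.1.2.3 but logged as ::ffff:10.1.2.3 is counted twice or not at all.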

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
Configuration under Linux

	Router/Gateway
		Runs radvd or zebra for sending router advertisements

	Client
		Just has to load "ipv6" module and configure interface up
		Receives prefix-advertisements(s) and autoconfigures address


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
IPv6 option headers

	New concept of extension (option) headers
		Any number of extension headers between the l3 and the l4 header, chained via the Next Header field
		With one exception (hop-by-hop) only processed at the final destination, not by routers

	Defined option headers
		Hop-by-hop options (processed by every node)
		Destination options
		Routing header
		Fragment header
		Authentication (AH)
		Encapsulating Security Payload (ESP)


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
IPv6 specific security issues

	hop-by-hop options header
		must be processed by every router on the path; should be filtered out at a typical internet gateway
	routing header
		should be filtered out like IPv4 loose source route / record route (lets a sender bounce traffic through a relay to get around address-based filters)
	ICMPv6
		cannot be blocked wholesale: neighbour discovery (types 133-137) needs it, and so does path MTU discovery (packet too big, type 2), because routers no longer fragment
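The header walk behind the filtering rules above, as an added example (not from the original slides) that also covers the "Technical: Header" and "IPv6 option headers" slides: parse the fixed header, follow the Next Header chain through the extension headers, then apply the slide's gateway policy: drop anything carrying a hop-by-hop options or routing header, let the ICMPv6 types neighbour discovery and path MTU discovery depend on through, and drop ICMPv6 otherwise. That last part is an assumption stricter than most gateways, which would also pass echo and error messages; the point is the header walk. The packets are constructed inline (not captures), with ICMPv6 checksums left at zero.

```python
"""IPv6 header chain parser with the slide's gateway filter policy.
Added example, not part of the original presentation."""
import ipaddress
import struct

HOPOPT, TCP, UDP, ROUTING, FRAG, ESP, AH, ICMPV6, NONEXT, DSTOPTS = 0, 6, 17, 43, 44, 50, 51, 58, 59, 60
EXT_HEADERS = {HOPOPT, ROUTING, FRAG, AH, DSTOPTS}        # ESP is opaque: the chain ends there
# ICMPv6 types a gateway must pass: packet too big (PMTUD) and the five
# neighbour discovery messages RS/RA/NS/NA/redirect.
ICMPV6_REQUIRED = {2, 133, 134, 135, 136, 137}


def parse(packet):
    """Return (fixed header fields, extension header types, upper-layer
    protocol, offset of the upper-layer header); raise ValueError on junk."""
    if len(packet) < 40:
        raise ValueError("short IPv6 header")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", packet[:8])
    if vtf >> 28 != 6:
        raise ValueError("not IPv6")
    if 40 + plen != len(packet):
        raise ValueError("payload length does not match buffer")
    hdr = {"traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF,
           "payload_length": plen, "hop_limit": hlim,
           "src": ipaddress.IPv6Address(packet[8:24]),
           "dst": ipaddress.IPv6Address(packet[24:40])}
    exts, off = [], 40
    while nh in EXT_HEADERS:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        exts.append(nh)
        if nh == FRAG:
            length = 8                                 # fixed size
        elif nh == AH:
            length = (packet[off + 1] + 2) * 4         # 32-bit units, minus 2
        else:
            length = (packet[off + 1] + 1) * 8         # 64-bit units, not counting the first 8
        nh, off = packet[off], off + length
        if len(exts) > 8:
            raise ValueError("too many extension headers")
    if off > len(packet):
        raise ValueError("extension header overruns packet")
    return hdr, exts, nh, off


def filter_verdict(packet):
    """'accept' or 'drop' according to the slide's gateway policy."""
    try:
        hdr, exts, upper, off = parse(packet)
    except ValueError:
        return "drop"
    if HOPOPT in exts or ROUTING in exts:
        return "drop"
    if upper == ICMPV6:
        if off + 4 > len(packet):
            return "drop"
        return "accept" if packet[off] in ICMPV6_REQUIRED else "drop"
    return "accept"


def _ext(next_hdr, body):
    """Generic extension header (hop-by-hop, routing, dest. options) padded to 8n bytes."""
    data = body + b"\x00" * ((-(2 + len(body))) % 8)
    return bytes([next_hdr, (len(data) + 2) // 8 - 1]) + data


def _packet(src, dst, next_hdr, payload, hop_limit=64):
    """Fixed header (traffic class and flow label zero) plus payload."""
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, hop_limit)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)


def sample_packets():
    """Constructed packets (not captures) exercising each branch of the policy."""
    rtr, host = "2001:780:44:1100::1", "2001:780:44:1100:204:61ff:fe5c:74b9"
    link_local = "fe80::204:61ff:fe5c:74b9"
    tcp_syn = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    rs = struct.pack("!BBHI", 133, 0, 0, 0)                 # router solicitation
    echo = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)      # echo request
    rh0 = bytes([0, 1, 0, 0, 0, 0]) + ipaddress.IPv6Address(host).packed  # type 0, 1 segment left
    return {
        "router_solicitation": _packet(link_local, "ff02::2", ICMPV6, rs, hop_limit=255),
        "plain_tcp": _packet(host, rtr, TCP, tcp_syn),
        "hop_by_hop_tcp": _packet(host, rtr, HOPOPT, _ext(TCP, b"\x01\x04\x00\x00\x00\x00") + tcp_syn),
        "routing_header_tcp": _packet(host, rtr, ROUTING, _ext(TCP, rh0) + tcp_syn),
        "echo_request": _packet(host, rtr, ICMPV6, echo),
        "truncated": _packet(host, rtr, TCP, tcp_syn)[:-4],
    }
```

Note why the upper-layer protocol is only known after the walk: a port filter that reads the byte at offset 6 and treats it as the transport protocol is bypassed by any packet that puts a destination-options header first, which is also why the ip6tables slide below warns that -p and -f do not see extension headers.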

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
IPv6 specific security issues

iptables -> ip6tables changes
	matching of AH/ESP
		not by -p (they are extension headers, not the upper-layer protocol): use the ah / esp match extensions
	matching of fragments
		not by -f: use the frag match extension
	no connection tracking in mainline kernel yet
		existing ip6_conntrack patches (deprecated)
			code duplication
			no interaction between ip_conntrack/ip6_conntrack
		existing nf_conntrack patches
			one code base to rule them all
			ipv4 and ipv6 plugins
			l3 independent tcp and udp modules independent
			l3 independent helpers
			BUT: no NAT as of now :(
	
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%page
IPv6 Introduction
Further Reading

	http://www.ipv6-net.org/ (German IPv6 forum)
	http://www.6bone.net/ (ipv6 testing backbone)
	http://www.freenet6.net/ (free tunnel broker)
	http://hs247.com/ (list of tunnel brokers)

	http://www.bieringer.de/ (ipv6 for linux)
	http://www.linux-ipv6.org/ (improved ipv6 for linux)
	http://www.kame.net/ (ipv6 for *BSD)
	http://www.join.uni-muenster.de/ (ipv6 at DFN/WiN)

	http://www.gnumonks.org/ (slides of this presentation)

	And of course, all relevant RFC's 
