The future of the Internet - An IPv6 Fundamentals Tutorial

by Craig Miller

Outline

0. Introduction to Networking

OSI Model - Creative Commons

1. Why do we need IPv6?

The world has run out of IP addresses. IPv4 uses a 32 bit address which is a total of 4 billion addresses. However there are already 6 billion people in the world, and many of us have multiple devices, each with its own address. In order for the internet to continue to grow, a larger address space is required.

Adding another octet would require a new IP protocol, a change in the IP header, and all routers, computers, and devices connected to the internet. But only providing an additional 255 times the address space. This only delay the internet address problem for another 10 to 15 years, then we would require yet another overhaul of the entire internet.

For fun: a dramatization of running out of IP addresses.

Global Deployment of IPv6 is 15% of all internet traffic today as measured by Google

2. Not your Grandmother's IP

IPv6 Header - Usenix.org

3. IPv6 Addressing

When writing IPv6 addresses, it is common to use the compressed form, of substituting a double-colon :: for a single long string of zeros in the middle of the address. Thus 2001:0db8:0123:0000:0000:0000:0000:0010 becomes 2001:db8:123::10


Hands On - IP Addressing

Attempt/Answer the following:

Look at Tools of the Trade


4. Router Advertisements

5. DNS is your friend

Intro to Wireshark

Hands On - RAs and DNS

Attempt/Answer the following:

Sample Wireshark Captures


6. Firewalls - Naked without NAT, NOT!

Firewalls control the flow of traffic. They typically placed at choke points in the network, where control is more easily managed. Every modern home router has a stateful firewall, and the capability to do IPv4 NAT. Think of the firewall and NAT as separate operations which can both happen inside your router.

Make sure you set up the traffic rules on your IPv6 firewall before connecting to the internet. Do NOT block all ICMPv6 at the firewall, you will quickly become disconnected (ICMPv6 NDP and RAs are needed for connectivity).

7. Transitions

Since IPv6 is a different networking protocol, the network will be in a transition phase for sometime. The most common transitional method is Dual-Stack.

Transitional Mechanisms


Hands On -- Firewalls & Transitions

Attempt/Answer the following:

Look at Tools of the Trade


8. Operating System Support for IPv6

Most common OSs have had support for IPv6 since the mid 2000s. However the level of support has varied by platform. A more detailed comparison shows the subtle differences.

OSIPv6 Command
Linux (alpha 1996) (2.6 2005)ip addr, ip neigh, ip route
BSD (4.x 2000)ifconfig, sbp, netstat -r
BayRS (11.2 1999)Used sitemanager to configure
Cisco IOS (2001)show ipv6 , show ipv6 neighbors, show ipv6 route
Windows (XP SP1 2002)netsh show address, netsh show neighbors, netsh show route
Mac OSX (10.3 2003)ifconfig, sbp, netstat -r
Android (1.0 2010)No DHCPv6 support, v5.x+ uses RAs for DNS
Apple iOS (4.x 2010)v4.3 DHCPv6 Support, v10.x IPv6-only support

9. More on IPv6 Addresses and Scope

There are 5 types of IPv6 addresses:

World Address Allocation - APNIC preso by Networks Nurul Islam Roman

At present the entire world of IPv6 addresses has been allocated out of the 2000::/3 range. To simplify global routing tables, the following prefixes have been allocated to geographical areas:

The router will send an RA which will include a prefix (the first 64-bits of an address), which then each host will create a host unique last 64 bits, thus creating a globally unique unicast address.

Unique Local Address (ULA)

ULAs are used like RFC 1918 Private Addresses, in that they are not routed on the internet. But unlike IPv4, there are two key advantages over the familiar 192.168.0.0 address:

  1. No duplicate addresses. Addresses must select a random value for bits 8-48 (40 bits total)
  2. To help ensure that there are no duplicate addresses, there is a internet registry of addresses, while not required by the RFC is a good idea.

ULAs always start with FD.

Multicast Scope

The 4th byte of a multicast address represnts scope, or who wide will the multicast packet travel. For example, a multicast packet destine to all nodes on the link (will not cross a router) would be addressed to ff02::1 (all-nodes)

nScope
1Interface local
2Link-local
5Site-local
8Organizational Local
EGlobal

Scope allows for more control of multicast than IPv4, which is always global, unless routers are not configured to forward it.

Link-Local addresses

Link-local addresses always start with FE80:: They are only significant on the link, and it is quite possible to have duplicate link-local addresses on different links. Link-local address is a basic unit of IPv6, since each host defines its own link-local address, the host does not need any other devices to create a unique address on the link. With that address, it can request services, such as requesting a RA from the router, and then DHCPv6 if the M-bit is set.

10. More on ICMPv6 and Neighbour Discovery

Neighbour Discovery - Creative Commons - Mendoza - Argentina ana.diedrichs@gridtics.frm.utn.edu.ar

In order to send a packet whether close or far, and Ethernet header must be prepended to the datagram. In IPv4, in order to get the destination MAC address of the host or gateway router, an ARP (Address Resolution Protocol) is broadcast to all on the LAN. The host/router with that IP address responds with its MAC address.

Since there is no broadcast in IPv6, another method is required. Since each host has a link-local address at wake up time (boot), the sender can send out an ICMPv6 Type 135, Neighbour Solicitation, using the its link-local address as a source address. It will use use a multicast address, FF02::1 or FF02::1:ff41:44a (if the last three bytes of the destination IPv6 address are 41:044a).

The replying host/router will reply with a neighbour advertisement (type 136), a unicast packet with the Link-local destination address of the requester.


Hands On -- Addressing & Neighbour Discovery

Attempt/Answer the following:


11. IPv6 Header and Extension Headers

In order to quadruple the length of the IP address, but minimize the size of the IPv6 header, much of the information contained in an IPv4 header has been removed. The designers were able to squeeze in two (2) 128-bit addresses, in a 40 byte header.

Extension Headers - Cisco

Extension headers are between the IPv6 header and the next header (typically TCP or UDP). The following types are defined by RFC 2640:

  1. Hop-by-Hop Options
  2. Routing (Type 0) - Removed by RFC 5095
  3. Fragment
  4. Destination Options
  5. Authentication (AH)
  6. Encapsulating Security Payload (ESP)

Security implications of extension headers.

RA Guard has been devised to prevent the bad guys from sending out bogus RAs, thus attempting Man-in-the-middle attacks. Unfortunately, Cisco, created a hardware version of RA Guard, stepping 40 bytes into the packet looking for an ICMPv6 header with the Type 134 (RA). Unfortuntely, the bad guys quickly figured out if they put an extension header in between the IPv6 header and the ICMPv6 header (which is where it belongs), that they could defeat the hardware based RA Guard.

Therefore there IPv6 packets which come from the same LAN segment (think broadcast domain in IPv4) with the following extension headers should not be accepted: Hop-by-hop, Fragment, Destination options.


Hands On - Extension Headers

Attempt/Answer the following:


12. DHCPv6 & Prefix Delegation

DHCPv6 was standardized in 2003 by RFC 3315 and work similar to DHCPv4. However the options have different numbers, and a few additional options have been added, such as Prefix Delegation


Hands On - DHCPv6 & Prefix Delegation

Attempt/Answer the following:


13. Using IPv6 in the real world


System V -> Systemd Network Configuration

The AT&T System V method of configuration has been around for decades, and is well understood. However in 2010, systemd was added to the Fedora Core repository by Lennart Poettering. The stated goal was to "Unify configuration" of the Linux systems. systemd has been adopted by the major Linux distros: RedHat, Ubuntu, Debian, Raspian.

There are a number of outstanding IPv6 bugs in systemd

Command to display systemd version: /usr/lib/systemd/systemd --version

LinOxide has a very good systemd cheatsheet

systemd overview - creative commons

System V network configuration example

Network configuration is located in /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#NetworkManager#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
    address 10.1.1.14 
    gateway 10.1.1.1
    netmask 255.255.255.0
    dns-nameservers 10.1.1.14 10.1.1.18
iface eth0 inet6 static
    address 2001:470:ebbd:0::f014
    netmask 64

Restart network services /etc/init.d/networking restart

systemd-networkd configuration example

Network configuration is located in /etc/system/network/<intf>.network

[Match]
Name=eth0

[Network]
DHCP=ipv4
Address=2001:470:ebbd:583::f014/64
IPv6PrivacyExtensions=yes
#IPv6Token=::12:34:56:78

Restart network services systemctl restart systemd-networkd.service