Internet Protocol v6 October 25, 2016 v6@nkn.in Table of Content - - PowerPoint PPT Presentation



SLIDE 1

Internet Protocol v6

October 25, 2016

v6@nkn.in

SLIDE 2

Table of Content

  • Why IPv6?
  • IPv6 Address Space
  • Customer LAN Migration
SLIDE 3

  • Why IPv6?
  • IPv6 Address Space
  • Customer LAN migration
SLIDE 4

IPv4 Dashboard: the Reason for IPv6

  • The IANA pool of available IPv4 addresses was exhausted on 3 February 2011.
  • APNIC is allocating IPv4 addresses from its last /8 IPv4 block.

Microsoft purchased 666,624 IPv4 addresses from the bankrupt Canadian company Nortel for $7.5m, which works out to $11.25 per address. An exact list of the blocks isn't available.

SLIDE 5

Address Distribution

IETF → IANA → RIR → ISP → End User

Regional Internet Registries (RIRs) distribute IPv4 and IPv6 address space and AS numbers to the Internet community.

SLIDE 6

RIRs

SLIDE 7

  • Why IPv6?
  • IPv6 Address Space
  • Customer LAN migration
SLIDE 8

IPv6 Address Space

  • An IPv6 address is 128 bits long.
  • This means a total of 340 282 366 920 938 463 463 374 607 431 768 211 456 IPv6 addresses are possible.
  • That is about 3.4×10^38 (340 trillion trillion trillion) unique IPv6 addresses: roughly 48,000 trillion trillion addresses for every person on Earth, or about 6.7×10^23 addresses per square metre of the Earth's surface.

SLIDE 9

How does an IPv6 Address Look?

  • x:x:x:x:x:x:x:x
  • where each x represents 16 bits written in hexadecimal
  • 2001:4408:0000:0000:C1C0:0000:ABCD:0786
  • Hex digits are case insensitive
  • 2001:4408:0000:0000:c1c0:0000:abcd:0786
  • One run of consecutive all-zero groups can be replaced with "::", but only once per address (a second "::" would make the address ambiguous, and parsers reject it)
  • 2001:4408::C1C0:0000:ABCD:0786
  • Leading zeros within a group can be omitted, but not trailing ones
  • 2001:4408::C1C0:0000:ABCD:786
  • In a URL the address is enclosed in square brackets, so that the port separator cannot be confused with the colons of the address

http://[2001:4408::C1C0:0000:ABCD:786]/index.html
http://[2001:4408::C1C0:0000:ABCD:786]:8080/index.html

SLIDE 10

How does an IPv6 Address Look?

  • 128 bit address, global unicast layout:

    gggg:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
    |  Global Routing Prefix  | Subnet ID |        Interface ID         |
    |       n <= 48 bits      | 64-n bits |           64 bits           |
    |<------- Network Portion ----------->|<----------- Host ---------->|

  Example (full format):  2405:8a00:0000:0001:0000:0000:0000:A100
  Abbreviated format:     2405:8a00:0:1::A100

SLIDE 11

IPv6 – Address Scope

  • An interface is "expected" to have multiple addresses
  • An IPv6 node MUST support multicast
  • Addresses have scope:
    – Link Local (FE80::/10)
    – Unique Local (FC00::/7)
    – Global (2000::/3)

SLIDE 12

IPv6 – Address Types

  • Unicast: a unicast address identifies a single network interface.
  • Multicast: the address of a set of interfaces; one-to-many delivery to all interfaces in the set.
  • Anycast: an anycast address is assigned to a group of interfaces, usually belonging to different nodes.
  • No more broadcast addresses (the link-local all-nodes multicast group takes that role).

SLIDE 13

IPv6 Addresses – Unicast and Multicast

NKN-SP-LAN#show ipv6 int
Vlan196 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::6E20:56FF:FEC5:47DF        <- Link-Local
  No Virtual link-local address(es):
  Description: "LAN SAGEMENT 2 10.1.196.1 "
  Global unicast address(es):
    2001:4408:5205:196::1, subnet is 2001:4408:5205:196::/64               <- Global
  Joined group address(es):
    FF02::1            <- All nodes
    FF02::2            <- All routers
    FF02::1:2          <- All DHCPv6 relay agents and servers
    FF02::1:FF00:1     <- Solicited-node multicast address (for ::1)
    FF02::1:FFC5:47DF  <- Solicited-node multicast address (for the link-local address)
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is High
  Hosts use DHCP to obtain routable addresses.

SLIDE 14

IPv6 Address Type

  • Unicast address scope
    – Link local: not routable, exists only within the L2 domain (FE80::/10)
        FE80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx
    – Unique-Local (ULA): routable within an administrative domain, similar to RFC 1918 (FC00::/7; in practice only the locally assigned FD00::/8 half is defined by RFC 4193)
        FC00:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
    – Global: routable across the Internet (2000::/3)
        2000:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  • Multicast addresses begin with FF00::/8
        FF00:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX

SLIDE 15

IPv6 Address Types

Address Type          IPv6 Binary Prefix    IPv6 Prefix   IPv4 Equivalent
Unspecified           000...0 (128 bits)    ::/128        0.0.0.0
Loopback              000...01 (128 bits)   ::1/128       127.0.0.1
Unique Local Address  1111 110              FC00::/7      RFC 1918 (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
Link-local Unicast    1111 1110 10          FE80::/10     169.254.0.0/16
Multicast             1111 1111             FF00::/8      224.0.0.0-239.255.255.255
Global Unicast        001                   2000::/3      Class A, B & C (public unicast)
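The notation rules of slides 9 and 10 and the prefix table of slides 14 and 15, worked in code. This is an added example, not part of the original deck: it uses only the Python standard library `ipaddress` module, and the site prefix length of 48 bits, the sample addresses and the "Reserved" label for anything outside the table are assumptions made for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Scope table of slides 14/15, in the order the classifier must test it:
# the two /128 entries come first so they are not swallowed by a wider range.
SCOPE_TABLE = [
    ("Unspecified",          ipaddress.IPv6Network("::/128")),
    ("Loopback",             ipaddress.IPv6Network("::1/128")),
    ("Link-local Unicast",   ipaddress.IPv6Network("fe80::/10")),
    ("Unique Local Address", ipaddress.IPv6Network("fc00::/7")),
    ("Multicast",            ipaddress.IPv6Network("ff00::/8")),
    ("Global Unicast",       ipaddress.IPv6Network("2000::/3")),
]


def expand(addr: str) -> str:
    """Full 8-group form with every leading zero written out (the slide's 'Full Format')."""
    return ipaddress.IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """Canonical short form (RFC 5952): leading zeros dropped and the longest run of
    all-zero groups collapsed to '::' exactly once; a lone zero group stays as '0'."""
    return ipaddress.IPv6Address(addr).compressed


def is_valid_literal(addr: str) -> bool:
    """True for a well-formed textual address; a second '::' is rejected as ambiguous."""
    try:
        ipaddress.IPv6Address(addr)
        return True
    except ipaddress.AddressValueError:
        return False


def split_global_unicast(addr: str, site_prefix_len: int = 48) -> dict:
    """Split an address into the three parts of slide 10: global routing prefix
    (n bits, assumed 48 here), subnet ID (64 - n bits) and the 64-bit interface ID."""
    if not 0 < site_prefix_len <= 64:
        raise ValueError("site prefix must be between 1 and 64 bits")
    value = int(ipaddress.IPv6Address(addr))
    shift = 128 - site_prefix_len
    routing_prefix = ipaddress.IPv6Network((value >> shift << shift, site_prefix_len))
    subnet_id = (value >> 64) & ((1 << (64 - site_prefix_len)) - 1)
    interface_id = value & ((1 << 64) - 1)
    return {
        "routing_prefix": str(routing_prefix),
        "subnet_id": subnet_id,
        "interface_id": f"{interface_id:016x}",
    }


def scope_of(addr: str) -> str:
    """Classify by the binary-prefix table. Anything outside it (e.g. the deprecated
    site-local fec0::/10) is reported as 'Reserved' rather than guessed."""
    ip = ipaddress.IPv6Address(addr)
    for name, net in SCOPE_TABLE:
        if ip in net:
            return name
    return "Reserved"


def url_host_and_port(url: str) -> tuple:
    """Recover the address from the bracketed URL form of slide 9; urlsplit strips the
    brackets and lower-cases the host, and the port is parsed from after the ']'."""
    parts = urlsplit(url)
    return parts.hostname, parts.port
```

`scope_of` deliberately does not fall back to `ipaddress`'s own `is_global`, which also knows about documentation and reserved ranges; the point here is to reproduce exactly the table on the slide, and to see that an address that matches no row is neither "global" nor "private".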

SLIDE 16

IPv4 & IPv6 Header Comparison

IPv4 Header: Version | IHL | Type of Service | Total Length | Identification | Flags | Fragment Offset | Time to Live | Protocol | Header Checksum | Source Address | Destination Address | Options

IPv6 Header: Version | Traffic Class | Flow Label | Payload Length | Next Header | Hop Limit | Source Address | Destination Address

Legend (colours in the original figure):
  • field's name kept from IPv4 to IPv6 (Version, Source Address, Destination Address)
  • fields not kept in IPv6 (IHL, Identification, Flags, Fragment Offset, Header Checksum, Options)
  • name and position changed in IPv6 (Type of Service -> Traffic Class, Total Length -> Payload Length, Protocol -> Next Header, Time to Live -> Hop Limit)
  • new field in IPv6 (Flow Label)

SLIDE 17

IPv4 Header

  • The IPv4 packet header consists of 14 fields, of which 13 are required. The 14th field is optional (red background in the table) and aptly named: Options.
  • Internet Header Length (IHL)
    – The second field (4 bits) is the Internet Header Length (IHL), the number of 32-bit words in the header; a receiver must read it to know where the payload starts.
    – The minimum value for this field is 5 (RFC 791), which is a length of 5 × 32 = 160 bits = 20 bytes. Being a 4-bit value, the maximum length is 15 words (15 × 32 bits), or 480 bits = 60 bytes.

SLIDE 18

Control Protocol(s)

  • IPv4 Control Protocols:
    – ARP (for Ethernet)
    – ICMP
    – IGMP
  • IPv6 Control Protocols:
    – ICMPv6 (IPv6 Next Header value 58), which takes over the roles of ARP, ICMP and IGMP (Neighbor Discovery, error reporting, MLD) and must be fully implemented and supported.
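To make the header comparison of slides 16 to 18 concrete, here is an added example (not code from the deck) that builds and parses both headers with the standard library `struct` module. It enforces the IHL bounds of slide 17 before trusting any length, verifies the IPv4 header checksum that IPv6 dropped, and shows the ICMPv6 Next Header value 58 in the fixed 40-byte IPv6 header. The sample packets, addresses, option bytes and payloads are constructed for the example.

```python
import struct
import ipaddress

ICMPV6 = 58            # IPv6 Next Header value for ICMPv6 (slide 18)
IPV6_HEADER_LEN = 40   # fixed: IPv6 has no IHL field and no header checksum


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry, as used by the IPv4 header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def build_ipv4(src: str, dst: str, protocol: int, payload: bytes, options: bytes = b"") -> bytes:
    """Assemble an IPv4 packet; IHL grows by one 32-bit word per 4 option bytes."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    if ihl > 15:
        raise ValueError("IHL is a 4-bit field: at most 15 words (60 bytes)")
    total_length = ihl * 4 + len(payload)
    # Version/IHL, TOS, Total Length, Identification, Flags(DF)+Offset, TTL, Protocol, Checksum=0, src, dst
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_length, 0x1234, 0x4000, 64,
                         protocol, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed) + options
    checksum = (~ones_complement_sum(header)) & 0xFFFF
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


def parse_ipv4(buf: bytes) -> dict:
    """Parse an IPv4 header, checking IHL and Total Length against the buffer before slicing."""
    if len(buf) < 20:
        raise ValueError("truncated: IPv4 header is at least 20 bytes")
    (ver_ihl, _tos, total_length, _ident, flags_frag, ttl, protocol, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not IPv4 (version {version})")
    if ihl < 5:
        raise ValueError(f"IHL {ihl} is below the RFC 791 minimum of 5 words")
    header_length = ihl * 4
    if total_length < header_length or len(buf) < total_length:
        raise ValueError("Total Length inconsistent with IHL or with the buffer")
    return {
        "ihl": ihl, "header_length": header_length, "options": buf[20:header_length],
        # a valid header sums (including its checksum field) to 0xFFFF
        "checksum_ok": ones_complement_sum(buf[:header_length]) == 0xFFFF,
        "ttl": ttl, "protocol": protocol,
        "flags": flags_frag >> 13, "fragment_offset": flags_frag & 0x1FFF,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "payload": buf[header_length:total_length],
    }


def ipv4_is_malformed(buf: bytes) -> bool:
    try:
        parse_ipv4(buf)
        return False
    except ValueError:
        return True


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes, hop_limit: int = 64) -> bytes:
    """Assemble the 40-byte fixed IPv6 header: Version=6, Traffic Class=0, Flow Label=0."""
    first_word = 6 << 28
    return struct.pack("!IHBB16s16s", first_word, len(payload), next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload


def parse_ipv6(buf: bytes) -> dict:
    """Parse the fixed IPv6 header; there is no IHL and no checksum to verify."""
    if len(buf) < IPV6_HEADER_LEN:
        raise ValueError("truncated: IPv6 header is 40 bytes")
    first_word, payload_length, next_header, hop_limit, src, dst = struct.unpack("!IHBB16s16s", buf[:40])
    if first_word >> 28 != 6:
        raise ValueError("not IPv6")
    if len(buf) < IPV6_HEADER_LEN + payload_length:
        raise ValueError("Payload Length exceeds the buffer")
    return {
        "traffic_class": (first_word >> 20) & 0xFF, "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length, "next_header": next_header, "hop_limit": hop_limit,
        "src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
        "payload": buf[40:40 + payload_length],
    }


# Constructed samples: IPv4 with a 4-byte NOP/NOP/NOP/EOL option block (IHL = 6), and
# IPv6 carrying an 8-byte ICMPv6 echo request to the all-nodes group.
SAMPLE_IPV4 = build_ipv4("10.1.196.1", "10.1.196.2", 1, b"ping", options=b"\x01\x01\x01\x00")
SAMPLE_IPV6 = build_ipv6("fe80::6e20:56ff:fec5:47df", "ff02::1", ICMPV6,
                         b"\x80\x00\x00\x00\x00\x01\x00\x01")
```

The IHL check is the one worth remembering: a header claiming IHL 4 (16 bytes) or an IHL larger than the packet is the classic way a crafted packet walks a careless parser off the end of its buffer, and it is one of the checks IPv6's fixed-length header makes unnecessary.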

SLIDE 19

MULTICAST

  • An IPv6 node MUST support multicast.
  • All nodes whose unicast addresses end in the same low-order 24 bits share the same solicited-node multicast address.
  • Solicited-node multicast address format:
    – well-known prefix FF02::1:FF00:0/104
    – followed by the low-order 24 bits of the node's unicast address

Example: a node with address 2405:8A00:100:200::A101:3258 joins the multicast group FF02::1:FF01:3258, i.e. FF02:0:0:0:0:1:FF01:3258 in expanded form.
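The solicited-node derivation above and the `show ipv6 interface` output of slide 13 fit together: every unicast address on an interface must have its solicited-node group in the joined-group list, or Neighbor Solicitations for it go unanswered. The following is an added example, not code from the deck; the `show ipv6 int` text is the slide's output re-flowed one field per line (the line breaks are constructed), and the `audit_joined_groups` check and its labels are the example's own.

```python
import ipaddress
import re

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))   # FF02::1:FF00:0/104
WELL_KNOWN_GROUPS = {   # slides 13 and 20
    "ff02::1": "all nodes (link-local)",
    "ff02::2": "all routers (link-local)",
    "ff02::1:2": "all DHCPv6 relay agents and servers",
}


def solicited_node(addr: str) -> str:
    """FF02::1:FF00:0/104 with the low-order 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24))


def share_solicited_node(a: str, b: str) -> bool:
    """Two addresses with the same low-order 24 bits land in one group, whatever their prefix."""
    return solicited_node(a) == solicited_node(b)


# 'show ipv6 interface' as printed on slide 13, one field per line (constructed layout).
SHOW_IPV6_INT = """\
Vlan196 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::6E20:56FF:FEC5:47DF
  No Virtual link-local address(es):
  Description: "LAN SAGEMENT 2 10.1.196.1 "
  Global unicast address(es):
    2001:4408:5205:196::1, subnet is 2001:4408:5205:196::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:2
    FF02::1:FF00:1
    FF02::1:FFC5:47DF
  MTU is 1500 bytes
"""


def parse_show_ipv6_interface(text: str) -> dict:
    """Pull the unicast addresses and joined multicast groups out of IOS 'show ipv6 interface'."""
    m = re.search(r"link-local address is (\S+)", text)
    if not m:
        raise ValueError("no link-local address in output")
    link_local = m.group(1)
    globals_ = re.findall(r"^\s+(\S+), subnet is", text, re.M)
    groups, in_groups = [], False
    for line in text.splitlines():
        if "Joined group address(es)" in line:
            in_groups = True
            continue
        if in_groups:
            g = re.fullmatch(r"\s+(FF[0-9A-Fa-f:]+)", line)
            if not g:
                break                       # first non-group line ends the list
            groups.append(str(ipaddress.IPv6Address(g.group(1))))   # normalise case/compression
    return {"link_local": link_local, "global": globals_, "groups": groups}


def audit_joined_groups(text: str) -> dict:
    """Check that each unicast address has its solicited-node group joined, label the
    well-known groups, and note that FF02::2 joined means the interface is a router."""
    info = parse_show_ipv6_interface(text)
    joined = set(info["groups"])
    result = {"missing": [], "labels": {}}
    for addr in [info["link_local"]] + info["global"]:
        group = solicited_node(addr)
        result["labels"][group] = f"solicited-node for {addr}"
        if group not in joined:
            result["missing"].append(addr)
    for g in joined:
        result["labels"].setdefault(g, WELL_KNOWN_GROUPS.get(g, "unknown group"))
    result["is_router"] = "ff02::2" in joined
    return result
```

`share_solicited_node` is the practical consequence of the 24-bit rule: hosts in different /64s whose addresses end in the same three bytes receive each other's Neighbor Solicitations, which is harmless but is why sequentially numbered servers (::1, ::2, ...) across many subnets all sit in FF02::1:FF00:1, FF02::1:FF00:2 and so on.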

SLIDE 20

RESERVED MULTICAST ADDRESSES

Address            Scope        Use
FF01::1            Node-local   All Nodes
FF01::2            Node-local   All Routers
FF02::1            Link-local   All Nodes
FF02::2            Link-local   All Routers
FF05::2            Site-local   All Routers
FF02::1:FFxx:xxxx  Link-local   Solicited-Node

SLIDE 21

MAXIMUM TRANSMISSION UNIT (MTU)

The MTU is the maximum size of IP packet that a link can carry without fragmentation. In IPv6 every link must support an MTU of at least 1280 bytes, whereas IPv4 only required 68 bytes. IPv6 uses Path MTU Discovery to find the smallest MTU along the path and then sends packets no larger than that.

PATH MTU DISCOVERY: link MTUs along the path 4000 → 1300 → 9000 → 1500; the source settles on 1300 bytes.

Path MTU Discovery is mandatory in practice in IPv6 because routers do not fragment packets: fragmentation is handled only by the source, guided by the ICMPv6 Packet Too Big messages that Path MTU Discovery relies on. A firewall that drops ICMPv6 Packet Too Big (type 2) therefore silently breaks large transfers.

SLIDE 22

Anycast

  • The same "anycast" address is assigned to a group of interfaces (nodes).
  • A packet sent to an anycast address is delivered to the "nearest" interface (node) having this address, as measured by the routing protocol.
  • Allows service reliability to be increased.
  • Allocated from the unicast address space (an anycast address is syntactically indistinguishable from a unicast one).
SLIDE 23

  • Why IPv6?
  • IPv6 Address Space
  • Customer LAN migration
    – IPv6 Address Allocation
    – Address Assignment
    – Security

SLIDE 24

Customer LAN Migration to IPv6

  • IPv6 Address Allocation
  • Address Assignment
  • Security
SLIDE 26

NKN IPv6 Address Space

  • NKN has received the 2405:8A00::/32 IPv6 address block from APNIC.
  • NKN allocates a /48 block to every connected member institute.
  • A /48 is the smallest prefix generally accepted in the global routing table, so it is the minimum needed for multihoming.
  • Each and every institute can therefore multihome using its NKN IPv6 address block.
  • NKN IPv6 anycast DNS server:
    – 2405:8A00:AA::AA

SLIDE 27

Address allocation plan for an Institute

  • Each institute gets a /48 IPv6 block from NKN.
    – From this block the institute can number 2^16 (i.e. 65536) /64 LANs in its network.
    – Each LAN has 2^64 global IP addresses for client allocation.
  • The institute also has the option to use Unique Local Addresses in its LAN and NAT them at the firewall.
    – FC00::/7 is the ULA range.
    – But if you are thinking that using ULA (with NAT) will give you an add-on security feature, think again: the protection comes from the firewall's stateful filtering policy, not from address translation.
    – Not a recommended practice, but the implementation depends on user requirements.

SLIDE 28

IPv6 Address Allocation in NKN

  NKN IPv6 address block: 2405:8a00::/32

  The figure divides it into /35 blocks, each drawn with its /48 sub-blocks:
    2405:8a00:2000::/35 -> 2405:8a00:2000::/48, 2405:8a00:2001::/48, 2405:8a00:2002::/48, ... 2405:8a00:3fff::/48
    2405:8a00:4000::/35 -> 2405:8a00:4000::/48, 2405:8a00:4001::/48, 2405:8a00:4002::/48, ... 2405:8a00:5fff::/48
    2405:8a00:6000::/35 -> 2405:8a00:6000::/48, 2405:8a00:6001::/48, 2405:8a00:6002::/48, ... 2405:8a00:7fff::/48
    2405:8a00:8000::/35 -> 2405:8a00:8000::/48, 2405:8a00:8001::/48, 2405:8a00:8002::/48, ... 2405:8a00:9fff::/48
  against the Delhi, Hyderabad, Bengaluru and Mumbai NKN POPs.

  • NKN has got a 2405:8a00::/32 IPv6 block from APNIC.
  • We divide this /32 block into eight /35 blocks.
  • The first /35 block is used for NKN network infrastructure. The remaining seven /35 blocks are assigned to NKN's seven super-core POPs.
  • Every super core aggregates multiple institutes.
  • We assign a /48 block of IPv6 to every institute from the /35 block of its respective super core.

SLIDE 29

IPv6 Address Allocation to Institutes

NKN allocates a /48 to every institute. For example, consider the case of Delhi:

  • Address block 2405:8a00:2000::/35 is allocated to the Delhi super-core NKN POP.
  • From this block we use consecutive /48 blocks for institutes:
      2405:8a00:2000::/35
        2405:8a00:2000::/48
        2405:8a00:2001::/48
        2405:8a00:2002::/48
        ...
        2405:8a00:3fff::/48
  • The first /48 of this /35, 2405:8a00:2000::/48, is allocated to Institute 1.
  • The second /48 of this /35, 2405:8a00:2001::/48, is allocated to Institute 2.
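The allocation plan of slides 26 to 29 in code, as an added example (not an NKN tool): it carves the /32 into its eight /35 blocks, numbers the /48 institute blocks inside a POP block, and does the reverse lookup an abuse desk needs (which POP and which institute index own a given address). The /35 at index 1 is Delhi's per slide 29; the other POP-to-block assignments are not given on the slides and are not assumed here.

```python
import ipaddress

NKN_BLOCK = ipaddress.IPv6Network("2405:8a00::/32")   # APNIC allocation to NKN (slide 26)
POP_PREFIX_LEN = 35          # one /35 per super-core POP; index 0 is NKN infrastructure (slide 28)
INSTITUTE_PREFIX_LEN = 48    # one /48 per member institute (slide 27)
LAN_PREFIX_LEN = 64


def pop_blocks() -> list:
    """The eight /35 blocks carved from the /32, in address order."""
    return list(NKN_BLOCK.subnets(new_prefix=POP_PREFIX_LEN))


def institute_capacity(pop: ipaddress.IPv6Network) -> int:
    """How many /48 blocks a POP block holds (8192 for a /35)."""
    return 2 ** (INSTITUTE_PREFIX_LEN - pop.prefixlen)


def institute_block(pop: ipaddress.IPv6Network, index: int) -> ipaddress.IPv6Network:
    """The index-th /48 inside a POP's /35 (index 0 is the first institute, as on slide 29)."""
    capacity = institute_capacity(pop)
    if not 0 <= index < capacity:
        raise ValueError(f"a /{pop.prefixlen} holds only {capacity} /48 blocks")
    base = int(pop.network_address) + (index << (128 - INSTITUTE_PREFIX_LEN))
    return ipaddress.IPv6Network((base, INSTITUTE_PREFIX_LEN))


def lans_per_institute() -> int:
    """Number of /64 LANs in a /48: 2^16 = 65536 (slide 27)."""
    return 2 ** (LAN_PREFIX_LEN - INSTITUTE_PREFIX_LEN)


def locate(addr: str) -> tuple:
    """Reverse lookup: (POP block index, institute index, institute /48) owning an address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in NKN_BLOCK:
        raise ValueError(f"{ip} is not in {NKN_BLOCK}")
    for pop_index, pop in enumerate(pop_blocks()):
        if ip in pop:
            inst_index = (int(ip) - int(pop.network_address)) >> (128 - INSTITUTE_PREFIX_LEN)
            return pop_index, inst_index, institute_block(pop, inst_index)
    raise AssertionError("unreachable: every address in the /32 falls in exactly one /35")
```

`institute_block` builds the /48 from integers rather than by enumerating `pop.subnets(new_prefix=48)`, because the enumeration materialises 8192 networks for one lookup; the arithmetic form is also what you would put in an IPAM export or a per-institute firewall policy generator.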

SLIDE 30

Customer LAN Migration to IPv6

  • IPv6 Address Allocation
  • Address Assignment
  • Security
SLIDE 31

IPv6 Address Assignment

Similar to IPv4:
  • Manually configured
  • Assigned via DHCP (DHCPv6):
      1. Router Solicitation (RS)   2. Router Advertisement (RA)   3. DHCPv6 Request   4. DHCPv6 Reply

New in IPv6:
  • Stateless configuration:
      1. Router Solicitation   2. Router Advertisement (/64 prefix, timers, etc.)
      IPv6 Address = /64 prefix + EUI-64 interface ID (e.g. derived from the MAC address)
  • Auto-generated pseudo-random number (RFC 3041, since superseded by RFC 4941 and RFC 8981):
      1. Router Solicitation   2. Router Advertisement
      IPv6 Address = /64 prefix + random 64 bits

SLIDE 32

IPv6 Address Assignment

Various IPv6 address assignment methods are as follows:
  • Manual Assignment
  • Stateless Address Autoconfiguration (SLAAC)
  • Stateless DHCPv6
  • Stateful DHCPv6
  • DHCPv6 Prefix Delegation (DHCPv6-PD)


SLIDE 34

Stateless Address Auto-configuration (SLAAC)

  • The network should have at least one IPv6 router configured to send periodic Router Advertisement (RA) announcements.
  • When an IPv6 host connects to the network it sends an ICMPv6 Router Solicitation (RS) message and picks up the ICMPv6 RA sent in response by the IPv6 router.
  • The IPv6 host combines the IPv6 prefix received in the RA message with an interface identifier, derived from its link-layer address (EUI-64) or generated randomly, to form its IPv6 address.

SLIDE 35

SLAAC Continued

The RA message carries the network-type information. At boot time an IPv6 host first builds a link-local address, then its global IPv6 address(es) from the RA: Subnet Prefix + Interface-ID.

  1. Router Advertisement (RA) sent with "A-Flag" = ON (default behaviour)
     ICMPv6 type = 134
     Src = router link-layer address
     Dst = all-nodes multicast address (ff02::1)
     Data = link-layer address of the router, Prefix = 2405:8a00:1::/64

  • Auto-configuration with "no collisions" (Duplicate Address Detection checks each address before use)
  • Offers "plug and play"

SLIDE 36

EUI-64 Addressing format

Extended Unique Identifier

  MAC address (48 bits):       00 26 B9 | 9B 95 49
  FF FE inserted (64 bits):    00 26 B9 FF FE 9B 95 49
  U/L bit inverted (EUI-64):   02 26 B9 FF FE 9B 95 49

  • The Interface-ID can be manually configured, or generated using stateless auto-configuration.
  • This format expands the 48 bit MAC address to 64 bits by inserting FFFE into the middle 16 bits.
  • The U bit (universal/local, the 000000U0 bit of the first octet) is inverted when using the EUI-64 format: U = 1 = unique (universally administered), U = 0 = not unique (locally administered). The MAC above has U = 0, so its EUI-64 form is 02 26 B9 FF FE 9B 95 49 with U = 1.
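The EUI-64 transformation above, carried out in code and also run backwards, as an added example that is not part of the deck. The reverse direction is what matters for the privacy discussion that follows: an EUI-64 interface identifier hands the MAC address, and so the vendor OUI, to every peer and stays constant across every network the host visits. The MAC and prefix come from slides 35 and 36; the function names are the example's own.

```python
import ipaddress


def _mac_bytes(mac: str) -> bytes:
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("a MAC address is 48 bits (6 octets)")
    return octets


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 (RFC 4291): insert FF:FE after the OUI and invert the U/L bit,
    which is bit 0x02 of the first octet."""
    o = _mac_bytes(mac)
    return int.from_bytes(bytes([o[0] ^ 0x02]) + o[1:3] + b"\xff\xfe" + o[3:], "big")


def slaac_address(prefix: str, mac: str) -> str:
    """/64 prefix from the RA + EUI-64 interface ID = the SLAAC address (slide 31)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC address formation requires a /64 prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac)))


def link_local_address(mac: str) -> str:
    """The first address a host builds at boot (slide 35): fe80::/64 + EUI-64."""
    return slaac_address("fe80::/64", mac)


def mac_from_address(addr: str):
    """Undo EUI-64. Returns the MAC if the interface ID has FF:FE in the middle, else None
    (a randomised or manually chosen identifier cannot be reversed this way)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    octets = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:]
    return ":".join(f"{x:02x}" for x in octets)


def is_eui64_derived(addr: str) -> bool:
    return mac_from_address(addr) is not None
```

Feeding the router's own link-local address from slide 13 (FE80::6E20:56FF:FEC5:47DF) to `mac_from_address` recovers 6c:20:56:c5:47:df, which is exactly the kind of inventory detail an attacker on the link collects for free when EUI-64 is in use.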

SLIDE 37

Auto-generated pseudo-random number (RFC 3041)

  • Auto-generates the 64 bit interface identifier using a random algorithm instead of the MAC address.
  • Keeps privacy: the address no longer reveals the hardware address or lets the host be tracked across prefixes.
  • How to disable on Windows (this re-exposes the MAC-derived identifier, so do it only where stable, predictable addresses are required, e.g. for servers referenced in ACLs or DNS):
    – C:\> netsh interface ipv6 set privacy state=disabled
    – C:\> netsh interface ipv6 set global randomizeidentifiers=disabled

SLIDE 38

Why not SLAAC?

  • Does not provide DNS/NTP servers to the client (without the RDNSS option or DHCPv6).
  • No authorization to obtain an address on the network:
    – Attack on Router Discovery
    – Attack on Address Configuration (Rogue RA)
    – Attack on Address Resolution
  • DoS with DAD is always possible: an attacker answers every Duplicate Address Detection probe, so no host can ever claim an address (just like ARP spoofing in IPv4).

SLIDE 39

IPv6 Address Assignment

Various IPv6 address assignment methods are as follows:
  • Manual Assignment
  • Stateless Address Autoconfiguration (SLAAC)
  • Stateless DHCPv6
  • Stateful DHCPv6
  • DHCPv6 Prefix Delegation (DHCPv6-PD)

SLIDE 40

Stateless DHCPv6

  • The host configures its address using SLAAC, but other information such as DNS is received via DHCPv6.
  • The DHCP server must be preconfigured with that other configuration, such as DNS.
  • Any router/L3 switch between the DHCP server and the host must be preconfigured as a relay.
  • The host will receive:
    – List of DHCPv6 servers
    – Network address (using SLAAC)
    – List of DNS servers etc. (using DHCPv6)
    – Domain search list option (using DHCPv6)

Figure: DHCPv6 Server – Edge Router (R1) – L3 Switch – L2 Switches –> hosts; Edge Router (R2).

SLIDE 41

Stateless DHCPv6

  • Stateless DHCPv6 normally combines stateless auto-configuration for address assignment with a DHCPv6 exchange for all other configuration settings.

Figure: DHCPv6-Serv-1 – Core Router – DHCPv6-Relay-3 – DHCPv6-Client-1
  1. Router Advertisement (RA) sent, containing the link prefix, with "A-Flag" = ON (default behaviour) and also "O-Flag" = ON
  2. Client auto-configures its address based on the prefix option in the RA, then sends DHCPv6 SOLICIT for the other configuration
SLIDE 42

IPv6 Address Assignment

Various IPv6 address assignment methods are as follows:
  • Manual Assignment
  • Stateless Address Autoconfiguration (SLAAC)
  • Stateless DHCPv6
  • Stateful DHCPv6
  • DHCPv6 Prefix Delegation (DHCPv6-PD)

SLIDE 43

Stateful DHCPv6

  • The DHCP server must be preconfigured with a pool of IP prefixes.
  • Any router/L3 switch between the DHCP server and the host must be preconfigured as a relay.
  • The host will receive:
    – List of DHCPv6 servers
    – Network address
    – List of DNS servers etc.
    – Domain search list option

Figure: DHCPv6 Server – Edge Router (R1) – L3 Switch – L2 Switches; Edge Router (R2).

SLIDE 44

Stateful DHCPv6

RAs can be used to control DHCPv6 client behaviour.

Figure: DHCPv6-Serv-1 – Core Router – DHCPv6-Relay-1 – DHCPv6-Relay-3 – DHCPv6-Client-1
  1. Router Advertisement (RA) sent with "M-Flag" = ON and "A-Flag" = OFF
  2. Client sends DHCPv6 SOLICIT
SLIDE 45

Example: Stateful DHCPv6

Figure: DHCPv6 Server (pool of /64 prefixes from 2405:8a00::/32) – Edge Router (R1) – L3 Switch (proxy) – L2 Switches
  Router interfaces: 2405:8a00:1000:1::1/64 and 2405:8a00:1000:2::1/64 (subnets 2405:8a00:1000:1::/64 and 2405:8a00:1000:2::/64)
  DHCPv6 address assignment to a client: 2405:8a00:1000:1::2/64

SLIDE 46

IPv6 Address Assignment

Various IPv6 address assignment methods are as follows:
  • Manual Assignment
  • Stateless Address Autoconfiguration (SLAAC)
  • Stateless DHCPv6
  • Stateful DHCPv6
  • DHCPv6 Prefix Delegation (DHCPv6-PD)

SLIDE 47

DHCPv6 Delegation Model – RFC 3633 (now merged into RFC 8415)

  • The DHCP server delegates prefixes to the edge router.
  • The edge router (which acts as a delegation client towards the DHCP server) then acts as the DHCP server for hosts, exactly as in stateful/stateless DHCPv6.
  • The DHCP server must be preconfigured with the prefix to be delegated to the edge router.
  • Any router between the edge router and the DHCP server must be preconfigured as a relay.
  • Intermediate routers/L3 switches between the end systems and the edge router must be preconfigured as relays.
  • The host will receive:
    – List of DHCPv6 servers
    – Network address
    – List of DNS servers etc.
    – Domain search list option

Figure: DHCPv6 Server – PE Edge Router (R1), PE Edge Router (R2) – L3 Switch – L2 Switches.

SLIDE 48

Example: DHCPv6 Delegation Model: Stateful / Stateless

Figure: DHCPv6 Server (pool of prefixes from 2405:8a00::/32) – Edge Router acting as DHCP server – L3 Switch (proxy) – L2 Switches
  DHCPv6 prefix delegation to the edge router: 2405:8a00:1000:0001::/56 (the figure also lists 2405:8a00:1000:1::/56 and 2405:8a00:1000:256::/56 in the pool)
  Edge router interfaces: 2405:8a00:1000:0001::1/64 and 2405:8a00:1000:0002::1/64
  DHCPv6 address assignment to a client: 2405:8a00:1000:0001::2/64

SLIDE 49

DHCP Deployment Strategy

  • Stateful DHCPv6 without delegation
    – Central DHCPv6 server assigning addresses to all end clients
    – Each L3 switch's/router's routed ports/SVIs preconfigured with static /64 addresses
    – Each L3 switch/router configured as a relay
    – Each client is assigned a DHCPv6 address based on its L3 segment
  • DHCPv6 delegation model – stateful DHCPv6
    – Central DHCP server delegating /56 prefixes to edge routers
    – Edge router in turn acting as DHCPv6 server for downstream clients

SLIDE 50

Open Source IP Registrar (OSIR)

OSIR is a full-featured solution that provides Dynamic Host Configuration Protocol (DHCP) service and delivers client management features. https://osiradmin.nkn.in

Features: Auto Installation, Link Management, Lease Management, Policy Management, Client Management, Failover Management

SLIDE 51

Customer LAN Migration to IPv6

  • IPv6 Address Allocation
  • Address Assignment
  • Security
SLIDE 52

IPv6 What to look out and how to assess??

SLIDE 53

WATCH OUT: what to inventory for IPv6 readiness

  • Network infrastructure: routers, bandwidth shapers, switches (Layer 2 and Layer 3 devices)
  • Data centre devices: load balancers, firewalls, IPS/IDS, virtual machines (VMware/Xen), blade management consoles, IP KVM
  • Clients: PCs on the LAN, servers, proxy/UTM, network printers, display systems, antivirus/HIPS

SLIDE 54

WATCH OUT (continued)

  • Infrastructure: power/infra management software, UPS management console, building management system, access control system, cameras, digital video recorders
  • Wi-Fi systems: Wi-Fi controllers, AAA servers
  • Software stacks: Windows/Linux/Solaris/AIX; IIS 6 & above / Apache 2 & above; AAA server; BIND 9.5 & above; database (transaction log); logging server (syslog / special tools like WebTrends)

SLIDE 55

IPv6 Supported Devices

  • Operating systems: Windows XP (Service Pack 2), Windows Vista, Windows 7, Windows 8; Linux RHEL 5, RHEL 6, Fedora 12 and above
  • Cisco routers: IOS 12.2 and above
  • Juniper routers: Junos 6.0R2 and above

SLIDE 56

Best Deployment Practices

  • Deployment strategy at the LAN side:
    – All clients should be configured with global IP addresses, so there is no NAT scenario.
    – Block all sessions initiated from outside on non-server segments (the stateful filter at the border gives the protection NAT is often mistaken for).
    – Drop Neighbor Discovery messages (NS, NA, RS, RA) arriving from outside the LAN; they are link-local by design and should never cross a router. DHCPv6 relay traffic is the exception.
    – All standard IPv4 security controls should also be implemented for IPv6.
    – Use L2 switches with L3 awareness (RA Guard / DHCPv6 Guard) to stop rogue routers and DHCPv6 servers from spoofing the LAN.

SLIDE 57

Security IPv6

Figure (Venn diagram): IPv4 vulnerabilities and IPv6 vulnerabilities overlap; specific IPv4 issues lie on one side and specific IPv6 issues on the other.

SLIDE 58

Thank You