Hardcore IPV6
BRKCRT-2000
Donnie Moss, Global Solutions Architect
CCIE#14074
2014 Cisco and/or its affiliates. All rights reserved. BRKCRT-2000 Cisco Public
Agenda
Introduction
IPv6 Basics
IPv6 Addressing Best Practices
IPv6 Network Side
IPv6 Routing Protocol Configuration
What Next?
Conclusion
IPv6 Certification Agenda
CCNA
Describe the technological requirements for running IPv6 in conjunction with IPv4 (including: protocols, dual stack, tunneling, etc.).
Describe IPv6 addresses
IPv6 Certification Agenda
CCNP
Implement an IPv6 based solution, given a network design and a set of requirements
Determine network resources needed for implementing IPv6 on a network
Create an IPv6 implementation plan
Create an IPv6 verification plan
Configure IPv6 routing
Configure IPv6 interoperation with IPv4
Verify IPv6 solution was implemented properly using show and debug commands
Document verification results for an IPv6 implementation plan
Implement an IPv4 or IPv6 based redistribution solution
Create a redistribution implementation plan based upon the results from a redistribution analysis
Create a redistribution verification plan
Configure a redistribution solution
Verify that a redistribution was implemented
Document results of a redistribution implementation and verification plan
Identify the differences between implementing an IPv4 and IPv6 redistribution solution
IPv6 Certification Agenda
CCIE
Implement IPv6
Implement IP version 6 (IPv6) addressing and different addressing types
Implement IPv6 neighbor discovery
Implement basic IPv6 functionality protocols
Implement tunneling techniques
Implement OSPF version 3 (OSPFv3)
Implement EIGRP version 6 (EIGRPv6)
Implement filtering and route redistribution
Implement IPv6 multicast, PIM, and related multicast protocols, such as Multicast Listener Discovery (MLD)
IPv6 Basics
Short History Of IP (timeline figure, 1990 to 2000)
Prediction of the exhaustion of IPv4 Class B by 1994.
ROAD group formed to address routing.
Prediction of the exhaustion of IPv4 addresses by 2005-2011.
IPng Proposals solicitation (RFC 1550).
CATNIP, SIPP, TUBA analyzed. SIPP+ chosen. IPng wg started.
First specification: RFC 1883.
First attempt for provider-based address format.
6bone started.
First IPv6 exchange: 6tap.
Registries assign IPv6 prefixes. IPv6Forum formed.
Major vendors bundle IPv6 in their mainstream product line.
What is an IPv6 address?
IPv6 addresses are 128 bits (IPv4 was 32)
Each address is broken into 16 octets
Each pair of octets is called a group
Address digits are hex
Valid characters are 0-9 and A-F
Lower case is used to avoid confusion
Each group is 4 hex characters
Each group is separated by a colon (:)
Example: abf1:dc71:0000:0000:0000:8375:7887:1109:0510
IPv6 Addresses
IPv6 addresses are 128 bits long
8 groups of four HEX characters
Separated by a colon (:)
50% for networks, 50% for interfaces (to support future EUI-64 MAC functionality)
Address layout (figure):
  nnnn:nnnn:nnnn:       Global Routing Prefix, 48 bits (the first 3 bits are fixed for global unicast)
  ssss:                 Subnet ID, 16 bits (bits 48 to 64)
  xxxx:xxxx:xxxx:xxxx   Host / Interface ID, 64 bits
Global Unicast Identifier Example:
  Network portion: 2400:0000:134A:00A1    Interface ID: 0000:0000:0000:8A21
  Full address:    2400:0000:134A:00A1:0000:0000:0000:8A21
  Abbreviated format: 2400:0:134A:A1::8A21
What is an IPv6 address?
When writing an IPv6 address together with a port number, [square brackets] go around the address
Example: [d3f1:0071:0000:0000:0000:8375:7887:1109:0510]:80
Those are long addresses, aren't they?
To shorten an address, the longest run of all-zero groups can be replaced by ::
That reduces our example to: d3f1:0071::8375:7887:1109:0510/128
To shorten it further, leading zeros in each group can be omitted
That reduces our example to: d3f1:0071::8375:7887:1109:510/128
Are all addresses created equal?
Types of IPv6 Address
Unicast
One to one communication
Ex: Client to Server
Multicast
One to many (assigned grouping)
Example: Video Server to a group of clients
Anycast
One to many (assigned grouping)
Could be used to find nearest service
NO BROADCAST IN IPv6
Special IPv6 Addresses
Default route
  IPv4: 0.0.0.0/0
  IPv6: ::/0
Loopback address
  IPv4: 127.0.0.1
  IPv6: ::1/128
Address type            Binary prefix           IPv6 notation
Unspecified (source)    00...0 (128 bits)       ::/128
Loopback                00...1 (128 bits)       ::1/128
Multicast               1111 1111               FF00::/8
Link-local unicast      1111 1110 10            FE80::/10
Unique local unicast    1111 110                FC00::/7
Global unicast          everything else         currently allocated space is 2000::/3
Multiple Addresses Per Interface
An IPv6 host interface requires the following IPv6 addresses for proper operation:
A link-local address
The loopback address
The all-nodes multicast address
Any additional global and/or ULA unicast and anycast addresses (configured automatically or manually)
One solicited-node multicast address for each of its unicast and anycast addresses
Multicast addresses of any other groups to which the host belongs
IPv6 Privacy Extensions (RFC 3041/4941)
The IEEE 24-bit OUI can be used to identify hardware
http://standards.ieee.org/regauth/oui/oui.txt
Temporary addresses for IPv6 host client applications, e.g. a web browser
Inhibit device/user tracking
Random 64-bit interface ID, then run Duplicate Address Detection before using it
Rate of change based on local policy (recommended is 1 day; default minimum is 7 days)
Now on by default in Win 7/8 and supported in OS X 10.8 Mountain Lion
(Figure: 2400:0xxx:xxxx:ssss followed by a random 64-bit Interface ID, with the /12, /32, /48 and /64 boundaries marked; RFC 4941)
Recommendation: use privacy extensions for external communication but not for internal networks (troubleshooting and attack trace-back)
Address Allocation
ISPs are being allocated /32s
Customers are being allocated /48s
Same as a /16 in v4 terms
Residential customers are being assigned a /56
256 networks per home
Allocated Real World Usage
2^128 addresses total
2000::/3 is actually allocated
That means 2^125 addresses for global unicast addressing
All networks are at least /64s per standard
125 - 64 = 61, so 2^61 possible networks in the currently allocated global space
2^61 = 2,305,843,009,213,693,952 or 2.3 QUINTILLION networks
/48 is the typical allocation to an enterprise customer (48 - 3 fixed bits = 45 bits)
2^45 = 35,184,372,088,832 or 35 TRILLION enterprises
In comparison, the current IPv4 BGP table is ONLY 400,000 routes and people complain!
PA and PI Allocation Process
(Figure)
Provider Assigned: IANA (2000::/3) -> Registries (/12) -> ISP / Org (/32) -> Enterprise (/48)
Provider Independent: IANA (2000::/3) -> Registries (/12) -> Enterprise (/48)
IPv6 Aggregation
(Figure)
APNIC region of the IPv6 Internet: 2400::/12
  ASEAN ISP: 2401:04A0::/32 (only announces the /32 prefix)
    Customer A: 2401:04A0:0001::/48
    Customer B: 2401:04A0:0002::/48
Larger address space enables:
Aggregation of prefixes announced in the global routing table
Efficient and scalable routing... in theory! (In 1995 theory!)
IPv6 Multihoming
LIR Allocation Strategies (ISPs)
Your LIR (ISP) is assigned 2401:E4FF::/32
We wish to allocate /48s out of the /32.
Which are available:
2401:E4FF:0000 through
2401:E4FF:ffff
Recall that the bit structure is:
0010 0100 0000 0001: 1110 0100 1111 1111:| 0000 0000 0000 0000
0010 0100 0000 0001: 1110 0100 1111 1111:| 1111 1111 1111 1111
So there are 65,535 /48s in a /32
Same thought process as IPv4 subnetting!
Sub Allocation Strategies (ISPs)
Some ISPs want to allocate smaller blocks to residential and/or SME customers
We wish to allocate /56s out of some /48s.
What could this look like?
2401:E4FF:1000 through 2401:E4FF:1fff for residential customers
This aggregates to 2401:E4FF:1000::/36 for advertisement
Recall that the bit structure is:
0010 0100 0000 0001: 1110 0100 1111 1111:| 0001 0000 0000 0000
0010 0100 0000 0001: 1110 0100 1111 1111:| 0001 1111 1111 1111
i.e. there are 65,535 /48s in a /32 and 256 /56s in a single /48
You can sub-allocate some /48s as /56s for residential use and some full /48s for corporate customer use
If you only wanted to support residential customers, there are approx. 16.7 million /56s in an entire /32 LIR allocation (24 bits)
Enterprise Allocation Strategy
Suppose you wish to give out /52s from the /48 for regions (4 bits, marked with | below):
2401:04A8:0000 : 0 | 000 : 0000 0000  or  2401:04A8::/52
2401:04A8:0000 : F | fff : 0000 0000  or  2401:04A8:0:F000::/52
Then you wish to divide out /56s from the /52 for departments (4 more bits):
2401:04A8:0000 : 00 | 00 : 0000 0000  or  2401:04A8::/56
2401:04A8:0000 : FF | ff : 0000 0000  or  2401:04A8:0:FF00::/56
8 bits for local subnets per department gives 256 networks per department, each with a nearly unlimited number of hosts (64 bits for hosts!)
(Figure: /32 -> /48 -> /52 gives 4096 subnets per /52; /32 -> /48 -> /56 gives 256 subnets per /56)
Subnets longer than /64
/126 or /127 for P2P links
2401:0468:1FE::1/126 & 2401:0468:1FE::2/126
2401:0468:1FE::149/127
2401:0468:1FE:1921:6801:5201::/96 for NAT64 mapping (example)
Address Types Summary (review)
Address type            Binary prefix           IPv6 notation
Unspecified             00...0 (128 bits)       ::/128
Loopback                00...1 (128 bits)       ::1/128
Multicast               1111 1111               FF00::/8
Link-local unicast      1111 1110 10            FE80::/10
Unique local unicast    1111 110                FC00::/7
Global unicast          everything else         currently allocated space is 2000::/3
Required Router Addresses
An IPv6 router interface is required to recognize the following IPv6 addresses for proper operation:
All valid host addresses
The all-routers multicast addresses
The subnet-router anycast addresses for all interfaces on which it is configured to act as a router (prefix:: ; interface ID = 0)
Other configured unicast or anycast addresses
All other anycast addresses with which the router has been configured
Multicast addresses of all other groups to which the router belongs
IPv6 Addresses Examples
CR-6500-1>sh ipv6 int vlan 200
Vlan200 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::2D0:D3FF:FE81:9000
  Description: --- To Core ---
  Global unicast address(es):
    2001:DB8:12::1, subnet is 2001:DB8:12::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::5
    FF02::D
    FF02::16
    FF02::1:FF00:1
    FF02::1:FF81:9000
Legend for the joined groups:
  FF02::1            All nodes
  FF02::2            All routers
  FF02::5            OSPF routers
  FF02::D            All PIM routers
  FF02::16           All MLDv2-capable routers
  FF02::1:FF00:1     Solicited-node multicast for the global address
  FF02::1:FF81:9000  Solicited-node multicast for the link-local address
IPv6 Interface Identifier
CR-IT-SW3#sh int gi 1/0/3 | in bia
GigabitEthernet1/0/3 is up, line protocol is up
  Hardware is Gigabit Ethernet, address is 000c.3a3e.82de (bia 000c.3a3e.82de)
CR-IT-SW3#
CR-IT-SW3#sh ipv6 interface gi 1/0/3
GigabitEthernet1/0/3 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::20C:3aFF:FE3E:82DE [TEN]
  Global unicast address(es):
    2001:DB8:24:0:20C:3aFF:FE3E:82DE, subnet is 2001:DB8:24::/64 [EUI/TEN]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF3E:82DE
CR-IT-SW3#
CR-IT-SW3#sh run int gi 1/0/3
!
interface GigabitEthernet1/0/3
 no switchport
 ip address 10.149.24.1 255.255.255.0
 ipv6 address 2001:DB8:24::/64 eui-64
!
Multicast Assigned Addresses
FF0x:: is reserved (x = 0..F). Inside this range, the following are assigned:
Address             Meaning             Scope
FF02::1             All nodes           Link-local
FF02::2             All routers         Link-local
FF02::9             All RIP routers     Link-local
FF02::1:FFXX:XXXX   Solicited-node      Link-local
FF05::101           All NTP servers     Site-local
FF05::1:3           All DHCP servers    Site-local
IPv6 Multicast MAC Address Conversion
IPv6 multicast address to MAC address:
33:33:(least significant 32 bits from the IPv6 address)
(Figure: an IPv6 multicast address whose low 32 bits are 0BAD:BEEF maps to the Ethernet multicast address 33:33:0B:AD:BE:EF; 33:33 is the Ethernet multicast prefix for IPv6)
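One added example (not code from the presentation) covering three of the slides above: the modified EUI-64 interface identifier behind the CR-IT-SW3 output, the solicited-node multicast address FF02::1:FFXX:XXXX, and the 33:33 Ethernet mapping. The expected values are the ones shown on those slides.

```python
import ipaddress


def parse_mac(mac: str) -> bytes:
    """Accept Cisco dotted (000c.3a3e.82de) as well as colon or dash separated MAC text."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError("a MAC address has 12 hex digits")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the 48-bit MAC in the middle, insert FFFE,
    and invert the universal/local bit (bit 7 of the first octet)."""
    m = parse_mac(mac)
    first = bytes([m[0] ^ 0x02])
    return first + m[1:3] + b"\xff\xfe" + m[3:6]


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Join a /64 prefix with the modified EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def link_local_eui64(mac: str) -> ipaddress.IPv6Address:
    """The FE80::/64 link-local address a router forms from its MAC."""
    return eui64_address("fe80::/64", mac)


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def multicast_mac(addr: str) -> str:
    """Ethernet destination for an IPv6 multicast address: 33:33 + low 32 bits."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError("not an IPv6 multicast address (FF00::/8)")
    return ":".join(f"{b:02x}" for b in b"\x33\x33" + a.packed[-4:])


def interface_groups(prefix: str, mac: str) -> dict:
    """Everything an EUI-64 interface derives from its MAC: both unicast addresses,
    the solicited-node group for each, and the Ethernet address each group maps to."""
    ll = link_local_eui64(mac)
    glob = eui64_address(prefix, mac)
    groups = sorted({str(solicited_node(str(ll))), str(solicited_node(str(glob)))})
    return {
        "link_local": str(ll),
        "global": str(glob),
        "solicited_node_groups": groups,
        "multicast_macs": [multicast_mac(g) for g in groups],
    }
```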
Subnetting Techniques
Similar to IPv4 subnetting
Make addresses meaningful!
Base the address on location
Type of service
User community
Now we are working with 128 bits instead of 32
We are also using HEX, not BINARY!
Subnetting Example
We are assigned 2011:0524:0000:0000::/48
Goal: divide this into eight subnets.
Solution: use bits 49, 50 and 51 as the subnet bits
These are the first three bits of the first character in the fourth group
2011:0524:0000:0000::/48
Subnet   Subnet bits (binary)   Fourth-group first character (binary)   HEX
1        000                    0000                                    0
2        001                    0010                                    2
3        010                    0100                                    4
4        011                    0110                                    6
5        100                    1000                                    8
Address Break Down
Subnet
2011:0524:0000:0000::/48
2011:0524:0000:2000::/48
2011:0524:0000:4000::/48
2011:0524:0000:6000::/48
2011:0524:0000:8000::/48
2011:0524:0000:A000::/48
2011:0524:0000:C000::/48
2011:0524:0000:E000::/48
Host Focused IPv6
ICMPv6
Required for IPv6 to work properly - MUST NOT BE FILTERED!!!!
Completely changed; note the new header type
Now includes the IGMP function
Types are organized as follows: 0-127 error messages and 128-255 informational messages
1-4        Error messages
128-129    Ping
130-132    Group membership
133-137    Neighbor discovery
ICMPv6 (Type Codes)
Type Description
1 Destination Unreachable
2 Packet Too Big
3 Time Exceeded
4 Parameter Problem
128 Echo Request
129 Echo Reply
130 Group Membership Query
131 Group Membership Report
132 Group Membership Reduction
133 Router Solicitation
134 Router Advertisement
135 Neighbor Solicitation
136 Neighbor Advertisement
137 Redirect
Neighbor Discovery & ICMPv6
Neighbor Discovery
DAD
NUD
Redirects
Address Resolution (equivalent to ARP)
Router Discovery
Neighbor Discovery Types that use ICMPv6
Neighbor Discovery & ICMPv6 (cont.)
IPv4 uses ARP to resolve local addresses
Relies on broadcasts
IPv6 does not have the concept of broadcasts
Still needs a method to resolve local addresses
Uses solicited-node multicast instead
IPv6 uses the following ICMPv6 message types:
Neighbor solicitation
Neighbor advertisement
Router solicitation
Router advertisement
Autoconfiguration
IPv6 hosts can configure their own addresses automatically
Similar in function to IPv4 DHCP
Two methods:
Stateless autoconfiguration
Stateful autoconfiguration
Common ICMPv6 messages to both:
Router advertisements
Router solicitations
Router Advertisement
Used to configure hosts
Periodically sent to the all-nodes multicast group
Also sent in response to a router solicitation message
Options can contain:
Layer 2 address of the advertising router
On-link prefixes and lifetimes
MTU
Message layout (32-bit words):
  Type=134 | Code | Checksum
  Hop Limit | M | O | RSV | Router Lifetime
  Reachable Time
  Retransmit Timer
  Options
Router Solicitation
Sent by hosts to locate on-link routers
Usually sent to the all-routers multicast group
Source address can be:
Unspecified
Local address
Router solicitation message consists of five fields (32-bit words):
  Type=133 | Code | Checksum
  Reserved
  Options
Stateless Autoconfiguration (Host 1 sequence, no router present)
Build link-local address
Join all-nodes multicast group
Join solicited-node multicast group
Send NS
My address is unique!
Send RS
No routers!
Try stateful configuration
Link-local only
Stateless Autoconfiguration
Build link-local address
Join all-nodes multicast group
Join solicited node multicast group
Send NS
My address is unique!
Send RS
Send RA
Build on-link addresses
Stateful Autoconfiguration (1 of 2)
Build link-local address
Join all-nodes multicast group
Join solicited node multicast group
Send own NS
My address is unique!
Send RS
Send RA
(M bit = 0, O bit = 1)
Build on-link addresses
Stateful Autoconfiguration (2 of 2)
Send DHCP request to FF05::1:3 (All DHCP Servers)
Send DHCP reply (unicast)
Read options and configure parameters
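An added example (not code from the presentation) that decodes the Router Advertisement laid out earlier and applies the M/O bits that drive the stateless and stateful flows just described. The sample RA is constructed here (checksum left at zero; a real sender computes it over the IPv6 pseudo-header) and advertises the slide's 3000:b00:c18:1::/64 prefix with 43200-second lifetimes.

```python
import ipaddress
import struct

RA_TYPE = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5


def decode_option(otype: int, body: bytes) -> dict:
    """Decode the three RA options the slide lists; anything else is kept opaque."""
    if otype == OPT_PREFIX_INFO:
        plen, flags, valid, preferred = struct.unpack("!BBII", body[:10])
        prefix = ipaddress.IPv6Address(body[14:30])  # 4 reserved bytes precede the prefix
        return {"type": "prefix", "prefix": f"{prefix}/{plen}",
                "L": bool(flags & 0x80), "A": bool(flags & 0x40),
                "valid": valid, "preferred": preferred}
    if otype == OPT_SRC_LLADDR:
        return {"type": "source_lladdr", "mac": ":".join(f"{b:02x}" for b in body[:6])}
    if otype == OPT_MTU:
        return {"type": "mtu", "mtu": struct.unpack("!I", body[2:6])[0]}
    return {"type": f"unknown({otype})", "length": len(body) + 2}


def parse_ra(pkt: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement (RFC 4861 layout) into a dict."""
    if len(pkt) < 16:
        raise ValueError("RA fixed header is 16 bytes")
    typ, code, _csum, hop_limit, flags, lifetime, reachable, retrans = \
        struct.unpack("!BBHBBHII", pkt[:16])
    if typ != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "reachable_time_ms": reachable,
          "retrans_timer_ms": retrans, "options": []}
    off = 16
    while off < len(pkt):  # options are TLVs whose length is counted in 8-byte units
        if off + 2 > len(pkt):
            raise ValueError("truncated option header")
        otype, olen = pkt[off], pkt[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861 says discard the packet
        body = pkt[off + 2: off + olen * 8]
        if len(body) != olen * 8 - 2:
            raise ValueError("truncated option body")
        ra["options"].append(decode_option(otype, body))
        off += olen * 8
    return ra


def host_decision(ra: dict):
    """What a host does with the flags: prefixes with A set are used for SLAAC,
    M means use DHCPv6 for addresses, O means DHCPv6 for other parameters only."""
    slaac = [o["prefix"] for o in ra["options"] if o["type"] == "prefix" and o["A"]]
    if ra["M"]:
        mode = "stateful: DHCPv6 for addresses"
    elif ra["O"]:
        mode = "stateless addresses, DHCPv6 for other parameters"
    else:
        mode = "stateless only"
    if ra["router_lifetime"] == 0:
        mode += " (sender is not a default router)"
    return mode, slaac


def build_sample_ra() -> bytes:
    """Constructed sample: M=0, O=1, hop limit 64, reachable time 5000 ms."""
    hdr = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, 0x40, 1800, 5000, 0)
    lladdr = bytes([OPT_SRC_LLADDR, 1]) + bytes.fromhex("000c3a3e82de")
    prefix = ipaddress.IPv6Address("3000:b00:c18:1::").packed
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 43200, 43200, 0) + prefix
    mtu = struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    return hdr + lladdr + pio + mtu
```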
Windows 7
Microsoft rebuilt the IPv6 stack for this release
Supports:
Selects IPv6 by default
Neighbor discovery
DHCPv6
Tunneling: ISATAP, Teredo, 6to4
Privacy extensions enabled by default
Firewall supports stateful IPv6 filtering
DHCPv6 client only; additional support via external packages
For more info please see:
http://technet.microsoft.com/en-us/network/bb530961.aspx
Windows 7 Temporary Interface Identifier
C:\>netsh int ipv6 sh addr
Interface 1: Loopback Pseudo-Interface 1
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Other Preferred infinite infinite ::1
Interface 12: isatap.{7218C71C-E509-4EF9-AB57-C08863056588}
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Other Deprecated infinite infinite fe80::5efe:10.109.109.6%12
Interface 13: Local Area Connection* 9
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Public Preferred infinite infinite 2001:0:5ef5:73bc:a2:3ac1:f592:92f9
Other Preferred infinite infinite fe80::a2:3ac1:f592:92f9%13
Interface 11: Local Area Connection
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Temporary Preferred 6d23h49m31s 6d23h49m31s 2001:db8:9:cafe:a133:5fb8:31df:864a
Public Preferred 29d23h59m49s 6d23h59m49s 2001:db8:9:cafe:b407:e685:fb14:c12d
Other Preferred infinite infinite fe80::b407:e685:fb14:c12d%11
Windows 7 doesn't use the EUI-64 technique by default when forming its interface identifier, but uses randomly generated interface identifiers instead
Mac OS X
Mac OS X 10.7 (supported from 10.4 onwards)
The Mac OS X IPv6 stack is based on the KAME project (http://www.kame.net/)
Supports:
IPv6 enabled by default
GUI preferences tool or /usr/sbin/ip6 (# ip6 a | # ip6 x)
To accept Router Advertisements:
sysctl -w net.inet6.ip6.accept_rtadv=1
Privacy addresses and EUI-64 host addresses enabled by default
FreeBSD's IPFW supports stateful and stateless filtering (# ip6fw)
Mail, Perl, Apache, PHP, BIND (on the Server version) all have IPv6 support by default
Tunnel support for IPIP, 6to4
DHCPv6 client mode only (hidden behind automatic config in the GUI)
No server-side direct solutions at this time (a FreeBSD port is possible)
DUAL STACK (Default) BEHAVIOR
Unconditional (default) preference of IPv6 over IPv4
If the local host client has an active IPv6 interface:
The client performs both an A and an AAAA record query
Waits for both to reply or time out
If the AAAA query succeeds, then it initiates the browser connection via IPv6
If the AAAA query fails or times out, then it initiates the browser connection via IPv4
Sounds perfectly sane, right? But...
DUAL STACK BEHAVIOR ISSUES
We must accept FOR NOW that the dual stack world is broken!
Failure of one or the other protocol to respond causes a variety of different broken behaviors
How long will you wait before you fall back to IPv4?
Windows: 3 SYN packets = failure, 19 seconds
Mac OS X 7: 11 SYN packets = failure, 75 seconds
Linux: 11 SYN packets = failure, between 75 seconds and 180 seconds
This is BAD! But stack tuning has its own issues
For a full explanation and lots of options germane to these issues please see:
Analyzing Dual Stack Behavior and IPv6 Quality
By Geoff Huston & George Michaelson of APNIC
https://ripe64.ripe.net/presentations/78-2012-04-16-ripe64.pdf
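An added example (not from the presentation or the APNIC paper) of the client-side answer to "how long will you wait": give IPv6 a short head start and then race IPv4 in parallel, so a destination whose AAAA record leads nowhere costs a fraction of a second instead of a 19 to 180 second SYN retry sequence. The demo builds a constructed local scenario, a service listening on IPv4 loopback only, and reports which family the client ended up using.

```python
import socket
import threading
import time


def try_connect(family, addr, timeout):
    """One bounded TCP connect attempt; returns the connected socket or None."""
    try:
        s = socket.socket(family, socket.SOCK_STREAM)
    except OSError:  # address family not available on this host at all
        return None
    s.settimeout(timeout)
    try:
        s.connect(addr)
    except OSError:  # refused, unreachable, or timed out
        s.close()
        return None
    s.settimeout(None)
    return s


def dual_stack_connect(v6_addr, v4_addr, v6_head_start=0.25, timeout=2.0):
    """Prefer IPv6, but only give it v6_head_start seconds alone; after that IPv4
    is attempted in parallel and the first family to connect wins. Returns
    (socket, "v6" | "v4") or (None, None) when neither connects within timeout."""
    lock = threading.Lock()
    results = {}
    decided = []  # holds the winning key once one is chosen

    def worker(key, family, addr):
        s = try_connect(family, addr, timeout)
        with lock:
            if s is not None and decided:  # lost the race: do not leak the socket
                s.close()
                s = None
            results[key] = s

    t6 = threading.Thread(target=worker, args=("v6", socket.AF_INET6, v6_addr), daemon=True)
    t6.start()
    t6.join(v6_head_start)
    with lock:
        if results.get("v6") is not None:
            decided.append("v6")
            return results["v6"], "v6"
    t4 = threading.Thread(target=worker, args=("v4", socket.AF_INET, v4_addr), daemon=True)
    t4.start()
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with lock:
            for key in ("v6", "v4"):  # IPv6 still preferred if both arrive together
                if results.get(key) is not None:
                    decided.append(key)
                    other = results.get("v4" if key == "v6" else "v6")
                    if other is not None:
                        other.close()
                    return results[key], key
            if "v6" in results and "v4" in results:  # both attempts failed
                return None, None
        time.sleep(0.01)
    return None, None


def demo_v4_only_service():
    """Constructed scenario: the service listens on 127.0.0.1 only, which is what a
    broken dual-stack destination looks like to the client. Returns the family used."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        sock, key = dual_stack_connect(("::1", port), ("127.0.0.1", port))
    finally:
        srv.close()
    if sock is None:
        return None
    sock.close()
    return key
```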
Concluding Thoughts
IPv6 is simply an address change at layer 3. So why is it so complicated?
This stuff was supposedly finalized in 2000. So why are there new RFCs and working groups forming every day to figure this stuff out?
Most OSs (the *NIXes) implemented SLAAC and thought they were done. Not enough great support yet for DHCPv6
We will have to suffer through behavior changes until the end of IPv4. My prediction is that 10 years from now we will be about 85-95% fully converted to IPv6
BTW, we will have another round of issues to fight when we start trying to reach IPv4 legacy resources via IPv6-only hosts at the tail end of this decade of conversion
IPv6 Network Side
IPv6 Multicast
IPv4 and IPv6 Multicast Comparison (service: IPv4 solution -> IPv6 solution)
Addressing range: 32-bit, Class D -> 128-bit (112-bit group)
Routing: protocol independent, all IGPs and MBGP -> protocol independent, all IGPs and MBGP with v6 mcast SAFI
Forwarding: PIM-DM, PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR -> PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR
Group management: IGMPv1, v2, v3 -> MLDv1, v2
Domain control: boundary, border -> scope identifier
Interdomain solutions: MSDP across independent PIM domains -> single RP within globally shared domains
RP discovery: static RP, BSR, Auto-RP -> static RP, BSR, embedded RP (no Auto-RP)
PIMv6
ipv6 multicast-routing
ipv6 pim rp-address <ipv6-address>
ipv6 pim anycast-rp <anycast-address> <peer-address>
IPv6 Quality of Service
Quality of Service
IPv6 QoS
Same architectural models as IPv4
Differentiated Services (Traffic Class field)
Integrated Services (RSVP)
IPv6 traffic class
Value defined per application; use the same DSCP for an application over both IPv4 and IPv6. The decision to differentiate per protocol is an operational one
IPv6 flow label (RFC 3697)
A new 20-bit field in the IPv6 basic header
Its value cannot be changed by intermediate devices
No RFC regarding flow label usage yet
Transition
Mapping between IPv6 DSCP & IPv4 ToS or MPLS EXP
IPv6 basic header:
  Version | Traffic Class | Flow Label
  Payload Length | Next Header | Hop Limit
  Source Address
  Destination Address
Exercise with QoS
IPv6 QoS
This is an excellent opportunity to look at QoS as it stands currently within your
network
What will change with IPv6 deployment?
What needs to change with IPv6 deployment?
All of life is merely a matter of perspective!
Match/set for dscp/precedence now v4/v6 agnostic
Match ipv6 address is new
IPv6 Security:
Access-List Filtering
Cisco IOS IPv6 Extended Access Control Lists
Very much like in IPv4
Filter traffic based on
Source and destination addresses
Next header presence
Layer 4 information
Implicit deny all at the end of the ACL
An empty ACL means traffic is allowed
Reflexive and time-based ACLs
Known extension headers (HbH, AH, RH, MH, destination, fragment) are scanned until:
A layer 4 header is found
An unknown extension header is found
Side note for 7600 & other switches:
No VLAN ACL
Port ACL on Nexus-7000, Cat 3750 (12.2(46)SE), Cat 4K (12.2(54)SG), Cat 6K (12.2(33)SXI4)
IOS IPv6 Extended ACL
Can match on
Upper layers: TCP, UDP, SCTP port numbers
TCP flags SYN, ACK, FIN, PUSH, URG, RST
ICMPv6 code and type
Traffic class (only six of the eight bits) = DSCP
Flow label (0-0xFFFFF)
IPv6 extension headers
routing matches any RH, routing-type matches a specific RH
mobility matches any MH, mobility-type matches a specific MH
dest-option matches any, dest-option-type matches specific destination options
auth matches AH
Can skip AH (but not ESP) since IOS 12.4(20)T
fragments keyword matches
Non-initial fragments (same as IPv4)
And the first fragment if the L4 protocol cannot be determined
undetermined-transport keyword matches (only for deny)
Any packet whose L4 protocol cannot be determined: fragmented or unknown extension header
Cisco IOS IPv6 ACL
Filtering inbound traffic to one specific destination address
(Figure: IPv6 Internet -> Serial 0 -> prefix 2001:db8:2c80:1000::/64; only 2001:db8:2c80:1000::1 is reachable, the others are not)
ipv6 access-list MY_ACL
 remark basic anti-spoofing: our own prefix never arrives from the Internet
 deny ipv6 2001:db8:2c80:1000::/64 any
 permit ipv6 any 2001:db8:2c80:1000::1/128
 ! everything else falls through to the implicit deny ipv6 any any
interface Serial 0
 ipv6 traffic-filter MY_ACL in
IPv6 ACL Implicit Rules - RFC 4890
Implicit entries exist at the end of each IPv6 ACL to allow neighbor discovery:
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any
Nexus 7000 also allows RS & RA
IPv6 ACL Implicit Rules
The beginner's mistake is to add a "deny ... log" at the end of an IPv6 ACL:
 ! Now log all denied packets
 deny ipv6 any any log
 ! Hey . . . I forgot about these implicit lines, which now sit after my deny and are never reached
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any
Solution: explicitly add the implicit ACEs before the logging deny:
 ! Now log all denied packets
 permit icmp any any nd-na
 permit icmp any any nd-ns
 deny ipv6 any any log
Example: Rogue RA & DHCP Port ACL
ipv6 access-list ACCESS_PORT
 remark Block all traffic DHCP server -> client
 deny udp any eq 547 any eq 546
 remark Block Router Advertisements
 deny icmp any any router-advertisement
 permit ipv6 any any
interface GigabitEthernet1/0/1
 switchport
 ipv6 traffic-filter ACCESS_PORT in
Note: Nexus-7000 and Cat 3750 12.2(46)SE, Catalyst 6500 12.2(33)SXI4, Catalyst 4500 12.2(54)SG
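An added example (not code from the presentation) that models IOS IPv6 ACL evaluation just far enough to reproduce the two slides above: the implicit nd-na/nd-ns permits appended after the user's entries, the beginner's "deny ipv6 any any log" that blocks neighbor discovery, and the rogue RA / DHCP port ACL. It only understands the simplified ACE forms shown on the slides (any endpoints, optional eq port, ICMPv6 message names, log); the ICMPv6 type numbers come from the type table earlier in the deck.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS ICMPv6 message names used on the slides, mapped to their type numbers.
ICMP_NAMES = {"nd-ns": 135, "nd-na": 136, "router-solicitation": 133,
              "router-advertisement": 134, "echo-request": 128, "echo-reply": 129}

# The entries IOS appends to every IPv6 ACL (RFC 4890 recommendation).
IMPLICIT = ["permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any"]


@dataclass
class Packet:
    proto: str                       # "icmp", "udp", "tcp", ...
    icmp_type: Optional[int] = None
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    action: str
    proto: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ipv6" and self.proto != pkt.proto:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def _take_endpoint(rest: List[str]) -> Tuple[Optional[int], List[str]]:
    """Consume 'any [eq PORT]'; this model supports no other endpoint forms."""
    if not rest or rest[0] != "any":
        raise ValueError("only 'any' endpoints are modelled here")
    rest = rest[1:]
    port = None
    if rest[:1] == ["eq"]:
        port, rest = int(rest[1]), rest[2:]
    return port, rest


def parse_ace(line: str) -> Ace:
    """<permit|deny> <ipv6|icmp|udp|tcp> any [eq P] any [eq P] [icmp-name] [log]"""
    toks = line.split()
    if len(toks) < 4 or toks[0] not in ("permit", "deny"):
        raise ValueError(f"cannot parse ACE: {line!r}")
    action, proto, rest = toks[0], toks[1], toks[2:]
    log = rest[-1] == "log"
    if log:
        rest = rest[:-1]
    icmp_type = None
    if proto == "icmp" and rest and rest[-1] in ICMP_NAMES:
        icmp_type, rest = ICMP_NAMES[rest[-1]], rest[:-1]
    sport, rest = _take_endpoint(rest)
    dport, rest = _take_endpoint(rest)
    if rest:
        raise ValueError(f"unsupported trailing tokens in ACE: {rest}")
    return Ace(action, proto, sport, dport, icmp_type, log)


def evaluate(acl_lines: List[str], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation with the implicit entries appended. Returns
    (action, matching line). An ACL with no entries allows everything, as the
    deck notes for an empty ACL."""
    entries = [l.strip() for l in acl_lines
               if l.strip() and not l.strip().startswith(("remark", "!"))]
    if not entries:
        return "permit", "(empty ACL: all traffic allowed)"
    for line in entries + IMPLICIT:
        if parse_ace(line).matches(pkt):
            return parse_ace(line).action, line
    raise AssertionError("unreachable: the implicit deny matches every packet")
```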
IPv6 Routing Protocol Configuration
Concept
IPv6 uses a separate routing table from IPv4
Routed vs. routing protocols
Routed protocols transmit payload
Routing protocols transmit path
Routed protocols do not change
Example: HTTP and SMTP
Routing protocols do change!
Some are unique to IPv6 (ex: RIPng)
Some, like IS-IS, are the same
Basic IPv6 Commands
R1(config)# ipv6 unicast-routing
R1(config-if)# ipv6 address <address>
  ipv6 enable                                          ! link-local only
  ipv6 address 3ffe:b00:c18:1:260:3eff:fe47:1500/64    ! full address
  ipv6 address 3ffe:b00:c18:1::/64 eui-64              ! auto-assign host part on the net
R1(config)# ipv6 route <net/vlsm> <next-hop>
  ipv6 route ::/0 3ffe:b00:c18:1:260:3eff:fe47:1530
R1# show ipv6 neighbors
R1# ping <ipv6-addr>
L2 to L3 Mapping
Don't forget that this is another protocol!
Any interface using manual mapping needs to be updated
frame-relay map ipv6
dialer map ipv6
Etc.
HSRP for v6 (First Hop Router Redundancy)
Modification to Neighbor Advertisement, Router Advertisement, and ICMPv6 redirects
Virtual MAC derived from the HSRP group number and the virtual IPv6 link-local address
(Figure: HSRP Active and HSRP Standby routers)
GLBP for v6
Modification to Neighbor Advertisement and Router Advertisement; the GW is announced via RAs
Virtual MAC derived from the GLBP group number and the virtual IPv6 link-local address
(Figure: GLBP AVG/AVF and GLBP AVF/SVF routers)
Neighbor Unreachability Detection (NUD)
For rudimentary HA at the first hop
Hosts use the NUD reachable time to cycle to the next known default gateway (30s by default)
(Figure: RA sent with reach-time = 5,000 msec)
Static Name to Host Address Entries
Name to address resolution just like IPv4
ipv6 host <name> <ipv6-address>
Can specify up to four addresses
You can run a DHCP server and a DNS server in IPv6
No concept of secondary addresses in IPv6; all are valid options
Neighbor Discovery Configuration
LAN1: 3000:b00:c18:1::/64
LAN2: 3000:b00:c18:2::/64
(Figure: R1 and R2 send RAs onto LAN1 and LAN2, with an uplink to the IPv6 Internet)
Router with Fa0/0 on LAN1 and Fa0/1 on LAN2:
interface FastEthernet0/0
 ipv6 nd prefix 3000:b00:c18:1::/64 43200 43200
 ipv6 nd ra-lifetime 0
interface FastEthernet0/1
 ipv6 nd prefix 3000:b00:c18:2::/64 43200 43200
Router with Fa0/0 on LAN1:
interface FastEthernet0/0
 ipv6 nd prefix 3000:b00:c18:1::/64 43200 43200
Prefix Renumbering
NEW network prefix: 3ffe:b00:c18:2::/64
Deprecated prefix: 3ffe:b00:c18:1::/64
Hosts (autoconfigured IPv6 hosts):
 deprecated address 3ffe:b00:c18:1:260:8ff:fede:8fbe
 preferred address 3ffe:b00:c18:2:260:8ff:fede:8fbe
Router configuration after renumbering (preferred lifetime 0 deprecates the old prefix):
interface FastEthernet0/0
 ipv6 nd prefix 3ffe:b00:c18:1::/64 43200 0
 ipv6 nd prefix 3ffe:b00:c18:2::/64 43200
OR: router advertisements with expiration dates
interface FastEthernet0/0
 ipv6 nd prefix 3ffe:b00:c18:1::/64 at Sep 1 2012 23:59 Sep 1 2012 23:59
 ipv6 nd prefix 3ffe:b00:c18:2::/64 43200 43200
Concluding Thoughts
Subnetting in IPv6 is actually easier than IPv4
Only a few bit boundaries to worry about:
/32 LIR (ISP) allocations
/48 Enterprise allocations
/56 Residential allocations
Valid subnet range /48 - /64
/126, /127 & /96 special subnets
Routing: The IPv4 IPv6 Parallel
RIP
RIPv2 for IPv4
RIPng for IPv6
Distinct but similar protocols with RIPng taking advantage of IPv6 specificities
OSPF
OSPFv2 for IPv4
OSPFv3 for IPv6
Distinct but similar protocols with OSPFv3 being a cleaner implementation that takes advantage of IPv6
specificities
IS-IS
Extended to support IPv6
Natural fit to some of the IPv6 foundational concepts
Supports Single and Multi Topology operation
EIGRP
Extended to support IPv6
Some changes reflecting IPv6 characteristics: new TLVs IPv6_REQUEST_TYPE, IPv6_METRIC_TYPE and IPv6_EXTERIOR_TYPE
BGP
New MP_REACH_NLRI and MP_UNREACH_NLRI attributes; AFI=2 with SAFIs for unicast, multicast, labeled and VPN prefixes
Peering over IPv6 or IPv4 (next hop fixed up with route maps)
For all intents and purposes, IPv6 IGPs are similar to their IPv4 counterparts
IPv6 IGPs have additional features that could lead to new designs
Routing Protocols (Junos feature summary; numbers in parentheses are Junos releases)
Static Routes: BFD
RIPng: Graceful Restart and NSR
OSPFv3: authentication via the IPv6 AH extension header; IPsec encryption (ESP header); overloading; Graceful Restart and NSR; BFD (9.3); P2P interface (9.4); OSPF rib-group for IPv6; realm support (IPv4 support) but without TE support
IS-IS: authentication; unicast mesh groups; multicast mesh groups; Graceful Restart and NSR; BFD for dual-stack interfaces (not for v6-only); IS-IS rib-groups for IPv6; multitopology IS-IS (unicast, multicast)
BGP: authentication; BGP peering to IPv6 endpoints; IPv6 routes over IPv4 peering; IPv6 prefix limits; interface counters; Graceful Restart and NSR
BGPv6 supported families: family inet6 unicast, family inet6 multicast, family inet6 labeled-unicast; inet4 unicast (not supported)
Routing policy: IPv6 multicast scoping, IPv6 address family, IPv6 prefixes, IPv6 route destination address
Routing Protocols (continued)
IPv6 PIM: multicast address support; PIMv2; PIM Anycast RP; statically defined RP; embedded RP addresses; Source-Specific Multicast (SSM); Multicast Listener Discovery (v1 and v2); Bootstrap Router (BSR) for IPv6; disable IPv6 PIM independently from IPv4 (9.6)
L3VPN Multicast: NG MVPN for IPv6 multicast (2H2009)
MPLS Protocols: IPv6 tunneling over MPLS LSPs; RSVP-TE for IPv6 (not scheduled yet); LDP for IPv6 (not scheduled yet)
MPLS VPNs: 6PE, 6VPE; VRF table-label
IPv6 Routing Protocols:
Static Routes
Static Route Example
R1(config)# ipv6 route fde7:0e06:ef31::/48 null0
R1#sh ipv6 route static
IPv6 Routing Table - Default - 2 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
EX - EIGRP external
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S FDE7:E06:EF31::/48 [1/0]
via Null0, directly connected
R1#
R1(config)# ipv6 route 2300:0106:aa23::/48 fa0/0
R1(config)#do sh ipv6 route static | begin ^S
S 2300:106:AA23::/48 [1/0]
via FastEthernet0/0, directly connected
S FDE7:E06:EF31::/48 [1/0]
via Null0, directly connected
R1(config)#
Static Options
All static parameters are optional
Parameters are like any other static route
R1(config)#ipv6 route 2300:0106:aa23::/48 fa0/0 ?
<1-254> Administrative distance
X:X:X:X::X IPv6 address of next-hop
multicast Route only usable by multicast
nexthop-vrf Nexthop IPv6 VRF
tag Tag value
unicast Route only usable by unicast
<cr>
Caveat: a static route that names only an outgoing interface (fa0/0 above) and no next-hop address makes the router treat the whole prefix as directly connected and resolve every destination in it with Neighbor Discovery. On a multi-access interface that is slow and lets traffic to unused addresses fill the neighbor cache, so specify the next-hop address on broadcast interfaces. The Null0 route on the previous slide is the usual discard route for an aggregate the router originates but does not hold in full; the same construct is used to black-hole unwanted prefixes.
Routing Policy
Configured in the same way as routing policy for IPv4
Similar match conditions and actions
Create policy first
then apply to interface (PBR), neighbor (BGP), or routing protocol
One new match condition
match protocol ipv6
Routing table built the same as always!
Nothing new to learn for IPv6 in the thought process
IPv6 Routing Protocols:
OSPFv3
OSPFv3
Changes from OSPFv2
Per Link Processing
Addition of flooding scope
New Link LSA
Handling of unknown LSA types
Virtual Link Changes
Authentication changes
OSPFv3
Per Link Processing
IPv6 uses the term link instead of network or subnet to indicate communication
Interfaces connect to links
Adjacencies are formed on link local addresses
Multiple IPv6 subnets can be assigned to a single link
Two nodes can talk directly over a single link, even if they do not share a common IPv6 subnet
Network address and mask do not impact the formation of adjacencies
OSPFv3
Flooding Scope
Each LSA now contains two bits indicating the flooding scope
AS scope, LSA is flooded throughout the AS
Area scope, LSA is flooded only within an area
Link-local scope, LSA is flooded only on the local link
These changes also impact the names of the LSAs
Type 3 (Summary LSA) is now called the inter-area-prefix-LSA
Type 4 (ASBR Summary LSA) is now called the inter-area-router-LSA
Other new LSAs have been added
OSPFv3
Flooding Scope: LSA types (the LS Type code carries the flooding scope in its top bits)
LSA name                LS Type code  Flooding scope     LSA function code
Router LSA              0x2001        Area scope         1
Network LSA             0x2002        Area scope         2
Inter-Area-Prefix-LSA   0x2003        Area scope         3
Inter-Area-Router-LSA   0x2004        Area scope         4
AS-External-LSA         0x4005        AS scope           5
Group-membership-LSA    0x2006        Area scope         6
Type-7-LSA              0x2007        Area scope         7
Link-LSA                0x0008        Link-local scope   8
Intra-Area-Prefix-LSA   0x2009        Area scope         9
OSPFv3
Handling Unknown LSA Types
Each LSA now contains an unknown LSA bit (the U bit of the LS type)
0: Treat this LSA as if it had link-local flooding scope
1: Store and flood this LSA even if you don't understand it
This allows the deployment of new features in the future
Routers that don't understand the new feature will simply store and forward the LSA
Features can be deployed at edges, within a flooding domain, etc., without the need to upgrade all routers
OSPFv3
Virtual Link Requirements
At least one global/unique local IPv6 address in the transit area
OSPFv3 normally sends LSAs with a link-local source address
This won't work over a virtual link because the packet needs to be forwarded through the intervening area
Advertisement of a /128 prefix
If no /128 is available in the table, a /128 from within an existing prefix space will be used
This provides most-specific reachability between the endpoints of the virtual link
OSPFv3
Authentication
At the time of this session (2014), OSPFv3 in Cisco IOS only supports IPsec (RFC 4552) for authentication
Group keying is painful for IPsec: the keys are manual and shared by every router on the link or in the area
There is current work in GDOI and other spaces to make group keying work better for this space
The OSPF working group's work to allow HMAC-SHA and other forms of in-packet authentication has since been published as the OSPFv3 Authentication Trailer (RFC 6506, superseded by RFC 7166), which later implementations, including Cisco IOS XE, support
OSPFv3
Configuration & Show Example
Topology: Router1 POS1/1 2001:410:ffff:1::1/64 in area 0; Router1 POS2/0 2001:b00:ffff:1::2/64 and Router2 POS3/0 2001:b00:ffff:1::1/64 share a link in area 1, so Router1 is the ABR.
Router1#
interface POS1/1
 ipv6 address 2001:410:FFFF:1::1/64
 ipv6 enable
 ipv6 ospf 100 area 0
interface POS2/0
 ipv6 address 2001:B00:FFFF:1::2/64
 ipv6 enable
 ipv6 ospf 100 area 1
ipv6 router ospf 100
 router-id 10.1.1.3
Router2#
interface POS3/0
 ipv6 address 2001:B00:FFFF:1::1/64
 ipv6 enable
 ipv6 ospf 100 area 1
ipv6 router ospf 100
 router-id 10.1.1.4
OSPFv3
Router2#sh ipv6 ospf int pos 3/0
POS3/0 is up, line protocol is up
Link Local Address FE80::290:86FF:FE5D:A000, Interface ID 7
Area 1, Process ID 100, Instance ID 0, Router ID 10.1.1.4
Network Type POINT_TO_POINT, Cost: 1
Transmit Delay is 1 sec, State POINT_TO_POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40,
Retransmit 5
Hello due in 00:00:02
Index 1/1/1, flood queue length 0
Next 0x0(0)/0x0(0)/0x0(0)
Last flood scan length is 3, maximum is 3
Last flood scan time is 0 msec, maximum is 0 msec
Neighbor Count is 1, Adjacent neighbor count is 1
Adjacent with neighbor 10.1.1.3
Suppress hello for 0 neighbor(s)
OSPFv3
Router2#sh ipv6 ospf neighbor detail
Neighbor 10.1.1.3
In the area 1 via interface POS3/0
Neighbor: interface-id 8, link-local address FE80::2D0:FFFF:FE60:DFFF
Neighbor priority is 1, State is FULL, 12 state changes
Options is 0x630C34B9
Dead timer due in 00:00:33
Neighbor is up for 00:49:32
Index 1/1/1, retransmission queue length 0, number of retransmission 1
First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
Last retransmission scan length is 2, maximum is 2
Last retransmission scan time is 0 msec, maximum is 0 msec
OSPFv3
Router2#sh ipv6 route
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP,
B - BGP, U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1,
OE2 - OSPF ext 2
OI 2001:410:FFFF:1::/64 [110/2]
via FE80::2D0:FFFF:FE60:DFFF, POS3/0
C 2001:B00:FFFF:1::/64 [0/0]
via ::, POS3/0
L 2001:B00:FFFF:1::1/128 [0/0]
via ::, POS3/0
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
Same As OSPFv2
Similarities:
One of the similarities is the RID
OSPFv3 maintains a 32-bit RID that represents the router in the link-state database
The RID is not related to an IPv6 address like it is in IPv4
Requires explicit configuration (assuming no IPv4 addresses are present) because
IPv6 addressing cannot be used
Cisco IPv6 and OSPF
Customized globally
R1(config)# ipv6 router ospf (process-id)
R1(config-router)# area (area-id) range ...
Enabled on an interface
R1(config-if)# ipv6 ospf (process-id) area (area-id)
R1(config-if)# ipv6 ospf neighbor (link-local address of the neighbor)
IPv6 and OSPF
Authentication is interesting
Requires IPsec to be used by OSPFv3
Authentication fields are no longer part of the OSPF packet; OSPFv3 relies on the IPv6 AH/ESP extension headers instead
IPv6 and OSPF - Security
Two methods, AH or ESP
ipv6 ospf authentication (AH)
ipv6 ospf encryption (ESP)
Examples (interface config):
ipv6 ospf authentication ipsec spi 500 md5 1234567890abcdef1234567890abcdef
ipv6 ospf encryption ipsec spi 1001 esp null sha1 123456789A123456789B123456789C123456789D
Examples (area config; encryption uses the same format):
area 0 authentication ipsec spi 422 md5 1234567890abcdef1234567890abcdef
Keys are entered as hex: 32 characters for md5, 40 for sha1. They are manual keys with no IKE and no automatic rekeying, so generate them randomly, never reuse the placeholder values above, and configure the same SPI and key on every router on the link (or in the area). "esp null" gives integrity protection without confidentiality; prefer sha1 over md5.
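An audit of the configuration style shown above, as an added example that is not from the slides or from Cisco: it walks an IOS-style configuration text, checks every `ipv6 ospf authentication/encryption ipsec spi` and `area ... authentication ipsec spi` line for key length, SPI range, md5 use and SPI reuse with a different key, and reports OSPFv3 interfaces that are protected neither on the interface nor through their area. The sample configuration is constructed for this example (its keys are the placeholder values from the slide and are meant to be flagged, not copied); the `esp <cipher>` form of the encryption command is only reported for manual review.

```python
import re
from dataclasses import dataclass

# IOS expects manual keys as hex: 32 characters (128 bit) for md5, 40 (160 bit) for sha1.
KEY_HEX_LEN = {"md5": 32, "sha1": 40}
SPI_MIN, SPI_MAX = 256, 4294967295

INTF_RE = re.compile(r"^interface\s+(\S+)")
ROUTER_RE = re.compile(r"^ipv6 router ospf\s+(\d+)")
OSPF_AREA_RE = re.compile(r"^\s*ipv6 ospf\s+(\d+)\s+area\s+(\S+)")
AUTH_RE = re.compile(r"^\s*ipv6 ospf authentication ipsec spi\s+(\d+)\s+(md5|sha1)\s+(?:[07]\s+)?(\S+)")
ESP_NULL_RE = re.compile(r"^\s*ipv6 ospf encryption ipsec spi\s+(\d+)\s+esp null\s+(md5|sha1)\s+(?:[07]\s+)?(\S+)")
AREA_AUTH_RE = re.compile(r"^\s*area\s+(\S+)\s+authentication ipsec spi\s+(\d+)\s+(md5|sha1)\s+(?:[07]\s+)?(\S+)")


@dataclass(frozen=True)
class Finding:
    severity: str   # "error" or "warn"
    where: str      # interface name or "ospf <process> area <area>"
    message: str


def _check_policy(where, spi, alg, key, seen_spis, findings):
    spi = int(spi)
    if not SPI_MIN <= spi <= SPI_MAX:
        findings.append(Finding("error", where, f"SPI {spi} outside {SPI_MIN}-{SPI_MAX}"))
    if not re.fullmatch(r"[0-9A-Fa-f]+", key) or len(key) != KEY_HEX_LEN[alg]:
        findings.append(Finding("error", where, f"{alg} key must be {KEY_HEX_LEN[alg]} hex characters"))
    if alg == "md5":
        findings.append(Finding("warn", where, "md5 authentication; prefer sha1"))
    # An SPI identifies one SA on the router: reusing it with another key/algorithm is a misconfiguration.
    previous = seen_spis.setdefault(spi, (alg, key))
    if previous != (alg, key):
        findings.append(Finding("error", where, f"SPI {spi} reused with a different algorithm or key"))


def audit_ospfv3_auth(config: str) -> list:
    findings, seen_spis = [], {}
    ospf_intfs = {}            # interface -> (process, area)
    intf_protected = set()     # interfaces with their own authentication/encryption
    area_protected = set()     # (process, area) pairs with area-level authentication
    section = None             # ("intf", name) or ("router", process)
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        m = INTF_RE.match(line)
        if m:
            section = ("intf", m.group(1))
            continue
        m = ROUTER_RE.match(line)
        if m:
            section = ("router", m.group(1))
            continue
        if not line.startswith(" "):
            section = None     # some other global command
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "intf":
            m = OSPF_AREA_RE.match(line)
            if m:
                ospf_intfs[name] = (m.group(1), m.group(2))
                continue
            m = AUTH_RE.match(line) or ESP_NULL_RE.match(line)
            if m:
                _check_policy(name, m.group(1), m.group(2), m.group(3), seen_spis, findings)
                intf_protected.add(name)
            elif line.strip().startswith("ipv6 ospf encryption"):
                findings.append(Finding("warn", name, "esp with a cipher: not parsed, review manually"))
                intf_protected.add(name)
        else:
            m = AREA_AUTH_RE.match(line)
            if m:
                where = f"ospf {name} area {m.group(1)}"
                _check_policy(where, m.group(2), m.group(3), m.group(4), seen_spis, findings)
                area_protected.add((name, m.group(1)))
    for intf, (process, area) in ospf_intfs.items():
        if intf not in intf_protected and (process, area) not in area_protected:
            findings.append(Finding("error", intf, f"OSPFv3 process {process} area {area} runs without authentication"))
    return findings


# Constructed sample configuration (not from the slides); keys are the slide's placeholders.
SAMPLE_CONFIG = """\
interface POS1/1
 ipv6 address 2001:db8:ffff:1::1/64
 ipv6 ospf 100 area 0
 ipv6 ospf authentication ipsec spi 500 md5 1234567890abcdef1234567890abcdef
!
interface POS2/0
 ipv6 address 2001:db8:ffff:2::2/64
 ipv6 ospf 100 area 1
 ipv6 ospf encryption ipsec spi 1001 esp null sha1 123456789A123456789B123456789C123456789D
!
interface FastEthernet0/0
 ipv6 address 2001:db8:ffff:3::1/64
 ipv6 ospf 100 area 2
!
interface FastEthernet0/1
 ipv6 address 2001:db8:ffff:4::1/64
 ipv6 ospf 100 area 0
!
ipv6 router ospf 100
 router-id 10.1.1.3
 area 0 authentication ipsec spi 422 md5 1234567890abcdef1234567890abcdef
"""

if __name__ == "__main__":
    for f in audit_ospfv3_auth(SAMPLE_CONFIG):
        print(f"{f.severity:5} {f.where:22} {f.message}")
```

Run against the sample, the audit warns about md5 on POS1/1 and on area 0, accepts POS2/0 (sha1, 40 hex characters) and FastEthernet0/1 (covered by the area 0 policy), and reports FastEthernet0/0 as an unauthenticated OSPFv3 interface. Feed it `show running-config` output from each router and compare the SPI/key pairs across routers by hand, since the per-router view cannot see a mismatch between neighbors.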
Router ID Selection (Junos)
IPv6 networks preserve the 32-bit router ID
This is not an IPv4 address, it just looks like one!
You can set the RID manually under routing-options, although an existing IPv4 address can be used
The Junos OS uses the first non-127/8 address it finds as the RID
lo0 is the first interface activated, so a non-127/8 address configured there serves as the RID
If the Junos software does not find a suitable address on lo0, it examines the next interface activated (normally fxp0)
IPv6 functionality should not depend on another protocol being configured, so set the RID manually!
IPv6 Routing Protocols:
MBGP
MP-BGP Basics
Path vector protocol
Carries sequence of AS numbers indicating path
Ties autonomous systems together via peering
Multiple address families: ipv4, ipv6, unicast, multicast
Figure: three autonomous systems (AS 101, AS 201, AS 301) connected by peering sessions
BGP-4 Extensions for IPv6
TCP Interaction
BGP-4 runs on top of TCP
This connection could be setup either over IPv4 or IPv6
Router ID
When no IPv4 address is configured, an explicit bgp router-id needs to be configured
It is the BGP Identifier carried in the OPEN message and is used as a tie breaker in path selection
Non Link Local Peering
Topology: Router A in AS 1 (2001:db8:ffff:2::1) peers with Router B in AS 2 (2001:db8:ffff:2::2) over the link 2001:db8:ffff:2::/64; Router A originates 2003:3:2::/64 and 2003:3:3::/64
Router A
router bgp 1
 no bgp default ipv4-unicast
 bgp router-id 1.1.1.1
 neighbor 2001:db8:ffff:2::2 remote-as 2
 address-family ipv6
  neighbor 2001:db8:ffff:2::2 activate
  network 2003:3:2::/64
  network 2003:3:3::/64
BGP-4 Extensions for IPv6 (RFC 2545)
BGP-4 carries only 3 pieces of information that are truly IPv4 specific:
NLRI in the UPDATE message contains an IPv4 prefix
NEXT_HOP path attribute in the UPDATE message contains an IPv4 address
BGP Identifier in the OPEN message and the AGGREGATOR attribute
To make BGP-4 available for other network layer protocols, RFC 2858 (which obsoleted RFC 2283 and has itself been obsoleted by RFC 4760) defines multiprotocol extensions for BGP-4
Enables BGP-4 to carry information of other protocols, e.g. MPLS, IPv6
New BGP-4 optional and non-transitive attributes:
MP_REACH_NLRI
MP_UNREACH_NLRI
Protocol independent NEXT_HOP field inside MP_REACH_NLRI
Protocol independent NLRI field inside both attributes
BGP-4 Extensions for IPv6
Address Family Information (AFI) for IPv6
AFI = 2 (RFC 1700)
Sub-AFI = 1 Unicast
Sub-AFI = 2 (Multicast for RPF check)
Sub-AFI = 3 for both Unicast and Multicast
Sub-AFI = 4 Label
Sub-AFI= 128 VPN
BGP-4 Extensions for IPv6
Next hop contains a global IPv6 address and potentially a link-local one (for iBGP updates the next hop has to be rewritten to a reachable global IPv6 address, e.g. with next-hop-self or a route map)
The length of the next hop field in the MP_REACH_NLRI attribute is 16 when only the global address is present and 32 when the link-local address is present as well
A link-local next hop is included only when the advertising speaker shares the subnet with both the next-hop router and the peer the route is advertised to
BGP Overview
Path-vector EGP that uses multiple path attributes to select the active route
Originally designed for IPv4
Extended to carry additional information
Multicast
VPNs
IPv6
MBGP specifications:
Multiprotocol extensions for BGP-4: RFC 4760, January 2007
Use of BGP-4 multiprotocol extensions for IPv6 interdomain routing: RFC 2545
MP-BGP and IPv6
Multiprotocol extensions for BGP-4:
Add new fields to identify the type of route being advertised
Make it possible to carry IPv6 routes on top of IPv4 BGP sessions
IPv6-specific extensions:
Scoped addresses: NEXT_HOP contains a global IPv6 address and potentially a link-local address (only when there is link-local reachability with the peer)
NEXT_HOP and NLRI are expressed as IPv6 addresses and prefixes in the multiprotocol attributes
Address-Families are new RIBs
Address families began with MBGP to separate RIB entries
Common address-families are
IPv6 (unicast | multicast)
Nsap
IPv4 Multicast
Vpnv4
Vpnv6
Ipv4 unicast vrf (name)
Default is IPv4 Unicast
Prior to Address Families
router bgp 1001
 neighbor 10.1.1.4 remote-as 1001
 neighbor 10.1.1.4 update-source loopback 0
 neighbor 10.1.1.4 route-map Bob in
 neighbor 10.1.1.4 send-community
 network 10.1.100.0 mask 255.255.255.0
 network 10.1.101.0 mask 255.255.255.0
 redistribute static
Way to Think About the Old Way
router bgp 1001
 [Connections]
 neighbor 10.1.1.4 remote-as 1001
 neighbor 10.1.1.4 update-source loopback 0
 address-family ipv4
  neighbor 10.1.1.4 route-map Bob in
  neighbor 10.1.1.4 activate
  neighbor 10.1.1.4 send-community
  network 10.1.100.0 mask 255.255.255.0
  network 10.1.101.0 mask 255.255.255.0
  redistribute static
Activate Each Neighbor
Multiple neighbors can carry some or all of the supported families
Activate each one
Each RIB filters separately
Each RIB name is important for NLRI information to be kept correctly
Each RIB/Family information is separate
Useful for running separate info over separate links/peering information
MBGP Configuration
Topology: Router1 (AS 65001, 3ffe:b00:c18:2:1::f) peers with Router2 (AS 65002, 3ffe:b00:c18:2:1::1)
Router1#
interface FastEthernet0/0
 ipv6 address 3FFE:B00:C18:2:1::F/64
router bgp 65001
 no bgp default ipv4-unicast
 neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
 address-family ipv6
  neighbor 3FFE:B00:C18:2:1::1 activate
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out
 exit-address-family
MBGP Prefix Bidirectional Filtering
Filtering BGP routing updates between Router1 (3ffe:b00:c18:2:1::f) and Router2 (3ffe:b00:c18:2:1::1)
Router1#
router bgp 65001
 no bgp default ipv4-unicast
 neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
 address-family ipv6
  neighbor 3FFE:B00:C18:2:1::1 activate
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in
  neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out
  network 3FFE:B00::/24
 exit-address-family
ipv6 prefix-list bgp65002in seq 5 permit 3FFE::/16 le 24
ipv6 prefix-list bgp65002out seq 5 permit 3FFE::/16 le 24
Example updates: 3ffe:b00::/24 matches the prefix-list (inside 3ffe::/16, length 16 to 24) and is accepted in both directions; 3ffe:b00:1::/48 and 3ffe:300::/32 are longer than /24 and fall through to the implicit deny at the end of the list.
MBGP Config with Inbound Filtering
Configure BGP to accept legal prefixes only (prefix-list)
Topology: the router in AS 65001 (3ffe:b00:c18:2:1::f) peers with AS 65002 (3ffe:b00:c18:2:1::1) and AS 65003 (3ffe:b00:c18:2:1::2)
router bgp 65001
 no bgp default ipv4-unicast
 neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
 neighbor 3FFE:B00:C18:2:1::2 remote-as 65003
 address-family ipv6
  neighbor 3FFE:B00:C18:2:1::1 activate
  neighbor 3FFE:B00:C18:2:1::2 activate
  neighbor 3FFE:B00:C18:2:1::1 prefix-list Legal in
  neighbor 3FFE:B00:C18:2:1::2 prefix-list Legal in
  network 3FFE:B00::/24
 exit-address-family
ipv6 prefix-list Legal seq 5 permit 2001::/16 le 35
ipv6 prefix-list Legal seq 10 permit 3FFE::/17 ge 24 le 24
ipv6 prefix-list Legal seq 15 permit 3FFE:8000::/17 ge 28 le 28
ipv6 prefix-list Legal seq 20 permit 2002::/16
Caveat: the "Legal" list reflects the allocation policy of the 6bone era. 3ffe::/16 was returned to IANA in 2006 (RFC 3701), the 6to4 prefix 2002::/16 is deprecated (RFC 7526), and current global unicast assignments come from many blocks across 2000::/3, so a present-day inbound filter must be built from current RIR allocations and bogon lists rather than these values. The ge/le mechanics are unchanged.
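A small evaluator for the prefix-list semantics used on the last two slides, as an added example (it is not from the slides or from IOS): it parses `ipv6 prefix-list` lines, applies the IOS matching rules (an entry matches when the candidate shares the entry's first prefix-length bits and its own length lies in the ge/le window, exact length only when neither is given, first match in sequence order wins, implicit deny at the end) and evaluates the updates from the bidirectional-filtering slide against bgp65002in, plus constructed prefixes against Legal. The prefix-list lines are copied from the slides; the helper names are this example's own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

ENTRY_RE = re.compile(
    r"^ipv6 prefix-list (?P<name>\S+) seq (?P<seq>\d+) (?P<action>permit|deny) (?P<prefix>\S+)"
    r"(?: ge (?P<ge>\d+))?(?: le (?P<le>\d+))?$"
)


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str
    prefix: ipaddress.IPv6Network
    ge: Optional[int]
    le: Optional[int]

    def matches(self, candidate: ipaddress.IPv6Network) -> bool:
        base = self.prefix.prefixlen
        low = self.ge if self.ge is not None else base
        if self.le is not None:
            high = self.le
        else:
            high = 128 if self.ge is not None else base   # no ge/le: exact length only
        if not low <= candidate.prefixlen <= high:
            return False
        shift = 128 - base   # compare only the entry's own prefix bits
        return (int(candidate.network_address) >> shift) == (int(self.prefix.network_address) >> shift)


def parse_prefix_lists(config: str) -> dict:
    """Return {list name: entries sorted by sequence number} from IOS-style lines."""
    lists = {}
    for line in config.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        prefix = ipaddress.IPv6Network(m["prefix"], strict=False)
        ge = int(m["ge"]) if m["ge"] else None
        le = int(m["le"]) if m["le"] else None
        if ge is not None and ge < prefix.prefixlen:
            raise ValueError(f"seq {m['seq']}: ge must not be shorter than the prefix length")
        if le is not None and le < (ge if ge is not None else prefix.prefixlen):
            raise ValueError(f"seq {m['seq']}: le must not be shorter than ge / the prefix length")
        lists.setdefault(m["name"], []).append(Entry(int(m["seq"]), m["action"], prefix, ge, le))
    for entries in lists.values():
        entries.sort(key=lambda e: e.seq)
    return lists


def evaluate(entries, prefix: str) -> str:
    """First matching entry decides; an unmatched prefix hits the implicit deny."""
    candidate = ipaddress.IPv6Network(prefix, strict=False)
    for entry in entries:
        if entry.matches(candidate):
            return entry.action
    return "deny"


# Prefix-lists copied from the two slides above.
SLIDE_PREFIX_LISTS = """
ipv6 prefix-list bgp65002in seq 5 permit 3FFE::/16 le 24
ipv6 prefix-list bgp65002out seq 5 permit 3FFE::/16 le 24
ipv6 prefix-list Legal seq 5 permit 2001::/16 le 35
ipv6 prefix-list Legal seq 10 permit 3FFE::/17 ge 24 le 24
ipv6 prefix-list Legal seq 15 permit 3FFE:8000::/17 ge 28 le 28
ipv6 prefix-list Legal seq 20 permit 2002::/16
"""
PREFIX_LISTS = parse_prefix_lists(SLIDE_PREFIX_LISTS)
```

`evaluate(PREFIX_LISTS["bgp65002in"], "3ffe:b00:1::/48")` returns "deny" and the /24 returns "permit", matching the previous slide. The same evaluator is a cheap way to regression-test a production prefix-list against a set of prefixes you must accept and a set (bogons, your own space, too-specific routes) you must never accept, before the list is pushed to a router.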
Configuration EIGRP
hostname R1
!
ipv6 unicast-routing
!
interface Loopback0
no ip address
ipv6 address 1010:AB8::/64 eui-64
ipv6 enable
ipv6 eigrp 1
!
ipv6 router eigrp 1
router-id 2.2.2.2
no shutdown
!
Troubleshooting
show ipv6 eigrp events
show ipv6 eigrp interfaces
show ipv6 eigrp neighbors
show ipv6 interface
show ipv6 ospf
show ipv6 route
show ipv6 route bgp
IPv6: What's Next?
IPv4 to IPv6 Transition Challenges
16+ methods, possibly in combination
Dual stack
Consider security for both protocols
Cross v4/v6 abuse
Resiliency (shared resources)
Tunnels
Bypass firewalls (protocol 41 or UDP)
Can cause asymmetric traffic (hence breaking stateful firewalls)
Dual Stack Host Considerations
Host security on a dual-stack device
Applications can be subject to attack on both IPv6 and IPv4
Fate sharing: as secure as the least secure stack...
Host security controls should block and inspect traffic from both IP versions
Host intrusion prevention, personal firewalls, VPN clients, etc.
Figure: a dual-stack client on an IPv4 IPsec VPN with no split tunneling. Does the IPsec client stop an inbound IPv6 packet (IPv6 header plus exploit payload) that arrives outside the tunnel?
IPv6 Tunneling Summary
RFC 1933/2893 configured and automatic tunnels
RFC 2401 IPsec tunnel
RFC 2473 IPv6 generic packet tunnel
RFC 2529 6over4 tunnel
RFC 3056 6to4 tunnel
RFC 5214 ISATAP tunnel
Mobile IPv6 (uses RFC 2473)
RFC 4380 Teredo tunnels
RFC 5569 6rd
Only allow authorized endpoints to establish tunnels
Static tunnels are deemed more secure, but less scalable
Automatic tunneling mechanisms are susceptible to packet forgery and DoS attacks
These tools have the same risk as IPv4, just new avenues of exploitation
Automatic IPv6 over IPv4 tunnels could be secured by IPv4 IPsec
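Detection logic for the tunnel mechanisms listed above, as an added example that is not from the slides: it classifies flow records (IPv4 5-tuples of the kind NetFlow or a firewall log provides) as IPv6-in-IPv4 (protocol 41), 6to4 towards the anycast relay, or Teredo (UDP 3544), and extracts the IPv4 endpoint embedded in 6to4, Teredo and ISATAP IPv6 addresses so tunnel traffic seen on the IPv6 side can be tied back to the IPv4 host that is bypassing the IPv4 firewall policy. The flow records and the allow-list of sanctioned tunnel endpoints are constructed; the address layouts come from RFC 3056, RFC 4380 and RFC 5214.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

TEREDO_PORT = 3544                                   # RFC 4380 Teredo service port
SIXTO4_RELAY = ipaddress.IPv4Address("192.88.99.1")  # RFC 3068 6to4 anycast relay (deprecated by RFC 7526)
SIXTO4_PREFIX = ipaddress.IPv6Network("2002::/16")
TEREDO_PREFIX = ipaddress.IPv6Network("2001::/32")


@dataclass(frozen=True)
class Flow:
    src: str      # IPv4 source
    dst: str      # IPv4 destination
    proto: int    # IP protocol number: 6 TCP, 17 UDP, 41 IPv6-in-IPv4
    sport: int = 0
    dport: int = 0


def classify_tunnel(flow: Flow) -> Optional[str]:
    """Name the transition mechanism a flow record suggests, or None for plain IPv4 traffic."""
    if flow.proto == 41:
        if ipaddress.IPv4Address(flow.dst) == SIXTO4_RELAY:
            return "6to4 via anycast relay"
        return "IPv6-in-IPv4 (protocol 41: configured, 6to4, 6rd or ISATAP)"
    if flow.proto == 17 and TEREDO_PORT in (flow.sport, flow.dport):
        return "Teredo (UDP 3544)"
    return None


def is_isatap(addr: ipaddress.IPv6Address) -> bool:
    """ISATAP interface identifiers are 0000:5EFE or 0200:5EFE followed by the IPv4 address (RFC 5214)."""
    iid = int(addr) & ((1 << 64) - 1)
    return (iid >> 32) in (0x00005EFE, 0x02005EFE)


def embedded_ipv4(address: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the IPv4 endpoint embedded in a 6to4, Teredo or ISATAP address."""
    addr = ipaddress.IPv6Address(address)
    bits = int(addr)
    if addr in SIXTO4_PREFIX:
        return ipaddress.IPv4Address((bits >> 80) & 0xFFFFFFFF)          # 2002:V4ADDR::/48
    if addr in TEREDO_PREFIX:
        return ipaddress.IPv4Address((bits & 0xFFFFFFFF) ^ 0xFFFFFFFF)   # client IPv4, bit-inverted, low 32 bits
    if is_isatap(addr):
        return ipaddress.IPv4Address(bits & 0xFFFFFFFF)
    return None


def tunnel_report(flows, allowed_endpoints=()) -> list:
    """Flows carrying tunnel traffic from a source that is not an authorized tunnel endpoint."""
    allowed = {ipaddress.IPv4Address(a) for a in allowed_endpoints}
    hits = []
    for flow in flows:
        kind = classify_tunnel(flow)
        if kind and ipaddress.IPv4Address(flow.src) not in allowed:
            hits.append((flow.src, flow.dst, kind))
    return hits


# Constructed flow records: one sanctioned 6to4 router, one unsanctioned host running Teredo,
# one unsanctioned protocol-41 tunnel, and ordinary HTTPS for contrast.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.88.99.1", 41),
    Flow("10.0.0.7", "203.0.113.50", 17, 50000, 3544),
    Flow("10.0.0.7", "203.0.113.50", 6, 50000, 443),
    Flow("10.0.0.9", "203.0.113.9", 41),
]
```

`tunnel_report(SAMPLE_FLOWS, allowed_endpoints=["10.0.0.5"])` lists the Teredo host and the unsanctioned protocol-41 tunnel and stays quiet about the sanctioned 6to4 router, which is the "only allow authorized endpoints" rule from the slide turned into a check. Teredo over a non-default port and IPv6 over GRE or over an IPsec tunnel are not visible to this classifier; for those, inspect the decapsulated traffic or block the mechanism at the host.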
DNS: Basic Ideas
DNS in IPv6 is much like DNS in IPv4
Keep files and delegations as simple as possible.
Can use IPv4 as transport for DNS for now.
Modern versions of BIND will work: BIND 9 is stable and works with IPv6.
There is work on dynamic DNS in progress, but we don't need to worry about that for now.
IPv6 and DNS
Hostname to IP address
IPv4, A record: www.abc.test. A 192.168.30.1
IPv6, AAAA record: www.abc.test. AAAA 2001:db8:c18:1::2
IP address to hostname
IPv4, PTR record: 1.30.168.192.in-addr.arpa. PTR www.abc.test.
IPv6, PTR record: 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR www.abc.test.
DNS Example (IPv4-Only)
IPv4-only host sends a DNS request for h.root-servers.net (QTYPE=A) to the DNS server
IPv4 A response (128.63.2.53)
Sample DNS response: H.ROOT-SERVERS.NET. 210892 IN A 128.63.2.53
DNS Example (IPv6-Only)
IPv6-only host sends a DNS request for h.root-servers.net (QTYPE=AAAA) to the DNS server
IPv6 AAAA response (2001:500:1::803f:235)
Sample DNS response: H.ROOT-SERVERS.NET. 210892 IN AAAA 2001:500:1::803f:235
DNS Example (Dual-Stack)
Dual-stack host sends DNS requests for h.root-servers.net (QTYPE=AAAA and QTYPE=A) to the DNS server
IPv6 AAAA response (2001:500:1::803f:235) and IPv4 A response (128.63.2.53)
Host: "I prefer IPv6 addresses"
Sample DNS response:
H.ROOT-SERVERS.NET. 210892 IN AAAA 2001:500:1::803f:235
H.ROOT-SERVERS.NET. 210892 IN A 128.63.2.53
DNS Capture: Default IPv6 init
Figure (packet capture): A and AAAA queries for www.google.com; IPv6 transport preferred; response carries both IPv4 and IPv6 addresses
DNS Enhancements for IPv6
RFC 3596
DNS extensions to support IP version 6
Name to address records
AAAA record type (equivalent to IPv4 A record)
Example record:
host1.microsoft.com IN AAAA 2001:DB8::1:DD48:AB34:D07C:3914
Address to name records
New reverse domain called IP6.ARPA.
Example record for 2001:DB8::1:DD48:AB34:D07C:3914 (or 2001:0DB8:0000:0001:DD48:AB34:D07C:3914):
4.1.9.3.C.7.0.D.4.3.B.A.8.4.D.D.1.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.IP6.ARPA. IN PTR host1.microsoft.com
Name Resolution Support in Windows
Resolution Options:
1. Entries in the Hosts file
2. DNS resolver support
3. DNS Server service support
4. DNS dynamic update
5. DNS zone transfers
6. Source and destination address selection
7. LLMNR support
8. Support for ipv6-literal.net names
9. Peer Name Resolution Protocol
10. Name Resolution Policy Table
11. DNS Security Extensions (DNSSEC)
DNS Issues
Upgrade DNS servers to support IPv6
Adding AAAA record for a specific server to the DNS Server requires ALL
services to be IPv6 aware
LDAP or AD IPv6 Aware
All Services running on the Server
Interim solution is to use a temporary name (see Google's IPv6 start in 2008):
ipv6.google.com vs. www.google.com
This practice helps reduce the issue of unhappy dual-stack hosts by eliminating the multiprotocol response to DNS requests
Forward Lookups
Uses AAAA records to assign IPv6 addresses to names.
Multiple addresses possible for any given name, for example in a multi-homed situation.
Can assign A records and AAAA records to a given name/domain (once IPv6 is more stable globally).
Can also assign separate domains for IPv6 and IPv4.
BCP today.
Don't be afraid to experiment!
Upstream Support
How to get IPv6?
Tunnel Brokers
Hurricane Electric
RoutintHouse.com
SixXS
Others: http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
6to4 gateway
Participate in the My Favorite Speaker Contest
Promote your favorite speaker through Twitter and you could win $200 of Cisco
Press products (@CiscoPress)
Send a tweet and include
Your favorite speaker's Twitter handle @CiscoKid14074
Two hashtags: #CLUS #MyFavoriteSpeaker
You can submit an entry for more than one of your favorite speakers
Don't forget to follow @CiscoLive and @CiscoPress
View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could be a Winner
SP Related Official Cisco Training Offerings
Course | Description | Cisco Certification
Building Cisco Service Provider Next-Generation Networks, Part 1 (SPNGN1) and Part 2 (SPNGN2) | These courses introduce Cisco SP IP Next-Generation Network technologies and solutions, including OSI and TCP/IP models, IPv4/v6 addressing, switching, routing, transport types, security, network management, and Cisco operating systems. | CCNA Service Provider
Deploying Cisco Service Provider Network Routing (SPROUTE) | This course covers the implementation of routing protocols (OSPF, IS-IS, BGP), route manipulations, and high availability routing features within SP IP NGN environments. | CCNP Service Provider
Deploying Cisco Service Provider Advanced Network Routing (SPADVROUTE) | This course covers advanced routing topics in BGP, as well as multicast services including PIM-SM, and IPv6 within SP IP NGN environments. | CCNP Service Provider
Implementing Cisco Service Provider Next-Generation Core Network Services (SPCORE) | This course covers core network services, including MPLS-LDP features, MPLS traffic engineering, QoS queuing mechanisms, and transport technologies within SP IP NGN environments. | CCNP Service Provider
Implementing Cisco Service Provider Next-Generation Edge Network Services (SPEDGE) | This course covers edge network services, including MPLS Layer 3 VPNs, Layer 2 VPNs, and Carrier Ethernet services within SP IP NGN environments. | CCNP Service Provider
For more details please visit: http://learningnetwork.cisco.com
Questions: Visit the Learning@Cisco Booth
R&S Related Official Cisco Training Offerings
Course | Description | Cisco Certification
CCIE R&S Advanced Workshops (CIERS-1 & CIERS-2) plus Self Assessments, Workbooks & Labs | Expert level trainings including: instructor led workshops, self assessments, and practice labs to prepare candidates for the CCIE R&S practical exam. | CCIE