Transcript Slide 1
CIS 185 CCNP ROUTE Ch. 8 Implementing IPv6 – Part 1 Rick Graziani Cabrillo College [email protected] Last Updated: Fall 2010 Materials Book: Implementing Cisco IP Routing (ROUTE) Foundation Learning Guide: Foundation learning for the ROUTE 642-902 Exam By Diane Teare Book ISBN-10: 1-58705-882-0 ISBN-13: 978-1-58705-882-0 eBook ISBN-10: 0-13-255033-4 ISBN-13: 978-0-13-255033-8 2 Recommended Reading The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference [Hardcover] Charles M. Kozierok (Author) 3 IPv6 Part 1 Introducing IPv6 IPv6 Addressing in an Enterprise Network IPv6 Addressing Configuring and Verifying IPv6 Unicast Addresses Part 2 Routing IPv6 Traffic Part 3 Transitioning IPv4 to IPv6 Tunneling IPv6 Traffic Translation Using NAT-PT 4 Features of IPv6 Larger address space Elimination of NAT Elimination of broadcast addresses Simplified header for improved router efficiency Support for mobility and security Transition richness 5 Why Do We Need a Larger Address Space? Internet population Approximately 973 million users in November 2005 Emerging population and geopolitical and address space Mobile users phones, iPads, tablets ,etc Approximately 20 million in 2004 Mobile phones Already 1 billion mobile phones delivered by the industry Transportation Planes, trains, busses, automobiles Consumer devices Billions of home and industrial appliances 6 IP Address Allocation History 1981: IPv4 Protocol was published. 1985: 6% of IPv4 address space in use. 2001: 66% of IPv4 address space in use. 2010: 96% of IPv4 address space in use. 7 Larger Address Space IPv4 32 bits or 4 bytes long 4,200,000,000 possible addressable nodes IPv6 128 bits or 16 bytes: four times the bits of IPv4 3.4 * 1038 possible addressable nodes 340,282,366,920,938,463,374,607,432,768,211,456 5 * 1028 addresses per person 50,000,000,000,000,000,000,000,000,000 8 Larger Address Space Enables Address Aggregation Aggregation of prefixes announced in the global routing table Efficient and scalable routing 9 IPv6 Features Address assignment features: Using DHCP and Stateless Autoconfiguration. Built-in Support for Mobility: IPv6 supports mobility such that IPv6 hosts can move around the Internetwork, retain their IPv6 address and without losing current application sessions. Aggregation: IPv6’s huge address space makes for much easier aggregation of blocks of addresses in the Internet, making routing in the Internet more efficient. No need for NAT/PAT: The huge public IPv6 address space removes the need for NAT/PAT, which avoids some NAT-induced application problems and makes for more efficient routing. No Broadcasts: IPv6 does not use layer 3 broadcast addresses, instead relying on multicasts to reach multiple hosts. Transition tools: IPv6 has many rich tools to help with the transition from IPv4 to IPv6. 10 IPv6 Packet Header IPv6 has fewer fields The header is 64-bit aligned which enables fast, efficient, hardware-based processing. Hardware-based, efficient processing Improved routing efficiency and performance Faster forwarding rate with better scalability The IPv6 address fields are four times larger than in IPv4. IPv6 header is 40 octets IPv6 header is 20 octets in the IPv4 header. 11 IPv4 Header Version IHL Type of Service Identification Time to Live Protocol IPv6 Header Total Length Version Flags Fragment Offset Header Checksum Traffic Class Payload Length Flow Label Next Header Hop Limit Source Address Destination Address Legend Options Padding Source Address Field’s Name Kept from IPv4 to IPv6 Fields Not Kept in IPv6 Name and Position Changed in IPv6 Destination Address New Field in IPv6 The IPv4 header: 12 basic header fields + Options and Padding Data portion (usually transport layer segment) Fixed size of 20 octets An options field Variable-length options field increases the size of the total IP header IPv6 8 fields: 1 new (Flow Label); 7 similar IPv4; 7 not brought over from IPv4.12 Resources IPv6 Addressing At-A-Glance http://cisco.com/application/pdf/en/us/guest/tech/tk872/c1550/cdccont_0900aecd80 26003d.pdf IPv6 Extension Headers Review and Considerations http://cisco.com/en/US/partner/tech/tk872/technologies_white_paper0900aecd8054 d37d.shtml IPv6 Headers At-A-Glance http://cisco.com/application/pdf/en/us/guest/tech/tk872/c1482/cdccont_0900aecd80 260042.pdf IPv6 Mobility At-A-Glance http://cisco.com/application/pdf/en/us/guest/tech/tk872/c1482/cdccont_0900aecd80 260046.pdf Internet Protocol Version 6 Q&A http://cisco.com/en/US/partner/products/ps6553/products_qanda_item0900aecd803 715bf.shtml IPV6 Case Studies http://cisco.com/en/US/partner/products/ps6553/prod_case_studies_list.html IPv6 Allocations http://www.ripe.net/rs/ipv6/stats/ Cisco IPv6 Solutions http://cisco.com/en/US/partner/products/ps6553/products_white_paper09186a0080 13 2219bc.shtml Version: Contains 6 for IPv6 (IPv4 contains the number 4) Traffic class: Similar as type of service (ToS) field in IPv4. Flow label: New 20-bit field Allows multilayer switches and routers to handle traffic on a per-flow basis rather than per-packet, for faster packet-switching performance. This field can also be used to provide QoS. 14 Payload length: Same as IPv4 total length field Next header: 8-bit field determines the type of information that follows the basic IPv6 header. Similar to the protocol field of IPv4. 15 Hop limit: 8-bit field specifies the maximum number of hops that an IP packet can traverse. Similar to the time to live (TTL) field in IPv4 Because there is no checksum in the IPv6 header, an IPv6 router can decrease the field without recomputing the checksum 16 Source address: 128 bit source address of the packet Destination address: 128 bits destination address of the packet Extension headers: Optional The number of extension headers is not fixed, so the total length of the extension header chain is variable. Also a mechanism to provide support for future services without redesign of 17 the basic protocol IPv4 Fragmentation The The outgoing outgoing link link has has a a large enough MTU but to I smaller MTU so I have don’t reconstruct fragment the packets. packets. It is my job to reconstruct the packets. IP Packet IP Packet Network link with larger MTU IP Packet IP Packet IP Packet Network link with smaller MTU Network link with larger MTU IP Packet IP Packet IP Packet IP Packet IP Packet IP Packet When fragmentation occurs, it does not get reconstructed until it reaches the host. This takes processing time. Fragment Offset field identifies the order 18 MTU Discovery In IPv4 routers handle fragmentation, causing a variety of processing issues. IPv6 routers no longer perform fragmentation Use a discovery process is used to determine the optimum MTU to use Source IPv6 device attempts to send a packet at the size that is specified by the upper IP layers, (TCP, UDP, or application). If the device receives an Internet Control Message Protocol (ICMP) “packet too big” message: Retransmits the MTU discover packet with a smaller MTU This process is repeated until the device receives a response that the discover packet arrived intact. The device then sets the MTU for the session. In IPv6 fragmentation is only performed by the device sending a datagram, not by routers. 19 IPv6 Addressing in an Enterprise Network 20 Address Representation 128-bit IPv6 addresses are represented by breaking them up into eight 16-bit segments. Each segment is written in hexadecimal (non-case sensitive) between 0x0000 and 0xFFFF, separated by colons. An example of a written IPv6 address is 3ffe:1944:0100:000a:0000:00bc:2500:0d0b 21 Rule 1: Leading 0’s Two rules for reducing the size of written IPv6 addresses. The first rule is: The leading zeroes in any 16-bit segment do not have to be written; if any 16-bit segment has fewer than four hexadecimal digits, it is assumed that the missing digits are leading zeroes. Example 3ffe : 1944 : 0100 : 000a : 0000 : 00bc : 2500 : 0d0b 3ffe : 1944 : 100 : a : 0 : bc : 2500 : d0b 22 Rule 1: Leading 0’s Practice 3ffe : 0404 : 0001 : 1000 : 0000 : 0000 : 0ef0 : bc00 3ffe : 404 : 1 : 1000 : 0 : 0 : ef0 : bc00 3ffe : 0000 : 010d : 000a : 00dd : c000 : e000 : 0001 3ffe : 0 : 10d : a : dd : c000 : e000 : 1 ff02 : 0000 : 0000 : 0000 : 0000 : 0000 : 0000 : 0005 ff02 : 0 : 0 : 0 : 0 : 0 : 0 : 5 23 Rule 1: Leading 0’s Only leading zeroes can be omitted; trailing zeroes cannot, because doing so would make the segment ambiguous. You would not be able to tell whether the missing zeroes belonged before or after the written digits. 3ffe : 1944 : 100 : a : 0 : bc : 2500 : d0b Correct Original Address 3ffe : 1944 : 0100 : 000a : 0000 : 00bc : 2500 : 0d0b Wrong, Ambiguous Original Address 3ffe : 1944 : 1000 : a000 : 0000 : bc00 : 2500 : d0b0 24 Rule 2: Double colon :: equals 0000…0000 The second rule can reduce this address even further: Any single, contiguous string of one or more 16-bit segments consisting of all zeroes can be represented with a double colon. ff02 : 0000 : 0000 : 0000 : 0000 : 0000 : 0000 : 0005 ff02 : 0 : 0 : 0 : 0 : 0 : 0 : 5 ff02 : : 5 ff02::5 25 Rule 2: Double colon :: equals 0000…0000 Only a single contiguous string of all-zero segments can be represented with a double colon. Example: Both of these are correct 2001 : 0d02 : 0000 : 0000 : 0014 : 0000 : 0000 : 0095 2001 : d02 :: 14 : 0 : 0 : 95 2001 : d02 :: 14 : 0 : 0 : 95 OR 2001 : d02 : 0 : 0 : 14 :: 95 2001 : d02 : 0 : 0 : 14 :: 95 Another example: 2031 : 0000 : 130F : 0000 : 0000 : 09C0 : 876A : 130B 2031 : 0 : 130F :: 9C0 : 876A : 130B 26 Rule 2: Double colon :: equals 0000…0000 Using the double colon more than once in an IPv6 address can create ambiguity. Example 2001:d02::14::95 Illegal because the length of the two all-zero strings is ambiguous; it could represent any of the following IPv6 addresses: 2001:0d02:0000:0000:0014:0000:0000:0095 2001:0d02:0000:0000:0000:0014:0000:0095 2001:0d02:0000:0014:0000:0000:0000:0095 27 Network Prefixes IPv4, the prefix—the network portion of the address—can be identified by a dotted decimal or bitcount. 255.255.255.0 or /24 IPv6 prefixes are always identified by bitcount. The address is followed by a forward slash and a decimal number indicating how many of the first bits of the address are the prefix bits. CIDR notation or prefix notation 3ffe:1944:100:a::/64 16 32 48 64 bits 28 All 0’s IPv6 Address An IPv6 address consisting of all zeroes can be written simply with a double colon. There are two cases where an all-zeroes address is used. 1. Default address, The address is all zeroes and the prefix length is zero: ::/0 2. Unspecified address, which is used in some Neighbor Discovery Protocol procedures (later). An unspecified address is a filler, indicating the absence of a real IPv6 address. When writing an unspecified address, it is differentiated from a default address by its prefix length: ::/128 29 More later 30 Interface Identifiers in IPv6 Addresses In IPv6, a link is a network medium over which network nodes communicate using the link layer. Interface identifiers (IDs) in IPv6 addresses: Used to identify a unique interface on a link Thought of as the “host portion” of an IPv6 address. Required to be unique on a link Always 64 bits May be dynamically created based on Layer 2 media and encapsulation 31 The data link layer defines how IPv6 interface identifiers are created and how neighbor discovery deals with data link layer address resolution. RFCs describe these processes (not all supported by Cisco) Let’s look at the process for Ethernet Interface Identifier… 32 Calculating the Interface ID Using EUI-64 To automatically create a guaranteed-unique interface ID, IPv6 defines a method to calculate a 64-bit interface ID derived from that host's MAC address. The eighth bit in an IPv6 interface identifier, also known as the “G” bit, is the group/individual bit for managing groups. 33 bia: xxxx xx0x Configured: xxxx xx1x The Universally/Locally (U/L) bit is the seventh bit of the first byte and is used to determine whether the address is universally or locally administered. If 0, the IEEE, through the designation of a unique company ID, has administered the address. If 1, the address is locally administered - the network administrator has overridden the manufactured address and specified a different address. Seems to be some debate on whether Cisco should flip it if it is already a 1. “The standard says leave the U/L bit a 1 if it's a 1 and the "Cisco" way says to flip it regardless.” r34 Subnet: 2001:8:85a3:4289::/64 MAC Address: 001B:D55B:A408 Global Unicast Address: 2001:8:85a3:4289 : 021B:D5FF:FE5B:A408 Interface ID Because of privacy and security concerns, hosts may create a random interface identifier using the MAC address as a base. This is considered a privacy extension because, without it, creating an interface identifier from a MAC address allows activity to be tracked to the point of connection. Windows XP implements this capability 35 Three types of IPv6 Addresses Three types of IPv6 Addresses The three types of IPv6 address follow: 1. Unicast Global Unicast Link Local Unicast Site Local Unicast (now deprecated) 2. Multicast 3. Anycast Unlike IPv4, there is no IPv6 broadcast address. There is, however, an "all nodes" multicast address, which serves essentially the same purpose as a broadcast address. 37 Global Unicast Addresses A unicast address is an address that identifies a single device. A global unicast address is a unicast address that is globally unique. Has global scope. Also known as global aggregatable Globally unique and can therefore be routed globally with no modification. 38 Global Unicast Addresses The host portion of the address is called the Interface ID. Host can have more than one IPv6 interface Address more correctly identifies an interface on a host than a host itself. A single interface can have multiple IPv6 addresses, and can have an IPv4 address in addition. 39 Global Unicast Addresses Another big difference between IPv4 addresses and IPv6 addresses: location of the Subnet Identifier Subnet Identifier is part of the network portion of the address rather than the host portion. Allows an organization to use up to 65,536 individual subnets 40 Global Unicast Prefix Assignment The current global unicast address assignment IANA uses the range of addresses that start with binary value 001 or 2000::/3 The start with the same 3 bits (001) as 2000 4 hexadecimal digits, before the first colon More easily recognized as beginning with a hexadecimal 2 or 3. 0010 xxxx or 0011 xxxx ICANN assigns global unicast IPv6 addresses as public and globally-unique IPv6 addresses No need for NAT This is one-eighth (12.5%) of the total IPv6 address space and is the largest block of assigned addresses. 41 Assigning IPv6 Addresses http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6unicast-address-assignments.xml https://www.arin.net/knowledge/rirs.html The Internet Corporation for Assigned Network Numbers (ICANN, www.icann.org) owns the process. ICANN assigns one or more IPv6 address ranges to each Regional Internet Registries (RIRs) The Internet Assigned Numbers Authority (IANA) formerly owned the address assignment process, but it was transitioned to ICANN. 42 2340::/12 The IPv6 global address assignment plan results in more efficient routing. ICANN owns the entire IPv6 address space ICANN assigns the rights to registry prefix 2340::/12 to one of the RIRs ARIN (in North America). ARIN has the rights to assign any IPv6 addresses that begin with the first 12 bits of hex 2340 (binary value 0010 0011 0100). 2116 addresses! 43 2340:1111::/32 NA-ISP1 asks ARIN for a prefix assignment. ARIN ensures that NA-ISP1 meets some requirements. ARIN assigns site prefix 2340:1111::/32 to NA-ISP1. 296 addresses This one address block may well be enough public IPv6 addresses for even the largest ISPs, without that ISP ever needing another IPv6 prefix. 44 2340:1111:AAAA::/48 Company1 asks their ISP, NA-ISP1, for the assignment of an IPv6 prefix. NA-ISP1 assigns Company1 the site prefix 2340:1111:AAAA::/48 280 addresses! Routers outside North America can have a single route prefix 2340::/12 in their routing table for all these IPv6 addresses which are assigned in North America. 45 2340:1111:AAAA::/48 A /48 prefix assigned to a single company is called either a global routing prefix or a site prefix. 1 Route for 2340::/12 1 Route for 2340::/12 Routers outside North America can have a single route prefix 2340::/12 in their routing table for all these IPv6 addresses which are assigned in North America. 46 Subnetting Global Unicast IPv6 Addresses Inside an Enterprise 2340:1111:AAAA::/64 2340:1111:AAAA::/48 The Enterprise engineer extended the length of the prefix as assigned by the ISP (/48) to /64. This creates a 16 bit subnet part of the address structure. The 16 bit subnet field allows for 216, or 65,536, subnets! There are no concerns about needing an all 0’s or all 1’s subnet in IPv6! 64 bit host field allows for 264 hosts per subnet. More than 1,000,000,000,000,000,000 addresses per subnet. Allows of the automatic IPv6 address assignment features to work well (later). 47 2340:1111:AAAA::/64 4 specific subnets to be used inside Company1: 2340:1111:AAAA:0001::/64 2340:1111:AAAA:0002::/64 2340:1111:AAAA:0003::/64 2340:1111:AAAA:0004::/64 Note: A valid abbreviation is to remove the 3 leading 0’s from the last shown quartet. 2340:1111:AAAA:1::/64 48 2340:1111:AAAA::/64 Interface ID Any number of subnet bits could be chosen for subnetting including the interface bits as long as the host field retained enough bits to number all hosts in a subnet. A /112 prefix length could be used, extending the original /48 prefix by 64 bits (4 hex quartets) - /112. Then we could have these 4 subnets and more: 2340:1111:AAAA::0001:0000/112 2340:1111:AAAA::0002:0000/112 2340:1111:AAAA::0003:0000/112 2340:1111:AAAA::0004:0000/112 49 Prefix Terminology Registry prefix Assigned by ICANN to an RIR 2340::/12 (to /23) ISP prefix Assigned by an RIR to an ISP1 2340:1111/32 Site prefix or global routing prefix Assigned by an ISP or registry to a customer (site) 2340:1111:AAAA/48 Subnet prefix Assigned by an Enterprise engineer for each individual link 2340:1111:AAAA:0001/64 50 IPv6 Addresses Unicast Global Unicast Link Local Site Local Multicast Anycast 51 Link Local Addresses Remaining 54 bits Scope is confined to a single link. Uniqueness is assured only on one link. Solves “chicken or the egg” problem (how do I get a network address if I don’t have one to communicate that with). Device can determine its own link local IPv6 address without needing to communicate with any other device Ethernet link-local address uses MAC-address (EUI-64) for Interface ID Considered best practice to statically configure link local address (Interface ID) on serial interfaces (later) Link Local addresses come from the FE80::/10 range (FE80/10-FEB0/10), First 10 bits must be 1111 1110 10xx F E 8-B Creates the range FE8, FE9, FEA, FEB 1111 1110 10: 1000 1001 1010 1011 52 Local Unicast Addresses FE80::/10 FEC0::/10 Link-local unicast address, An identical address might exist on another link. Not routable off its link. The first 10 bits are always 1111111010 (FE80::/10). Devices that do not or have not yet been assigned global prefixes, can communicate with other devices. Uses EUI-64 for Ethernet and serial interface to make it unique More coming with Network Discovery Protocol… 53 When communicating with a link-local address, the outgoing interface must be specified because every interface is connected to FE80::/10 If you want to ping from one router to its neighbor using the neighbor’s linklocal address, you will be asked to input the interface on which you want to ping The router cannot determine the outgoing interface from a link-local destination address. 54 IPv6 Addresses Unicast Global Unicast Link Local Site Local Multicast Anycast 55 Site Local IPv6 Addresses Site Local unicast IPv6 addresses have the same function as IPv4 RFC1918 private addresses. Not be advertised into the Internet Now deprecated (RFC 3879, 2004) Site local - fec0::/10 Not necessary with the large number of Global Unicast addresses but this is an option. 56 IPv6 Addresses Unicast Global Unicast Link Local Unique Local Multicast Anycast 57 Multicast Addresses FE80::/10 FEC0::/10 Multicast address identifies a set of devices — a multicast group. A packet being sent to a multicast group is originated by a single device; Source address: unicast address Destination address: multicast address No reserved broadcast address like IPv4, but it does have a reserved allnodes multicast group. (FF02::1) 58 Multicast Addresses Multicasting Basic operation of IPv6 Router discovery Address autoconfiguration These functions are a part of the Neighbor Discovery Protocol, discussed later. 59 Multicast Addresses (FYI) The second octet of the address contains the prefix and transient (lifetime) flags, and the scope of the multicast address: Transient (T) flag: 0 for a permanent, or well-known, multicast address. 1 for a temporary multicast address Prefix (P) flag: Indicates a prefix. This flag allows part of the multicast group address to include the unicast prefix of the source network. Scope parameter: 1 for the node scope (for loopback transmission) 2 for the link scope (similar to unicast link-local scope) 5 for the site-local scope 8 for the organizational scope (for multiple sites) E for the global scope 60 Multicast Addresses (FYI) Example, a multicast address starting with FF02::/16 is: 1111 1111 0000 0010 Permanent multicast address Link-local scope There is no TTL field in IPv6 multicast packets because the scoping is defined inside the address. The multicast group ID consists of the lower 112 bits of the multicast address. 61 Multicast Addresses 62 FF02::1:FFXX:XXXX - Solicited-node multicast on a link XX:XXXX is the rightmost 24 bits of the corresponding unicast or anycast address of the node. Sent on a local link when a node wants to determine the link-layer address of another node on the same local link, similar ARP in IPv4 Next FF05::101 - “All Network Time Protocol (NTP) servers” Site-local scope Administratively assigned radius 63 Solicited-node Multicast Addresses IPv6: 2001:DB8:200:300:400:500:1234:5678 Solicited-node multicast address FF02::1:FF34:5678 IPv6: 2001:DB8:200:300:400:500:AAAA:BBBB Solicited-node multicast address: FF02:0:0:0:0:1:FFAA:BBBB A B C IPv6: 2001:DB8:200:300:400:501:AAAA:BBBB Solicited-node multicast address FF02::1:FFAA:BBBB FF02::1:FFXX:XXXX - Solicited-node multicast on a link XX:XXXX - Rightmost 24 bits of the unicast or anycast address of the node Sent on a local link when a node wants to determine the link-layer address of another node on the same local link, similar ARP in IPv4 Used in IPv6 for address resolution of an IPv6 address to a MAC address on a LAN segment. In very rare cases, the rightmost 24 bits of the unicast address of the target will not be unique on a link, but this will not cause a problem... 64 IPv6: 2001:DB8:200:300:400:500:1234:5678 Solicited-node multicast address FF02::1:FF34:5678 IPv6: 2001:DB8:200:300:400:500:AAAA:BBBB Solicited-node multicast address: FF02:0:0:0:0:1:FFAA:BBBB A Neighbor Solicitation: I know your IPv6 address Target IP = 2001:DB8:200:300:400:500:AAAA:BBBB What is your MAC address? NS (Neighbor Solicitation) B That Target IP Address is me! My MAC Address is 0013:19AA:BBBB (“Neighbor Advertisement” sent as a unicast.) C IPv6: 2001:DB8:200:300:400:501:AAAA:BBBB Solicited-node multicast address FF02::1:FFAA:BBBB DA = FF02::1:FF:0/104 + AA:BBBB The Target IP Address is NOT me. No NA returned. Node A desires to exchange packets with Node B Node A sends a neighbor discovery (solicitation) packet to the solicited-node multicast address of B, FF02::1:FFAA:BBBB. The packet contains (with other data) the full IPv6 address that Node A is looking for: 2001:DB8:200:300:400:500:AAAA:BBBB (target address) Both B and C are listening to the same solicited-node multicast address (FFAA:BBBB), so they both receive and process the packet. B sees that the target address matches its own IP Address and responds with a neighbor advertisement that includes its MAC address. C sees that the target address does not match its own IP address so does not respond. Nodes can have the same solicited-node multicast address on-link, but not cause issues 65 with neighbor discovery or solicitation process IPv6 Addresses Unicast Global Unicast Link Local Unique Local Multicast Anycast 66 Anycast Addresses An anycast address represents a service rather than a device The same address can reside on one or more devices providing the same service. Proposed in 1993; however, there is little experience with widespread anycast usage to date. On a Cisco router an IPv6 address becomes an anycast address when the keyword is added. 67 Preferred route A service is offered by three servers All three are advertising the service at the IPv6 address 3ffe:205:1100::15 The router does not know (or care) that it is being advertised by three different devices. Assumes that it has three routes to the same destination Chooses the lowest-cost route. In this is the route to server C with a cost of 20. Advantage of anycast addresses is that a router always routes to the "closest" or "lowest-cost" server. Provides: Redundancy Best Path 68 Comparing IPv6 Addresses with IPv4 Addresses Area 10 Lo 12 Lo 13 Lo 14 Lo 15 Area 0 R1 R2 Many differences between IPv4 and IPv6 but also many similarities. Consider the following IPv4 addresses: 172.16.12.0/24 172.16.13.0/24 172.16.14.0/24 172.16.15.0/24 The summary of these 4 routes is 172.16.12.0/22 Binary: 1010 1100.0001 0000.0000 1100.0000 0000 Hex: A C 1 0 : 0 C 0 0 Converting these individual networks to hexadecimal: AC10:0C00::/24 = 172.16.12.0/24 AC10:0D00::/24 = 172.16.13.0/24 AC10:0E00::/24 = 172.16.14.0/24 AC10:0F00::/24 = 172.16.15.0/24 The summary of these 4 routes is AC10:0C00::/22 69 Last bit MAC Last bit Link local address Interface address Link local address Interface address Link local address Interface address Link local address Interface address Using these four networks we configure IPv4 and IPv6 /32 loopback interfaces addresses on R1 Notice that the IPv6 loopback addresses have the interface ID field set to 1 on each of the networks. Each IPv6 loopback interface also has an automatically created link-local address. 70 The routers are running: OSPFv2 (for IPv4) OSPFv3 (for IPv6) 71 172.16.12.0/22 area 10 range 172.16.12.0 255.255.252.0 To examine what happens when IPv4 summarization is configured use debug ip routing The area 10 range 172.16.12.0 255.255.252.0 command is then configured on R1, to summarize the 4 IPv4 routes into 172.16.12.0/22. 72 AC10:C00::/22 area 10 range AC10:C00::/22 To examine what happens when IPv6 summarization is configured, the debug ipv6 routing area 10 range AC10:C00::/22 command is configured on R1, to summarize the 4 routes into AC10:0C00::/22. 73 Configuring and Verifying IPv6 Unicast Addresses 74 Neighbor Discovery Protocol NDP is defined in RFC 2461. It uses ICMPv6 to exchange the messages necessary for its functions; specifically, five new ICMPv6 messages are specified in RFC 2461: Router Advertisement (RA) messages Originated by routers to advertise their presence and link-specific parameters such as link prefixes, link MTU, and hop limits. These messages are sent periodically, and also in response to Router Solicitation messages. Router Solicitation (RS) messages Originated by hosts to request that a router send an RA. Neighbor Solicitation (NS) messages Originated by nodes to request another node's link layer address and also for functions such as duplicate address detection and neighbor unreachability detection. Neighbor Advertisement (NA) messages Sent in response to NS messages. If a node changes its link-layer address, it can send an unsolicited NA to advertise the new address. 75 Neighbor Discovery Protocol ipv6 unicast-routing RA (Router Advertisement) - Address, prefix, link MTU RS (Router Solicitation) - Need RA from Router Router Advertisement (RA) Originated by routers to advertise their presence and link-specific parameters such as link prefixes, link MTU, and hop limits. These messages are sent periodically, and also in response to Router Solicitation messages. Router must be configured with ipv6 unicast-routing Router will generate RA but NOT generate RS messages Router Solicitation (RS) messages are originated by hosts to request that a router send an RA. 76 NDP - Router Discovery What is the IPv6 prefix(s) on this subnet and what is the address of the IPv6 default router(s)? RS (Router Solicitation) RA (Router Advertisement) - Address, prefix, link MTU Source Add: (::) or link-local layer Dest. Add: All-routers multicast (FF02::2) Router Solicitation (RS) When a host first becomes active on a link, it can send an RS to solicit the immediate transmission of an RA. The source of the RS can either be the unspecified address (::) or the host's link-local IPv6 address. The destination is always the all-routers multicast (FF02::2). When a router receives an RS, it sends (after a delay of .5 seconds) an RA in response. 77 NDP - Router Discovery What is the IPv6 prefix(s) on this subnet and what is the address of the IPv6 default router(s)? 2340:1111:AAAA:1:213:19FF: FE7B:5004/64 RA (Router Advertisement) - Prefix, Default Router, link MTU Prefix = 2340:1111:AAAA:1::/64 Default Router = 2340:1111:AAAA:1:213:19FF:FE7B:5004/64 - Destination: All-nodes multicast address (FF02::1) - Sent between 4 - 1,800 seconds, default every 200 seconds Router Advertisement The destination address is the all-nodes multicast address (FF02::1). All hosts will receive this RA. Cisco routers automatically send RAs on Ethernet and FDDI interfaces whenever IPv6 is enabled on the router with the command: Router(config)# ipv6 unicast-routing The default interval is 200 seconds, and can be changed with the command: Router(config)# ipv6 nd ra-interval 78 NS (Neighbor Solicitation) - Request another node's link layer address NA (Neighbor Advertisement) - Sent in response to NS Neighbor Solicitation and Neighbor Advertisement Like IPv4, IPv6 devices need to determine the data link layer address used by devices on the same link. IPv4 uses Address Resolution Protocol (ARP) on LANs NDP (Network Discovery Protocol), using ICMPv6 Neighbor Solicitation (NS) Neighbor Advertisement (NA) More later… 79 Duplicate Address Detection (DAD) I need to make sure nobody else has this Global Unicast Address… My Global Address is 2340:1111:AAAA:1:213:19FF:FE7B:5004 “Tentative”: Need to do Duplicate Address Detection NS (Neighbor Solicitation) - Target Address = 2340:1111:AAAA:1:213:19FF:FE7B:5004 - Destination: Solicited-Node Multicast Address = FF02::1::FF7B:5004 The Destination, solicited-node multicast address is formed by prepending the prefix FF02:0:0:0:0:1: FF00::/104 to the last 24 bits of the target address. FF02::1:FF0A:2D51. This is a sort of broadcast for any device with these 24 bits in their Interface ID. Duplicate Address Detection is performed on unicast addresses prior to assigning them to an interface Duplicate Address Detection MUST take place on all unicast addresses, regardless of whether they are obtained through stateful, stateless or manual configuration The procedure for detecting duplicate addresses uses Neighbor Solicitation and Neighbor Advertisement messages 80 If a Neighbor Advertisement is not sent in response to this NS then the address is unique Link-local unicast address and global aggregatable unicast addresses can be assigned statically or dynamically. 81 IPv6 Unicast Address Configuration and Verification Commands no ipv6 unicast-routing Host ipv6 unicast-routing Router Use the ipv6 unicast-routing global configuration command to enable the forwarding of IPv6 unicast datagrams Router will generate Router Advertisements but NOT generate Router Solicitation messages 82 Configuring Addresses Static global unicast address Static multiple globable unicast addresses IPv6 unnumbered Static link-local address Stateless autoconfiguration Stateful DHCPv6 autoconfiguration 83 Static Global Unicast Assignment R1(config)# inter fa0/0 R1(config-if)# ipv6 address 2001:1::1/64 84 no ipv6 unicast-routing Host ipv6 unicast-routing Router RA (Router Advertisement) - All nodes multicast - Prefix, Default Router, link MTU R1 no ipv6 unicast-routing – Used on R1 to disable the routing capabilities; the router will act as an end-station for IPv6. debug ipv6 nd - ICMP network discovery debugging is enabled As soon as the debugging is enabled, router advertisements (RAs) start being seen from R2 on FastEthernet 0/0 from its link-local address. 85 no ipv6 unicast-routing Host ipv6 unicast-routing Router NS (Neighbor Solicitation) - Request another node's link layer address Next an IPv6 address, 2001:1::1/64, is configured on R1’s FastEthernet 0/0. Note: The entire address is configured. The EUI-64 format for the interface ID was not used. The debug output shows: Prefix 2001:1::1/64 is added to the interface R1 sends a neighbor solicitation (NS) for that address (DAD). R1 confirms that this address is unique on the link. Neighbor Advertisement with Target IPv6 address not received. 86 no ipv6 unicast-routing Host ipv6 unicast-routing Router NA (Neighbor Advertisement) - This is my address. RA (Router Advertisement) - All nodes multicast - Prefix, Default Router, link MTU To continue the debug output shows: R1 then sends a neighbor advertisement (NA), which includes its address. NAs are sent when there is an address is configured or changed on an interface The debug confirms that the address is up on the interface. R1 received another periodic RA from R2. 87 ipv6 unicast-routing ipv6 unicast-routing Router Router RA (Router Advertisement) - All nodes multicast - Prefix, Default Router, link MTU ipv6 unicast-routing - IPv6 routing is enabled on R1 (now a router) Was no ipv6 unicast routing R1 sends Router Advertisements which includes: MTU of the interface (1500 bytes) Prefix configured on the interface (2001:1::/64) 88 Verify the interface parameters. Interface FastEthernet 0/0 has: Link-local address Global unicast address Has joined several multicast groups, including: FF02::1 (all hosts) FF02::2 (all routers) ND information, including How often RAs are sent How long they live 89 Configuring Addresses Static global unicast address Static multiple globable unicast addresses IPv6 unnumbered Static link-local address Stateless autoconfiguration Stateful DHCPv6 autoconfiguration 90 Assigning Multiple Global Aggregatable Addresses Fa0/0 R1 IPv6 interfaces can have multiple addresses (on different networks) which can be used simultaneously. To illustrate the difference between IPv4 and IPv6, examine the FastEtherenet 0/0 interface on R1… 91 10.10.10.10.1/24 20.20.20.1/24 2001:1::1/64 2002:1::1/64 R1 has an IPv4 and an IPv6 address. Notice what happens when another IPv4 IP address is assigned and the configuration is viewed again. When the IPv4 address 20.20.20.1 is configured the original address is gone. The original IPv4 address of 10.10.10.1/24 is restored and another IPv6 global aggregatable unicast address is configured. The new IPv6 address is added to the interface and did not overwrite the original IPv6 address. IPv6 does not have the concept of secondary addresses With IPv6 as an interface can have 92 multiple addresses. Configuring Addresses Static global unicast address Static multiple globable unicast addresses IPv6 unnumbered Static link-local address Stateless autoconfiguration Stateful DHCPv6 autoconfiguration 93 IPv6 Unnumbered Interfaces Lo10 Ser0/0/0 R1 IPv6 supports unnumbered interfaces A loopback interface is created and configured with an IPv6 address. The Serial 0/0/0 interface is then configured to use the IPv6 address of the loopback interface, with the ipv6 unnumbered loopback 10 command. show ipv6 interface s0/0/0 shows that Serial 0/0/0 interface uses the IPv6 address from interface loopback 10. For the next topic, remember that a device’s link-local address is assigned 94 dynamically by default, using a prefix FE80::/10 and the EUI-64 format interface ID. Configuring Addresses Static global unicast address Static multiple globable unicast addresses IPv6 unnumbered Static link-local address Stateless autoconfiguration Stateful DHCPv6 autoconfiguration 95 Static Link-Local Address Assignment Fa0/0 R1 Link-local FE80: Link-local addresses can also be statically assigned using: EUI-64 format Manually configured interface ID Using the ipv6 address FE80::1 link-local command; the interface ID is set to 1. show ipv6 interface fa0/0 shows that the link-local address has been overwritten (not using the EUI by default) Unlike the global unicast address, an interface can only have one link-local address. 96 Configuring Addresses Static global unicast address Static multiple globable unicast addresses IPv6 unnumbered Static link-local address Stateless autoconfiguration Stateful DHCPv6 autoconfiguration 97 Stateless Autoconfiguration of IPv6 Addresses I need: IP Address IP subnet mask (prefix length) Default router IP address DNS IP address(es) The stateless approach is used when a site is not particularly concerned with the exact addresses hosts use, so long as they are unique and properly routable. Host can autoconfigure themselves by appending their IPv6 interface identifier (in EUI-64 format) to the 64 bit prefix received in the RA. The stateful approach is used when a site requires tighter control over exact address assignments. (DHCPv6 server) 98 Link-local Address = Link-local Prefix + Interface Identifier (EUI-64 format) FE80 [64 bits] + [48 bit MAC u/l flipped + 16 bit FFFE] A NS (Neighbor Solicitation) ICMPv6 type 135 Destination: Solicited-Node Multicast Address = FF02::1:FF:0/104 + AA:BBBB (last 24 bits) Target address = Link-local address NA (Neighbor Advertisement) ICMPv6 type 136 First – Make sure the Link-local Address is unique Nodes begin the autoconfiguration process by generating a link-local address for the interface. Link-local prefix + interface's identifier Must verify that this "tentative" link-local address is not already in use on the link Sends a Neighbor Solicitation message containing the tentative link-local address as the target. If another node is already using that address, it will return a Neighbor Advertisement saying so. If a node determines that its tentative link-local address is not unique, autoconfiguration stops 99 and manual configuration of the interface is required. IP Address IP subnet mask (prefix length) Default router IP address DNS IP address(es) RS (Router Solicitation) ICMPv6 type133 RA (Router Advertisement) ICMPv6 type134 Source = Link-local address Destin = FF02::1 All nodes multicast address Query = Prefix, Default Router, MTU, options Source = :: or link-local address Destin = FF02::2 All routers multicast address Query = Send me your RA IPv6 Address = Prefix + Interface ID (EUI-64 format) [64 bits] + [48 bit MAC u/l flipped + 16 bit FFFE] Second – Now that the device has its link-local address it will look for the rest Now that the device can communicate on the link, it looks for autoconfiguration information A node can send out Router Soliciation messages Router Advertisements are also sent periodically. All routers on the network reply to the RS immediately Router Advertisement to all-nodes multicast address The prefix included in the route advertisement is used as the /64 prefix for the host address. 100 The Interface ID used is EUI-64 format. IP Address IP subnet mask (prefix length) Default router IP address DNS IP address(es) NS (Neighbor Solicitation) DAD (No NA returned) Destination: Solicited-Node Multicast Address = FF02::1:FF:0/104 + AA:BBBB (last 24 bits) Target address = IPv6 Address NA (Neighbor Advertisement) ICMPv6 type 136 Third– Host does DAD process Host sends Neighbor Solicitation with its IPv6 address as the Target Address If there is not a NA returned then the address is unique. 101 A B NS (Neighbor Solicitation) ICMPv6 type 135 Source = IPv6 Address of A Destin = Solicited-node multicast of B Data = Link-layer (MAC) Address of A Query = Target IPv6 address, what is your link-layer (MAC) address? NA (Neighbor Advertisement) ICMPv6 type 136 Source = IPv6 Address of B Destin = IPv6 Address of A Data = Here is my link-layer (MAC) Address A can send IPv6 packets to B B can send IPv6 packets to A Neighbor Discovery (like ARP) – Neighbor Solicitation and Neighbor Advertisement Neighbor discovery or solicitation process works on any IPv6 device An ICMP message type 135, NS, is sent on the link. The destination node with the Target IPv6 address responds with an ICMP message type 136, Neighbor Advertisement. 102 The two devices are now able to communicate on the link because they know each other’s link-layer addresses. Stateless Autoconfiguration of IPv6 Addresses Create Link-local address Link-local Address = Link-local Prefix + Interface Identifier (EUI-64 format) FE80 [64 bits] + [48 bit MAC u/l flipped + 16 bit FFFE] NS (Neighbor Solicitation) A Make sure Link-local address is unique Make sure Link-local address is unique DAD: Okay if no NA returned Destination: Solicited-Node Multicast Address Target address = Link-local address Get Network Prefix to create Global unicast address RS (Router Solicitation) Get Prefix and other information RA (Router Advertisement) Source = Link-local address Destin = FF02::1 All nodes multicast address Query = Prefix, Default Router, MTU, options DAD IPv6 Address = Prefix + Interface ID (EUI-64 format) [64 bits] + [48 bit MAC u/l flipped + 16 bit FFFE] NS (Neighbor Solicitation) Make sure IPv6 Address is unique Target Address = IPv6 Address DAD: Okay if no NA returned 103 Example: Review on your own no ipv6 unicast-routing Host no ipv6 unicast-routing Router R1(config-if)# ipv6 address-autoconfig NS (Neighbor Solicitation) DAD (No NA returned) RS (Router Solicitation) debug ipv6 nd FastEthernet0/0 is configured with the ipv6 address autoconfig command. Note: If a router is configured with ipv6 address auto-config and no ipv6 unicast-routing, it will only generate RS messages and NOT RA messages. The interface creates a link-local address Verifies it with the DAD process R1 then starts to send out RS messages, looking for autoconfiguration information. R2 is not yet configured, so the RS messages are not answered. 104 Example: Review on your own no ipv6 unicast-routing Host no ipv6 unicast-routing Router R1(config-if)# ipv6 address-autoconfig NS (Neighbor Solicitation) DAD (No NA returned) RS (Router Solicitation) The output of the show ipv6 interface command confirms that R1 has a link-local address, but not a global unicast address. The show ipv6 routers command confirms that there are no routers available to provide R1 with stateless autoconfiguration. 105 Example: Review on your own no ipv6 unicast-routing Host Fa0/0 = 2001:1:1:1001::1/64 ipv6 unicast-routing Router RA (Router Advertisement) Network prefix = 2001:1:1001::/64 ipv6 unicast-routing command is configured on R2 Required for R2 to provide stateless autoconfiguration to R1. Immediately, R2 begins to send updates to the all nodes multicast address FF02::1 on the FastEthernet 0/0 interface Includes the network prefix (2001:1:1001::/64) to be used by nodes to automatically configure themselves 106 Example: Review on your own no ipv6 unicast-routing Host IPv6 Address = Prefix + Interface ID (EUI-64 format) Fa0/0 = 2001:1:1:1001::1/64 ipv6 unicast-routing Router RA (Router Advertisement) Network prefix = 2001:1:1001::/64 2001:1:1001:0:219:56FF:FE2C:9F60 NS (Neighbor Solicitation) Target IPv6 = 2001:1:1001:0:219:56FF:FE2C:9F60 R1 receives an RA autoconfigures the address DAD Sends NS with IPv6 address as Target IP address No NA received 107 Example: Review on your own no ipv6 unicast-routing Host IPv6 Address = Prefix + Interface ID (EUI-64 format) Fa0/0 = 2001:1:1:1001::1/64 ipv6 unicast-routing Router RA (Router Advertisement) Network prefix = 2001:1:1001::/64 2001:1:1001:0:219:56FF:FE2C:9F60 Default Router = FE80::219:55FF:FEDF:AD22 show ipv6 interface confirms: The interface has a global unicast address, the prefix is the same as R2 advertised. The last line of this command output lists the default router as R2. 108 When the Router is lost Fa0/0 = 2001:1:1:1001::1/64 no ipv6 unicast-routing no ipv6 unicast-routing Host IPv6 Address = Prefix + Interface ID (EUI-64 format) Router X RA (Router Advertisement) Network prefix = 2001:1:1001::/64 2001:1:1001:0:219:56FF:FE2C:9F60 Default Router = FE80::219:55FF:FEDF:AD22 R2: no ipv6 unicast-routing – Router no longer sending Router Advertisements The default router configuration is lost Host still has its global unicast address using the network prefix that was assigned by stateless autoconfiguration. Host retains its global address for 30 days (2592,000 seconds) , so long as the interface does not go down. If interface goes down, the prefix assignment will be lost. 109 Stateless Autoconfiguration of IPv6 Addresses Create Link-local address Link-local Address = Link-local Prefix + Interface Identifier (EUI-64 format) FE80 [64 bits] + [48 bit MAC u/l flipped + 16 bit FFFE] NS (Neighbor Solicitation) A Make sure Link-local address is unique Make sure Link-local address is unique DAD: Okay if no NA returned Destination: Solicited-Node Multicast Address Target address = Link-local address Get Network Prefix to create Global unicast address RS (Router Solicitation) Get Prefix and other information RA (Router Advertisement) Source = Link-local address Destin = FF02::1 All nodes multicast address Query = Prefix, Default Router, MTU, options DAD IPv6 Address = Prefix + Interface ID (EUI-64 format) [64 bits] + [48 bit MAC u/l flipped + 16 bit FFFE] NS (Neighbor Solicitation) Make sure IPv6 Address is unique Target Address = IPv6 Address DAD: Okay if no NA returned 110 Configuring Addresses Static global unicast address Static multiple globable unicast addresses IPv6 unnumbered Static link-local address Stateless autoconfiguration Stateful DHCPv6 autoconfiguration 111 DHCPv6 Server Stateful DHCP DHCPv6 Solicit Dest: FF02::1:2 (Reserved multicast for unknown DHCP server) DHCPv6 Reply DHCPv6 Request DHCPv6 Similar DHCP for IPv4 Reply Host sends a (multicast) packet searching for the DHCP server. DHCP server replies. DHCP client sends a message asking for a lease of an IP address DHCP server replies, listing an IPv6 address, prefix length, default router, and DNS IP addresses. DHCPv4 and DHCPv6 actually differ in detail, but the basic process remains the same. DHCPv6 servers retain state information about each client, such as the IP address leased to that client . 112 Unicast Connectivity on Broadcast Multiaccess Links MAC address-to-IPv4 address mapping: IPv4 ARP process MAC address-to-IPv6 address mapping: ICMPv6 neighbor discovery process The difference between these two processes: ARP messages are not sent in IP packets (ARP over Ethernet). IPv6 ICMP messages are sent in IPv6 packets. NS message is ICMP Type 135 NA message is ICMP Type 136 STALE state means that entry has not been used within in the reachable time REACH state means that the entry has been used in the reachable time 113 Please read the last few pages of this section on your own: Unicast Connectivity on Broadcast Links Unicast Connectivity on Point-to-Point Links Unicast Connectivity on Point-to-Mulitpoint Links 114 IPv6 Part 1 Introducing IPv6 IPv6 Addressing in an Enterprise Network IPv6 Addressing Configuring and Verifying IPv6 Unicast Addresses Part 2 Routing IPv6 Traffic Part 3 Transitioning IPv4 to IPv6 Tunneling IPv6 Traffic Translation Using NAT-PT 115 Solicited-node multicast addresses There are two solicited-node multicast addresses The one with FF02 and the last six digits (2C:9F60) match the last six digits of the link-local address. This is the solicited-node multicast address associated with the linklocal address. Note: The first solicited-node multicast address is associated with the global unicast address. 116 Solicited-node multicast addresses The changed link-local address results in changing this solicited node multicast address The solicited-node multicast address begins with FF02 and the last six digits (0B:000C, shortened to 0B:C) match the last six digits of the new link-local address. Note: The first solicited-node multicast address is associated with the global unicast address. 117 First a ping is sent from R1 to R2 Show ipv6 neighbors (neighbor discovery) shows both the global unicast address and the link-local address. Soon after the show command, we observe that the global unicast address goes to a STALE state. The STALE state occurs when the specified address that was formerly in the REACH state has not been heard within the time specified in the ipv6 nd reachable-time milliseconds command. Default = 0 which it is up to the receiving devices to set and track the reachable time value The STALE state means that entry has not been used within in the reachable time; the REACH state means that the entry has been used in the reachable time. 118 Instead of relying on dynamic neighbor discovery, a static mapping between an IPv6 unicast address and a MAC address can be configured using the ipv6 neighbor command. show ipv6 neighbor command to verify the configuration. The static entry does not have an age value and will be in a REACH state permanently. 119 CIS 185 CCNP ROUTE Ch. 8 Implementing IPv6 – Part 1 Rick Graziani Cabrillo College [email protected] Last Updated: Fall 2010