
CMPT 471
Networking II
ICMPv6
© Janice Regan, 2012
Link local - site local
- Link local addresses can only be used with a direct physical connection (FE80::)
  (addresses reached by IPv4 broadcast)
- Site local addresses can be routed within a local site internet, but not onto the Internet (FEC0::)
  (similar to IPv4 reserved addresses like those on network 192.168.0.0)
ICMPv6 message header format
- ICMPv6 message header format is the same as ICMPv4
- Each ICMP message has its own format, but all start with the same three fields
  - A type field (1 octet) indicating which type of ICMP message follows
  - A 1 octet code following the type that further defines the message (see text for list).
    For example, type specifies destination unreachable, code specifies router or host
  - The 3rd common field is a 2 octet checksum. The checksum is calculated the same way as the IPv4 checksum, including the entire ICMP PDU in the calculation
Types and codes DIFFERENT
- The types and codes for ICMPv6 messages are completely different from those of ICMPv4 messages
- Many of the same messages are available but their types and codes are now different
- Messages are divided into two groups
  - Errors (message numbers 1 to 127)
  - Information messages (message numbers ≥ 128)
Some types and codes (error)
Message number (errors: 1-127)   Code
1 (destination unreachable)      0 - no route to destination
                                 1 - communication administratively prohibited
                                 3 - address unreachable
                                 4 - port unreachable
2 (packet too big)               0
3 (time exceeded)                0 - hop limit exceeded
                                 1 - fragment reassembly time exceeded
4 (parameter problem)            0 - erroneous header field encountered
                                 1 - next header type not recognized
                                 2 - unrecognized option
Some more types (information)
Message number   Message
128              Echo request
129              Echo reply
133              Router solicitation
134              Router advertisement
135              Neighbor solicitation
136              Neighbor advertisement
137              Redirect message
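The common header and the type/code tables above can be exercised with a short worked example. This is added here and is not the lecture's code: it builds an Echo Request, computes the ICMPv6 checksum, and decodes the type and code of a received message, classifying it as an error (type below 128) or an information message. One point worth knowing beyond the slides: the ICMPv6 checksum is the same one's complement arithmetic as IPv4, but it also covers an IPv6 pseudo-header (source, destination, upper-layer length, Next Header 58) as specified in RFC 4443 section 2.3. Type and code values are those of RFC 4443 and RFC 4861, matching the tables above; the addresses and payload used in the example are constructed.

```python
"""Added worked example for the ICMPv6 common header: build an Echo Request,
compute the checksum over the IPv6 pseudo-header plus the ICMPv6 PDU
(RFC 4443 section 2.3), then parse the type / code / checksum fields back
and classify the message.  Constructed for this page, not the lecture's code.
"""
import ipaddress
import struct

ICMPV6_NEXT_HEADER = 58        # IPv6 Next Header value that means ICMPv6

# Names from the slides' tables (values as assigned in RFC 4443 and RFC 4861).
TYPE_NAMES = {
    1: "destination unreachable", 2: "packet too big",
    3: "time exceeded", 4: "parameter problem",
    128: "echo request", 129: "echo reply",
    133: "router solicitation", 134: "router advertisement",
    135: "neighbor solicitation", 136: "neighbor advertisement",
    137: "redirect message",
}
CODE_NAMES = {
    (1, 0): "no route to destination",
    (1, 1): "communication administratively prohibited",
    (1, 3): "address unreachable",
    (1, 4): "port unreachable",
    (3, 0): "hop limit exceeded",
    (3, 1): "fragment reassembly time exceeded",
    (4, 0): "erroneous header field encountered",
    (4, 1): "next header type not recognized",
    (4, 2): "unrecognized option",
}


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum, the same arithmetic the IPv4 checksum uses."""
    if len(data) % 2:
        data += b"\x00"                   # pad an odd-length PDU with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                    # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src: str, dst: str, message: bytes) -> int:
    """Checksum over the IPv6 pseudo-header followed by the entire ICMPv6 PDU.

    The pseudo-header (source, destination, upper-layer length, three zero
    bytes, Next Header = 58) is part of the ICMPv6 checksum, which is the one
    place the calculation differs from ICMPv4.  The checksum field itself
    must be zero in `message` when this is called.
    """
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message)) + b"\x00\x00\x00"
              + bytes([ICMPV6_NEXT_HEADER]))
    return (~ones_complement_sum(pseudo + message)) & 0xFFFF


def build_echo_request(src: str, dst: str, ident: int, seq: int, data: bytes) -> bytes:
    """Type 128, code 0, checksum, identifier, sequence number, then data."""
    unchecked = struct.pack("!BBHHH", 128, 0, 0, ident, seq) + data
    checksum = icmpv6_checksum(src, dst, unchecked)
    return struct.pack("!BBHHH", 128, 0, checksum, ident, seq) + data


def parse_icmpv6(src: str, dst: str, message: bytes) -> dict:
    """Decode the three common fields, verify the checksum, classify the message."""
    if len(message) < 4:
        raise ValueError("ICMPv6 message shorter than the 4-byte common header")
    msg_type, code, received = struct.unpack("!BBH", message[:4])
    zeroed = message[:2] + b"\x00\x00" + message[4:]   # recompute with checksum field = 0
    info = {
        "type": msg_type,
        "code": code,
        "type_name": TYPE_NAMES.get(msg_type, "unknown"),
        "code_name": CODE_NAMES.get((msg_type, code), ""),
        "class": "error" if msg_type < 128 else "information",
        "checksum_ok": icmpv6_checksum(src, dst, zeroed) == received,
    }
    if msg_type in (128, 129) and len(message) >= 8:
        # Echo request/reply: identifier and sequence number match a reply to its request
        info["identifier"], info["sequence"] = struct.unpack("!HH", message[4:8])
    return info
```

A receiver that skips the checksum check, or checks it without the pseudo-header, will accept messages addressed to someone else; the `zeroed` recomputation in `parse_icmpv6` is the check a stack performs before acting on any ICMPv6 message.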
Destination Unreachable
- ICMPv6 Destination Unreachable message is sent when a router cannot forward the packet to (or toward) the destination because
  - It has no route to the destination network in its routing table
  - It cannot find a requested host on its local network
  - There is no server to deal with the incoming request
  - The IPv6 address or port is administratively blocked
ICMPv6 Destination Unreachable (packet layout)
IPv6 header:
  VERS 6 | TRAFFIC CLASS | FLOW LABEL
  PAYLOAD LENGTH | NEXT HEADER | HOP LIMIT
  IPv6 source address
  IPv6 destination address
Destination unreachable message (ICMPv6):
  TYPE (1) | CODE 0, 1, 2, or 3 | CHECKSUM
  unused
  As much of invoking packet as will fit without the resulting ICMPv6 packet exceeding the minimum IPv6 MTU of 1280
Destination unreachable: codes
0. No route to destination: no entry in routing table that goes to destination network and no default route
1. Administratively Blocked: may be sent from a firewall that cannot forward a packet, or if a host accepts only authenticated echo requests and receives one that is not authenticated
2. Address: cannot resolve network address, router on destination network cannot find requested host
3. Port: no listening server
No message equivalent to IPv4 source quench
Packet too big
- Sent by a router that cannot forward a packet because it is larger than the MTU of the destination network.
- Used as part of the MTU discovery process (source asks: how big should the packets I send be?)
- Packet too big message includes a field for the MTU of the network that the packet could not enter (4 byte field after checksum, before data)
ICMPv6 TOO BIG message (packet layout)
IPv6 header:
  VERS 6 | TRAFFIC CLASS | FLOW LABEL
  PAYLOAD LENGTH | NEXT HEADER | HOP LIMIT
  IPv6 source address
  IPv6 destination address
TOO BIG message (ICMPv6):
  TYPE (2) | CODE 0 | CHECKSUM
  MTU of next network (the network with smaller MTU that prevented the packet being forwarded)
  As much of invoking packet as will fit without the resulting ICMPv6 packet exceeding the minimum IPv6 MTU of 1280
MTU discovery
- Assume MTU should be the size on the interface the packet leaves the source through
- If the packet is too large at an intermediate router, that router drops the packet and sends the source a packet too big message
- Host now sends data with the smaller MTU
- Process in previous 3 steps can be repeated
- Host never sends with MTU below 1280 bytes
MTU discovery (figure)
  NET 1, MTU 1500 -> NET 2, MTU 1350 -> NET 3, MTU 1280
  IP packet, MTU = 1500  ->  ICMP TOO BIG message, MTU = 1350
  IP packet, MTU = 1350  ->  ICMP TOO BIG message, MTU = 1280
  IP packet, MTU = 1280
Time exceeded message
- Sent by a router when the lifetime of a packet becomes 0
- Two possible situations
  - Too many hops
  - Waited too long for reassembly
- CODE = 2: When fragments do not arrive by the time the reassembly time expires, a time exceeded message will be sent to the source
Time exceeded: hop count 0
- Hop count is decremented at each router
- When hop count is 0 lifetime has expired
- CODE=1
  - When decrementing the hop count results in a hop count of zero the packet is dropped and a time exceeded message is sent to the source
  - When a packet arrives at a router and hop count = 0, the packet is dropped and a time exceeded message is sent to the source
ICMPv6 time exceeded (packet layout)
IPv6 header:
  VERS 6 | TRAFFIC CLASS | FLOW LABEL
  PAYLOAD LENGTH | NEXT HEADER | HOP LIMIT
  IPv6 source address
  IPv6 destination address
Time exceeded message (ICMPv6):
  TYPE (3) | CODE 0 or 1 | CHECKSUM
  unused
  As much of invoking packet as will fit without the resulting ICMPv6 packet exceeding the minimum IPv6 MTU of 1280
traceroute6
- The traceroute6 command is an example of the use of the time exceeded message
  - A UDP packet with a hop count of 1 is sent
  - The first router reached sends back a time exceeded message
  - A packet with a hop count of 2 is sent
  - The second router in the path sends back a time exceeded message
  - This is repeated, incrementing the hop count by 1 until the packet reaches its destination
- Ubuntu sends 3 copies of each packet sent in the description above
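The two procedures built on ICMPv6 error messages, MTU discovery (Packet Too Big) and traceroute6 (Time Exceeded), can be walked through on a small model of a path. The simulation below is an added example, not part of the lecture: the routers, their link MTUs and their addresses (taken from the 2001:db8::/32 documentation range) are constructed, and the router model is simplified to the two checks that matter here, decrementing the hop limit and comparing the packet against the next link's MTU. Code values follow RFC 4443 (Time Exceeded code 0 = hop limit exceeded, as in the error table earlier). The host side also shows the two checks a receiver should apply to a Packet Too Big message: never drop the estimate below the 1280-byte IPv6 minimum, and never raise it in response to such a message (RFC 8201), so a single forged or stale report cannot push the host to an absurd packet size.

```python
"""Added simulation of Path MTU discovery and traceroute6 over a toy path.
Constructed for this page; not the lecture's code.  Router addresses are
documentation-range samples, and the routers model only hop-limit and MTU.
"""
from dataclasses import dataclass

MIN_IPV6_MTU = 1280
PACKET_TOO_BIG, TIME_EXCEEDED = 2, 3          # ICMPv6 types from the error table


@dataclass
class Router:
    address: str        # constructed sample address of the router's interface
    next_link_mtu: int  # MTU of the link this router forwards the packet onto


@dataclass
class IcmpError:
    icmp_type: int
    code: int
    sender: str
    mtu: int = 0        # only meaningful for Packet Too Big


def forward(path, size, hop_limit):
    """Carry one packet along the routers in order.

    Returns None when the packet is delivered, otherwise the ICMPv6 error the
    dropping router sends back to the source.
    """
    for router in path:
        hop_limit -= 1
        if hop_limit == 0:                      # lifetime expired at this router
            return IcmpError(TIME_EXCEEDED, 0, router.address)   # code 0: hop limit exceeded
        if size > router.next_link_mtu:         # too large for the next link
            return IcmpError(PACKET_TOO_BIG, 0, router.address, router.next_link_mtu)
    return None


def path_mtu_discovery(path, initial_mtu, hop_limit=64):
    """Start at the outgoing interface's MTU and shrink on each Packet Too Big.

    Returns (final MTU used, list of MTUs reported).  Two checks a receiving
    host should make: the estimate never goes below 1280 (the IPv6 minimum)
    and it is never raised in response to a Too Big message (RFC 8201).
    """
    mtu = initial_mtu
    reports = []
    while True:
        err = forward(path, mtu, hop_limit)
        if err is None:
            return mtu, reports
        if err.icmp_type != PACKET_TOO_BIG:
            raise RuntimeError(f"unexpected ICMPv6 type {err.icmp_type} from {err.sender}")
        reports.append(err.mtu)
        if err.mtu >= mtu:
            # A report that would not shrink the packet is ignored (RFC 8201);
            # in this toy path that means the discovery cannot progress.
            raise ValueError("Packet Too Big did not report a smaller MTU")
        mtu = max(err.mtu, MIN_IPV6_MTU)
        if err.mtu < MIN_IPV6_MTU:
            # Never send below 1280; a real host keeps 1280 and adds a
            # fragment header instead of trusting a sub-minimum report.
            return mtu, reports


def traceroute6(path, max_hops=30):
    """Probe with hop limit 1, 2, ... and record which router answered each hop.

    traceroute6 on the slides sends three copies per hop; this toy network is
    deterministic, so one probe per hop gives the same picture.
    """
    hops = []
    for hop_limit in range(1, max_hops + 1):
        err = forward(path, 64, hop_limit)      # small probe, MTU never interferes
        if err is None:
            hops.append("destination")
            return hops
        hops.append(err.sender)
    return hops
```

Running `path_mtu_discovery` over a path with link MTUs 1500, 1350 and 1280 reproduces the exchange in the MTU discovery figure: two Too Big reports (1350, then 1280) and a final packet size of 1280.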
Echo Request / Echo Reply
- Used to test reachability of hosts
- Message format same as IPv4 (but with different type)
- Identifier and sequence number still used to match reply with its request
- In IPv4 not authenticated, can be authenticated in IPv6 (verify source)
  - Improves security
ICMPv6 echo request/reply (packet layout)
IPv6 header:
  VERS 6 | TRAFFIC CLASS | FLOW LABEL
  PAYLOAD LENGTH | NEXT HEADER | HOP LIMIT
  IPv6 source address
  IPv6 destination address
Echo request/reply message (ICMPv6):
  TYPE (128/129) | CODE 0 | CHECKSUM
  IDENTIFIER | SEQUENCE NUMBER
  As much of invoking packet as will fit without the resulting ICMPv6 packet exceeding the minimum IPv6 MTU of 1280
ping6 testing reachability
- The ping6 command for testing the reachability of other hosts is an example of the use of echo request/reply pairs
- Requests and replies are matched using the identifier field and sequence number field (both fields are identical for a matching reply and request)
- If a matching reply is received host is reachable
- If no reply is received the host being “pinged” is not reachable
(Figure from the TCP/IP Guide, online)
Neighbor Discovery protocol
- We have already discussed a part of the Neighbor Discovery protocol that replaces the ARP protocol and gratuitous ARP for IPv4:
  - Address resolution
  - Duplicate address detection
- Additions to these protocols also add some additional functionality used in these tasks:
  - Neighbor unreachability
Neighbor solicitation (NS) message (packet layout)
IPv6 header:
  VERS 6 | TRAFFIC CLASS | FLOW LABEL
  PAYLOAD LENGTH | NEXT HEADER | HOP LIMIT 255
  IPv6 source address (address of A)
  IPv6 destination address (solicited-node multicast address of B)
Neighbor solicitation message (ICMP):
  TYPE (135) | CODE 0 | CHECKSUM
  RESERVED (set to 0)
  IPv6 TARGET ADDRESS (link local IP ADDRESS of B)
  OPTIONS (VARIABLE LENGTH): Ethernet address of source host A
Neighbor advertisement (NA) (packet layout)
IPv6 header:
  VERS 6 | TRAFFIC CLASS | FLOW LABEL
  PAYLOAD LENGTH | NEXT HEADER | HOP LIMIT 255
  IPv6 source address
  IPv6 destination address
Neighbor advertisement message (ICMP):
  TYPE (136) | CODE 0 | CHECKSUM
  R|S|O | RESERVED (set to 0)
  IPv6 TARGET ADDRESS (copied from solicitation)
  OPTIONS (VARIABLE LENGTH): Ethernet address of source host (host B)
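The NS and NA layouts above leave two details implicit: how host A derives the solicited-node multicast address of B that the NS is sent to, and how the R, S and O bits and the link-layer address option are laid out. The following is an added example, not the lecture's code. The solicited-node address is ff02::1:ff00:0/104 with the low 24 bits of the target appended (RFC 4291 section 2.7.1), and an IPv6 multicast group maps to the Ethernet address 33:33 followed by the group's low 32 bits (RFC 2464). The ICMPv6 checksum field is left at zero here, to be filled in by the sender over the IPv6 pseudo-header; the addresses and MACs are constructed samples.

```python
"""Added worked example for neighbor solicitation / advertisement bodies.
Constructed for this page, not the lecture's code.  The checksum field is
left zero; a sender fills it in over the IPv6 pseudo-header.
"""
import ipaddress
import struct

NS_TYPE, NA_TYPE = 135, 136
OPT_SOURCE_LLADDR, OPT_TARGET_LLADDR = 1, 2


def solicited_node_multicast(target: str) -> str:
    """ff02::1:ffXX:XXXX where XX:XXXX are the low 24 bits of the target (RFC 4291)."""
    low24 = ipaddress.IPv6Address(target).packed[-3:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))


def ethernet_multicast_mac(group: str) -> str:
    """An IPv6 multicast group maps to 33:33 + its low 32 bits (RFC 2464)."""
    low32 = ipaddress.IPv6Address(group).packed[-4:]
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


def _lladdr_option(opt_type: int, mac: str) -> bytes:
    """Option = TYPE, LENGTH in 8-byte units (1 for Ethernet), 6-byte address."""
    return bytes([opt_type, 1]) + bytes.fromhex(mac.replace(":", ""))


def build_ns(target: str, src_mac: str) -> bytes:
    """Type 135, code 0, checksum 0, reserved 0, target, source link-layer option."""
    body = struct.pack("!BBHI", NS_TYPE, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    return body + _lladdr_option(OPT_SOURCE_LLADDR, src_mac)


def build_na(target: str, target_mac: str, router=False, solicited=True, override=True) -> bytes:
    """Type 136 with the R|S|O bits in the top three bits of the 32-bit flags word."""
    flags = (int(router) << 31) | (int(solicited) << 30) | (int(override) << 29)
    body = struct.pack("!BBHI", NA_TYPE, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    return body + _lladdr_option(OPT_TARGET_LLADDR, target_mac)


def parse_na(body: bytes) -> dict:
    """Decode an NA body, walking its TYPE/LENGTH options."""
    if len(body) < 24:
        raise ValueError("NA body shorter than the fixed 24-byte part")
    msg_type, code, _chk, flags = struct.unpack("!BBHI", body[:8])
    if msg_type != NA_TYPE or code != 0:
        raise ValueError("not a neighbor advertisement")
    result = {
        "router": bool(flags & (1 << 31)),      # R: sender is a router
        "solicited": bool(flags & (1 << 30)),   # S: sent in reply to an NS
        "override": bool(flags & (1 << 29)),    # O: may overwrite a cached entry
        "target": str(ipaddress.IPv6Address(body[8:24])),
        "target_mac": None,
    }
    pos = 24
    while pos + 2 <= len(body):
        opt_type, opt_len = body[pos], body[pos + 1]
        if opt_len == 0 or pos + opt_len * 8 > len(body):
            raise ValueError("malformed option")    # RFC 4861: discard the packet
        opt = body[pos:pos + opt_len * 8]
        if opt_type == OPT_TARGET_LLADDR and opt_len == 1:
            result["target_mac"] = ":".join(f"{b:02x}" for b in opt[2:8])
        pos += opt_len * 8                          # unknown options are skipped
    return result
```

The S and O bits are what a receiver uses to decide whether an NA may update an existing neighbor cache entry; an unsolicited NA (S clear) that changes the cached link-layer address is the kind of event a monitoring tool on the segment would flag, since a legitimate host only sends that when its address really changed.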
Router Discovery: Uses
- Router solicitation (RS) and Router advertisement (RA) messages are used to
  - Help hosts find the routers on the local network segment
  - Help hosts determine the range of addresses in the local network segment (prefix discovery)
  - Support auto-config of IPv6 addresses
  - Help hosts discover MTU of the local segment
  - Help determine next hop destination
(Figure from the TCP/IP Guide, online)
Router Advertisement
- RAs tell hosts on the network how to find the routers on the network and some properties of the networks to which they are attached
  - Periodic RAs are usually sent at regular intervals. They are sent to all hosts on the network (sent to all hosts multicast address)
  - A responding RA is sent to reply to an RS
  - Hosts use RAs
  - Routers ignore all received RAs
IPv6: information in RA (1)
- Information in RAs supports
  - Router Discovery: How hosts locate routers that reside on an attached link.
  - Prefix Discovery: How hosts discover the set of address prefixes that define which destinations are on-link for an attached link. (Nodes use prefixes to distinguish destinations that reside on-link from those only reachable through a router.)
From RFC 2461
IPv6: information in RA (2)
- Information in RAs supports
  - Address Auto configuration: How nodes automatically configure an address for an interface.
  - Address resolution: How nodes determine the link-layer address of an on-link destination (e.g., a neighbor) given only the destination's IP address. (supply needed prefix information)
From RFC 2461
IPv6: information in RA (3)
- Information in RAs supports
  - Next-hop determination: The algorithm for mapping an IP destination address into the IP address of the neighbor to which traffic for the destination should be sent. The next-hop can be a router or the destination itself.
  - Parameter Discovery: How a node learns such link parameters as the link MTU or such Internet parameters as the hop limit value to place in outgoing packets.
From RFC 2461
Improvements over IPv4
- RAs carry link-layer addresses
  - No additional packet exchange is needed to resolve the router's link-layer address. (ARP not needed)
- RAs carry prefixes for a link
  - There is no need for mask request/reply messages to obtain subnet or network sizes (masks)
- RAs enable Address Auto-configuration.
- RAs can advertise a link MTU
  - Hosts use this MTU on the link, which ensures that all nodes on the link use the same MTU
From RFC 2461
Periodic Router Advertisement
- Periodic RAs tell hosts on the network how to find the routers on the network and some properties of the networks to which they are attached
- Periodic RAs are usually sent at regular intervals. They are sent to all hosts on the network (sent to all hosts multicast address)
Default Router: Router lifetime
- A default router is a router that is willing to forward packets originating on the network segment receiving the RA.
- Router Lifetime: the lifetime associated with a default router entry in the cache, in units of seconds (≤9000s). Default value is 3.
- A router which is not willing to be a default router will advertise a lifetime of 0
Reply: Router advertisement (packet layout)
IPv6 header:
  VERS 6 | TRAFFIC CLASS | FLOW LABEL
  PAYLOAD LENGTH | NEXT HEADER | HOP LIMIT 255
  IPv6 source address (link local address of sending interface)
  IPv6 destination address (all nodes multicast address)
Router advertisement message (ICMP):
  TYPE (134) | CODE 0 | CHECKSUM
  Cur Hop Limit | Flags | RESERVED | ROUTER LIFETIME
  REACHABLE TIMER ≤1hr (time node assumes neighbor is reachable)
  RETRANSMISSION TIMER (time in milliseconds between retransmission of NS messages)
  OPTIONS (VARIABLE LENGTH): includes link layer address of sending interface and prefix information; may include MTU
Reachable Timer
- Reachable Time: the number of milliseconds that a node assumes a neighbor is reachable (after receiving a reachability confirmation)
- Used by neighbor unreachability detection
- Applies to both hosts and routers
- Must be < 1hr (3,600,000 milliseconds)
Retransmission Timer
- Retransmission Timer: the number of milliseconds between retransmitted Neighbor Solicitation messages (default 0, unspecified, do not change)
- Used by neighbor unreachability detection
- Used by address resolution
- Default value in RA is 0, which means unspecified
Router Advertisement Flags
- M: managed address configuration
  - When set indicates addresses supplied by DHCPv6
- O: other configuration flag
  - Other configuration information (e.g. DNS info) is available from the DHCPv6 server
  - Redundant if M flag is set
- H: Mobile Home agent flag
  - Allows continued connectivity when moving from one connection to the internet to another, routing packets from home location to present location
Router Advertisement Flags
- PRF (2 bits): Router selection preference
  - Optional, administrator configured preference, helps a multi-homed host pick different preferred routers available on different links
- P: Neighbor Discovery Proxy Flag
  - Proxy for cases when bridging is not possible
Router advertisement options
Option format: TYPE | LENGTH | DATA (variable length)
OPTIONS
- Link layer address
- MTU
- Prefix
Router/Parameter/Prefix Discovery
- A booting host does not want to wait for the next periodic router advertisement
- A booting host can send a router solicitation (RS) message to the all routers multicast address to prompt an immediate RA.
- The default routers on the local link will each reply with an immediate RA
- The information in these RAs will allow the booting host to discover the routers, parameters, and prefixes for the local network segment
Router solicitation message (packet layout)
IPv6 header:
  VERS 6 | TRAFFIC CLASS | FLOW LABEL
  PAYLOAD LENGTH | NEXT HEADER | HOP LIMIT 255
  IPv6 source address (IPv6 address of sending interface)
  IPv6 destination address (all-routers multicast address)
Router solicitation message (ICMP):
  TYPE (133) | CODE 0 | CHECKSUM
  RESERVED (set to 0)
  OPTIONS (VARIABLE LENGTH): Ethernet address of the sending host
Router Solicitation
- Sent by a host to determine where the routers on the local network are and parameters to use
  - When a host needs this information NOW, not at the end of the next interval (which may be several minutes)
- Receiving an RS will cause the default routers to unicast a router advertisement to the requestor
- Receiving an RS will reset the router's periodic transmission timer (next RA will be 1 period after reception of the RS)
Reply: Router advertisement (packet layout)
IPv6 header:
  VERS 6 | TRAFFIC CLASS | FLOW LABEL
  PAYLOAD LENGTH | NEXT HEADER | HOP LIMIT 255
  IPv6 source address (link local address of sending interface)
  IPv6 destination address (source address of the RS being replied to)
Router advertisement message (ICMP):
  TYPE (134) | CODE 0 | CHECKSUM
  Cur Hop Limit | Flags | RESERVED | ROUTER LIFETIME
  REACHABLE TIMER ≤1hr (time node assumes neighbor is reachable)
  RETRANSMISSION TIMER (time in milliseconds between retransmission of NS messages)
  OPTIONS (VARIABLE LENGTH): includes link layer address of sending interface and prefix information; may include MTU
Prefix Discovery
- How a host determines the set of prefixes that are on-link, the size and initial address of each range of valid addresses (accessible without going through a router)
- Prefixes sent as part of the options in the RA tell us the on link addresses that are available
- How are the prefixes sent in the RA?
What a prefix option looks like
  TYPE 3 | LENGTH 4 | PREFIX LENGTH | L | A | RESERVED
  VALID LIFETIME (time in seconds after RA is sent that the prefix is valid)
  PREFERRED LIFETIME
  RESERVED (both reserved fields must be all 0)
  PREFIX (PREFIX LENGTH bits of the binary digits in the prefix of the IP address, followed by 128-PREFIX LENGTH zeros)
- L flag is set when prefix can be used to determine if addresses are on link
- A flag is set when prefix can be used for autonomous address configuration
- A lifetime of all 1’s represents infinity
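The RA layout, its flags, the TYPE/LENGTH/DATA option format and the prefix option above can be tied together in one encoder/decoder. This is an added example constructed for this page, not the lecture's code. It writes and reads an RA body with three option types: source link-layer address (type 1), prefix information (type 3, length 4, carrying the L and A flags and the all-ones "infinity" lifetime) and MTU (type 5); the MTU option type value and the flag bit positions (M, O, H, PRF, P) are those of RFC 4861, RFC 4191 and RFC 5175. Before decoding, it applies the receive checks RFC 4861 section 6.1.2 requires: the source must be a link-local address and the IPv6 Hop Limit must be 255. That is why the packet layouts show HOP LIMIT 255: a packet that crossed any router has a lower hop limit and is dropped, so only an on-link sender can be accepted as a router. Sample prefixes come from the 2001:db8::/32 documentation range.

```python
"""Added worked example: an ICMPv6 Router Advertisement (type 134) body
with its TYPE/LENGTH/DATA options, encoded and decoded.  Constructed for
this page; not the lecture's code.  Receive checks follow RFC 4861 6.1.2.
"""
import ipaddress
import struct

RA_TYPE = 134
OPT_SOURCE_LLADDR, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5
INFINITY = 0xFFFFFFFF          # a lifetime of all ones means infinity


def lladdr_option(mac: str) -> bytes:
    """Type 1, length 1 (8 bytes), 6-byte Ethernet address."""
    return bytes([OPT_SOURCE_LLADDR, 1]) + bytes.fromhex(mac.replace(":", ""))


def mtu_option(mtu: int) -> bytes:
    """Type 5, length 1, 2 reserved bytes, 32-bit MTU."""
    return struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)


def prefix_option(prefix: str, valid: int, preferred: int,
                  on_link: bool = True, autonomous: bool = True) -> bytes:
    """Type 3, length 4: prefix length, L|A flags, lifetimes, reserved, 128-bit prefix."""
    net = ipaddress.IPv6Network(prefix)
    la_flags = (int(on_link) << 7) | (int(autonomous) << 6)
    return (struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, la_flags,
                        valid, preferred, 0) + net.network_address.packed)


def build_ra(cur_hop_limit, flags, router_lifetime, reachable_ms, retrans_ms, options):
    """Type, code 0, checksum (0 here; filled by the sender), RA fields, options."""
    head = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, cur_hop_limit, flags,
                       router_lifetime, reachable_ms, retrans_ms)
    return head + b"".join(options)


def parse_ra(src: str, hop_limit: int, body: bytes) -> dict:
    """Decode an RA body after the receive checks of RFC 4861 section 6.1.2."""
    # An RA from a non link-local source, or one whose Hop Limit is not 255,
    # may have crossed a router and is silently discarded.
    if not ipaddress.IPv6Address(src).is_link_local:
        raise ValueError("RA source address is not link-local")
    if hop_limit != 255:
        raise ValueError("RA hop limit is not 255")
    (msg_type, code, _chk, cur_hop, flags,
     lifetime, reachable, retrans) = struct.unpack("!BBHBBHII", body[:16])
    if msg_type != RA_TYPE or code != 0:
        raise ValueError("not a router advertisement")
    ra = {
        "cur_hop_limit": cur_hop,          # 0 = unspecified, keep the current value
        "managed": bool(flags & 0x80),     # M: addresses from DHCPv6
        "other": bool(flags & 0x40),       # O: other configuration from DHCPv6
        "home_agent": bool(flags & 0x20),  # H
        "prf": (flags >> 3) & 0x3,         # router selection preference, 2 bits
        "proxy": bool(flags & 0x04),       # P
        "router_lifetime": lifetime,       # 0 = not a default router
        "reachable_ms": reachable, "retrans_ms": retrans,
        "prefixes": [], "mtu": None, "source_mac": None,
    }
    pos = 16
    while pos + 2 <= len(body):
        opt_type, opt_len = body[pos], body[pos + 1]
        if opt_len == 0 or pos + opt_len * 8 > len(body):
            raise ValueError("malformed option")    # RFC 4861: discard the packet
        opt = body[pos:pos + opt_len * 8]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, la_flags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            ra["prefixes"].append({
                "prefix": str(ipaddress.IPv6Network((opt[16:32], plen), strict=False)),
                "on_link": bool(la_flags & 0x80),
                "autonomous": bool(la_flags & 0x40),
                "valid": None if valid == INFINITY else valid,
                "preferred": None if preferred == INFINITY else preferred,
            })
        elif opt_type == OPT_MTU and opt_len == 1:
            ra["mtu"] = struct.unpack("!I", opt[4:8])[0]
        elif opt_type == OPT_SOURCE_LLADDR and opt_len == 1:
            ra["source_mac"] = ":".join(f"{b:02x}" for b in opt[2:8])
        pos += opt_len * 8          # unknown option types are skipped, not fatal
    return ra
```

The hop-limit and link-local checks only establish that the sender is on the link; they say nothing about whether it is the legitimate router, which is why switched networks pair them with RA Guard (RFC 6105) on access ports and with monitoring for RAs from unexpected source MACs.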
Prefix discovery
- Each router should include all prefixes it supports on the local link in the options field of the RA.
- Prefix options with the L flag set are available on link
- Host can combine prefixes with L bit set from the RAs of all routers to determine all available prefixes on the local link
Parameter Discovery
- How a node learns IP and link parameters used to send packets
- Link parameters such as
  - the link MTU, to determine size of packets to send
  - the retransmission time for NS messages
  - Router lifetime
  - Determine approach to configuration (M flag)
- Internet parameters such as the hop limit value to place in outgoing packets (from the Cur Hop Limit field in the RA)
Parameter Discovery: uses
- Router announcements allow one to
  - Choose stateful configuration (DHCP, M flag 1)
  - Or choose stateless auto configuration of addresses (M flag 0)
  - Update values such as Cur Hop Limit, Reachable Time, Retransmission Timer, and MTU.
    If the value given is 0 this means that the existing values should continue to be used, NOT that values should be set to the default or to 0
  - Immediately send to the router after receiving and processing the RA, because link local IP addresses and hardware level addresses of the router are provided
Updating parameters
- A router may send an RA to update any parameter/option that can have only one value
  - If a different value is given in the RA than the host is presently using, the value the host is using should be updated.
  - Some parameters (Cur Hop Limit, Reachable Time and Retransmission Timer) can be given the value 0 (unspecified). This means that the current value should continue to be used.
Auto configuration outline (state diagram)
  INIT: generate address
  TENTATIVE: verify address with DAD
  PREFERRED (VALID): normal operation; start timers (preferred lifetime, valid lifetime); timers restarted by arrival of an RA or DHCPv6 renewal
  DEPRECATED (still VALID): entered when the preferred lifetime expires; existing connections should use the address, new connections might not
  INVALID: entered when the valid lifetime expires
IPv6 auto configuration (1)
To make it easier to connect to a network IPv6 provides a process for auto configuration of IP address (and more) for a given node
1. When a node connects to the network it constructs a link local address (tentative address)
Construction of address
1. When a node connects to the network it constructs a link local address (tentative address)
   - The address begins with the link local prefix fe80::0/64 (link local address starts with 1111 1110 10 or fe80 followed by 54 0’s)
   - The last 64 bits will contain a modified Ethernet address of the node. The 64 bits will consist of
     - The first 24 bits of the Ethernet address
     - The intermediate 16 bits will be FFFE (if the IEEE 802 algorithm is used)
     - The final 24 bits of the Ethernet address
IPv6 auto configuration (2)
To make it easier to connect to a network IPv6 provides a process for auto configuration of IP address (and more) for a given node
2. Node checks address using DAD
   - sends NS to solicited node multicast address
   - If an NA is received stop (NEED MANUAL CONFIG)
   - Otherwise assign the link local address to the interface
DAD details
The next step is duplicate address detection (DAD, one of the parts of the neighbor discovery protocol).
- Some vendors ship multiple interfaces with the same Ethernet address, or units with configurable addresses, so there is a finite chance that the constructed link local address is already in use.
- A neighbor solicitation message with type 135 is sent to the tentative unicast address (source address 0::0)
- If there is already a host with the tentative address it will reply to the neighbor solicitation message with a neighbor advertisement message multicast to the all nodes multicast address. This message indicates it is sent in reply to a solicitation message
- If a reply to the neighbor solicitation message is received auto configuration aborts
IPv6 auto configuration (3a)
3. Send router solicitation from the link local address to the all routers multicast address
4. If no router advertisements are received this indicates there is no IPv6 capable router available
   - The node will attempt to obtain an IP address using DHCPv6
   - If no DHCPv6 server is available the node communicates to other IPv6 hosts only locally, using the link local address (skip remaining autoconfig steps)
IPv6 auto configuration (3b)
3. Send a router solicitation message from the link local address to the all routers multicast address
4. Any IPv6 router that receives the router solicitation message will reply with a router advertisement unicast to the link local address of the auto-configuring node
IPv6 auto configuration (4)
- Use the parameters in the RA (or from DHCPv6) to set the parameters of the interface (MTU, Retrans time, Reachable time, Hop Limit)
- Choose default routers (Lifetime ≠ 0). Note that only default routers can have default routes
- Use each of the prefixes with the A flag set in the RA (or from DHCPv6) to determine global address, test address with DAD, and initialize corresponding global address on the interface
- Each interface has 1 address for each prefix
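The address construction in step 1 (link local address from the Ethernet address) and step 4 (one global address per prefix with the A flag set) can be carried through end to end. The example below is added for this page and is not the lecture's code. It builds the modified EUI-64 interface identifier exactly as the "Construction of address" slide describes (first 24 bits, FFFE, last 24 bits) with one detail the slide omits: RFC 4291 Appendix A also inverts the universal/local bit (bit 7 of the first octet), which is why a MAC starting 00:11:... yields an identifier starting 0211. The MAC address and prefixes are constructed samples; the prefix list is shaped like the parsed prefix options of an RA, with a `prefix` string and an `autonomous` flag.

```python
"""Added worked example: SLAAC address construction from an Ethernet address.
Constructed for this page, not the lecture's code.  Implements modified
EUI-64 (RFC 4291 Appendix A), the fe80::/64 link-local address, and one
global address per RA prefix whose A flag is set.
"""
import ipaddress


def modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface identifier: 24 bits | ff:fe | 24 bits, U/L bit inverted."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit Ethernet address")
    first = bytes([octets[0] ^ 0x02])          # invert the universal/local bit
    return first + octets[1: 3] + b"\xff\xfe" + octets[3:6]


def link_local_address(mac: str) -> str:
    """Step 1 of the slides: fe80::/64 followed by the modified EUI-64 identifier."""
    return str(ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + modified_eui64(mac)))


def address_from_prefix(prefix: str, mac: str) -> str:
    """Step 4 of the slides: only a /64 prefix leaves room for a 64-bit identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless auto configuration needs a 64-bit prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac)))


def slaac_addresses(mac: str, ra_prefixes: list) -> list:
    """Link-local first, then one address for each prefix with the A flag set.

    `ra_prefixes` is a list of dicts with a `prefix` string and an
    `autonomous` bool, the shape a decoded RA prefix option would give.
    Each resulting address is tentative until DAD has confirmed it.
    """
    addrs = [link_local_address(mac)]
    for entry in ra_prefixes:
        if entry["autonomous"]:
            addrs.append(address_from_prefix(entry["prefix"], mac))
    return addrs
```

Because the identifier embeds the MAC, every EUI-64 derived address of a host shares the same low 64 bits across networks, which makes the host trackable; modern stacks therefore default to the stable opaque identifiers of RFC 7217 or the temporary addresses of RFC 8981 for global addresses, keeping this derivation mainly for the link-local address.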