Page 1: Fedv6tf-IPv6-new-friends

© 2012 Cisco and/or its affiliates. All rights reserved. 1

Cisco “Tech Session” IPv6 Has New Friends

Tim Martin

CCIE #2020

Solutions Architect

Spring 2015

Page 2: Fedv6tf-IPv6-new-friends

•  IPv6 Address Refresh
•  Neighbor Discovery Protocol
•  Extension Headers
•  Multicast Listener Discovery
•  Summary

Page 3: Fedv6tf-IPv6-new-friends

IPv6 adoption drivers (timeline diagram):

IPv4 address depletion (2011)

National IPv6 strategies, STEM, mandate

Infrastructure evolution: 4G, DOCSIS 3.0, CGN

IPv6 OS, content & applications: preferred by applications in Windows 7, Server 2008, OS X

Page 4: Fedv6tf-IPv6-new-friends

•  Early Adopters, from ~2001-2005 (6bone)
•  Chasm, Refinement from 2005-2009 (Tunneling)
•  Early Majority, Launch June 2012 (Transitioning)

Page 5: Fedv6tf-IPv6-new-friends

IPv6 Address Family (diagram):

Unicast: Global, Unique Local, Link Local, Special, Embedded
Multicast: Assigned (Well Known, Temp), Solicited Node
Anycast

*IPv6 does not use broadcast addressing

Page 6: Fedv6tf-IPv6-new-friends

•  IPv6 addresses are 128 bits long, segmented into 8 groups of 16 bits separated by (:); written as 32 hex characters, with a prefix length rather than a mask
•  Word, Group or Quad: 4 hex characters, each containing 4 bits

Example: 2001:0db8:0100:1111:0000:0000:0000:0001

  2001 : 0db8 : 0100 : 1111 : 0000 : 0000 : 0000 : 0001   (8 groups of 16 bits)
  Global Routing Prefix | Subnet Id | Host Id              (network portion | host portion)

Page 7: Fedv6tf-IPv6-new-friends

•  Leading 0’s can be omitted

•  The double colon (::) can appear only once

Full Format:          2001:0db8:0000:0000:0000:0000:1e2a:00a4
Abbreviated Formats:  2001:db8:0:0:0:0:1e2a:a4
                      2001:db8::1e2a:a4
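The two abbreviation rules above, written out as code. This is an added example, not from the slides; the function names expand_ipv6 and compress_ipv6 are my own, and the compressor follows RFC 5952 (longest run of zero groups becomes "::", a lone zero group stays "0"), which the slide does not spell out.

```python
# Added example, not from the slides: the two abbreviation rules (drop leading
# zeros in a group; "::" at most once, for the longest run of zero groups).
def expand_ipv6(addr: str) -> str:
    """Full form: 8 groups of 4 hex digits. Rejects a second '::'."""
    if addr.count("::") > 1:
        raise ValueError("'::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = addr.split(":")
    if len(groups) != 8 or not all(1 <= len(g) <= 4 for g in groups):
        raise ValueError("expected 8 groups of 1-4 hex digits")
    return ":".join(f"{int(g, 16):04x}" for g in groups)

def compress_ipv6(addr: str) -> str:
    """Shortest form: leading zeros dropped, longest zero run (2+ groups) becomes '::'."""
    groups = [int(g, 16) for g in expand_ipv6(addr).split(":")]
    best_start = best_len = 0
    run_start = -1
    for i, g in enumerate(groups + [1]):          # sentinel closes a trailing run
        if g == 0 and run_start < 0:
            run_start = i
        elif g != 0 and run_start >= 0:
            if i - run_start > best_len:          # first longest run wins ties
                best_start, best_len = run_start, i - run_start
            run_start = -1
    hexs = [f"{g:x}" for g in groups]
    if best_len < 2:                              # a lone zero group stays "0" (RFC 5952)
        return ":".join(hexs)
    head = ":".join(hexs[:best_start])
    tail = ":".join(hexs[best_start + best_len:])
    return f"{head}::{tail}"
```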

Page 8: Fedv6tf-IPv6-new-friends

Link-Local – Non-routable, exists on a single layer 2 domain (fe80::/10)
  fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx

Unique-Local – Routable within an administrative domain (fc00::/7)
  fc00:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx
  fd00:gggg:gggg:ssss:xxxx:xxxx:xxxx:xxxx

Global – Routable across the Internet (2000::/3)
  2000:NNNN:NNNN:SSSS:HHHH:HHHH:HHHH:HHHH through 3fff:NNNN:NNNN:SSSS:HHHH:HHHH:HHHH:HHHH

Page 9: Fedv6tf-IPv6-new-friends

•  Always uses Link Local (fe80::/64) as its source

•  Hop Limit must be set to 255 (Generalized TTL Security Mechanism)

•  Neighbor discovery messages: Router solicitation (ICMPv6 type 133), Router advertisement (ICMPv6 type 134), Neighbor solicitation (ICMPv6 type 135), Neighbor advertisement (ICMPv6 type 136), Redirect (ICMPv6 type 137)

IPv4                      IPv6
ARP Request (Broadcast)   Neighbor Solicitation (Solicited Node Multicast)
ARP Reply (Unicast)       Neighbor Advertisement (Unicast)

NDP functions (diagram): RS, RA, NS, NA, Redirects, NUD, DAD

Page 10: Fedv6tf-IPv6-new-friends

•  Router solicitations (RS) are sent by nodes at bootup

•  Routers forward packets as well as provide provisioning services

RS: ICMP Type 133, IPv6 Source fe80::a, IPv6 Destination ff02::2, Opt. 1 SLLA (source link-layer address)

RA: ICMP Type 134, IPv6 Source fe80::2, IPv6 Destination fe80::a, Data: options, subnet prefix, lifetime, autoconfig flag

Page 11: Fedv6tf-IPv6-new-friends

•  M-Flag – Stateful DHCPv6 to acquire IPv6 address

•  O-Flag – Stateless DHCPv6 in addition to SLAAC

•  Preference Bits – Low, Med, High

•  Router Lifetime – Must be >0 for Default

•  Options – Prefix Information, Length, Flags

•  L bit – Only way a host gets an On-Link Prefix

•  A bit – Set to 0 for DHCP to work properly

RA as decoded by the sniffer:

Type: 134 (RA)
Code: 0
Checksum: 0xff78 [correct]
Cur hop limit: 64
Flags: 0x84
    1... .... = Managed (M flag)
    .0.. .... = Not other (O flag)
    ..0. .... = Not Home (H flag)
    ...0 1... = Router pref: High
Router lifetime (s): 1800
Reachable time (ms): 3600000
Retrans timer (ms): 1000
ICMPv6 Option 3 (Prefix Info)
    Prefix length: 64
    Flags: 0x80
        1... .... = On link (L Bit)
        .1.. .... = No Auto (A Bit)
    Prefix: 2001:0db8:4646:1234::/64

Page 12: Fedv6tf-IPv6-new-friends

RA message layout: type = 134 | code = 0 | checksum; hop limit | M|O|H|pref | router lifetime; reachable time; retransmit timer; options (variable)

•  ICMPv6 – Type, Code, Checksum, Data

•  Data – Body of the Message Type (Required)

•  Option 1 – Source MAC, Option 5 – MTU

•  Option 3 – Prefix and Host Provisioning

•  Option 25 – Recursive DNS Servers, DNS Search List
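The RA layout and options listed above, decoded from raw ICMPv6 bytes. This is an added example, not from the slides: parse_ra, address_sources and SAMPLE_RA are my own names, the sample RA is constructed (checksum left at zero and not verified, since that needs the IPv6 pseudo-header), and its SLLA is the MAC I infer behind the slides' EUI-64 link-local FE80::200:CFF:FE3A:8B18; option 25 (RDNSS) is left in the "unknown, skipped" path.

```python
import struct
import ipaddress

# Added example, not from the slides: decode the RA fields/options of slides 11-12
# from raw ICMPv6 bytes. SAMPLE_RA is constructed; the checksum is not verified.
PREF = {0: "medium", 1: "high", 3: "low", 2: "reserved(medium)"}   # RFC 4191 Prf bits

def parse_ra(data: bytes) -> dict:
    typ, code, _csum, hop, flags, life, reach, retrans = struct.unpack("!BBHBBHII", data[:16])
    if typ != 134 or code != 0:
        raise ValueError("not a Router Advertisement (type 134, code 0)")
    ra = {"hop_limit": hop, "M": bool(flags & 0x80), "O": bool(flags & 0x40), "H": bool(flags & 0x20),
          "pref": PREF[(flags >> 3) & 3], "router_lifetime": life, "reachable_ms": reach,
          "retrans_ms": retrans, "options": []}
    off = 16
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1] * 8           # length is in 8-octet units
        if olen == 0:
            raise ValueError("option length 0: RFC 4861 says discard the packet")
        body = data[off + 2:off + olen]
        if otype == 1:                                        # Source link-layer address
            opt = {"type": "SLLA", "mac": ":".join(f"{b:02x}" for b in body[:6])}
        elif otype == 3:                                      # Prefix Information
            plen, pflags, valid, pref, _r, prefix = struct.unpack("!BBIII16s", body)
            opt = {"type": "PrefixInfo", "prefix": f"{ipaddress.IPv6Address(prefix)}/{plen}",
                   "L": bool(pflags & 0x80), "A": bool(pflags & 0x40),
                   "valid": valid, "preferred": pref}
        elif otype == 5:                                      # MTU
            opt = {"type": "MTU", "mtu": struct.unpack("!HI", body)[1]}
        else:                                                 # e.g. 25 RDNSS: skipped, not dropped
            opt = {"type": f"unknown({otype})"}
        ra["options"].append(opt)
        off += olen
    return ra

def address_sources(ra: dict) -> list:
    # Slide 11's rules: A=1 prefix -> SLAAC; M -> stateful DHCPv6; O alone -> stateless DHCPv6
    src = ["SLAAC" for o in ra["options"] if o["type"] == "PrefixInfo" and o["A"]]
    if ra["M"]:
        src.append("stateful DHCPv6")
    elif ra["O"]:
        src.append("stateless DHCPv6 (other config only)")
    return src

# Constructed RA: M=1, Prf high (flags 0x88); SLLA = MAC assumed behind the slides' link-local
# FE80::200:CFF:FE3A:8B18; prefix 2001:db8:4646:1234::/64 with L=1 A=0; MTU 1500.
SAMPLE_RA = (struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x88, 1800, 3600000, 1000)
             + struct.pack("!BB6s", 1, 1, bytes.fromhex("00000c3a8b18"))
             + struct.pack("!BBBBIII16s", 3, 4, 64, 0x80, 2592000, 604800, 0,
                           ipaddress.IPv6Address("2001:db8:4646:1234::").packed)
             + struct.pack("!BBHI", 5, 1, 0, 1500))
```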

Page 13: Fedv6tf-IPv6-new-friends

Duplicate Address Detection (diagram: nodes A, B, C; node A can start using address A if no NA arrives)

•  Unspecified Source (::), No Option 1 SLLA

•  Probing the Local Link to Verify Address Uniqueness

•  An NA Indicates Address in Use, Administrative Intervention Required

NS: ICMP Type 135, IPv6 Source UNSPEC = ::, IPv6 Dest. A’s Solicited Node Multicast ff02::1:ff00:a; Query: anyone using “a”?

NA: ICMP Type 136, IPv6 Source fe80::a, IPv6 Dest. ff02::1, Flags S = 0, O = 1

Page 14: Fedv6tf-IPv6-new-friends

•  Unicast address MUST build corresponding solicited-node multicast

•  Solicited-node multicast consists of ff02::1:ff00:0/104 {lower 24 bits from IPv6 Unicast}

Unicast:         fe80:0000:0000:0000:1234:5678:9abc:fc0f
Solicited-node:  ff02:0000:0000:0000:0000:0001:ffbc:fc0f
Layer 2:         33:33:FF:BC:FC:0F

Every layer 3 IPv6 multicast address must map to the corresponding layer 2 multicast address

Page 15: Fedv6tf-IPv6-new-friends

R1#sh ipv6 int e0
Ethernet0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::200:CFF:FE3A:8B18
  Global unicast address(es):
    2001:DB8:0:1234::1, subnet is 2001:DB8:0:1234::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:1
    FF02::1:FF3A:8B18
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND router advertisements are sent every 200 seconds

Solicited-Node Multicast Address* (the FF02::1:FF... groups above)

*If EUI format is used then the first solicited node mcast addr is used for both the LL & GU
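The solicited-node derivation and the layer 2 mapping from the previous slide, plus the EUI-64 note above, as an added example that is not from the slides. It uses Python's ipaddress module; the function names are my own, and the router addresses come from the show ipv6 interface output.

```python
import ipaddress

# Added example, not from the slides: solicited-node group (ff02::1:ff00:0/104 +
# low 24 bits of the unicast address) and its Ethernet mapping (33:33 + low 32 bits).
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node(unicast: str) -> str:
    """Solicited-node multicast group every unicast address must join (slide 14)."""
    addr = ipaddress.IPv6Address(unicast)
    if addr.is_multicast:
        raise ValueError("solicited-node groups are derived from unicast addresses")
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | (int(addr) & 0xFFFFFF)))

def multicast_mac(group: str) -> str:
    """Layer 2 multicast MAC for an IPv6 group (RFC 2464: 33:33 + low 32 bits)."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError("not an IPv6 multicast address")
    low32 = (int(addr) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)

def shares_solicited_node(a: str, b: str) -> bool:
    """True when two addresses (e.g. EUI-64 link-local and global, slide 15) join one group."""
    return solicited_node(a) == solicited_node(b)

if __name__ == "__main__":
    # The slide's example plus the router's two addresses from the show output
    for u in ("fe80::1234:5678:9abc:fc0f", "FE80::200:CFF:FE3A:8B18", "2001:DB8:0:1234::1"):
        g = solicited_node(u)
        print(f"{u:>28} -> {g:<20} {multicast_mac(g)}")
```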

Page 16: Fedv6tf-IPv6-new-friends

Address resolution between nodes A and B (diagram; DfGW = default gateway on the same link)

NS: ICMP Type 135, IPv6 Source fe80::a, IPv6 Destination ff02::1:ff00:b, Hop Limit 255, Target Address 2001:db8:1:46::b, Opt. 1 SLLA = A’s Link Layer Address; Query: what is B’s link layer address?

NA: ICMP Type 136, IPv6 Source fe80::b, IPv6 Destination fe80::a, Target Address 2001:db8:1:46::b, Option 2 TLLA = B’s Link Layer Address

*Flags: R = Router, S = Response to Solicitation, O = Override cache information

•  ARP replacement, maps L3 to L2

•  Node B will add node A to its neighbor cache during this process w/o sending NS

•  Multicast for resolution (new), Unicast for reachability (cache)

Page 17: Fedv6tf-IPv6-new-friends

Redirect (diagram: router R2, nodes A and B)

Packet: IPv6 Source 2001:db8:4646:1::b, IPv6 Dest. 2001:db8:4646:1::a, ULP variable

Redirect Packet (137): IPv6 Source fe80::2, IPv6 Dest. 2001:db8:4646:1::b, ICMPv6 Type 137, Target Addr. 2001:db8:4636:1::a, Opt. 2 TLLA 001C.2D3E.00AA

•  Cannot be used if destination is multicast

•  Hosts should not send redirects; should be turned off on routed links

•  IPv6 hosts don’t use bitwise masking; the TLLA avoids an ND round

Page 18: Fedv6tf-IPv6-new-friends

Header chain example: IPv6 Header → Hop-by-Hop → Destination Opt → TCP Header → Payload

•  EH are daisy chained, processed in order
•  Length is variable, must be on an 8 byte boundary, typically 24 bytes
•  If HbH is present it must be first: MUST (RFC 2460), Should be processed (RFC 7045)

Page 19: Fedv6tf-IPv6-new-friends

Extension Header         Type
Hop-by-Hop Options       0
Destination Options*     60
Routing Header           43
Fragment Header          44
Authentication Header    51
ESP Header               50
Destination Options*     60
Mobility Header          135
Shim6                    140
Experimental             253, 254
No Next Header           59

Page 20: Fedv6tf-IPv6-new-friends

Extension Header         Processing
Hop-by-Hop Options       Processed by every router, must appear first
Routing Header           List of routers to cross
Destination Options      Processed by routers listed in 43
Fragment Header          Processed by destination
Authentication Header    Authenticate packet after reassembly
ESP Header               Cipher the content of remaining information
Destination Options      Processed only by destination

•  Fragmentation EH is applied on the source
•  Destination Option is the only EH allowed to appear more than once

Page 21: Fedv6tf-IPv6-new-friends

•  Potential DoS with poor IPv6 stack implementations
•  PadN in DO, covert channeling – RFC 2460 states a max of 5 bytes (0x00)
•  IPv6 Inspection – Only known EH, strict order, granular filtering
•  Accept fragmentation, possibly ESP/AH, others as needed

Sniffer capture annotations (figure): “Perfectly valid IPv6 packet according to the sniffer”; “Routing Header out of order, DH should be last”; “Header should only appear once”; “Destination Header, which should occur at most twice”

Page 22: Fedv6tf-IPv6-new-friends

•  Forwarding nodes should not inspect EH’s (RFC 2460)

•  Discarding EH’s may cause connectivity failures

•  Firewalls, load balancers, packet classifiers (RFC 7045): drop valid EH’s if part of the operator’s policy; routers “should” process hop-by-hop EH’s; drop deprecated RH types 0, 1

•  RFC 6564 – uniform format for extension headers

Page 23: Fedv6tf-IPv6-new-friends

•  Header Chains {IPv6, EH’s, Upper Layer Header}

•  ULP Present or {NH = 59} Terminates the Chain

•  IP in IP (2nd IPv6 Header) May Also Terminate

•  First Fragment {Offset = 0, M = 1}, Must Include ULP

•  ICMPv6 Type 4, Code 3: Incomplete Header Chain

Diagram 1: IPv6 (NH = 60) → DO (NH = 60) → DO (NH = 60) → DO (NH = 60) → DO (NH = 60) → DO (NH = 60) → DO (NH = 60) → DO (NH = 60)

Diagram 2: IPv6 Header (NH = 44) → Frag (NH = 60) → DO (NH = 6, >1400B), so the upper-layer header does not fit in the first fragment
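A header-chain walker applying the checks from the extension-header slides (HbH only first, Destination Options at most twice, only known EHs, deprecated RH types 0/1, first fragment must carry the upper-layer header). This is an added example, not from the slides; walk_chain and ipv6_pkt are my own names, ipv6_pkt builds constructed packets with zeroed addresses, and the Mobility and Shim6 headers are left out for brevity.

```python
import struct

# Added example, not from the slides: walk an IPv6 extension-header chain and apply the
# checks of slides 18-23. Packets are constructed; Mobility/Shim6 left out for brevity.
EXT = {0: "HopByHop", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH", 60: "DestOpts"}
ULP = {6: "TCP", 17: "UDP", 58: "ICMPv6", 41: "IPv6-in-IPv6", 59: "NoNextHeader"}

def walk_chain(pkt: bytes):
    """Return (chain, problems): header names in order, and policy violations."""
    chain, problems = [], []
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return chain, ["not an IPv6 header"]
    nh, off, do_count, first_frag, complete = pkt[6], 40, 0, False, False
    while nh in EXT:
        if off + 8 > len(pkt):                    # every EH is at least 8 octets
            problems.append("header chain truncated")
            break
        chain.append(EXT[nh])
        if nh == 0 and off != 40:
            problems.append("Hop-by-Hop not first")
        if nh == 43 and pkt[off + 2] in (0, 1):
            problems.append(f"deprecated routing header type {pkt[off + 2]}")
        if nh == 50:                              # ESP: the rest is ciphertext
            complete = True
            break
        do_count += nh == 60
        if nh == 44:                              # fixed 8 octets; offset in 8-octet units
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3:
                complete = True                   # non-first fragment: no ULP expected
                break
            first_frag = bool(pkt[off + 3] & 1)   # offset 0 with M=1
            nh, off = pkt[off], off + 8
        elif nh == 51:                            # AH: length in 4-octet units, minus 2
            nh, off = pkt[off], off + (pkt[off + 1] + 2) * 4
        else:                                     # HbH/DO/RH: 8-octet units, minus 1
            nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    else:                                         # loop ended on a non-EH next header
        complete = off < len(pkt) and nh in ULP
        if complete:
            chain.append(ULP[nh])
        else:
            problems.append(f"truncated chain or unknown next header {nh}")
    if do_count > 2:
        problems.append("Destination Options appears more than twice")
    if first_frag and not complete:
        problems.append("first fragment does not include the upper-layer header")
    return chain, problems

def ipv6_pkt(first_nh: int, rest: bytes) -> bytes:   # constructed header, addresses zeroed
    return struct.pack("!IHBB", 0x60000000, len(rest), first_nh, 64) + bytes(32) + rest
```

Calling walk_chain(ipv6_pkt(44, bytes([60, 0, 0, 1, 0, 0, 0, 1]) + bytes([6, 175, 1, 4, 0, 0, 0, 0]))) reproduces Diagram 2: a first fragment whose Destination Options header claims 1408 octets, reported as both a truncated chain and a first fragment without its upper-layer header.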

Page 24: Fedv6tf-IPv6-new-friends

•  Segment Routing Header: the Segment List describes the path of the packet as a list of segments (IPv6 addresses); Next Segment is a pointer to the segment list element identifying the next segment; HMAC & Flags fields

•  The Active Segment is set as the DA of the packet, using the “Next Segment”

•  Segments are identified by IPv6 addresses, no specific signaling is needed; an SR node can be a router, a server, any appliance, application, …

Diagram (nodes X, A, B, C, D, E, F, G, H, Y; packet from X to Y via segments C, F, H):
  IPv6 Hdr: DA=Y, SA=X | PAYLOAD                            (original packet)
  IPv6 Hdr: DA=C, SA=X | SR Hdr: SL = C, F, H, Y | PAYLOAD
  IPv6 Hdr: DA=F, SA=X | SR Hdr: SL = C, F, H, Y | PAYLOAD
  IPv6 Hdr: DA=H, SA=X | SR Hdr: SL = C, F, H, Y | PAYLOAD
  IPv6 Hdr: DA=Y, SA=X | PAYLOAD                            (delivered packet)

Page 25: Fedv6tf-IPv6-new-friends

In-band OAM (diagram: routers R1 through R6):

•  Stop probing the wrong path with “ping”: trace the live traffic, detect the flaky link
•  Debug ECMP networks (Simplify Operations)
•  Always-on app visibility (Enhance Applications)
•  Charge level for battery-operated devices (sensors) included in data traffic: no need to drain the battery for OAM
•  Derive IPv6 traffic matrix (Optimize Planning)
•  Delay trend analysis (Enhance Visibility)

A trip-recorder for your traffic at line rate performance, using HBH in the fast path

Page 26: Fedv6tf-IPv6-new-friends

•  MLD uses LL source addresses

•  MLD packets use “Router Alert” in HBH; the destination is not the router’s interface

•  3 msg types: Query, Report, Done

•  MLDv1 = (*,G) shared, MLDv2 = (S,G) source

•  MLD snooping

MLD                IGMP                Message Type      ICMPv6 Type   Function
MLDv1 (RFC 2710)   IGMPv2 (RFC 2236)   Listener Query    130           Used to find out if there are any multicast listeners
                                       Listener Report   131           Response to a query, joins a group
                                       Listener Done     132           Sent by node to report it has stopped listening
MLDv2 (RFC 3810)   IGMPv3 (RFC 3376)   Listener Query    130           Used to find out if there are any multicast listeners
                                       Listener Report   143           Enhanced reporting, multiple groups and sources

Page 27: Fedv6tf-IPv6-new-friends

•  Hosts send MLD report to alert router they wish to join a multicast group

•  Router then joins the tree to the source or RP

Diagram: hosts A (fe80::209:5bff:fe08:a674) and B (fe80::250:8bff:fe55:78de) each report “I wish to receive ff38::276” to router C (fe80::207:85ff:fe80:692), which holds the (S, G) source for multicast ff38::276

MLD Report (A): ICMP Type 131, IPv6 Source fe80::209:5bff:fe08:a674, IPv6 Destination ff38::276, Hop Limit 1, Group Address ff38::276, Hop-by-Hop Header with Router Alert

MLD Report (B): ICMP Type 131, IPv6 Source fe80::250:8bff:fe55:78de, IPv6 Destination ff38::276, Hop Limit 1, Group Address ff38::276, Hop-by-Hop Header with Router Alert

Page 28: Fedv6tf-IPv6-new-friends

Leave processing (diagram: A leaves, router C queries, B is still listening)

MLD Done (A): ICMP Type 132, IPv6 Source fe80::209:5bff:fe08:a674, IPv6 Destination ff02::2 (All routers), Hop Limit 1, Group Address ff38::276, Hop-by-Hop Header with Router Alert; “I wish to leave ff38::276”

MLD Query (C): ICMP Type 130, IPv6 Source fe80::207:85ff:fe80:692, IPv6 Destination ff38::276, Hop Limit 1, Hop-by-Hop Header with Router Alert

MLD Report (B): ICMP Type 131, IPv6 Source fe80::250:8bff:fe55:78de, IPv6 Destination ff38::276, Hop Limit 1, Group Address ff38::276, Hop-by-Hop Header with Router Alert; “I am watching ff38::276”

Page 29: Fedv6tf-IPv6-new-friends

MLDv2 Report (A): ICMP Type 143, IPv6 Source fe80::209:5bff:fe08:a674, IPv6 Destination ff02::16, Hop Limit 1, # of Records, Include/exclude, Group Address ff38::4000:ba11, Hop-by-Hop Header with Router Alert

Diagram: A (fe80::209:5bff:fe08:a674) reports “I wish to receive ff38::4000:ba11”; the router holds the (S, G) source for multicast ff38::4000:ba11

Page 30: Fedv6tf-IPv6-new-friends

•  General Query ff02::1 – group list empty, who’s listening?

•  Group Specific Query ff38::4000:ba11 – anyone still interested in this stream?

•  Group & Source Specific Query 2001:db8:cafe::1, ff38::4000:ba11

•  Filter Mode, Change Record

•  Multiple routers on link: lowest address value assumes Querier role

Diagram: Query to A; source for multicast ff38::4000:ba11

Page 33: Fedv6tf-IPv6-new-friends


•  Gain Operational Experience now

•  Security enforcement is possible

•  Control IPv6 traffic as you would IPv4

•  “Poke” your Providers

•  IPv6 is here now, are you?

Page 34: Fedv6tf-IPv6-new-friends

•  NANOG On The Road – Herndon, VA
•  FREE event, but registration required
•  Tuesday June 23rd 8:30 to 5:00PM, Evening reception 5:00PM to 6:30PM
•  Westin Washington Dulles: 2520 Wasser Terrace, Herndon, VA 20171
•  NANOG sits at the junction of Internet infrastructure and network operations in North America, sharing a rich cooperative history with the operator.
•  Several presentations on IPv6, DNSSEC, RPKI and other networking topics
•  See more at: https://www.nanog.org/meetings/road7/home
