IPv6 – now what? Philipp Kuhn Premier Field Engineer, Global Business Support phkuhn@microsoft.com.

Presentation transcript:

IPv6 – now what? Philipp Kuhn Premier Field Engineer, Global Business Support phkuhn@microsoft.com

IPv6 Basics Deployment Best practice and current issues challenges

Limitations of IPv4 IPv6 Basics An IPv4 address walks into a bar and says: “Quick, give me a drink. I am exhausted!”

Limitations of IPv4
- Exponential growth of the Internet and the exhaustion of the IPv4 address space
- Need for simpler configuration
- Requirement for security at the IP level
- Need for better support for prioritized and real-time delivery of data

Limitations of IPv4 The modern Internet has grown beyond its original intent

What about IPv5? The world is moving from IPv4 and going straight to IPv6 because Chuck Norris doesn’t like the number 5! When Alexander Bell invented the telephone he had 3 missed calls from Chuck Norris.

Capabilities of IPv6 IPv6 Basics An IPv6 packet walks into a bar. Nobody talks to him.

Capabilities of IPv6
- More efficient packet header format
- Globally scalable address space
- Stateless and stateful address configuration
- Standardized support for Internet Security protocols
- Better support for prioritized delivery
- More efficient node discovery
- Extensibility

IPv4 vs. IPv6

| Feature | IPv4 | IPv6 |
| --- | --- | --- |
| Address length | 32 bits | 128 bits |
| IPsec header support | Optional | Required |
| Prioritized delivery support | Some | Better |
| Fragmentation | Hosts and routers | Hosts only |
| Packet size | 576 bytes | 1280 bytes |
| Link-layer address resolution | ARP (broadcast) | Multicast Neighbor Discovery |
| Multicast membership | IGMP | Multicast Listener Discovery (MLD) |
| Router Discovery | Optional | Required |
| Uses broadcasts | Yes | No |
| Configuration | Manual, DHCP | Automatic, DHCPv6 |
| DNS name queries | Uses A records | Uses AAAA records |
| DNS reverse queries | Uses IN-ADDR.ARPA | Uses IP6.ARPA |

IPv6 terminology
- Node - Any device that runs an implementation of IPv6.
- Router - A node that can forward IPv6 packets not explicitly addressed to itself.
- Host - A node that cannot forward IPv6 packets not explicitly addressed to itself (a non-router).
- Upper-layer protocol - A protocol above IPv6 that uses IPv6 as its transport.
- Link - The set of network interfaces that are bounded by routers and that use the same 64-bit IPv6 unicast address prefix.
- Network - Two or more subnets connected by routers.
- Neighbors - Nodes connected to the same link.
- Interface - The representation of a physical or logical attachment of a node to a link.
- Address - An identifier that can be used as the source or destination of IPv6 packets that is assigned at the IPv6 layer to an interface or set of interfaces.
- Packet - The protocol data unit (PDU) that exists at the IPv6 layer and is composed of an IPv6 header and payload.

The case for an IPv6 deployment
- IPv6 solves the address depletion problem
- IPv6 solves the disjoint address space problem
- IPv6 solves the international address allocation problem
- IPv6 restores end-to-end communication
- IPv6 uses scoped addresses and address selection
- IPv6 has more efficient forwarding
- IPv6 has support for security and mobility

IPv6 Basics IPv6 Address Space IPv4 is soon dead:beef.

IPv6 address space
- 128-bit address space
- 2^128 possible addresses
- 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses (3.4 x 10^38 or 340 undecillion)
- 6.65 x 10^23 addresses for every square meter of the Earth’s surface
- 128 bits to allow flexibility in creating a multi-level, hierarchical routing infrastructure
- 64-bit subnet prefix and a 64-bit interface identifier

IPv6 address syntax
- IPv6 address in binary form:
  0010000000000001000011011011100000000000000000000010111100111011
  0000001010101010000000001111111111111110001010001001110001011010
- Divided along 16-bit boundaries:
  0010000000000001 0000110110111000 0000000000000000 0010111100111011
  0000001010101010 0000000011111111 1111111000101000 1001110001011010
- Each 16-bit chunk is further broken down into four discrete 4-bit chunks called “nibbles”. Each nibble will represent a different hexadecimal value.
- Each 16-bit block is converted to hexadecimal and delimited with colons:
  2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A
- Suppress leading zeros within each block:
  2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

Compressing zeros
- A single contiguous sequence of 16-bit blocks set to 0 can be compressed to “::” (double-colon)
- Examples:
  FE80:0:0:0:2AA:FF:FE9A:4CA2 becomes FE80::2AA:FF:FE9A:4CA2
  FF02:0:0:0:0:0:0:2 becomes FF02::2
- Cannot use zero compression to include part of a 16-bit block
  FF02:30:0:0:0:0:0:5 does not become FF02:3::5, but FF02:30::5
- A double-colon can only be used once when compressing an address.
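The conversion steps from the two slides above, written out as an added example (not part of the original presentation). The function names are hypothetical, and choosing the longest zero run of at least two blocks (leftmost on a tie) follows RFC 5952, which the slides do not mention.

```python
import ipaddress

# The eight 16-bit chunks exactly as listed on the "IPv6 address syntax" slide.
SLIDE_BLOCKS = [
    "0010000000000001", "0000110110111000", "0000000000000000", "0010111100111011",
    "0000001010101010", "0000000011111111", "1111111000101000", "1001110001011010",
]

def blocks_from_bits(bits):
    """Split a 128-digit binary string along 16-bit boundaries into eight integers."""
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 128 binary digits")
    return [int(bits[i:i + 16], 2) for i in range(0, 128, 16)]

def full_form(blocks):
    """Each block as four hex digits (one per nibble), delimited with colons."""
    return ":".join(f"{b:04X}" for b in blocks)

def suppress_leading_zeros(blocks):
    """Drop leading zeros inside each block; an all-zero block becomes '0'."""
    return ":".join(f"{b:X}" for b in blocks)

def compress(blocks):
    """Replace ONE run of all-zero blocks with '::'.

    Whole blocks only, so 0x0030 is never touched. Assumption beyond the
    slide (RFC 5952): longest run wins, leftmost on a tie, minimum two blocks.
    """
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if blocks[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return suppress_leading_zeros(blocks)
    head = ":".join(f"{b:X}" for b in blocks[:best_start])
    tail = ":".join(f"{b:X}" for b in blocks[best_start + best_len:])
    return f"{head}::{tail}"

def same_address(a, b):
    """Compare two textual forms by value, using the standard library parser."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)

if __name__ == "__main__":
    blocks = blocks_from_bits("".join(SLIDE_BLOCKS))
    print(full_form(blocks))
    print(suppress_leading_zeros(blocks))
    print(compress([0xFF02, 0x30, 0, 0, 0, 0, 0, 5]))
    print(same_address("FF02:30::5", "FF02:3::5"))
```

Comparing addresses as parsed values rather than as strings matters in allow-lists and log correlation, because one address has several valid textual forms.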

IPv6 prefixes
- Express routes, address spaces, or address ranges
- IPv6 always uses address/prefix-length notation
- Similar to CIDR notation
- Examples:
  2001:DB8:0:2F3B::/64 for a subnet prefix
  2001:DB8:3F::/48 for a route prefix

IPv6 address types Global addresses Local-use addresses (Link-local) Unique local addresses Special addresses

Global addresses
- Address scope is the entire IPv6 Internet
- Equivalent to public IPv4 addresses
- Structure:
  - Global Routing Prefix (part of the Public Routing Topology – along with 001 prefix)
  - Subnet ID (Site Topology)
  - Interface ID

Link-local addresses
- Address scope is a single link
- Equivalent to APIPA IPv4 addresses
- FE80::/64 prefix
- Used for:
  - Single subnet, routerless configurations
  - Neighbor Discovery processes

Zone IDs
- Link-local addresses are ambiguous
  - Multiple links (common)
  - Multiple sites (uncommon)
- Zone ID is used to identify a specific interface (e.g. multiple NICs)
- Zone ID is typically set to the interface index of the sending interface
- Examples:
  ping fe80::2b0:d0ff:fee9:4143%3
  tracert fe80::f282:2b0:d0ff:fee9:4143%2
- Zone IDs are only used for link-local addresses since routable addresses are non-ambiguous

Unique local addresses
- Private to an organization, yet unique across all of the sites of the organization
- FD00::/8 prefix
- Replacement for site-local addresses
- Global scope, no zone ID required

Special addresses
- Unspecified Address: 0:0:0:0:0:0:0:0 or ::
- Loopback Address: 0:0:0:0:0:0:0:1 or ::1

Well-known multicast addresses
- All multicast addresses begin with FF (1111 1111)
- Prefixes:
  - FF01 – Node-local
  - FF02 – Link-local
  - FF05 – Site Local
- Suffixes:
  - 1 – All nodes
  - 2 – All routers
  - 1:2 – DHCP Servers + Relay Agents
  - 1:3 – LLMNR

IPv4 addresses and IPv6 equivalents

| IPv4 Address | IPv6 Address |
| --- | --- |
| Multicast addresses (224.0.0.0/4) | IPv6 multicast addresses (FF00::/8) |
| Broadcast addresses | N/A |
| Unspecified address is 0.0.0.0 | Unspecified address is :: |
| Loopback address is 127.0.0.1 | Loopback address is ::1 |
| Public IP addresses | Global unicast addresses |
| Private IP addresses | Unique-local addresses (FD00::/8) |
| APIPA addresses | Link-local addresses (FE80::/64) |
| Dotted decimal notation | Colon hexadecimal format |
| Subnet mask or prefix length | Prefix length notation only |

IPv6 Interface Identifiers IPv6 Basics A TCP packet walks into a bar and says “I want a beer”, barman says “you want a beer?” and TCP packet says “yes, a beer”.

Original plan…
- Last 64 bits of an auto-configured IPv6 address would be populated with the interface’s MAC address
- But… MAC is only 48 bits, so EUI-64 was created to allow a predictable and repeatable transformation from 48 bits to 64 bits
- Privacy advocates argued that all internet communications could now be traced to a person
- Beginning with Windows Vista and Windows Server 2008, a randomized method is utilized to determine the Interface ID instead of EUI-64
  netsh int ipv6 set global randomizeidentifiers=enabled|disabled

How does a host obtain an IPv6 address?
- There are four general methods for obtaining an IPv6 address:
  - Statically configured
  - Stateless Address Auto Configuration (SLAAC)
  - Stateless DHCPv6
  - Stateful DHCPv6
- The host decides which method to use based on the configuration of a Router Advertisement message
- Note: Link-local addresses are always generated regardless of any other options

Router advertisements
- IPv6-enabled hosts are always listening for RAs
- Additionally, a host will request an RA by sending a Router Solicitation when the host’s configuration changes
  - Host powers up
  - Network Change Notification
- An RA is usually sent by a Layer 3 device, and has specific options available
- RAs control both addressing and routing on the host

Router advertisement options (RFC 4861)
- Autonomous flag (A bit) – Hosts will generate an address based on this RA if this bit is enabled.
- Valid Lifetime – a 32-bit number representing the length of time (in seconds) that a prefix will be used in the host’s routing table.
- Managed Address Configuration flag (M bit) – Hosts will contact a DHCPv6 server to obtain an IPv6 address if this bit is set.
- Other Stateful Configuration flag (O bit) – Hosts will contact a DHCPv6 server to obtain non-address configuration information if this bit is set.
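Because RAs control both addressing and routing on the host, it helps to be able to read one from a packet capture. The following added example (not from the presentation) parses the M, O and A bits and the Valid Lifetime out of a Router Advertisement laid out as in RFC 4861 and reports which of the configuration methods listed above a host would use. The function names are hypothetical and the sample message is constructed.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type of a Router Advertisement
OPT_PREFIX_INFO = 3      # Prefix Information option (carries the A bit)

def build_ra(m, o, prefixes):
    """Build a constructed sample RA; prefixes is [(prefix, autonomous, valid_lifetime)]."""
    flags = (0x80 if m else 0) | (0x40 if o else 0)
    # type, code, checksum, hop limit, M/O flags, router lifetime, reachable, retrans
    msg = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, 1800, 0, 0)
    for prefix, autonomous, valid in prefixes:
        net = ipaddress.IPv6Network(prefix)
        pflags = 0x80 | (0x40 if autonomous else 0)   # on-link bit plus A bit
        msg += struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen,
                           pflags, valid, valid, 0, net.network_address.packed)
    return msg

def parse_ra(msg):
    """Extract the M and O flags and every advertised prefix with its A bit."""
    if len(msg) < 16 or msg[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra = {"M": bool(msg[5] & 0x80), "O": bool(msg[5] & 0x40), "prefixes": []}
    pos = 16
    while pos + 2 <= len(msg):
        opt_type, opt_len = msg[pos], msg[pos + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(msg):
            raise ValueError("malformed option length")
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags, valid = struct.unpack_from("!BBI", msg, pos + 2)
            net = ipaddress.IPv6Network((msg[pos + 16:pos + 32], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net),
                                   "A": bool(pflags & 0x40),
                                   "valid_lifetime": valid})
        pos += opt_len
    return ra

def address_methods(ra):
    """Configuration methods a host applies after receiving this RA."""
    methods = ["link-local"]                     # always generated
    if any(p["A"] for p in ra["prefixes"]):
        methods.append("SLAAC")
    if ra["M"]:
        methods.append("stateful DHCPv6")
    elif ra["O"]:
        methods.append("stateless DHCPv6")
    return methods

if __name__ == "__main__":
    sample = build_ra(False, True, [("2001:db8:0:2f3b::/64", True, 2592000)])
    parsed = parse_ra(sample)
    print(parsed, address_methods(parsed))
```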

A typical IPv6 deployment… DHCP jokes are leased.

Overall IPv6 deployment strategy IPv6 Deployment is not your “typical” IT project With proper planning, an organization’s IPv6 deployment should happen as a normal evolution over the course of time Specific IT investments focused on IPv6 should be very limited Ensure IPv6 capabilities as part of normal refresh interval in infrastructure components Readiness planning process is key to success Communications across groups has become much more important

Overall IPv6 deployment strategy People “What do we know about IPv6?” Process “How will our existing processes be impacted by IPv6?” Technology “What impact will IPv6 have on our existing hardware/software landscape?” Inventory is key Develop and revise a scorecard to track progress Schedule Quarterly Review with stakeholders

Factors in determining project duration Scope of the deployment Scale of the deployment Required organizational preparedness activities Protocol dependencies of the application inventory IPv6 capabilities of the operating systems IPv6 capabilities of the networking hardware Monitoring and management capabilities of the network IPv6 capability of the directory infrastructure And others …

Preparing for an IPv6 deployment Infrastructure technology pieces An IPv6 Addressing Plan DNS Servers for name resolution of IPv6 AAAA records Packet inspection technologies that can operate with IPv6 IPv6 configuration at the network edge IPv6 capability of network computers For Native IPv6: DHCP Servers capable of issuing DHCP options to IPv6 clients IPv6-capable routers configured following an IPv6 routing design

Implementing the IPv6 deployment Introduce a Pool of IPv6 Addresses Best Option: Acquire an IPv6 prefix Traditionally from ISP Provider Independent if multi-homed Other options include: 6to4 address corresponding to current public IPv4 address Unique Local IPv6 Unicast Configure IPv6-Compatible Name Resolution AAAA Records IP6.ARPA for PTR records

Implementing the IPv6 deployment Introduce a Pool of IPv6 Addresses There will be IPv4-only resources that you want to expose over IPv6 You want to avoid full IPv4 NAT Introduce some IPv6-to-IPv4 translation points in your network NAT64 Network Address Translation/Protocol Translation (NAT-PT) device This has been deprecated as an IETF standard in favor of NAT64 DNS64

IPv6 support in Microsoft products Best practice and current issues challenges WHOIS going to tell us a Domain Name joke?

What does IPv6 compatible mean? According to the Microsoft Common Engineering Criteria: “All Microsoft server products are required to support both IPv6 and IPv4. In addition, all server products are required to be configurable to run in dual-stack (IPv4 and IPv6) or IPv6-only modes.” http://www.microsoft.com/cec/en/us/cec-overview.aspx#data-ipv6 Additionally: “The goal is feature parity. Whatever a customer can do using IPv4, they should be able to do using IPv6, with the same level of security, performance, and scalability.”

Microsoft products that do not support IPv6 “Microsoft has informed Gartner that it does not plan to ship another full version of…Forefront Threat Management Gateway (TMG). The product is effectively in sustaining mode, with Microsoft continuing to ship Service Pack (SP) updates…for the standard support life cycle — five years of mainstream support and five years of extended support.” Magic Quadrant for Secure Web Gateway, 25 May, 2011

Microsoft’s strategy with IPv6
- Microsoft plans to have full dual-stack and IPv6-only capabilities for all enterprise-class products
- Microsoft has been working on achieving this capability since 2007

Current issues opportunities Best practice and current issues challenges An ARP request goes to McDonald’s and asks for a Big MAC.

Application dependencies
- Most applications follow the OSI model, thus they are IP agnostic (Recommended)
  - They pass a name to the TCP/IP stack and let the stack determine how to connect (using RFC 3484)
- Some applications try to handle IP connectivity on their own by opening a socket (Not recommended)
  - These applications must specifically be coded to support IPv6
- Some applications (or scripts) assume that the returned IP is in dotted decimal notation
  - They fail on reading an IPv6 address

Hardware dependencies
- Network infrastructure hardware that inspects, modifies, or routes IP packets must specifically support IPv6
- Examples:
  - Routers
  - Firewalls
  - Load Balancers
  - WAN Accelerators
  - Intrusion Detection/Prevention Systems
  - Proxy Servers
  - Network probes and protocol analyzers

Transition technologies
- Transition technologies can cause issues
- Whenever a machine has a public IPv4 address assigned, it will automatically generate a 6to4 address as well
  - 6to4 addresses are globally routable addresses
  - 6to4 addresses register in DNS
- Solution: Don’t use public IPv4 addresses inside a corporate network, or disable 6to4 using Group Policy
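To check whether 6to4 addresses have already registered in DNS, an exported list of AAAA records can be scanned for them. This is an added example, not part of the presentation: the function names, host names and records are constructed, and the 2002::/16 layout (the IPv4 address in the 32 bits after the prefix) comes from RFC 3056 rather than from the slide.

```python
import ipaddress

SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")   # 6to4 prefix (RFC 3056)

def sixtofour_prefix(ipv4):
    """The /48 that a host with this IPv4 address derives for 6to4."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    # The IPv4 address occupies bits 16..47 of the 128-bit address.
    return ipaddress.IPv6Network((int(SIX_TO_FOUR.network_address) | (v4 << 80), 48))

def matches_interface(aaaa, ipv4):
    """True if the AAAA value is a 6to4 address derived from this IPv4 address."""
    return ipaddress.IPv6Address(aaaa) in sixtofour_prefix(ipv4)

def find_6to4_records(records):
    """Return (host, address, embedded IPv4) for every 6to4 AAAA record.

    records is an iterable of (hostname, AAAA text) pairs.
    """
    hits = []
    for host, text in records:
        addr = ipaddress.IPv6Address(text)
        embedded = addr.sixtofour        # None unless the address is in 2002::/16
        if embedded is not None:
            hits.append((host, str(addr), str(embedded)))
    return hits

# Constructed AAAA export; host names and addresses are documentation values.
SAMPLE_AAAA = [
    ("ws-017.corp.example", "2002:c000:20a::c000:20a"),
    ("ws-018.corp.example", "2001:db8:0:2f3b:2aa:ff:fe28:9c5a"),
    ("ws-019.corp.example", "fd00:1234::15"),
]

if __name__ == "__main__":
    for host, addr, v4 in find_6to4_records(SAMPLE_AAAA):
        print(f"{host}: {addr} is 6to4, derived from {v4}")
```

Each hit names a host that has a public IPv4 address assigned and 6to4 still enabled, which are the two conditions the slide's solution removes.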

Stay up-to-date
- Recommended updates for Windows 8/8.1/Server 2012/2012 R2
  - Make sure you install the monthly update rollups
- Recommended updates for Windows 7/Server 2008 R2
  - An enterprise hotfix rollup is available for Windows 7 SP1 and Windows Server 2008 R2 SP1: http://support.microsoft.com/kb/2775511
  - An IPv6 readiness update is available for Windows 7 and for Windows Server 2008 R2: http://support.microsoft.com/kb/2750841

Disabling IPv6 – Don’t do it Best practice and current issues challenges How do you catch an Ether bunny? With an Ethernet.

Keeping IPv6 enabled
- Microsoft recommends leaving IPv6 enabled even when not in active use, although disabling IPv6 is a supported action
- Microsoft products are not tested with IPv6 disabled. Disabling IPv6 places that host and application into a less-tested state
- Leaving IPv6 enabled, even when not in use, does not impact production networks

Leave it enabled Don’t remove this checkbox on a regular NIC Unbinds IPv6 from that one interface Cannot be scripted IPv6 loopback is still enabled

In case you really need to…
- Recommend using the DisabledComponents Registry Key
- Documented in http://support.microsoft.com/kb/929852
- The DisabledComponents key does not exist by default and must be created
- Leave the IPv6 box checked in the NIC properties when using the DisabledComponents Key
- Only use this as a last resort. However, there is no technical reason to disable IPv6 in Windows

Done! Q&A A UDP packet walks into a bar without a checksum. Nobody cares.

© 2013 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.