IPv6 Chapter 13

Objectives Discuss the fundamental concepts of IPv6 Describe IPv6 practices Implement IPv6 in a TCP/IP network

Overview

IPv4 and IPv6 Internet Protocol version 4 (IPv4) Created around 1979 32-bit IP address space ► four billion IP addresses Allocation methods wasted addresses Internet Protocol version 6 (IPv6) 128-bit addresses Improved security, routing, other features 3.4 x 1038 addresses Note (p. 359): If you really want to know how many IP addresses IPv6 provides, here’s your number: 340,282,366,920,938,463,463,374, 607,431,768,211,456.

Test Specific IPv6 Basics

IPv6 Basics IPv6 and IPv4 differ in implementation Addressing numbers work differently Addressing numbers do not look alike IPv6 always uses link-local addressing Subnetting works differently

IPv6 Address Notation IPv6 address notation 128 bits written in hexadecimal 2001:0000:0000:3210:0800:200C:00CF:1234 Colon separator rather than the period used in IPv4 Quartet (or hextet) groups: 0000 to FFFF Note (p. 359): For those who don’t play with hex regularly, one hexadecimal character (for example, F) represents 4 bits, so four hexadecimal characters make a 16-bit group. Exam Tip (p. 359): CompTIA calls shortcuts for IPv6 addresses address compression.

IPv6 Address Notation: Shortcuts Leading zeros can be dropped from any group Example: 00CF becomes CF 2001:0000:0000:3210:0800:200C:00CF:1234 becomes 2001:0:0:3210:800:200C:CF:1234 A pair of colons (::) can represent a string of consecutive groups with a value of zero Only one double colon allowed per address Example: 2001::3210:800:200C:CF:1234 Note (p. 359): For those who don’t play with hex regularly, one hexadecimal character (for example, F) represents 4 bits, so four hexadecimal characters make a 16-bit group. Exam Tip (p. 359): CompTIA calls shortcuts for IPv6 addresses address compression.

IPv6 Address Notation (cont’d.) IPv6 loopback address ::1 Represents 0000:0000:0000:0000:0000:0000:0000:0001 IPv6 uses the “/x” Classless Inter-Domain Routing (CIDR) nomenclature Example address and subnet for a typical IPv6 host: FEDC::CF:0:BA98:1234/64 Cross Check: Loopback (p. 360) You learned about the IPv4 loopback address in Chapter 7, so check your memory as you read about the IPv6 loopback address here. What IP address or addresses could you use for a loopback address? When might you ping the loopback address? How would this differ from loopback testing discussed in Chapter 6? Note (p. 360): The unspecified address (all zeroes) can never be used, and neither can an address that contains all ones (all Fs in IPv6 notation).

Link-Local Address Self-generated (in manner of IPv4 APIPA) In implementation, the first 64 bits are always FE80::/64 Interface identifier: the second 64 bits Since Windows Vista, Windows clients have generated a 64-bit random number Old operating systems use a device’s MAC address to create an Extended Unique Identifier (EUI-64) Note (p. 361): Although only the FE80::/10 denotes the link-local address, according to the Request for Comments that defined link-local addressing (RFC 4291), the next 54 bits have to be zeroes. That means in implementation, a link-local address will start with FE80::/64.

Figure 13.1 Link-local address in Windows 8.1

IPv6 Subnet Masks Function like IPv4 subnet masks Last 64 bits are generated by the NIC Maximum of 64 bits for the subnet No subnet is ever longer than /64 IANA passes out /48 subnets to big ISPs ISPs and others will borrow another 16 bits for subnetting ISPs pass out /64 subnets to end users

The End of Broadcast IPv6 link-local address is a unicast address Multicast has existed a long time Multicast address: a set of reserved addresses designed to go to certain systems In IPv4, used Class D addresses (224.0.0.0/4) Only specific applications used multicast In IPv6, several IPv6-only multicast addresses are added to get specific jobs done

Multicasting (cont’d.) Multicast packets are encapsulated into Ethernet frames Address 01-00-5E-xx-xx-xx are reserved for IPv4 multicast frame destination addresses Address 33-33-xx-xx-xx-xx is used on Ethernet frames encapsulating IPv6 multicast packets Every computer sees the multicast frame Only processed by computers set up to process the frame

Figure 13.2 Multicast to routers

Anycasting Used commonly in DNS Every DNS server keeps IP addresses of root servers in a root hints file Anycasting gives clusters of computers the same IP address Routers use the Border Gateway Protocol (BGP) to determine the closest computer and sends to its anycast address

Global Unicast Addressing A global unicast address is required for Internet access An IPv6-capable gateway router passes out global IPv6 addresses When booted, the computer sends out a router solicitation message looking for a router The router tells the computer the prefix

Figure 13.3 Getting a global address

Global Addressing: An Example An IPv6-capable computer boots and sends out a router solicitation message (FF02::2) Router sends the prefix (2001:470:B8F9:1/64) The computer takes the prefix and adds the interface identifier or EUI-64 address Example EUI-64 address: 20C:29FF:FE53:45CA Global address results from the combination: 2001:470:B8F9:1:20C:29FF:FE53:45CA Exam Tip (p. 364): Computers using IPv6 need a global address to access the Internet.

Figure 13.4 IPv6 configuration on OS X

Figure 13.5 Enabling prefix delegation on a SOHO router (called DHCP-PD on this router)

No-Default Routers Most routers have a default path Tier-one routers that connect to other tier-one routers cannot have any default route Known as no-default routers Huge routing table (500,000 routes)

Figure 13.6 No-default routers

Aggregation Every router uses a subset of the next higher router’s existing routes Reduces size and complexity of routing tables Gives detailed geographic picture of Internet organization IP address indicates location Part of IPv6 Note (p. 366): Keep this formula in mind: A 48-bit prefix from upstream router + 16-bit subnet from default gateway + 64-bit unique number = 128-bit IPv6 address.

Figure 13.7 Aggregation

Aggregation (cont’d.) How aggregation works The default gateway gives the first 64 bits of the IP address to computers The router gets its 48-bit prefix from the upstream router The router adds its own 16-bit subnet Tech Tip: Regional Internet Registries (p. 366) The IANA doesn’t actually pass out IPv6 prefixes. This job is delegated to the five Regional Internet Registries (RIRs): American Registry for Internet Numbers (ARIN) supports North America. RIPE Network Coordination Centre (RIPE NCC) supports Europe, the Middle East, and Central Asia. Asia-Pacific Network Information Centre (APNIC) supports Asia and the Pacific region. Latin American and Caribbean Internet Addresses Registry (LACNIC) supports Central and South America and parts of the Caribbean. African Network Information Centre (AfriNIC) supports Africa.

Figure 13.8 An IPv6 group of routers

Figure 13.9 Adding the first prefix

Figure 13.10 Adding the second prefix

Aggregation and Router Changes Example: change from ISP1 to ISP2 The new ISP passes out a different 32-bit prefix Example: 2AB0:3C05/32 The downstream routers make an “all nodes” multicast ► all clients get the new IP addresses IPv6 address changes are rare but a normal aspect of using IPv6

Figure 13.11 New IP address updated downstream

Using IPv6

Enabling IPv6 Table 13.2 lists IPv6 status of popular operating systems To check to see if IPv6 is running ipconfig in Windows ip addr in Linux or Mac OS X

Figure 13.12 IPv6 enabled in Windows 8.1

Figure 13.13 IPv6 enabled in Ubuntu 14.10

NAT in IPv6 NAT is not used in IPv6 All IP are addresses exposed to the Internet IPv6’s huge address space makes IP scanning nearly impossible IPsec is important for security Security options beyond IPv6 Encryption Firewall Exam Tip (p. 369): There was a proposed version of NAT for IPv6 called NAPT-PT (an earlier version was called NAT-PT). You might see this as an incorrect answer on the CompTIA Network+ exam.

Figure 13.14 Angry IP scanner at work

DHCP in IPv6 DHCPv6 works differently than in IPv4 Two modes of DHCPv6 The IP address and subnet are received from the gateway router DHCPv6 provides other information Two modes of DHCPv6 Stateful - works like DHCP in IPv4 Stateless - only passes out optional information Stateless is the norm Note (p. 370): IPv6 DHCP servers use DHCPv6. This is not the sixth version of DHCP, mind you, just the name of DHCP for IPv6. Cross Check: DHCP with IPv4 (p. 370) You read about the IPv4 version of DHCP in Chapter 7, so check your memory now. How does DHCP work? What does a DHCP lease do for you? What happens if your computer can’t get to a DHCP server but is configured for DHCP? Exam Tip (p. 370): There’s a push to get DNS server information added to IPv6 router advertisements. If this happens, the need for DHCPv6 might fall dramatically.

Figure 13.15 DHCPv6 server in action

DNS in IPv6 Most DNS servers now support IPv6 addresses DNS servers supporting IPv6 use AAAA records

Figure 13.16 IPv6 addresses on DNS server

Moving to IPv6

Moving to IPv6 IPv4 and IPv6 Parts of the Internet ready for IPv6 Can run both IPv4 and IPv6 on your computers and routers at the same time Parts of the Internet ready for IPv6 All root DNS servers support IPv6 resolution Almost all tier-one ISP routers properly forward IPv6 packets Routers and servers may not yet be IPv6-ready Tech Tip: IPv6 Security (p. 371) IPv6 is just now gaining wide support, so there are issues in connecting to the IPv6 world. IPv6 has potential security risks as well as less-than-perfect support with operating systems. Don’t connect to the IPv6 Internet on a mission-critical computer.

Figure 13.17 IPv4 and IPv6 on one computer

Figure 13.18 The IPv6 gap

Tunnels IPv4-to-IPv6 tunnels bridge the gap Encapsulate IPv6 traffic into an IPv4 tunnel to get to an IPv6-capable router

Figure 13.19 The IPv4-to-IPv6 tunnel

6to4 tunnels A tunneling protocol that enables IPv6 traffic to use the IPv4 Internet without having to set up explicit tunnels Usually connects two routers directly Normally requires public IPv4 address Uses public relay routers Addresses always start with 2002::/16

6to4 tunnels (cont’d.) 192.88.99.1 is the 6to4 anycast address Challenging to set up

6in4 Also called IPv6-in-IPv4 One of the most popular tunneling standards One of only two tunneling protocols that can go through a NAT

Teredo Tunnels NAT-traversal IPv6 tunneling protocol Built into Microsoft Windows Addresses start with 2001:0000:/32 Many people use third-party tool that supports 6to4 or 6in4 Try This! Using Teredo (p. 373) If you’re using Windows XP (with Service Pack 1 or later) or later, you have nothing to lose but your chains, so try this! You can use Teredo to access the IPv6 Internet as long as you have access to the Internet normally and your computer is not part of a Windows domain; it’s possible to use Teredo on a domain, but the process gets a little ugly in my opinion. Beware! Some home routers can’t handle Teredo, and many high-end routers are specifically designed to prevent this traffic (it’s a great way to get around many network defenses), so if Teredo doesn’t work, blame the router. Here are the steps in Windows Vista or later: 1. Make sure the Windows Firewall is enabled. If you have a third-party firewall, turn it off. 2. Go to Start and type cmd in the Start Search box, but don’t press enter yet. Instead, right-click the command prompt option above and select Run as administrator. 3. From the command prompt, type these commands, followed by enter each time: netsh interface teredo set state client exit 4. Test by typing ipconfig /all. You should see an adapter called “Tunnel adapter Teredo tunneling pseudo-interface” (or something close to that) with an IP address starting with 2001. 5. Then type ping ipv6.google.com to make sure you can reach the Internet. 6. Open a Web browser and go to an IPv6 Web site, like www.sixxs.com or ipv6.google.com. 7. Remember, Microsoft loves to change things. If these steps don’t work, search for new instructions on the Microsoft Web site.

Miredo Tunnels Open-source implementation of Teredo for Linux and other UNIX-based systems

Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) Works within an IPv4 network Adds IPv4 address to an IPv6 prefix for endpoints Example address: 2001:DB8::98CA:200:131.107.28.9. Other tunneling standards have more common IPv6 addressing structure Note (p. 374): You rarely have a choice of tunneling protocol. The tunneling protocol you use is the one your tunnel broker provides and is usually invisible to you.

Tunnel Brokers Someone must act as the far endpoint Must know the tunneling standard and how to connect to the endpoint Create the actual tunnel Usually offer a custom-made endpoint client May use automatic configuration protocols Tunnel Setup Protocol (TSP) Tunnel Information and Control protocol (TIC)

Setting Up a Tunnel Each tunnel broker has its own setup Read the instructions carefully The text installation example uses Gogo6 client Join and download at www.gogo6.com Install the client Enter the Gateway6 address, user name, and password Click Connect, and you are now on the IPv6 Internet Status tab shows IP information

Figure 13.20 Gateway6 Client Utility

Figure 13.21 Gateway6 Client Utility Status tab

Overlay Tunnels Enables two IPv6 networks to connect over an existing IPv4 infrastructure, e.g., the Internet The routers that connect the IPv6 networks to the IPv4 infrastructure: Run dual stack—both IPv4 and IPv6 Can encapsulate the traffic from the local network into IPv4 packets

Overlay Tunnels (cont’d.) Can connect an IPv4 client to an IPv6 network: Using protocols—like 6to4, ISATAP, and others—or By creating manual tunnels

IPv6 is Here, Really! IPv6 is happening now or will happen very soon IPv4 addresses are all but exhausted “The Big Switchover” is coming soon Learn IPv6—it is important!