Professional Documents
Culture Documents
Sanog5 Pfs Ipv6 Tutorial PDF
Sanog5 Pfs Ipv6 Tutorial PDF
SANOG V
Dhaka, Bangladesh
11 February 2005
SANOG V
Presentation Slides
Available on
ftp://ftp-eng.cisco.com
/pfs/seminars/SANOG5-IPv6-Tutorial.pdf
SANOG V
Agenda
Introduction to IPv6
IPv6 Routing
OSPFv3
BGP for IPv6
IPv6 Filtering
Integration & Transition
Deployment
SANOG V
Introduction to IPv6
SANOG V
Agenda
SANOG V
SANOG V
Internet population
~600 million users in Q4 CY2002
~945M by end CY 2004 only 10-15%
How to address the future Worldwide population? (~9B in CY
2050)
SANOG V
SANOG V
Global
Addressing
Realm
10
IPv6 Markets
National Research & Education Networks (NREN) & Academia
Geographies & Politics
Wireless (PDA, 3G Mobile Phone networks, Car,...)
Home Networking
Set-top box/Cable/xDSL/Ethernet-to-the-home
e.g. Japan Home Information Services initiative
Distributed Gaming
Consumer Devices
Enterprise
Requires full IPv6 support on O.S. & Applications
Service Providers
SANOG V
11
Latest info:
playground.sun.com/ipv6/ipng-implementations.html
www.hs247.com
SANOG V
12
IPv6 Geo-Politics
Regional and Countries IPv6 Task Force
Europe http://www.ipv6-taskforce.org/
Belgium, France, Spain, Switzerland, UK,
North- America http://www.nav6tf.org/
Japan IPv6 Promotion Council http://www.v6pc.jp/en/index.html
China, Korea, India,
Relationship
Economic partnership between governments
China-Japan, Europe-China,
Tax Incentives
SANOG V
13
www.6net.org
NTT
U kerna
D e nm ark
Fo rskn in gsn ettet
N orw ay
UNINETT
F in la nd
FU N E T
Surfnet
S w ed en
N O R D U net
3 years project
9.5 5M from
European
Commission
+ 30 partners
7 Work Packages
7200
U nite d K in gd om
S w e d en
P O L -3 4
CESnet
G re e ce
G R net
T he N etherlands
G erm any
F ra nce
R enater
A u stria
Italy
S w itze rla nd
S w itch
6N ET C O RE
A T M L in k
DFN
STM 16 PO S
M anual IPv6 Tunnel
G iga b it E the rne t (T ride nt)
Hungarnet
A C O ne t
GARR
S T M 1 P O S /A T M
ST M 1 PO S (over L2 tunnel)
E1
14
15
16
SANOG V
17
SANOG V
18
Global
Addressing
Realm
SANOG V
19
Agenda
SANOG V
20
64 bits aligned
Authentication and Privacy Capabilities
IPsec is mandated
No more broadcast
SANOG V
21
IPv4 Header
Version
IHL
Type of Service
Identification
Time to Live
Total Length
Flags
Protocol
Fragment
Offset
Header Checksum
Version
Traffic Class
Payload Length
Flow Label
Next
Header
Hop Limit
Source Address
Source Address
Destination Address
Legend
Options
Padding
Destination Address
22
IPv4
32 bits
= 4,294,967,296 possible addressable devices
IPv6
128 bits: 4 times the size in bits
38
23
24
is ok
is NOT ok
(loopback address)
(unspecified address)
25
26
IPv6 Addressing
IPv6 Addressing rules are covered by multiples
RFCs
Architecture defined by RFC 3513
27
::/128
Loopback
::1/128
Link Local
1111 1110 10
FE80::/10
Multicast
1111 1111
FF00::/8
Global Unicast
everything else
SANOG V
28
Site
Host
16 bits
64 bits
Subnet-id
Interface ID
001
29
/32
/48
0410
/64
Interface ID
Registry
ISP prefix
Site prefix
LAN prefix
30
SANOG V
31
Aggregation benefits
Customer
no 1
ISP
2001:0410:0001:/48
Customer
no 2
Only
announces
the /32
prefix
2001:0410::/32
IPv6 Internet
2001:0410:0002:/48
32
Interface IDs
SANOG V
33
EUI-64
Ethernet MAC address
(48 bits)
00
00
90
90
27
27
FF
00
64 bits version
90
27
FF
17
FC
0F
17
FC
0F
FE
FE
17
FC
0F
1 = unique
Uniqueness of the MAC
000000X0
where X=
0 = not unique
X=1
Eui-64 address
02
90
27
FF
FE
17
FC
0F
34
interface Ethernet0
ipv6 address 2001:410:213:1::/64 eui-64
SANOG V
35
/32
/48
/64
0410
Interface ID
36
IPv6 Auto-Configuration
Stateless (RFC2462)
Host autonomously configures its own
Link-Local address
Router solicitation are sent by booting
nodes to request RAs for configuring
the interfaces.
RA indicates
SUBNET
PREFIX
SUBNET PREFIX +
MAC ADDRESS
Stateful
DHCPv6 required by most enterprises
Renumbering
Hosts renumbering is done by
modifying the RA to announce the old
prefix with a short lifetime and the new
prefix
Router renumbering protocol (RFC
2894), to allow domain-interior routers to
learn of prefix introduction / withdrawal
SANOG V
SUBNET PREFIX +
MAC ADDRESS
Auto-configuration
Mac address:
00:2c:04:00:FE:56
Host autoconfigured
address is:
prefix received + linklayer address
Sends network-type
information (prefix, default
route, )
38
Renumbering
Mac address:
00:2c:04:00:FE:56
Host auto-configured
address is:
39
Multicast use
Broadcasts in IPv4
Interrupts all devices on the LAN even if the intent of
the request was for a subset
Can completely swamp the network (broadcast
storm)
Broadcasts in IPv6
Are not used and replaced by multicast
Multicast
Enables the efficient use of the network
Multicast address range is much larger
SANOG V
40
MTU Issues
minimum link MTU for IPv6 is 1280 octets
(versus 68 octets for IPv4)
on links with MTU < 1280, link-specific
fragmentation and reassembly must be used
SANOG V
41
SANOG V
42
IPv4
Hostname to
IP address
IP address to
hostname
SANOG V
IPv6
A record:
AAAA record:
www.abc.test. A 192.168.30.1
PTR record:
PTR record:
1.30.168.192.in-addr.arpa. PTR
www.abc.test.
2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.
0.0.b.0.e.f.f.3.ip6.arpa PTR www.abc.test.
43
IPv4 Solution
IPv6 Solution
Addressing Range
32-bit, Network
Address Translation
128-bit, Multiple
Scopes
Autoconfiguration
DHCP
Serverless,
Reconfiguration, DHCP
Security
IPSec
IPSec Mandated,
works End-to-End
Mobility
Mobile IP
Quality-of-Service
Differentiated Service,
Integrated Service
Differentiated Service,
Integrated Service
IP Multicast
IGMP/PIM/Multicast
BGP
MLD/PIM/Multicast
BGP,Scope Identifier
SANOG V
44
Security
Nothing IPv4 doesnt do IPSec runs in both
but IPv6 mandates IPSec
QoS
Nothing IPv4 doesnt do
Differentiated and Integrated Services run in both
So far, Flow label has no real use
SANOG V
45
IPv6 Security
IPsec standards apply to both IPv4 and IPv6
All implementations required to support
authentication and encryption headers (IPsec)
Authentication separate from encryption for use
in situations where encryption is prohibited or
prohibitively expensive
Key distribution protocols are not yet defined
(independent of IP v4/v6)
Support for manual key configuration required
SANOG V
46
47
SANOG V
48
SANOG V
49
IPv6 Standards
Core IPv6 specifications are IETF Draft Standards
well-tested & stable
IPv6 base spec, ICMPv6, Neighbor Discovery, PMTU
Discovery,...
50
ICMPv6 (RFC2463)
RIP (RFC2080)
BGP (RFC2545)
IGMPv6 (RFC2710)
OSPF (RFC2740)
Jumbograms (RFC2675)
Autoconfiguration (RFC2462)
Radius (RFC3162)
DHCPv6 (RFC3315)
SANOG V
PPP (RFC2023)
Ethernet (RFC2464)
FDDI (RFC2467)
NBMA (RFC2491)
ATM (RFC2492)
ARCnet (RFC2497)
IEEE1394 (RFC3146)
FibreChannel (RFC3831)
51
Multi-homing
Address selection
Address allocation
DNS discovery
Anycast addressing
Flow-label semantics
API issues
52
V6ops
Replaces ngtrans working group
Focus moved to IPv6 operations from developing
transition tools and techniques
Multi6
Focus on multihoming for IPv6
Little progress apart from defining the problem
SANOG V
53
Conclusion
SANOG V
54
SANOG V
55
Routing in IPv6
Routing in IPv6 is unchanged from IPv4:
IPv6 has 2 types of routing protocols: IGP and EGP
IPv6 still uses the longest-prefix match routing
algorithm
IGP
RIPng (RFC 2080)
Cisco EIGRP for IPv6
OSPFv3 (RFC 2740)
Integrated IS-ISv6 (draft-ietf-isis-ipv6-05)
56
RIPng
SANOG V
57
SANOG V
58
OSPFv3 overview
SANOG V
59
60
Router1#
interface Ethernet0
ipv6 address 2001:1:1:1::1/64
ipv6 ospf 1 area 0
Area 0
Router2
LAN1: 2001:1:1:1::/64
interface Ethernet1
ipv6 address 2001:2:2:2::2/64
ipv6 ospf 1 area 1
ipv6 router ospf 1
router-id 1.1.1.1
area 1 range 2001:2:2::/48
Eth0
Router1
Eth1
LAN2: 2001:2:2:2::/64
Area 1
SANOG V
61
62
SANOG V
63
LAN1: 2001:0001::45c/64
Router1#
interface ethernet-1
ip address 10.1.1.1 255.255.255.0
ipv6 address 2001:0001::45c/64
ip router isis
ipv6 router isis
Ethernet-1
Router1
Ethernet-2
LAN2: 2001:0002::45a/64
interface ethernet-2
ip address 10.2.1.1 255.255.255.0
ipv6 address 2001:0002::45a/64
ip router isis
ipv6 router isis
router isis
address-family ipv6
redistribute static
exit-address-family
net 42.0001.0000.0000.072c.00
redistribute static
64
Multi-Topology ID Values
Multi-Topology ID (MT ID) standardized and in use in Cisco IOS:
MT ID #0 standard topology for IPv4/CLNS
MT ID #2 IPv6 Routing Topology.
SANOG V
65
Area B
LAN1: 2001:0001::45c/64
Ethernet-1
Router1
Ethernet-2
LAN2: 2001:0002::45a/64
Router1#
interface ethernet-1
ip address 10.1.1.1 255.255.255.0
ipv6 address 2001:0001::45c/64
ip router isis
ipv6 router isis
isis ipv6 metric 20
interface ethernet-2
ip address 10.2.1.1 255.255.255.0
ipv6 address 2001:0002::45a/64
ip router isis
ipv6 router isis
isis ipv6 metric 20
router isis
net 49.0000.0100.0000.0000.0500
metric-style wide
!
address-family ipv6
multi-topology
exit-address-family
66
67
Router1
Router2
AS 65001
AS 65002
3ffe:b00:c18:2:1::F
3ffe:b00:c18:2:1::1
Router1#
interface Ethernet0
ipv6 address 3FFE:B00:C18:2:1::F/64
!
router bgp 65001
bgp router-id 10.10.10.1
no bgp default ipv4-unicast
neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
address-family ipv6
neighbor 3FFE:B00:C18:2:1::1 activate
neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in
neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out
exit-address-family
SANOG V
68
SANOG V
69
SANOG V
70
OSPFv2
April 1998 was the most recent revision
(RFC 2328)
OSPF uses a 2-level hierarchical model
SPF calculation is performed
independently for each area
Typically faster convergence than DVRPs
Relatively low, steady state bandwidth
requirements
SANOG V
71
OSPFv3 overview
SANOG V
72
73
74
Router-LSA
Network-LSA
Inter-Area-Prefix-LSA
Inter-Area-Router-LSA
AS-External-LSA
Group-membership-LSA
Type-7-LSA
Link-LSA
Intra-Area-Prefix-LSA
SANOG V
LSA
Function Code
LSA type
1
2
0x2001
0x2002
3
4
0x2003
0x2004
0x4005
5
6
7
8
9
0x2006
0x2007
0x0008
0x2009
75
Link LSA
SANOG V
76
77
Similar to OSPFv2
Prefixing existing Interface and Exec mode commands
with ipv6
SANOG V
78
Exec mode
[no] show ipv6 ospf [<process ID>]
clear ipv6 ospf [<process ID>]
SANOG V
79
SANOG V
80
General purpose
[no] debug ipv6 ospf packets
[no] debug ipv6 ospf retransmission
[no] debug ipv6 ospf tree
SANOG V
81
Router1#
interface Ethernet0
ipv6 address 2001:1:1:1::1/64
ipv6 ospf 1 area 0
interface Ethernet1
ipv6 address 2001:2:2:2::2/64
ipv6 ospf 1 area 1
ipv6 router ospf 1
router-id 1.1.1.1
area 1 range 2001:2:2::/48
Area 0
Router2
LAN1: 2001:1:1:1::/64
Eth0
Router1
Eth1
LAN2: 2001:2:2:2::/64
Area 1
SANOG V
82
Area 1
2001:1:1:2::1/128 [110/1]
via FE80::205:5FFF:FEAF:2C38, Ethernet0
OI
2001:2:2::/48 [110/2]
via FE80::205:5FFF:FEAF:2C38, Ethernet0
SANOG V
83
ADV Router
1.1.1.1
3.3.3.3
Age
2009
501
Seq#
Checksum Link count
0x8000000A 0x2DB1
1
0x80000007 0xF3E6
1
ADV Router
1.1.1.1
Age
480
Seq#
Checksum
0x80000006 0x3BAD
Age
1761
982
Seq#
0x80000005
0x80000005
Prefix
2001:2:2:2::/64
2001:2:2:4::2/128
ADV Router
3.3.3.3
1.1.1.1
3.3.3.3
Age
245
236
501
Seq#
0x80000006
0x80000008
0x80000008
Checksum
0xF3DC
0x68F
0xE7BC
Interface
Lo0
Fa2/0
Fa2/0
Checksum
0xD670
0xC05F
0x3FF7
Ref lstype
0x2001
0x2002
0x2001
ADV Router
1.1.1.1
1.1.1.1
3.3.3.3
Age
480
236
245
Seq#
0x80000008
0x80000008
0x80000006
84
85
IPv6
Network
IPv6 Tunnel
IPv4
Backbone
IPv6
Network
interface Tunnel0
no ip address
ipv6 address 2001:0001::45C/64
ipv6 address FE80::10:7BC2:B280:11 link-local
ipv6 router ospf 1 area 0
tunnel source Ethernet2
tunnel destination 10.42.1.1
tunnel mode ipv6ip
!
ipv6 router ospf 1
SANOG V
IPv6
Tunnel
IPv6
Tunnel
IPv6
Network
86
Conclusion
87
SANOG V
88
RFC2545
Use of BGP Multiprotocol Extensions for IPv6
Inter-Domain Routing
SANOG V
89
90
SANOG V
Sub-AFI = 1
Unicast
Sub-AFI = 2
Sub-AFI = 3
Sub-AFI = 4
Label
Sub-AFI = 128
VPN
91
BGP Considerations
SANOG V
92
Routing Information
Independent operation
One RIB per protocol
e.g. IPv6 has its own BGP table
Distinct policies per protocol
SANOG V
93
C
B
AS1 AS2
SANOG V
94
Router ID
When no IPv4 is configured, an explicit bgp router-id
needs to be configured
BGP identifier is a 32 bit integer currently generated from
the router identifier which is generated from an IPv4
address on the router
95
BGP Configuration
Two options for configuring iBGP peering
Using link local addressing
ISP uses FE80:: addressing for iBGP neighbours
NOT RECOMMENDED
There are plenty of IPv6 addresses
Configuration complexity
96
BGP Configurations
Non Link Local Peering
network 2003:3:2::/64
network 2003:3:3::/64
Router A
AS 1
router bgp 1
no bgp default ipv4 unicast
bgp router-id 1.1.1.1
neighbor 3ffe:b00:ffff:2::2 remote-as 2
!
address-family ipv6
neighbor 3ffe:b00:ffff:2::2 activate
network 2003:3:2::/64
network 2003:3:3::/64
!
SANOG V
A
:1
3ffe:b00:ffff:2/64
AS 2
:2
B
97
BGP Configurations
Link Local Peering
Router A
AS 1
interface e2
ipv6 address 2001:412:ffco:1::1/64
!
router bgp 1
no bgp default ipv4 unicast
bgp router-id 1.1.1.1
neighbor fe80::260:3eff:c043:1143 remote-as 2
neighbor fe80::260:3eff:c043:1143 update source e2
address-family ipv6
neighbor fe80::260:3eff:c043:1143 activate
neighbor fe80::260:3eff:c043:1143 route-map next-hop out
!
route-map next-hop permit 5
set ipv6 next-hop 2001:412:ffco:1::1
AS
!
e2
2
B
fe80::260:3eff:c043:1143
SANOG V
98
BGP Configuration
Filtering Prefixes
IOS Prefix-list is used for filtering prefixes in IPv4
And for IPv6 too!
Example:
ipv6 prefix-list in-filter seq 5 permit 3ffe::/16 le 32
ipv6 prefix-list in-filter seq 6 permit 2001::/16 le 48
SANOG V
99
BGP Configuration
Manipulating Attributes
Prefer routes from AS 2 (local preference)
3ffe:b00:c18:2:1::1
3ffe:b00:c18:2:1::f
AS 1
router bgp 1
no bgp default ipv4-unicast
neighbor 3FFE:B00:C18:2:1::1
neighbor 3FFE:B00:C18:2:1::2
!
address-family ipv6
neighbor 3FFE:B00:C18:2:1::1
neighbor 3FFE:B00:C18:2:1::1
neighbor 3FFE:B00:C18:2:1::1
neighbor 3FFE:B00:C18:2:1::2
neighbor 3FFE:B00:C18:2:1::2
network 3FFE:B00::/24
exit-address-family
!
route-map fromAS2 permit 10
set local-preference 120
SANOG V
remote-as 2
remote-as 3
AS 2
3ffe:b00:c18:2:1::2
AS 3
activate
prefix-list in-filter in
route-map fromAS2 in
activate
prefix-list in-filter in
100
BGP Configuration
Carrying IPv4 inside IPv6 peering
IPv4 prefixes can be carried inside an IPv6 peering
101
SANOG V
102
Neighbour Information
SANOG V
TblVer
400386
0 3d11h
State/PfxRcd
498
103
Conclusion
SANOG V
104
IPv6 Filtering
SANOG V
105
SANOG V
106
SANOG V
107
SANOG V
108
SANOG V
109
SANOG V
110
Logging
(conf-ipv6-acl)# permit tcp any any log-input
(conf-ipv6-acl)# permit ipv6 any any log
Time based
(conf)# time-range bar
(conf-trange)# periodic daily 10:00 to 13:00
(conf-trange)# ipv6 access-list tin
(conf-ipv6-acl)# deny tcp any any eq www time-range bar
(conf-ipv6-acl)# permit ipv6 any any
SANOG V
111
Evaluate
Apply the packet against a reflexive ACL.
Multiple evaluate statements are allowed per ACL.
The implicit deny any any rule does not apply at the end of a reflexive
ACL; matching continues after the evaluate in this case.
SANOG V
112
113
114
SANOG V
115
2000::45a/64
Ethernet-0
Router1
ipv6 access-list In
permit tcp host 2000::1 eq www host 2001::2 time-range
tim reflect myp
permit icmp any any router-solicitation
Ethernet-1
2001::45a/64
116
SANOG V
117
DMZ
2001:0001::45a/64
ethernet0/0
Internet
Serial0/0
2001:0003::45a/64
FW
FW#
interface ethernet0/0
ipv6 address 2001:0001::45a/64
ipv6 traffic-filter dmz-in6 in
interface ethernet0/1
ipv6 address 2001:0002::45a/64
ipv6 traffic-filter internal-in6 in
ipv6 traffic-filter internal-out6 out
interface serial0/0
ipv6 address 2001:0003::45a/64
ipv6 traffic-filter exterior-in6 in
ipv6 traffic-filter exterior-out6 out
ethernet0/1
ipv6 access-list vty
deny ipv6 any any log-input
2001:0002::45a/64
Internal
IPv6 Firewall
SANOG V
line vty 0 4
ipv6 access-class vty in
ipv6 access-list dmz-in6
permit ipv6 host 2001:0001::100 any
118
119
120
121
SANOG V
122
SANOG V
123
IPv4-IPv6 Co-existence/Transition
SANOG V
124
Application
TCP
UDP
TCP
UDP
IPv4
IPv6
IPv4
IPv6
0x0800
0x86dd
0x0800
Pre
Ap ferred
plic
atio metho
ns
d
ser on
ver
s
0x86dd
Frame
Protocol ID
125
www.a.com
=*?
DNS
Server
3ffe:b00::1
10.1.1.1
IPv4
IPv6
3ffe:b00::1
126
SANOG V
127
B
Done
DNS
server
Resp=3ffe:b00:ffff:1::1 Type=AAAA
OR
Non-existent
Query=www.example.org Type=A
Resp=192.168.30.1 Type=A
128
SANOG V
129
Dual-Stack
Router
IPv6 and IPv4
Network
router#
ipv6 unicast-routing
interface Ethernet0
ip address 192.168.99.1 255.255.255.0
ipv6 address 2001:410:213:1::1/64
IPv4: 192.168.99.1
IPv6: 2001:410:213:1::1/64
IPv6-enable router
If IPv4 and IPv6 are configured on one interface, the
router is dual-stacked
Telnet, Ping, Traceroute, SSH, DNS client, TFTP,
SANOG V
130
Semi-automated
Tunnel broker
Automatic
Compatible IPv4 (RFC 2893) : Deprecated
6to4 (RFC 3056)
6over4: Deprecated
ISATAP
SANOG V
131
IPv6
Host
Transport
Header
Data
IPv4
IPv6
Network
IPv6
Host
Dual-Stack
Router
Dual-Stack
Router
IPv6
Network
IPv6 Header
Transport
Header
Data
132
Dual-Stack
Router2
IPv4
IPv4: 192.168.99.1
IPv6: 3ffe:b00:c18:1::3
IPv6
Network
IPv4: 192.168.30.1
IPv6: 3ffe:b00:c18:1::2
router1#
router2#
interface Tunnel0
ipv6 address 3ffe:b00:c18:1::3/64
tunnel source 192.168.99.1
tunnel destination 192.168.30.1
tunnel mode ipv6ip
interface Tunnel0
ipv6 address 3ffe:b00:c18:1::2/64
tunnel source 192.168.30.1
tunnel destination 192.168.99.1
tunnel mode ipv6ip
133
6to4
Router2
IPv4
E0
192.168.99.1
E0
192.168.30.1
Network prefix:
2002:c0a8:6301::/48
2002:c0a8:1e01::/48
=
6to4 Tunnel:
Is an automatic tunnel method
Gives a prefix to the attached
IPv6 network
2002::/16 assigned to 6to4
Requires one global IPv4 address
on each Ingress/Egress site
SANOG V
IPv6
Network
=
router2#
interface Loopback0
ip address 192.168.30.1 255.255.255.0
ipv6 address 2002:c0a8:1e01:1::/64 eui-64
interface Tunnel0
no ip address
ipv6 unnumbered Ethernet0
tunnel source Loopback0
tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 Tunnel0
134
6to4 Relay
6to4
Router1
6to4
Relay
IPv4
IPv6
Network
IPv6
Network
192.168.99.1
Network prefix:
2002:c0a8:6301::/48
=
router1#
interface Loopback0
ip address 192.168.99.1 255.255.255.0
ipv6 address 2002:c0a8:6301:1::/64 eui-64
interface Tunnel0
no ip address
ipv6 unnumbered Ethernet0
tunnel source Loopback0
tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:c0a8:1e01::1
SANOG V
IPv6
Internet
IPv6 address:
2002:c0a8:1e01::1
6to4 relay:
Is a gateway to the rest of
the IPv6 Internet
Default router
Anycast address (RFC 3068) for
multiple 6to4 Relay
135
Tunnel Broker
1. Web request 2. Tunnel info response
on IPv4.
on IPv4.
IPv4
Network
Tunnel
Broker
3. Tunnel Broker
configures the tunnel
on the tunnel server or
router.
IPv6
Network
Tunnel broker:
Tunnel information is sent via http-ipv4
SANOG V
136
137
0000:5EFE
IPv4 address
138
ISATAP
192.168.4.1
fe80::5efe:c0a8:0401
3ffe:b00:ffff:5efe:c0a8:0401
192.168.2.1
IPv4 Network
fe80::5efe:c0a8:0201
Src Addr
Dest Addr
fe80::5efe:c0a8:0201
fe80::5efe:c0a8:0401
Src Addr
Dest Addr
fe80::5efe:c0a8:0401
fe80::5efe:c0a8:0201
Prefix = 3ffe:b00:ffff::/64
Lifetime, options
139
IPv6 Network
ISATAP
IPv4 Network
192.168.4.1
fe80::5efe:c0a8:0401
fe80::5efe:c0a8:0201
3ffe:b00:ffff:5efe:c0a8:0201
192.168.3.1
3ffe:b00:ffff:5efe:c0a8:0401
fe80::5efe:c0a8:0301
3ffe:b00:ffff:5efe:c0a8:0301
A
IPv6 Network
3ffe:b00:ffff::/64
ISATAP
SANOG V
fe80::/64
140
API
BIS (Bump-In-the-Stack) (RFC 2767)
BIA (Bump-In-the-API)
ALG
SOCKS-based Gateway (RFC 3089)
NAT-PT (RFC 2766 & RFC 3152)
SANOG V
141
SANOG V
142
NAT-PT Concept
IPv4
NAT-PT
Interface
IPv6
Interface
IPv4 Host
IPv6 Host
2001:0420:1987:0:2E0:B0FF:FE6A:412C
172.16.1.1
SANOG V
143
IPv6
Interface
IPv6 Host
IPv4 Host
2001:0420:1987:0:2E0:B0FF:FE6A:412C
172.16.1.1
2
Src: 172.17.1.1
Dst: 172.16.1.1
3
Src: 172.16.1.1
Dst: 172.17.1.1
SANOG V
1
Src: 2001:0420:1987:0:2E0:B0FF:FE6A:412C
Dst: PREFIX::1
4
Src: PREFIX::1
Dst: 2001:0420:1987:0:2E0:B0FF:FE6A:412C
144
SANOG V
145
SANOG V
Ipv6 field
IPv4 field
Action
Version = 6
Version = 4
Overwrite
Traffic class
DSCP
Copy
Flow label
N/A
Set to 0
Payload length
Total length
Adjust
Next header
Protocol
Copy
Hop limit
TTL
Copy
146
Type=A Q=host.nat-pt.com
3
Type=A R=172.16.1.5
6
Type=PTR Q=5.1.16.172.in-addr-arpa
7
Type=PTR R=host.nat-pt.com
SANOG V
IPv6 Host
1
Type=AAAA Q=host.nat-pt.com
4
Type=AAAA R=2010::45
5
Type=PTR Q=5.4.0...0.1.0.2.IP6.INT
8
Type=PTR R=host.nat-pt.com
147
Ethernet-2
DNS query
Ethernet-1
DNS query
DNS v6
Host A
148
Enabling NAT-PT
[no] ipv6 nat
SANOG V
149
Debug commands
debug ipv6 nat
debug ipv6 nat detailed
SANOG V
150
TCP translations time out after 24 hours, unless a RST or FIN is seen
on the stream, in which case it times after 1 minute
[no] ipv6 nat translation tcp-timeout <seconds>
[no] ipv6 nat translation finrst-timeout <seconds>
[no] ipv6 nat translation icmp-timeout <seconds>
SANOG V
151
.200
LAN2: 192.168.1.0/24
Ethernet-2
Ethernet-1
interface ethernet-1
ipv6 address 2001:2::10/64
ipv6 nat
!
interface ethernet-2
ip address 192.168.1.1 255.255.255.0
ipv6 nat prefix 2010::/96
ipv6 nat
!
ipv6 nat v6v4 source 2001:2::1 192.168.2.1
ipv6 nat v4v6 source 192.168.1.200 2010::60
!
LAN1: 2001:2::/64
2001:2::1
SANOG V
152
.100
.200
Ethernet-2
Ethernet-1
LAN1: 2001:2::/64
2001:2::1
SANOG V
interface ethernet-1
ipv6 address 2001:2::10/64
ipv6 nat
!
interface ethernet-2
ip address 192.168.1.1 255.255.255.0
ipv6 nat
ipv6 nat prefix 2010::/96
!
ipv6 nat v4v6 source 192.168.1.100 2010::1
!
ipv6 nat v6v4 source route-map map1 pool v4pool1
ipv6 nat v6v4 pool v4pool1 192.168.2.1 192.168.2.10
prefix-length 24
!
route-map map1 permit 10
match interface Ethernet-2
LAN2: 192.168.1.0/24
153
.200
IPv6 source
--- ---
---
--- 192.168.2.1
2001:2::1
IPv6 destn
IPv4 destn
2010::60
192.168.1.200
---
LAN2: 192.168.1.0/24
Ethernet-2
Router1
Ethernet-1
LAN1: 2001:2::/64
2001:2::1
SANOG V
154
.200
LAN2: 192.168.1.0/24
Ethernet-2
Router1
Ethernet-1
LAN1: 2001:2::/64
2001:2::1
SANOG V
155
NAT-PT Summary
Points of note:
ALG per application carrying IP address
No End to End security
no DNSsec
no IPsec because different address realms
Conclusion
Easy IPv6 / IPv4 co-existence mechanism
Enable applications to cross the protocol barrier
SANOG V
156
SANOG V
157
Unix
Webserver
SANOG V
158
Unix
Nameserver
BIND 9 supports IPv6 by default
To enable IPv6 nameservice, edit /etc/named.conf:
options {
listen-on-v6 { any; };
};
zone workshop.net" {
type master;
file workshop.net.zone";
};
zone 0.1.4.0.1.0.0.2.ip6.arpa" {
type master;
Sets up reverse
zone for IPv6 hosts
file workshop.net.rev-zone";
};
SANOG V
159
Unix
Sendmail
Sendmail 8 as part of a distribution is usually
built with IPv6 enabled
But the configuration file needs to be modified
160
Unix Applications
OpenSSH
Uses IPv6 transport before IPv4 transport if
IPv6 address available
Mozilla/Firefox
Supports IPv6, but still hampered by broken
IPv6 nameservers
SANOG V
161
Windows XP
SANOG V
162
SANOG V
163
2002
2003
2004
2005
2006
2007-2010
Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q
1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4
Early adopter
Application porting
te d
u
b
tri ng?
s
i
D ami
G
Consumer adoption
<=
Enterprise adoption
<=
f
yo
t
i
l
bi
ila ions
a
v
t
ca
ll a
F u p pl i
A
164
2003
2004
2005
2006
2007-2010
Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q Q
1 2 3 4 1 2 3 4 1 2 3 4 1 2 3 4
Identifying the
business case
Funding the
project
Training
Registering for an
IPv6 prefix
Testing
Deploying
Production
How long do you need for each phase of an IPv6 deployment project?
SANOG V
165
166
IPv6 Header
Transport
Header
Data
IPv6 Header
Transport
Header
Data
167
SANOG V
168
ISP scenario
Configured Tunnels or Native IPv6 between
IPv6 Core Routers
Configured Tunnels or Native IPv6 to IPv6
Enterprises Customers
IPv6 Site A
6Bone
Service
Provider
IPv4 backbone
Enterprise/Home scenario
UNIVERSITY
IPv6 Site B
169
IPv4 and IPv6 Control & Data planes should not impact
each other
Feedback, requirements & experiments are welcome
SANOG V
170
Campus scenario
Enterprise
Leased Line,
DSL, FTTH
ISP
ENT/SOHO
Residential
Dial, DSL,
FTTH, Cable
Transparent IPv4-IPv6
access services
Core may not go dual-stack
before sometimes to avoid a
full network upgrade
SOHO
Residential
SANOG V
IPv4/v6 Servers
DNS, Web, News,
171
172
145.95.0.0
MP-iBGP sessions
v6
v4
v6
CE
192.76.10.0
2001:0420::
v6
2001:0421::
CE
6PE
2001:0621::
v6
6PE
v4 CE
IPv6
IPv4
MPLS
Dual Stack
IPv4-IPv6
routers
6PE
6PE
v4 192.254.10.0
CE
IPv6
173
Legacy mobile
signaling
Network
Applications &
Services *)
SCP
GPRS
Access
Network
Mh
PS Domain
Mm
Cx
CSCF
Gr
TE
MT
BSS/GRAN
Um
Iu
TE
UTRAN
MT
R
Gb
MGCF
Gi
Gc
SGSN
1
MGW
Iu
Mc
Nc
MSC server
CS Domain
PSTN/
Legacy/External
Nb
Mc
MS Circuit
Switch
Access
Network
T-SGW *)
Gi
MGW
Uu
IM Domain
Mc
GGSN
Gn
Iu
Gi
MRF
Gf
Iu
A
Mg
Mr
Gi
EIR
MPLS offers
ATM + IP + IPv6
switching
Mw
Ms
CAP
HSS *)
Multimedia
IP Networks
CSCF
R-SGW
GMSC server
C
CAP
CAP
Applications
& Services *)
Signalling Interface
Signalling and Data Transfer Interface
T-SGW *)
Mh
HSS *)
R-SGW *)
*) those elements are duplicated for figure
layout purpose only, they belong to the same
logical element in the reference model
174
Requires
Full Network upgrade (software &
potentially hardware)
Native IPv6 Network Management
Solutions
IPv6-Only
Infrastructure
SANOG V
175
Phases
IPv6 Tunnels
over IPv4
Dedicated Data
Link layers for
Native IPv6
MPLS 6PE
Dual stack
IPv6-Only
SANOG V
176
Residential
6Bone
DSL,
FTTH,
Dial
ISATAP
Telecommuter
IPv6 IX
Enterprise
SANOG V
177
Still a lot to do
Though IPv6 has all the functional capability of
IPv4 today:
Implementations are not as advanced (e.g., with
respect to performance, multicast support,
compactness, instrumentation, etc.)
Deployment has only just begun
Much work to be done moving application, middleware,
and management software to IPv6
Much training work to be done (application developers,
network administrators, sales staff,)
Some of the advanced features of IPv6 still need
specification, implementation, and deployment work
SANOG V
178
IPv6 Implementations
Most Operating Systems now deliver an IPv6 stack
Internetworking vendors are committed on IPv6
support
Interoperability events, e.g. TAHI, UNH, ETSI,
SANOG V
179
IPv6 Forum
+100 companies
Cisco is a founding member
www.ipv6forum.com
Mission is to promote IPv6 not to specify it (IETF)
Holds and supports the IPv6 summit in many
countries around the World
SANOG V
180
IPv6 Conclusion
IPv6 Ready for Production Deployment?
Evaluate IPv6 products and services, as available
Major O.S., applications and infrastructure for the IT industry
New IP appliances, e.g3G (NTT DoCoMo,), gaming,
IPv6 services from ISP
181
Presentation Slides
Available on
ftp://ftp-eng.cisco.com
/pfs/seminars/SANOG5-IPv6-Tutorial.pdf
SANOG V
182
IPv6 Tutorial
SANOG V
Dhaka, Bangladesh
11 February 2005
SANOG V
183