FortiGate II

IPv6

FortiGate 5.4.1
© Copyright Fortinet Inc. All rights reserved. Last Modified: Wednesday, April 29, 2020
1
Objectives
• Show IPv6 in the GUI
• Identify parts of IPv6 that are different from IPv4
o Header formats and extension headers
o Addresses, scopes, and prefixes
o Anycast and multicast addresses
o ICMPv6, neighbor discovery, and auto-configuration
• Describe the purpose of transition technologies
o NAT64, Tunneling, Dual-Stack
• Configure IPv6 interfaces and networks
o Choose stateless vs. stateful IP auto-configuration
o Create a NAT64 policy

2
Why Do I Care About IPv6?
• Only ~4.3 billion IPv4 addresses
o 7.1 billion people in 2016
o Notenough for each person, especially not
2 PCs, 1 phone, 1 tablet, 5 smart home devices
Internet of Things
• Top-level exhaustion: 31 January 2011
• ~3.4×1038 IPv6 addresses
• Many don’t realize their device is already on IPv6
• Hackers already targeting IPv6 devices,
running IPv6 darknet sites

3
Internet and the IPv6 Transition Today

http://www.google.ca/intl/en/ipv6/statistics.html

IPv6
IPv6
Only
Only

LAN
Internet LAN
Both
Both
Both
Both

IPv4
IPv4 2011 2015
Only
Only Top-level North
exhaustion America
regional
exhaustion

4
Improvements in IPv6
• IPv4 has design limitations
o Designed before most modern protocols (1980)
o Broken VPN connectivity due to NAT
o No encryption and authentication (IPsec, TLS)
o No automatic addressing (DHCP)
• IPv6 solves these
o NAT, DHCP, IPsec, others no longer needed

5
Showing IPv6 Settings on FortiOS
“Where Is IPv6?”
• System > Feature Select
o Enable IPv6 to enable in GUI
o Some settings are CLI only

7
IPv6 Visible in GUI
• Policy & Objects > IPv6
• Policy & Objects > IPv6 Dos Policy

8
FortiOS IPv6 Support
• Routing
• Firewall policies
• DoS policies
• Security profiles
• Geographical database
• Transition technologies (NAT64)

9
What’s Different in IPv6?
IPv4 and IPv6 Headers

Ver.
Ver. HL Ver.
Ver. Traffic
Traffic class
class Flow
Flow label
label
HL TOS
TOS Datagram
DatagramLength
Length
44 66 88 bits
bits 20
20 bits
bits

Datagram-ID Flags Payload

Payload Length
Length Next
Next Hdr.
Hdr. Hop
Hop Limit
Limit
Datagram-ID Flags Flag
FlagOffset
Offset 16
16 bits
bits 88 bits
bits 88 bits
bits

TTL
TTL Protocol
Protocol Header
HeaderChecksum
Checksum
Omits
Omits routing
routing
Source
SourceIP
IPAddress
Address Source
SourceAddress
Address headers
headers atat thethe
128
128 bits
bits next
next layer,
layer, ifif
Destination
DestinationIP
IPAddress
Address they
they aren’t
aren’t
needed
needed
IP
IPOptions
Options
(with
(withpadding
paddingififnecessary)
necessary)
IPv4

IPv6
Destination
DestinationAddress
Address
32 bits 128
128 bits
bits

32 bits

11
IPv6 Extension Headers
IPv6 Routing
Next Header:
Routing
Next Header:
Fragment
Fragment
Next Header: TCP TCP…

IPv6
Next Header:
Routing
Routing
Next Header: TCP TCP… Omit extension headers if
they are not needed.
• Routing
• Fragmentation
• Hop by Hop
• Destination Options
IPv6
Next Header: TCP TCP… •
•
ICMPv6
TCP
• UDP
• Authentication
• Encryption (IPsec built in)

12
Built-in IPsec VPN
• AH and ESP headers are integral to IPv6
• ESP is most commonly used
• AH and ESP provide the same security capabilities to IPv6, as
they did to IPv4
• https://tools.ietf.org/html/rfc4303

13
Traffic Shaping
• Flow label can support different QoS mechanisms
• Two IPv6 header fields:
o Traffic Class
o Flow Label

14
Transport Layer and Above: IPv6 Considerations

Protocol Description

HTTP If connecting via IP instead of domain name, browsers may require IPv6 address
in square brackets; example:
http://[2001:DB8:2a:1005:230:48ff:fe73:989d]
IPv6 may be in “Host:” and “Referer:” headers

DNS Add IPv6 name records (AAAA records) and corresponding reverse (PTR) record

SSL/TLS If certificate is based on IPv4 address (not FQDN), get an IPv6 certificate

15
IPv6 Interface Addresses and Subnets
Address Abbreviations
• Big addresses!
2001:0db8:7564:656e:7431:0000:0000:0001

• Auto-negotiation = Configuration often not required

• Can be written shorter
o Skip leading zeros in 16-bit block
2001:db8:7564:656e:7431:0:0:1
o Replace consecutive zeros with double colon (::)
2001:db8:7564:656e:7431::1
• Double colon can be used only once in an address

17
Address Types
• Address types:
o Unicast

o Anycast – Multiple NICs,

one receives (nearest)
o Multicast – Multiple NICs,
all receive

o No broadcast
• Why? Not necessary. Multicast can do the same thing.

18
IP Addresses
Unicast address has:
• Network prefix (first n bits)
• Interface ID (last bits)

Unlike IPv4, each interface often

has multiple addresses
• Different scopes: 2001:db8:1::254/64
o Global

o Link local
• Neighbors can discover others’ interface
addresses
19
Subnetting
• Prefix (left-most bits) define network
o Often given by router
o Size varies
• Like /24, /28, etc. on IPv4
• “Which packets need routing to another subnet?” 48 bits 16 bits 64 bits

o CIDR notation only Interna

Interna
• No dotted decimal Global
Global Routing ll
Routing
001
001 Interface
Interface ID
ID
Prefix
Prefix Subnet
Subnet
• Why? Impractical for 128-bit addresses…
ID
ID
255.255.255.255.255.255.255.255.0.0.0.0.0.0.0.
0
2001:db8:1::254/64
• Examples:
o /48 for office (RFC 3117)
o /96 for dual stack prefix subnet
o /128 for point-to-point

20
Well-Known Prefixes

2000::/3 FD00::/8
●
Global unicast ●
Local (unique)
●
Like IPv4 public Internet IP ●
Like IPv4 private LAN IP

2002::/16 FE80::/10
Link local
6to4
●
● (not unique; not globally
routable)

::1/128 FF00::/8
●
Local Loopback ●
Multicast
21
Dynamic Routing
• Routing protocols have versions for IPv6 support
o RIPng

o BGP4+

o OSPFv3

• FortiOS supports IPv6 versions of dynamic routing protocols

22
Anycast & Multicast
IPv6 Anycast
• Packet to anycast address is routed to nearest interface
• Look like unicast addresses, but
• Assigned to two or more interfaces
o Typically belonging to different hosts

24
IPv6 Multicast
• FF00::/8
• Binary flags
o 0000 = permanent
o 0001 = transient
• Scopes
o Address indicates scope
o FF01 Node
o FF02 Link (like  224.0.0.1 on IPv4)
o FF05 Site
o FF08 Organization
o FF0E Global (Internet)

25
Example: IPv6 Multicast Scope

FF01:0:0:0:0:0:0:101
●
All NTP servers on same node as sender

FF02:0:0:0:0:0:0:101
●
All NTP servers on same link as sender

FF05:0:0:0:0:0:0:101
●
All NTP servers at same site as sender

FF0E:0:0:0:0:0:0:101
●
All NTP servers on Internet

26
Future of Address Management
Neighbor Discovery Protocol (NDP)
• Replaces ARP, ICMPv4 router discovery, and redirect
• Hosts and routers:
o Resolve MAC to IPv6 address
o Determine neighbor reachability
o Detect link-layer address changes
• All Hosts:
o Discover neighboring routers
o Auto-configure addresses, prefixes, and other parameters
• All Routers:
o Advertise their presence, on-link prefixes, and host configuration parameters
o Redirect hosts if a better next-hop router exists for a destination

28
Configuring Addresses Beyond Link-Local
• Global/ISP/private network (site) addresses
• Three ways:
o SLAAC

o DHCPv6

o Manually

29
SLAAC
• Stateless Address Auto-configuration
o Why? Unlike DHCP, router doesn’t remember list of host IPs
• No DHCP server required
• Link-local address generated from MAC address (EUI-64)
o Requires /64 as link-local subnet
• Global address generated using prefix from router

30
SLAAC (cont.)
Generate a link-local address
1. Generate a tentative link-local address.
2. Join multicast groups.
3. Send neighbor solicitation message (NDP) to tentative address.
4. Check for duplicate addresses on link.
Generate a global unicast address
5. Send a router solicitation message to the all-routers multicast
group. For each prefix with the autonomous flag on, the router
generates a router advertisement (RA).
6. Generate a global unicast address based on an advertised prefix.
7. Check for duplicate addresses.
31
DHCPv6
• Control address assignments (leases)
• Give DNS settings and other options
• Link-local address used for DHCP messages using UDP
• DHCP servers receive messages using link-scope multicast
• DHCP relay for when server is not on the same link

32
Manual Addressing
• If required (example: servers)

33
Configuring Interfaces on FortiOS
FortiOS Manual Addressing and SLAAC
# config system interface
# edit "port1"
# config ipv6
# set ip6-address 2001:db8:1::254/64
# set ip6-allowaccess ping https ssh
# set ip6-send-adv enable
# config ip6-prefix-list RA
# edit 2001:db8:1::/64
# set autonomous-flag enable
# set onlink-flag enable SLAAC

35
FortiOS DHCPv6 Server
# config system dhcp6 server
# edit 0
# set interface port1
# set dns-server1 2001:db8:1::254
# config ip-range
# edit 0
# set start-ip 2001:db8:1::2222
# set end-ip 2001:db8:1::2224

# config system interface

# edit port1
# config ipv6
# set ip6-address 2001:db8:1::254/64
# set ip6-allowaccess ping https ssh
# set ip6-send-adv enable
#
#
set ip6-manage-flag enable
set ip6-other-flag enable Advertise DHCPv6

36
FortiOS as DHCPv6/SLAAC Client
• DHCPv6 client
config system interface
edit "port6"
config ipv6
set ip6-mode dhcp
o Disable auto-configuration
set autoconf disable
o Renew lease
exec interface dhcp6client-renew <interface_name>

• SLAAC client
o Enable auto-configuration
set autoconf enable
o Disable RA
set ip6-send-adv disable

37
IPv6 Policies & Security Profiles
• Apply profiles like IPv4
• Most application layer protocols are
independent of addressing Policy & Objects > IPv6
o Same scans apply

38
End-to-End Connectivity
How Do We Support IPv4 and IPv6 Simultaneously?

• New IPv6 hosts still need to connect to legacy IPv4

• Addresses must be tunneled or translated

• Transition techniques
o Dual stack – IPv4 and IPv6 coexist on the same device
o NAT64 and DNS64 – Translation between IPv6
NAT64? 6in4?
and IPv4 addresses
o 6in4 – Encapsulate IPv6 traffic in IPv4 tunnel
Internet LAN
LAN
Internet

40
NAT64/DNS64
• NAT64/DNS64
o IPv6 NAT and DNS translation for IPv4 connectivity
o For IPv6 initialized traffic to an IPv4 network
o Traffic
flows using firewall policy with source IPv6 address and destination
IPv4 address
• NAT64 implemented using:
o config system nat64 (to set prefix, one for each vdom)
o config firewall policy64 (for the forwarding policy)

41
NAT64/DNS64
• DNS64 handled by FortiOS dnsproxy:
o Normally queries for AAAA record are processed and reply is sent to client
o Ifsystem nat64 has always-synthesize-aaaa-record, will query
for A record and create AAAA from ipv6prefix
config system nat64
set status enable
set nat64-prefix 64:ff9b::/96
set always-synthesize-aaaa-record enable
• Define a prefix for the NAT64 translations (default 64:ff9b::/96)
o Example: 12.20.120.12 >> 64:ff9b::0c14:780c /96

42
Example: NAT64/DNS64 policy
# config firewall policy64
# edit 0
# set srcintf "port1"
# set dstintf "port2"
# set srcaddr "all"
# set dstaddr "all"
# set action accept
# set schedule "always"
# set service "ANY"
# set logtraffic enable

43
NAT66
• NAT66 provides address independence at edge network
• IPv6 destination addresses:
config firewall vip6
config firewall vipgrp6

• IPv6 policy and IP pool address:

config firewall policy6
config firewall ippool6

44
Tunneling
• Simple Internet Transition (SIT) tunnel
o IPv6 to IPv4 tunnel, no security

• IPv4 to IPv6 tunnel (IPv6 tunnel in FortiOS)

o IPv4 to IPv6 tunnel, no security

• IPsec Interface Mode VPNs

o Using IPsec to secure IPv6-in-IPv4 tunnels

45
Connectivity Testing
IPv6 Troubleshooting Commands
# get router info6 routing-table
# diagnose ipv6 route list
# diagnose ipv6 neighbor-cache list
# execute ping6-options ?
# diag sniffer packet any 'ip6' 4

47
ICMPv6
Action by Message Related Messages Description

Destination unreachable 1 (codes 0-6) Packet cannot be delivered for reasons other than congestion
Common errors 2 Packet too big
3 Time exceeded
4 Parameter problem
Ping 128 Echo request
129 Echo reply
Neighbor Discovery Protocol (NDP) 133 Router Solicitation
134 Router Advertisement
135 Neighbor Solicitation
136 Neighbor Advertisement
137 Redirect
Multicast router discovery (MRD) 151 Multicast Router Advertisement
152 Multicast Router Solicitation
153 Multicast Router Termination

48
IPv6 over IPv4 IPsec

49
Review
 Show IPv6 settings on GUI
 Explain scope of different IPv6 addresses
 Compare stateless to stateful auto-negotiation
 SLAAC
 DHCPv6
 Transition technologies
 NAT64, tunneling 6in4, dual stack
 Configure the FortiGate to announce an IPv6 prefix
 Create a NAT64 policy
 Diagnose broken IPv6 connectivity
50