Transcript of BRKRST-2301
BRKRST-2301
Tim Martin
CCIE #2020
@bckcntryskr
Enterprise IPv6 Deployment
Agenda
• General Design
• Host Configuration
• Campus Design
• Data Center
• Translation Techniques
• Internet Edge
• Conclusion
General Design
Project Planning for IPv6 Deployment
Create a project team, assign a PM
Identify business value & impacts
Assess equipment & applications for IPv6
Begin training & develop training plan
Develop the architectural solution
Obtain a prefix and build the address plan
Define an exception process for legacy systems
Update the security policy
Deploy IPv6 trials in the network
Test and monitor your deployment
Figure: three-tier enterprise topology (Internet, WAN and Data Center blocks; Core, Distribution and Access layers)
Enterprise IPv6 Guidance
• Updated White Paper – Cisco.com
• RFC 7381 Enterprise IPv6 Guidelines
• No major change to the 2/3-tier architecture
Global Address Assignment
• /32 given to ISP (/29 in some geo’s)
• ISP assigns /48 to customers
• 65,536 customers could receive /48
• /48 is the smallest route advertised in DFZ
• 2001:db8:4646:xxxx::/64
• xxxx = subnets in your domain
Figure: registry hierarchy by level and entity: IANA holds 2000::/3, an RIR receives a /12, an LIR/ISP a /32 and the ORG a /48 of provider-assigned (PA) space; provider-independent (PI) space is a /48 the ORG receives from the RIR
Multi-national Model
• PA or PI from each region you operate in
• Coordination of advertised space within each RIR, policy will vary
• Most run PI from primary region
Building the IPv6 Address Plan
• Methods
  • Follow IPv4 (/24 only), Organizational, Location, Function based
  • Hierarchy is key (a /48 example)
• Bit twiddler’s dream (16-bit subnet strategy)
  • 4 or 8 bits = (16 or 256) Regions (states, counties, agencies, etc.)
  • 4 or 8 more bits = (16 or 256) Sub-levels within those Regions
  • 4 more bits = (16) Traffic Types (Admin, Guest, Telephony, Video, etc.)
• Cisco IPv6 Addressing White Paper
  • www.cisco.com/go/ipv6
• Avoid monotonic assignments
  • (1000, 2000, 3000, etc.) vs. sparse (0000, 4000, 8000, c000)
Prefix Length Considerations
• Anywhere a host exists: /64
• Point to Point: /127
  • Should not use all 0’s or 1’s in the host portion
  • Nodes 1 & 2 are not in the same subnet
• Loopback or Anycast: /128
• RFC 7421: /64 is here
• RFC 6164: /127 cache exhaust
Figure: prefix length by role: WAN point-to-point /127, Core /64 or /127, Servers /64, Hosts /64, Loopback /128
Where do I start?
• Core-to-Access – Gain experience with v6
• Access-to-Core – Securing and monitoring
• Internet Edge – Business continuity
Figure: enterprise topology with Servers, Branch Access, WAN, Campus Core, Access Layer and an Internet Edge to two ISPs
Dual Stack Mode
• Preferred method: versatile, scalable and highest performance
• No dependency on IPv4, runs in parallel on dedicated HW
• No tunneling, MTU, NAT or performance-degrading technologies
• Does require IPv6 support on all devices
Figure: IPv6/IPv4 dual-stack hosts and servers across the Access, Distribution and Core layers and the DC Aggregation and Access layers
IPv4 & IPv6 Combined
• Should we use both on the same link at Layer 3?
• Separate links, possibly to collect protocol-specific statistics
• Routing protocols OSPFv3, EIGRP combined or separate?
• Fate sharing between the data and control planes per protocol
Figure: OSPFv3 and EIGRP domains toward the Internet with IPv4 & IPv6 sharing links (2001:db8:1:1::/64 with 198.51.100.0/24, 2001:db8:6:6::/64 with 192.168.4.0/24)
Infrastructure using Link Local Addressing
• Topology hiding: interfaces cannot be seen by off-link devices
• Reduces routing table prefix count, less configuration
• Need to use ULA or GUA for generating ICMPv6 messages
• What about DNS, traceroute, WAN connections, etc.?
• RFC 7404 – Details pros and cons
Figure: WAN/MAN and Internet-facing links addressed from fe80::/64 only, ULA/GUA on the remaining interfaces
Unique Local Address (ULA)
• Automatic prefix generation (RFC 4193), non-sequential /48, M&A challenges
• To be avoided in most cases, draft-ietf-v6ops-ula-usage-recommendations-05
• Caution with older OSs (RFC 3484) using ULA & IPv4
• Multiple policies to maintain (ACL, QoS, Routing, etc.)
Figure: corporate backbone with ULA space fd9c:58ed:7d73::/48 alongside global 2001:db8:cafe::/48; Branch 2 uses fd9c:58ed:7d73:3000::/64 and 2001:db8:cafe:3000::/64, with the Internet reached via the global prefix
To NAT or NOT
• NAT allows for the client/server model, difficult to deploy peer-to-peer
• UDP/TCP only, ALGs & protocol fixups; what about SCTP & DCCP?
• IETF does NOT recommend the use of NAT66 with IPv6
• NAT ≠ Firewall – RFC 4864 (Local Network Protection)
• Wait, who did what? – RFC 6269 (Issues with IP address sharing)
Figure: Firewall+NAT in front of the Internet; translation variants NAT-PT, NAT66, NPTv6, NAT64
Host Configuration & Behavior
IPv6 Host Portion Address Assignment
• Similar to IPv4: Manually configured; Assigned via DHCPv6
• New in IPv6: Stateless Address Autoconfiguration (SLAAC) with EUI-64; SLAAC with Privacy Addressing; Secure Neighbor Discovery (SeND)*
Address, Which Address?
• Link Local (fe80::/10) is required for any device with IPv6 enabled
• At least 2 addresses per interface for global connectivity
• Majority of access layer devices will have LL as their Default Gateway
Host Addresses (W)
  Ethernet          B8:E8:56:1A:2B:3C
  IPv6 Link Local   fe80::b8e8:56ff:fe1a:2b3c
  IPv6 Global       2001:db8:1:46:a1b2:c:3:d4e5
  Default Gwy.      fe80::46:1
Router Addresses (DfG)
  Ethernet          02:00:0C:3A:8B:18
  IPv6 Link Local   fe80::46:1
  IPv6 Global       2001:db8:1:46::1
  RA Prefix         2001:db8:1:46::/64
RA Provisioning
• M-Flag – Stateful DHCPv6 to acquire IPv6 address
• O-Flag – Stateless DHCPv6 in addition to SLAAC
• Preference Bits – Low, Med, High
• Router Lifetime – Must be >0 for Default
• Options – Prefix Information, Length, Flags
  • L bit – Host installs the prefix as On Link
  • A bit – Set to 0 for DHCP to work properly
Decoded RA:
Type: 134 (RA)
Code: 0
Checksum: 0xff78 [correct]
Cur hop limit: 64
Flags: 0x84
  1... .... = Managed (M flag)
  .0.. .... = Not other (O flag)
  ..0. .... = Not Home (H flag)
  ...0 1... = Router pref: High
Router lifetime (s): 1800
Reachable time (ms): 3600000
Retrans timer (ms): 1000
ICMPv6 Option 3 (Prefix Info)
  Prefix length: 64
  Flags: 0x80
    1... .... = On link (L Bit)
    .1.. .... = No Auto (A Bit)
  Prefix: 2001:0db8:4646:1234::/64
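Added example, not code from the deck or from Cisco: a Python decoder for an RA like the one shown above, run on a constructed RA byte string rather than a capture, that pulls out the M/O/H flags, router preference and the Prefix Information L/A bits and then checks them against the DHCPv6-only recipe the deck gives (M=1, A=0, preference high). The prefix 2001:db8:4646:1234::/64, hop limit and timers come from the decode above; the flag byte 0x88 (M flag plus preference High), the prefix lifetimes and the function names are my own choices.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
# RFC 4191 router preference lives in bits 4-3 of the RA flags byte
PREF_NAMES = {0b01: "High", 0b00: "Medium", 0b11: "Low", 0b10: "Reserved"}


def parse_ra(packet: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement (RFC 4861/4191) plus its
    Prefix Information options. `packet` is the ICMPv6 message without
    the IPv6 header; the checksum is carried through, not verified,
    because verifying it needs the IPv6 pseudo-header."""
    if len(packet) < 16:
        raise ValueError("RA shorter than the 16-byte fixed header")
    (msg_type, code, checksum, cur_hop_limit, flags,
     router_lifetime, reachable_ms, retrans_ms) = struct.unpack("!BBHBBHII", packet[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError(f"not a Router Advertisement: type {msg_type}")
    ra = {
        "code": code,
        "checksum": checksum,
        "cur_hop_limit": cur_hop_limit,
        "managed": bool(flags & 0x80),       # M flag: get addresses from stateful DHCPv6
        "other": bool(flags & 0x40),         # O flag: get other config from stateless DHCPv6
        "home_agent": bool(flags & 0x20),    # H flag (Mobile IPv6 home agent)
        "router_pref": PREF_NAMES[(flags >> 3) & 0x3],
        "router_lifetime": router_lifetime,  # 0 means "do not use me as default router"
        "reachable_ms": reachable_ms,
        "retrans_ms": retrans_ms,
        "prefixes": [],
    }
    # Options are TLVs whose length is in units of 8 octets; 0 is invalid (RFC 4861 4.6)
    off = 16
    while off < len(packet):
        if off + 2 > len(packet):
            raise ValueError("truncated option header")
        opt_type, opt_len = packet[off], packet[off + 1]
        if opt_len == 0:
            raise ValueError("option with length 0")
        size = opt_len * 8
        body = packet[off:off + size]
        if len(body) < size:
            raise ValueError("truncated option body")
        if opt_type == OPT_PREFIX_INFORMATION and size == 32:
            prefix_len, pflags, valid, preferred = struct.unpack("!BBII", body[2:12])
            prefix = ipaddress.IPv6Address(body[16:32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{prefix_len}",
                "on_link": bool(pflags & 0x80),     # L bit: prefix is on-link
                "autonomous": bool(pflags & 0x40),  # A bit: hosts may SLAAC from it
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        off += size
    return ra


def dhcpv6_only_deviations(ra: dict) -> list:
    """List how a decoded RA deviates from the deck's 'disable privacy
    addresses' recipe: M flag set, preference High, usable as default
    router, and no prefix advertising A=1."""
    problems = []
    if not ra["managed"]:
        problems.append("M flag not set")
    if ra["router_pref"] != "High":
        problems.append(f"router preference is {ra['router_pref']}")
    if ra["router_lifetime"] == 0:
        problems.append("router lifetime 0 (not a default router)")
    for p in ra["prefixes"]:
        if p["autonomous"]:
            problems.append(f"{p['prefix']} still allows SLAAC (A=1)")
    return problems


def build_sample_ra(flags: int, prefix_flags: int) -> bytes:
    """Constructed sample (not a capture): hop limit 64, lifetime 1800 s,
    reachable 3600000 ms, retrans 1000 ms, one Prefix Information option
    for 2001:db8:4646:1234::/64 with 30-day valid / 7-day preferred lifetimes."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0xFF78,
                         64, flags, 1800, 3600000, 1000)
    prefix = ipaddress.IPv6Address("2001:db8:4646:1234::").packed
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, 64, prefix_flags,
                      2592000, 604800, 0) + prefix
    return header + pio


if __name__ == "__main__":
    # 0x88 = M flag + preference High; 0x80 = L bit only, A bit clear
    ra = parse_ra(build_sample_ra(0x88, 0x80))
    print(ra)
    print("deviations:", dhcpv6_only_deviations(ra))  # []
    # an RA that still permits SLAAC and carries no M flag
    print("deviations:", dhcpv6_only_deviations(parse_ra(build_sample_ra(0x00, 0xC0))))
```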
C:\Documents and Settings\>netsh
netsh>interface ipv6
netsh interface ipv6>show address
Querying active state...
Interface 5: Local Area Connection
Addr Type DAD State Valid Life Pref. Life Address
--------- ---------- ------------ ------------ -----------------------------
Public Preferred 29d23h58m25s 6d23h58m25s 2001:0db8:2301:1:202:8a49:41ad:a136
Temporary Preferred 6d21h48m47s 21h46m 2001:0db8:2301:1:bd86:eac2:f5f1:39c1
Link Preferred infinite infinite fe80::202:8a49:41ad:a136
netsh interface ipv6>show route
Querying active state...
Publish Type Met Prefix Idx Gateway/Interface Name
------- -------- ---- ------------------------ --- ---------------------
no Autoconf 8 2001:0db8:2301:1::/64 5 Local Area Connection
no Autoconf 256 ::/0 5 fe80::20d:bdff:fe87:f6f9
Host Address Acquisition
DHCPv6
• Source – FE80::1234, Destination – FF02::1:2
• Client UDP 546, Server UDP 547
• DUID – Different from v4, used to identify clients
• ipv6 dhcp relay destination 2001:db8::feed:1
Figure: client to DHCPv6 server 2001:db8::feed:1 through a relay; exchange SOLICIT (any servers?), ADVERTISE (want this address?), REQUEST (I want that address), REPLY (It’s yours)
Client Provisioning DHCPv6 & SLAAC
• How about both? Reality for the foreseeable future
• SLAAC address tracking: RADIUS accounting, Syslog, CAM table scrapes
• Microsoft won’t support RDNSS in RAs
• DHCPv6 challenges: MAC address for reservations, inventory, tracking
• Android doesn’t support DHCPv6
• Understand the implications of switching methods
• Inconsistent amongst the OSs
Figure: hosts A, B and C sharing a link with the Internet and a DHCPv6 server
Disabling Privacy Addresses
• Enable DHCPv6 via the M flag
• Disable autoconfiguration via the A bit in the Prefix Info option
• Set router preference to high
• Enable DHCPv6 relay
interface fastEthernet 0/0
 ipv6 address 2001:db8:1122:acc1::/64 eui-64
 ipv6 nd managed-config-flag
 ipv6 nd prefix default no-autoconfig
 ipv6 nd router-preference high
 ipv6 dhcp relay destination 2001:db8:add:cafe::1
Campus Design
First Hop Router Redundancy
• Neighbor Unreachability Detection
  • Rudimentary HA at the first hop that is slow to detect failures
  • Hosts use “reachable time” to cycle to the next known default
• HSRP for IPv6
  • Modification to NA, RA and ICMPv6 redirects
  • Virtual MAC derived from HSRP group # and virtual IPv6 LLA
• GLBP for IPv6
  • Default gateway is announced via RAs from the virtual MAC
  • Responds to NDP, directs hosts to the Active Virtual Forwarder
• VRRP for IPv6
  • Multi-vendor interoperability
Figure: RA and reachable-time based failover; HSRP Active/Standby pair; GLBP AVG with two AVFs
IPv6 QoS Policy & Syntax
• IPv4 syntax has used “ip” following match/set statements
  • Example: match ip dscp, set ip dscp
• New match criteria
  • match dscp
  • match precedence
• New set criteria
  • set dscp
  • set precedence
• Supports both versions
Personal Computer Operating Systems
• Windows
• Mac OS X
• Linux
Appliances & Networking
• Printers
• Access Points
• Switches
• Routers
AV Equipment
• Speakers
• Cameras
• Displays
• AV Receivers
Zeroconf over IPv6
• ff02::fb – Multicast DNS – mDNS (Apple Bonjour) (Chromecast)
• ff02::2:ff/104 – Node Information Query (FreeBSD)
• ff02::c – Simple Service Discovery Protocol – SSDP, UPnP (Microsoft)
• ff02::1:3 – Link Local Multicast Name Resolution – LLMNR (File Sharing)
IPv4 vulnerabilities & Countermeasures
• Catalyst Integrated Security Features (CISF)
• Dug Song – dsniff
• Port Security
IPv6 Hacking Tools
• ARP is replaced by Neighbor Discovery Protocol
  • Nothing authenticated
  • Static entries overwritten by dynamic ones
• Stateless Address Autoconfiguration
  • Rogue RA (malicious or not)
• Attack tools are real!
  • Parasite6
  • Fakerouter6
  • Alive6
  • Scapy6
  • …
IPv6 Snooping
IPv6 First Hop Security (FHS)
Core features:
• RA Guard – Protection: rogue or malicious RA, MiM attacks
• DHCPv6 Guard – Protection: invalid DHCP offers, DoS attacks, MiM attacks
Advanced features:
• Source/Prefix Guard – Protection: invalid source address, invalid prefix, source address spoofing
• Destination Guard – Protection: DoS attacks, scanning, invalid destination address
Scalability & performance:
• RA Throttler – Reduces control traffic necessary for proper link operations to improve performance
• ND Multicast Suppress – Facilitates scale by converting multicast traffic to unicast
IPv6 FHS RA Guard – RFC 6105
• Port ACL (ACL entry: deny icmp any any router-advertisement)
interface FastEthernet0/2
 ipv6 traffic-filter ACCESS_PORT in
• Feature based
interface FastEthernet0/2
 ipv6 nd raguard
• Policy based
ipv6 snooping policy HOST
 security-level guard
 limit address-count 2
 device-role node
interface GigabitEthernet1/0/2
 ipv6 snooping attach-policy HOST
Figure: with device-role router the port forwards RAs; with device-role host, RAs arriving on the port are dropped
IPv6 FHS – DHCPv6 Guard
• Prevent rogue DHCP responses from misleading the client
Figure: the DHCP client sends a DHCP request; a host on an access port answering “I am a DHCP Server” is blocked, while the reply from the real DHCP Server is forwarded
IPv6 FHS – Snooping
• Source Address Validation Improvement (SAVI) link security feature
• Analyzes control or data traffic, detects IP address and switch port
• Stores and updates a Binding Table to ensure rogue users cannot spoof
• Deep control packet inspection
• Address glean (ND, DHCP, data)
• Address watch, Binding Guard
IPv6 Binding Table (RFC 6620), consumed by IPv6 Source Guard, IPv6 Destination Guard and Device Tracking:
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::000A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
IPv6 FHS – IPv6 Source Guard
• Mitigates address hijacking, ensures proper prefix
Binding table on the first-hop switch:
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::000A  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
g1/0/21  ::0021  0021  200   Active
Figure: Host A sends NAs through the first-hop switch; NAs claiming Host A’s address from another host (~Host A) are checked against the binding table and dropped
IPv6 Destination Guard
• Mitigate prefix-scanning attacks and protect the ND cache
• Drops packets for destinations without a binding entry
Intf     IPv6    MAC   VLAN  State
g1/0/10  ::0001  001A  110   Active
g1/0/11  ::001C  001C  110   Stale
g1/0/16  ::001E  001E  200   Verifying
Figure: pings to 2001:db8::1, 2001:db8::2, 2001:db8::3 and 2001:db8::4 arrive; the switch looks each destination up in the binding table: found (2001:db8::1), an NS is sent and the packet forwarded; not found, the packet is dropped
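Added example covering the Snooping, Source Guard and Destination Guard slides above; it is a model written for this page, not Cisco code. A small binding table keyed by IPv6 address drives three checks: Source Guard (address, MAC, VLAN and port must all match the binding), Prefix Guard (source inside the prefix allowed on that VLAN) and Destination Guard (only bound destinations get an NS). The slides show only the low bits of each entry (::0001, ::001C, ...), so the full addresses under 2001:db8::/64, the MACs and the class and function names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Binding:
    intf: str
    ipv6: str
    mac: str
    vlan: int
    state: str  # Active, Stale or Verifying, as in the deck's table


class FirstHopSwitch:
    """Toy model of the SAVI binding table (RFC 6620) and the guards the
    deck builds on it. The lookups mirror the slides, nothing more."""

    def __init__(self) -> None:
        self.table: Dict[str, Binding] = {}   # keyed by the full IPv6 address
        self.ns_sent: List[str] = []           # NS probes Destination Guard let through

    def learn(self, intf: str, ipv6: str, mac: str, vlan: int, state: str = "Active") -> None:
        """Glean an address (from ND, DHCPv6 or data) into the binding table."""
        addr = str(ipaddress.IPv6Address(ipv6))
        self.table[addr] = Binding(intf, addr, mac.lower(), vlan, state)

    def source_guard(self, intf: str, src_ip: str, src_mac: str, vlan: int) -> Tuple[bool, str]:
        """IPv6 Source Guard: forward only when address, MAC, VLAN and port
        all match the binding; a host claiming another host's address fails."""
        addr = str(ipaddress.IPv6Address(src_ip))
        b = self.table.get(addr)
        if b is None:
            return False, f"drop: no binding for {addr}"
        if (b.intf, b.mac, b.vlan) != (intf, src_mac.lower(), vlan):
            return False, (f"drop: {addr} is bound to {b.intf}/{b.mac}/vlan {b.vlan}, "
                           f"seen from {intf}/{src_mac.lower()}/vlan {vlan}")
        return True, "forward"

    def prefix_guard(self, vlan: int, src_ip: str, vlan_prefixes: Dict[int, str]) -> Tuple[bool, str]:
        """Prefix Guard: the source must fall inside the prefix legitimately
        advertised on that VLAN, even before a binding for it exists."""
        net = ipaddress.IPv6Network(vlan_prefixes[vlan])
        if ipaddress.IPv6Address(src_ip) in net:
            return True, "forward"
        return False, f"drop: {src_ip} is outside {net} on vlan {vlan}"

    def destination_guard(self, dst_ip: str) -> Tuple[bool, str]:
        """IPv6 Destination Guard: resolve (send NS for) only destinations
        present in the binding table, so a sweep of the /64 cannot fill the
        router's ND cache with INCOMPLETE entries."""
        addr = str(ipaddress.IPv6Address(dst_ip))
        b = self.table.get(addr)
        if b is None:
            return False, f"drop: no binding for {addr}, no NS sent"
        self.ns_sent.append(addr)
        return True, f"forward: NS {addr} on {b.intf}"

    def sweep(self, targets: List[str]) -> List[bool]:
        """Destination Guard outcome for each target of a ping sweep."""
        return [self.destination_guard(t)[0] for t in targets]


def build_sample_switch() -> FirstHopSwitch:
    """Constructed table modelled on the deck's: full addresses and MACs
    are made up, the ports, VLANs and states are the slides'."""
    sw = FirstHopSwitch()
    sw.learn("g1/0/10", "2001:db8::1", "00:00:00:00:00:1a", 110, "Active")
    sw.learn("g1/0/11", "2001:db8::1c", "00:00:00:00:00:1c", 110, "Stale")
    sw.learn("g1/0/16", "2001:db8::1e", "00:00:00:00:00:1e", 200, "Verifying")
    sw.learn("g1/0/21", "2001:db8::21", "00:00:00:00:00:21", 200, "Active")
    return sw


if __name__ == "__main__":
    sw = build_sample_switch()
    # genuine Host A versus a host on g1/0/21 claiming Host A's address (~Host A)
    print(sw.source_guard("g1/0/10", "2001:db8::1", "00:00:00:00:00:1a", 110))
    print(sw.source_guard("g1/0/21", "2001:db8::1", "00:00:00:00:00:21", 200))
    # ping sweep of ::1 .. ::4: only ::1 has a binding, so only one NS goes out
    print(sw.sweep(["2001:db8::1", "2001:db8::4", "2001:db8::3", "2001:db8::2"]))
    print(sw.ns_sent)
```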
Private VLANs
• Prevent node-to-node Layer 2 communication
  • Promiscuous (router port) talks to all other port types
  • Isolated port can only contact promiscuous port(s)
  • Community ports can contact their group and promiscuous port(s)
• DAD ND Proxy
  • Prevents address conflicts
• Internet Edge, Data Center
  • Reducing attack surface, malware propagation
• Service Provider
  • Client/customer isolation
Figure: community ports, an isolated port and a promiscuous port within one private VLAN
WiFi
Wireless LAN Controller BCPs
• WLC version 8.x increases support of IPv6
• CAPWAP, SNMP, NTP, RADIUS, Syslog, CDP, WebAuth
• Interface groups: same SSID over multiple VLANs
• IPv6 binding table supports FHS & ND multicast suppression
BRKEWN-2006
Wi-Fi Multicast Background
• Radio is a shared medium
• Hosts must “awaken” to see if multicast is for them
• Multicast packets are not acknowledged or retransmitted
• AP transmits bcast/mcast frames at the lowest possible rate
• Broadcast/Multicast up to 10x more time in air
  • IEEE 802.11a mcast: 6 Mbps, ucast up to 54 Mbps
  • IEEE 802.11n mcast: 15 Mbps, ucast up to 150 Mbps
• 802.11 Header:
  • Protected Frame Field delineates acknowledged frames
Neighbor Discovery Multicast Suppression
• Scaling 802.11 multicast reliability issues
• NDP process is multicast “chatty”; unicasting reduces the effect
• Caching allows the Controller to “proxy” the NA, based on gleaning
Figure: the controller’s glean cache maps 00:24:56:75:44:33 to 2001:db8:0:20::2 and 00:24:56:11:93:28 to 2001:db8:0:20::4; a multicast NS between clients 2 and 4 is answered by the controller with a unicast NA
Router Advertisement Throttler
• Scaling the mobility access environment
• NDP process is multicast “chatty”, consumes airtime
• Rate limit RAs from the legitimate router
• Inspect the RS, convert the responding RA to L2 unicast
Figure: periodic RAs from the router are throttled; a Router Solicitation (RS) from a client produces a triggered RA delivered as unicast
Routing Protocols
Routing Considerations
• Enable IPv6 routing
  • “ipv6 unicast-routing”
  • “no switchport”
• IPv6 next hop
  • Link-local addresses
• Router ID
  • Unique 32-bit number that identifies the router
  • Happens to be written in dotted decimal notation
• Resource utilization
BRKRST-2022
Static Routing
• IGPs use link-local addresses
• Redistribution needs GUA or ULA
• May need “Multi-Hop”
• Static can be tragic, no auto update
ipv6 unicast-routing
!
! direct
ipv6 route 2001:db8:2::/48 ethernet 1/0
!
! recursive
ipv6 route 2001:db8:5::/48 2001:db8:4::1
EIGRP (IP 88)
• fe80::/64 source, ff02::A destination
• 2 new TLVs – internal-type & external-type
• No split horizon, auto summary disabled
• Stub reduces topology & queries
• Large-scale hub and spoke environments
ipv6 unicast-routing
!
interface loopback0
 ipv6 address 2001:db8:1000::1/128
 ipv6 eigrp 11
!
interface ethernet 0/0
 ipv6 address 2001:db8:5000:31::1/64
 ipv6 eigrp 11
!
ipv6 router eigrp 11
 passive-interface loopback0
 eigrp router-id 10.10.10.10
OSPFv3 (IP 89)
• fe80::/64 source, ff02::5 and ff02::6 (DRs) destination
• Link-LSA (8) – link-local scope, next hop
• Intra-Area-Prefix-LSA (9) – routers’ prefixes
• Use Inter-Area-Prefix-LSA (3) – between ABRs
• Full mesh environments, if tuned correctly
• RFC 5838 (AF), RFC 7166 (AT)
ipv6 unicast-routing
!
interface loopback0
 ipv6 address 2001:db8:1000::1/128
 ipv6 ospf 8 area 0
!
interface ethernet 0/0
 ipv6 address 2001:db8:5000:31::1/64
 ipv6 ospf 8 area 0
!
ipv6 router ospf 8
 router-id 10.10.10.10
 passive-interface loopback0
Wide Area Network
WAN Branch
• Private circuit – business as usual, routing protocols
• Internet circuit – DMVPN for scalability and resiliency
• Local Internet “hop off” is multi-homing
Figure: branch sites connected over the WAN to the Main Site, interface addresses ::1 through ::5
DMVPN with IPv6
• Scaling IPsec VPNs
• Simple GRE tunneling
• NHRP for dynamic site discovery
Figure: hubs HE1 and HE2 with branch routers BR1-1 and BR1-2 across the WAN
interface Tunnel2
 description to HUB
 no ip address
 ipv6 address 2001:DB8:CAFE:C5C0::B/127
 ipv6 mtu 1400
 no ipv6 redirects
 ipv6 nhrp authentication CISCO
 ipv6 nhrp network-id 100
 ipv6 nhrp holdtime 300
 ipv6 nhrp nhs 2001:DB8:CAFE:C5C0::A nbma 2001:DB8:CAFE:37::B multicast
 ipv6 nhrp shortcut
 ipv6 eigrp 10
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint ipv6
 tunnel key 100
 tunnel protection ipsec profile SPOKE
IPv6 Transport
IPv6 & MPLS
• 6PE (RFC 4798)
  • Utilizes existing IPv4 transport
  • MP-BGP next hop ::ffff:A.B.C.D/96
• 6VPE (RFC 4659)
  • Utilizes Address Family (AF) in VRF context
  • Allows for VPN functionality
• LDPv6 (RFC 7552)
  • LDP session over IPv6
  • Peer discovery
  • TTL security
Figure: VRFs on the PE routers
Segment Routing over IPv6
• The notion of a “segment” is not new in IPv6
  • Segments can be used for service chaining or forwarding
• Segment Routing leverages the RFC 2460 Routing Header by defining a new type
  • Improves the Routing Header
  • Enhances the source routing model
  • Introduces security
• Segment Routing does NOT require a forklift upgrade of the network
  • SR and non-SR nodes can co-exist
  • Gradual deployment
  • Full interoperability
  • Backward compatibility
Figure: SR-IPv6 packet (IPv6 Hdr, SR Header with Segments: C,F,H, PAYLOAD) traversing nodes A through H
Data Center
IPv6 Transition Stages in the Data Center
• IPv4 Only Data Center
  • IPv6 translation on the front end
• Dual Stack
  • Both IPv4 & IPv6 into the Data Center
• IPv6 Only Data Center
  • IPv4 translation on the front end
• What is the cost of each stage?
Traditional IPv4 Only
• Legacy
• Load balancer inline
• No translation in this design
• Services are firewalled
Figure: Internet, Edge Router, Firewall, Load Balancer, Switch, Web/Email servers, IPv4 end to end
IPv4 Only Data Center
• Dual-stack front end
• Translation via NAT/Proxy/SLB
• Easy to turn up
• Hard to move forward
• False sense of accomplishment
Figure: Internet (IPv4/IPv6), Edge Router, Firewall, NAT/Proxy/SLB, Load Balancer, Switch, Web/Email servers (IPv4 only)
Dual Stacked
• IPv4 & IPv6 addressing on all devices
• Incremental operational cost (~20%)
• Double everything (ACLs, SLAs, etc.)
• Two data planes, two control planes
• Recommended approach
Figure: Internet, Edge Router, Firewall, Load Balancer, Switch, Web/Email servers, IPv4/IPv6 end to end
IPv6 Only Data Center
• Dual-stack front end
• Translation via NAT/Proxy/SLB
• Forces developers to use IPv6
• Reduces operational costs
• Eliminates complexity within the DC
Figure: IPv4/IPv6 front end, NAT/Proxy/SLB, Load Balancer, Switch, Web/Email servers (IPv6 only)
Migrating Applications to IPv6
• Inconsistent use of IPv6 addresses across APIs
  • Data types, headers, structures, sockets, oh my
• Home-grown apps may only support IPv4
  • Pressure vendors to move to a protocol-agnostic framework
• RFC 3493 – Open Socket Call, 64-bit structure align to HW
• RFC 3542 – Raw Socket, ping, traceroute, r commands
Address literal with port: 198.51.100.44:8080 versus [2001:db8:cafe:64::26]:8080
IPv6 Application Porting
• RFC 4038 – http://tools.ietf.org/html/rfc4038
  • Covers application aspects of IPv6 transition
• RFC 5014 – http://tools.ietf.org/html/rfc5014
  • Covers IPv6 Socket API for source address selection
• If you have developers trying to figure out how to port their applications
  • https://www.arin.net/knowledge/preparing_apps_for_v6.pdf
  • https://www.getipv6.info/display/IPv6/Porting+Applications
Translation Techniques
• Server Load Balancer – application support
• Stateful NAT64 – client visibility
• Proxy – software (SW) = poor performance
Figure: each option placed between the IPv6 and IPv4 segments and the Internet
Framework for Translation
• RFC 6144
  • 8 total scenarios (4, 7, 8 are N/A)
  • 1, 2, 3 involve Internet connectivity
  • 5 & 6 are focused on intranet connectivity
• Stateless translation
  • Algorithmic mapping
  • Initiation from IPv4 or IPv6
• Stateful translation
  • Uses a state table for translation
  • Generally initiation is from IPv6
Figure: IPv4 header (Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address) beside the IPv6 header (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address)
Figure: RFC 6144 scenarios 1 (IPv6 network to IPv4 Internet), 2 (IPv4 Internet to IPv6 network), 3 (IPv6 Internet to IPv4 network), 5 (IPv6 network to IPv4 network), 6 (IPv4 network to IPv6 network)
DNS64
Figure: IPv6 PC 2001:db8:122:344::6 on 2001:db8:122:344::/64; DNS64/DNS46 translator with ::2 on the IPv6 side and .1 on 192.0.2.0/24; DNS server 192.168.90.101; Network-Specific Prefix 3001::/96
Step 1: IPv6 PC queries the AAAA record for the v4 server
Step 2: DNS responds with an “empty” AAAA record
Step 3: Translator sends an A record query for the v4 server
Step 4: DNS server responds with the A record for the IPv4 server
Step 5: Translator translates it to a AAAA record using the Network-Specific Prefix 3001::/96
NAT64
Figure: IPv6 PC 2001:db8:122:344::6 on 2001:db8:122:344::/64; NAT64 (Dynamic NAT64, Static NAT46) with ::2 on the IPv6 side and .1 on 192.0.2.0/24; IPv4 server 192.0.2.33; Network-Specific Prefix 3001::/96
Packet flow:
1. PC to NAT64: Source IPv6 2001:db8:122:344::6, Dest. IPv6 3001::c000:221
2. NAT64 to server: Source IPv4 192.0.2.1, Dest. IPv4 192.0.2.33
3. Server to NAT64: Source IPv4 192.0.2.33, Dest. IPv4 192.0.2.1
4. NAT64 to PC: Source IPv6 3001::c000:221, Dest. IPv6 2001:db8:122:344::6
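Added example for the DNS64 and NAT64 slides above, written for this page rather than taken from the deck or any vendor: RFC 6052 address synthesis for the /96 Network-Specific Prefix (192.0.2.33 under 3001::/96 becomes 3001::c000:221, exactly the destination in the packet flow), the DNS64 decision of steps 2 to 5, and a minimal stateful NAT64 binding table that reproduces the four-packet exchange and drops IPv4-initiated traffic for which no binding exists. Addresses are the deck’s; the ports, the class and function names and the 1024-based port allocation are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


def embed_ipv4(nsp: str, ipv4: str) -> str:
    """RFC 6052 synthesis for a /96 Network-Specific Prefix: the IPv4
    address becomes the low 32 bits (192.0.2.33 -> 3001::c000:221)."""
    net = ipaddress.IPv6Network(nsp, strict=True)
    if net.prefixlen != 96:
        raise ValueError("only the /96 layout is implemented here")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4))))


def extract_ipv4(nsp: str, ipv6: str) -> str:
    """Inverse of embed_ipv4; refuses addresses outside the prefix so the
    translator never forwards toward something it did not synthesize."""
    net = ipaddress.IPv6Network(nsp, strict=True)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(aaaa_records: List[str], a_records: List[str], nsp: str) -> List[str]:
    """Steps 2-5 of the deck's DNS64 flow: when the AAAA answer is empty,
    take the A records and synthesize AAAA records from them."""
    if aaaa_records:                       # native IPv6 reachability wins
        return list(aaaa_records)
    return [embed_ipv4(nsp, a) for a in a_records]


class StatefulNat64:
    """Stateful NAT64 (RFC 6146) reduced to a binding table keyed by the
    IPv6 source and port. Sessions can only be opened from the IPv6 side."""

    def __init__(self, nsp: str, pool_v4: str, first_port: int = 1024) -> None:
        self.nsp = nsp
        self.pool_v4 = pool_v4
        self.bib: Dict[Tuple[str, int], int] = {}    # (src6, sport) -> mapped v4 port
        self.reverse: Dict[int, Tuple[str, int]] = {}
        self.next_port = first_port

    def outbound(self, src6: str, sport: int, dst6: str, dport: int) -> Dict[str, object]:
        """IPv6 -> IPv4: swap the synthesized destination for the real IPv4
        server and the IPv6 source for a pool address and mapped port."""
        dst4 = extract_ipv4(self.nsp, dst6)
        key = (str(ipaddress.IPv6Address(src6)), sport)
        if key not in self.bib:
            self.bib[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return {"src": self.pool_v4, "sport": self.bib[key], "dst": dst4, "dport": dport}

    def inbound(self, src4: str, sport: int, dst4: str, dport: int) -> Optional[Dict[str, object]]:
        """IPv4 -> IPv6: only packets matching an existing binding are
        translated back; an unsolicited IPv4 flow has no binding and is dropped."""
        if dst4 != self.pool_v4 or dport not in self.reverse:
            return None
        src6, orig_sport = self.reverse[dport]
        return {"src": embed_ipv4(self.nsp, src4), "sport": sport, "dst": src6, "dport": orig_sport}


if __name__ == "__main__":
    # values from the deck's diagram: NSP 3001::/96, IPv4 server 192.0.2.33,
    # IPv6 PC 2001:db8:122:344::6, translator's IPv4 side 192.0.2.1; ports constructed
    print(dns64_answer([], ["192.0.2.33"], "3001::/96"))          # ['3001::c000:221']
    nat = StatefulNat64("3001::/96", "192.0.2.1")
    out = nat.outbound("2001:db8:122:344::6", 50000, "3001::c000:221", 80)
    print(out)                                                     # packet 2 of the flow
    print(nat.inbound("192.0.2.33", 80, "192.0.2.1", out["sport"]))  # packet 4 of the flow
    print(nat.inbound("192.0.2.33", 80, "192.0.2.1", 4000))       # None: no binding
```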
SLB64 Translation Technique
• Virtual IP (VIP), SNAT pool
• Publish appropriate AAAA record
• IPv6 to IPv4, similar to NAT64
• OS/App dictate design parameters
• Rapid time to deploy
Figure: dual-stack front end (WWW servers reached via ISP-A and ISP-B) in front of IPv4-only UCS servers
X-Forwarded-For (XFF)
• Web server logging for geolocation, analytics, security, etc.
• Source IP of client requests will be logged as the SNAT or other NAT’d address
• Packet may go through multiple proxies
X-Forwarded-For: client, proxy1, proxy2
GET / HTTP/1.1
Host: www.foo.org
User-Agent: Mozilla Firefox/3.0.3
Accept: text/html,application/xhtml+xml,application/xml
Accept-Language: en-us,en
Keep-Alive: 300
X-Forwarded-For: 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5
Connection: keep-alive
Figure: client global IPv6 address, translation, source NAT pool toward the WWW servers
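Added example, not from the deck: a Python parser for the X-Forwarded-For header above that recovers the client address the way a web server behind an SLB64/SNAT pool should, by walking the chain from the right and skipping only hops that belong to its own proxies. The client address is the deck’s; the SNAT pool 192.0.2.0/24, the other addresses and the function names are constructed.

```python
import ipaddress
from typing import List, Sequence, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def parse_xff(value: str) -> List[IPAddress]:
    """Split an X-Forwarded-For value into validated addresses, leftmost =
    original client, rightmost = the proxy nearest to us. Tolerates the
    "[v6]:port" and "v4:port" forms some proxies emit; anything that is
    not an IP address is rejected rather than logged as if it were one."""
    addrs: List[IPAddress] = []
    for raw in value.split(","):
        token = raw.strip()
        if not token:
            continue
        if token.startswith("["):                  # "[2001:db8::1]:4000"
            token = token[1:token.index("]")] if "]" in token else token[1:]
        elif token.count(":") == 1:                # "203.0.113.9:443"
            token = token.split(":", 1)[0]
        try:
            addrs.append(ipaddress.ip_address(token))
        except ValueError:
            raise ValueError(f"malformed X-Forwarded-For entry: {raw.strip()!r}") from None
    return addrs


def client_address(remote_addr: str, xff_value: str, trusted_proxies: Sequence[str]) -> str:
    """Walk the chain from the right, skipping only addresses that belong to
    our own proxies or SNAT pools; the first untrusted hop is the client.
    A header arriving straight from an untrusted peer is ignored, and any
    entries a client prepends on the left are never reached by the walk."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]
    chain = parse_xff(xff_value) if xff_value else []
    chain.append(ipaddress.ip_address(remote_addr))   # the TCP peer is the last hop
    for hop in reversed(chain):
        if not any(hop in net for net in trusted):
            return str(hop)
    return str(chain[0])   # every hop was ours: fall back to the leftmost entry


if __name__ == "__main__":
    # constructed: 192.0.2.0/24 is our SNAT pool; the client address is the deck's
    pool = ["192.0.2.0/24"]
    print(client_address("192.0.2.10", "2001:db8:ea5e:1:49fa:b11a:aaf8:91a5", pool))
    # a client that prepends a bogus entry is still logged with its real address
    print(client_address("192.0.2.10", "203.0.113.9, 2001:db8:ea5e:1:49fa:b11a:aaf8:91a5", pool))
    # header from a peer that is not one of our proxies: logged as the peer itself
    print(client_address("198.51.100.7", "203.0.113.9", pool))
```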
Internet Edge
Web Cache Control Protocol (WCCPv2)
• Need WCCPv2 for IPv6 support
• Configure separate group instances for dual-stack operation
ipv6 wccp 91 redirect-list lookat6
!
interface vlan10
 ipv6 address 2001:db8:babe:10::1/64
 ipv6 wccp 91 redirect in
!
ipv6 access-list lookat6
 permit tcp 2001:db8:babe:10::/64 any eq www
 permit tcp 2001:db8:babe:10::/64 any eq 443
Figure: 2001:db8:babe:10::/64 behind the WCCP router toward the Internet
Internet Edge to ISP
Figure: three edge designs: (1) single link, single ISP, the enterprise takes a default route from ISP 1; (2) dual links, single ISP, the enterprise connects to ISP 1 at POP1 and POP2; (3) multi-homed, multi-prefix, the enterprise runs BGP to ISP 1, ISP2, ISP3 and ISP4 across USA and Europe
Checking in with the ISP
• Do you support dual-stack peering?
• Do you have a separate SLA for IPv6?
• Do you support BGP peering over IPv6?
• Do you have a full IPv6 route table?
• What is the maximum prefix length?
• What about DNS…
Hosted Cloud Service
• Maximum prefix length offered by the cloud provider?
• Access to the provisioning and billing portal over IPv6?
• Global IPv6 addressing for VMs in your environment?
(diagram: ISP-A and ISP-B feeding the provider's routing, switching and services layers)
Multi Homed, Multi Prefix (BGP)
• Peer over IPv6 for IPv6 prefixes
• Solve for ingress and egress separately
• MD5 shared secrets; IPsec could be used
• Controlling TTL: accept TTL > 254 only, or allow one hop less (ttl-security hops 1)
• Prefix size filtering, /32 - /48
router bgp 200
 bgp router-id 4.6.4.6
 neighbor 2001:db8:cafe:102::2 remote-as 2014
 neighbor 2001:db8:cafe:102::2 ttl-security hops 1
 neighbor 2001:db8:cafe:102::2 password cisco4646
 !
 address-family ipv6 unicast
  neighbor 2001:db8:cafe:102::2 activate
(diagram: enterprise edge to ISP A and ISP B, then the Internet)
Common Deployment Scenarios
• Avoid over-tuning BGP
  • Longest match, highest local-pref, shortest AS path
• Peer with IPv6, "no bgp default ipv4-unicast"
• Split your allocation: /44 = two /45s
  • AS-path prepend to prefer one ISP over the other
• An iBGP link between the edge routers is required
  • To avoid a black hole: GRE, L3 VPN, MAN/WAN
• Dynamic routing protocol or HSRP at the firewall
  • When more than one edge router is used
• eBGP multi-hop to the core through the firewall
  • Increase metrics so that the DCI link is not preferred
(diagram: ISP A (AS 65535) and ISP B (AS 65534) toward the Internet; enterprise AS 64498 running EIGRP 10, with subnets X, Y, Z behind one edge router and A, B, C behind the other)
Multi Homed – NPTv6 (RFC 6296)
• Small to medium enterprise
• Swaps the left-most bits of the address
• Equal-length prefixes
• Modification of the RFC 6724 API, or RFC 7078
  • Site-scoped ULA connecting to GUA
• No protocol "fixups" unless ALGs are supported
• "IETF does not recommend NAT technology for IPv6"
(diagram: inside ULA fd07:18:403e::/48 translated to 2001:db8:11::/48 toward ISP-A and 2001:db8:55::/48 toward ISP-B)
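The translation this slide describes, worked through as an added example (not the deck's or a vendor's code) on the slide's own prefixes: swap the left-most 48 bits, then adjust one word of the interface identifier so transport checksums stay valid. The handling of a 0xFFFF result in the adjusted word is this example's choice.

```python
"""NPTv6 (RFC 6296) checksum-neutral prefix translation, as an added example
(not the deck's or a vendor's code) for the deck's inside ULA fd07:18:403e::/48
and ISP-A GUA 2001:db8:11::/48: the left-most 48 bits are swapped and one IID
word is adjusted so the address's one's-complement sum, and hence every
TCP/UDP/ICMPv6 checksum covering it, is unchanged."""
import functools
import ipaddress

def _oc_add(a, b):
    """16-bit one's-complement addition with end-around carry."""
    s = a + b
    s = (s & 0xFFFF) + (s >> 16)
    return (s & 0xFFFF) + (s >> 16)

def _words(addr):
    """The eight 16-bit words of an IPv6Address, most significant first."""
    return [(int(addr) >> (16 * (7 - i))) & 0xFFFF for i in range(8)]

def _oc_sum(words):
    return functools.reduce(_oc_add, words, 0)

def nptv6(addr, from_prefix, to_prefix):
    """Rewrite addr from from_prefix to the equal-length to_prefix (16-bit aligned, <= /64)."""
    src, dst = ipaddress.IPv6Network(from_prefix), ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen % 16 or src.prefixlen > 64:
        raise ValueError("NPTv6 needs equal-length, 16-bit aligned prefixes up to /64")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        raise ValueError(f"{addr} is not inside {from_prefix}")
    n = src.prefixlen // 16
    words = _words(ip)
    # delta = sum(old prefix words) - sum(new prefix words), in one's complement
    delta = _oc_add(_oc_sum(words[:n]), ~_oc_sum(_words(dst.network_address)[:n]) & 0xFFFF)
    words[:n] = _words(dst.network_address)[:n]
    for i in range(4, 8):  # first IID word that is not 0xFFFF absorbs the delta
        if words[i] != 0xFFFF:
            words[i] = _oc_add(words[i], delta)
            if words[i] == 0xFFFF:  # equal to 0 in one's complement; store 0 (this
                words[i] = 0        # example's choice) so the reverse mapping is exact
            break
    else:
        raise ValueError("no IID word free for the checksum adjustment")
    packed = b"".join(w.to_bytes(2, "big") for w in words)
    return str(ipaddress.IPv6Address(int.from_bytes(packed, "big")))

def checksum_neutral(a, b):
    """True when both addresses have the same one's-complement sum (0xFFFF == 0)."""
    sums = [_oc_sum(_words(ipaddress.IPv6Address(x))) % 0xFFFF for x in (a, b)]
    return sums[0] == sums[1]
```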
Multi Homed (LISP)
• Small to medium enterprise
• Tunneling the PA IPv6 over LISP
• Provider-allocated /48
• Hosted by a PxTR provider
• Avoids multi-prefix PA issues
• Possibly an ISP that is IPv4 only
• SHIM6, HIP, ILNP, etc.
  • OS mods, code change
(diagram: dual-stack Internet with MR/MS and PxTR at each provider; client 172.16.99.100 on 2001:db8:ea5e:1::/64; enterprise xTRs on 192.168.1.x/30 and 2001:db8:cafe:103::/64 serving 2001:db8:cafe::/48)
IPv6 Bogon and Anti-Spoofing Filtering
• Bogon filtering (data plane & BGP route-map): http://www.cymru.com/Bogons/ipv6.txt
• Anti-spoofing (RFC 2827, BCP 38); multi-homed filtering (RFC 3704, BCP 84)
• uRPF – Unicast Reverse Path Forwarding
(diagram: enterprise edges toward the Internet and B2B partners)
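An added example, not the deck's or Cisco's code, that applies the bogon, 2000::/3, own-space and /32 to /48 prefix-length checks (the last from the Multi Homed BGP slide above) to received prefixes; the bogon entries are a constructed subset of a real feed and the routes are constructed.

```python
"""Check IPv6 prefixes received from an ISP peer against the edge filters the
deck lists: a bogon list, the 2000::/3 global-unicast range, a /32 to /48
length window (the "Prefix Size Filtering" bullet of the BGP slide) and the
enterprise's own space. Added example, not Cisco's or the deck's code; the bogon
entries and routes are constructed stand-ins for the Team Cymru feed."""
import ipaddress
from typing import List, Tuple

# Constructed subset of an IPv6 bogon list. Real feeds also carry 2001:db8::/32
# (documentation space); it is left out so the deck's example prefixes can be inputs.
BOGONS = [ipaddress.IPv6Network(p) for p in (
    "::/8", "2001:10::/28", "2002::/16", "3ffe::/16", "fc00::/7", "fe80::/10", "ff00::/8",
)]
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")
MIN_LEN, MAX_LEN = 32, 48                                  # accept /32 .. /48 from eBGP
OWN_SPACE = ipaddress.IPv6Network("2001:db8:cafe::/48")   # enterprise prefix from the deck

def evaluate(prefix: str, accept_default: bool = False) -> Tuple[bool, str]:
    """Return (accept, reason) for one received prefix; reasons are log-friendly."""
    try:
        net = ipaddress.IPv6Network(prefix, strict=True)  # rejects host bits set
    except ValueError as exc:
        return False, f"unparseable: {exc}"
    if net.prefixlen == 0:
        return (True, "default route") if accept_default else (False, "default route not accepted")
    for bogon in BOGONS:
        if net.subnet_of(bogon):
            return False, f"bogon {bogon}"
    if not net.subnet_of(GLOBAL_UNICAST):
        return False, "outside 2000::/3"
    if not MIN_LEN <= net.prefixlen <= MAX_LEN:
        return False, f"length /{net.prefixlen} outside /{MIN_LEN}-/{MAX_LEN}"
    if net.subnet_of(OWN_SPACE):  # our own prefix, or a more specific of it, coming back
        return False, f"inside own space {OWN_SPACE}"
    return True, "accepted"

def filter_routes(received: List[str]) -> Tuple[List[str], List[str]]:
    """Split received prefixes into accepted ones and 'prefix: reason' rejections."""
    accepted, rejected = [], []
    for p in received:
        ok, why = evaluate(p)
        (accepted if ok else rejected).append(p if ok else f"{p}: {why}")
    return accepted, rejected
```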
Securing the Edge, FW and/or Perimeter Router
• Address range: source of 2000::/3 at minimum vs. "any"; permit assigned space
• ICMPv6: let error types through, and NDP to the device, per RFC 4890
• Extension headers: allow fragmentation, others as needed; block HBH & RH type 0
• IPv6 ACLs: "ipv6 traffic-filter" applies an ACL to an interface
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any log
Operations & Management
IPv6 and DNS
• Add an IPv6 address to a host, create AAAA record in DNS zone
• Repeat for every name server from sub zones to parent zone
• Glue records, add an entry in DNS for the IPv6 address of your name servers
• Inbound SMTP mail transfer agents (MTA) require reverse lookup (PTR)
Function: hostname to IP address
  IPv4: A record             www.abc.test. A 192.168.30.1
  IPv6: AAAA record (Quad A) www.abc.test. AAAA 2001:db8:C18:1::2
Function: IP address to hostname
  IPv4: PTR record           1.30.168.192.in-addr.arpa. PTR www.abc.test.
  IPv6: PTR record           2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa. PTR www.abc.test.
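An added example (not the deck's code) that derives the records in the table above and checks forward-confirmed reverse DNS, the test an inbound MTA makes before accepting mail from an IPv6 host; the zone data is constructed.

```python
"""Derive the records in the table above and check that forward and reverse DNS
agree, which is what inbound MTAs do before accepting mail from an IPv6 host.
Added example, not the deck's code: the ip6.arpa name is built by hand
(expand every group to four nibbles, reverse, one label per nibble) and the
same routine handles IPv4 in-addr.arpa. The zone data below is constructed."""
import ipaddress
from typing import Dict, Set, Tuple

def reverse_name(address: str) -> str:
    """Reverse-map owner name for an IPv4 or IPv6 address, with trailing dot."""
    ip = ipaddress.ip_address(address)
    if ip.version == 6:
        nibbles = ip.exploded.replace(":", "")  # 32 hex digits, lower case
        return ".".join(reversed(nibbles)) + ".ip6.arpa."
    return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa."

def records_for(host: str, address: str) -> Tuple[str, str]:
    """Zone-file lines (forward record, PTR record) for one host/address pair."""
    ip = ipaddress.ip_address(address)
    rtype = "AAAA" if ip.version == 6 else "A"
    return f"{host} {rtype} {ip}", f"{reverse_name(address)} PTR {host}"

# Constructed zone contents: forward names -> addresses, reverse names -> hostname.
# The ::3 PTR is a deliberately dangling entry with no matching AAAA.
FORWARD: Dict[str, Set[str]] = {"www.abc.test.": {"192.168.30.1", "2001:db8:c18:1::2"}}
REVERSE: Dict[str, str] = {
    "1.30.168.192.in-addr.arpa.": "www.abc.test.",
    "2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa.": "www.abc.test.",
    "3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c.0.8.b.d.0.1.0.0.2.ip6.arpa.": "www.abc.test.",
}

def fcrdns_ok(address: str, forward: Dict[str, Set[str]] = FORWARD,
              reverse: Dict[str, str] = REVERSE) -> bool:
    """Forward-confirmed reverse DNS: PTR(address) must name a host whose A/AAAA
    set contains the address (compared as addresses, so case and :: do not matter)."""
    name = reverse.get(reverse_name(address))
    if name is None:
        return False
    ip = ipaddress.ip_address(address)
    return any(ipaddress.ip_address(a) == ip for a in forward.get(name, ()))
```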
Resilient DDI Design
• Anycast Address for Client Access to DHCP/DNS
• Uses the same address in multiple locations
• Simple, Scalable and Reliable Solution
• Global Unicast Address (GUA) for Service Uptime
• DNS server injects /128 via OSPF
(diagram: DDI1 to DDI4 each answering on the anycast address 2001:db8:aa::21, advertised from 2001:db8:aa:: at OSPF costs 10, 20 and 30; the client picks DNS1 on the closest metric; command and control of each server uses its GUA)
IPv6 In-band Operation & Management (iOAM6)
• Stop probing the wrong path with "ping": trace the live traffic and detect the flaky link
• Debug ECMP networks, simplify operations
• Always-on app visibility, enhance applications
• Charge level for battery-operated devices (sensors) included in the data traffic: no need to drain the battery for OAM
• Derive the IPv6 traffic matrix, optimize planning
• Delay trend analysis, enhance visibility
• A trip-recorder for your traffic, inline at line-rate performance
• Uses the Destination Option extension header
• IPv6 SP Troubleshooting Guide: RIPE-631
(diagram: routers R1 to R6 with the traced path through the network)
Conclusion
Key Takeaways
• Gain operational experience now
• IPv6 is already here and running well
• Control IPv6 traffic as you would IPv4
• "Poke" your providers
• Lead your OT/LOBs onto the Internet
Recommended Reading
Thank you