IPv6 Workshop - BCNET · 2015-12-16 · IPv6 Fundamentals April 28, 2014 33 Address Types IPv6...
Alvin Wong, Sr Network Analyst @ BCNET
Toby Wong, Network Analyst @ BCNET
Micheal Jones, Systems Administrator @ Cybera
IPv6 Workshop
Agenda
9:00AM - 10:00AM:
- Introduction
- Why IPv6?
- State of IPv6 Adoption
- IPv6 Fundamentals
- IPv6 Deployment Options
April 28, 2014 www.bc.net 2
10:00AM - 10:15AM: <Break>
10:15AM - 12:00PM:
- Assignment #1 Local Routing
- Assignment #2 Campus Routing
12:00PM - 1:00PM: <Lunch>
1:00PM - 2:00PM:
- Assignment #3 Interdomain Routing
- Assignment #4 Router Security
2:00PM - 2:15PM: <Break>
2:15PM - 3:00PM:
- Systems Introduction
3:00PM - 5:00PM:
- Systems Assignments (DNS, Web, Email, and Firewall)
Introductions
- Alvin Wong, Sr. Network Analyst, BCNET, email: [email protected]
- Toby Wong, Network Analyst, BCNET, email: [email protected]
- Micheal Jones, Systems Administrator, Cybera, email: [email protected]
Tell us about you!
- Name:
- What you do:
- Organization:
- Interest or experience in IPv6:
- Fun fact about you:
IPv6 Community Lab
- Network test-bed to gain IPv6 knowledge and experience on real hardware
- BCNET, Canarie and Cisco donated the hardware
- Lab consists of 8 x Cisco 2800 routers, 1 x Cisco 3700 switch
https://www.bc.net/atl-conf/display/BCNETIPv6LAB/Home
Why IPv6?
Inevitability
32-bit IPv4 address space limited to 4.3 billion unique addresses (developed in 1980s)
Running out of IPv4 addresses -- IANA/ICANN and RIRs /8s are depleting
APNIC and RIPE down to their last /8
IANA Unallocated Address Pool Exhaustion: 03-Feb-2011
Projected RIR Address Pool Exhaustion Dates:
http://www.potaroo.net/tools/ipv4/
RIR       Projected Exhaustion Date
APNIC     19-Apr-2011 (actual)
RIPE      14-Sep-2012 (actual)
ARIN      19-Mar-2015
LACNIC    16-Sep-2014
AFRINIC   18-Apr-2020
http://www.potaroo.net/tools/ipv4/plotend.png
More IP addresses!
- Reduce reliance on NAT
- Reachability to growing IPv6 only networks
- Growth in the number of network devices
- New countries and greater needs
State of IPv6 Adoption
Content Provider Level
- Google
- Facebook
- Yahoo!
- Bing
- Netflix
National Connectivity Level
- Canarie
- Hurricane Electric
- Tata Communications
- Shaw
- Peer1
http://www.google.com/ipv6/statistics.html
Percentage of users that access Google via IPv6 < 3.4%
http://v6asns.ripe.net
Percentage of ASes Announcing IPv6 Prefixes
http://mnlab-ipv6.seas.upenn.edu/fig1
IPv6 deployment at BCNET
- BCNET has been IPv6 ready for many years
- From research to production
- Address space
  - Canarie address space (PA, provider aggregatable): 2001:410:1000::/40
  - Provider independent (PI) address space: 2607:f8f0::/32
IPv6 Fundamentals
IPv6 Header vs IPv4 Header
[Figure: IPv4 header and IPv6 header]
- IPv6 has a fixed header length of 40 bytes (IPv4 was min. 20 bytes + options)
- IPv6 removed:
  - Internet header length (IHL) field
  - Options field
  - Padding field
- IPv6 uses Payload Length field instead of Total Length field
- Processing advantages in using fixed-length header!
IPv4 Protocol field replaced with IPv6 Next Header field to indicate:
- ICMPv6 (58)
- TCP (6)
- UDP (17)
- IPSEC AH (51)
- IPSEC ESP (50)
- Fragment (44)
futureproof!
- Removed IP fragmentation support
  - Removed Fragment Offset, Identification, Flags fields
  - Rely on end-hosts to fragment and reassemble
  - All IPv6 hosts must accept minimum MTU of 1280 bytes
  - ICMPv6 vital to learn if packet-too-big
- Removed Header Checksum (let TCP/UDP layer handle)
- TTL renamed as Hop Limit
- Added new Flow label
How many addresses is that?
IPv6 = 128 bits (IPv4 = 32 bits)
340,282,366,920,938,463,463,374,607,431,768,211,456 addresses or:
= 3.4 x 10^38
undecillion
trillion trillion
If earth was made entirely of 1 cubic millimeter grains of sand, you could give a unique address to each grain in 300 million planets the size of the earth.
Enough addresses to assign one to every atom of every human being on the planet and still have 2.91 x 10^38 addresses left.
128-bit binary representation
00100110000001111111100011110000000000000000000000000000000000000000000001111000000000000000000000000000000000000101010010111110
Addresses represented by 8 groups of 16 bits separated by colons :
Use hexadecimals to shorten
e.g. 2607:F8F0:0000:0000:0078:0000:0000:54BE
Hexadecimal Refresher
conveniently represent 4 binary bits
-lots of binary bits.
Case insensitive.
Binary Decimal Hex
0000 0 0
0001 1 1
0010 2 2
0011 3 3
0100 4 4
0101 5 5
0110 6 6
0111 7 7
1000 8 8
1001 9 9
1010 10 A
1011 11 B
1100 12 C
1101 13 D
1110 14 E
1111 15 F
Two more optional shortcuts:
1) Leading zeros within a group are optional.
2607:f8f0:0000:0000:0078:0000:0000:54be
2607:f8f0:0:0:78:0:0:54be
2) Multiple groups of zeroes can be replaced with ::
2607:f8f0:0:0:78:0:0:54be
2607:f8f0:0:0:78::54be or 2607:f8f0::78:0:0:54be
Beware: Use only once in an address, or else invalid and ambiguous!
e.g. 2607:f8f0::78::54be is invalid!
IPv6 Address Components
Like IPv4, there are always two parts to an address:
- Network
- Host (interface ID)
[Figure: address split into Network bits and Host bits]
Just as in IPv4, we retain use of CIDR notation:
ipv6-address/prefix-length
E.g. 2001:0db8:0:cd30::/60
Network Prefix bits
IPv6 Address Types
Address Type           IPv6                     Description
Unspecified            ::                       Unassigned
Loopback               ::1                      Self address
Global Unicast         2000::/3 (2000-3FFF)     One to one globally routable
Link-Local Unicast     FE80::/10                One to one within layer2 domain
Unique Local Unicast   FC00::/7 and FD00::/7    One to one not globally routable
Multicast              FF00::/8                 One to many
Anycast                Choose from Unicast      One to nearest
No broadcast: IPv6 relies heavily on multicast.
IPv6 Address Allocations
From Global Unicast 2000::/3 range.
Prefix Size   Allocations
/12           Regional Internet Registry allocations from IANA/ICANN
/20           Local Internet Registry extra large allocations
/24           Local Internet Registry large allocations
/28           Local Internet Registry medium allocations
/32           Local Internet Registry minimum allocations
/48           Default end sites assignment
/64           Single end-user LAN (default prefix size for SLAAC)
Common IPv6 Multicast Addresses
Address    Description              Usage
FF02::1    All IPv6 nodes address   Similar to broadcast
FF02::2    All routers address      Communicate with all routers
FF02::5    OSPF                     Similar to 224.0.0.5 for OSPFv2
FF02::6    OSPF DRs                 Similar to 224.0.0.6 for OSPFv2
FF02::9    RIP Routers              Similar to 224.0.0.9 for RIPv2
FF02::A    EIGRP Routers            Similar to 224.0.0.10 for OSPFv2
FF02:0:0:0:0:1:FF00::/104 (appended w/ last 24 bits of MAC address)
           Solicited Node Multicast Duplicate Address Detection, Neighbour Discovery (like ARP)
Interface ID (Host bits)
- 64 bits are required
- Can be assigned in the following ways:
  - Manually
  - DHCP
  - Automatic self-configuration
    - EUI-64 (IEEE standard for 64-bit MAC address)
    - Modified EUI-64 (IEEE standard for 64-bit MAC derived from older 48-bit MAC)
    - Pseudo-random number
      - Depends on OS
      - Often used for privacy
Modified EUI-64
Modified EUI-64 is derived from the 48-bit MAC address:
1. insert FF:FE in the middle
2. complement (invert) 7th bit.
E.g. 00:0C:29:0C:47:D5 (MAC address)
00:0C:29:FF:FE:0C:47:D5
02:0C:29:FF:FE:0C:47:D5
Network: 64 bits
Host (Interface) ID: 020C:29FF:FE0C:47D5 (Modified EUI-64)
Stateless Address Auto Configuration (SLAAC)
- Automatic self-assignment of IPv6 unicast addresses
- No manual configuration of hosts or routers needed
- No DHCP servers needed
- For network bits:
  - Assign Link-local Prefix: FE80::/64
  - Assign Global Prefix: Learned from Router Advertisement
- For host bits:
  - Use EUI-64 or random bits (privacy)
Duplicate Address Detection (DAD)
Host interfaces:
1. -
2. Send a Neighbor Solicitation (NS)
   Src: :: (unspecified)
   Dst: Solicited-Node multicast address FF02:0:0:0:0:1:FF00::/104 w/ last 24 bits of wanted address
3. -
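The Modified EUI-64 derivation and the solicited-node destination used by DAD, worked through in Python as an added example (not part of the original slides). The /64 prefix 2001:db8:0:cd30::/64 and the second sample address are assumptions; `embedded_mac` goes one step beyond the slides to show why random interface IDs are used for privacy: an EUI-64 address exposes the interface's MAC.

```python
import ipaddress

LOW64 = (1 << 64) - 1

def mac_to_modified_eui64(mac: str) -> bytes:
    """48-bit MAC -> 64-bit interface ID: insert FF:FE, invert the 7th bit."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Network bits from a /64 prefix, host bits from Modified EUI-64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC expects a /64 prefix")
    return net[int.from_bytes(mac_to_modified_eui64(mac), "big")]

def solicited_node(addr) -> ipaddress.IPv6Address:
    """FF02:0:0:0:0:1:FF00::/104 plus the last 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)

def embedded_mac(addr):
    """Return the MAC exposed by a Modified EUI-64 address, else None.

    Heuristic: a random interface ID can contain FF:FE by chance.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & LOW64).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    mac = "00:0C:29:0C:47:D5"                         # MAC from the slide
    ll = slaac_address("fe80::/64", mac)
    gua = slaac_address("2001:db8:0:cd30::/64", mac)  # assumed example /64
    print("link-local      :", ll)
    print("global          :", gua)
    print("DAD NS dst group:", solicited_node(ll))
    # Constructed sample addresses, as they might appear in a flow log
    for seen in (str(gua), "2001:db8:0:cd30:a1b2:c3d4:e5f6:1789"):
        print(seen, "-> MAC", embedded_mac(seen))
```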
Neighbour Discovery Protocol (NDP)
NDP defines the following five ICMPv6 packet types and their purposes:
- Router Solicitation (RS) - used by hosts to locate routers
- Router Advertisement (RA) - used by routers to advertise their presence
- Redirect - used by routers to inform hosts of a better first hop for a destination
- Neighbor Solicitation (NS) - used by nodes to determine the link-layer address of a neighbor
- Neighbor Advertisement (NA) - used by nodes to respond to a Neighbor Solicitation message
Once again, ICMPv6 is fundamentally important!
IPv6 Interfaces
- Common to have sets of IPv6 addresses
  - Loopback (::1)
  - Link Local (fe80::/64 address)
  - Global Unicast (2xxxx::/64 address)
  - Temporary (randomized for privacy)
    - Windows Vista or later
    - Mac OSX Lion or later
    - distros
- Join multiple multicast groups
  - All Nodes
  - Solicited Node Multicast
IPv6 Routing
- IGP
  - RIPng
  - IS-IS
  - OSPFv3
  - EIGRP for IPv6
- EGP
  - MP-BGP
IPv6 Deployment Options
Native:
- IPv6 Only
- Dual Stack (both IPv4 and IPv6)
Proxy:
- Proxy and Translation
Tunneling:
- 6to4
- Teredo
- ISATAP
Suggestions:
- Use a phased approach
- Prepare to support both IPv6 and IPv4 simultaneously
- Start at perimeter and move towards center of network
- Prioritize public facing services such as web and email (business priority)
- Embed IPv6 requirements for equipment/software refresh cycles
- Develop IPv6 architecture standards and technical requirements
- Establish governance bodies to oversee adoption, including a Steering Committee and a Community of Practice
- Create a change management strategy, including policies, training, and communications
Lab Assignments
Configure your Laptop for IPv6
Dual-Stack Wireless SSID: BCNETv6Demo
Password: IPv6BCNETDemoPassword
Notice the IPv6 addresses you have been assigned (Link-Local, Global Unicast)
Verify by visiting: http://test-ipv6.com
More IPv6 Laptop Config Info: http://goo.gl/ziA5M
Lab Site
Please visit BCNET IPv6 Community Lab site:
https://wiki.bc.net/atl-conf/display/BCNETIPv6LAB/Home
or
http://goo.gl/BjjFi
Lab Login
Router Login Accounts
You can use SSH to log in to your router.
username: v6guru
password: v6demo
Server (VM) Login Accounts
You can use SSH to log in to the servers.
username: v6guru
password: v6demo
If you are using Windows, you can use Putty, a free SSH client.
Lab Topology
Lab Assignment #1
Setup Local Routing
1. Assign two /64 subnets out of the assigned netblock (/60) for your group. These /64 subnets are for Net1 and Net2.
2. Configure these two subnets on your router.
3. Stateless address auto configuration for each subnet (Net1 & Net2) (Router Advertisement) should automatically be activated.
4. Verify that your VMs have IPv6 addresses from the ranges you assigned via SLAAC.
Lab Assignment #2
Setup OSPF
1. Configure the IPv6 addresses on the connection towards your two neighbouring routers. IPv6 addresses to be used are in your provided group worksheets. Remember that these are 802.1q tagged links.
2. Configure OSPFv3 on your router; we will use area 0 and no authentication.
3. Configure the NET1 & NET2 interfaces (GigabitEthernet0/0 & GigabitEthernet0/1) as passive OSPF interfaces.
4. Make sure your router establishes adjacencies with both neighbouring routers.
5. Confirm in the routing tables that Net1, Net2 and your uplink prefixes are announced.
6. Disable IPv6 router advertisements on these backbone links between routers.
7. Verify connectivity to your networks and VMs.
Break
1 Hour
Return at 1:00PM
Lab Assignment #3
Setup BGP
1. Configure the IPv6 addresses on the connection towards the BCNET router.
2. Configure BGP on your router and have it peer with BCNET router (AS65527).
3. Announce the prefix assigned to you (the aggregated /60 block, not the individual /64's) to BCNET over BGP.
4. Verify if you receive default IPv6 route ::/0 from BCNET.
5. Verify if you can ping6/traceroute6 to www.bc.net.
Lab Assignment #4
Security
Configure an ACL that allows access to your router for:
- snmp (udp 161)
- telnet (tcp 23)
- ssh (tcp 22)
Only from IPv6 source addresses within the /60 prefix assigned to you. Deny all other traffic.
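A way to check the Assignment #4 policy before typing it into a router, added here as an example (a Python model with first-match evaluation, not router syntax and not part of the workshop material). The group prefix 2001:db8:0:cd30::/60, the `allow_nd` switch and the test packets are assumptions; storing the ICMPv6 type in the port field is a modelling shortcut.

```python
import ipaddress
from typing import NamedTuple, Optional

ANY = ipaddress.IPv6Network("::/0")

class Rule(NamedTuple):
    action: str                    # "permit" or "deny"
    proto: Optional[str]           # "tcp", "udp", "icmpv6"; None = any
    src: ipaddress.IPv6Network
    dport: Optional[int] = None    # port, or ICMPv6 type (modelling shortcut)

def build_acl(group_prefix: str, allow_nd: bool = False) -> list:
    """Assignment #4 policy for one group's /60; rule order matters."""
    net = ipaddress.IPv6Network(group_prefix)
    acl = [Rule("permit", "udp", net, 161),    # snmp
           Rule("permit", "tcp", net, 23),     # telnet
           Rule("permit", "tcp", net, 22)]     # ssh
    if allow_nd:
        # Neighbor Solicitation (135) and Neighbor Advertisement (136)
        acl += [Rule("permit", "icmpv6", ANY, 135),
                Rule("permit", "icmpv6", ANY, 136)]
    acl.append(Rule("deny", None, ANY))        # deny all other traffic
    return acl

def evaluate(acl, proto: str, src: str, dport: int) -> str:
    """Return the action of the first rule that matches the packet."""
    addr = ipaddress.IPv6Address(src)
    for rule in acl:
        if rule.proto not in (None, proto):
            continue
        if addr not in rule.src:
            continue
        if rule.dport not in (None, dport):
            continue
        return rule.action
    return "deny"

if __name__ == "__main__":
    acl = build_acl("2001:db8:0:cd30::/60")    # assumed group prefix
    # Constructed test packets: (protocol, source, destination port/type)
    for pkt in [("tcp", "2001:db8:0:cd3f::10", 22),   # last /64 of the /60
                ("tcp", "2001:db8:0:cd40::10", 22),   # first /64 outside it
                ("udp", "2001:db8:0:cd31::5", 161),
                ("tcp", "2001:db8:0:cd31::5", 80),
                ("icmpv6", "fe80::1", 135)]:          # NS from a neighbour
        print(pkt, "->", evaluate(acl, *pkt))
```

The last packet shows the side effect of a literal "deny all other traffic": Neighbor Solicitations are dropped too, so neighbours can no longer resolve the router unless ND is permitted ahead of the final deny (`allow_nd=True` in this model).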
Thank you!
http://www.bc.net | [email protected] | 604.822.1348