IPv6 Workshop - BCNET · 2015-12-16 · IPv6 Fundamentals April 28, 2014 33 Address Types IPv6...

Alvin Wong, Sr Network Analyst @ BCNETToby Wong, Network Analyst @ BCNETMicheal Jones, Systems Administrator @ Cybera

IPv6 Workshop

9:00AM 10:00AM:

IntroductionWhy IPv6?State of IPv6 AdoptionIPv6 FundamentalsIPv6 Deployment Options

Agenda

April 28, 2014 www.bc.net 2

10:00AM 10:15AM <Break>10:15AM 12:00PM

Assignment #1 Local RoutingAssignment #2 Campus Routing

12:00PM 1:00PM <Lunch>1:00PM 2:00PM

Assignment #3 - InterdomainRoutingAssignment #4 Router Security

Agenda


2:00PM 2:15PM <Break>2:15PM 3:00PM

Systems Introduction3:00PM 5:00PM

Systems Assignments (DNS, Web, Email, and Firewall)

Introductions


Alvin Wong, Sr. Network Analyst, BCNETemail: [email protected]

Toby Wong, Network Analyst, BCNETemail: [email protected]

Micheal Jones, Systems Administrator, Cyberaemail: [email protected]

Introduction


Tell us about you!

Name:What you do:Organization:Interest or experience in IPv6:Fun fact about you:

Introduction


IPv6 Community Lab

Network test-bed to gain IPv6 knowledge and experience on real hardwareBCNET, Canarie and Cisco donated the hardwareLab consists of 8 x Cisco 2800 routers, 1 x Cisco 3700 switch

https://www.bc.net/atl-conf/display/BCNETIPv6LAB/Home

Introduction


Why IPv6?


Inevitability

32-bit IPv4 address space limited to 4.3 billion unique addresses (developed in 1980s)

Running out of IPv4 addresses -- IANA/ICANN and RIRs /8s are depleting

APNIC and RIPE down to their last /8

Why IPv6


IANA Unallocated Address Pool Exhaustion: 03-Feb-2011

Projected RIR Address Pool Exhaustion Dates:

Why IPv6


http://www.potaroo.net/tools/ipv4/

RIR Projected Exhaustion Date

APNIC 19Apr2011 (actual)

RIPE 14Sep2012 (actual)

ARIN 19Mar2015

LACNIC 16Sep2014

AFRINIC 18Apr2020

Why IPv6


http://www.potaroo.net/tools/ipv4/plotend.png

More IP addresses!

Reduce reliance on NATReachability to growing IPv6 only networksGrowth in the number of network devicesNew countries and greater needs

Why IPv6


State of IPv6 Adoption




Content Provider LevelGoogleFacebookYahoo!BingNetflix

National Connectivity LevelCanarieHurricane ElectricTata CommunicationsShawPeer1


April 28, 2014 www.bc.net 15http://www.google.com/ipv6/statistics.html

Percentage of users that access Google via IPv6 < 3.4%



http://v6asns.ripe.net

Percentage of ASes Announcing IPv6 Prefixes



http://mnlab-ipv6.seas.upenn.edu/fig1



IPv6 deployment at BCNET

BCNET has been IPv6 ready many yearsFrom research to productionAddress space

Canarie address space (PA provider aggregatable)2001:410:1000::/40

Provider independent (PI) address space2607:f8f0::/32

IPv6 Fundamentals


IPv6 Fundamentals


IPv4 Header IPv6 Header

IPv6 Header vs IPv4 Header

IPv6 has fixed header length of 40 bytes (IPv4 was min. 20 bytes +options.)IPv6 removed:

Internet header length (IHL) fieldOptions fieldPadding field

IPv6 Uses Payload Length field instead of Total Length fieldProcessing advantages in using fixed-length header!

IPv6 Fundamentals



IPv4 Protocol field replaced with IPv6 Next Header field to indicate:

IPv6 Fundamentals


ICMPv6 (58)TCP (6)UDP (17)IPSEC AH (51)IPSEC ESP (50)

Fragment (44)

futureproof!


Removed IP fragmentation supportRemoved Fragment Offset, Identification, Flags fieldsRely on end-hosts to fragment and reassembleAll IPv6 hosts must accept minimum MTU of 1280 bytesICMPv6 vital to learn if packet-too-big

Removed Header Checksum (let TCP/UDP layer handle)TTL renamed as Hop LimitAdded new Flow label

IPv6 Fundamentals


IPv6 Fundamentals


IPv4 Header IPv6 Header

IPv6 = 128-bits (IPv4 = 32-bits)

340,282,366,920,938,463,463,374,607,431,768,211,456 addresses or:

= 3.4 x 1038

undecilliontrillion trillion

How many addresses is that?

IPv6 Fundamentals


If earth was made entirely of 1 cubic millimeter grains of sand, you could give a unique address to each grain in 300 million planets the size of the earth.

Enough addresses to be assigned to every atom of every human being on the planet and still be left 2.91 x 1038 addresses.

IPv6 Fundamentals


128-bit binary representation

00100110000001111111100011110000000000000000000000000000000000000000000001111000000000000000000000000000000000000101010010111110

Addresses represented by 8 groups of 16 bits separated by colons :

Use hexadecimals to shorten

e.g. 2607:F8F0:0000:0000:0078:0000:0000:54BE

IPv6 Fundamentals


Hexadecimal Refresher

conveniently represent 4 binary bits

-lots of binary bits.

Case insensitive.

IPv6 Fundamentals


Binary Decimal Hex

0000 0 0

0001 1 1

0010 2 2

0011 3 3

0100 4 4

0101 5 5

0110 6 6

0111 7 7

1000 8 8

1001 9 9

1010 10 A

1011 11 B

1100 12 C

1101 13 D

1110 14 E

1111 15 F

Two more optional shortcuts:

1) Leading zeros within a group are optional.

2607:f8f0:0000:0000:0078:0000:0000:54be

2607:f8f0:0000:0000:0078:0000:0000:54be

2607:f8f0:0:0:78:0:0:54be

IPv6 Fundamentals


2) Multiple groups of zeroes can be replaced with ::

2607:f8f0:0:0:78:0:0:54be

or2607:f8f0:0:0:78::54be 2607:f8f0::78:0:0:54be

Beware: Use only once in an address, or else invalid and ambiguous!

e.g. 2607:f8f0::78::54be is invalid!

IPv6 Fundamentals


IPv6 Address ComponentsLike IPv4, there are always two parts to an address:

NetworkHost (interface ID)

IPv6 Fundamentals


Network bits Host bits

IPv6 Fundamentals



Just as in IPv4, we retain use of CIDR notation:

ipv6-address/prefix-length

E.g. 2001:0db8:0:cd30::/60

Network Prefix bits

IPv6 Fundamentals


Address Types IPv6 Description

Unspecified :: Unassigned

Loopback ::1 Self address

Global Unicast 2000::/3 (20003FFF) One to one globally routable

LinkLocal Unicast FE80::/10 One to one within layer2 domain

Unique Local Unicast FC00::/7 and FD00::/7 One to one not globally routable

Multicast FF00::/8 One to many

Anycast Choose from Unicast One to nearest

IPv6 Address Types

No broadcast IPv6 relies heavily on multicast.

IPv6 Fundamentals


Prefix Size Allocations

/12 Regional Internet Registry allocations from IANA/ICANN

/20 Local Internet Registry extra large allocations

/24 Local Internet Registry large allocations

/28 Local Internet Registry medium allocations

/32 Local Internet Registry minimum allocations

/48 Default end sites assignment

/64 Single Enduser LAN (default prefix size for SLAAC)

IPv6 Address Allocations

From Global Unicast 2000::/3 range.

IPv6 Fundamentals


Address Description Usage

FF02::1 All IPv6 nodes address Similar to broadcast

FF02::2 All routers address Communicate with all routers

FF02::5 OSPF Similar to 224.0.0.5 for OSPFv2

FF02::6 OSPF DRs Similar to 224.0.0.6 for OSPFv2

FF02::9 RIP Routers Similar to 224.0.0.9 for RIPv2

FF02::A EIGRP Routers Similar to 224.0.0.10 for OSPFv2

FF02:0:0:0:0:1:FF00::/104appended w/ last24bits of MAC address

Solicited Node Multicast

Duplicate Address DetectionNeighbour Discovery (like ARP)

Common IPv6 Multicast Addresses

Interface ID (Host bits)64-bits are requiredCan be assigned in the following ways:

ManuallyDHCPAutomatic self-configuration

EUI-64 (IEEE standard for 64-bit MAC address)Modified EUI-64 (IEEE standard for 64-bit MAC derived from older 48-bit MAC)

Pseudo-random numberDepends on OSOften used for privacy

IPv6 Fundamentals



Modified EUI-64Modified EUI-64 is derived from the 48-bit MAC address:

1. insert FF:FE in the middle2. complement (invert) 7th bit.

E.g. 00:0C:29:0C:47:D5 (MAC address)

00:0C:29:FF:FE:0C:47:D5

02:0C:29:FF:FE:0C:47:D5

IPv6 Fundamentals



IPv6 Fundamentals


Network Host (Interface) ID

64 bits 020C:29FF:FE0C:47D5

Modified EUI-64

E.g. 00:0C:29:0C:47:D5 (MAC address)

Stateless Address Auto Configuration (SLAAC)

Automatic self-assignment of IPv6 unicast addressesNo manual configuration of hosts or routers neededNo DHCP servers neededFor network bits:

Assign Link-local Prefix: FE80::/64Assign Global Prefix: Learned from Router Advertisement

For host bits:Use EUI-64 or random bits (privacy)

IPv6 Fundamentals


Duplicate Address Detection (DAD)

Host interfaces:

1. -

2. Send a Neighbor Solicitation (NS)Src :: (unspecified)Dst: Solicited-Node multicast address

FF02:0:0:0:0:1:FF00::/104 w/ last 24-bits of wanted address

3. -

IPv6 Fundamentals


Neighbour Discovery Protocol (NDP)NDP defines the following five ICMPv6 packet types and their purposes:

Router Solicitation (RS) - used by hosts to locate routers Router Advertisement (RA) - used by routers to advertise their presenceRedirect - used by routers to inform hosts of a better first hop for a destinationNeighbor Solicitation (NS) - used by nodes to determine the link-layer address of a neighborNeighbor Advertisement (NA) - used by nodes to respond to a Neighbor Solicitation message

Once again, ICMPv6 is fundamentally important!

IPv6 Fundamentals


IPv6 InterfacesCommon to have sets of IPv6 addresses

Loopback (::1)Link Local (fe80::/64 address)Global Unicast (2xxxx::/64 address)Temporary (randomized for privacy)

Windows Vista or laterMac OSX Lion or later

distros

Join multiple multicast groupsAll NodesSolicited Node Multicast

IPv6 Fundamentals


IPv6 RoutingIGP

RIPngIS-ISOSPFv3EIGRP for IPv6

EGPMP-BGP

IPv6 Fundamentals


IPv6 Deployment Options


Native:IPv6 OnlyDual Stack (both IPv4 and IPv6)

Proxy:Proxy and Translation

Tunneling:6to4TeredoISATAP



Suggestions:Use a phased approachPrepare to support both IPv6 and IPv4 simultaneouslyStart at perimeter and move towards center of networkPrioritize public facing services such as web and email (business priority)Embed IPv6 requirements for equipment/software refresh cyclesDevelop IPv6 architecture standards and technical requirementsEstablish governance bodies to oversee adoption, including a Steering Committee and a Community of PracticeCreating a change management strategy, including policies, training, and communications



Lab Assignments


Dual-Stack Wireless SSID: BCNETv6DemoPassword: IPv6BCNETDemoPassword

Notice the IPv6 Addresses you have assigned (Link-Local, Global Unicast)

Verify by visiting: http://test-ipv6.com

More IPv6 Laptop Config Info: http://goo.gl/ziA5M

Configure your Laptop for IPv6


Lab Site


Please visit BCNET IPv6 Community Lab site:

https://wiki.bc.net/atl-conf/display/BCNETIPv6LAB/Home

or

http://goo.gl/BjjFi

Router Login AccountsYou can use SSH to login into your router.username: v6gurupassword: v6demo

Server (VM) Login AccountsYou can use SSH to login to the servers.usernames: v6gurupassword: v6demo

If you are using Windows, you can use Putty, a free SSH client.

Lab Login


Lab Topology


Setup Local Routing

1. Assign two /64 subnets out of the assigned netblock (/60) for your group. These /64 subnets are for Net1 and Net2.

2. Configure these two subnets on your router.

3. Stateless address auto configuration for each subnet (Net1 & Net2) (Router Advertisement) should automatically be activated.

4. Verify that your VMs have IPv6 addresses from the ranges you assigned via SLAAC.

Lab Assignment #1


Setup OSPF

Lab Assignment #2


Setup OSPF

1. Configure the IPv6 addresses on the connection towards your two neighbouringrouters. IPv6 addresses to be used are in your provided group worksheets.Remember that these are 802.1q tagged links.

2. Configure OSPFv3 on your router, we will use area 0 and no authentication.3. Configure the NET1 & NET2 interfaces (GigabitEthernet0/0 & GigabitEthernet0/1) as

passive OSPF interfaces.4. Make sure your router establishes adjacencies with both neighbouring routers.5. Confirm routing tables that Net1, Net2 and your uplink prefixes are announced.6. Disable IPv6 routers advertisements on these backbone links between routers.7. Verify connectivity to your networks and VMs.

Lab Assignment #2


1 Hour

Return at 1:00PM

Break


Setup BGP

1. Configure the IPv6 addresses on the connection towards the BCNET router.

2. Configure BGP on your router and have it peer with BCNET router (AS65527).

3. Announce the prefix assigned to you (aggregated /60 block , not the individual /64's) to BCNET over BGP).

4. Verify if you receive default IPv6 route ::/0 from BCNET.

5. Verify if you can ping6/traceroute6 to www.bc.net.

Lab Assignment #3


Security

Configure an ACL that allows access to your router for:snmp (udp 161)telnet (tcp 23)ssh (tcp 22) Only from IPv6 source address within the /60 prefix assigned to you. Deny all other traffic

Lab Assignment #4


Thank you!


http://www.bc.net | [email protected] | 604.822.1348

IPv6 Workshop - BCNET · 2015-12-16 · IPv6 Fundamentals April 28, 2014 33 Address Types IPv6...

Documents

Transcript of IPv6 Workshop - BCNET · 2015-12-16 · IPv6 Fundamentals April 28, 2014 33 Address Types IPv6...