switchport Security

Tuesday, December 25, 2007

IP Next Generation (ng): IPv6

For starters, there is no IPv5 that works the way we might expect. Version 5 was a streaming protocol defined in RFCs 1190 and 1819, and in some respects it works the same way MPLS does.

Ever wondered what an IPv6 address really is? Do you understand what ipconfig /all and ifconfig spit out on the CLI about your IPv6 address? And did you know that you have more than one IPv6 address?

If you don't, read on!

What's in here?
- What is IPv6?
- The IPv6 Header
- Addressing Notation
- Zone Indices and Multi-homed servers
- Address and Communication Types

What's IPv6?

IPv6 is a new IP protocol designed to replace IPv4, the Internet protocol that is predominantly deployed and extensively used throughout the world. IPv6 quadruples the number of network address bits from 32 bits (in IPv4) to 128 bits, or approximately 3.4 x 10^38 addressable nodes, which provides more than enough globally unique IP addresses for every network device on the planet. (From http://www.cisco.com)

How different is this from IPv4?

  • Larger address space: a 128-bit addressing format capable of 2^128 IPv6 addresses
  • Option for stateless autoconfiguration and for stateful configuration of hosts through DHCPv6
  • Multicast
  • Link-local addresses
  • Support for a payload of around 65535 octets
  • Native network-layer security: IPsec is natively supported and built into IPv6
  • MIPv6: Mobile IP is available for both v4 and v6 and enables mobile devices to move seamlessly throughout a network. This is native in IPng.
  • Faster processing, since there is no header checksum

The IPv6 Header

The v6 header is noticeably more streamlined than its predecessor, which is where the notion comes from that v6 communication is a lot faster and more efficient. Let's take a closer look at it.

From the figure above, the first field of the header is the Version field, which has the value 6, meaning IPv6.

Traffic Class is an 8-bit field that distinguishes packets with different real-time delivery requirements; it is used for differentiated services (DiffServ).

Flow Label
Tags a flow of packets; used for multilayer switching techniques and faster packet-switching performance.

Payload Length
The length of the payload, as the name says.

Next Header
This is like the Transport field in IPv4: it tells you what follows this header - TCP, UDP, or an extension header.

Hop Limit
A better name for TTL: the value is decremented by every router the packet traverses. The advantage in v6 is that there is no checksum to recompute here, whereas v4 incurs extra processing time for that.

Source Address

Destination Address

Extension headers
There might be a need for the fields that went missing from IPv4, and this is where extension headers come in handy. Currently, 6 types are defined, as follows:
  • Hop-by-hop options - used for router alerts, for example for RSVP (Resource Reservation Protocol) and MLD (Multicast Listener Discovery v1), and for jumbograms
  • Destination options - carries optional information that needs to be processed by the destination node
  • Routing - used for source routing and MIPv6
  • Fragmentation - well, we still have this one, but it is only used when we have to fragment
  • Authentication and Encapsulating Security Payload headers - IPsec protocol stuff
  • Upper-layer header - kind of like what the Next Header field does
Though we can still perform fragmentation in IPv6, what it normally does is send MTU discovery packets so that it can determine the optimum maximum transmission unit for a given session. It queries the link until it gets an appropriate response about which MTU to use when sending data on the line. This is done per link, and the responses are cached. But this can also be performed using the flow labels.

Source-based routing has the source telling how data should traverse the network.

Addressing Notation
It's very easy to distinguish what an IPv6 address looks like. The hard thing is writing it down and memorizing the address - that's why DNS becomes VERY important as well.

Given the IP address 2002:03c9:0000:0000:0000:0000:1526:69ab, what other ways are there to represent it?

2002:03c9:0000:0000:0000:0000:1526:69ab can also be written as

  • 2002:03c9:0000:0000:0000::1526:69ab
  • 2002:03c9:0:0:0:0:1526:69ab
  • 2002:03c9:0:0::1526:69ab
  • 2002:03c9::1526:69ab
Note: You can only cut down on leading zeroes.

Representing an IPv4 address in IPv6

  • ::ffff: (the prefix)
  • ::ffff:c0a8:a9aa
  • 0:0:0:0:0:ffff:c0a8:a9aa

Note: c0a8:a9aa, if my conversion was correct (top of my head, sorry)
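To make the notation rules above concrete, here is an added example (not code from the original post) that expands any of the listed forms into eight 16-bit groups, re-compresses to the canonical RFC 5952 form, and checks the c0a8:a9aa conversion by decoding an IPv4-mapped address back to dotted quad:

```python
# Added example, not from the original post: expand any legal textual IPv6
# address into its eight 16-bit groups, re-compress it into the RFC 5952
# canonical form, and pull the embedded IPv4 address out of an IPv4-mapped
# address such as ::ffff:c0a8:a9aa. Hex-group notation only (no dotted quad).
from typing import List, Optional

def expand(addr: str) -> List[int]:
    """Return the eight 16-bit groups of addr, however it was abbreviated."""
    if addr.count("::") > 1:
        raise ValueError("only one '::' is allowed")
    head, sep, tail = addr.partition("::")
    left = [int(g, 16) for g in head.split(":")] if head else []
    right = [int(g, 16) for g in tail.split(":")] if tail else []
    if sep:
        # '::' stands for one or more all-zero groups, never for none
        missing = 8 - len(left) - len(right)
        if missing < 1:
            raise ValueError("'::' must replace at least one zero group")
        groups = left + [0] * missing + right
    else:
        groups = left
    if len(groups) != 8 or not all(0 <= g <= 0xFFFF for g in groups):
        raise ValueError("not a valid IPv6 address: %r" % addr)
    return groups

def compress(groups: List[int]) -> str:
    """RFC 5952 text: lowercase hex, leading zeros dropped, and the longest run
    of two or more zero groups (the first one on ties) written as '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j + 1
    text = ["%x" % g for g in groups]
    if best_len < 2:            # a lone zero group is written as plain "0"
        return ":".join(text)
    return ":".join(text[:best_start]) + "::" + ":".join(text[best_start + best_len:])

def mapped_ipv4(addr: str) -> Optional[str]:
    """Dotted-quad IPv4 address embedded in an ::ffff:0:0/96 address, else None."""
    g = expand(addr)
    if g[:6] != [0, 0, 0, 0, 0, 0xFFFF]:
        return None
    return "%d.%d.%d.%d" % (g[6] >> 8, g[6] & 0xFF, g[7] >> 8, g[7] & 0xFF)
```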

Special Addresses in IPv6

  • Link-local Address
  • Site-local Address
  • Multicast address

::/128 - the unspecified address, used by software only
::1/128 - the loopback address for IPv6, not like IPv4's!
fe80::/10 - the IPv4 APIPA equivalent

fc00::/7 - unique site-local addresses that are centrally administered
fd00::/7 - unique site-local addresses that are locally administered

Note: Does this remind you of RFC 1918-type addresses?

IPv4 special addresses
::ffff:0:0/96 - obsolete though
2002::/16

ff00::/8 - multicast addressing

  • ff02::1 - all hosts on the segment
  • ff02::2 -
  • ff02::5 - must be for OSPF routers
  • ff02::6 - must be for OSPF DRs and BDRs
  • ff02::9 - all RIP routers, most certainly
  • ff02::1:ffxx:xxxx - solicited-node multicast, the IPv6 equivalent of an ARP request
  • ff05::101 - all NTP servers

Note: ff02::6, hmm? Remember the IPv4 OSPF DR and BDR multicast address? That's the one!

Zone Indices and Multi-homed servers
Every IPv6 host has a link-local address per NIC, and all of them fall within the same network boundary or subnet (fe80::/10). That causes problems on a multi-homed server or router: the address alone does not say which interface it belongs to.

But how do we get around this problem?

Through RFC 4007: adding a zone index that identifies the interface solves the problem.

  • Microsoft - fe80::3%1
  • BSD - fe80::5%pcn0
  • Linux - fe80::5%eth0

Address and Communication Types
A multicast group is an arbitrary group of receivers that expresses an interest in receiving a particular data stream. This group has no physical or geographical boundaries—the receivers can be located anywhere on the Internet or in a private network. Receivers that are interested in receiving data flowing to a particular group must join the group by signaling their local router. This signaling is achieved with MLD protocol, which is the IPv6 equivalent of the IGMP protocol on IPv4. The network then delivers data to potentially unlimited receivers, using only one copy of the multicast data per subnet. (From http://www.cisco.com)

Unicast - host-to-host
Multicast - host-to-group
Anycast - host-to-closest host

What is MLD?
Multicast Listener Discovery version 1 (MLDv1) performs the functions of, and is derived from, IGMPv2, while MLDv2 is equivalent to IGMPv3 and is needed to work with PIM-SSM. Unlike IGMP on IPv4, MLD uses ICMPv6 to carry its messages. All MLD messages are local to the link, with a Hop Limit of 1 and the Router Alert option enabled.

There are three types of MLD messages:
1. Query
2. Report
3. Done

1. Query (Type = decimal 130)
General and Group-Specific
In a General Query, the Multicast Address field is set to zero; the query learns which multicast addresses have listeners on the attached link.

In a Group-Specific (Multicast-Address-Specific) Query, the address field is set to a specific IPv6 multicast address. This query learns whether that particular multicast address has any listeners on the attached link.

2. Report (Type = decimal 131)
In a Report message, the Multicast Address field holds the specific IPv6 multicast address to which the sender is listening.

3. Done (Type = decimal 132)
In a Done message, the Multicast Address field holds the specific IPv6 multicast address to which the sender is ceasing to listen.
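As an added example (not from the original post), here is a parser for MLD messages that checks the properties just described: ICMPv6 type 130, 131 or 132, a Hop Limit of 1, and the Router Alert option carried in a Hop-by-Hop extension header. The packet it parses is constructed inline for the example, with the ICMPv6 checksum left at zero.

```python
# Added example, not from the original post: parse a raw IPv6 packet carrying an
# MLD message and check what the text lists (ICMPv6 type 130/131/132, Hop Limit 1,
# Router Alert hop-by-hop option). The sample packet is constructed here; checksum is 0.
import struct
import ipaddress

MLD_TYPES = {130: "Query", 131: "Report", 132: "Done"}

def parse_mld(packet: bytes) -> dict:
    """Return the MLD fields plus a 'valid' flag; raise on non-MLD input."""
    if packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, hop_limit = packet[6], packet[7]
    offset, router_alert = 40, False
    if next_header == 0:                       # Hop-by-Hop Options header
        next_header, ext_len = packet[40], packet[41]
        end = 40 + (ext_len + 1) * 8           # length in 8-octet units, not counting the first
        i = 42
        while i < end:                         # walk the TLV-encoded options
            if packet[i] == 0:                 # Pad1: a single zero byte
                i += 1
                continue
            opt_type, opt_len = packet[i], packet[i + 1]
            if opt_type == 5 and opt_len == 2 and packet[i + 2:i + 4] == b"\x00\x00":
                router_alert = True            # Router Alert value 0: MLD message inside
            i += 2 + opt_len
        offset = end
    if next_header != 58:
        raise ValueError("not an ICMPv6 packet")
    icmp_type, _code, _cksum, max_resp = struct.unpack_from("!BBHH", packet, offset)
    if icmp_type not in MLD_TYPES:
        raise ValueError("ICMPv6 type %d is not MLD" % icmp_type)
    group = ipaddress.IPv6Address(packet[offset + 8:offset + 24])
    return {
        "type": MLD_TYPES[icmp_type],
        "multicast_address": str(group),       # "::" means a General Query
        "max_resp_delay_ms": max_resp,
        "hop_limit": hop_limit,
        "router_alert": router_alert,
        "valid": hop_limit == 1 and router_alert,   # MLD must stay on the link
    }

def build_mld_query(src: str, group: str, hop_limit: int = 1) -> bytes:
    """Constructed sample: IPv6 header + Hop-by-Hop (Router Alert, PadN) + MLD Query."""
    hbh = bytes([58, 0, 5, 2, 0, 0, 1, 0])     # next=ICMPv6, len=0, RouterAlert(0), PadN
    mld = struct.pack("!BBHHH", 130, 0, 0, 10000, 0) + ipaddress.IPv6Address(group).packed
    hdr = struct.pack("!IHBB", 6 << 28, len(hbh) + len(mld), 0, hop_limit)
    hdr += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed
    return hdr + hbh + mld
```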

Link-local Addresses

  • assigned automatically as the host goes online
  • kind of like APIPA
  • always begins with fe80; the first 10 bits are 1111 1110 10
  • the last 64 bits are the 48-bit physical address of the NIC with FFFE inserted in the middle
Say your MAC address is 00-00-0C-19-ab-cd. Your link-local address is fe80::0000:0Cff:fe19:abcd
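As an added example (not from the original post), the modified EUI-64 derivation from RFC 4291 Appendix A in code. Note that the RFC also inverts the universal/local bit (0x02) of the first MAC octet, so the interface ID for 00-00-0C-19-ab-cd starts with 0200 rather than 0000; the reverse function shows that the MAC stays recoverable from such an address.

```python
# Added example, not from the original post: build a link-local address from a
# MAC with the modified EUI-64 procedure of RFC 4291 Appendix A (split the MAC,
# insert ff:fe, invert the universal/local bit) and recover the MAC from it.
import ipaddress
from typing import Optional

def eui64_interface_id(mac: str) -> bytes:
    """8-byte modified EUI-64 interface ID for a MAC like 00-00-0C-19-ab-cd."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC address: %r" % mac)
    # bit 0x02 of the first octet is inverted: 00-00-0c-... becomes 02-00-0c-...
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:]

def link_local(mac: str) -> str:
    """fe80::/64 plus the EUI-64 interface ID, in RFC 5952 compressed form."""
    packed = b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac)
    return ipaddress.IPv6Address(packed).compressed

def mac_from_eui64(addr: str) -> Optional[str]:
    """Return the MAC embedded in an EUI-64 interface ID (ff:fe marker present),
    else None; the hardware address stays recoverable from such an address."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join("%02x" % b for b in mac)
```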

Unique-local (RFC 4193) / Site-local Addresses (RFC 3513)

  • used within enterprise networks to identify the boundary of their networks
  • kind of like private IP addressing for IPv6

  8 bits              40 bits    16 bits    48 bits
  1111 110[0 or 1]    GlobalID   SubnetID   InterfaceID

fc00::/8, which becomes fd00::/8 if locally administered or assigned

Global Addresses

  • the global routing prefix is 48 bits or less
  • the SubnetID is comprised of whatever bits are left after the global routing prefix demarc
  • the high-order 3 bits are set to 001

  [n bits: global routing prefix][64-n bits: SubnetID][InterfaceID]

Multicast Addressing

  • the first 8 bits are always FF
  • the flags field currently has 4 bits defined ---> 0RPT: 0 - unassigned, R - rendezvous point embedded, P - unicast-prefix-based, T - 0 if permanently assigned, 1 if temporary
  • the scope field defines how far the multicast reaches and is 4 bits in length
Scope bits:

1 - interface-local
2 - link-local
3 - subnet-local
4 - admin-local
5 - site-local
8 - organization
e - global

[1111 1111][Flags][Scope][Address]

Note: I'll add more to this section. A bit tired now.

There is no broadcasting in IPv6; multicasting replaces that function in v6.
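As an added example (not from the original post), decoding the FF/flags/scope layout above and computing the solicited-node multicast address ff02::1:ffxx:xxxx that stands in for the ARP broadcast for a given unicast address; scope names follow the list above, and the R/P/T flag bits are assumed in the 0RPT order given.

```python
# Added example, not from the original post: decode the FF / flags / scope layout
# of an IPv6 multicast address and derive the solicited-node multicast address
# (ff02::1:ffxx:xxxx) that Neighbor Discovery uses instead of an ARP broadcast.
# Scope names follow the list in the text; flag bit order 0RPT is assumed as given.
import ipaddress

SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x3: "subnet-local",
          0x4: "admin-local", 0x5: "site-local", 0x8: "organization", 0xE: "global"}

def decode_multicast(addr: str) -> dict:
    """Split an ff00::/8 address into its flags, scope and 112-bit group ID."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[0] != 0xFF:
        raise ValueError("%s is not a multicast address" % addr)
    flags, scope = packed[1] >> 4, packed[1] & 0x0F     # second byte: 0RPT | scope
    return {
        "R": bool(flags & 0x4),            # rendezvous point embedded in the address
        "P": bool(flags & 0x2),            # derived from a unicast prefix
        "T": bool(flags & 0x1),            # 0 = permanently assigned, 1 = temporary
        "scope": SCOPES.get(scope, "unassigned (%x)" % scope),
        "group_id": packed[2:].hex(),
    }

def solicited_node(unicast: str) -> str:
    """ff02::1:ff00:0/104 followed by the low 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(unicast).packed[13:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24).compressed
```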

