
IPv6 Next Generation Internet Protocol

How do you get ready? Don't get left out!
Presented by Pete Morasca, Thomas Jefferson High School Science Technology

Is this for real?


IRS, DOE, other Federal departments are mandated to implement by 2008
Microsoft's next generation OS and Server OS (VISTA, LONGHORN) have IPv6 automatically built-in
Router manufacturers already have their OS routing the new protocol and transition mechanisms

OUTLINE
MAJOR FACTORS DRIVING THE NEED
MAJOR CONCERNS IT-TEAM/ISP/APPS
ADDRESSING/SUBNETTING
COEXISTENCE AND MIGRATION
ROUTING
NAME RESOLUTION / DNS SERVERS
SETTING UP A TEST LAB

MAJOR FACTORS DRIVING THE NEED


Large address space: The 128-bit address space for IPv6 provides ample room to provide every device on the present and foreseeable future Internet with a globally reachable address.

Efficient routing: With a streamlined IPv6 header and addressing that supports hierarchical routing infrastructures, IPv6 routers on the Internet can forward IPv6 traffic faster than their IPv4 counterparts.

Ease of configuration: IPv6 hosts can configure themselves by either interacting with a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server or by interacting with their local router and using stateless address autoconfiguration. Stateful DHCPv6 is not really needed with a good router.

Enhanced security: The IPv6 standards solve some of the security issues of IPv4 by providing better protection against address and port scanning attacks and by requiring that all IPv6 implementations support Internet Protocol security (IPsec) for cryptographic protection of IPv6 traffic.

MAJOR CONCERNS FOR IT-TEAM / ISP / APPS


IT? Easier than IPv4 static or dynamic address assignment: just run the install mechanism and the router will do all the work. The router engineer needs to learn the most.

ISPs need to agree on routing native IPv6 or at least tunnelling it. Assigning IPv6 addresses is more important.

APPS? Some will not care; others need to use the new protocol. Example: Internet Explorer will first use the IPv6 address, then revert to IPv4 (can slow things down in a migration period).

ADDRESSING/SUBNETTING
Where do global addresses come from? The hierarchy: TJ's next hop is Virginia Tech, so they gave us our global subnet.
128-bit addresses (3.4 x 10^38); 10^9 with IPv4
7 x 10^23 global addresses for each square meter of the earth's surface
Link-local addresses (no router), similar to the 169.254.0.0/16 used by Microsoft
Site-local addresses, similar to the private 10.0.0.0/8 and 192.168.0.0/16

2001:0468:0CC0:0000:02E0:81FF:FE25:FA65 is www.tjhsst.edu
Shorten: 2001:468:cc0::2E0:81FF:FE25:FA65
TJ's network is 2001:468:cc0::/48
2001:468:cc0:0000:0000:0000:0000:0001
16^4 subnets inside of TJ = 65,000
16^16 nodes on each subnet = 10^19
Link-local addresses have a prefix FE80::/64; no traffic is forwarded through a router.
Site-local addresses have a prefix FEC0::/48; traffic forwards through internal routers but not through the border router to the world.

Instead of statefully using 2001:468:cc0:0000:0000:0000:0000:0001, the router will assign an address that has the Ethernet (MAC) address embedded, according to a special algorithm that presumes the /64 mask for the network. Thus subnets are best, but not required, to be masked /64. The new address might look like 2001:468:cc0:0001:290:96ff:fec3:380a. Note that an IPCONFIG /ALL at a DOS prompt shows a MAC address of 00-90-96-c3-38-0a, and note the ff:fe in the address above.

An example of a CISCO config:

Interface Vlan1
 Description Schools student network
 ipv6 address 2001:468:cc0:1::/64

Other than the Unicast addresses, IPv6 uses Multicast and Anycast addresses (no Broadcast!!!). A multicast address is used for one-to-many interfaces; an anycast address is used for one-to-one-of-many, usually by routers to communicate via the shortest distance.

s: the number of bits chosen for subnetting
m: the prefix length of the network being subnetted
F: the value of the subnet (in hex)
f = m - 48: the number of bits within the subnet already fixed
n = 2^s: the number of network prefixes obtained
i = 2^(16-(f+s)): the incremental value between each successive subnet (in hex)
l = 48 + f + s: the prefix length of the subnets

CREATING A LIST OF SUBNETTED NETWORK PREFIXES

The first new subnetted prefix: [48-bit prefix from ISP]:F::/l
The next new subnetted prefix: [48-bit prefix from ISP]:F+i::/l
etc. to a total of n

Example 1 (8 school district)


s = 3
m = 48
F = 0000
f = 48 - 48 = 0
n = 2^3 = 8
i = 2^(16-(0+3)) = 2^13 = 8192 = 2000h
l = 48 + 0 + 3 = 51

Subnet 2001:468:CC0::/48
2001:468:CC0:0000::/51
2001:468:CC0:2000::/51
2001:468:CC0:4000::/51
2001:468:CC0:6000::/51
2001:468:CC0:8000::/51
2001:468:CC0:A000::/51
2001:468:CC0:C000::/51
2001:468:CC0:E000::/51

Example 2 (one router network)


s = 16
m = 48
F = 0000
f = 48 - 48 = 0
n = 2^16 = 65536
i = 2^(16-(0+16)) = 2^0 = 1 = 0001h
l = 48 + 0 + 16 = 64

Subnet 2001:468:CC0::/48
2001:468:CC0:0000::/64
2001:468:CC0:0001::/64
2001:468:CC0:0002::/64
2001:468:CC0:0003::/64
2001:468:CC0:0004::/64
2001:468:CC0:0005::/64
2001:468:CC0:0006::/64
on up to 2001:468:CC0:FFFF::/64
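The subnetting procedure and both examples above can be reproduced with the following added example (not part of the original slides). It keeps the slide's symbols s, m, F, f, n, i and l, and goes one step beyond the two examples by also handling a prefix that is already partly subnetted (f > 0); the function name is illustrative.

```python
import ipaddress

def subnet_prefixes(site: str, s: int, m: int = 48, F: int = 0):
    """List the n = 2^s subnetted prefixes of a /48 site prefix.

    site: the 48-bit prefix from the ISP
    s:    number of bits chosen for subnetting
    m:    prefix length of the network being subnetted
    F:    value of the subnet being subnetted (16-bit, hex on the slides)
    """
    base = ipaddress.IPv6Network(site)
    if base.prefixlen != 48:
        raise ValueError("site prefix must be the /48 assigned by the ISP")
    f = m - 48                       # subnet bits already fixed
    if f < 0 or s < 1 or f + s > 16:
        raise ValueError("need m >= 48, s >= 1 and m + s <= 64")
    if F >> 16 or F & ((1 << (16 - f)) - 1):
        raise ValueError("F may only use the top f bits of the 16-bit subnet field")
    n = 2 ** s                       # number of prefixes obtained
    i = 2 ** (16 - (f + s))          # increment between successive subnets
    l = 48 + f + s                   # prefix length of the subnets
    site_int = int(base.network_address)
    # The 16-bit subnet field sits directly above the 64-bit interface ID.
    return [ipaddress.IPv6Network((site_int | ((F + k * i) << 64), l))
            for k in range(n)]

if __name__ == "__main__":
    for net in subnet_prefixes("2001:468:CC0::/48", s=3):         # Example 1
        print(net)
    print(len(subnet_prefixes("2001:468:CC0::/48", s=16)))        # Example 2
    # Beyond the slides: split the second /51 of Example 1 into four /53s.
    print(subnet_prefixes("2001:468:CC0::/48", s=2, m=51, F=0x2000))
```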

COEXISTENCE AND MIGRATION


ISATAP addresses
Teredo addresses
Installing IPv6

ISATAP addresses

Intra-site Automatic Tunnel Addressing Protocol (ISATAP) addresses are composed of a valid 64-bit unicast address prefix and the interface identifier ::0:5EFE:w.x.y.z (where w.x.y.z is a unicast IPv4 address assigned to an interface). An example of a link-local ISATAP address is FE80::5EFE:131.107.4.92. ISATAP is defined in the Internet draft titled "Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)" (draft-ietf-ngtrans-isatap-x.txt at http://www.ietf.org/internet-drafts/). For more information, see ISATAP in this white paper.

Host-to-Host Tunneling

Teredo addresses

Teredo addresses use the prefix 3FFE:831F::/32. An example of a Teredo address is 3FFE:831F:CE49:7601:8000:EFFF:62C3:FFFE. Beyond the first 32 bits, Teredo addresses are used to encode the IPv4 address of a Teredo server, flags, and the encoded version of a Teredo client's external address and port. Teredo is defined in the Internet draft titled "Teredo: Tunneling IPv6 over UDP through NATs" (draft-huitema-v6ops-teredo-0x.txt at http://www.ietf.org/internet-drafts/). For more information, see Teredo

Teredo is an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. 6to4 is another automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. However, 6to4 works well when a 6to4 router exists at the edge of the site. The 6to4 router uses a public IPv4 address to construct the 6to4 prefix and acts as an IPv6 advertising and forwarding router. The 6to4 router encapsulates and decapsulates IPv6 traffic sent to and from site nodes.

Teredo is designed as a last resort transition technology for IPv6 connectivity. If native IPv6, 6to4, or Intrasite Automatic Tunnel Addressing Protocol (ISATAP) connectivity is present, the host does not act as a Teredo client. As more IPv4 edge devices are upgraded to support 6to4 and IPv6 connectivity becomes ubiquitous, Teredo will be used less and less until finally it is not used at all.
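Because ISATAP, Teredo and 6to4 addresses all carry IPv4 addresses inside them, a defender reviewing logs can recognize tunneled IPv6 traffic and recover the IPv4 endpoints. The following is an added example, not part of the original slides; it uses the ISATAP identifier and Teredo prefix given above, while the 6to4 prefix 2002::/16 (RFC 3056) and the XOR encoding of the Teredo client fields (RFC 4380) come from the standards rather than from this page.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.IPv6Network("3ffe:831f::/32")   # prefix stated on this page
SIXTOFOUR_PREFIX = ipaddress.IPv6Network("2002::/16")     # from RFC 3056, not the page
ISATAP_MARKER = bytes.fromhex("00005efe")                 # ::0:5EFE:w.x.y.z

def classify_tunnel(addr: str) -> dict:
    """Identify a transition-mechanism address and decode its embedded IPv4 data."""
    ip = ipaddress.IPv6Address(addr)
    raw = ip.packed
    if ip in TEREDO_PREFIX:
        # Layout after the 32-bit prefix: server IPv4, flags, then the client's
        # external port and address, each stored with every bit inverted.
        port = int.from_bytes(raw[10:12], "big") ^ 0xFFFF
        client = bytes(b ^ 0xFF for b in raw[12:16])
        return {
            "type": "teredo",
            "server": str(ipaddress.IPv4Address(raw[4:8])),
            "flags": int.from_bytes(raw[8:10], "big"),
            "client": str(ipaddress.IPv4Address(client)),
            "port": port,
        }
    if ip in SIXTOFOUR_PREFIX:
        # The 6to4 router's public IPv4 address follows the 16-bit prefix.
        return {"type": "6to4", "router": str(ipaddress.IPv4Address(raw[2:6]))}
    if raw[8:12] == ISATAP_MARKER:
        return {"type": "isatap", "ipv4": str(ipaddress.IPv4Address(raw[12:16]))}
    return {"type": "other"}

if __name__ == "__main__":
    samples = [
        "FE80::5EFE:131.107.4.92",                    # ISATAP example from the page
        "3FFE:831F:CE49:7601:8000:EFFF:62C3:FFFE",    # Teredo example from the page
        "2002:c000:0204::1",                          # constructed 6to4 sample (192.0.2.4)
        "2001:468:cc0::1",                            # native address, no tunnel
    ]
    for sample in samples:
        print(sample, classify_tunnel(sample))
```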

Installing IPv6
1. Log on to the computer with a user account that has privileges to change network configuration.
2. Click Start, click Control Panel, and then double-click Network Connections.
3. Right-click any local area connection, and then click Properties.
4. Click Install.
5. In the Select Network Component Type dialog box, click Protocol, and then click Add.
6. In the Select Network Protocol dialog box, click Microsoft TCP/IP version 6, and then click OK.
7. Click Close to save changes to your network connection.

Alternately, from the Windows Server 2003 desktop, click Start, point to Programs, point to Accessories, and then click Command Prompt. At the command prompt, type netsh interface ipv6 install.

The IPv6 protocol for Windows Vista and Windows Server Longhorn is installed and enabled by default. It appears as the Internet Protocol Version 6 (TCP/IP) component on the Configure tab when you obtain the properties of a connection or adapter in the Connections and Adapters folder (available from the Network Center).

Alternately, from the Windows XP or Windows Server 2003 desktop, click Start, point to Programs, point to Accessories, and then click Command Prompt. At the command prompt, type netsh interface ipv6 uninstall.

ROUTING

ip name-server 198.38.31.9
ip name-server 2001:2F0:0:8800::1:1
!
!
ipv6 unicast-routing
ipv6 dhcp pool IPv6-dhcp-pool
 dns-server 2001:468:CC0:0:2E0:81FF:FE25:FAE8
 dns-server 2001:2F0:0:8800::1:1
 domain-name tjhsst.edu
!
interface FastEthernet2/0
 description Systems Lab IPv6 only
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:468:CC0::/64
 ipv6 nd other-config-flag
 ipv6 dhcp server IPv6-dhcp-pool
!
interface FastEthernet2/1
 description LAN IPv6 only
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:468:CC0:1::/64
 ipv6 nd other-config-flag
 ipv6 dhcp server IPv6-dhcp-pool
!
interface ATM3/0.1 point-to-point
 description Network VA and Internet-1
 ip address 63.170.115.114 255.255.255.252
 ip access-group 104 in
 atm pvc 1 0 34 aal5snap
!
interface ATM3/0.2 point-to-point
 description Abilene Internet-2
 ip address 65.172.70.210 255.255.255.252
 ip access-group 104 in
 atm pvc 2 0 33 aal5snap
 ipv6 address 2001:468:CFE:3001::2/64
 ipv6 traffic-filter IPv6-103 in
!
router bgp 3140
 bgp log-neighbor-changes
 neighbor 2001:468:CFE:3001::1 remote-as 7066
 neighbor 63.170.115.113 remote-as 7066
 neighbor 63.170.115.113 description Network Virginia
 neighbor 65.172.70.209 remote-as 7066
 neighbor 65.172.70.209 des Network Virginia Internet 2
 neighbor 157.130.61.57 remote-as 701
 !
 !
 address-family ipv4
 no neighbor 2001:468:CFE:3001::1 activate
 neighbor 63.170.115.113 activate
 neighbor 63.170.115.113 route-map nwv-local-pref-110 in
 neighbor 65.172.70.209 activate
 neighbor 65.172.70.209 route-map i2-local-pref-120 in
 neighbor 157.130.61.57 activate
 neighbor 157.130.61.57 route-map redundant out
 no auto-summary
 no synchronization
 network 198.38.16.0 mask 255.255.240.0
 exit-address-family
 !
 address-family ipv6
 neighbor 2001:468:CFE:3001::1 activate
 network 2001:468:CC0::/48
 exit-address-family
!
ipv6 route 2001:468:CC0::/48 Null0
!
ipv6 access-list IPv6-103
 deny ipv6 2001:468:CC0::/48 any
 permit tcp any host 2001:468:CC0:0:2E0:81FF:FE25:FA65 eq www
 permit tcp any any eq 22
 permit tcp any any established
 deny tcp any any
 permit udp any any eq ntp
 permit udp any any eq domain
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any
 deny ipv6 any any
!

NAME RESOLUTION / DNS SERVERS


DNS Infrastructure

A Domain Name System (DNS) infrastructure is needed for successful coexistence because of the prevalent use of names (rather than addresses) to refer to network resources. Upgrading the DNS infrastructure consists of populating the DNS servers with records to support IPv6 name-to-address and address-to-name resolutions. After the addresses are obtained using a DNS name query, the sending node must select which addresses are used for communication.

Address Records

The DNS infrastructure must contain the following resource records (populated either manually or dynamically) for the successful resolution of domain names to addresses:
A records for IPv4-only and IPv6/IPv4 nodes
AAAA records for IPv6-only and IPv6/IPv4 nodes

Pointer Records

The DNS infrastructure must contain the following resource records (populated either manually or dynamically) for the successful resolution of address to domain names (reverse queries):
PTR records in the IN-ADDR.ARPA domain for IPv4-only and IPv6/IPv4 nodes
PTR records in the IP6.ARPA domain for IPv6-only and IPv6/IPv4 nodes (optional).

SETTING UP A TEST LAB
