IPv6: Hype or Reality?

Tim Helming, Director of Product Management
Corey Nachreiner, CISSP, Sr. Network Security Strategist
Welcome!
IPv6: Hype, or Reality?
Answer: Yes!
You’re here because v6 matters to you
We’re here to help!
Things we’ll answer:
• How soon will I need v6?
• How do I prepare?
• What will the transition be like?
• How can WatchGuard help me?
Come On In: The Water’s Fine!
IPv4 is dead…long live IPv4!
Last 2 /8’s Allocated…
So, what does v6 adoption look like?
IPv6 is Everywhere….sort of…
Breadth, not depth
All regions are participating
Traffic Volumes Low
Source: Elise Gerich, IANA/ICANN
Sometimes “unofficial” data is the most interesting…
IP “Background Radiation”
• IPv4: 5.5 Gbps worldwide
• IPv6: 407 kbps for a big /12
Graphic: Geoff Huston, APNIC
OK….Pencils and Binoculars Ready?
IPv6 Primer
IPv6 Field Guide
IPv6 Technical Brief
What’s the problem with IPv4?
Simply put, it doesn’t offer enough addresses…
World Population:
Around 6.8 billion
Number of IPv4 addresses:
Around 4.3 billion
It Gets Worse…
People (personal computers) aren’t the only thing online…
IPv6 Technical Benefits
Exponentially more IP addresses
Fixed headers mean faster traffic
True end-to-end addressing. (No more NAT?)
Built in end-to-end security (IPSec)
Built in QoS functionality
Autoconfiguration
Great for mobiles
Quick IPv4 Address Recap
• Developed in 80s
• 2^32
• 4.3 billion possible addresses (4,294,967,296)
• Generally represented in decimal
• NAT allows more (1000s of devices can hide behind one IPv4 address)
One byte = 0 - 255
32-bit (four bytes) long
208.132.96.25
11010000.10000100.01100000.00011001
Dissecting an IPv6 Address
• Developed in 1998 (RFC 2460)
• 2^128
• 3.4 x 10^38 or 340 Undecillion (what?) possible addresses
•Generally represented in hexadecimal (HEX)
•Who needs NAT!
Two bytes = 0 – FFFF (65535)
128-bits (16 bytes) long
340 282 366 920 938 463 463 374 607 431 768 211 456
2560:1900:4545:0003:0200:F8FF:FE21:67CF
0010000111011010000000001101001100000000000000000010111100111011
0000001010101010000000001111111111111110001010001001110001011010
Shortening IPv6 Addresses
2001:0019:0545:0003:0200:0000:0000:67CF
Remove preceding zeros
2001:19:545:3:200:0:0:67CF
Remove groups of zeros
2001:19:545:3:200::67CF
2001:19:545:3:200:::67CF
Reading HEX Primer
Hexadecimal (base 16) is a numeral system with sixteen symbols
• 0-9 = well… zero through nine (duh)
• A-F = 10 – 15
• 10, 11, 12, 13 = 16, 17, 18, 19
Converting HEX to decimal:
4D5F
(4 x 16^3) + (13 x 16^2) + (5 x 16^1) + (15 x 16^0)
(16384) + (3328)+(80)+(15)
19807 or (0100110101011111)
Types of IPv6 Addresses
• Unicast Address – a one-to-one address:
  • Global – publicly routable address assigned by IANA (2000::/3)
  • Link local – local address assigned for autoconfiguration or neighbor discovery, etc. Not routed. (FE80::/10)
  • Unique local – like private addresses. Just used at the local site (FC00 or FD00::/8)
  • Special – special addresses like loopback or default gateway
  • Compatible – used for IPv4 to IPv6 migration
• Multicast Address – an address intended for one-to-many communication:
  • Multicast – sent to members in a multicast group
  • Broadcast – sent to all addresses on a network (technically, now an all-nodes multicast)
• Anycast Address – a new address used to send to the first recipient of a group
IPv6 Hierarchical Addressing
[Diagram: 2561:1900:4545:0003:0200:F8FF:FE21:67CF labeled with Global Routing Prefix, TLA ID, NLA ID, SLA ID and Interface ID]
IPv6 Subnetting
•CIDR only (slash notation)
•No concept of subnet masks
•/ followed by prefix size (decimal number 1-128)
2001:1900:4545:0003:0200:F8FF:FE21:67CF
/16 /32 /48
2001:1900:4545::/48 = 2001:1900:4545:0000:0000:0000:0000:0000 through 2001:1900:4545:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR to range tool: http://www.ultratools.com/tools/ipv6CIDRToRange
What about MAC?
•Hosts generate a unique “Interface Identifier”
• Called 64-bit Extended Unique Identifier or EUI-64
• 48-bit MAC addresses converted by adding FFFE to the middle
1. MAC Address: 90-3A-2B-06-2C-D1
2. Split in half: 90-3A-2B 06-2C-D1
3. Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1
4. Change 7th bit to 1: 92:3A:2B:FF:FE:06:2C:D1
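Added example (not from the original slides): the four steps above in Python, plus the reverse direction, which lets you tie an EUI-64 style address seen in a log back to a hardware address in your asset inventory. The function names and the SAMPLE list are illustrative assumptions; the first SAMPLE entry is constructed from the slide's MAC.

```python
import ipaddress

def mac_to_interface_id(mac: str) -> bytes:
    """Apply the four slide steps to a 48-bit MAC; returns the 8-byte interface ID."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]  # split in half, insert FFFE
    # Flip the universal/local bit (7th bit of the first byte). A factory-assigned
    # MAC has it at 0, so the flip sets it to 1, as on the slide.
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]

def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 prefix followed by the EUI-64 interface identifier."""
    prefix = bytes.fromhex("fe80") + bytes(6)
    return ipaddress.IPv6Address(prefix + mac_to_interface_id(mac))

def mac_from_ipv6(addr: str):
    """Return the MAC embedded in an EUI-64 style address, or None if there is none."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # interface ID was not built from a MAC
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{b:02X}" for b in mac)

def inventory(addresses):
    """Map each address to its embedded MAC (or None), e.g. to match logs to assets."""
    return {a: mac_from_ipv6(a) for a in addresses}

# Constructed sample: an address built from the slide's MAC, and the
# link-local example from the field guide slide (no FFFE in the middle).
SAMPLE = ["fe80::923a:2bff:fe06:2cd1", "FE80::28BB:0ACB:3F57:D837"]

if __name__ == "__main__":
    iid = mac_to_interface_id("90-3A-2B-06-2C-D1")
    print(":".join(f"{b:02X}" for b in iid))
    print(link_local_from_mac("90-3A-2B-06-2C-D1"))
    for addr, mac in inventory(SAMPLE).items():
        print(addr, "->", mac)
```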
What about ARP?
IPv6 replaces ARP with the Neighborhood Discovery Protocol. This new protocol combines many functions:
Host-to-Host Functions
• Address resolution (uses ICMPv6 Neighbor advertisement and solicitation msgs)
• Duplicate address detection
• Next-Hop determination
• Neighbor unreachable detection
Host/Router Discovery Functions
• Router Discovery
• Prefix Discovery
• Parameter Discovery
• Address Autoconfiguration
Redirect Function
Simplified Headers Mean Faster Traffic
[Figure: IPv4 header (20 bytes) compared with IPv6 header (40 bytes). Legend: Stays same, Dropped, Name/position change, New]
IPv4 header fields: Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
IPv6 header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address
IPv6 OS Support
Field Guide to Common IPv6 Addresses
Common Address Field Guide (1)
•Loopback address (was 127.0.0.1)
0000:0000:0000:0000:0000:0000:0000:0001
or
::1
•Link-local address (was 169.254.0.0/16)
FE80::/10
FE80::28BB:0ACB:3F57:D837
Common Address Field Guide (2)
•Default route (was 0.0.0.0/0)
0000:0000:0000:0000:0000:0000:0000:0000/0
or
::/0
•Unique Local Address or ULA (Also called Site Local. Similar to private networks)
FC00::/7
FC00::28BB:0ACB:3F57:D837
Common Address Field Guide (3)
•Multicast address (was 224.0.0.0/4)
FF00::/8
FF02::1
•Anycast address (new – send to the nearest node in a group)
Looks like a unicast address
Common Address Field Guide (4)
•6to4 addresses
2002::/16
Layout: 2002 (16 bits) | IPv4 address in hex (32 bits) | SLA ID (16 bits) | Interface ID (64 bits)
207.134.42.111 = 2002:CF86:2A6F::/48
Common Address Field Guide (5)
•Unique Global (public IP address)
2000::/3
2260:F3A4:32CB:715D:5D11:D837
Common Address Field Guide (6)
Other addresses/ranges of lesser note:
• 42::/16 - The Retiolum Prefix
• 2001::/32 - Teredo tunneling (transition mechanism)
• 2001:2::/48 - Assigned to BMWG
• 2001:10::/28 - ORCHID (Overlay Routable Cryptographic Hash Identifiers)
• 3FFE::/16 – 6Bone IPv6 Testbed addresses (legacy)
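Added example (not from the original slides): the field guide prefixes as a longest-prefix lookup for triaging IPv6 addresses in logs, with 6to4 handled in both directions (IPv4 to /48 prefix, and /48 back to the embedded IPv4). Function names and the table layout are illustrative assumptions; the prefixes and sample addresses are the ones on the slides.

```python
import ipaddress

# Prefixes from the field guide slides (order does not matter; the longest match wins).
FIELD_GUIDE = [
    ("::1/128", "loopback"),
    ("fe80::/10", "link-local"),
    ("fc00::/7", "unique local"),
    ("ff00::/8", "multicast"),
    ("2002::/16", "6to4"),
    ("2001::/32", "Teredo tunneling"),
    ("3ffe::/16", "6Bone testbed (legacy)"),
    ("2000::/3", "global unicast"),
]
TABLE = [(ipaddress.IPv6Network(p), label) for p, label in FIELD_GUIDE]
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")

def classify(addr: str) -> str:
    """Label an address with the most specific field guide prefix that contains it."""
    ip = ipaddress.IPv6Address(addr)
    matches = [(net.prefixlen, label) for net, label in TABLE if ip in net]
    return max(matches)[1] if matches else "unclassified"

def to_6to4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """2002 (16 bits) followed by the IPv4 address in hex (32 bits) gives a /48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def embedded_ipv4(addr: str):
    """Return the IPv4 address carried in bits 16-47 of a 6to4 address, else None."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SIX_TO_FOUR:
        return None
    return ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF)

def triage(addresses):
    """Return (address, label, embedded IPv4 or None) for each input address."""
    return [(a, classify(a), embedded_ipv4(a)) for a in addresses]

# Addresses from the slides; the 6to4 host address is constructed from the slide's /48.
SAMPLE = ["::1", "FE80::28BB:0ACB:3F57:D837", "FC00::28BB:0ACB:3F57:D837",
          "FF02::1", "2002:CF86:2A6F::1", "2001:19:545:3:200::67CF"]

if __name__ == "__main__":
    print(to_6to4_prefix("207.134.42.111"))
    for row in triage(SAMPLE):
        print(*row)
```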
IPv6 Technical Summary
Glossary
•IP address: Internet protocol address. An address network devices use to identify one another
•NAT: Network address translation. A standard to hide many special IPs behind one real IP
•Hexadecimal: A base-16 numbering system consisting of 0-F
•Routing Prefix: The first 64-bits of an IPv6 address, which identifies routing info
•Interface ID: The last 64-bits of an IPv6 address, which identifies a single host
•CIDR: Classless Inter-Domain Routing. A scalable method for assigning IPs and routing packets
•MAC: Media Access Control address. A unique address for specific network hardware
•ARP: Address resolution protocol. A standard for IPv4 devices to find one another locally
•EUI-64: A unique 64-bit identifier of IPv6, based on MAC
•Network Discovery (ND) Protocol: IPv6 replacement for ARP and more…
Glossary (cont.)
•Addresses
• Unicast Address: Specific One-to-one address
• Multicast Address: An address to communicate from one-to-many
• Anycast Address: A new type of address to communicate from one to the first in a group to receive.
• Loopback: Address that represents the local host
• Local Link: Required, non-routable address that connects to local network, and is used for autoconfiguration
• Default Route: Address that represents where to send non-local traffic
• Unique Local: Non-global address similar to IPv4 private networks
• 6to4: One of many IPv6 transition mechanisms
• Unique Global: A specific, publicly routable IPv6 host address
Things We Haven’t Covered (Lots)
IPv6 Security
IPv6 QoS
DHCPv6
IPv6 & DNS
ICMPv6
Transition and Tunneling mechanisms
Header Extensions
IPv6 Mobility
And much more…
Extra Reading Material for Geeks
IPv6 Request For Comments (RFCs):
• RFC 1752 (1995): The Recommendation for IP Next Generation (IPng) Protocol
• RFC 2460 (1998): Internet Protocol Version 6 (IPv6) Specification
• RFC 2462: IPv6 Stateless Address Autoconfiguration
• RFC 3775: Mobility Support in IPv6
• RFC 2893: Transition Mechanisms for IPv6 Hosts and Routers
• RFC 2373: IP Version 6 Addressing Architecture
And many more (over 70 RFCs related to IPv6):
http://oversteer.bl.echidna.id.au/IPv6/RFC/
Wrapping Up
You Have Some New IPv6 Knowledge….Now What?
Continue Learning and Exploring!
Start Playing: Use v6 internally now, even if just in a lab
Attend WatchGuard’s Upcoming Webinars!
Thank You!