IPv6: Hype or Reality?

Tim Helming, Director of Product Management
Corey Nachreiner, CISSP, Sr. Network Security Strategist

Welcome!

IPv6: Hype, or Reality?
Answer: Yes!
You’re here because v6 matters to you
We’re here to help!
Things we’ll answer:
• How soon will I need v6?
• How do I prepare?
• What will the transition be like?
• How can WatchGuard help me?

Come On In: The Water’s Fine!

IPv4 is dead…long live IPv4!
Last 2 /8’s Allocated…

So, what does v6 adoption look like?

IPv6 is Everywhere….sort of…
Breadth, not depth
All regions are participating
Traffic Volumes Low
Source: Elise Gerich, IANA/ICANN

Sometimes “unofficial” data is the most interesting…
IP “Background Radiation”
• IPv4: 5.5 Gbps worldwide
• IPv6: 407 kbps for a big /12
Graphic: Geoff Huston, APNIC

OK….Pencils and Binoculars Ready?
IPv6 Primer
IPv6 Field Guide

IPv6 Technical Brief

What’s the problem with IPv4?
Simply put, it doesn’t offer enough addresses…
World Population: Around 6.8 billion
Number of IPv4 addresses: Around 4.3 billion

It Gets Worse…
People (personal computers) aren’t the only thing online…

IPv6 Technical Benefits
Exponentially more IP addresses
Fixed headers means faster traffic
True end-to-end addressing. (No more NAT?)
Built in end-to-end security (IPSec)
Built in QoS functionality
Autoconfiguration
Great for mobiles

Quick IPv4 Address Recap
• Developed in 80s
• 2^32
• 4.3 billion possible addresses (4,294,967,296)
• Generally represented in decimal
• NAT allows more (1000s of devices can hide behind one IPv4 address)
One byte = 0 - 255
32-bit (four bytes) long
208.132.96.25
11010000.10000100.01100000.00011001

Dissecting an IPv6 Address
• Developed in 1998 (RFC 2460)
• 2^128
• 3.4 x 10^38 or 340 Undecillion (what?) possible addresses
• Generally represented in hexadecimal (HEX)
• Who needs NAT!
Two bytes = 0 – FFFF (65535)
128-bits (16 bytes) long
340 282 366 920 938 463 463 374 607 431 768 211 456
2560:1900:4545:0003:0200:F8FF:FE21:67CF
0010000111011010000000001101001100000000000000000010111100111011
0000001010101010000000001111111111111110001010001001110001011010

Shortening IPv6 Addresses
2001:0019:0545:0003:0200:0000:0000:67CF
Remove preceding zeros
2001:19:545:3:200:0:0:67CF
Remove groups of zeros
2001:19:545:3:200::67CF
2001:19:545:3:200:::67CF

Reading HEX Primer
Hexadecimal (base 16) is a numeral system with sixteen symbols
• 0-9 = well… zero through nine (duh)
• A-F = 10 – 15
• 10, 11, 12, 13 = 16, 17, 18, 19
Converting HEX to decimal: 4D5F
(4 x 16^3) + (13 x 16^2) + (5 x 16^1) + (15 x 16^0)
(16384) + (3328) + (80) + (15)
19807 or (0100110101011111)

Types of IPv6 Addresses
• Unicast Address – a one-to-one address:
  • Global – publicly routable address assigned by IANA (2000::/3)
  • Link local – Local address assigned for auto configuration or neighbor discovery, etc… not routed. (FE80::/10)
  • Unique local – like private addresses. Just used at local site (FC00 or FD00::/8)
  • Special – special addresses like loopback or default gateway
  • Compatible – used for IPv4 to IPv6 migration
• Multicast Address – an address intended for one-to-many communication:
  • Multicast – sent to members in a multicast group
  • Broadcast – sent to all addresses on a network (technically, now an all-nodes multicast)
• Anycast Address – a new address used to send to the first recipient of a group

IPv6 Hierarchical Addressing
2561:1900:4545:0003:0200:F8FF:FE21:67CF
[Diagram labels: Global Routing Prefix, Prefix, TLA ID, NLA ID, SLA ID, Interface ID]

IPv6 Subnetting
• CIDR only (slash notation)
• No concept of subnet masks
• / followed by prefix size (decimal number 1-128)
2001:1900:4545:0003:0200:F8FF:FE21:67CF
/16 /32 /48
2001:1900:4545::/48 =
  2001:1900:4545:0000:0000:0000:0000:0000 through
  2001:1900:4545:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR to range tool: http://www.ultratools.com/tools/ipv6CIDRToRange

What about MAC?
• Hosts generate a unique “Interface Identifier”
  • Called 64-bit Extended Unique Identifier or EUI-64
  • 48-bit MAC addresses converted by adding FFFE to the middle
1. MAC Address: 90-3A-2B-06-2C-D1
2. Split in half: 90-3A-2B 06-2C-D1
3. Insert FFFE: 90:3A:2B:FF:FE:06:2C:D1
4. Change 7th bit to 1: 92:3A:2B:FF:FE:06:2C:D1

What about ARP?
IPv6 replaces ARP with the Neighborhood Discovery Protocol. This new protocol combines many functions:
Host-to-Host Functions
• Address resolution (uses ICMPv6 Neighbor advertisement and solicitation msgs)
• Duplicate address detection
• Next-Hop determination
• Neighbor unreachable detection
Host/Router Discovery Functions
• Router Discovery
• Prefix Discovery
• Parameter Discovery
• Address Autoconfiguration
Redirect Function

Simplified Headers Mean Faster Traffic
[Figure: IPv4 and IPv6 header layouts. Legend: Stays same, Dropped, Name/position change, New]
IPv4 Header (20 bytes): Version, IHL, Type of Service, Total Length, Identification, Flags, Fragment Offset, Time to Live, Protocol, Header Checksum, Source Address, Destination Address, Options, Padding
IPv6 Header (40 bytes): Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address

IPv6 OS Support

Field Guide to Common IPv6 Addresses

Common Address Field Guide (1)
• Loopback address (was 127.0.0.1)
  0000:0000:0000:0000:0000:0000:0000:0001 or ::1
• Link-local address (was 169.254.0.0/16)
  FE80::/10
  FE80::28BB:0ACB:3F57:D837

Common Address Field Guide (2)
• Default route (was 0.0.0.0/0)
  0000:0000:0000:0000:0000:0000:0000:0000/0 or ::/0
• Unique Local Address or ULA (Also called Site Local. Similar to private networks)
  FC00::/7
  FC00::28BB:0ACB:3F57:D837

Common Address Field Guide (3)
• Multicast address (was 224.0.0.0/4)
  FF00::/8
  FF02::1
• Anycast address (new – send to the nearest node in a group)
  Looks like a unicast address

Common Address Field Guide (4)
• 6to4 addresses
  2002::/16
  16 bits: 2002 | 32 bits: IPv4 address (hex) | 16 bits: SLA ID | 64 bits: Interface ID
  207.134.42.111 = 2002:CF86:2A6F::/48

Common Address Field Guide (5)
• Unique Global (public IP address)
  2000::/3
  2260:F3A4:32CB:715D:5D11:D837

Common Address Field Guide (6)
Other addresses/ranges of lesser note:
• 42::/16 - The Retiolum Prefix
• 2001::/32 - Teredo tunneling (transition mechanism)
• 2001:2::/48 - Assigned to BMWG
• 2001:10::/28 - ORCHID (Overlay Routable Cryptographic Hash Identifiers)
• 3FFE::/16 – 6Bone IPv6 Testbed addresses (legacy)

IPv6 Technical Summary

Glossary
• IP address: Internet protocol address. An address network devices use to identify one another
• NAT: Network address translation. A standard to hide many special IPs behind one real IP
• Hexadecimal: A base-16 numbering system consisting of 0-F
• Routing Prefix: The first 64-bits of an IPv6 address, which identifies routing info
• Interface ID: The last 64-bits of an IPv6 address, which identifies a single host
• CIDR: Classless Inter-Domain Routing. A scalable method for assigning IPs and routing packets
• MAC: Media Access Control address. A unique address for specific network hardware
• ARP: Address resolution protocol. A standard for IPv4 devices to find one another locally
• EUI-64: A unique 64-bit identifier of IPv6, based on MAC
• Network Discovery (ND) Protocol: IPv6 replacement for ARP and more…

Glossary (cont.)
• Addresses
  • Unicast Address: Specific One-to-one address
  • Multicast Address: An address to communicate from one-to-many
  • Anycast Address: A new type of address to communicate from one to the first in a group to receive.
  • Loopback: Address that represents the local host
  • Local Link: Required, non-routable address that connects to local network, and is used for autoconfiguration
  • Default Route: Address that represents where to send non-local traffic
  • Unique Local: Non-global address similar to IPv4 private networks
  • 6to4: One of many IPv6 transition mechanisms
  • Unique Global: A specific, publicly routable IPv6 host address

Things We Haven’t Covered (Lots)
IPv6 Security
IPv6 QoS
DHCPv6
IPv6 & DNS
ICMPv6
Transition and Tunneling mechanisms
Header Extensions
IPv6 Mobility
And much more…

Extra Reading Material for Geeks
IPv6 Request For Comments (RFCs):
• RFC 1752 (1995): The Recommendation for IP Next Generation (IPng) Protocol
• RFC 2460 (1998): Internet Protocol Version 6 (IPv6) Specification
• RFC 2462: IPv6 Stateless Address Autoconfiguration
• RFC 3775: Mobility Support in IPv6
• RFC 2893: Transition Mechanisms for IPv6 Hosts and Routers
• RFC 2373: IP Version 6 Addressing Architecture
And many more (over 70 RFCs related to IPv6): http://oversteer.bl.echidna.id.au/IPv6/RFC/

Wrapping Up

You Have Some New IPv6 Knowledge….Now What?
Continue Learning and Exploring!
Start Playing: Use v6 internally now, even if just in a lab
Attend WatchGuard’s Upcoming Webinars!

Thank You!
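
Added example (not part of the original deck): the EUI-64 conversion from the "What about MAC?" slide and the 6to4 mapping from "Common Address Field Guide (4)", run in both directions so that addresses seen in logs can be tied back to a hardware MAC or an embedded IPv4 address. It uses Python's standard ipaddress module; the function names and the sample list are assumptions made for illustration.

```python
import ipaddress

# Prefixes from the deck's "Common Address Field Guide" slides, most specific first.
FIELD_GUIDE = [("loopback", "::1/128"), ("link-local", "fe80::/10"),
               ("unique-local", "fc00::/7"), ("multicast", "ff00::/8"),
               ("6to4", "2002::/16"), ("teredo", "2001::/32"),
               ("global-unicast", "2000::/3")]

def classify(addr):
    """Label an address with the first field-guide prefix that contains it."""
    ip = ipaddress.IPv6Address(addr)
    for label, prefix in FIELD_GUIDE:
        if ip in ipaddress.IPv6Network(prefix):
            return label
    return "other"

def mac_to_eui64(mac):
    """Split the MAC in half, insert FFFE, invert the 7th bit of the first byte
    (for the deck's MAC 90-3A-2B-06-2C-D1 the inversion sets that bit to 1)."""
    b = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return ":".join(f"{x:02X}" for x in eui)

def eui64_to_mac(addr):
    """Recover the MAC from an EUI-64 interface ID, or None if FFFE is absent.
    A random interface ID can contain FFFE by chance, so treat hits as leads."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return "-".join(f"{x:02X}" for x in mac)

def ipv4_to_6to4(ipv4):
    """Build the 2002:<IPv4 in hex>::/48 prefix for an IPv4 address."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))

def triage(addresses):
    """Annotate addresses (e.g. from firewall logs) with what they reveal."""
    out = []
    for a in addresses:
        ip = ipaddress.IPv6Address(a)
        v4 = str(ip.sixtofour) if ip.sixtofour else None
        out.append({"addr": ip.compressed, "type": classify(a),
                    "mac": eui64_to_mac(a), "ipv4": v4})
    return out

# Constructed sample: the deck's link-local example, its MAC example as a
# link-local EUI-64 address, and a host inside its 6to4 example prefix.
SAMPLE = ["FE80::28BB:0ACB:3F57:D837", "fe80::923a:2bff:fe06:2cd1",
          "2002:CF86:2A6F::1"]
```

Calling triage(SAMPLE) shows why EUI-64 addressing matters to defenders: the second address exposes the host's MAC, and the third exposes the IPv4 address behind the 6to4 prefix.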