Understanding IPv6
Nicholas A. Hay, Monroe County ISD
nicholas.hay@monroeisd.us

Some of the session materials in the presentation were from a presentation that Merit sponsored with a presenter from NYSERNet. A thank you goes to Jeff Harrington for his presentation and materials I used for this presentation.

Why IPv6?
• Address Depletion
  – As of 2/2011, the IANA free pool has been depleted.
  – APNIC and RIPE are under emergency allocation policies, and ARIN is projected to be depleted in March 2015.
• Service providers who run out of IPv4 addresses are planning on implementing Carrier Grade NATs (sometimes referred to as NAT444).
  – Services like VPNs, Remote Desktop, Skype, etc. may stop working from home networks to campuses.
  – How will that impact your user community?

Why IPv6?
• Removes the need to NAT, since every address is a public address.
  – NAT can break things, especially multimedia.
• The size of the address space is 2^128, versus 2^32 in IPv4.
• Every organization receiving IPv6 address space will have enough addresses to cover current and long-term needs.
• IPv6 may be the only way to continue to provide some services.
• IPv4 will probably be phased out over the next 15 years. It is not a matter of if but when.

Why IPv6?
• IPv6-only networks on the internet are increasing.
  – The XBOX network is an IPv6-only network.
• Note: a lot of IP phone systems do not support IPv6.

Why move to IPv6?
• Worldwide communication. IPv6 is needed for populated areas such as China and Europe.
• IPv6-only networks will be appearing sooner rather than later.
• Networks have grown haphazardly and organically.
  – Subnets have been allocated inefficiently.
  – Services have grown past their intended purpose.
  – Cannot make changes to the design now; cannot impact services in production.
• IPv6 gives you the opportunity for a fresh look at your network design.

Why move to IPv6?
• Adoption has been slow for no particular reason.
  – No deadline like Y2K
  – No killer app
  – IPv6 compatibility is now a requirement for government bids.
  – People are desensitized: there has been a lot of buzz about it, but people are not seeing any urgency in implementing it.

Why move to IPv6 now?
• Security
  – Most devices are already running IPv6.
  – Exploits for IPv6 already exist.
• Deployment
  – IPv6 requires planning and may take 1-2 years to implement.
• Eliminate the need to NAT users and devices.

IPv4 vs IPv6 Packet Types
• Similarities
  – Unicast
  – Multicast
  – Anycast
• Differences
  – No broadcast in IPv6.
    • This function is taken over by multicast.
    • Helps mitigate some DDoS attacks.

IPv6 Addressing Usage
• 2 distinct components
  – 64-bit field designated for the network portion
  – 64-bit field designated for the host portion
• There are a few exceptions.

IPv6 Address Representation
• All addresses are 128 bits.
• Written as a sequence of eight groups of four hex digits (16 bits each) separated by colons.
• E.g. 3ffe:3700:0200:00ff:0000:0000:0000:0001

Types of Unicast Addresses
• Unspecified address
  – All zeros (::)
  – Used as source address during initialization
  – Also used in representing the default route
• Loopback address
  – Low-order one bit (::1)
  – Same as 127.0.0.1 in IPv4
• Link-local address
  – Unique on a subnet
  – Auto-configured
  – High-order: FE80::/10
  – Low-order: interface identifier
  – Routers must not forward any packets with link-local source or destination addresses

Obtaining IPv6 Addresses
• Provider-Independent (PI)
  – You can reserve a range from ARIN and move it from one ISP to another.
• Provider-Assigned (PA)
  – The minimum you should receive is a /48.
  – Only usable if you have a single connection.
  – You get this from your ISP; it is part of their scope.
IPv6 Addresses Scope
• Sizing
  – http://www.howfunky.com/2014/01/gettingyour-first-ipv6-address.html

  Number of Sites    Prefix Block Size
  1                  /48
  2-12               /44
  13-192             /40
  193-3,072          /36
  3,072-49,152       /32

Representation of IPv6 Address
• All addresses are 128 bits.
• Written as a sequence of eight groups of four hex digits (16 bits each) separated by colons.
  – Leading zeros in a group may be omitted.
  – A contiguous run of all-zero groups may be replaced by “::”.
    • Only one such run can be replaced.

IPv6 Notation
• In IPv6 every address is written:
  – <ipv6-address>/<prefix length>
• For example:
  – 2001:0db8::/36
  – 2001:0db8::/32
• At the bit level:
  – 0010 0000 0000 0001 : 0000 1101 1011 1000 :: /36
  – 0010 0000 0000 0001 : 0000 1101 1011 1000 :: /32
• These look the same, except for the prefix length.

IPv6 Addressing Example
• Consider
  – 3ffe:3700:0200:00ff:0000:0000:0000:0001
• This can be written as
  – 3ffe:3700:200:ff:0:0:0:1 or
  – 3ffe:3700:200:ff::1
• Both reduction methods are used here.

Assigning IPv6 Addresses
• Static
  – Similar to IPv4, but it is not as easy to configure or remember as IPv4.
  – Good for servers and printers.
• Stateless Address Autoconfiguration (SLAAC)
  – Assumes that each interface can provide a unique identifier for that interface.
• DHCPv6
  – Provides DNS info.
  – Better control and tracking of IPv6 usage.
  – Doesn’t work on Android devices; SLAAC is needed.
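As an added example (not from the slides), the Python below applies the two reduction rules above to a full eight-group address, cross-checks the result against the standard library, and shows that 2001:0db8::/36 and 2001:0db8::/32 differ only in how many /64 subnets they contain. The function names are my own.

```python
import ipaddress

def compress_ipv6(addr: str) -> str:
    """Apply the slide's two reduction rules to a full 8-group address:
    1. drop leading zeros in each 16-bit group;
    2. replace the longest run of two or more all-zero groups with '::',
       exactly once (ties go to the leftmost run, as RFC 5952 requires).
    A single zero group is never collapsed, so 'a:0:b' stays 'a:0:b'."""
    groups = addr.lower().split(":")
    if len(groups) != 8 or any(not 1 <= len(g) <= 4 for g in groups):
        raise ValueError("expected eight colon-separated hex groups")
    groups = [format(int(g, 16), "x") for g in groups]  # rule 1
    best_start, best_len, i = -1, 0, 0
    while i < 8:                                        # find longest zero run
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    left = ":".join(groups[:best_start])                # rule 2
    right = ":".join(groups[best_start + best_len:])
    return f"{left}::{right}"

def matches_stdlib(addr: str) -> bool:
    """Cross-check against ipaddress, which also follows RFC 5952."""
    return compress_ipv6(addr) == ipaddress.IPv6Address(addr).compressed

def subnets_of_64(prefix: str) -> int:
    """How many /64 subnets a prefix holds: the only thing that differs
    between 2001:db8::/36 and 2001:db8::/32 is this number."""
    net = ipaddress.IPv6Network(prefix)
    return 2 ** (64 - net.prefixlen)

if __name__ == "__main__":
    for a in ("3ffe:3700:0200:00ff:0000:0000:0000:0001",
              "2001:0db8:0000:0000:0001:0000:0000:0001"):
        print(a, "->", compress_ipv6(a), "stdlib agrees:", matches_stdlib(a))
    for p in ("2001:0db8::/36", "2001:0db8::/32"):
        print(p, "holds", subnets_of_64(p), "/64 subnets")
```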
Assigning IPv6 Addresses
• Most organizations will probably need to implement both SLAAC and DHCPv6.

IPv6 Security Considerations
• Most of the same threats still exist
  – Sniffing
  – Rogue devices
  – Man-in-the-middle (MITM) attacks
  – Flooding
• IPsec is built in to the IPv6 spec
  – Could mitigate most of these threats, if used
  – IPv4 ESP traffic estimated as low as 0.9%
  – IPv6 accounts for <1% of traffic on Internet2, making IPsec usage largely insignificant
  – http://www.uoregon.edu/~joe/ipv6-security/

IPv6 Security Considerations
• Most host OS implementations have IPv6 on by default
  – Devices can communicate using the link-local addresses
  – Autoconfiguration means no administrative involvement is necessary to have “live” IPv6 hosts on your network

IPv6 DNS
• Similar to IPv4.
• It is impossible to remember IPv6 addresses, and DNS is the only way to remain sane.
• Forward lookups use AAAA records to map names to addresses.
• Can advertise both A and AAAA records in the same domain.
• Host OSs prefer IPv6 responses by default: they will use IPv6 before IPv4.

IPv6 Planning
• IPv6 requires some thoughtful planning to address future growth and the grouping of subnets.
• Perform an assessment of existing infrastructure
  – Get all switches, software versions and end-of-service dates, and validate whether they support IPv6. Check which features are supported, since “IPv6 support” can mean many things.
• Assess applications and validate whether they are IPv6 ready.

IPv6 Planning: Subnetting
• Each “site” should receive a /48. This leaves 16 bits for subnetting (0000 – FFFF). So what do you do with them?

  Network address (48 bits) | 16 bits | EUI host address (64 bits)

• Subnets or combinations of nets & subnets, or VLANs, etc., e.g.
  – 192.168.129.0/24  ->  2001:DB8:C0A8:0081::/64
  – 172.16.32.0/24    ->  2001:DB8:AC10:0020::/64
  – 10.0.164.0/24     ->  2001:DB8:0A00:00A4::/64
• /64 is what a subnet SHOULD BE!!!!! DON'T CHANGE IT.
THIS MAY BREAK SOME SERVICES.

IPv6 Planning: Subnetting
• A site is a /48.
• First-level subnetting (i.e. districts for ISDs) would be /52 top-level subnets (16 subnets).
• Second level is usually /56 or /60.
• Third level is usually /60.
• /64 is the host/user level.

IPv6 Planning: Subnetting (New Subnet Concepts)
• You can use “all 0s” and “all 1s”! (0000, ffff)
• You’re not limited to 254 hosts per subnet!
• Switch-rich LANs allow for larger broadcast domains (with tiny collision domains), perhaps thousands of hosts/LAN…
• No “secondary subnets” (though >1 address/interface)
• Every /64 subnet has far more than enough addresses to contain all of the computers on the planet, and with a /48 you have 65536 of those subnets - use this power wisely!

IPv6 Planning
• Develop a plan once you have your address space and subnets worked out
  – Will probably run in dual-stack mode rather than just IPv4 or IPv6. Both will run side by side.
  – Get IPv6 address space
  – Work with ISP to advertise IPv6 range
  – Set up router/firewall
  – Configure other network switches with IPv6
  – Configure IPv6 on servers and other devices
  – Clients

IPv6 Tools
• UK CPNI Toolkit
  – Provides assessment tools to discover known IPv6 exploits: ICMP, NA/ND, RA/RS, etc.
  – http://www.si6networks.com/tools/ipv6toolkit/
• THC-ipv6
  – Scans for IPv6 vulnerabilities
  – www.thc.org/thc-ipv6
• ipv6mon
  – Active probes to discover IP addresses in use.
  – http://www.si6networks.com/tools/ipv6mon
• Chrome plugin to detect whether a website is reached over IPv4 or IPv6
  – IPvFoo

Dual Stack
• For many organizations this will be the mode that lets you run IPv4 and IPv6 together; it makes migration painless since clients can use both.

Securing your Current Network
• http://blogs.cisco.com/security/securingipv6/
• RA (Router Advertisement) Guard
  – ipv6 nd suppress-ra
  – This will ensure that a device plugged into your network can’t hijack traffic by advertising its route, since IPv6 routes take priority over IPv4.
Sample Network Diagram

Our IPv6 Space
• We have approx. 20 districts and over 100 buildings. We are looking to treat each district as a “site” that gets a /48.

Our IPv6 Space
• 2620:11B:1000::/48 – District 1
  – 2620:11B:1000:00::/56 – Building 1 (up to 256 buildings per district)
    • 2620:11B:1000:0000::/64 – network a (up to 256 networks per building)
    • 2620:11B:1000:0001::/64 – network b
  – Could do a /60 and /64 to segment the network rather than /56 and /64, to further identify equipment
    » Ex: one nibble could be an identifier for whether the network is wireless, wired, staff, students, printers, etc.
  – Each /64 network can have up to 18,446,744,073,709,551,616 IP addresses!
  – 2620:11B:1000:0f::/56 – Building 15
• 2620:11B:1001::/48 – District 2
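As an added example, not code from the deck, this Python turns the two allocation schemes above into functions: the /24-to-/64 mapping from the subnetting slide (octets 1-2 become the third hextet, octet 3 the fourth, under a /32 parent) and the district /48 to building /56 to network /64 carve-up from “Our IPv6 Space”. Building and network indexes are assumed to start at 0, so building index 15 occupies the high byte of the fourth hextet (…:f00::/56); the function names are my own.

```python
import ipaddress

def ipv4_24_to_ipv6_64(ipv4_net: str, parent: str = "2001:db8::/32") -> ipaddress.IPv6Network:
    """Map an IPv4 /24 onto a /64 under a /32 parent the way the subnetting
    slide does: octets 1-2 fill the third hextet, octet 3 fills the fourth.
    192.168.129.0/24 -> 2001:db8:c0a8:81::/64."""
    v4 = ipaddress.IPv4Network(ipv4_net)
    p = ipaddress.IPv6Network(parent)
    if v4.prefixlen != 24 or p.prefixlen != 32:
        raise ValueError("scheme only defined for an IPv4 /24 under an IPv6 /32")
    o1, o2, o3, _ = v4.network_address.packed
    bits = int(p.network_address) | (o1 << 88) | (o2 << 80) | (o3 << 64)
    return ipaddress.IPv6Network((bits, 64))

def carve(site: str, building: int, network: int) -> ipaddress.IPv6Network:
    """District site /48 -> building /56 (256 per site) -> network /64
    (256 per building). Indexes start at 0 (an assumption; the deck does
    not say)."""
    s = ipaddress.IPv6Network(site)
    if s.prefixlen != 48:
        raise ValueError("a site is a /48")
    if not (0 <= building < 256 and 0 <= network < 256):
        raise ValueError("building and network must be 0..255")
    # prefix bits 48-55 select the building, bits 56-63 the network
    bits = int(s.network_address) | (building << 72) | (network << 64)
    return ipaddress.IPv6Network((bits, 64))

def building_prefix(site: str, building: int) -> ipaddress.IPv6Network:
    """The /56 that carve() places all of a building's /64s under."""
    return carve(site, building, 0).supernet(new_prefix=56)

if __name__ == "__main__":
    for v4 in ("192.168.129.0/24", "172.16.32.0/24", "10.0.164.0/24"):
        print(v4, "->", ipv4_24_to_ipv6_64(v4))
    site = "2620:11b:1000::/48"                    # District 1 from the deck
    print("Building 1, network a:", carve(site, 0, 0))
    print("Building 1, network b:", carve(site, 0, 1))
    print("Building index 15:", building_prefix(site, 15))
    print("addresses per /64:", carve(site, 0, 0).num_addresses)
```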