IPv6 for Fun and Profit
“Onions have layers, and Ogres have layers!” I don’t know why, but that’s one of my favorite scenes from Shrek. Of course, networking has layers as well – and we’ve come to the biggest and most important of them, from a CCIE candidate’s perspective: Layer 3. Shrek’s struggle to explain the concept of layers is not one that network engineers are unfamiliar with. Most of us have at times tried to explain OSI concepts to people, and the fact is simply that while it’s not insanely difficult to understand, it does take patience and effort to really wrap your head around the idea of the different layers of the OSI model when you’re first learning networking. IPv6 is like that as well. You may grasp some basic ideas at first, but it takes time, effort, patience and experience to really understand it the way we’ve become intimately familiar with IPv4. So here are the IPv6-focused exam blueprints that we’ll look at today:
3.1 Addressing technologies
3.1.b Identify, implement and troubleshoot IPv6 addressing and subnetting
3.1.b [i] Unicast, multicast
3.1.b [ii] EUI-64
3.1.b [iii] ND, RS/RA
3.1.b [iv] Autoconfig/SLAAC, temporary addresses [RFC4941]
3.1.b [v] Global prefix configuration feature
3.1.b [vi] DHCP protocol operations
3.1.b [vii] SLAAC/DHCPv6 interaction
3.1.b [viii] Stateful, stateless DHCPv6
3.1.b [ix] DHCPv6 prefix delegation
I’m not going to go into detail about IPv4 addressing, subnetting, CIDR, etc… as we’ve talked about before, those are all concepts that we’re very familiar with by the time we’re here. This isn’t being said to minimize the importance of mastering these concepts by any means, but it is something that most engineers are so overwhelmingly familiar with by the time that they get to this point, that it’s not really worth rehashing, at least not in the IPv4 world. IPv6, on the other hand, is a particular weak spot for me, so I will go into quite a bit of detail on IPv6 operations and addressing. Let’s get started!
One further thing I’ll say before going much further: INE has a few great labs to walk through if you’re interested in a good source for real-world implementation practice. It’s a bit surprising to me how many other resources simply put text in place that can basically be paraphrased as: “IPv4 does it this way… and if you know the IPv4 process, then you pretty much know how it’s done in IPv6, so we’re not going to cover it or give examples.” I haven’t taken the tests yet, so I can’t say for certain how much IPv6 is emphasized, but it really feels like taking this stuff for granted would really be a huge mistake.
Identify, implement and troubleshoot IPv6 addressing and subnetting
I’ll still skip the basic introduction to IPv6 where you would normally cover the advantages of a 128-bit address and what those addresses look like, but that’s about the only knowledge I’ll assume in the IPv6 world.
Let’s quickly revisit the IPv6 shorthand rules. First, leading zeroes within the 16-bit sets can be left off. Second, once per address, consecutive sets of zeroes may be abbreviated with a double-colon “::”. So, an address like FE80:0000:0000:0000:0001:0002:0003:0004 can be shortened to FE80::1:2:3:4.
IPv6 addresses that begin with 2000 through 3FFF are known as Aggregatable Global Unicast Addresses… which is a fancy way of saying that they are the routable addresses that will be used on the public internet. That means that, for the time being, we are only reserving one eighth of the address space for the Internet.
Addresses in the FC00 range are Unique Local addresses. These are the IPv6 equivalent of the RFC1918 addresses in IPv4. If you first studied IPv6 about 4-6 years ago as I did (and got CCNP R/S certified in that time frame), then you may remember the concept of “site local addresses.” Those addresses were in the FEC0 range, but have since been deprecated in favor of Unique Local addresses. The basic idea behind these addresses is that you want them to be routable within your organization, but not on the public internet.
Addresses beginning with FE80 are considered Link Local addresses. There isn’t exactly an IPv4 equivalent for these. Link local addresses are not routable, but are reachable on the local segment. These addresses can’t be routed, because EVERY LAN segment uses this same prefix for its link local addresses. This address range provides devices with a means to communicate with other devices on their segment immediately, without the need for an address to be assigned first. This is especially necessary in DHCPv6 environments, because there are no broadcasts in IPv6, so a host needs some method of connectivity in order to work through DHCP.
Every IPv6 interface has a Link Local address. Link local addresses can be automatically generated with an interface’s EUI-64 address – a concept that we’ll cover momentarily. Alternatively, you can manually configure these addresses with the interface ipv6 address FE80::XXXX link-local command. The “XXXX” portion can be of any length up to the max size of the IPv6 address, as the double-colons do not need to act as a shorthand for a set number of Hex characters. Link local addressing has many more functions as well, and we’ll cover those as we discuss those topics in detail.
Finally, multicast IPv6 addresses all begin with FF.
IPv6 Unicast and Multicast
IPv6 does away with broadcasts. Unicast and multicast are, by and large, the same concepts in IPv6 that they are in IPv4. Curiously, the CCIE objectives make no mention of another address type: anycast. Anycast addresses are addresses that are assigned to multiple hosts. A client looking for a resource can direct traffic to an anycast address, and it will be directed to the nearest host that has that address. “Nearest” in this context is that which the routing protocol sees as having the best metric to that address.
Another concept in which IPv6 varies greatly from IPv4 is in the fact that an interface will have multiple addresses by default. We tend to think of an interface as having a single IPv4 address (although secondary addresses are possible, they are not often used), whereas an interface will always have multiple IPv6 addresses.
The concept of what EUI-64 is doing is very simple and straightforward. The basic idea here is to take the host’s MAC address and base its IPv6 address on that. However, MAC addresses are only 48 bits, and most IPv6 implementations use /64 network prefixes with the remaining 64 bits being assigned to hosts. The method by which the 48 bits are stretched to 64 isn’t exactly something you would have guessed.
The rule goes like this: split the MAC address into two 24-bit sections and insert 0xFFFE in the middle, then invert the 7th bit. An example seems fitting. Let’s take an example MAC address of 0012:3456:789A. Splitting this into two 24-bit sections gives us 001234 and 56789A. Popping FFFE in the middle then gives us 0012:34FF:FE56:789A. Finally, inverting the 7th bit (setting it to “1” in this case) gives us 0212:34FF:FE56:789A. It may be easier to flip that seventh bit if you convert the first two characters of the MAC to binary. We started with 00, which is of course 00000000 in binary. Setting the seventh bit to “1” changes that to 00000010, which is 02 in hex. Thus, you would end up with an IPv6 Link Local address of FE80::212:34FF:FE56:789A.
While this isn’t the most intuitive-looking conversion in the world, it’s actually far easier than it looks at first. After running through it a time or two, it will seem like a breeze.
The actual configuration of these addresses is beyond simple – you merely enter the prefix and add the eui-64 parameter in the command. For example, if the prefix is 2001:1:2:3:4:5::, then you configure the address with the interface ipv6 address 2001:1:2:3:4:5::/64 eui-64 command.
Neighbor Discovery Protocol, sometimes abbreviated as ND or NDP, is particular to IPv6. Neighbor Discovery handles a wide range of responsibilities in the IPv6 world, one of which is serving as a replacement for ARP. Rather than rely on ARP, IPv6 uses Neighbor Solicitation and Neighbor Advertisement messages to discover the link-layer addresses of hosts.
Another part of the NDP suite serves as a very lightweight replacement for DHCP. First and foremost, it can do this because it automatically runs on IPv6 hosts and routers, and is intended to give IPv6 devices basic connectivity without the need for DHCP. A host can use ND to automatically discover routers, prefixes, MTU, hop limits, and a great deal more simply by virtue of running IPv6.
A Router Solicitation is a message that a host sends to discover routers on the local link. Router Advertisements are sent by the routers and offer information about the local link. ND also takes care of the same function that an ICMP redirect carries in IPv4. Cisco routers will begin sending RAs on an interface as soon as the ipv6 unicast-routing command is enabled.
Stateless autoconfiguration combines the RS/RA/ND process with EUI-64 addressing. In a SLAAC (Stateless Address Auto Configuration) environment, a host can automatically generate its own address without a DHCP server on the LAN. The concept works because of the RAs that a router sends on the local LAN. A host can pay attention to the network prefix being advertised by a router and assign itself an address by prepending that /64 prefix to its own EUI-64 address. Note that this concept only works with /64 prefixes.
Temporary addresses [RFC4941]
RFC4941 basically raises the concern that an autoconfigured address gives a potential attacker a fixed target. Once an attacker knows a machine’s MAC address or IPv6 address that is based on its MAC address, they can then know what that host’s IPv6 address will be, even if prefixes were to change. For mobile devices, this is also concerning because an attacker can track a device’s movement based on the prefixes that it has over time.
One of the recommended approaches is to use a DHCPv6 method that breaks the link between a device’s MAC address and its IPv6 address. Interfaces can also generate temporary addresses that are not EUI-64 generated in order to enhance privacy.
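As an added example (my own code, not from the original post or from Cisco), here is the modified EUI-64 procedure from the worked example above in Python: it builds the interface ID from the MAC address 0012.3456.789A, prepends the /64 prefix exactly as the eui-64 keyword and SLAAC do, and then reverses the process to show how a MAC address can be read straight back out of an EUI-64 based address, which is the linkage RFC4941 temporary addresses are meant to break. The prefix 2001:1:2:3:4:5::/64 is the one used earlier in the post.

```python
import ipaddress
import re
from typing import Optional

def mac_to_bytes(mac: str) -> bytes:
    """Accept Cisco dotted (0012.3456.789A), colon or hyphen separated MAC notation."""
    hexdigits = re.sub(r"[.:\-]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the MAC in half, insert FF:FE, invert the 7th bit."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02  # the 7th bit of the first octet is the universal/local bit
    return bytes(iid)

def eui64_address(prefix: str, mac: str) -> str:
    """Prepend a /64 prefix to the EUI-64 interface ID, as 'ipv6 address ... eui-64' and SLAAC do."""
    net = ipaddress.IPv6Network(prefix, strict=False)  # host bits in the prefix are discarded
    if net.prefixlen != 64:
        raise ValueError("EUI-64 and SLAAC only work with a /64 prefix")
    packed = net.network_address.packed[:8] + eui64_interface_id(mac)
    return ipaddress.IPv6Address(packed).compressed  # applies the :: shorthand rules

def link_local_address(mac: str) -> str:
    """The link-local address an interface would auto-generate for this MAC."""
    return eui64_address("fe80::/64", mac)

def mac_from_eui64(address: str) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address; None if the address is not EUI-64 based
    (for instance an RFC 4941 temporary address)."""
    iid = bytearray(ipaddress.IPv6Address(address).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    mac = iid[:3] + iid[5:]
    return "%02x%02x.%02x%02x.%02x%02x" % tuple(mac)

if __name__ == "__main__":
    print(link_local_address("0012.3456.789A"))                    # fe80::212:34ff:fe56:789a
    print(eui64_address("2001:1:2:3:4:5::/64", "0012.3456.789A"))  # 2001:1:2:3:212:34ff:fe56:789a
    print(mac_from_eui64("fe80::212:34ff:fe56:789a"))               # 0012.3456.789a
```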
Global Prefix Configuration Feature
The IPv6 global prefix feature allows an Engineer to quickly assign prefixes via shorthand. This simplifies IPv6 addressing, and more importantly, makes address migration far simpler.
DHCP protocol operations, SLAAC, and Stateful vs. Stateless DHCPv6
DHCP comes in two flavors in the IPv6 world: stateful and stateless. Stateless addressing basically says “go ahead and figure out your own address using SLAAC, but here are the other DHCP options that you’ll need like DNS servers, TFTP servers, etc.” Stateful addressing is almost exactly like the IPv4 DHCP concept, where addresses are assigned and tracked by a DHCP server. DHCPv6 uses multicast rather than broadcast messages. To accomplish this, a client must first use the neighbor discovery process. The router advertisement packets have flags that will tell the host not to use autoconfig and to use DHCP instead if this is the intended operation.
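The flags referred to above are the M (managed) and O (other configuration) bits in the ICMPv6 Router Advertisement header, together with the A (autonomous) bit of each Prefix Information option, which says whether a prefix may be used for SLAAC at all. This added example (my own code, not from the post or from Cisco) decodes those bits from a hand-built RA and states which address mechanism a host would end up using; because the sample is constructed, the ICMPv6 checksum is left at zero and not validated.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134   # ICMPv6 type for a Router Advertisement (RFC 4861)
OPT_PREFIX_INFO = 3      # ND option type: Prefix Information

def parse_ra(icmpv6: bytes) -> dict:
    """Decode the RA fields that decide between SLAAC, stateless and stateful DHCPv6."""
    msg_type, _code, _csum, hop_limit, flags, lifetime = struct.unpack("!BBHBBH", icmpv6[:8])
    if msg_type != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop_limit, "router_lifetime": lifetime,
          "managed": bool(flags & 0x80),  # M: get addresses from a DHCPv6 server
          "other": bool(flags & 0x40),    # O: get other config (DNS, etc.) from DHCPv6
          "prefixes": []}
    off = 16  # header (8) + reachable time (4) + retrans timer (4)
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: discard the packet
        body = icmpv6[off:off + opt_len * 8]
        if opt_type == OPT_PREFIX_INFO and len(body) == 32:
            valid, preferred = struct.unpack("!II", body[4:12])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[16:32]).compressed}/{body[2]}",
                "on_link": bool(body[3] & 0x80),     # L flag
                "autonomous": bool(body[3] & 0x40),  # A flag: prefix usable for SLAAC
                "valid": valid, "preferred": preferred})
        off += opt_len * 8
    return ra

def host_behaviour(ra: dict) -> str:
    """What a host does with this RA (SLAAC needs a prefix with the A flag set and a /64 length)."""
    slaac = any(p["autonomous"] and p["prefix"].endswith("/64") for p in ra["prefixes"])
    if ra["managed"]:
        return "stateful DHCPv6" + (" plus SLAAC" if slaac else "")
    if ra["other"]:
        return "SLAAC plus stateless DHCPv6" if slaac else "stateless DHCPv6 only"
    return "SLAAC only" if slaac else "no address autoconfiguration"

# Constructed sample RA: O=1, hop limit 64, lifetime 1800 s, one PIO for 2001:db8:1:2::/64 with L=A=1.
SAMPLE_RA = (struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, 0x40, 1800, 0, 0)
             + struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 2592000, 604800, 0)
             + ipaddress.IPv6Address("2001:db8:1:2::").packed)

if __name__ == "__main__":
    print(host_behaviour(parse_ra(SAMPLE_RA)))  # SLAAC plus stateless DHCPv6
```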
DHCPv6 Prefix Delegation
DHCPv6 prefix delegation allows a single DHCP server to assign prefixes to different DHCPv6 clients, rather than assigning them addresses. There is a great write-up about the idea here: http://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/113141-DHCPv6-00.html
Well, we’ve reached the end of our first IPv6 discovery. I’m sure it won’t be our last! Our next topic is a HUGE one: Multicast. As of late March, I already have about two posts worth of material written up, and am nowhere near ready to submit this in print. It’s really going to be an adventure going through all of that, but I’m looking forward to learning it well enough to share my experiences in the form of coherent thoughts here! I’m still planning on taking my written test soon – how soon depends largely on finding out when I can get my training plan in place with my new employer and discussing some timelines with my wife for a couple grueling weekends of hardcore study time. I’ve rescheduled it so many times now, I can’t even count them. But it’s getting closer all the time, of that, I am completely convinced! Thanks for your time and for stopping by!