Advanced IPv6

Training Course

September 2018
Schedule

09:00 - 09:30 Coffee, Tea

11:00 - 11:15 Break
13:00 - 14:00 Lunch
15:30 - 15:45 Break
17:30 End

!2
Introductions
• Name
• Number on the list
• Experience with:
- IPv6
- Cisco
- OSPF
- BGP

• Goals
!3
Course Overview
1 - Section
Overview Day 1
• Introduction
• IPv6 Routing Basics
• Exercise: Enable IPv6
• OSPFv3
• Exercise: Configuring OSPFv3
• BGP
• Exercise: Configuring BGP
• Content
• Mobile Providers

!5
Overview Day 2
• Transition Mechanisms
• Exercise: NAT64/DNS64
• Host Configuration
• Exercise: SLAAC
• DHCPv6
• Exercise: DHCPv6
• Security
• IP Address Management
• Tips & Tricks

!6
IPv6 Routing Basics
2 - Section
IPv6 Routing Basics
• IPv6 routing is the same as IPv4 routing
- Longest matching prefix
- Same structure and concepts
- Some technical differences

!8
Longest Matching Prefix
• Example routing table:
Route Next-Hop

::/0 2001:db8:aaa:bbb::cdef:1

2001:db8::/32 2001:db8:bcd:aaa::1

2001:db8::/48 2001:db8:cde:bbb::1

2001:db8:1000::/36 2001:db8:ffff:eeee::1

2001:db8:1000::/48 2001:db8:def:bbb::1

2001:db8:2000::/48 2001:db8:def:bbb::2

!9
Longest Matching Prefix
• Matches for a packet with destination:
2001:db8:2000:1a2b:02ab:9eff:fe01:f5b1
Route Next-Hop

::/0 2001:db8:aaa:bbb::cdef:1

2001:db8::/32 2001:db8:bcd:aaa::1

2001:db8::/48 2001:db8:cde:bbb::1

2001:db8:1000::/36 2001:db8:ffff:eeee::1

2001:db8:1000::/48 2001:db8:def:bbb::1

2001:db8:2000::/48 2001:db8:def:bbb::2

!10
Longest Matching Prefix
• Matches for a packet with destination:
2001:db8:2000:1a2b:02ab:9eff:fe01:f5b1
Route Next-Hop

::/0 2001:db8:aaa:bbb::cdef:1

2001:db8::/32 2001:db8:bcd:aaa::1

2001:db8::/48 2001:db8:cde:bbb::1

2001:db8:1000::/36 2001:db8:ffff:eeee::1

2001:db8:1000::/48 2001:db8:def:bbb::1

2001:db8:2000::/48 2001:db8:def:bbb::2

!11
Longest Matching prefix
• Matches for a packet with destination:
2001:db8:2001:1a2b:02ab:9eff:fe01:f8b2
Route Next-Hop

::/0 2001:db8:aaa:bbb::cdef:1

2001:db8::/32 2001:db8:bcd:aaa::1

2001:db8::/48 2001:db8:cde:bbb::1

2001:db8:1000::/36 2001:db8:ffff:eeee::1

2001:db8:1000::/48 2001:db8:def:bbb::1

2001:db8:2000::/48 2001:db8:def:bbb::2

!12
Longest Matching prefix
• Matches for a packet with destination:
2001:db8:2001:1a2b:02ab:9eff:fe01:f8b2
Route Next-Hop

::/0 2001:db8:aaa:bbb::cdef:1

2001:db8::/32 2001:db8:bcd:aaa::1

2001:db8::/48 2001:db8:cde:bbb::1

2001:db8:1000::/36 2001:db8:ffff:eeee::1

2001:db8:1000::/48 2001:db8:def:bbb::1

2001:db8:2000::/48 2001:db8:def:bbb::2

!13
Longest Matching Prefix
• Matches for a packet with destination:
2001:db8:1001:1a2b:02ab:92ff:fe01:f8b2
Route Next-Hop

::/0 2001:db8:aaa:bbb::cdef:1

2001:db8::/32 2001:db8:bcd:aaa::1

2001:db8::/48 2001:db8:cde:bbb::1

2001:db8:1000::/36 2001:db8:ffff:eeee::1

2001:db8:1000::/48 2001:db8:def:bbb::1

2001:db8:2000::/48 2001:db8:def:bbb::2

!14
Longest Matching Prefix
• Matches for a packet with destination:
2001:db8:1001:1a2b:02ab:92ff:fe01:f8b2
Route Next-Hop

::/0 2001:db8:aaa:bbb::cdef:1

2001:db8::/32 2001:db8:bcd:aaa::1

2001:db8::/48 2001:db8:cde:bbb::1

2001:db8:1000::/36 2001:db8:ffff:eeee::1

2001:db8:1000::/48 2001:db8:def:bbb::1

2001:db8:2000::/48 2001:db8:def:bbb::2

!15
Summary
• IPv6 routing uses the same structure as IPv4
routing
- Addresses are longer
- Prefixes are longer

!16
Add IPv6 to Loopback & Links
3 - Exercise
Discover the IPv4 Network
• Make sure you have connectivity
• Go to: workbench.ripe.net
• Your login is your number on the attendee list
• We will provide you with the password

• Read instructions carefully

• First discover, then configure

!18
Discover the IPv4 Network
• Routing Protocol
- IGP (OSPF) is used for loopback addresses and point-to-
point links
- EGP (BGP) is used for the edge core routers

• R1 announces a default route via OSPF

• Keeps routing tables in the area smaller
- All inter-area traffic must pass R1

!19
Network Diagram

R2

CUSTOMER 1 AS66
e0/0 e1/0 e0/0
e0/1

e0/0 e1/0

R1 AS99

e0/1

e0/1

CUSTOMER 2
e0/0 e1/0 e0/0
R3 POP

!20
Adding IPv6 to the Network
• We will now add IPv6 to our existing network
• We will not change the network structure

• First step: Addressing Structure

• Find the addresses on the handout

!21
Addressing with IPv6
• Where X is your number on the attendee list!
• Loopbacks:
- There is a /32 (IPv4): 172.X.255.Y(router number)
- Use a /128 (IPv6) 2001:ffXX::Y(router number)/128

• Point-to-point core:
- There is a /30 (IPv4) from 10.X.0.0/24
- Use a /127 from 2001:ffXX::/60 for core links
- Use a /64 from 2001:ffXX::/60 for the customer links

!22
Interface IPv6 Settings Routers
• Disable Router Advertisements
- On point-to-point interfaces
- On LANs where unprepared devices are connected

• Otherwise they will suddenly be globally

reachable over IPv6 without being configured,
prepared and/or protected

!23
Basic IPv6 Settings
• Before configuring IPv6 on your router interfaces,

the basic IPv6 settings need to be set up on the router

• For R1, R2, R3 and the Customers

ipv6 unicast-routing
ipv6 cef

!24
Interface IPv6 Settings Routers
• Use the information in the handouts

• Give the correct IPv6 addresses to the interfaces

• Start with the loopback interface

• Then configure the point-to-point links

• Fill in the appropriate interface name, IPv6 address and

prefix length
interface xyz
ipv6 address ...
no ipv6 redirects
ipv6 nd ra suppress all

!25
Interface IPv6 Settings Customers
• Use the information in the handouts

• Give the correct IPv6 addresses to the interfaces

• We don’t configure loopback interfaces

• Then configure the point-to-point link

• Fill in the appropriate interface name, IPv6 address and

prefix length (/64)

• We don’t disable router advertisements

interface xyz
ipv6 address ...
no ipv6 redirects

!26
Interface IPv6 Settings Customers
• We will set a default route for the customers
• This is a manual configuration
• This is not needed if you use SLAAC
ipv6 route ::/0 2001:ffXX:0:ff01::b (customer 1)
ipv6 route ::/0 2001:ffXX:0:ff02::b (customer 2)

• XX is your number on the list

!27
Checking Your Configuration
• Check your own configuration
- Can you ping your own IPv6 loopback address?
- Can you ping your own side of the point-to-point link?

!28
Questions
OSPFv3
4 - Section
OSPF Characteristics
• OSPF = Open Shortest Path First
• Link State Protocol
• OSPFv3 is an implementation of OSPF for
IPv6
• OSPFv2 (for IPv4) and OSPFv3 run
independently on the router
• Most OSPFv3 functions are the same as
OSPFv2

!31
OSPF Refresher
• Link state protocol
- Every router has full insight into network topology of the
area
- Routes are sent to other routers using Link State
Advertisements (LSAs)

• Role of Area Border Routers:

- Limit the flooding of LSAs to isolate topology changes
within the area

!32
OSPF Refresher

External LSA flooding

across all areas ASBR

External (BGP)

LSA flooding
within the area Area 0

ABR ABR

Area 1 Area 2

!33
OSPF for IPv6
• Multiple instances of OSPFv3 can be run on a
link
- Unlike in OSPFv2

• OSPFv3 still uses 32-bit numbers as a router

ID
- If no IPv4 address is configured on any interface, the router
ID command is required to set the 32-bit router ID (for IPv6-
only networks)

!34
OSPF for IPv6
• Router ID is a unique identifier for the router
- Must be configured in the routing process
- Is still a 32-bit number, written in 4 octets
- It is used to sign routing updates

• But to make your life easy, you can use an

IPv4 loopback address

!35
OSPF for IPv6
• OSPF for IPv4 (OSPFv2) can be configured:
- on each subnet or,
- on each link

• OSPF for IPv6 (OSPFv3) can be configured:

- on each link

• Interface mode configuration will automatically

activate the OSPF process on your running
config

!36
OSPF for IPv6
• LSA types and functions in OSPF are almost
the same as for OSPFv2
- But there is no authentication in OSPFv3

• OSPFv3 uses multicast addresses:

- ff02::5 for All OSPFv3 Routers
- ff02::6 for All OSPFv3 Designated Routers

• All OSPFv3 adjacencies are formed using link-

local addresses
- From fe80::/10 IPv6’s link-local address scope

!37
Configuration of OSPF as IGP

• Example of OSPF for IPv4 per-subnet configuration

router ospf 1
log-adjacency-changes
passive-interface default
network 172.16.1.1 0.0.0.0 area 1
no passive-interface e0/0
network 172.16.11.8 0.0.0.3 area 1
no passive-interface e0/1
network 172.16.11.0 0.0.0.3 area 1

!38
Configuration of OSPF as IGP

• Example of OSPF for IPv4 per-link configuration

router ospf 1
log-adjacency-changes
passive-interface e1/1
passive-interface e1/0
!
interface loopback 0
ip ospf 1 area 1
!
interface e0/0
ip ospf 1 area 1
!
interface e0/1
ip ospf 1 area 1
!

!39
Configuration of OSPF as IGP

• Example of OSPF for IPv6 per-link configuration

ipv6 router ospf 1

log-adjacency-changes
passive-interface e1/1
passive-interface e1/0
!
interface loopback 0
ipv6 ospf 1 area 1
!
interface e0/0
ipv6 ospf 1 area 1
!
interface e0/1
ipv6 ospf 1 area 1
!

!40
Configuring OSPFv3
5 - Exercise
Overview of IGP Configuration
• You have to configure OSPFv3 as IGP for
IPv6
• Dual Stack will be used to ensure both IPv4
and IPv6 operation
• OSPFv2 is already set up

!42
Network Diagram

R2

CUSTOMER 1 AS66
e0/0 e1/0 e0/0
e0/1

e0/0 e1/0

R1 AS99

e0/1

e0/1

CUSTOMER 2
e0/0 e1/0 e0/0
R3 POP

!43
Have a good look…

• At the IPv4 configuration….

show running-config | s router ospf

!44
OSPFv3 Global Settings
• Tell the router to do OSPFv3 and the process-id
• Log adjacency changes
• Set a router ID
• Define passive interface

ipv6 router ospf 1

log-adjacency-changes
router-id 172.X.255.Y (Y is router number)
passive-interface Ethernet1/0
passive-interface Ethernet1/1
redistribute connected

• On router 1 also add:

ipv6 router ospf 1

default-information originate always

!45
OSPFv3 Interface Settings

• OSPFv3 interface settings

interface xyz
ipv6 ospf network point-to-point
ipv6 ospf 1 area 0

• Fill in the appropriate interface names and OSPF area

!46
Checking Your Configuration
• Check your own configuration
- Can you ping the loopback on R3 from C1?
- Can you ping the loopback on R2 from C2?

!47
Checking Your Configuration
• You should now have a running IPv6 core
network!
• For every internal IPv4 route there should be a
corresponding IPv6 route
• Try to ping and traceroute point-to-point
connections and loopback addresses in your
part of the network

!48
 BGP
6 - Section
BGP Overview
• Routing Protocol used to exchange routing
information between networks
- Exterior Gateway Protocol

• It is based on Path Vector Protocol

- Similar to Distance Vector

• Each border router sends to its neigbors the

full route to one destination, not just the
distance

!50
Autonomous System
• Collection of networks with the same routing
policy
• Usually under single ownership and
administrative control
- Single routing policy

• Identified by 16 or 32 bit numbers

- 16bit: 0 - 65,535
- 32bit: 65,536 - 4,294,967,295

!51
AS Path
• Sequence of ASes a route has traversed
- Loop detection
- Path selection ( AS-PATH length )

!52
BGP Modes

• eBGP: Between BGP speakers in a different AS

• iBGP: Between BGP speakers within the same AS

!53
BGP Messages
• OPEN
- opens the tcp session

• KEEPALIVE
- keeps the session running

• NOTIFICATION
- error handling

• UPDATE
- actual route updates (NLRI, AS-path, AS-path attributes)

!54
NLRI
• Network Layer Reachability Information
- Used to advertise feasible routes
- Composed of:
- Network Prefix
- Mask Length

!55
BGP Path Attributes
• Well known
- They are known by all the routers and passed to BGP
neighbors
- Mandatory and are included in the UPDATE messages

• Optional
- May not be supported by all BGP implementations
- The transitive bit determines if an optional attribute is
passed to BGP neighbors

!56
Multiprotocol BGP (MP-BGP)
• Extension to the BGP protocol
• Carries routing information about other
protocols:
- Multicast
- MPLS VPN
- IPv6

• Multi-Protocol NLRI exchange is negotiated at

session set up (OPEN Message)

!57
MP-BGP
• New features in OPEN Message:
- BGP Capabilities Advertisement:
- Address Family Identifier (AFI)
- Subsequent Address Family Identifier (SAFI)
- Multiprotocol Reachable Network Layer Reachability
Information

!58
AFI / SAFI
• Address Family Identifier (AFI)
- Identifies Address Type
- AFI = 1 (IPv4)
- AFI = 2 (IPv6)

• Subsequent Address Family Identifier (SAFI)

- Sub category for AFI Field
- Address Family Identifier (AFI)
• Sub-AFI = 1 (NLRI is used for unicast)
• Sub-AFI = 2 (NLRI is used for multicast RPF check)
• Sub-AFI = 3 (NLRI is used for both unicast and multicast RPF
check)
• Sub-AFI = 4 (label)
• Sub-AFI = 128 (VPN)

!59
MP-BGP Capabilities Negotiation
• BGP routers establish peering sessions through

the OPEN message

• OPEN message contains optional parameters

• BGP session is terminated if OPEN parameters


are not recognised

• A new optional parameter: CAPABILITIES


containing its capabilities:
- Multiprotocol extension (AFI/SAFI)
- Route Refresh
- Outbound Route Filtering

!60
Managing Multiple Protocols
• Independent operation
- One RIB per protocol
- Distinct policies per protocol (IP address specific

route maps and prefix lists must be adjusted)
- Make separate route maps for IPv4 and IPv6
- Prefix lists are always separate
- It is common to use a _v4 and a _v6 suffix to names

!61
Configuring MP-BGP & Customers

7 - Exercise
 eBGP
7.1 - Exercise
BGP Configuration R1
• Cisco defaults to address-family IPv4
• This must be disabled before configuring IPv6
• Your AS Number is 1 + your number on the
participants list (e.g. 109)

router bgp 1XX

no bgp default ipv4-unicast

!64
Network Diagram

R2

CUSTOMER 1 AS66
e0/0 e1/0 e0/0
e0/1

e0/0 e1/0

R1 AS99

e0/1

e0/1

CUSTOMER 2
e0/0 e1/0 e0/0
R3 POP

!65
Set the Route and Prefix list on R1

address-family ipv6
network 2001:ffXX::/32
(exit)
ipv6 route 2001:ffXX::/32 Null0
ipv6 prefix-list filter_v6 seq 5 permit 2001:ffXX::/32

!66
BGP Configuration R1
• Now we are going to set up BGP

to our upstreams
• We use the same settings for IPv6 

as we have for IPv4
• Only configure R1
router bgp 1XX
neighbor 2001:ff69::66 remote-as 66
neighbor 2001:ff69::99 remote-as 99

!67
BGP Configuration R1
• And activate the external session in the
correct address family

address-family ipv6
redistribute static
neighbor 2001:ff69::66 activate
neighbor 2001:ff69::99 activate
neighbor 2001:ff69::66 prefix-list filter_v6 out
neighbor 2001:ff69::99 prefix-list filter_v6 out

!68
Filtering
• We filter the routes we announce
- Why?
- Why in this way?
- What are the differences in IPv4 and IPv6 ?

!69
 iBGP
7.2 - Exercise
Network Diagram

R2

CUSTOMER 1 AS66
e0/0 e1/0 e0/0
e0/1

e0/0 e1/0

R1 AS99

e0/1

e0/1

CUSTOMER 2
e0/0 e1/0 e0/0
R3 POP

!71
BGP Configuration R1
• Now we are going to set up BGP on top of our IPv4 core

• We use the same settings for IPv6 as we have for IPv4

neighbor 2001:ffXX::2 remote-as 1XX

neighbor 2001:ffXX::2 update-source lo0
neighbor 2001:ffXX::3 remote-as 1XX
neighbor 2001:ffXX::3 update-source lo0

address-family ipv6
redistribute static
neighbor 2001:ffXX::2 activate
neighbor 2001:ffXX::3 activate
neighbor 2001:ffXX::2 next-hop-self
neighbor 2001:ffXX::3 next-hop-self

!72
BGP Configuration R2
• Now we are going to set up BGP on top of our IPv4 core

• We use the same settings for IPv6 as we have for IPv4

router bgp 1XX

no bgp default ipv4-unicast

neighbor 2001:ffXX::1 remote-as 1XX

neighbor 2001:ffXX::1 update-source lo0
neighbor 2001:ffXX::3 remote-as 1XX
neighbor 2001:ffXX::3 update-source lo0

address-family ipv6
redistribute static
neighbor 2001:ffXX::1 activate
neighbor 2001:ffXX::3 activate
neighbor 2001:ffXX::1 next-hop-self
neighbor 2001:ffXX::3 next-hop-self

!73
BGP Configuration R3
• Now we are going to set up BGP on top of our IPv4 core

• We use the same settings for IPv6 as we have for IPv4

router bgp 1XX

no bgp default ipv4-unicast

neighbor 2001:ffXX::1 remote-as 1XX

neighbor 2001:ffXX::1 update-source lo0
neighbor 2001:ffXX::2 remote-as 1XX
neighbor 2001:ffXX::2 update-source lo0

address-family ipv6
redistribute static
neighbor 2001:ffXX::1 activate
neighbor 2001:ffXX::2 activate
neighbor 2001:ffXX::1 next-hop-self
neighbor 2001:ffXX::2 next-hop-self
!74
BGP Customer1
7.3 - Exercise
Network Diagram

R2

CUSTOMER 1 AS66
e0/0 e1/0 e0/0
e0/1

e0/0 e1/0

R1 AS99

e0/1

e0/1

CUSTOMER 2
e0/0 e1/0 e0/0
R3 POP

!76
BGP Configuration Customer 1
• We will remove the default route for the customers

no ipv6 route ::/0 2001:ffXX:0:ff01::b

!77
BGP Configuration Router 2
• The AS number for customer is 2 + your
number on the participants list (e.g. 209)
• Add BGP session for Customer 1
router bgp 1XX
neighbor 2001:ffXX:0:ff01::a remote-as 2XX

address-family ipv6
neighbor 2001:ffXX:0:ff01::a activate

!78
BGP Configuration Router 2
• Now add customer prefix to the prefix list
- Customer 1 prefix: 2001:ffXX:ff01::/48

ipv6 prefix-list customer1_v6 seq 5 permit 2001:ffXX:ff01::/48

router bgp 1XX

address-family ipv6
neighbor 2001:ffXX:0:ff01::a prefix-list customer1_v6 in

clear bgp ipv6 unicast 2001:ffXX:0:ff01::a soft in

!79
BGP Configuration Customer 1
• The AS number for customer is 2 + your
number on the participants list (e.g. 209)
• Configure BGP session with R2
router bgp 2XX
no bgp default ipv4-unicast
neighbor 2001:ffXX:0:ff01::b remote-as 1XX

address-family ipv6
redistribute static
neighbor 2001:ffXX:0:ff01::b activate

!80
BGP Configuration Customer 1
• Now add the prefix, prefix list and static route
- Customer1 prefix: 2001:ffXX:ff01::/48

address-family ipv6
network 2001:ffXX:ff01::/48
(exit)
ipv6 route 2001:ffXX:ff01::/48 Null0
ipv6 prefix-list my_v6 seq 5 permit 2001:ffXX:ff01::/48

router bgp 2XX

address-family ipv6
neighbor 2001:ffXX:0:ff01::b prefix-list my_v6 out

!81
Challenge: BGP Customer 2
7.4 - Exercise
Network Diagram

R2

CUSTOMER 1 AS66
e0/0 e1/0 e0/0
e0/1

e0/0 e1/0

R1 AS99

e0/1

e0/1

CUSTOMER 2
e0/0 e1/0 e0/0
R3 POP

!83
BGP Configuration Customer 2
• Configure BGP session between Customer 2
router and provider R3
• The AS number for customer is 3 + your
number on the participants list (e.g. 309)
• Add the prefix, prefix list and static route
- Customer2 prefix: 2001:ffXX:ff02::/48

!84
Summary
• We now added IPv6 to…
- Links/interfaces
- IGP (OSPF)
- EGP (BGP)
- Customers

• How difficult was it?

• Any surprises?

!85
Questions
Content
8 - Section
Definition
• This section is mostly about websites but it
can also apply to:
- SMTP
- POP3
- IMAP4
- SSH
- Remote Desktops
- Cloud Services

!88
Options
• Multiple ways to make content dual stack
- Native dual stack
- Dual stack load balancer
- IPv6-to-IPv4 (reverse) proxy
- NAT64

!89
Native Dual Stack
• If possible this is the preferred option
IPv6
IPv4
Web / Application

Server

Web / Application

Load
Server
Service
Router Firewall Balancer
Internet Provider

Web / Application

Server

- Cleanest option: no mixing of IPv4 and IPv6

- Needs a fully dual stacked network
- All addresses fully visible where possible

!90
Load Balancer with NAT or Proxy
• If web servers can’t handle IPv6
IPv6
IPv4
Web / Application

Server

Web / Application

Load
Server
Service
Router Firewall Balancer
Internet Provider

Web / Application

Server

- Needs a fully dual stacked network up to the load balancer

- Web servers might not see IPv6 addresses

!91
IPv6-to-IPv4 Proxy
• If the load balancer or part of the network

can’t handle IPv6
IPv6
IPv4
Web / Application

Server

Web / Application

Load
Server
Service
Router Firewall Balancer
Internet Provider

Proxy
Web / Application

Server Server

- Web servers might not see IPv6 addresses

!92
Proxy Protocol Level
• You can proxy on
- Layer 4 (TCP)
- Layer 7 (HTTP/HTTPS)

• Both have advantages and disadvantages

!93
Proxy on Layer 4
• Very easy to configure
- Doesn’t need to know about the protocol
- Doesn’t need to be configured with host name
- Don’t need SSL/TLS keys on the proxy server

• Just map an IPv6 address+port to an IPv4 address+port

• Cannot provide information to the servers

!94
Proxy on Layer 4
• This example shows haproxy
- Note the confusing notation in the config file
- IPv6 address = 2001:db8:abc:123::cafe port 25

listen smtp1
bind 2001:db8:abc:123::cafe:25
mode tcp
server smtp1 192.0.2.1:25

!95
Proxy on Layer 7
• Bit more work to configure
- Needs to know about the protocol or application
- Might need to be configured with host name
- Needs SSL/TLS keys on the proxy server

• Can provide information to the servers

- Like X-Forwarded-For header

!96
Proxy on Layer 7
• This example shows haproxy
listen website1
bind 2001:db8:abc:123::cafe:80
mode http
option forwardfor
server website1 192.0.2.1:80

• With SSL
listen website1-ssl
bind 2001:db8:abc:123::cafe:443 ssl
crt /etc/haproxy/website-ssl.pem
mode http
option forwardfor
server website1 192.0.2.1:443 ssl

!97
Happy Eyeballs
• Makes dual-stacked websites more
responsive to users
• If there is both A and AAAA
- First IPv6 is used with a 300 ms head start
- If that fails, IPv4 is used

• Implemented by all browsers

• Instable connections can cause problems with
cookies

!98
IPv6 in the Root Servers and TLDs
• All 13 root servers have IPv6 AAAA records

• There are 1530 TLDs

- 1501 of them are IPv6 capable (98.2%)

• Over 9 billion websites have AAAA records

Source: http://bgp.he.net/ipv6-progress-report.cgi

!99
Mobile Providers
9 - Section
IPv6 in Mobile Networks
• IPv4 runout has a high and urgent impact on
mobile internet providers
• Everyone has a smartphone
• Certain apps and protocols have problems
with double NAT

• Do apps support IPv6?

!101
Multiple Solutions
• Dual Stack users:
- Public IPv4 and public IPv6
- Private IPv4 and public IPv6

• IPv6 only users:

- NAT64
- IPv6 only

!102
NAT64/DNS64

IPv6 Internet
DNS64

NAT64 Box
Mobile User

public IPv6 Infrastructure

public IPv6
IPv4 Internet

CUSTOMER PROVIDER INTERNET

!103
464XLAT
• Extension to NAT64 to access IPv4-only
applications (like Skype or Whatsapp)

• Handset pretends there is an IPv4 address

(CLAT) and sends IPv4 packets in UDP over
IPv6
- Support from: Android 4.4 and Samsung Galaxy Note,
Galaxy Light and Google Nexus

!104
464XLAT
IPv6 UDP IPv4 UDP

464XLAT

Client

PLAT Box

Mobile User

IPv6 only GGSN 3G/4G Network

IPv6 only
IPv4 Internet

IPv6 Internet

CUSTOMER PROVIDER INTERNET

!105
Apple Approach
• Apple announced they will not support
464XLAT on the iPhone
• Instead they urge app developers to make
apps work over IPv6-only
• That way, operators can use just NAT64
without 464XLAT

!106
3G
• Works with Packet Data Protocol (PDP)
Contexts
- Initiated by the phone to establish a connection
- IPv4, IPv6 and IPv4v6

• No requirement for always-on connection

• Only works with SLAAC

!107
4G
• Works with Evolved Packet System (EPS)
Bearer
- Initiated by the phone to establish a connection
- IPv4, IPv6 and IPv4v6

• Always-on Packet Data Network (PDN)

Connection
• Due to the need for supporting VoIP

!108
What Needs To Be Done

Source: Cameron Byrne T-Mobile USA

!109
What Needs To Be Done
• Handset:
- IPv6 capable

• Home Location Register (HLR)

- Subscriber management needs to understand

new PDP types (IPv6, IPv4v6)

• Serving GPRS Support Node (SGSN)

- ‘IPv6 on user plane’ needs to be enabled
- Fallback strategy

!110
What Needs To Be Done
• Gateway GPRS Support Node (GGSN)
- New PDP types (IPv6, IPv6v4)
- IPv6 routing
- DHCPv6
- Neighbor Discovery Protocol
- DNS Configuration
- Fallback strategy
- Billing

!111
What Needs To Be Done
• And the usual….
- Firewalls, servers, etc.

!112
Tethering & IPv6
• A /64 prefix is received through an RA to the
phone
• An /128 from that /64 is used for the own WAN
• The same /64 is used for the LAN (and for
tethering)
- Tethering is done through RA
- DAD is used to avoid duplicate addresses

!113
Challenges
• Only 1 IPv4 address and 1 IPv6 subnet on a
handset
• Fallback from IPv4v6 to IPv4-only or IPv6-only

is difficult in some cases

!114
Overview Day 2
• Transition Mechanisms
• Exercise: NAT64/DNS64
• Host Configuration
• Exercise: SLAAC
• DHCPv6
• Exercise: DHCPv6
• Security
• IP Address Management
• Tips & Tricks

!115
Transition Mechanisms
Section 10
Transitioning: Solving Two Problems
• Maintaining connectivity to IPv4 hosts by sharing IPv4
addresses between clients
- Extending the address space with NAT/CGN/LSN
- Translating between IPv6 and IPv4

• Provide a mechanism to connect to the emerging

IPv6-only networks
- Tunnelling IPv6 packets over IPv4-only networks

!117
6in4
• Manually configured tunnels towards a fixed tunnel
broker like Hurricane Electric or your own system

• Stable and predictable but not easily deployed to the

huge residential markets

• MTU might cause issues

!118
6in4

Home User

IPv4 Infrastructure
Tunnel

IPv4
Server

Tunnel Broker IPv6 Internet

CUSTOMER PROVIDER INTERNET

!119
6RD
• Encodes the IPv4 address in the IPv6 prefix
• Uses address space assigned to the operator
• The operator has full control over the relay
• Traffic is symmetric across a relay
- Or at least stays in your domain

• Can work with both public and private IPv4 space

• Needs additional software for signalling

!120
6RD

IPv4 Internet

6RD Tunnel
Home User
Server
IPv4 Infrastructure
IPv6 Internet
IPv4

CUSTOMER PROVIDER INTERNET

!121
NAT64 / DNS64
• Single-stack clients will only have IPv6
• Translator box will strip all headers and replace them
with IPv4

• Requires some DNS “magic”

- Capture responses and replace A with AAAA
- Response is crafted based on target IPv4 address

• Usually implies address sharing on IPv4

!122
NAT64 / DNS64

IPv6 Internet
DNS64

NAT64 Box
Home User

public IPv6 Infrastructure

public IPv6
IPv4 Internet

CUSTOMER PROVIDER INTERNET

!123
464XLAT
• Extension to NAT64 to access IPv4-only applications
(like Skype or Whatsapp)

• Handset pretends there is an IPv4 address (CLAT)

and sends IPv4 packets in UDP over IPv6

!124
464XLAT
IPv6 UDP IPv4 UDP

464XLAT

Client

PLAT Box
Mobile User

IPv6 only GGSN 3G/4G Network

IPv6 only
IPv4 Internet

IPv6 Internet

CUSTOMER PROVIDER INTERNET

!125
DS-lite
• Tunnelling IPv4 over IPv6
• Allows clients to use RFC1918 addresses

without doing NAT themselves

• NAT is centrally located at the provider

• Client’s IPv6 address is used to maintain state

and to keep clients apart
- Allows for duplicate IPv4 ranges

!126
DS-lite

Home User
Infrastructure

public IPv6
IPv6

private IPv4 IPv6 Internet

NAT44 Box

Infrastructure

IPv4

IPv4 Internet

CUSTOMER PROVIDER INTERNET

!127
MAP-E / MAP-T
• IPv4 over IPv6 - Encapsulated or Translated
• Clients get private IPv4 and public IPv6
• IPv4 address/port mapped into IPv6 address
• Stateless NAT44 allows traffic to flow asymmetrically
in and out of MAP domain

!128
MAP-E / MAP-T

CE

public IPv6

private IPv4 Border

Router
CE IPv6 Internet

public IPv6

private IPv4

CE

IPv4 Internet
public IPv6
Infrastructure

private IPv4 IPv6

CUSTOMER PROVIDER INTERNET

!129
Best Transition Mechanism?

Dual Stack
IPv6

IPv4

!130
Configuring NAT64
Section 11
NAT64 / DNS64
• Single-stack clients will only have IPv6
• Translator box will strip all headers and
replace them with IPv4
• Requires some DNS “magic”
- Capture responses and replace A with AAAA
- Response is crafted based on target IPv4 address

• Usually implies address sharing on IPv4

!132
NAT64/DNS64

IPv6 Internet
DNS64

NAT64 Box
Mobile User

public IPv6 Infrastructure

public IPv6
IPv4 Internet

CUSTOMER PROVIDER INTERNET

!133
Well Known Prefix
• 64:ff9b::/96
- Algorithmic translation from an IPv4 address to an IPv6
address and vice versa

• Can not be used for private IPv4 addresses

• Only used within the operator, not announced
in global routing table
• Or use your own prefix, but be careful
!134
NAT64 Lab
• The problem is: We will have IPv6-only
customers that cannot reach IPv4-only content
• Step 1: Configure C1 as an IPv6-only customer

• Step 2: Ping from C1 to www.example.com

• Step 3: Ping from C1 to ipv4.example.com

• Step 4: Setup R4 as NAT64 box

• Step 5: Set static route on R2

• Step 6: Ping from customer to dns64.example.com

!135
NAT64 Lab DNS64

R2

CUSTOMER 1
e0/0 e1/0 e0/0 e0/0 e2/0

e0/1 e1/1 R1
e0/1
e1/1 IPv6 Internet
e0/0
e0/1
R4

e0/1 e0/0 e1/0 e2/0

CUSTOMER 2
e0/0 e1/0 e1/1
R3 POP IPv4 Internet

!136
Step 1: Configure C1

• The customer will only have an IPv6 address

ipv6 unicast-routing
ipv6 cef

interface e0/0
ipv6 address 2001:ffXX:0:ff01::a/64
no ipv6 redirects
ipv6 nd ra suppress all
no shut

• Set up a static route to R2

ipv6 route 2000::/3 2001:ffXX:0:ff01::b
ipv6 route 64:ff9b::/96 2001:ffXX:0:ff01::b
• Set up a name server
ip domain lookup
ip name-server 2001:ff53::53
!137
Step 2: Ping from C1 to dual-stack

• Ping from the customer to a dual-stacked website

ping www.example.com

!138
Step 3: Ping from C1 to IPv4-only

• Ping from the customer to an IPv4-only website

ping ipv4.example.com

!139
Step 4: Setup R4 as NAT64 box

• Enable IPv6
ipv6 unicast-routing
ipv6 cef

• Configure the loopback interface for IPv4 & IPv6

interface lo0
ipv6 address 2001:ffXX::4/128
no ipv6 redirects

!140
Step 4: Setup R4 as NAT64 box

• Configure the 3 internal interfaces

interface e0/0
ipv6 address 2001:ffXX:0:04::a/127
no ipv6 redirects
ipv6 nd ra suppress all

interface e0/1
ipv6 address 2001:ffXX:0:05::a/127
no ipv6 redirects
ipv6 nd ra suppress all

interface e1/0
ipv6 address 2001:ffXX:0:06::a/127
no ipv6 redirects
ipv6 nd ra suppress all
!141
Step 4: Setup R4 as NAT64 box

• Setup OSPFv3 on the router

ipv6 router ospf 1
log-adjacency-changes
router-id 172.X.255.Y (Y is router number)
passive-interface Ethernet2/0
redistribute connected

• Setup OSPFv3 on the three interfaces : (e0/0, e0/1,

e1/0)

interface xyz
ipv6 ospf network point-to-point
ipv6 ospf 1 area 0
no shut
!142
Step 4: Setup R4 as NAT64 box

• Configure the transit interface

(config)# interface Ethernet2/0
(config-if)# ip address 10.132.X.2 255.255.255.252
(config-if)# no shut

• Test if transit provider router is reachable

# ping 10.132.X.1

!143
 Step 4: Setup R4 as NAT64 box

• Create a filter
(config)# ip prefix-list transit-out-v4 seq 5 permit 10.X.0.0/22

• Configure the BGP session

(config)# router bgp 1XX
(config-router)# bgp log-neighbor-changes
(config-router)# neighbor 10.132.X.1 remote-as 44
(config-router)# neighbor 10.132.X.1 prefix-list transit-out-v4 out

• Set the network statement

(config-router)# network 10.X.0.0 mask 255.255.252.0

!144
Step 4: Setup R4 as NAT64 box
• Insert static Null route
- Before BGP advertised its network, it checks for an
exact match of network number and mask on router’s
routing table

(config)# ip route 10.X.0.0 255.255.252.0 null0

!145
Step 4: Setup R4 as NAT64 box
• From R4 ping the IPv4-only host behind the
transit
ping 193.0.21.80

!146
enable NAT64 on the interfaces
• Interface lo0, e0/0, e0/1, e1/0 and e2/0
interface xyz
nat64 enable

• On the router define the prefix used for the

translations

(config)# nat64 prefix stateful 64:ff9b::/96

!147
Step 4: Setup R4 as NAT64 box
• Set up an access list
(config)# ipv6 access-list allow-nat64
(config-acl)# permit ipv6 2001:ffXX::/32 any
(config-acl)# exit

!148
Step 4: Setup R4 as NAT64 box
• Define the pool of IPv4 addresses used for the
translation
(config)# nat64 v4 pool nat64-v4-pool 10.X.3.0 10.X.3.255

• Map pool and access list

(config)#nat64 v6v4 list allow-nat64 pool nat64-v4-pool overload

!149
Step 5: Setup a static route on R2
• We need a static route from R2 to R4

(config)# ipv6 route 64:ff9b::/96 2001:ffXX::4

!150
ping dns64.example.com from C1

# ping dns64.example.com

!151
Questions
Host Configuration
Section 12
Operating Systems
• We will look at Windows, Linux, OSX
• All of them support IPv6 natively

• Good news: it works automatically

• Bad news: it works automatically

!154
Managing clients
• Users might not notice that their computer is
using IPv6

• For management purposes, you want control

over addresses
• Disable SLAAC, Privacy extensions, other

!155
Obtaining addresses
• Disabling SLAAC does not mean disabling
Router Advertisements

• RAs are an important part of address

distribution
• They point clients at a DHCPv6 server

!156
Windows 7
• By default, many services/protocols are
enabled:
• Privacy extensions
• Teredo
• 6to4
• ISATAP

•You might want to disable some/all of them

!157
Windows 7: Before

!158
De-configuring Windows 7

• First, disable all the transition methods

• On the command prompt, as administrator:

netsh interface ipv6 6to4 set state state=disabled

netsh interface ipv6 isatap set state state=disabled

netsh interface ipv6 set teredo disable

!159
Windows 7 Privacy Extensions

• Disable privacy extensions

netsh interface ipv6 set privacy state=disable

netsh interface ipv6 set global randomizeidentifier=disabled

!160
Windows 7:After

!161
Windows 10
• By default, many services/protocols are
disabled:
• Privacy extensions
• Teredo
• 6to4
• ISATAP
• Unfortunately, Windows10 does not do DHCP
out-of-the-box

!162
DHCPv6 client on Windows
• First, get the interface ID:
netsh interface ipv6 show interfaces

!163
DHCPv6 client on Windows

• With the interface ID instead of the red XX, run

the command:
netsh interface ipv6 set interface ipv6 XX
advertise=enabled managed=enabled

• (This has to be run as an Administrator)

!164
Check configuration

• To check the configuration:

netsh interface ipv6 show interface XX

• (This has to be run as an Administrator)

!165
Activating DHCPv6
• Without DHCPv6:

• With DHCPv6:

!166
Windows and DHCPv6
• You can either:
• Configure a router to supply the “M” flag
• But with no prefix announced

• Or disable router discovery

• And let other clients pick up addresses from
SLAAC

!167
OSX
• It will automatically configure IPv6

• It will look in the RA messages to check M flag

• If present, it will check with DHCPv6

!168
OSX Configuration

!169
Linux
• As client, same behaviour as OSX
• Everything works out of the box
• IPv6 is enabled automatically

•As server, static configuration is required

!170
Linux Static configuration
• For CentOS/Red Hat:
• /etc/sysconfig/network

• Add:
NETWORKING_IPV6=yes

!171
Linux Static configuration
• In /etc/sysconfig/network-scripts/ifcfg-ethX
• Add:
IPV6INIT=yes
IPV6ADDR=2001:0db8:aaaa:bbbb:0000:0000:0000:0002/64
IPV6_DEFAULTGW=2001:db8:aaaa:bbbb:0000:0000:0000:0001
IPV6_AUTOCONF=no

• Where X is the number of the interface, then:

service network restart

!172
SLAAC
Section 13
SLAAC
R2

CUSTOMER 1 R66
e0/0 e1/0 e0/0
e0/1

e0/0 e1/0

R1 R99

e0/1
CORE
e0/1

CUSTOMER 2
e0/0 e1/0 e0/0
R3 POP

!174
On C1
• Now we will enable SLAAC
interface e0/0
ipv6 address autoconfig default
no shutdown

• Leave configuration mode

• Enable debug ND
debug ipv6 nd

!175
On R2
• Now we will remove the suppression
interface e1/0
ipv6 address 2001:ffXX:0:ff01::b/64
no ipv6 nd ra suppress all
no shutdown

• Leave configuration mode

• To stop debug messages on C1
undebug all

!176
Debugging SLAAC
• Can you find the new IPv6 address?
• Look at the routing…
• Do you see any interesting debug messages?

!177
SLAAC: Router Messages
Link-local: fe80::a390:45ff:fe14:3f0f
Global unicast: 2001:db8:a:b::1

1 2 3 4 5 6 7 8

FF02::2
Multicast Address

NA RA NA RA RA RA
FF02::1
NS FF02::1:FF14:3F0F
NS FF02::1:FF00:1
FF02::1:FF05:1C9E

Time

Link-local: fe80::ba8d:12ff:fe05:1c9e
Global unicast: 2001:db8:a:b:ba8d:12ff:fe05:1c9e

!178
SLAAC: Client Messages
Link-local: fe80::a390:45ff:fe14:3f0f
Global unicast: 2001:db8:a:b::1
4

RS
FF02::2
Multicast Address

NA RA NA FF02::1
FF02::1:FF14:3F0F
FF02::1:FF00:1
NS NS FF02::1:FF05:1C9E

Time

1 2 3 5 6

Link-local: fe80::ba8d:12ff:fe05:1c9e
Global unicast: 2001:db8:a:b:ba8d:12ff:fe05:1c9e

!179
Questions
DHCPv6
Section 14
About DHCPv6
• New protocol
• Requires IPv6 transport
• Offer similar functionality to DHCPv4 but for
IPv6
• Allows more control than SLAAC
- Routers and servers can have static or dynamic
assignments

• Is supported by Cisco IOS, Microsoft, etc.

!182
Information provided by DHCPv6
• No routing information is distributed
- no default route (routers in IPv6 have different roles

in the network)

• Only host configuration protocol

• Other configuration parameters
- includes DNS, NTP etc

!183
DHCPv6 Fundamentals
• Client driven via DHCPv6 request message

• Solely layer 3 protocol unlike DHCPv4:

- port 546 for clients
- port 547 for server

• DHCPv6 options are similar to those in

DHCPv4

!184
DHCPv6 Operation
• Client first detects the presence of routers on
link
• Client examines router advertisements to
check

if DHCP can be used (managed flag)
• If no router is found or if DHCP can be used,

the client:
- sends DHCP solicit message to “all-DHCP-agents”
multicast address (ff02::1:2)
- uses link-local address as source address

!185
DUID
• DHCP Unique IDentifier
• A globally unique identifier used to identify the
single machine/device
- One DUID per DHCPv6 client

• DHCPv6 does not use only MAC address as

identifier
• Variable length between 96 - 160 bits
- Example Client DUID:

00030001001A2F875602

!186
DHCPv6 Modes
• Stateful
- Also requesting an address
- M flag

• Stateless
- Only other configuration parameters
- O flag

• Prefix Delegation
!187
Stateful DHCPv6
• Similar to DHCPv4 today
• A router can act as a DHCP server
• Configuration parameters include:
- DHCP pool name
- Prefix information
- List of DNS servers
- Addresses for clients

!188
Stateful DHCPv6 Server
• Responds to requests from clients to:
- Offer IPv6 addresses
- Other configuration parameters (DNS servers...)

• Listens on the following multicast addresses:

- All_DHCP_Relay_Agents_and_Servers (FF02::1:2)
- All_DHCP_Servers (FF05::1:3)

• Usually stores client’s state

!189
Stateful DHCPv6 Client and Relay
• Client
- Initiates requests on a link to obtain configuration
- Uses its link local address to connect the server
- Sends requests to FF02::1:2 multicast address

• Relay agent
- A node that acts as an intermediary to deliver DHCP
messages between clients and servers
- On the same link as the client
- Listens on FF02::1:2 multicast address

!190
Stateful DHCPv6 Messages

SERVER CLIENT

SOLICIT

ADVERTISE

REQUEST

REPLY

!191
Stateless DHCPv6
• Complements SLAAC configuration:
- I.e: host obtain the address using SLAAC and the DNS
server address from DHCPv6
- In dual-stack networks we can obtain IPv4 DNS server
addresses from DHCPv4

• Configure a DHCP pool with additional parameters:

- DNS Server
- Domain name
- NTP

• Activated by “other configuration” flag in ND

!192
Stateless DHCPv6 Messages

SERVER CLIENT

INFORMATION-REQUEST

REPLY

!193
IPv6 Prefix Delegation
• IPv4 deployments:
- ISP only has to deliver a public IPv4 address
- NAT is used for translation using RFC1918

• IPv6 deployments:
- IPv6 end-to-end reachability:
- Home network gets its own IPv6 prefix (public address)
- No NAT

!194
DHCPv6 Prefix Delegation
• ISP assigns a block of addresses for
delegation to customers (e.g. /48)
• Customer assigns /64 prefixes to LAN
interfaces

RA
DHCP

ISP Network
and Internet

!195
DHCPv6 Prefix Delegation
• Provider edge as delegating DHCP server
• CPE as DHCP client and IPv6 router
DHCP DHCP SLAAC
Server Client Server

RA
DHCP

ISP Network
and Internet

!196
DHCPv6 PD Messages

SERVER CLIENT

SOLICIT

ADVERTISE

REQUEST

REPLY

!197
Questions
DHCPv6-PD
Exercise 15
 DHCPv6
R2

CUSTOMER 1 R66
e0/0 e1/0 e0/0
e0/1

e0/0 e1/0

R1 R99

e0/1
CORE
f0/1
e0/0
Host 1 CUSTOMER 2
e0/1 e0/0 e1/0 e0/0
R3 POP

!200
DHCPv6-PD Router Configuration
• DHCP pool named “DHCP_CUSTOMERS”
references local pool “DHCP_POOL”
• DHCP_POOL details about the address pool
ipv6 dhcp pool DHCP_CUSTOMERS
prefix-delegation pool DHCP_POOL
!
interface e1/0
ipv6 address 2001:ffXX:0:ff02::b/64
ipv6 dhcp server DHCP_CUSTOMERS
no shutdown
!
ipv6 local pool DHCP_POOL 2001:ffXX:ff02::/48 56

!201
DHCPv6-PD C2 Configuration
• ISP facing interface is the DHCP client
• LAN facing interface is the IPv6 router sending

RA message

interface e0/0
ipv6 address 2001:ffXX:0:ff02::a/64
ipv6 dhcp client pd PREFIX
no shutdown
!
interface e0/1
ipv6 address PREFIX ::1:b00c:caf3:bab3:1/64
no ipv6 redirects
no shutdown

!202
On H1
• Enable IPv6 on the router
- You know how

• And enable SLAAC

interface e0/0
ipv6 address autoconfig default
no shutdown

!203
Summary
• We have now distributed an IPv6 prefix to
Customer 2
• Customer has distributed prefixes to LAN
interfaces automatically and distributed
SLAAC to the host

• Can you find the DUID address of C2 ?

!204
 DHCPv6-PD

with static assignment
12 - Exercise
DHCPv6-PD with Static Assignment
• Assign to Customer 2 static prefix:
- 2001:ffXX:ff02:AB00::/56

!206
 On R3
• Find the DUID of the customer
#show ipv6 dhcp binding

• We have to create a pool, set-up prefix

delegation and specify the DUID

(config)#ipv6 dhcp pool DHCP_CUSTOMERS

(config-dhcpv6)#prefix-delegation 2001:ffXX:ff02:AB00::/56 DUID

!207
On C2
• To make sure the changes we made are
propagated, we shut and no shut the interface
towards R2
(config)# interface e0/0
(config-if) shut
(config-if) no shut

• It can take some time to propagate, up to 4

minutes
# show ipv6 interface brief

!208
Security
13 - Section
IPv6 Security - Why Does It Matter?
• Most operating systems have IPv6 enabled by
default nowadays
• IPv6 is present in your IPv4-only networks
- tunnels
- autoconfiguration on hosts

• The default IPv6 policies will not be what you

need
• Often everything open
!210
Subnet Scanning
• In IPv6, scanning the whole address space is
not possible anymore, but people use:
- words (dead, beef, babe, cafe)
- lower numbers (::1, ::2, ::3)
- IPv4 based addresses (2001:db8::192:168:1:1/128)

!211
Subnet Scanning
• Scanning multicast addresses
- ff02::1 - all hosts
- ff05::5 - all DHCP servers
- ff05::2 - all routers

• You can use easy to remember addresses,


but remember that scanning will work the
same as in IPv4

!212
ICMPv6
• ICMPv6 is used to report errors, ping and

discover others (Neighbor Discovery)

• ICMPv6 is an integral part of IPv6

• Disabling ICMPv6 will break your network

!213
Firewall Filtering and ICMPv6
• IPv6 border filter example
ICMPv6 ICMPv6
Action Src Dst Name
type Code
Permit Any A 128 0 echo reply

Permit Any A 129 0 echo request

Permit Any A 1 0 no route to dest

Permit Any A 2 0 packet too big

Permit Any A 3 0 TTL exceded

Permit Any A 4 0 parameter problem

!214
IPv6 Headers
• In IPv6, the header of a packet can be
extended
• Extension headers are used for routing,
fragmentation, IPSEC, etc.
• Some Intrusion Detection Systems find it hard
to figure out where layer 4 starts and the
extension header ends

!215
IPSec
• IPSec in IPv6 is the same as in IPv4
• There is nothing automatically secure in IPv6
• IPSec should be supported in IPv6
- PKI infrastructure costs time and money

!216
RA Guard
• RFC6105
• Implement on a L2 switch, so they can filter
out rogue or misconfigured routers sending
router advertisements
• Filtering based on:
- MAC address
- Port where the RA was received
- IP source address

!217
Hosts
• Hosts can get an IPv6 address unnoticed
• Hosts can set up tunnels
• Keep software up-to-date
• Host security controls should inspect IPv4 and
IPv6
- Firewalls
- VPN clients

!218
Routers
• Protect vty lines
ipv6 access-list line-vty-in
remark company management prefix
permit ipv6 2001:db8:0:1::/64 any

line vty 0 15
ipv6 access-class line-vty-in in

• Use a /127 for point-to-point links if possible

!219
IPv6 Bogons
• Documentation prefix
- 2001:db8::/32

• 6bone
- 3ffe::/16
- Returned to the IANA pool

• Cymru bogon list (very long!)

- Also available as BGP feed
- https://www.team-cymru.org/Services/Bogons/fullbogons-
ipv6.txt

!220
Questions
IP Address Management
Section 16
Why IP Address Management?
• How do you currently keep track?
- There are many subnets in IPv6
- Your spreadsheet might not scale
- And you want to take care of DNS/reverse DNS

• There are 524288 /48s in a /29

• That is 34359738368 /64s!

!223
Address Management
• There are many open source IPv6 IPAM tools
- NetDot
- GestióIP
- phpIPAM
- Netbox
- NIPAP
- NOCProject

• And of course our own IP Analyser

!224
NetDot
• Device discovery via SNMP
• DNS and DHCP config management
• MAC address tracking
• BGP and AS Number tracking
• Export scripts for
- Nagios
- Smokeping
- Cacti
- RANCID

!225
NetDot

!226
GestióIP
• Web based IPAM software
• Structure based on Surfnet document
• Shows free ranges
• Incorporated VLAN management system
• Host discovery via SNMP and DNS
• Multi lingual (Russian, Italian, French, Catalan, etc….)
• DNS zone file generator for forward and reverse zones
- Supporting BIND and tinydns zone files

!227
GestióIP

!228
phpIPAM
• AJAX based using jQuery libraries
- PHP script, javascript and some HTML5/CSS3
- Modern browser is preferred

• E-mail notifications
• Displays free ranges and numbers of clients
• Import and export to XLS files
• Can pull info from the RIPE DB
• Does not update DNS server
!229
phpIPAM

!230
Netbox
• Written in Python
• Web application with PostgreSQL database
• Also a Datacenter Infrastructure Management Tool
• No network monitoring, DNS, RADIUS, Config
management

!231
Netbox

!232
NIPAP
• Written in Python
• Web and CLI
• Integrated audit log
• IP request system
• XML-RPC middleware
- Easy integration with other applications

!233
NIPAP

!234
NOC Project (mostly CIS region)
• BSD licensed
• Complete OSS system
• Clean web interface
• DNS integration
• Reporting tools
• Quick view options (free space)
• Hierarchical user groups
• Large developer team
!235
NOC Project

!236
IP Analyser
• Available through the LIR Portal

• Get a visual insight into your RIPE Database objects

- Hierarchical view of used address space

• Create new objects using an easy to use wizard

- Interface seamlessly with the RIPE Database
- Explain the different options well
- Use sensible defaults
- Delete redundant objects directly from the UI

!237
IP Analyser

!238
Tips and Tools
Section 17
Graduate to the next level!

http://academy.ripe.net

!240
Feedback!

https://www.ripe.net/training/advanced-ipv6/survey
!241
Follow us!

@TrainingRIPENCC

!242
Questions
Email address
@Twitter handle
 The End!
Title Text Kрай Y Diwedd
Fí
Соңы Finis
Liðugt
Ende Finvezh Kiнець
Konec Kraj Ënn Fund
Beigas Son Kpaj
Lõpp Vége
An Críoch
‫הסוף‬
Fine Endir
Sfârşit Fin Τέλος
Einde
Конeц Slut Slutt
Pabaiga
Amaia Loppu Tmiem Koniec
Fim
!244