IPv6 Tutorial - Public

The document provides an overview of IPv6, highlighting its features such as increased address space, improved routing efficiency, and integrated security. It discusses the drivers for IPv6 adoption, including IPv4 address exhaustion, mobile IP requirements, and peer-to-peer networking needs. Additionally, it outlines global IPv6 initiatives and the current state of IPv6 deployment across various regions, including Asia, Europe, and the United States.

Uploaded by

Rohit Kumar

Introduction to IPv6

Agenda

• IPv6 Overview
• Addressing
• Header format
• Header extensions
• ICMPv6
• Neighbor discovery
• Autoconfiguration
• Routing IPv6
• Transition to IPv6
• Juniper Networks IPv6 Support
IPv6 Features

• Increased address space
– 128 bits = 340 trillion trillion trillion addresses
– (2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456)
– = 67 billion billion addresses per cm² of the planet surface
• Hierarchical address architecture
– Improved address aggregation
• More efficient header architecture
– Improved routing efficiency, in some cases
• Neighbor discovery and autoconfiguration
– Improved operational efficiency
– Easier network changes and renumbering
– Simpler network applications (Mobile IP)
• Integrated security features
IPv6 Drivers:
IPv4 Address Exhaustion
• IPv4 addresses particularly scarce in Asia
– Some U.S. universities and corporations have more IPv4
address space than some countries
• Imminent demise of IPv4 address space predicted since
mid 1990’s
• NAT + RFC 1918 has slowed that demise
• 70% of Fortune 1000 companies use NAT*

BUT…

*Source: Center for Next Generation Internet NGI.ORG


NAT Causes Problems
• Breaks globally unique address model
• Breaks address stability
• Breaks always-on model
• Breaks peer-to-peer model
• Breaks some applications

• Breaks some security protocols
• Breaks some QoS functions
• Introduces a false sense of security
• Introduces hidden costs

IPv6 = plentiful, global addresses = no NAT


IPv6 Drivers:
Mobile IP
• Mobile nodes must be able to move from router to router without losing end-to-end connection
• Home address: Maintains connectivity
• Care-of address: Maintains route-ability
IPv6 Drivers:
Mobile IP
Mobile IP Model

[Figure: a Correspondent Node, a Home Agent on the Home Network, and a Mobile Node attached to a Foreign Router on the Foreign Network; normal routing from the Correspondent Node leads to the home network.]

1. Packets sent to home address
2. Packets tunneled to “care of” address via foreign router
3. Return packets routed directly to correspondent
IPv6 Drivers:
Mobile IP

[Chart: Mobile Subscribers, PCs Connected to Web, and Mobile Internet Users, in millions (axis 0 to 1600), 1995 to 2004]

Sources: ABN AMRO/IDC/Ovum


IPv6 Drivers:
Mobile IP
Current Wireless Subscribers

Region          Number          Regional Percentage
North America   156.6 million   50.1%
Europe          366.8 million   57.7%
Japan           72.8 million    57.3%
Asia Pacific    332.2 million   10.9%

Sources: U.S. Census Bureau, International Data Corp.


IPv6 Drivers:
Mobile IP
• Mobile IP will require millions or billions of
care-of addresses
– Potential user base larger than entire IPv4
address space
• Mobile IPv4 solution: Foreign Agent
– Allows multiple mobile nodes to share a care-of address
– NAT-like function, NAT-like problems
IPv6 Drivers:
Mobile IP
• Mobile IPv6 Advantages:
– More than enough care-of addresses
– Neighbor discovery and autoconfiguration
• Easy discovery of foreign routers
• Easy acquisition of care-of address
– Route optimization
• Binding updates reduce triangle routing
– End-to-end security
• 3GPP standards group pushing for
adoption of IPv6
IPv6 Drivers:
Peer-to-Peer Networking

• “The network is the computer” –Sun Microsystems


• Every host is a client and a server
– That is, a consumer and a producer
• Peer-to-peer decentralizes:
– Network processes and storage
– Network administration
– Network cost
• Assume 100 million PCs, each with:
– 500 MHz processor
– 5 GB storage
• The Internet becomes:
– 50 billion megahertz of processing power
– 500,000 terabytes of storage
IPv6 Drivers:
Peer-to-Peer Networking
• Napster led the way
• User driven
• Intelligent application of client/server and peer-to-peer
• Simple model made unnecessarily complex by dynamic IP issues
IPv6 Drivers:
Peer-to-Peer Networking
• But peer-to-peer is about more than
sharing music files (legally or otherwise)
• Peer-to-peer might re-shape the way we
do business
IPv6 Drivers:
Peer-to-Peer Networking
• Online gaming will be an early driver
– Current gaming market in U.S. $10B
– Gamers account for 10% of U.S. broadband market*
– Millions of on-line gamers in Japan and Korea
– Microsoft investing $2B in XBox Live
• Present online gaming mostly client/server
– Forced by insufficient IPv4 addresses
– Creates bandwidth bottlenecks

*Source: ISP-Planet.com
IPv6 Drivers:
Peer-to-Peer Networking
• Content sharing
– Napster was a wake-up call
– Kazaa
– Morpheus, FreeNet, Grokster, Gnutella, many more…
• Distributed data processing
– SETI@home
– Folding@home
– Popular Power
• Distributed applications
– Black-hat hackers already appreciate this (DDoS)
IPv6 Drivers:
Peer-to-Peer Networking

Barriers
• Asymmetric Internet
– Blame Tim Berners-Lee
– Cable modems, ADSL
– Modern ISPs sometimes designed with
client/server assumptions
• “Dumb” firewalls
– Port 80 exploits
– These must become smarter
• NAT and dynamic IP addresses
– Peer-to-Peer needs reachable hosts
IPv6 Drivers:
Internet-Enabled Devices
• Internet-enabled appliances
– Electrolux Screenfridge
– Samsung Digital Network Refrigerator
• Internet-enabled automobiles
– Already available in many luxury cars
– Interesting research being conducted in Japan
IPv6 Drivers:
Internet-Enabled Devices
• Internet-enabled ATMs
– Fujitsu Series 8000
– Infonox, Western Union conducting pilot program
• Smart sensors
• Bioelectronics
IPv6 Drivers:
Conclusion
• The common factor in all cases is:
MORE IP ADDRESSES
– For billions of new users
– For billions of new devices
– For always-on access
– For transparent Internet connectivity the way
it was meant to be
IPv6 Around the World:
Address Allocation by Authority

[Pie chart: allocations by APNIC, RIPE-NCC and ARIN; slice values 29, 62 and 63]

Unit: /35 Prefixes


IPv6 Around the World:
APNIC Address Allocation

[Pie chart: APNIC allocations by country. Legend: Japan, Korea, Taiwan, China, Australia, Singapore, Hong Kong, Malaysia, Thailand]

Unit: /35 Prefixes


IPv6 Around the World:
RIPE Address Allocation

[Chart: RIPE allocations by country code. Legend: DE, GB, SE, FI, NL, IT, FR, RU, PL, AT, PT, NO, LT, IE, HU, GR, EU, ES]
IPv6 Around the World:
Global Advanced Research Networks

[Diagram: interconnected research networks: CA*net 2, APAN, 6Bone, European national networks, regional networks, Internet2 (vBNS, Abilene)]


IPv6 Around the World:
Japan

• Government mandates that IPv6 be implemented by 2005
– eJapan Initiative
• IPv6 Promotion Council of Japan
– ¥8B (US$70M) for IPv6 R&D
• 2002-2003 Tax Incentive Program
– ISPs can get reduced corporate and fixed property tax for newly
acquired IPv6 ready routers
• NTT is worldwide provider of commercial IPv6
– APAC, US, and Europe
IPv6 Around the World:
Japan

• Commercial IPv6 ISPs:
– NTT
– IIJ
– Powered.com
– Japan Telecom
– KDDI
– Global Crossing
– Chita Medias
– MIS

• Research & Initiatives:
– Japan Gigabit Network (JGN)
– KAME
• BSD IPv6
– USAGI
• IPv6 for Linux
– TAHI
• IPv6 verification technology
– Widely Integrated Distributed Environment (WIDE)
IPv6 Around the World:
South Korea

• Currently the leader in broadband use
– 45% of households
• Government-mandated transition roadmap
– Phase I (~2001): IPv6 research
– Phase II (2002-2005): IPv6/IPv4 interworking
– Phase III (2006-2010): Commercial IPv6 service
– Phase IV (2011): Native IPv6
IPv6 Around the World:
South Korea

• Research and Development


– KRv6 Project
• Developing transition strategies
• Developing IPv6 infrastructure and NGI applications
– KOREN (Korea Research and Education Network)
• Native IPv6 network connectivity
• TransEurasia Information Network (TEIN)
– Continental network between Korea and Europe
• Network Trials and Services
– 6NGIX (IPv6 Next Generation Internet eXchange)
• First IPv6 exchange point in Korea
– 6KANet (IPv6 Korea Advanced Network)
IPv6 Around the World:
Taiwan

• Research and Development


– NBEN (National Broadband Experimental
Network)
• Commercial Trial
– HiNet
• Important for gaining experience with transition
mechanisms
• Government initiative expected soon
– eTaiwan Initiative
IPv6 Around the World:
People’s Republic of China

• Colossal potential market


– 1.3 billion people
– IPv4 = 3.7 billion usable global addresses
– IPv4 will not serve this market
• Building world’s largest wireless system
• Soon will have the most PCs in the world
• Will exceed Japan in number of Internet users in 2002
• Major IPv6 R&D centers in China:
– Nokia China R&D Center
– Tsinghua University (CERnet)
– Beijing University of Post and Telecommunication
– Beijing Internet Institute
IPv6 Around the World:
Europe
• 6INIT
– EU funded
– First phase toward large-scale IPv6 deployment
• 6NET
– High-capacity IPv6 research network
• Euro6IX
– Pan-European native IPv6 R&D backbone
– Consortium of telcos, industries, universities
– IPv6 PKI (Public Key Infrastructure) service
• Eurov6
– Permanent IPv6 multi-vendor showcase and testbed
• 6LINK
– IPv6 project clusters
– Consensus building for IPv6 development and deployment
• 6POWER
– IPv6 over power lines
• 6QM
– IPv6 QoS measurement
IPv6 Around the World:
Europe

• Research and Educational Networks:


– SURFnet (Netherlands)
– Renater (France)
– JANET (UK)
– B-WIN (Germany)
– NORDUNet (Denmark, Finland, Iceland,
Norway, Sweden)
• Commercial Network:
– NTT Europe
IPv6 Around the World:
United States

• Early adoption slower than Asia and Europe
– Less IPv4 address depletion
– Wireless is behind the times
– Everyone wants to see the business case first
– No government mandates
“Compounding the problem, carriers have cut spending amid a weak U.S. economy and tight capital supply. North America, which has 74 percent of the world's Internet Protocol addresses, has little incentive to make the change. Europe has 17 percent of the addresses while Asia has 9 percent.”
–Wired.com
IPv6 Around the World:
United States

• Research and Development:


– 6Bone
• IPv6 testbed
– Star Tap
• International High Performance
• Funded by National Science Foundation (NSF)
– vBNS
• Funded by NSF and Worldcom
– 6REN
• Research and Education Network
• Established by ESnet (Energy and Sciences Network)
– Internet2
• Partnership of government, academia, and industry
• Applications
• Middleware
• Advanced network infrastructure (Abilene)
• Commercial IPv6 Offerings:
– Mostly trial networks
– Worldcom, Cable&Wireless, Qwest, NTT, others
IPv6 Address Representation
• 128 bits
• Represented by 8 colon-separated
segments
• Each 16-bit segment written in
hexadecimal

Example:

3ffe:3700:1100:0001:d9e6:0b9d:14c6:45ee
IPv6 Address Compaction
• Leading zeroes in a 16-bit segment can be compacted
Example:

fe80:0210:1100:0006:0030:a4ff:000c:0097

Becomes:

fe80:210:1100:6:30:a4ff:c:97
IPv6 Address Compaction
• All zeroes in one or more contiguous 16-bit segments can be represented with a double colon (::)
Example:
ff02:0000:0000:0000:0000:0000:0000:0001
Becomes:
ff02::1
BUT…
IPv6 Address Compaction
• Double colons can only be used once
Example:
2001:0000:0000:0013:0000:0000:0b0c:3701
Can be:
2001::13:0:0:b0c:3701
Or:
2001:0:0:13::b0c:3701
But not:
2001::13::b0c:3701
Imbedded IPv4 Addresses
• Some transition mechanisms imbed IPv4
addresses in IPv6 addresses
• Imbedded IPv4 addresses are represented
with dotted decimal
Examples:
::13.1.68.3
::ffff:129.144.52.38
fe08::5efe:172.24.240.30
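
The compaction and embedded-IPv4 rules above, worked through in Python as an added example (not part of the original slides). The names `expand`, `compress`, `canonical`, `is_valid` and `matches_stdlib` are this example's own; comparing canonical forms rather than raw strings is what keeps log searches and ACL entries from missing an address written a different way.

```python
import ipaddress
import string


def expand(text):
    """Parse IPv6 text into eight 16-bit segments, undoing compaction."""
    if text.count("::") > 1:
        raise ValueError("'::' can only be used once: " + text)
    head, _, last = text.rpartition(":")
    if "." in last:  # embedded IPv4 address written in dotted decimal
        octets = [int(o) for o in last.split(".")]
        if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
            raise ValueError("bad embedded IPv4 address: " + text)
        text = "%s:%x:%x" % (head, octets[0] << 8 | octets[1],
                             octets[2] << 8 | octets[3])
    if "::" in text:
        left, right = text.split("::")
        lead = left.split(":") if left else []
        tail = right.split(":") if right else []
        missing = 8 - len(lead) - len(tail)
        if missing < 1:
            raise ValueError("'::' must replace at least one segment: " + text)
        parts = lead + ["0"] * missing + tail
    else:
        parts = text.split(":")
    ok = len(parts) == 8 and all(
        1 <= len(p) <= 4 and all(c in string.hexdigits for c in p)
        for p in parts)
    if not ok:
        raise ValueError("need eight segments of 1-4 hex digits: " + text)
    return [int(p, 16) for p in parts]


def compress(segments):
    """Drop leading zeroes and replace the longest zero run with '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        j = i
        while j < 8 and segments[j] == 0:
            j += 1
        if j - i > best_len:          # on a tie the first run wins
            best_start, best_len = i, j - i
        i = max(j, i + 1)
    hexes = ["%x" % s for s in segments]
    if best_len < 2:                  # a single zero segment stays as "0"
        return ":".join(hexes)
    return (":".join(hexes[:best_start]) + "::" +
            ":".join(hexes[best_start + best_len:]))


def canonical(text):
    """One spelling per address, suitable as a comparison key."""
    return compress(expand(text))


def is_valid(text):
    try:
        expand(text)
        return True
    except ValueError:
        return False


def matches_stdlib(text):
    """Cross-check expand() against ipaddress on the 128-bit value."""
    value = 0
    for segment in expand(text):
        value = value << 16 | segment
    return value == int(ipaddress.IPv6Address(text))


if __name__ == "__main__":
    for sample in ("fe80:0210:1100:0006:0030:a4ff:000c:0097",
                   "2001:0:0:13::b0c:3701", "::ffff:129.144.52.38",
                   "2001::13::b0c:3701"):
        print(sample, "->", canonical(sample) if is_valid(sample) else "invalid")
```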
IPv6 Prefix Representation
• CIDR-like notation used to specify prefix
length
Examples:
3ffe:0:0:2300:ce21:233:fea0:bc94/60

201:468:1102:1::1/64
IPv6 Prefix Compaction

2002:0000:0000:18d0:0000:0000:0000:0000/60

Can be represented as:

2002::18d0:0:0:0:0/60
2002:0:0:18d0::/60
IPv6 Address Types

• Unicast
– Identifies a single interface
– Packet sent to a unicast address is delivered to the interface
identified by that address
• Anycast
– Identifies a set of interfaces
– Packet sent to an anycast address is delivered to the nearest
interface identified by that address (as defined by the routing
protocol)
• Multicast
– Identifies a set of interfaces
– Packet sent to a multicast address is delivered to all interfaces
identified by that address
• IPv6 has no broadcast addresses
– IPv6 uses "all-nodes" multicast instead
IPv6 Address Scope
• Link-Local
– Used on a single link
– Packets with link-local source or destination addresses are not
forwarded to other links
• Site-Local
– Used for a single site
– Packets with site-local source or destination addresses are not
forwarded to other sites
– Applications similar to RFC 1918
• Global
– A globally unique address
– Packets with global addresses can be forwarded to any part of
the global network
Identifying Address Types

Type                     IPv6 Prefix
Unspecified              ::/128
Loopback                 ::1/128
Multicast                ff00::/8
Link-Local Unicast       fe80::/10
Site-Local Unicast       fec0::/10
Global Unicast/Anycast   everything else
Global Unicast Addresses:
TLA/NLA Format (Being Obsoleted)

128 bits

Field          Bits   Part of
FP             3      Public Topology (Network Portion)
TLA-ID         13     Public Topology (Network Portion)
Res            8      Public Topology (Network Portion)
NLA-ID         24     Public Topology (Network Portion)
SLA-ID         16     Site Topology (Network Portion)
Interface-ID   64     Interface Identifier (Node Portion)

FP = Format Prefix (= 001 for globally aggregated unicast addresses)
TLA-ID = Top-level aggregation identifier
RES = Reserved for future use
NLA = Next-level aggregation identifier
SLA-ID = Site-level aggregation identifier
Interface ID = Interface identifier
Global Unicast Addresses:
New Format

128 bits

Field                   Bits   Part of
001                     3      Public Topology (Network Portion)
Global Routing Prefix   45     Public Topology (Network Portion)
Subnet                  16     Site Topology (Network Portion)
Interface-ID            64     Interface Identifier (Node Portion)

• Global Routing Prefix uses CIDR-like hierarchy
• Everyone (from corporations to residences) gets 48-bit prefix
• Everyone gets 16-bit subnet space
• There are some exceptions (very large subscribers, mobile nodes)
Global Unicast Addresses:
Why Fixed Prefix and Subnet Lengths?

• Changing ISPs becomes simpler


• Eliminates need to justify address space
• Plenty of room to grow
– 001 is only 1/8th of total address space
– 16-bit subnet field sufficient for most
subscribers
• Can simplify multihoming

• See RFC 3177 for more information


Interface ID
• Unique to the link
• Identifies interface on a specific link
• Can be automatically derived
– IEEE addresses use MAC-to-EUI-64
conversion
– Other addresses use other automatic
means
• Can be used to form link-local address
• Can be used to form global address with
stateless autoconfiguration
Multicast Address Format
128 bits

Field      Bits   Contents
(prefix)   8      11111111
flgs       4      First 3 bits set to 0; last bit defines address type
scop       4      Defines address scope
Group-ID   112

flgs, last bit:
0 = Permanent (or well-known)
1 = Locally assigned (or transient)

scop values:
0 Reserved
1 Node-local scope
2 Link-local scope
5 Site-local scope
8 Organization local scope
E Global scope
F Reserved
A Few Well-known Multicast Addresses

IPv6 well-known      IPv4 well-known
multicast address    multicast address    Multicast group

Node-local scope
FF01::1              224.0.0.1            All-nodes address
FF01::2              224.0.0.2            All-routers address
Link-local scope
FF02::1              224.0.0.1            All-nodes address
FF02::2              224.0.0.2            All-routers address
FF02::5              224.0.0.5            OSPFIGP
FF02::6              224.0.0.6            OSPFIGP-DR's
FF02::9              224.0.0.9            RIP routers
FF02::D              224.0.0.13           All PIM routers
Site-local scope
FF05::2              224.0.0.2            All-routers address
Any valid scope
FF0X::101            224.0.1.1            Network time protocol NTP
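
An added example (not from the original slides) that applies the "Identifying Address Types" prefixes and decodes the flgs and scop fields of a multicast address, then answers the question a filter author cares about: is this address confined to one link? The function names are this example's own, and `confined_to_link` encodes only the link-local forwarding rule from the scope slide, extended to node-local and link-local multicast scope.

```python
import ipaddress

# Prefixes from the "Identifying Address Types" slide.
TYPE_PREFIXES = [
    ("unspecified", ipaddress.IPv6Network("::/128")),
    ("loopback", ipaddress.IPv6Network("::1/128")),
    ("multicast", ipaddress.IPv6Network("ff00::/8")),
    ("link-local unicast", ipaddress.IPv6Network("fe80::/10")),
    ("site-local unicast", ipaddress.IPv6Network("fec0::/10")),
]

# scop values from the "Multicast Address Format" slide.
SCOPES = {0x0: "reserved", 0x1: "node-local", 0x2: "link-local",
          0x5: "site-local", 0x8: "organization-local",
          0xE: "global", 0xF: "reserved"}


def classify(text):
    """Return the address type; anything unmatched is global unicast/anycast."""
    address = ipaddress.IPv6Address(text)
    for name, network in TYPE_PREFIXES:
        if address in network:
            return name
    return "global unicast/anycast"


def decode_multicast(text):
    """Split a multicast address into its flgs, scop and Group-ID fields."""
    if classify(text) != "multicast":
        raise ValueError("not a multicast address: " + text)
    raw = ipaddress.IPv6Address(text).packed
    flgs, scop = raw[1] >> 4, raw[1] & 0x0F   # second octet holds both fields
    return {
        "scope": SCOPES.get(scop, "unassigned (0x%x)" % scop),
        "transient": bool(flgs & 0x1),        # last flag bit: 0 = well-known
        "reserved_flags_zero": flgs >> 1 == 0,
        "group_id": int.from_bytes(raw[2:], "big"),
    }


def confined_to_link(text):
    """True if packets to or from this address must not leave the link."""
    kind = classify(text)
    if kind == "link-local unicast":
        return True
    if kind == "multicast":
        return decode_multicast(text)["scope"] in ("node-local", "link-local")
    return False


if __name__ == "__main__":
    # Addresses taken from the slides, plus one constructed transient group.
    for sample in ("FF02::5", "FF05::2", "ff1e::1234",
                   "fe80::200:bff:fe0a:2d51", "2001:468:1100:1::1"):
        detail = decode_multicast(sample) if classify(sample) == "multicast" else ""
        print(sample, classify(sample), confined_to_link(sample), detail)
```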
Configuration Example:
JUNOS Router Interface

[edit]
lab@Juniper5# show interfaces fe-0/1/1
unit 0 {
    family inet {
        address 206.196.180.113/28;
    }
    family inet6 {
        address 3FFE:3700:1102:1::1/64;
        address 201:468:1102:1::1/64;
    }
}
Configuration Example:
IOS Router Interface

interface Ethernet2
 ip address 206.196.180.113 255.255.255.240
 ipv6 address 3FFE:3700:1102:1::1/64
 ipv6 address 201:468:1102:1::1/64
IPv6 Addresses

You have not seen everything yet…


• MAC-to-EUI-64 conversion for Interface ID
• Solicited-node multicast
• IPv6 with imbedded IPv4 addresses
• IPv4 compatible IPv6 addresses

…will be presented in context


IPv4 vs. IPv6 Header Formats

[Figure: the two headers drawn side by side, each row 32 bits wide. Fields in order:]

IPv4 header
• Ver., HL, TOS, Datagram Length
• Datagram-ID, Flags, Flag Offset
• TTL, Protocol, Header Checksum
• Source IP Address
• Destination IP Address
• IP Options (with padding if necessary)

IPv6 header
• Ver., Traffic class (8 bits), Flow label (20 bits)
• Payload Length (16 bits), Next Hdr. (8 bits), Hop Limit (8 bits)
• Source Address (128 bits)
• Destination Address (128 bits)
IPv6 Header Format

Where did all the IP fields go?


IPv6 extension headers

[IPv6 header, NH=TCP] [TCP header + data]

[IPv6 header, NH=Routing] [Routing header, NH=TCP] [TCP header + data]

[IPv6 header, NH=Routing] [Routing header, NH=Fragment] [Fragment header, NH=TCP] [TCP header + data]
Benefits of IPv6 extension headers

IPv4 options drawbacks


• IPv4 options required special treatment in routers
• Options had negative impact on forwarding performance
• Rarely used

Benefits of IPv6 extension headers


• Extension headers are external to IPv6 header
• Routers do not look at these options except for Hop-by-hop options
• No negative impact on routers forwarding performance
• Easy to extend with new headers and options
IPv6 extension headers

Header                                 Previous header's NH-value
Hop-by-hop options                     0
Destination options                    60
Routing                                43
Fragment                               44
Authentication                         51
Encapsulating Security Payload (ESP)   50
Destination options                    60
OSPF for IPv6                          89
IPv6 extension header processing

• Extension headers are NOT examined or processed by any node along a packet's delivery path
• ONLY hop-by-hop extension header is processed by every node along a packet's delivery path (including source and destination)
• Hop-by-hop header (if present) must immediately follow IPv6 header
• Extension headers are processed strictly in order they appear in the packet
IPv6 extension header orders

RFC 2460 recommends following order:


1. IPv6 header
2. Hop-by-hop options header
3. Destination options header
4. Routing header
5. Fragment header
6. Authentication header
7. ESP header
8. Destination options header
9. Upper-layer header
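
An added example (not from the original slides) of what the Next Header chain means for anything that filters or logs by upper-layer protocol: the code has to walk every extension header to find it. The walker below uses the NH values from the table above plus the standard protocol numbers for TCP (6) and UDP (17); the packets are constructed byte strings, and all function and constant names are this example's own.

```python
import ipaddress
import struct

EXT = {0: "Hop-by-hop options", 60: "Destination options", 43: "Routing",
       44: "Fragment", 51: "Authentication", 50: "ESP"}
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 89: "OSPF for IPv6"}
# Recommended order; Destination options may appear in two places.
ORDER = [0, 60, 43, 44, 51, 50, 60]


def follows_recommended_order(ext_values):
    """True if the extension headers form a subsequence of ORDER."""
    pos = 0
    for value in ext_values:
        while pos < len(ORDER) and ORDER[pos] != value:
            pos += 1
        if pos == len(ORDER):
            return False
        pos += 1
    return True


def walk_chain(packet):
    """Follow Next Header values from the IPv6 header to the upper layer."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, seen, findings, upper = packet[6], 40, [], [], None
    while nh in EXT:
        if nh == 0 and seen:
            findings.append("Hop-by-hop options not directly after IPv6 header")
        seen.append(nh)
        if nh == 50:  # everything after the ESP header is encrypted
            break
        if off + 8 > len(packet):
            findings.append("packet ends inside %s header" % EXT[nh])
            break
        next_nh, length_field = packet[off], packet[off + 1]
        if nh == 44:  # Fragment header has a fixed size of 8 octets
            size = 8
            if struct.unpack("!H", packet[off + 2:off + 4])[0] >> 3:
                findings.append("non-first fragment: no upper-layer header here")
                break
        elif nh == 51:  # Authentication: length in 32-bit words, minus 2
            size = (length_field + 2) * 4
        else:           # others: length in 8-octet units, not counting the first
            size = (length_field + 1) * 8
        nh, off = next_nh, off + size
    else:
        upper = UPPER.get(nh, "protocol %d" % nh)
    if not follows_recommended_order(seen):
        findings.append("extension headers not in recommended order")
    return {"extension": [EXT[v] for v in seen], "upper": upper,
            "findings": findings}


# ---- Constructed sample packets (addresses reused from the slides) ----
SRC = ipaddress.IPv6Address("3ffe:3700:1100:1::1").packed
DST = ipaddress.IPv6Address("2001:468:1100:1::1").packed


def build(first_nh, payload):
    """40-byte IPv6 header (hop limit 64) followed by the given payload."""
    header = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64)
    return header + SRC + DST + payload


TCP = bytes(20)  # placeholder for a TCP header
# The slide's third row: IPv6 -> Routing -> Fragment -> TCP.
GOOD = build(43, bytes([44, 0, 0, 0]) + bytes(4)
             + bytes([6, 0]) + struct.pack("!HI", 0, 0x1234) + TCP)
# Routing header followed by a Hop-by-hop header (PadN option as filler).
BAD = build(43, bytes([0, 0, 0, 0]) + bytes(4)
            + bytes([6, 0, 1, 4, 0, 0, 0, 0]) + TCP)
# A later fragment (offset 185 units): the TCP header is in another packet.
LATER_FRAGMENT = build(44, bytes([6, 0])
                       + struct.pack("!HI", 185 << 3, 0x1234) + bytes(32))

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("BAD", BAD), ("LATER", LATER_FRAGMENT)):
        print(name, walk_chain(pkt))
```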
Currently available IPv6 options
• Hop-by-hop
– Must be processed by every node on the packet's path
– Must always appear immediately after IPv6 header
– Two Hop-by-hop options already defined:
1. Router alert option
2. Jumbo payload option
• Destination
– Meant to carry information intended to be examined by the
destination node
– Only options currently defined are padding options to fill out
header on a 64-bit boundary if (future) options require it
Routing header

• Next header value: 43


• Provides "source-routing" functionality
• Format (each row 32 bits):
Next header | Hdr. Ext. Len | Routing Type | Segments left
Type-specific data
Fragment header

• Next header value: 44


• Used to provide datagram fragmentation
• Format (each row 32 bits):
Next header | Reserved | Fragment offset | Res | M
Identification
Authentication

• Next header value: 51


• Provides data integrity and authentication
• Format (each row 32 bits):
Next header | Payload Len. | RESERVED
Security Parameters Index (SPI)
Sequence Number Field
Authentication data
Encapsulating Security Payload (ESP)

• Next header value: 50


• Provides confidentiality, data origin authentication,
connectionless integrity, and anti-replay service
• Format (each row 32 bits):
Security Parameters Index (SPI)
Sequence Number
Payload data
Payload data | Padding
Padding | Pad length | Next header
Authentication data
ICMPv6
• Many of the same functions as ICMPv4
– ICMPv4 Protocol Number = 1
– ICMPv6 Next Header Number = 58
• Adds new messages and functions
– Neighbor discovery
– Stateless autoconfiguration
– Mobile IPv6
ICMPv6 Message Types

• Defined in RFC 2463


Type   Message
1      Destination Unreachable
2      Packet Too Big
3      Time Exceeded
4      Parameter Problem
128    Echo Request
129    Echo Reply


ICMPv6 New Message Types

• Defined in RFC 2461


• Used for Neighbor Discovery protocol

Type   Message
133    Router Solicitation (RS)
134    Router Advertisement (RA)
135    Neighbor Solicitation (NS)
136    Neighbor Advertisement (NA)
137    Redirect
IPv6 Neighbor Discovery
• RFC 2461
• Neighbor can be router or host
• Performs several functions
– Link-layer address resolution
– Router discovery
– Local prefix discovery
– Address autoconfiguration
– Parameter discovery
– Next-hop determination
– Tracks neighbor and router reachability
– Duplicate address detection
– Redirects
Comparison to IPv4 Functions

• Similar IPv4 functions


– ARP
– ICMP Router Discovery
– ICMP Redirect
• IPv4 has no agreed-upon mechanism for
neighbor unreachability detection
– Detects failing routers and links
– Detects nodes that change their link-layer
address
– Unlike ARP, detects half-link failures
Improvements over IPv4

• Router discovery part of base protocol


– Hosts do not need to “snoop” routing protocols
• RAs and redirects carry link-layer addresses
– No additional packet exchange needed
• RAs carry link prefixes
– No separate mechanism to configure “netmasks”
– Enables address autoconfiguration
– Multiple prefixes can be associated with same link
• RAs can advertise link MTUs
– Ensures all nodes on link use same MTU value
• Immune to reception of off-link ND messages
– Hop limit always set to 255
– IPv4 ICMP Redirects and Router Discovery messages can be sent from
off-link
Router Discovery

• Router Advertisements sent periodically


– Interval randomized to prevent synchronization
– Configurable range defined by:
• MaxRtrAdvInterval (default 600 seconds)
• MinRtrAdvInterval (default 200 seconds)
– RAs sent to All-Nodes multicast address (ff01::1)
• RAs sent in response to Router Solicitations
– RS sent to All-Routers multicast address (ff01::2)
– RA unicast to soliciting node
Router Advertisement Information
• Current hop limit
– Value to be used by outgoing IP packets
• Address configuration flags
– “M” and “O” bits
• Router lifetime
– Lifetime for default router
• Reachable time/ Retrans timer
– Used for router unreachability detection
• Source link-layer address (optional)
– Can be omitted for in-bound load balancing
• MTU (optional)
– If AdvLinkMTU is configured
• Prefix information (optional)
– Used for address autoconfiguration
Unsolicited Router Advertisement

[Figure: link topology with nodes A, B, C, E, F and G. The Default GW-List holds A, B and C; an RA is shown on the link.]
Solicited Router Advertisement

[Figure: the same topology with nodes A, B, C, E, F and G. The Default GW-List holds A, B and C; an RS and an RA are shown on the link.]
Choosing a Default Gateway

[Figure: Default GW-List holding A, B and C]

• Implementations may randomly select a default router
• Implementations may cycle through default list round-robin
• What happens when default router is the wrong router?
Redirect

[Figure: link topology with nodes A to G and Host 3; the Default GW-List holds A, B and C. Callouts: Sent data to Host 3 using Default GW "A"; Path used with Default Gateway "A"; ICMP Redirect to Router B; Redirect traffic via Router B.]
Neighbor Cache

C:\Documents and Settings\Jeff Doyle>ipv6 nc

5: fe80::202:2dff:fe25:5e4c 00-02-2d-25-5e-4c permanent
4: fe80::260:83ff:fe7b:2df3 00-60-83-7b-2d-f3 stale (router)
4: fe80::210:a4ff:fea0:bc97 00-10-a4-a0-bc-97 permanent
4: 3ffe:3700:1100:1:210:a4ff:fea0:bc97 00-10-a4-a0-bc-97 permanent
4: 3ffe:3700:1100:1:d9e6:b9d:14c6:45ee 00-10-a4-a0-bc-97 permanent
4: 2001:468:1100:1:210:a4ff:fea0:bc97 00-10-a4-a0-bc-97 permanent
4: 2001:468:1100:1:d9e6:b9d:14c6:45ee 00-10-a4-a0-bc-97 permanent
3: 2002:c058:6301::c058:6301 192.88.99.1 permanent
3: 2002:836b:213c::836b:213c 131.107.33.60 permanent
3: 2002:4172:a85b::4172:a85b 127.0.0.1 permanent
3: 2002:836b:213c:1:e0:8f08:f020:6 131.107.33.60 permanent
3: 2001:708:0:1::624 incomplete
2: ::65.114.168.91 127.0.0.1 permanent
2: fe80::5efe:65.114.168.91 127.0.0.1 permanent
2: fe80::5efe:169.254.113.126 127.0.0.1 permanent
1: fe80::1 permanent
Neighbor Address Resolution
• Equivalent function to IPv4 ARP
– But multicast instead of broadcast
1. Check Neighbor Cache for address
2. If no address, create an Incomplete entry for target address
3. Send Neighbor Solicitation to Solicited-Node Multicast address
4. Target node sends Neighbor Advertisement with link-layer address
5. Soliciting node changes Incomplete entry to Reachable
Solicited-Node Multicast Address
• All multicast-capable interfaces required to listen
• Formed by appending low-order 24 bits of target IPv6 address to
prefix ff02:0:0:0:0:1:ff00::/104
• Addresses differing only in high-order bits will map to same
solicited-node multicast
– Useful when multiple addresses assigned to interface
– Reduces number of multicast addresses a node must listen for

Example:

Interface Address #1 = 3ffe:3700:1100:1:200:bff:fec6:45ee

Interface Address #2 = 2001:468:1100:1:200:bff:fec6:45ee

Solicited-Node Multicast Address = ff02::1:ffc6:45ee


Next-Hop Discovery
• Check neighbor cache for existing next-hop entry for particular destination
• Check whether destination is on- or off-link
– On-link: Sent directly to destination
– Off-link: Sent to default router
• Identify link-layer address of next-hop
Neighbor Unreachability Detection
• 2 ways to verify neighbor reachability:
– Using hints from upper-layer protocols
– From responses to neighbor solicitations
• Forward direction communication (FDC) must be possible for a neighbor to be REACHABLE
• FDC is verified if forward progress is being made by an upper-layer protocol (i.e. TCP, reception of TCP acks)
Neighbor Unreachability Detection
• Neighbor cache stores information about neighbors
– IP address
– Link-layer address
– Reachability state
• Neighbor reachability states
– INCOMPLETE
– REACHABLE
– STALE
– DELAY
– PROBE
Address Autoconfiguration
• Stateless autoconfiguration
– Requires only a router
– Key advantage for applications such as Mobile IP
• Stateful autoconfiguration
– When more control is desired
– DHCPv6
• Stateless and stateful can be combined
– “M” and “O” flags in RA
• M flag: Stateless Address Autoconfiguration Y/N
• O flag: Stateless Autoconfigure Other Parameters Y/N
Stateless Autoconfiguration

1. Interface ID automatically derived
– IEEE addresses use MAC-to-EUI-64 conversion
– Other addresses use other means, such as random number generation
2. Host creates a link-local address
3. Host performs duplicate address check
4. Host sends RS to the all-routers multicast address (ff01::2)
5. Router unicasts RA with prefix information
6. Host adds prefix to Interface ID to form global unicast address
MAC-to-EUI-64 Conversion

1. First three octets of MAC becomes Company-ID


2. Last three octets of MAC becomes Node-ID
3. 0xfffe inserted between Company-ID and Node-ID
4. Universal/Local-Bit (U/L-bit) is set to 1 for global scope
MAC-to-EUI-64 Conversion Example

MAC Address: 0000:0b0a:2d51

• In binary:
00000000 00000000 00001011 00001010 00101101 01010001
(first three octets: Company-ID, containing the U/L bit; last three octets: Individual Node-ID)

• Insert fffe between Company-ID and Node-ID
00000000 00000000 00001011 11111111 11111110 00001010 00101101 01010001
(11111111 11111110 = fffe)
• Set U/L bit to 1
00000010 00000000 00001011 11111111 11111110 00001010 00101101 01010001
(U/L bit: the 1 in the first octet)

• Resulting EUI-64 Address:


Using the EUI-64 Interface ID

EUI-64 Address:
200:bff:fe0a:2d51

Link-Local Address:
fe80::200:bff:fe0a:2d51

Global Unicast Address:


3ffe:3700:1100:1:200:bff:fe0a:2d51
Solicited-Node Multicast Revisited

Interface Address #1 = 3ffe:3700:1100:1:200:bff:fec6:45ee

Interface Address #2 = 2001:468:1100:1:200:bff:fec6:45ee

Solicited-Node Multicast Address = ff02::1:ffc6:45ee

• Last 24 bits are not changed by autoconfiguration or by solicited node multicast
Address Autoconfiguration:
A Security Problem?

• Interface ID remains constant for a host
– Even when prefix information changes
– Unlike IPv4, where entire address changes
• Mobile users can be tracked
• Usage from always-on addresses can be tracked
• This is a concern for some, not for others
• Two solutions:
– Always use stateful autoconfiguration (DHCPv6)
– Use privacy addresses for outgoing
Privacy Addresses

• RFC 3041
• A new Interface ID is randomly generated
– Whenever a new public address is autoconfigured
– Periodically (period is configurable)
• Both autoconfigured public and private addresses are used
– Public for incoming connections (DNS registered)
– Private for outgoing connections
Stateful Autoconfiguration:
DHCPv6

• Currently in Internet-draft
• Many changes from DHCPv4:
– Configuration of dynamic updates to DNS
– Address deprecation for dynamic renumbering
– Authentication
– Clients can ask for multiple IP addresses
– Addresses can be reclaimed
– Integration between stateful and stateless autoconfiguration
• Uses multicasting
– All_DHCP_Agents: ff02::1:2
– All_DHCP_Servers: ff05::1:3
Duplicate Address Detection
• Must be performed by all nodes
• Performed with both stateless and stateful autoconfiguration
• Performed before assigning a unicast address to an interface
• Performed on interface initialization
• Not performed for anycast addresses
• Link must be multicast capable
• New address is called "tentative" as long as duplicate address detection takes place
Duplicate Address Detection

1. Interface joins all-nodes multicast group
2. Interface joins solicited-node multicast group
3. Node sends one NS with
– Target address = tentative IP address
– Source address = unspecified (::)
– Destination address = tentative solicited-node address
Duplicate Address Detection
• If the address already exists, the node that owns it sends an NA with
– Target address = tentative IP address
– Destination address = tentative solicited-node address
• If the soliciting node receives an NA with the target address set to the tentative IP address, the address must be a duplicate
Configuration Example:
Router Discovery

[edit]
lab@Juniper5# show interfaces fe-2/1/0
unit 0 {
    family inet6 {
        address 2001:468:1100:1::1/64;
        address 3ffe:3700:1100:1::1/64;
    }
}

[edit]
lab@Juniper5# show protocols router-advertisement
interface fe-2/1/0.0 {
    other-stateful-configuration;
    prefix 3ffe:3700:1100:1::/64;
    prefix 2001:468:1100:1::/64;
}
Configuration Example:
Windows XP Host

C:\Documents and Settings\Jeff Doyle>ipv6 if 4


Interface 4: Ethernet: Local Area Connection 2
uses Neighbor Discovery
uses Router Discovery
link-layer address: 00-10-a4-a0-bc-97
preferred global 2001:468:1100:1:d9e6:b9d:14c6:45ee, life 6d21h14m26s/21h12m4s (anonymous)
preferred global 2001:468:1100:1:210:a4ff:fea0:bc97, life 29d23h59m25s/6d23h59m25s (public)
preferred global 3ffe:3700:1100:1:d9e6:b9d:14c6:45ee, life 6d21h14m26s/21h12m4s (anonymous)
preferred global 3ffe:3700:1100:1:210:a4ff:fea0:bc97, life 29d23h59m25s/6d23h59m25s (public)
preferred link-local fe80::210:a4ff:fea0:bc97, life infinite
multicast interface-local ff01::1, 1 refs, not reportable
multicast link-local ff02::1, 1 refs, not reportable
multicast link-local ff02::1:ffa0:bc97, 3 refs, last reporter
multicast link-local ff02::1:ffc6:45ee, 2 refs, last reporter
link MTU 1500 (true link MTU 1500)
current hop limit 64
reachable time 22000ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 1
MTU path discovery
• IPv6 routers do not fragment packets
• Minimum MTU for IPv6: 1280 bytes
• Recommended MTU: 1500 bytes
• Nodes should implement MTU PD
• Otherwise they must use minimum MTU
• MTU path discovery works for unicast & multicast
• MTU path discovery uses ICMP "packet too big" error messages
Configuration Example:
Static Route

[edit routing-options]
ps@R1# show
rib inet6.0 {
    static {
        route abcd::/48 next-hop 8:3::1;
    }
}
RIPng
• RFC 2080 describes RIPngv1, not to be confused with RIPv1
• Based on RIP Version 2 (RIPv2)
• Uses UDP port 521
• Operational procedures, timers and stability functions remain unchanged
• RIPng is not backward compatible with RIPv2
• Message format changed to carry larger IPv6 addresses
Configuration Example:
RIPng

[edit protocols]
lab@Juniper5# show
ripng {
    group external_neighbors {
        export default_route;
        neighbor ge-0/0/0.0;
        neighbor ge-0/0/1.0;
        neighbor ge-0/0/2.0;
    }
    group internal_neighbors {
        export external_routes;
        neighbor ge-1/0/0.0;
    }
}
IS-IS
• draft-ietf-isis-ipv6-02.txt, Routing IPv6 with IS-IS
• 2 new TLVs are defined:
– IPv6 Reachability (TLV type 236)
– IPv6 Interface Address (TLV type 232)
• IPv6 NLPID = 142
Configuration Example:
IS-IS for IPv6 Only

• By default, IS-IS routes both IPv4 and IPv6

lab@Juniper5# show
isis {
    no-ipv4-routing;
    interface ge-0/0/1.0;
    interface ge-0/0/2.0;
}
OSPFv3

• Unlike IS-IS, entirely new version required
• RFC 2740
• Fundamental OSPF mechanisms and algorithms unchanged
• Packet and LSA formats are different
OSPFv3 Differences from OSPFv2

• Runs per-link rather than per-subnet
• Multiple instances on a single link
• More flexible handling of unknown LSA types
• Link-local flooding scope added
– Similar to flooding scope of type 9 Opaque LSAs
– Area and AS flooding remain unchanged
• Authentication removed
• Neighboring routers always identified by RID
• Removal of addressing semantics
– IPv6 addresses not present in most OSPF packets
– RIDs, AIDs, and LSA IDs remain 32 bits
OSPFv3 LSAs

Type Description
0x2001 Router-LSA
0x2002 Network-LSA
0x2003 Inter-Area-Prefix-LSA
0x2004 Inter-Area-Router-LSA
0x2005 AS-External-LSA
0x2006 Group-Membership-LSA
0x2007 Type-7-LSA (NSSA)
0x2008 Link-LSA
0x2009 Intra-Area-Prefix-LSA
Configuration Example:
OSPFv3

[edit protocols]
lab@Juniper5# show
ospf3 {
    area 0.0.0.0 {
        interface ge-1/1/0.0;
    }
    area 192.168.1.2 {
        interface ge-0/0/1.0;
        interface ge-0/0/2.0;
    }
}
Multiprotocol BGP-4
• Two new attributes support multiprotocol BGP-4 (aka BGP+)
– Multiprotocol reachable NLRI (MP_REACH_NLRI)
– Multiprotocol unreachable NLRI (MP_UNREACH_NLRI)
• Use of MBGP extensions for IPv6 is described in RFC 2545
• MP_REACH_NLRI attribute describes reachable destinations
• Attribute contains information about
– Network layer protocol (i.e. IPv6)
– Prefixes
– Next-hop to reach prefixes
• MP_REACH_NLRI updates include
– One next-hop address
– List of associated NLRIs
• Follows BGP-4 rules for next-hop attribute
• IPv6 BGP routers advertise global address of NH-router
Example Configuration:
BGP

[edit protocols]
lab@Juniper5# show
bgp {
    group IPv6_external {
        type external;
        import v6_externals;
        family inet6 {
            unicast;
        }
        export v6_routes;
        peer-as 65502;
        neighbor 3ffe:1100:1::b5;
    }
    group IPv6_internal {
        type internal;
        local-interface lo0.0;
        family inet6 {
            unicast;
        }
        neighbor 2001:88:ac3::51;
        neighbor 2001:88:ac3::75;
    }
}
The Multihoming Problem

[Figure: Customer with prefix 207.17.137/24 connected to SP 1 (207.17/16) and SP 2 (198.133/16); 207.17.137/24 is advertised through both providers to “The World”]
• ISP1 must “punch a hole” in its CIDR block
• ISP2 must advertise additional prefix
• Contributes to routing table explosion
• Contributes to Internet instability
– Due to increased convergence time
• Same problem applies to provider-independent (PI) addresses
Possible IPv6 Multihoming Solutions
• IPv6 provides opportunities to fix multihoming problem
– Multiple unicast addresses per interface
• How does DNS work in this environment?
• How is source address chosen?
– Exchange-based addressing
• One TLA assigned to multiple metro ISPs
• How do ISPs negotiate and manage interconnects?
– Router Renumbering Protocol
– Globally unique node IDs
• Work has only begun in this area
– IETF multi6 WG
– Various R&D bodies
– LIN6 (Location-Independent Networking for IPv6)
Transition Assumptions
• No “Flag Day”
– Last Internet transition was 1983 (NCP → TCP)
• Transition will be incremental
– Possibly over several years
• No IPv4/IPv6 barriers at any time
• No transition dependencies
– No requirement of node X before node Y
• Must be easy for end user
– Transition from IPv4 to dual stack must not break anything
• Transition will be from edge inward
– Driven by customer demand
– Except for new networks
• IPv6 is designed with transition in mind
– Assumption of IPv4/IPv6 coexistence
• Many different transition technologies are A Good Thing™
– “Transition toolbox” to apply to myriad unique situations
Types of Transition Mechanisms

• Dual Stacks
– IPv4/IPv6 coexistence on one device
• Tunnels
– For tunneling IPv6 across IPv4 clouds
– Later, for tunneling IPv4 across IPv6 clouds
– IPv6 <-> IPv6 and IPv4 <-> IPv4
• Translators
– IPv6 <-> IPv4
Dual Stacks
• Usually just “dual layer,” not entire stack

[Figure: dual-layer stack. Applications over TCP/UDP, over IPv6 (0x86dd) and IPv4 (0x0800) side by side, over a shared Physical/Data Link layer]
Tunnel Applications

[Figure: IPv6 tunneled across IPv4 in three cases: Router to Router; Host to Host; Host to Router / Router to Host]
Tunnel Types
• Configured tunnels
– Router to router
• Automatic tunnels
– Tunnel Brokers (RFC 3053)
• Server-based automatic tunneling
– 6to4 (RFC 3056)
• Router to router
– ISATAP (Intra-Site Automatic Tunnel Addressing Protocol)
• Host to host, host to router, router to host
– 6over4 (RFC 2529)
• Host to host, host to router, router to router
• Requires IPv4 multicast network
– Teredo
• aka Shipworm
• For tunneling through IPv4 NAT
• Uses UDP
– DSTM (Dual Stack Transition Mechanism)
• aka 4over6
• IPv4 in IPv6 tunnels
– IPv64
Configuration Example:
Configured GRE Tunnel

[Figure: IPv6 tunneled across an IPv4 network between two routers]

Tunnel endpoint 172.16.1.1:
gr-0/0/0 {
    unit 0 {
        tunnel {
            source 172.16.1.1;
            destination 192.168.2.3;
        }
        family inet6 {
            address 2001:240:13::1/126;
        }
    }
}

Tunnel endpoint 192.168.2.3:
gr-1/0/0 {
    unit 0 {
        tunnel {
            source 192.168.2.3;
            destination 172.16.1.1;
        }
        family inet6 {
            address 2001:240:13::2/126;
        }
    }
}
Configuration Example:
Configured MPLS Tunnel

[Figure: IPv6 CE routers attached to PE routers; an IPv6 LSP runs between the PE routers across an IPv4 MPLS network]

PE Router:
mpls {
    ipv6-tunneling;
    label-switched-path v6-tunnel1 {
        to 192.168.2.3;
        no-cspf;
    }
}
bgp {
    group IPv6-neighbors {
        type internal;
        family inet6 {
            labeled-unicast {
                explicit-null;
            }
        }
        neighbor 192.168.2.3;
    }
}
6to4

• Site must have at least one globally-unique IPv4 address
• Uses IPv4 embedded address

Example:
Reserved 6to4 TLA-ID: 2002::/16
IPv4 address: 138.14.85.210 = 8a0e:55d2
Resulting 6to4 prefix: 2002:8a0e:55d2::/48

• Router advertises 6to4 prefix to hosts
6to4

[Figure: two IPv6 sites, each behind a 6to4 router, connected across IPv4, with a 6to4 relay router toward the IPv6 public Internet. Site with IPv4 address 138.14.85.210: 6to4 prefix 2002:8a0e:55d2::/48, 6to4 address 2002:8a0e:55d2::10. Site with IPv4 address 65.114.168.91: 6to4 prefix 2002:4172:a85b::/48, 6to4 address 2002:4172:a85b::d37c]
Configuration Example:
Windows XP 6to4 Interface

C:\Documents and Settings\Jeff Doyle>ipv6 if 3


Interface 3: 6to4 Tunneling Pseudo-Interface
does not use Neighbor Discovery
does not use Router Discovery
preferred global 2002:4172:a85b::4172:a85b, life infinite
link MTU 1280 (true link MTU 65515)
current hop limit 128
reachable time 23000ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0

(In 2002:4172:a85b::4172:a85b, 2002 is the 6to4 prefix and 4172:a85b = 65.114.168.91)
ISATAP

• Uses IPv4 compatible IPv6 address
– Format: ::5efe:W.X.Y.Z
– W.X.Y.Z = IPv4 address mapped to last 32 bits
– 5efe = IANA-reserved identifier

Example:
IPv4 address: 65.114.168.91
Global IPv6 prefix: 2001:468:1100:1::/64
Link-local address: fe80::5efe:65.114.168.91
Global IPv6 address: 2001:468:1100:1::5efe:65.114.168.91
ISATAP

[Figure: ISATAP topology; labels: IPv4/IPv6 router, 6to4 router, IPv4, IPv6]
Configuration Example:
Windows XP ISATAP Interface

C:\Documents and Settings\Jeff Doyle>ipv6 if 2


Interface 2: Automatic Tunneling Pseudo-Interface
does not use Neighbor Discovery
does not use Router Discovery
router link-layer address: 0.0.0.0
EUI-64 embedded IPv4 address: 0.0.0.0
preferred link-local fe80::5efe:169.254.113.126, life infinite
preferred link-local fe80::5efe:65.114.168.91, life infinite
preferred global ::65.114.168.91, life infinite
link MTU 1280 (true link MTU 65515)
current hop limit 128
reachable time 24000ms (base 30000ms)
retransmission interval 1000ms
DAD transmits 0

(In fe80::5efe:65.114.168.91, fe80:: is the link-local IPv6 address, 5efe is the ISATAP identifier, and 65.114.168.91 is the IPv4 address)
Translators

• Network level translators
– NAT-PT (RFC 2766)
– Stateless IP/ICMP Translation Algorithm (SIIT) (RFC 2765)
– Bump in the Stack (BIS/mBIS) (RFC 2747)
• Transport level translators
– Transport Relay Translator (RFC 3142)
• Application level translators
– Application Level Gateway (ALG)
– Bump in the API (BIA)
– SOCKS64 (RFC 3089)
Transition Issues:
DNS

• Namespace fragmentation
– Some names on IPv4 DNS, others on IPv6 DNS
– How does an IPv4-only host resolve a name in the IPv6 namespace, and vice versa?
– How does a dual-stack host know which server to query?
– How do root servers share records?
• MX records
– How does an IPv4 user send mail to an IPv6 user and vice versa?
• Solutions:
– Dual stacked resolvers
– Every zone must be served by at least one IPv4 DNS server
– Use translators (NAT-PT does not work for this)
DNS AAAA Records

• RFC 1886
• BIND 4.9.4 and up; BIND 8 is recommended
• Simple extension of A records
• ip6.int analogous to in-addr.arpa for reverse mapping
• Difficult network renumbering
– New TLA, NLA, or SLA means changing all AAAA records in zone

AAAA record:
homer IN AAAA 2001:4210:3:ce7:8:0:abcd:1234

PTR record:
4.3.2.1.d.c.b.a.0.0.0.0.8.0.0.0.7.e.c.0.3.0.0.0.0.1.2.4.1.0.0.2.ip6.int IN PTR homer.simpson.net
DNS A6 Records and DNAME

• A6 records replace AAAA records
– RFC 2874
• DNAME and bitstring labels for reverse mapping
– RFC 2672 and RFC 2673
– DNAME not much more complex than CNAME
• BIND 9
• More complicated records, but easier renumbering
– Segments of IPv6 address specified in chain of records
– Only relevant records must be changed when renumbering
– Separate records can reflect addressing topology
• See RFC 3364 for a discussion of AAAA vs A6
A6 Record Chain

Address: 2001:4210:3:ce7:8:0:abcd:1234

$ORIGIN simpson.net
homer IN A6 64 ::8:0:abcd:1234 sla5.subnets.simpson.net

$ORIGIN subnets.simpson.net
sla5 IN A6 48 0:0:0:ce7:: site3.sites.net

$ORIGIN sites.net
site3 IN A6 32 0:0:3:: area10.areas.net

$ORIGIN areas.net
area10 IN A6 24 0:10:: tla1.tlas.net

$ORIGIN tlas.net
tla1 IN A6 0 2001:4200::
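How a resolver reassembles the address from this chain, as an added Python example (not part of the original slides). Each record supplies the bits below its prefix length and names the record that supplies the bits above it; the function name, the dictionary layout and the chain-length limit are assumptions of this example, and the limit is there because a chain that loops or never ends would otherwise keep a resolver busy indefinitely.

```python
import ipaddress

# The chain from the slide: owner name -> (prefix length, suffix, prefix name)
A6_RECORDS = {
    "homer.simpson.net": (64, "::8:0:abcd:1234", "sla5.subnets.simpson.net"),
    "sla5.subnets.simpson.net": (48, "0:0:0:ce7::", "site3.sites.net"),
    "site3.sites.net": (32, "0:0:3::", "area10.areas.net"),
    "area10.areas.net": (24, "0:10::", "tla1.tlas.net"),
    "tla1.tlas.net": (0, "2001:4200::", None),
}

MAX_LINKS = 8  # assumed limit on chain length for this example

def resolve_a6(name, records, seen=()):
    """Follow an A6 chain and return the assembled IPv6Address."""
    if name in seen:
        raise ValueError("A6 chain loops at " + name)
    if len(seen) >= MAX_LINKS:
        raise ValueError("A6 chain longer than %d links" % MAX_LINKS)
    if name not in records:
        raise ValueError("no A6 record for " + name)
    plen, suffix, prefix_name = records[name]
    low_mask = (1 << (128 - plen)) - 1          # bits this record may supply
    low = int(ipaddress.IPv6Address(suffix))
    if low & ~low_mask:
        raise ValueError(name + ": suffix sets bits inside its own prefix")
    if plen == 0:
        return ipaddress.IPv6Address(low)       # end of chain: full address
    if prefix_name is None:
        raise ValueError(name + ": prefix length > 0 but no prefix name")
    upper = int(resolve_a6(prefix_name, records, seen + (name,)))
    # Keep only the first plen bits from the rest of the chain.
    return ipaddress.IPv6Address((upper & ~low_mask) | low)

if __name__ == "__main__":
    print(resolve_a6("homer.simpson.net", A6_RECORDS))
```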
Transition Issues:
Security

• Many transition technologies open security risks such as DoS attacks
• Examples:
– Abuse of IPv4 compatible addresses
– Abuse of 6to4 addresses
– Abuse of IPv4 mapped addresses
– Attacks by combining different address formats
Transition Security Guidelines
• Allow only explicitly configured tunnels
– Manual configuration
– Automatic tunnels with proper authentication
• Do not embed IPv4 addresses in IPv6 addresses
• Do not define IPv6 address formats that do not appear on the wire
• Filter carefully to block spoofed packets
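One way to apply "filter carefully" at a tunnel decapsulation point, as an added Python example (not part of the original slides): it recognises the embedded-IPv4 formats this deck describes (6to4, ISATAP, IPv4-compatible, IPv4-mapped) and cross-checks the inner IPv6 source against the outer IPv4 source. The function names and the accept/reject policy are assumptions of this example, not a vendor feature.

```python
import ipaddress

V6, V4 = ipaddress.IPv6Address, ipaddress.IPv4Address

def embedded_ipv4(addr):
    """Return (format, IPv4Address) when addr embeds an IPv4 address, else None."""
    a = V6(addr)
    n = int(a)
    if a in ipaddress.IPv6Network("2002::/16"):       # 6to4: bits 16..47
        return "6to4", V4((n >> 80) & 0xFFFFFFFF)
    if a.ipv4_mapped is not None:                     # ::ffff:W.X.Y.Z
        return "ipv4-mapped", a.ipv4_mapped
    if n >> 32 == 0 and n > 1:                        # ::W.X.Y.Z (not :: or ::1)
        return "ipv4-compatible", V4(n)
    # ISATAP interface ID 0000:5efe:W.X.Y.Z; 0200:5efe is the same
    # identifier with the U/L bit set (not shown on the slides).
    if (n >> 32) & 0xFFFFFFFF in (0x00005EFE, 0x02005EFE):
        return "isatap", V4(n & 0xFFFFFFFF)
    return None

def tunnel_source_ok(outer_v4_src, inner_v6_src):
    """Assumed policy: return (accept, reason) for a decapsulated packet."""
    hit = embedded_ipv4(inner_v6_src)
    if hit is None:
        return True, "native IPv6 source, nothing to cross-check"
    kind, v4 = hit
    if kind in ("ipv4-compatible", "ipv4-mapped"):
        return False, kind + " source is not accepted from a tunnel"
    if kind == "6to4" and not v4.is_global:
        return False, "6to4 prefix built from non-global IPv4 %s" % v4
    if v4 != V4(outer_v4_src):
        return False, "embedded %s does not match outer source %s" % (v4, outer_v4_src)
    return True, kind + " source matches outer IPv4 header"

# Constructed test packets: (outer IPv4 source, inner IPv6 source)
SAMPLES = [
    ("138.14.85.210", "2002:8a0e:55d2::10"),     # consistent 6to4
    ("65.114.168.91", "2002:8a0e:55d2::10"),     # inner source claims another site
    ("192.0.2.1", "2002:a00:1::1"),              # 6to4 prefix from 10.0.0.1
    ("65.114.168.91", "::65.114.168.91"),        # IPv4-compatible source
]

if __name__ == "__main__":
    for outer, inner in SAMPLES:
        print(outer, inner, tunnel_source_ok(outer, inner))
```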
Transition Planning
• Assumption: Existing IPv4 network
• Easy Does It
– Deploy IPv6 incrementally, carefully
• Have a master plan
• Think IPv4/IPv6 interoperability, not migration
• Evaluate hardware support
• Evaluate application porting
• Monitor IETF ngtrans WG
Transition Strategies
• Edge-to-core
– The edge is the killer app!
– When services are important
– When addresses are scarce
– User (customer) driven
• Core-to-edge
– Good ISP strategy
• By routing protocol area
– When areas are small enough
• By subnet
– Probably too incremental
IPv6 Available Features Now

Available on all M- and T-series platforms

Addressing & Forwarding
• Forwarding in hardware
• Addressing
– Link, site, global
• Stateless autoconfiguration
• Neighbor discovery

Routing Protocols
• IS-IS
• MP-BGP
• RIPng
• Static
• OSPFv3

Operations & Transition
• Common support
– ICMPv6
• IP applications
– Ping, telnet, etc.
• Transition
– Configured tunnels
– Dual stack
IPv6 Support

IPv6 Support Across All Platforms, Interfaces

IP2 Services: Filtering & Policing Now
• Packet filtering
– DoS attack prevention
– Comprehensive security
– E.g. Source Address Filters
• Policing
– Interface-level rate limiting
– E.g. Bandwidth - limits bps
– E.g. Maximum burst size
• Predictable performance with rich IPv6 services

[Figure: Packet Forwarding (0% to 120%) versus Increasing Number of Packet Filters, comparing Internet Processor II ASIC with CPU-based router]
Thank you!

http://www.juniper.net
