Monday, October 10, 2011

IPv6 tutorial

You still have no clue about IPv6? Read this and get convinced to start learning IPv6 now.

Part 1: Get started now!

You’ve probably heard the news that the Internet is in trouble. The last block of IP addresses has been assigned by the Regional Internet Registries. However, considering that NAT is an efficient mechanism to remedy the shortage of public IP addresses, we won’t really experience problems any time soon.

IPv4 address shortage

But this is only true for the developed countries. Developing countries, especially the emerging markets, are only at the beginning of building up their Internet infrastructure. For them, NAT probably is not really a solution because you need at least a certain number of public IP addresses to be able to communicate efficiently with the rest of the world. Hence, these countries probably will start introducing IPv6 quickly now.
This will also increase the pressure on those countries that already have a developed Internet infrastructure. Although there are ways that IPv4 and IPv6 networks can communicate, the fact that IPv6 introduces quite a few new features will cause problems when IPv6 traffic has to be transferred to IPv4-only networks.

IPv6 complexity

All of these problems are certainly solvable, but there is no doubt that the complexity of the Internet will increase rapidly now, and this won’t make life easier for system administrators. While network engineers will tell you that IPv6 will simplify networking, the truth is that it will only make things easier for computers but not for humans. It is not only that we will have to manage IPv4 AND IPv6 for quite some time, and that during the transition the interoperation of IPv4 and IPv6 will produce countless error messages in our networks, it is also because IPv6 is certainly more complex than IPv4. All of these new features come at a price. Many new organizations will need to hire new network administrators to manage these new complexities.

IPv6 for Windows admins

As a Windows administrator, you probably don’t have to know all the details of IPv6 as long as you are not responsible for your organization’s routers and firewalls. However, since networking issues are often the cause of Windows administration problems, you need at least a basic understanding of IPv6 and, from what I have seen so far, you will have to invest more time than you invested in learning IPv4.
I think now is a good time to start learning IPv6. This will probably be a long process because you also have to do your regular work. As to my experience, you can’t really learn such a technology by just reading some papers or books. You really have to play with IPv6 for some time until you get a feeling for which things you really need to know for your work. Hence, even if you most certainly won’t switch your productive network to IPv6 within the next months, it can’t be wrong to make the transition now in your test network.

In the next two posts of this IPv6 series, I will give an overview of the new features of IPv6.

Part 2: New features: Routing


The new IPv6 features that are most often discussed are the new large address space, hierarchical addressing, and Quality of Service (QoS).

In the last post of my IPv6 series, I outlined the main reason why you should now get started with IPv6: IPv6 will come soon to your network whether you like it or not. Network engineers have a few other reasons to offer, and this is the topic of the next two articles. The new IPv6 features are not really new because the protocol has already existed for more than 10 years. For this reason, I won’t just repeat the feature descriptions, which you can read on countless other sites, but I will outline my view about the significance of these enhancements.

Large address space

While the other new IPv6 features are all nice to have, the new large address space is certainly the main (perhaps the only) reason why IPv6 will come. An IPv4 address consists of 32 bits; the IPv4 address space, therefore, allows 2^32 addresses. An IPv6 address is four times as long and has 128 bits. Thus, in theory, IPv6 allows 2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses. This corresponds to 655,570,793,348,866,943,898,599 (6.5×10^23) addresses for every square meter of the Earth’s surface.
To be honest, I am not really impressed by these numbers. We are now entering the nano technology age, which means that we will have more and more, much smaller, communication devices than the IPv6 inventors have anticipated. Considering that a cubic meter of ideal gas contains around 10^25 atoms, the number of 10^23 IP addresses per square meter appears to be relatively small. I know this sounds like science fiction, but, for the inventors of IPv4, the Internet as we know it today certainly was science fiction at their time. We needed about 30 years to use up all of the IPv4 addresses. My gut tells me that the IPv6 addresses won’t last that long.

Hierarchical addressing

The Internet address classes of IPv4 allow hierarchical addressing to a certain extent. Hierarchical addressing makes routing more efficient because it reduces the size of routing tables. However, considering that the computation power of routers increased at a higher rate than the growth of the Internet, this was not really a problem.
Nevertheless, it is quite likely that the Internet will now grow at a higher rate than ever before, not only because the total population of the emerging markets (especially China and India) far exceeds the population in the developed world but also because the new types of devices (mobile phones, tablets, ebook readers, TV sets, etc.) also require IP addresses. Thus IPv6’s new hierarchical addressing capabilities are certainly important. And here the IPv6 inventors did not really scrimp. Of the 128 bits of an IPv6 address, 64 bits are used for hierarchical addressing, 48 bits for the public topology, and 16 bits for the site topology. The latter means that you can work with hierarchical addresses within your organization.

Better support for Quality of Service (QoS)

IPv4 has limited support for Quality of Service (QoS)—that is, real-time delivery of data through the Type of Service (TOS) field. One problem of QoS in IPv4 pertains to TCP and UDP port identification, which is not possible if the IPv4 packet is encrypted. The other problem is that QoS in IPv4 is not really standardized. The IPv6 header has the Flow Label field, which allows QoS handling that is independent of the payload.
While this new feature is technically interesting, in practice QoS is quite problematic for traffic on the public Internet. You might have heard of the stir that the alleged Google-Verizon deal caused. Google intended to pay Verizon to prioritize their traffic.
The main question is how you decide which traffic has priority. Is it justified that you have to wait for the latest 4sysops article to show up on your screen just because some teens clogged the net with their YouTube videos? And if you pay for QoS, how can you measure that your traffic really has a higher priority? One thing is for sure, if QoS really comes, then the complexity level of the Internet will be raised again by one or two bars, which means more work for IT pros.
In the next post I will talk about IPv6 IPsec and the IPv6 LAN features.



Part 3: New features: IPsec and LAN features

This article discusses the new IPv6 features of IPsec support, automatic address assignment, and the neighbor discovery function of the ICMPv6 protocol that will replace ARP.

In the last post of this series, I discussed the new IPv6 features Quality of Service (QoS), hierarchical addressing, and the new address space. In this post, I talk about some of the new IPv6 features that are most relevant for Windows admins.

Mandatory IPsec support

The IPv6 specification mandates support for IPsec (Internet Protocol security). IPv6 supporters often claim that this will improve overall security on the Internet. Since IPsec for IPv4 is optional, proprietary VPN solutions are ubiquitous. However, I believe, the main reason why IPsec deployments are rare is because configuration is relatively complicated. Thus, I doubt somehow that we will see significantly more IPsec deployments because of IPv6.
But what is most disappointing for me is that IPv6 doesn’t encrypt all kinds of IP traffic. While IPsec implementation is mandatory for IPv6, IPsec deployment is not. Besides, IPsec is essentially a solution for securing connections among sites; it is not a P2P encryption solution.
In my view, it is unbelievable that we are now introducing a new network protocol with a huge amount of effort but will still send data in clear text across the Internet. The inventors of IPv4 couldn’t foresee that secure data transmission would be an issue since their protocol was just intended to allow data transfers between educational institutions. No one really could imagine that the whole planet will use this form of communication in the future.
The IPv6 creators had the chance to correct this shortcoming of the Internet protocol and ensure that any kind of network traffic is encrypted by default. It is really a pity that they didn’t use this once-in-a-lifetime chance.

(Simplified) automatic address assignment

This is perhaps one of the features that will affect the work of Windows admins the most. Much of the documentation talks of “simplified” address assignment, but I somehow think this new feature will cause confusion among admins in the beginning. In an IPv4 network, a computer’s automatic address assignment means that a DHCP server is involved.
IPv6 still knows DHCP-based address assignment (also called stateful address configuration), but now hosts can also configure themselves with IPv6 addresses (stateless address configuration). There are two types of stateless configurations. Hosts can derive an IP address from a prefix (the first part of an IPv6 address that belongs to your organization) advertised by a local router, and they can assign themselves so-called link-local addresses (addresses that are not routed), which they can use to communicate with other nodes on the link (local network). Scary, isn’t it?

Neighbor discovery

The Internet Control Message Protocol for IPv6 (ICMPv6) will replace the Address Resolution Protocol (ARP). You probably know that ARP is used to determine the link layer address (MAC address in the case of Ethernet) from the IP address. The main problem of ARP is that it uses broadcasts, which disturbs all hosts on the link (LAN). By contrast, IPv6 uses Neighbor Solicitation multicast messages for neighbor discovery. Instead of sending a broadcast message to all nodes on the link, only the so-called solicited node multicast IPv6 address is contacted. The first 104 bits of the solicited node multicast are fixed (FF02::1:FF00:0/104), and the last 24 bits are equivalent to the last 24 bits of the IP address that has to be resolved. Since only nodes that share the last 24 bits in their IP address will listen to the solicited node address, fewer hosts are disturbed.

Extensibility

This is my favorite new IPv6 feature. While the IPv4 header only supports 40 bytes for options, the size of the IPv6 extensions is only constrained by the size of the IPv6 packet. IPv6 supports multiple so-called extensions headers that can be added after the IPv6 header. These extensions headers have no maximum size, which makes future enhancements of the protocol quite flexible. My hope is that this feature will be used for mandatory encryption of all IP packets.
Next, I will introduce the IPv6 address syntax.

Part 4: IPv6 address syntax

In this article, you will learn the main concepts of the IPv6 address syntax: colon-hexadecimal representation, leading zero suppression, zero compression, and IPv6 prefix.

Now that you know about the new features of IPv6, it is time to have a closer look at the practical details. In this post, I will give a short summary about the IPv6 address syntax. It is essentially a condensed version of the corresponding part in Microsoft’s white paper “Introduction to IP Version 6.”

Colon-hexadecimal representation

An IPv6 address consists of 128 bits and is presented in eight 16-bit blocks. Each 16-bit block is converted to a four-digit hexadecimal number. Blocks are separated by colons.
Example: 2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A

Leading zero suppression

Because IPv6 addresses are quite long, the leading zeroes within a 16-bit block can be removed, but each block must have at least a single digit.
Example: 2001:DB8:0:2F3B:2AA:FF:FE28:9C5A

Zero compression

A contiguous sequence of 16-bit blocks set to 0 can be replaced with the so-called double colon (::). Zero compression can only be applied once in an IP address. To determine how many blocks have been omitted, you just have to count the remaining blocks and subtract this number from 8.
Example: FE80:0:0:0:2AA:FF:FE9A:4CA2 can be zero compressed to FE80::2AA:FF:FE9A:4CA2.

IPv6 prefix

IPv6 prefixes are used to express IPv6 subnets, routes, and address ranges. The syntax of IPv6 prefixes looks like this: address/prefix-length. It is comparable to the Classless Inter-Domain Routing (CIDR) notation for IPv4 (for instance, 192.168.0.0/16 represents a Class B subnet): Subnet masks are no longer used in IPv6.
Example: 21DA:D3:0:2F3B::/64 represents a subnet of 2^64 addresses, where the first 64 bits are fixed and the last 64 bits are variable.
Admittedly, IPv6 addresses look somewhat complicated compared to the relatively simple IPv4 addresses. Rest assured that typos in IPv6 addresses will knock down quite a few systems once IPv6 starts replacing IPv4. But this is the price of the large address space. I guess we will get used to it. In my next post, I will discuss the different types of IPv6 addresses. I promise that things won’t get easier. :-)
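As an added example (not code from the original tutorial), the following Python implements the three representation rules above by hand, including the "count the remaining blocks and subtract from 8" step for undoing zero compression, and splits an address/prefix-length pair into its fixed and variable bits. The function names are my own; the sample addresses are the ones quoted in this part.

```python
"""IPv6 text representation: expand, compress and parse prefixes (added example)."""


def expand(addr: str) -> list:
    """Return the eight 4-digit hex blocks of an IPv6 address, undoing both
    leading-zero suppression and zero compression (::)."""
    if addr.count("::") > 1:
        raise ValueError("zero compression may only be applied once")
    if "::" in addr:
        left, right = addr.split("::")
        lblocks = left.split(":") if left else []
        rblocks = right.split(":") if right else []
        # Rule from the text: count the remaining blocks and subtract from 8.
        missing = 8 - len(lblocks) - len(rblocks)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero block")
        blocks = lblocks + ["0"] * missing + rblocks
    else:
        blocks = addr.split(":")
    if len(blocks) != 8:
        raise ValueError(f"expected 8 blocks, got {len(blocks)}")
    out = []
    for block in blocks:
        if not 1 <= len(block) <= 4:
            raise ValueError(f"bad 16-bit block {block!r}")
        # int(..., 16) validates the hex digits; :04X restores suppressed zeros.
        out.append(f"{int(block, 16):04X}")
    return out


def compress(addr: str) -> str:
    """Short form: suppress leading zeros in every block and replace the longest
    run of two or more zero blocks with '::' (the first run wins on a tie)."""
    blocks = [f"{int(b, 16):X}" for b in expand(addr)]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] == "0":
            j = i
            while j < 8 and blocks[j] == "0":
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    if best_len < 2:           # a single zero block is written as plain '0'
        return ":".join(blocks)
    left = ":".join(blocks[:best_start])
    right = ":".join(blocks[best_start + best_len:])
    return f"{left}::{right}"


def parse_prefix(prefix: str) -> tuple:
    """Split 'address/len' into (expanded network address with the variable host
    bits cleared, prefix length, number of variable bits)."""
    addr, _, length = prefix.partition("/")
    plen = int(length)
    if not 0 <= plen <= 128:
        raise ValueError("prefix length must be between 0 and 128")
    value = int("".join(expand(addr)), 16)
    mask = ((1 << plen) - 1) << (128 - plen)
    net = value & mask
    net_blocks = [f"{(net >> (112 - 16 * i)) & 0xFFFF:04X}" for i in range(8)]
    return ":".join(net_blocks), plen, 128 - plen


if __name__ == "__main__":
    print(expand("2001:DB8:0:2F3B:2AA:FF:FE28:9C5A"))
    print(compress("FE80:0:0:0:2AA:FF:FE9A:4CA2"))
    print(parse_prefix("21DA:D3:0:2F3B::/64"))
```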

In the next post of this tutorial I will say some general words about the IPv6 address types and I will introduce the most important address type, the global IPv6 unicast address.

Part 5: Address types and global unicast addresses

This part of the IPv6 tutorial discusses the three general IPv6 address types (unicast, multicast, anycast) and introduces the sub type global unicast address.

In my last post in the IPv6 series, you learned the IPv6 address syntax. Today, I will introduce the different types of IPv6 addresses.

IPv6 address types

There are three general types of IPv6 addresses: unicast, multicast, and anycast.

Unicast addresses

You know unicast addresses from IPv4. A unicast address is the most common form of an IP address and is assigned to one network interface.

Multicast addresses

Multicast addresses are also known in IPv4. These addresses identify multiple network interfaces / hosts. A typical use of multicast addresses in a Windows environment is the deployment of OS images to multiple hosts, simultaneously.

Anycast addresses

This is a new address type in IPv6. Like a multicast address, an anycast address identifies multiple interfaces; however, while multicast packets are accepted by multiple machines, anycast packets are delivered only to one interface (host). This address type allows for services that are provided by multiple servers where only one server has to respond. In routing, anycast addresses are used to route packets to the closest routers.
And what about broadcast addresses? They no longer exist in IPv6. Broadcasts are replaced by multicast messages. I will say something about this IPv6 technique in a later post.
IPv6 knows five different unicast address types: global unicast addresses, link-local addresses, site-local addresses, unique local IPv6 unicast addresses, and special addresses.

Global unicast addresses

A global unicast address is simply what we call a public IP address in IPv4—that is, an IP address that is routed across the whole Internet. You can make out a global unicast address easily: The first three bits are set to 001. Thus, the address prefix of a global IPv6 address is 2000::/3 because 0010000000000000 is 2000 in hex. However, in the future, the IANA (Internet Assigned Numbers Authority) might delegate currently unassigned portions of the IPv6 address space. Hence, 2000::/3 won’t always be the prefix for global unicast addresses.
[Diagram: IPv6 global unicast address format. The diagram is from Microsoft’s “Introduction to IP Version 6.”]
The next 45 bits are the so-called global routing prefix. This is the part that is assigned to organizations. The following 16 bits are for the subnet ID, which you can use for hierarchical addressing in your network. The last 64 bits indicate the interface ID, which is the part of the IPv6 address that must be unique within a subnet. You know what this means, right? You can have 65,536 (= 2^16) subnets, and each subnet can have 18,446,744,073,709,551,616 (= 2^64) computers. I hope you have an efficient OS deployment tool. ;-)

In my next post, I will cover the site-local addresses and link-local address.

Part 6: Site-local addresses and link-local addresses

In this article, you will learn about the syntax of IPv6 site-local addresses and link-local addresses, which are so-called local-use unicast addresses.

In the last post of this IPv6 tutorial, you learned about the different address types and the new public IP addresses, the global unicast addresses. Today I will introduce the so-called local-use, unicast addresses, which are those IPv6 addresses that are not routed across the public Internet. There are two types of local-use, unicast addresses: site-local addresses and link-local addresses.

Site-local addresses

Site-local addresses are equivalent to private IP addresses in IPv4, where the address space reserved for addresses that are only routed within an organization and not on the public Internet is 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16. In IPv6, the first 10 bits of a site-local address are set to 1111111011, which is why these addresses always begin with FEC0. The following 54 bits are the subnet ID, which you can use in your organization for hierarchical routing, and the last 64 bits are the interface ID, which is the part that has to be unique on a link (local network on which hosts communicate without intervening routers). Thus, the prefix of a site-local address is FEC0::/10.
Note: Site-local addresses have been deprecated, but existing implementations can still continue to use them. Thus, they will probably stay around for a while. The proper way to work with private addresses in IPv6 is the use of unique local addresses, which I will discuss in my next post.

Link-local addresses

From IPv4, you might know APIPA (Automatic Private IP Addressing) or AutoNet. Whenever automatic IP configuration through DHCP fails, Windows automatically assigns an autoconfiguration address in the range 169.254.0.1 to 169.254.255.254, which allows the computer to communicate with other machines on the link. In IPv6, link-local addresses always begin with 1111111010 (FE80).
Unlike site-local addresses, link-local addresses are never forwarded by routers and therefore can only be reached on the link. This is the reason why the next 54 bits are set to 0. The last 64 bits are set randomly by the operating system.
There is an important difference between IPv6 link-local addresses and IPv4 APIPA addresses. Once a PC receives an IPv4 address from a DHCP server, the APIPA address is no longer reachable. However, with IPv6, a network interface always has a link-local address even if you assign another IPv6 address manually or if the NIC receives an IPv6 address from a DHCP server. This means that computers on a link can always communicate through IPv6 using link-local addresses, which is not the case in IPv4 because APIPA addresses are not in the same subnet as private or public IPv4 addresses. Thus, if the local DHCP is unavailable, the computers can still access local services through IPv6 but won’t be able to reach the Internet or services in other links.
In the next post of this IPv6 tutorial, I will talk a little about the zone ID and unique local IPv6 unicast addresses.

Part 7: Zone ID and unique local IPv6 unicast addresses

The zone ID is used to distinguish ambiguous link-local and site-local addresses. Unique local IPv6 unicast addresses are another way to address the problem of ambiguous IPv6 addresses.

In the last post of this IPv6 tutorial, I introduced link-local and site-local IPv6 addresses. The problem with local-use unicast addresses is that they are not unique because they can be reused. Everything is fine as long as duplicate addresses are in networks of different organizations (sites). However, within an organization, local-use addresses can also be assigned multiple times.

IPv6 zone ID

The purpose of zone IDs is to distinguish these addresses. For instance, if host A has two NICs that are connected to two different links (subnets), the same link-local address could have been used for NIC 1 on host A and on host B that is on the link of host A’s NIC 2. To distinguish this ambiguous link-local address, host A uses the interface index of NIC 1 as the zone ID for the local IP address.
For site-local addresses, the operating system uses the site ID (also called the scope ID). If a host is only connected to one site, this ID is always 1.
You can display the interface indexes on a host with the command “netsh interface ipv6 show address level=verbose”. If you launch the ipconfig command, you can see the link-local and site-local addresses with their zone IDs. The syntax for identifying the zone is address%zone_ID. This is an example of a link-local IP address with zone ID 11: fe80::bd0f:a8bc:6480:238b%11.
Note that the zone ID is only known at the local host that assigned it. I think in practice you will seldom be bothered with zone IDs as you don’t have to configure them manually.

Unique local IPv6 unicast address

Even with the use of zone IDs, you should probably avoid having ambiguous IP addresses in your network. Instead of site-local addresses, you can work with unique local IPv6 unicast addresses. These local-use addresses are also not routed across the Internet; however, like global IPv6 addresses, they are unique. Well, more or less, as you will soon see.
The prefix of unique local IPv6 unicast addresses is FC00::/7. The eighth bit is the Local flag and is set to 1 for local addresses. A Local flag with 0 has not yet been defined. Perhaps this could be a way to make local IPv6 addresses global? Anyway, until the IPv6 creators have made up their minds, the prefix of unique local IPv6 unicast addresses is FD00::/8. Don’t worry if you don’t really understand this; all you really have to know about unique local IPv6 unicast addresses is this:
The next 40 bits are for the global ID and are randomly set. The following 16 bits are the subnet ID, which you can use for hierarchical addresses within your organization. As usual, the last 64 bits are the interface ID.
The trick with the random global ID is that it makes it somewhat unlikely for duplicate local addresses to occur on a site or even in the networks of two merging organizations. Actually, the probability that two organizations use the same global ID for their unique local IPv6 addresses is 1/2^40 ≈ 9.1×10^-13. Winning the Lotto jackpot is a few orders of magnitude more likely. However, what the IPv6 creators didn’t take into account is that Murphy’s Law rules in all networks. Hence, “relatively unique local IPv6 unicast addresses” would probably have been a better name. ;-)
In the next post in this IPv6 tutorial, I will discuss the special IPv6 addresses: unspecified address, IPv4-mapped address, 6to4 addresses, IPv6 multicast address, and solicited-node address.

Part 8: Special addresses

The special IPv6 addresses discussed in this part of the IPv6 tutorial are the unspecified address, the loopback address, IPv4-mapped addresses, 6to4 addresses, multicast addresses, and the solicited-node address.


Last time, I talked about zone IDs and unique local IPv6 unicast addresses. Today, I will introduce some special addresses. In practice, usually only the networking guys really have to deal with these addresses. But as a Windows admin, you should have at least heard of the terms.

Unspecified address

The IPv6 unspecified address is specified as “0:0:0:0:0:0:0:0” (or “::” if you have a sense for mathematical beauty). I think this naming convention is somewhat funny. It reminds me of the “unspeakable word.” But there is also some sense in this because applications use the unspecified address as a variable for, well, an unspecified address. I guess you won’t see this address often, just like you didn’t have many encounters with the unspecified IPv4 address 0.0.0.0. Note that you can’t assign this address to an interface, which also makes sense because then you would specify it, which is strictly forbidden. ;-)

Loopback address

The IPv6 loopback address is almost as beautiful as the unspecified address: ::1. The loopback address for IPv4 127.0.0.1 is comparably ugly and, like its predecessor, is assigned to every host interface and used by applications to communicate with local services via TCP/IP. Packets addressed to the loopback interface must never leave the host.

IPv4-mapped address

Like the loopback address, IPv4-mapped addresses are only used for internal representation on a host. They allow developers to use one API for both IPv4 and IPv6 calls. The syntax of IPv4-mapped addresses looks like this: ::FFFF:w.x.y.z, where “w.x.y.z” is the IPv4 address that is represented in the IPv6 address.

6to4 addresses

6to4 is a tunneling technique that allows two IPv6-capable systems to communicate over an IPv4 network (usually the Internet). For this, at least one of the IPv6 systems needs an IPv4 address and a special IPv6 address, the so-called 6to4 address. A computer that has a 6to4 address is called a “6to4 host.” This transition technology will most likely be used by computers in IPv4 networks to reach IPv6-only hosts. Essentially, the 6to4 address makes the 6to4 host appear on the “IPv6 landscape” even if it is not directly reachable through IPv6 by encapsulating IPv6 packets in IPv4 packets. The IPv4 packets are converted to IPv6 packets and vice versa by a 6to4 gateway. 6to4 addresses have the prefix 2002::/16. The next 32 bits are the IPv4 address of the 6to4 host converted into hex. Since a 6to4 address can only be created by using a unique public IPv4 address, the corresponding IPv6 address is also unique. The last 80 bits are for the local network and the host.

IPv6 multicast addresses

Like in IPv4, IPv6 multicast addresses are used to send the same data to multiple hosts simultaneously. Since multicast-capable software, such as OS imaging tools, typically do all the IP configuration, Windows admins usually are not bothered with the networking details. But if you ever stumble across an IPv6 address that begins with FF, you know what you are dealing with.

Solicited-node address

A special type of multicast address is the solicited-node address, which has the prefix FF02::1:FF00:0/104. Solicited-node addresses are used for neighbor discovery, which I already discussed in my article about the new IPv6 features. If a host needs to know the MAC address that belongs to a certain IP address, it won’t use an ARP broadcast like in IPv4. Instead, it uses multicast to contact only those hosts that listen to the solicited-node address whose last 24 bits are identical to the ones in the IP address that has to be resolved.
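As an added example that is not part of the original tutorial, the following Python classifies an address into the types described in Parts 5 to 8 using the bit prefixes given there, splits off a zone ID (Part 7), extracts the IPv4 address embedded in a 6to4 address, and derives the solicited-node multicast address that neighbor discovery contacts (Parts 3 and 8). The type labels are my own and the sample addresses are constructed for this example, apart from the two quoted in the tutorial.

```python
"""IPv6 address types, zone IDs, 6to4 and solicited-node addresses (added example)."""
import ipaddress
from typing import Optional, Tuple

# FF02::1:FF00:0/104: the fixed 104-bit part of every solicited-node address.
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("FF02::1:FF00:0"))


def split_zone(text: str) -> Tuple[ipaddress.IPv6Address, Optional[str]]:
    """'fe80::1%11' -> (IPv6Address('fe80::1'), '11').

    The zone ID after '%' is only meaningful on the host that assigned it,
    so it is kept apart from the address proper."""
    addr, _, zone = text.partition("%")
    return ipaddress.IPv6Address(addr), zone or None


def classify(text: str) -> str:
    """Name the address type from its leading bits (labels are this example's own).

    Checks run from most to least specific: 2002::/16 (6to4) lies inside
    2000::/3, and a solicited-node address is also a multicast address."""
    addr, _ = split_zone(text)
    n = int(addr)

    def top(bits: int) -> int:
        return n >> (128 - bits)

    if n == 0:
        return "unspecified"                                # ::
    if n == 1:
        return "loopback"                                   # ::1
    if top(96) == 0xFFFF:
        return "ipv4-mapped"                                # ::FFFF:w.x.y.z
    if top(104) == SOLICITED_NODE_PREFIX >> 24:
        return "solicited-node multicast"                   # FF02::1:FF00:0/104
    if top(8) == 0xFF:
        return "multicast"                                  # FF00::/8
    if top(16) == 0x2002:
        return "6to4"                                       # 2002::/16
    if top(3) == 0b001:
        return "global unicast"                             # 2000::/3
    if top(10) == 0b1111111010:
        return "link-local"                                 # FE80::/10
    if top(10) == 0b1111111011:
        return "site-local (deprecated)"                    # FEC0::/10
    if top(8) == 0xFD:
        return "unique local"                               # FD00::/8, Local flag 1
    if top(7) == 0b1111110:
        return "unique local (Local flag 0, undefined)"     # rest of FC00::/7
    return "other"


def embedded_ipv4(addr6: str) -> ipaddress.IPv4Address:
    """6to4: the 32 bits after the 2002 prefix are the host's public IPv4 address."""
    n = int(ipaddress.IPv6Address(addr6))
    if n >> 112 != 0x2002:
        raise ValueError("not a 6to4 address")
    return ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)


def solicited_node(addr6: str) -> ipaddress.IPv6Address:
    """Fixed 104-bit prefix plus the target's last 24 bits.

    Every address sharing those 24 bits maps to the same group, which is why a
    neighbor solicitation disturbs only a few hosts instead of the whole link."""
    n = int(ipaddress.IPv6Address(addr6))
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | (n & 0xFFFFFF))


if __name__ == "__main__":
    for sample in ("2001:DB8:0:2F3B:2AA:FF:FE28:9C5A", "fe80::bd0f:a8bc:6480:238b%11",
                   "FEC0::1", "FD12:3456:789A:1::1", "2002:C000:0204::1",
                   "::FFFF:192.168.0.1", "::", "::1", "FF02::1"):
        print(f"{sample:40} {classify(sample)}")
    print("6to4 host IPv4:", embedded_ipv4("2002:C000:0204::1"))
    print("solicited-node:", solicited_node("2001:DB8::2AA:FF:FE28:9C5A"))
```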

