hardcore ipv6 routing

Upload: aseaudi

Post on 07-Aug-2018


  • 8/20/2019 HardCore IPv6 Routing

    1/139


    HardCore IPv6 Routing - No Fear  

    BRKCRT-2000 

    Donnie Moss, Global Solutions Architect

    CCIE#14074


    © 2014 Cisco and/or its affiliates. All rights reserved. BRKCRT-2000 Cisco Public

     Agenda

    • Introduction

    • IPv6 Basics

    • IPv6 Addressing Best Practices

    • IPv6 Network Side

    • IPv6 Routing Protocol Configuration

    • What Next?

    • Conclusion


    IPv6 Certification Agenda

    • CCNA

    • Describe the technological requirements for running IPv6 in conjun
      IPv4 (including: protocols, dual stack, tunneling, etc.).

    • Describe IPv6 addresses


    IPv6 Certification Agenda

    CCNP

    • Implement an IPv6 based solution, given a network design and a set of requirem
     – Determine network resources needed for implementing IPv6 on a network
     – Create an IPv6 implementation plan
     – Create an IPv6 verification plan
     – Configure IPv6 routing
     – Configure IPv6 interoperation with IPv4
     – Verify IPv6 solution was implemented properly using show and debug commands
     – Document verification results for an IPv6 implementation plan

    • Implement an IPv4 or IPv6 based redistribution solution
     – Create a redistribution implementation plan based upon the results from a redistribu
     – Create a redistribution verification plan
     – Configure a redistribution solution
     – Verify that a redistribution was implemented
     – Document results of a redistribution implementation and verification plan
     – Identify the differences between implementing an IPv4 and IPv6 redistribution solut


    IPv6 Certification Agenda

    CCIE

    • Implement IPv6
     – Implement IP version 6 (IPv6) addressing and different addressing
     – Implement IPv6 neighbor discovery
     – Implement basic IPv6 functionality protocols
     – Implement tunneling techniques
     – Implement OSPF version 3 (OSPFv3)
     – Implement EIGRP version 6 (EIGRPv6)
     – Implement filtering and route redistribution

    • Implement IPv6 multicast, PIM, and related multicast protocols, su
      Multicast Listener Discovery (MLD)


    IPv6 Basics


    Short History Of IP

    Timeline, 1990 to 2000:

    • Prediction of the exhaustion of IPv4 Class B by 1994.
    • ROAD group formed to address routing.
    • Prediction of the exhaustion of IPv4 addresses by 200
    • IPng Proposals solicitation (RFC 1550).
    • CATNIP, SIPP, TUBA analyzed. SIPP+ chosen. IPng w
    • First specification: RFC 1883.
    • First attempt for provider-based address format.
    • First IPv6 exchange: 6tap.
    • Registries assign IPv6 prefixes. IPv6Forum formed.
    • Major vendors bundle IPv6 in their mainstream produc
    • 6bone started.


    What is an IPv6 address?

    • IPv6 Addresses are 128 Bits (IPv4 was 32)
     – Each Address is Broken into 16 Octets
     – Each Pair of Octets is called a group

    • Address numbers are HEX
     – Valid Characters are 0-9 and A-F
     – Lower case is used to avoid confusion
     – Addresses are 4 Hex Characters per Group
     – Each Group is Separated by a :

    • Example: abf1:dc71:0000:0000:0000:8375:7887:1109:0510


    IPv6 Addresses

    • IPv6 addresses are 128 bits long
     – 8 groups of four HEX characters
     – Separated by a colon (:)
     – 50% for networks, 50% for interfaces (To support future EUI-64 MAC functionality)

    Address layout:

    nnnn:nnnn:nnnn:ssss:xxxx:xxxx:xxxx:xxxx
     – nnnn:nnnn:nnnn: Global Routing Prefix (3 bits / 48 bits)
     – ssss: Subnet ID (48 – 64 bits)
     – xxxx:xxxx:xxxx:xxxx: Host
     – Network Portion: nnnn:nnnn:nnnn:ssss, Interface ID: xxxx:xxxx:xxxx:xxxx

    Global Unicast Identifier Example: 2400:0000:134A:00A1:0000:0000:0000:8A21

    Abbreviated Format: 2400:0:134A:A1::8A21


    What is an IPv6 address?

    • When noting an IPv6 Address with a port number, use [square brackets] around the address
     – Example: [d3f1:0071:0000:0000:0000:8375:7887:1109:0510]:80

    • Those are long addresses?
     – To shorten an address, the longest run of all zeros can be shortened to ::
       • That reduces our example to: d3f1:0071::8375:7887:1109:0510/128
     – To shorten more, leading “zeros” from each group can be omitted
       • That reduces our example to: d3f1:0071::8375:7887:1109:510/128


     Are all addresses created equal?

    • Types of IPv6 Address
     – Unicast
       • One to one communication
       • Ex: Client to Server
     – Multicast
       • One to many (assigned grouping)
       • Example: Video Server to a group of clients
     – Anycast
       • One to many (assigned grouping)
       • Could be used to find ‘nearest’ service
     – NO BROADCAST IN IPv6


    Special IPv6 Address

    • Default Route
     – IPv4: 0.0.0.0/0
     – IPv6: ::/0

    • Loop Back Address
     – IPv4: 127.0.0.1
     – IPv6: ::1/128

    Address Type            Binary Prefix         IPv6 Notation
    Unspecified SRC         00 … 0 (128 bits)     ::/128
    Loopback                00 … 1 (128 bits)     ::1/128
    Multicast               1111 1111             FF00::/8
    Link local unicast      1111 1110 10          FE80::/10
    Unique local unicast    1111 110              FC00::/7
    Global unicast          Everything else       Currently allocated s 2000::/3


    Multiple Addresses Per Interface

    • An IPv6 host interface requires the following IPv6 addresses for pro
      operation:
     – A link-local address
     – Loopback address
     – All-nodes multicast address
     – Any additional Global and or ULA unicast and anycast addresses (config
       automatically or manually)
     – One Solicited-node multicast address for each of its unicast and anycast addresses

     – Multicast addresses of any other groups to which the host belongs


    IPv6 Privacy Extensions (RFC 3041/4941)

    • IEEE 24 bits OUI can be used to identify hardware

     – http://standards.ieee.org/regauth/oui/oui.txt

    • Temporary addresses for IPv6 host client application, e.g. web browser

     – Inhibit device/user tracking

     – Random 64 bit interface ID, then run Duplicate Address Detection before using it
     – Rate of change based on local policy (recommended is 1 day default min is 7 days)
     – Now on by default in Win 7/8 and supported in OS X 10.8 Mountain Lion

    Figure labels: address 2400:0xxx:xxxx:ssss: followed by the Interface ID, with prefix boundaries /12, /32, /48 and /64 (RFC4941)

    Recommendation: Use Privacy Extensions for External Communication but not for Internal Networks (Troubleshooting and Attack Trace Back)


     Address Allocation

    • ISPs are being allocated /32’s
    • Customers are being allocated /48’s
     – Same as /16 in v4 terms
    • Residential Customers are being assigned a /56
     – 256 networks per home


    Allocated  Real World Usage

    2^128 addresses total
    2000::/3 is actually allocated
    That means 2^125 addresses for Global Unicast Addressing

    All networks are at least /64’s per standard
    125 – 64 = 61. So 2^61 possible networks in the currently alloca
    space.

    2^61 = 2,305,843,009,213,693,952 or 2.3 QUINTILLION network

    /48 is typical allocation to enterprise customer (-3 for “set” bits)
    2^45 = 35,184,372,088,832 or 35 TRILLION enterprises

    In comparison, the current IPv4 BGP table is ONLY 400,000 route
    people complain!


    PA and PI Allocation Process

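    Figure: PA and PI allocation process.
     – Provider Assigned: IANA (2000::/3), Registries (/12), ISP Org (/32), Enterprise (/48)
     – Provider Indepen: IANA (2000::/3), Registries (/12), Enterprise (/48)
     – Additional label: Level Four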


    IPv6 Aggregation

    Figure labels: ASEAN ISP 2401:04A0::/32; Customer A; Customer B; 2401:04A0:0001:/48; 2401:04A0:0002:/48; Only announc the /32 prefix

     – Larger address space enables:
       • Aggregation of prefixes announced in the global rout
       • Efficient and scalable routing
     – In theory! (In 1995 Th


    IPv6 Multihoming


    LIR Allocation Strategies (ISPs)

    • Your LIR (ISP) is assigned 2401:04FF::/32

    • We wish to allocate /48’s out of the /32.

    • Which are available:

     – 2401:E4FF:0000 through

     – 2401:E4FF:ffff

    • Recall the bit structure is:

     – 0010 0100 0000 0001: 1110 0100 1111 1111:| 0000 0000 0000 0000

     – 0010 0100 0000 0001: 1110 0100 1111 1111:| 1111 1111 1111 1111

    • So there are 65,535 /48’s in a /32

    • Same thought process as IPv4 subnetting!


    Sub Allocation Strategies (ISPs)

    • Some ISPs want to allocate smaller blocks to residential & or SME’s

    • We wish to allocate /56’s out of some /48’s.

    • What could this look like?
     – 2401:E4FF:1xxx to 1fff for residential customers

    • Sums to 2401:E4FF:1000 /36 for router advertisement

    • Recall the bit structure is:
     – 0010 0100 0000 0001: 1110 0100 1111 1111:| 0001 0000 0000 0000
     – 0010 0100 0000 0001: 1110 0100 1111 1111:| 0001 1111 1111 1111

    • i.e. There are 65,535 /48’s in a /32 and 256 /56's in a single /48
     – You can sub-allocate some /48's as /56’s for residential use and some full /48’s for co
       customer use

    • If you only wanted to support residential customers there are approx. 16,7 Mill
      an entire /32 LIR allocation (24 bits)


    Enterprise Allocation Strategy

    • Suppose you wish to give out /52’s from the /48 for regions

     – 2401:04A8:0000 : 0 | 000 : 0000 0000 or 2401:04A8::/52

     – 2401:04A8:0000 : F | fff  :0000 0000 or 2401:04A8:1f00::/52

    • Then you wish to divide out /56’s from the /52 for departments

     – 2401:04A8:0000 : 00 | 00 : 0000 0000 or 2401:04A8::/5
     – 2401:04A8:0000 : FF | ff  : 0000 0000 or 2401:04A8:1f00::/56

    • 8 bits for local subnets per department gives 256 networks per de
      a nearly unlimited # of hosts (64bits for hosts!)

    Figure labels: /32, /48, /52: 4096 subnets; /32, /48, /56: 256 subnets


    Subnets longer than /64

    • /126 or /127 for P2P links
     – 2401:0468:1FE::1/126 & 2401:0468:1FE::2/126
     – 2401:0468:1FE::149/127

    • 2401:0468:1FE:1921:6801:5201::/96 for NAT64 Mapping (examp


     Address Types Summary (review)

    Address Type            Binary Prefix         IPv6 Nota
    Unspecified             00 … 0 (128 bits)     ::/12
    Loopback                00 … 1 (128 bits)     ::1/12
    Multicast               1111 1111             FF00::/
    Link local unicast      1111 1110 10          FE80::/
    Unique local unicast    1111 110              FC00::/
    Global unicast          Everything else       Currently allocat 2000::


    Required Router Addresses

    • An IPv6 router interface is required to identify the following IPv6 a
      for proper operation:
     – All valid host addresses
     – All-Routers multicast addresses
     – Subnet-router anycast addresses for all interfaces for which it is configu
       a router (prefix:: ; interface id=0)
     – Other unicast or anycast configured addresses
     – All other Anycast addresses with which the router has been configured
     – All-Routers Multicast Addresses
     – Multicast Addresses of all other groups to which the router belongs.


    IPv6 Addresses – Examples

    CR-6500-1>sh ipv6 int vlan 200
    Vlan200 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::2D0:D3FF:FE81:9000
      Description: --- To Core ---
      Global unicast address(es):
        2001:DB8:12::1, subnet is 2001:DB8:12::/64
      Joined group address(es):
        FF02::1
        FF02::2
        FF02::5
        FF02::D
        FF02::16
        FF02::1:FF00:1
        FF02::1:FF81:9000

    Callouts for the joined groups: FF02::1 All nodes; FF02::2 All routers; FF02::5 OSPF Routers; FF02::D All PIM Routers; FF02::16 All MLDv2 capable R; FF02::1:FF00:1 and FF02::1:FF81:9000 Solicited Node Multicast


    IPv6 Interface Identifier

    CR-IT-SW3#sh int gi 1/0/3 | in bia
    GigabitEthernet1/0/3 is up, line protocol is up
      Hardware is Gigabit Ethernet, address is 000c.3a3e.82de (bia 000c.3a3e.82de)
    CR-IT-SW3#

    CR-IT-SW3#sh ipv6 interface gi 1/0/3
    GigabitEthernet1/0/3 is up, line protocol is up
      IPv6 is enabled, link-local address is FE80::20C:3aFF:FE3E:82DE [TEN]
      Global unicast address(es):
        2001:DB8:24:0:20C:3aFF:FE3E:82DE, subnet is 2001:DB8:24::/64 [EUI/TE
      Joined group address(es):
        FF02::1
        FF02::2
        FF02::1:FF3E:82DE
    CR-IT-SW3#

    CR-IT-SW3#sh run int gi 1/0/3
    !
    interface GigabitEthernet1/0/3
     no switchport
     ip address 10.149.24.1 255.255.255.0
     ipv6 address 2001:DB8:24::/64 eui-64
    !


    Multicast Assigned Addresses

    FF0x:: is reserved (x = 0..F).

    Inside this range, the following are assigned:

    Address              Meaning             Scope
    FF02::1              All nodes           Link-local
    FF02::2              All routers         Link-local
    FF02::9              All RIP routers     Link-local
    FF02::1:FFXX:XXXX    Solicited-node      Link-local
    FF05::101            All NTP servers     Site-local
    FF05::1:3            All-DHCP servers    Site-local


    IPv6 Multicast MAC Address Conversion

    • IPv6 multicast address to MAC addres
     – 33:33:(least significant 32 bits from IPv6)

    Figure labels: IPv6 Multicast Address (FF02 0000 0000 0000 0000 0001); Corresponding Ethernet Address (33 33); Multicast Prefix for Ethernet Multicast
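
Added example, not part of the original slides: the EUI-64 interface identifier, solicited-node group and 33:33 Ethernet mapping from the Interface Identifier and Multicast MAC Address Conversion slides, checked against the CR-IT-SW3 and CR-6500-1 output shown earlier. The function names are this example's own; `mac_from_eui64` shows why EUI-64 addresses support trace back to hardware while the randomly generated privacy addresses do not.

```python
import ipaddress


def mac_bytes(mac):
    """Parse Cisco dotted (000c.3a3e.82de), colon or dash MAC notation."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_interface_id(mac):
    """48-bit MAC -> 64-bit interface ID: flip the U/L bit, insert FF:FE."""
    raw = bytearray(mac_bytes(mac))
    raw[0] ^= 0x02
    return bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])


def eui64_address(prefix, mac):
    """Address an interface builds from a /64 prefix (ipv6 address ... eui-64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node(addr):
    """FF02::1:FFXX:XXXX group for a unicast address (its low 24 bits)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


def multicast_mac(group):
    """33:33 followed by the least significant 32 bits of the group."""
    group = ipaddress.IPv6Address(group)
    if not group.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    return "33:33:" + ":".join(f"{b:02x}" for b in group.packed[-4:])


def mac_from_eui64(addr):
    """Recover the MAC behind an EUI-64 address, or None if the interface
    ID does not carry the FF:FE marker (privacy or manual address).
    A random ID can contain FF:FE by chance, so treat a hit as a lead."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytearray(iid[:3] + iid[5:])
    raw[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in raw)


if __name__ == "__main__":
    mac = "000c.3a3e.82de"                      # bia from the CR-IT-SW3 output
    link_local = eui64_address("fe80::/64", mac)
    global_addr = eui64_address("2001:DB8:24::/64", mac)
    group = solicited_node(global_addr)
    print("link-local      ", link_local)
    print("global          ", global_addr)
    print("solicited-node  ", group, "->", multicast_mac(group))
    print("all-nodes MAC   ", multicast_mac("ff02::1"))
    # Addresses as they might appear in a log: one EUI-64, one temporary.
    for seen in ("FE80::2D0:D3FF:FE81:9000",
                 "2001:db8:9:cafe:a133:5fb8:31df:864a"):
        print(seen, "->", mac_from_eui64(seen))
```
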


    Subnetting Techniques

    • Similar to IPv4 Subnetting

    • Make address meaningful!
     – Base Address on Location
     – Type of Service

     – User community

    • Now we are working with 128 bits instead of 32

    • We are also using HEX not BINARY!


    Subnetting Example

    • We are assigned 2011:0524:0000:0000::/48

    • Goal: Divide this into eight subnets.

    • Solution use bits 49, 50, and 51 as the ‘subnet bits’

     – First Three Bits of the first character in the fourth group

     – 2011:0524:0000:0000::/48


    Subnet    Subnet Binary    Group Binary    HEX
    1         000              0000            0
    2         001              0010            2
    3         010              0100            4
    4         011              0110            6
    5         100              1000            8


     Address Break Down

    Subnet

    2011:0524:0000:0000::/48

    2011:0524:0000:2000::/48

    2011:0524:0000:4000::/48

    2011:0524:0000:6000::/48

    2011:0524:0000:8000::/48

    2011:0524:0000:A000::/48

    2011:0524:0000:C000::/48

    2011:0524:0000:E000::/48


    Host Focused IPv6


    ICMPv6

    • Required for IPv6 to work properly - MUST NOT BE FILTERED

    • Completely Changed – note new header type

    • Now includes IGMP

    • Types organized as follows 0-127 – error messaging and 128-2
      informational messaging
     – 1 – 4 Error messages
     – 128 – 129 Ping
     – 130 – 132 Group membership
     – 133 – 137 Neighbor discovery


    ICMPv6 (Type Codes)

    Type    Description
    1       Destination Unreachable
    2       Packet Too Big
    3       Time Exceeded
    4       Parameter Problem
    128     Echo Request
    129     Echo Reply
    130     Group Membership Query
    131     Group Membership Report
    132     Group Membership Reduction
    133     Router Solicitation
    134     Router Advertisement
    135     Neighbor Solicitation
    136     Neighbor Advertisement
    137     Redirect


    Neighbor Discovery & ICMPv6

    Neighbor Discovery Types that use ICMPv6:

    • DAD
    • NUD
    • Redirects
    • Address Resolution (equivalent to ARP)
    • Router Discovery


    Neighbor Discovery & ICMPv6 (cont.)

    • IPv4 uses ARP to resolve local addresses
     – Relies on broadcasts

    • IPv6 does not have the concept of broadcasts
     – Still need a method to resolve local addresses
     – Use solicited-node multicast instead

    • IPv6 uses the following types of ICMPv6 message:

     – Neighbor solicitation

     – Neighbor advertisement

     – Router solicitation

     – Router advertisement


    Autoconfiguration

    • IPv6 hosts can configure their own addresses automatically

    • Similar in function to IPv4 DHCP

    • Two methods:
     – Stateless autoconfiguration
     – Stateful autoconfiguration

    • Common ICMPv6 messages to both:
     – Router advertisements

     – Router solicitations


    Router Advertisement

    • Used to configure hosts

    • Periodically sent to the all-nodes multicast group

    •  Also sent in response to a router solicitation message

    • Options can contain:

     – Layer 2 address of the advertising router

     – On-link prefixes and lifetimes

     – MTU

    Router advertisement message layout (32 bits wide):
     – Type=134 | Code | Checksu
     – Hop Limit | M | O | RSV | Router life
     – Reachable Time
     – Retransmit Timer
     – Options


    Router Solicitation

    • Sent by hosts to locate on-link routers

    • Usually sent to the all-routers multicast group

    • Source address can be:

     – Unspecified

     – Local address

    • Router solicitation message consists of five fields

    Router solicitation message layout (32 bits wide):
     – Type=133 | Code | Checks
     – Reserved
     – Options


    Stateless Autoconfiguration

    Build link-local address

    Join all-nodes multicast group

    Join solicited node multicast group

    Send NS

    My address is unique!

    Send RS

    No routers!

    Try stateful  configuration

    Link-local only

    Host 1


    Stateless Autoconfiguration

    Build link-local address

    Join all-nodes multicast group

    Join solicited node multicast group

    Send NS

    My address is unique!

    Send RS

    Build on-link addresses


    Stateful Autoconfiguration (1 of 2)

    Build link-local address

    Join all-nodes multicast group

    Join solicited node multicast group

    Send own NS

    My address is unique!

    Send RS

    (M b

    Build on-link addresses


    Stateful Autoconfiguration (2 of 2)

    Send DHCP request to FF05::1:3 (All DHCP Servers)

    S

    Read options and configure parameters


    Windows 7 – Microsoft rebuilt the IPv6 stack for this release

    • Supports:

    • Selects IPv6 by default

    • Neighbor discovery

    • DHCPv6

    • Tunneling: ISATAP, Teredo, 6to4

    • Privacy Extensions enabled by default

    • Firewall supports stateful IPv6 filtering

    • DHCPv6 Client only additional support via external p

    For More info please see:

    http://technet.microsoft.com/en-us/network/bb530961.aspx


    Windows 7 – Temporary Interface Identifier


    C:\>netsh int ipv6 sh addr

    Interface 1: Loopback Pseudo-Interface 1

    Addr Type  DAD State   Valid Life   Pref. Life   Address
    ---------  ----------- ------------ ------------ ------------------------
    Other      Preferred   infinite     infinite     ::1

    Interface 12: isatap.{7218C71C-E509-4EF9-AB57-C08863056588}

    Addr Type  DAD State   Valid Life   Pref. Life   Address
    ---------  ----------- ------------ ------------ ------------------------
    Other      Deprecated  infinite     infinite     fe80::5efe:10.109.109.6%12

    Interface 13: Local Area Connection* 9

    Addr Type  DAD State   Valid Life   Pref. Life   Address
    ---------  ----------- ------------ ------------ ------------------------
    Public     Preferred   infinite     infinite     2001:0:5ef5:73bc:a2:3ac1:f592:92f9
    Other      Preferred   infinite     infinite     fe80::a2:3ac1:f592:92f9%13

    Interface 11: Local Area Connection

    Addr Type  DAD State   Valid Life   Pref. Life   Address
    ---------  ----------- ------------ ------------ ------------------------
    Temporary  Preferred   6d23h49m31s  6d23h49m31s  2001:db8:9:cafe:a133:5fb8:31df:864a
    Public     Preferred   29d23h59m49s 6d23h59m49s  2001:db8:9:cafe:b407:e685:fb14:c12d
    Other      Preferred   infinite     infinite     fe80::b407:e685:fb14:c12d%11

    • Windows 7 doesn’t use the EUI-64 technique by default when forming its interface
      uses their randomly-generated interface identifiers


    Mac OS X 10.7 (supported from 10.4 onwards)

    • Mac OS X IPv6 stack is based on the KAME project (http://www.kame.net/)

    • Supports:

    • IPv6 enabled by default

    • GUI preferences tool or /usr/sbin/ip6 # ip6 -a | # ip6 -x

    • To accept Router Advertisements: sysctl -w net.inet6.ip6.accept_rtadv=1

    • Privacy addresses and EUI-64 Host addresses enabled by

    • FreeBSD’s IPFW supports stateful and stateless filtering #

    • Mail, Perl, Apache, PHP, BIND (on Server ver.) all default IP

    • Tunnel support for IPIP, 6to4

    • DHCPv6 client mode only (hidden behind “automatic” confi

    • No Server side direct solutions at this time (FreeBsd port is


    DUAL STACK (Default) BEHAVIOR

    Unconditional (default) preference of IPv6 over IP

    If the local Host client has an active IPv6 Interface

    • Client Performs both an A and an AAAA record q

    • Wait for both to reply or timeout

    • If the AAAA query succeeds then initiate the brow
      connection via IPv6

    • If the AAAA query fails or times out then initiate t
      browser connection via IPv4

    Sounds perfectly sane right? But,…


    DUAL STACK BEHAVIOR ISSUES

    • We must accept FOR NOW that the dual stack world is b

    • Failure of one or the other protocol to respond causes a
      of different broken behaviors

    • How long will you wait before you fall back to IPv4?

    • Windows: 3 SYN Packets = Failure, 19 seconds

    • Mac OS X 7: 11 SYN Packets = Failure, 75 Seconds

    • Linux: ≥ 11 SYN Packets = Failure, between 75 Seconds and
      Seconds

    This is BAD! But stack tuning has its own issues…

    For a full explanation and lots of options germane to these issues please see:

    “Analyzing Dual Stack Behavior and IPv6 Quality” by Geoff Huston & George Michaelson of APNIC

    https://ripe64.ripe.net/presentations/78-2012-04-16-ripe64.pdf


    Concluding Thoughts … 

    • IPv6 is simply an address change at layer-3. So why is it s
      complicated?

    • This stuff was supposedly finalized in 2000. So why are th
      RFC’s and working groups forming every day to figure this

    • Most OS’s (x)NIX’s implemented SLAAC and thought they
      done. Not enough great support yet for DHCPv6

    • We will have to suffer through behavior changes until the e
      IPv4. My prediction is 10 yrs from now we will be about 85
      converted to IPv6

    • BTW we will have another round of issues to fight when w
      trying to reach IPv4 legacy resources via IPv6 only hosts a
      end of this decade of conversion


    IPv6 Network Side


    IPv6 Multicast


    IPv4 and IPv6 Multicast Comparison

    Service                  IPv4 Solution                                  IPv6 (column truncated)
    Addressing Range         32-bit, Class D                                128-
    Routing                  Protocol Independent, All IGPs and MBGP        Protocol In, MBGP
    Forwarding               PIM-DM, PIM-SM, PIM-SSM, PIM-bidir, PIM-BSR    PIM, PIM
    Group Management         IGMPv1, v2, v3
    Domain Control           Boundary, Border                               S
    Interdomain Solutions    MSDP across Independent PIM Domains            Single RP

    Static RP, BSR, No Auto-RP

    Embedded RP


    PIMv6

    ipv6 multicast-routing

    ipv6 pim rp-address (ipv6#)

    ipv6 pim anycast-rp address (anycast#) (peer addr#)


    IPv6 Quality of Service

    Quality of Service


    • IPv6 QoS
     – Same architectural models as IPv4
     – Differentiated Services (Traffic Class field)
     – Integrated Services (RSVP)

    • IPv6 traffic class
     – Value defined per applications, same DSCP for applications over both IPv4 and IPv6 – decision to differentiate per protocol is an operational one

    • IPv6 flow label (RFC 3697)
     – A new 20-bit field in the IPv6 basic header
     – Its value cannot be changed by intermediate devices
     – No RFC regarding flow label usage yet

    • Transition
     – Mapping between IPv6 DSCP & IPv4 ToS or MPLS EXP

    Figure labels: IPv6 header fields Version, Traffic Class, Payload Length, Source A, Destination


    Exercise with QoS


    • IPv6 QoS

    • This is an excellent opportunity to look at QoS as it stands currentl

    network

    • What will change with IPv6 deployment?

    • What needs to change with IPv6 deployment?

    •  All of life is merely a matter of perspective!

    • Match/set for dscp/precedence now v4/v6 agnostic

    • Match ipv6 address is new


    IPv6 Security: Access-List Filtering

    Cisco IOS IPv6 Extended Access Control Lis

    • Very much like in IPv4

     – Filter traffic based on

    • Source and destination addresses

    • Next header presence

    • Layer 4 information

     – Implicit deny all at the end of ACL

     – Empty ACL means traffic allowed

     – Reflexive and time based ACL

    • Known extension headers (HbH, AH, RH, MH, destination, fragment) a until:

     – Layer 4 header found

     – Unknown extension header is found

    • Side note for 7600 & other switches:

     – No VLAN ACL

     – Port ACL on Nexus-7000, Cat 3750 (12.2(46)SE), Cat 4K (12.2(54)SG), Cat 6K (12.2(33)SXI4)

    IOS IPv6 Extended ACL

    • Can match on

     – Upper layers: TCP, UDP, SCTP port numbers

     – TCP flags SYN, ACK, FIN, PUSH, URG, RST

     – ICMPv6 code and type

     – Traffic class (only six bits/8) = DSCP

     – Flow label (0-0xFFFFF)

    • IPv6 extension header

     – routing matches any RH, routing-type matches specific RH

     – mobility matches any MH, mobility-type matches specific MH

     – dest-option matches any, dest-option-type matches specific destination options

     – auth matches AH

     – Can skip AH (but not ESP) since IOS 12.4(20)T

    • fragments keyword matches

     – Non-initial fragments (same as IPv4)

     – And the first fragment if the L4 protocol cannot be determined

    • undetermined-transport keyword matches (only for deny)

     – Any packet whose L4 protocol cannot be determined: fragmented or unknown extension header

    Cisco IOS IPv6 ACL

    • Filtering Inbound Traffic to one Specific Destination Address

    [Figure: topology showing prefix 2001:db8:2c80:1000, host 2001:db8:2c80:1000::1, other hosts, and the router's serial interface]

    ipv6 access-list MY_ACL
     remark basic anti-spoofing
     permit ipv6 any 2001:db8:2c80:1000::1/128
     deny ipv6 2001:db8:2c80:1000::/64 any

    interface Serial 0
     ipv6 traffic-filter MY_ACL in

    IPv6 ACL Implicit Rules - RFC 4890

    • Implicit entries exist at the end of each IPv6 ACL to allow neighbor

    • Nexus 7000 also allows RS & RA

    permit icmp any any nd-na
    permit icmp any any nd-ns
    deny ipv6 any any

    IPv6 ACL Implicit Rules

    • The beginner’s mistake is to add a deny log at the end of IPv6 ACL

    ! Now log all denied packets
    deny ipv6 any any log
    ! Hey . . . I forget about these implicit li
    permit icmp any any nd-na
    permit icmp any any nd-ns
    deny ipv6 any any

    • Solution, explicitly add the implicit ACE

    . . .
    ! Now log all denied packets
    permit icmp any any nd-na
    permit icmp any any nd-ns
    deny ipv6 any any log

    Example: Rogue RA & DHCP Port ACL

    ipv6 access-list ACCESS_PORT
     remark Block all traffic DHCP server -> client
     deny udp any eq 547 any eq 546
     remark Block Router Advertisements
     deny icmp any any router-advertisement
     permit ipv6 any any

    interface gigabitethernet 1/0/1
     switchport
     ipv6 traffic-filter ACCESS_PORT in

    Note: Nexus-7000 and Cat 3750 12.2(46)SE, Catalyst 6500 12.2(33)SXI4, Catalyst 4500 12.2(54)SG
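The implicit-rule mistake and the rogue RA/DHCP port ACL from the slides above, run through a simplified first-match model. This is an added Python example, not Cisco code or router output; the `Packet` fields, the `any`-only address matching and the explicit `ipv6` keyword on the final permit are assumptions of the model.

```python
"""Simplified first-match model of an IOS-style IPv6 ACL (illustration only)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ICMPv6 type numbers (RFC 4861) behind the ACL keywords used on the slides.
ICMP_KEYWORDS = {"router-advertisement": 134, "nd-ns": 135, "nd-na": 136}

# Implicit entries at the end of every IPv6 ACL, as listed on the slide.
IMPLICIT = [
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any",
]

# ACLs transcribed from the slides.
BEGINNER_ACL = ["deny ipv6 any any log"]
FIXED_ACL = [
    "permit icmp any any nd-na",
    "permit icmp any any nd-ns",
    "deny ipv6 any any log",
]
ACCESS_PORT = [
    "remark Block all traffic DHCP server -> client",
    "deny udp any eq 547 any eq 546",
    "remark Block Router Advertisements",
    "deny icmp any any router-advertisement",
    "permit ipv6 any any",
]


@dataclass
class Packet:
    proto: str                       # "icmp", "udp" or "tcp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


def ace_matches(ace: str, pkt: Packet) -> bool:
    """Match one entry: action proto any [eq N] any [eq N] [icmp-keyword] [log]."""
    tok = ace.split()
    proto, i, ports = tok[1], 2, []
    for _ in range(2):               # source, then destination
        if tok[i] != "any":
            raise ValueError("this model only handles 'any' addresses: " + ace)
        i += 1
        if i < len(tok) and tok[i] == "eq":
            ports.append(int(tok[i + 1]))
            i += 2
        else:
            ports.append(None)
    icmp_type = next((ICMP_KEYWORDS[t] for t in tok[i:] if t in ICMP_KEYWORDS), None)
    if proto != "ipv6" and proto != pkt.proto:
        return False
    if ports[0] is not None and ports[0] != pkt.sport:
        return False
    if ports[1] is not None and ports[1] != pkt.dport:
        return False
    return icmp_type is None or icmp_type == pkt.icmp_type


def evaluate(acl: List[str], pkt: Packet) -> Tuple[str, str, bool]:
    """Return (action, matching entry, hit_implicit_entry) for the first match."""
    explicit = [a for a in acl if not a.startswith("remark")]
    for n, ace in enumerate(explicit + IMPLICIT):
        if ace_matches(ace, pkt):
            return ace.split()[0], ace, n >= len(explicit)
    raise AssertionError("unreachable: the implicit deny matches everything")


if __name__ == "__main__":
    # Constructed sample packets.
    samples = {
        "neighbor solicitation": Packet("icmp", icmp_type=135),
        "router advertisement": Packet("icmp", icmp_type=134),
        "DHCPv6 server -> client": Packet("udp", sport=547, dport=546),
        "DHCPv6 client -> server": Packet("udp", sport=546, dport=547),
    }
    for name, acl in (("BEGINNER", BEGINNER_ACL), ("FIXED", FIXED_ACL),
                      ("ACCESS_PORT", ACCESS_PORT)):
        for label, pkt in samples.items():
            action, ace, implicit = evaluate(acl, pkt)
            print(f"{name:12} {label:24} {action:6} by '{ace}'"
                  + (" (implicit)" if implicit else ""))
```

With the beginner's ACL the neighbor solicitation is denied by the logging entry before the implicit ND permits are ever reached, which is the failure the slide warns about.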

    IPv6 Routing Protocol Configuration

    Concept

    • IPv6 uses a separate routing table from IPv4

    • Routed vs. Routing Protocols

     – Routed Protocols transmit Payload

     – Routing Protocols transmit Path

     – Routed Protocols do not change

    • Example: HTTP and SMTP

     – Routing Protocols do change!

    • Some are unique to IPv6 (Ex: RIPng)

    • Some like ISIS are the same

    Basic IPv6 Commands

    • R1(config)# ipv6 unicast-routing

    • R1(config-if)# ipv6 address (#)

     – ipv6 enable (Link Local Only)

     – ipv6 address 3ffe:b00:c18:1:260:3eff:fe47:1500/64 (Full Address)

     – ipv6 address 3ffe:b00:c18:1::/64 eui-64 (Auto)

    • R1(config)# ipv6 route (net/vlsm) (node#)

     – ipv6 route ::/0 3ffe:b00:c18:1:260:3eff:fe47:1530

    • show ipv6 neighbors

    • ping (ipv6-addr)

    L2 to L3 Mapping

    • Don’t forget that this is another protocol!

     – Any interface using manual mapping needs to be updated

     – frame-relay map ipv6 ……

     – dialer map ipv6 ……

     – Etc.

    First Hop Router Redundancy

    HSRP for v6

    • Modification to Neighbor Advertisement, Advertisement, and ICMPv6 redirects

    • Virtual MAC derived from HSRP group n and virtual IPv6 link-local address

    [Figure: HSRP Standby and HSRP Active routers]

    GLBP for v6

    • Modification to Neighbor Advertisem Advertisement—GW is announced v

    • Virtual MAC derived from GLBP grou virtual IPv6 link-local address

    [Figure: GLBP AVF, SVF and GLBP AVG, AVF routers]

    Neighbor Unreachability Detecti

    • For rudimentary HA at the first HOP

    • Hosts use NUD “reachable time” to c known default gateway (30s by defa

    [Figure: RA Sent, Reach-time = 5,000 msec]

    Static Name to Host Address Entries

    • Name to address resolution just like IPv4

     – ipv6 host (name) (ipv6-address)

    • Can specify up to four addresses

    • You can run DHCP server and DNS server in IPv6

    • No concept of secondary addresses in IPv6, all are valid options

    Neighbor Discovery Configuration

    [Figure: routers R1 and R2 (interfaces Fa0/0, Fa0/1) sending RAs on LAN1: 3000:b00:c18:1::/64 and LAN2: 3000:b00:c18:2::/64, with the IPv6 Internet]

    interface FastEthernet0/0
     ipv6 nd prefix 3000:b00:c18:1::/64 432
     ipv6 nd ra-lifetime 0

    interface FastEthernet0/1
     ipv6 nd prefix 3000:b00:c18:2::/64 432

    interface FastEthernet0/0
     ipv6 nd prefix 3000:b00:c18:1::/64 43200 432

    Prefix Renumbering

    NEW network prefix: 3ffe:b00:c18:2::/64

    Deprecated prefix: 3ffe:b00:c18:1::/64

    Hosts: Autoconfigured IPv6 hosts

    deprecated address 3ffe:b00:c18:1:260:8

    preferred address 3ffe:b00:c18:2:260:8f

    Router configuration after renumbering:

    Router advertis with expiration

    interface FastEthernet0/0
     ipv6 nd prefix 3ffe:b00:c18:1::/64 43200 0
     ipv6 nd prefix 3ffe:b00:c18:2::/64 43200

    OR:

    interface FastEthernet0/0
     ipv6 nd prefix 3ffe:b00:c18:1::/64 at Sep 1 2012 23:59 Sep 1 2012 23:
     ipv6 nd prefix 3ffe:b00:c18:2::/64 43200 43200

    Concluding Thoughts … 

    • Subnetting in IPv6 is actually easier than IPv4

    • Only a few bit boundaries to worry about:

    • /32 – LIR (ISP) allocations

    • /48 – Enterprise allocations

    • /56 – Residential allocations

    • Valid subnet range – /48 - /64

    • /126, /127, & /96 – Special Subnets

    Routing: The IPv4 – IPv6 Parallel

    RIP

    RIPv2 for IPv4

    RIPng for IPv6

    Distinct but similar protocols with RIPng taking advantage of IPv6 specificities

    OSPF

    OSPFv2 for IPv4

    OSPFv3 for IPv6

    Distinct but similar protocols with OSPFv3 being a cleaner implementation that specificities

    IS-IS

    Extended to support IPv6

    Natural fit to some of the IPv6 foundational concepts

    Supports Single and Multi Topology operation

    EIGRP

    Extended to support IPv6

    (IPv6_REQUEST_TYPE, IPv6_METRIC_TYPE, IPv6_EXTERIOR_TYPE) Som IPv6 characteristics

    BGP

    New MP_REACH_NLRI, MP_UNREACH_NLRI, AFI=2 with SAFI for Unicast//Label/VPN

    Peering over IPv6 or IPv4 (route maps)

    For all intents and purposes, IPv6 IGPs are similar to their IPv4

    IPv6 IGPs have additional features that could lead to new desig

    Routing Protocols


    • Static Routes

     – BFD

    • RIPng

     – Graceful Restart and NSR

    • OSPFv3

     – IPv6 EH authentication

     – IPSec encryption (ESP Header)

     – Overloading

     – Graceful Restart and NSR

     – BFD (9.3)

     – P2P interface (9.4)

     – OSPF Rib-group for IPv6

     – Realm support (IPv4 support) but without TE support

    • IS-IS

     –  Authentication

     – Unicast Mesh Groups

     – Multicast Mesh Groups

     – Graceful Restart and NSR

     – BFD for dual stack interface (not for v6-only)

     – ISIS Rib-groups for ipv6

    • Multitopology IS-IS

     – Unicast

     – Multicast

    • BGP

     – Authentication

     – BGP peering to IPv6 endpoints

     – IPv6 routes over IPv4 peering

     – IPv6 Prefix Limits

     – Interface counters

     – Graceful Restart and NSR

    • BGPv6 supported families:

     – family inet6 unicast

     – family inet6 multicast

     – family inet6 labeled-unicast

     – Inet4 unicast (not supported)

    • Routing Policy

     – IPv6 multicast scoping

     – IPv6 address family

     – IPv6 prefixes

     – IPv6 route destination address

    Routing Protocols

    • IPv6 PIM

     – Multicast Address Support

     – PIMv2

     – PIM Anycast RP

     – Statically Defined RP

     – Embedded RP Addresses

     – Source-Specific Multicast (SSM)

     – Multicast Listener Discovery (v1 and v2)

     – Bootstrap Router (BSR) for IPv6

     – Disable IPv6 PIM independently from IPv4 (9.6)

    • L3VPN Multicast

     – NG MVPN: IPv6 multicast (2H2009)

    • MPLS Protocols

    • IPv6 Tunneling over MP

    • RSVP-TE for IPv6 (not

    • LDP for IPv6 (not sched

    • MPLS VPNs

    • 6PE, 6VPE

    • VRF Table-label

    IPv6 Routing Protocols: Static Routes

    Static Route Example

    R1(config)# ipv6 route fde7:0e06:ef31::/48 null0
    R1#sh ipv6 route static
    IPv6 Routing Table - Default - 2 entries
    Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
           B - BGP, M - MIPv6, R - RIP, I1 - ISIS L1
           I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary, D - EIGRP
           EX - EIGRP external
           O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
           ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
    S   FDE7:E06:EF31::/48 [1/0]
         via Null0, directly connected
    R1#

    R1(config)# ipv6 route 2300:0106:aa23::/48 fa0/0
    R1(config)#do sh ipv6 route static | begin ^S
    S   2300:106:AA23::/48 [1/0]
         via FastEthernet0/0, directly connected
    S   FDE7:E06:EF31::/48 [1/0]
         via Null0, directly connected
    R1(config)#

    Static Options

    All static parameters are optional

    Parameters are like any other static route

    R1(config)#ipv6 route 2300:0106:aa23::/48 fa0/0 ?
      Administrative distance
      X:X:X:X::X   IPv6 address of next-hop
      multicast    Route only usable by multicast
      nexthop-vrf  Nexthop IPv6 VRF
      tag          Tag value
      unicast      Route only usable by unicast

    Routing Policy

    • Configured in the same way as routing policy for IPv4

     – Similar match conditions and actions

     – Create policy first…

     – …then apply to interface (PBR), neighbor (BGP), or routing protocol

    • One new match condition

     – Match protocol ipv6

    • Routing table built the same as always!

    • Nothing new to learn for IPv6 thought process

    IPv6 Routing Protocols: OSPFv3

    OSPFv3

    • Changes from OSPFv2

     – Per Link Processing

     –  Addition of flooding scope

     – New Link LSA

     – Handling of unknown LSA types

     – Virtual Link Changes

     –  Authentication changes

    OSPFv3

    • Per Link Processing

     – IPv6 uses the term “link” instead of network or subnet to indicate commu

    • Interfaces connect to links

    • Adjacencies are formed on link local addresses

     – Multiple IPv6 subnets can be assigned to a single link

    • Two nodes can talk directly over a single link, even if they do not share a commo

    • Network address and mask do not impact the formation of adjacencies

    OSPFv3

    • Flooding Scope

     – Each LSA now contains two bits indicating the flooding scope

    • AS scope, LSA is flooded throughout the AS

    • Area scope, LSA is flooded only within an area

    • Link-local scope, LSA is flooded only on the local link

     – These changes also impact the names of the LSAs

    • Type 3 (Summary LSA) is now called the inter-area-prefix-LSA

    • Type 4 (Autonomous System Border LSA) is now called the inter-area-router-LSA

    • Other new LSAs have been added

    OSPFv3

    Flooding Scope

    LSA Name | LS Type code | Flooding scope | LSA Function c
    Router LSA | 0x2001 | Area scope | 1
    Network LSA | 0x2002 | Area scope | 2
    Inter-Area-Prefix-LSA | 0x2003 | Area scope | 3
    Inter-Area-Router-LSA | 0x2004 | Area scope | 4
    AS-External-LSA | 0x4005 | AS scope | 5
    Group-membership-LSA | 0x2006 | Area scope | 6
    Type-7-LSA | 0x2007 | Area scope | 7
    Link-LSA | 0x0008 | Link-local scope | 8
    Intra-Area-Prefix-LSA | 0x2009 | Area scope | 9

    OSPFv3

    • Handling Unknown LSA Types

     – Each LSA now contains an “unknown LSA” bit

    • 0: Treat this LSA as a link local

    • 1: Store and flood this LSA even if you don’t understand it

     – This allows the deployment of new features in the future

    • Routers that don’t understand the new feature will simply store and forward the L

    • Features can be deployed at edges, within a flooding domain, etc., without the ne all routers
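The flooding-scope table and the "unknown LSA" bit from the two slides above both live in the 16-bit LS type field. The following added Python example (not from the presentation) decodes that field using the RFC 5340 layout of U bit, two scope bits and a 13-bit function code, checks every row of the slide's table against it, and applies the slide's rule for unknown LSA types. The function names and the two unknown sample codes are constructed for illustration.

```python
"""Decode the 16-bit OSPFv3 LS type: U bit | S2 S1 scope bits | 13-bit function code."""
from typing import List, NamedTuple, Set

# S2 S1 values; 0b11 is reserved.
SCOPES = {0b00: "Link-local scope", 0b01: "Area scope", 0b10: "AS scope", 0b11: "Reserved"}

# (LSA name, LS type code, flooding scope, function code) rows from the slide's table.
SLIDE_TABLE = [
    ("Router LSA", 0x2001, "Area scope", 1),
    ("Network LSA", 0x2002, "Area scope", 2),
    ("Inter-Area-Prefix-LSA", 0x2003, "Area scope", 3),
    ("Inter-Area-Router-LSA", 0x2004, "Area scope", 4),
    ("AS-External-LSA", 0x4005, "AS scope", 5),
    ("Group-membership-LSA", 0x2006, "Area scope", 6),
    ("Type-7-LSA", 0x2007, "Area scope", 7),
    ("Link-LSA", 0x0008, "Link-local scope", 8),
    ("Intra-Area-Prefix-LSA", 0x2009, "Area scope", 9),
]
KNOWN_CODES: Set[int] = {row[3] for row in SLIDE_TABLE}


class LSType(NamedTuple):
    u_bit: int           # the "unknown LSA" handling bit
    scope: str           # flooding scope named by S2 S1
    function_code: int   # low 13 bits


def decode_ls_type(value: int) -> LSType:
    """Split an LS type code into its three components."""
    if not 0 <= value <= 0xFFFF:
        raise ValueError("LS type is a 16-bit field")
    return LSType(value >> 15, SCOPES[(value >> 13) & 0b11], value & 0x1FFF)


def table_mismatches() -> List[str]:
    """Names of table rows whose code does not decode to the stated scope and function."""
    bad = []
    for name, code, scope, func in SLIDE_TABLE:
        decoded = decode_ls_type(code)
        if (decoded.scope, decoded.function_code) != (scope, func):
            bad.append(name)
    return bad


def effective_scope(value: int, known: Set[int] = KNOWN_CODES) -> str:
    """Scope a router floods with, given which function codes it understands."""
    t = decode_ls_type(value)
    if t.function_code in known or t.u_bit == 1:
        return t.scope              # understood, or U=1: store and flood as marked
    return "Link-local scope"       # U=0 and not understood: treat as link local


if __name__ == "__main__":
    print("rows that disagree with the bit layout:", table_mismatches())
    # Constructed codes with function code 10, which is not in the slide's table.
    for code in (0x200A, 0xA00A):
        print(hex(code), decode_ls_type(code), "->", effective_scope(code))
```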

    OSPFv3

    • Virtual Link Requirements

     – At least one global/unique local IPv6 address in the transit area

    • OSPFv3 normally sends LSAs with a link local source address

    • This won’t work over a virtual link – the packet needs to be forwarded through the

     – Advertisement of a /128 prefix

    • If no /128 is available in the table, a /128 from within an existing prefix space will

    • This provides most-specific reachability between the endpoints of the virtual link

    OSPFv3

    • Authentication

     – OSPFv3 currently only supports IPsec for authentication

    • Group keying is painful for IPsec

    • There is current work in GDOI and other spaces to make group keying work bette

     – There is current work in the OSPF working group to allow HMAC-SHA a of “in packet” authentication

    OSPFv3

    Configuration & Show Example

    [Figure: topology with Area 0 and routers A and B]

    Router1#
    interface POS1/1
     ipv6 address 2001:410:FFFF:1::1/64
     ipv6 enable
     ipv6 ospf 100 area 0

    interface POS2/0
     ipv6 address 2001:B00:FFFF:1::2/64
     ipv6 enable
     ipv6 ospf 100 area 1

    ipv6 router ospf 100
     router-id 10.1.1.3

    Router2#
    interface POS3/0
     ipv6 address 2001:B00:FFFF:1::1/64
     ipv6 enable
     ipv6 ospf 100 area 1

    ipv6 router ospf 100
     router-id 10.1.1.4

    OSPFv3

    Configuration & Show Example

    Router2#sh ipv6 ospf int pos 3/0
    POS3/0 is up, line protocol is up
      Link Local Address FE80::290:86FF:FE5D:A000, Interface ID 7
      Area 1, Process ID 100, Instance ID 0, Router ID 10.1.1.4
      Network Type POINT_TO_POINT, Cost: 1
      Transmit Delay is 1 sec, State POINT_TO_POINT,
      Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
        Hello due in 00:00:02
      Index 1/1/1, flood queue length 0
      Next 0x0(0)/0x0(0)/0x0(0)
      Last flood scan length is 3, maximum is 3
      Last flood scan time is 0 msec, maximum is 0 msec
      Neighbor Count is 1, Adjacent neighbor count is 1
        Adjacent with neighbor 10.1.1.3
      Suppress hello for 0 neighbor(s)

    OSPFv3

    Configuration & Show Example

    Router2#sh ipv6 ospf neighbor detail
     Neighbor 10.1.1.3
        In the area 1 via interface POS3/0
        Neighbor: interface-id 8, link-local address FE80::2D0:FFFF:FE60:DFFF
        Neighbor priority is 1, State is FULL, 12 state changes
        Options is 0x630C34B9
        Dead timer due in 00:00:33
        Neighbor is up for 00:49:32
        Index 1/1/1, retransmission queue length 0, number of retransmission 1
        First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
        Last retransmission scan length is 2, maximum is 2
        Last retransmission scan time is 0 msec, maximum is 0 msec

    OSPFv3

    Configuration & Show Example

    Router2#sh ipv6 route
    IPv6 Routing Table - 5 entries
    Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
           U - Per-user Static route
           I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea
           O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
    OI  2001:410:FFFF:1::/64 [110/2]
         via FE80::2D0:FFFF:FE60:DFFF, POS3/0
    C   2001:B00:FFFF:1::/64 [0/0]
         via ::, POS3/0
    L   2001:B00:FFFF:1::1/128 [0/0]
         via ::, POS3/0
    L   FE80::/10 [0/0]
         via ::, Null0
    L   FF00::/8 [0/0]
         via ::, Null0

    Same As OSPFv2

    • Similarities:

     – One of the similarities is the RID

     – OSPFv3 maintains a 32-bit RID that represents the router in the link-stat

     – The RID is not related to an IPv6 address like it is in IPv4

     – Requires explicit configuration (assuming no IPv4 addresses are presen IPv6 addressing cannot be used

    Cisco IPv6 and OSPF

    • Customized globally

     – R1(config)# ipv6 router ospf (#)

     – R1(config-router)# area (#) range ……..

    • Enabled on an interface

     – R1(config-if)# ipv6 ospf (#) area (#)

     – R1(config-if)# ipv6 ospf neighbor (addr)

    IPv6 and OSPF

    • Authentication is interesting

     – Requires IPSec be used by OSPF

     – Authentication fields are no longer part of OSPF packet, but signaled to

    IPv6 and OSPF - Security

    • Two methods, AH or ESP

     – ipv6 ospf authentication

     – ipv6 ospf encryption

    • Examples (interface config)

     – ipv6 ospf authentication ipsec spi 500 md5 1234567890abcdef12345678

     – ipv6 ospf encryption ipsec spi 1001 esp null sha1 123456789A123456789B123456789C123456789D

    • Examples (area config – encryption same format)

     – area 0 authentication ipsec spi 422 md5 1234567890abcdef1234567890

    Router ID Selection

    • Router ID selection:

     – IPv6 networks preserve the 32-bit router ID

    • This is not an IPv4 address, it just looks like one!

     – You can set RID manually under routing-options, although an existing IP can be used

    • The Junos OS uses the first non-127/8 address it finds as the RID

    • lo0 is the first interface activated, so a non-127/8 configured here serves as the R

    • If the Junos software does not find a suitable address on lo0, it examines the nex activated (normally fxp0)

     – IPv6 functionality should not depend on another protocol being configure manually!

    IPv6 Routing Protocols: MBGP

    MP-BGP Basics

    • Path Vector Protocol

     – Carries sequence of AS numbers indicating path

    • Ties Autonomous Systems together via Peering

    • Multiple address families: ipv4, ipv6, unicast, multicast

    [Figure: peering between autonomous systems, including AS 101 and AS 301]

    BGP-4 Extensions for IPv6

    • TCP Interaction

     – BGP-4 runs on top of TCP

     – This connection could be setup either over IPv4 or IPv6

    • Router ID

     – When no IPv4 is configured, an explicit bgp router-id needs to be configu

     – This is needed as a BGP Identifier, this is used as a tie breaker, and is s OPEN message

    Non Link Local Peering

    Router A

    router bgp 1
     no bgp default ipv4-unicast
     bgp router-id 1.1.1.1
     neighbor 2001:db8:ffff:2::2 remote-as 2
     address-family ipv6
      neighbor 2001:db8:ffff:2::2 activate
      network 2003:3:2::/64
      network 2003:3:3::/64

    [Figure: Router A (:1) in AS 1 on link 2001:db8:ffff:2/, advertising the two networks]

    BGP-4 Extensions for IPv6 (RFC 2545)

    • BGP-4 carries only 3 pieces of information which is truly IPv4 spec

     – NLRI in the UPDATE message contains an IPv4 prefix

     – NEXT_HOP path attribute in the UPDATE message contains a IPv4 add

     – BGP Identifier is in the OPEN message & AGGREGATOR attribute

    • To make BGP-4 available for other network layer protocols, RFC 2(obsoletes RFC 2283) defines multi-protocol extensions for BGP-4

     – Enables BGP-4 to carry information of other protocols e.g. MPLS, IPv6

     – New BGP-4 optional and non-transitive attributes:

    • MP_REACH_NLRI

    • MP_UNREACH_NLRI

     – Protocol independent NEXT_HOP attribute

     – Protocol independent NLRI attribute

    BGP-4 Extensions for IPv6

    •  Address Family Information (AFI) for IPv6

     – AFI = 2 (RFC 1700)

     – Sub-AFI = 1 Unicast

     – Sub-AFI = 2 (Multicast for RPF check)

     – Sub-AFI = 3 for both Unicast and Multicast

     – Sub-AFI = 4 Label

     – Sub-AFI = 128 VPN

    BGP-4 Extensions for IPv6

    • Next-hop contains a global IPv6 address or potentially a link local (update this has to be changed to global IPv6 address with route-m

    • The value of the length of the next hop field on MP_REACH_NLRI set to 16 when only global is present and is set to 32 if link local is well

    • Link local address as a next-hop is only set if the BGP peer shares with both routers (advertising and advertised)

    [Figure: routers A, B and C across AS1 and AS2]

    BGP Overview

    • Path-vector EGP that uses multiple path attributes to select the act

     – Originally designed for IPv4

     – Extended to carry additional information

    • Multicast

    • VPNs

    • IPv6

    • MBGP specifications

     – Multiprotocol extensions for BGP-4

    • RFC 4760—January 2007

     – Use of BGP-4 multiprotocol extensions for IPv6 interdomain routing

    • RFC 2545

    MP-BGP and IPv6

    • Multiprotocol extensions for BGP4:

     – Adds new fields to identify the type of route being advertised

     – Make it possible to carry IPv6 routes on top of IPv4 BGP sessions

    • IPv6-specific extensions:

     – Scoped addresses: NEXT_HOP contains a global IPv6 address and pote local address (only when there is link-local reachability with the peer)

     – NEXT_HOP and NLRI are expressed as IPv6 addresses and prefixes in multiprotocol attributes

     Address-Families are new RIBs

    •  Address families began with MBGP to separate RIB entries

    • Common address-families are

     – IPv6 (unicast | multicast)

     – Nsap

     – IPv4 Multicast

     – Vpnv4

     – Vpnv6

     – Ipv4 unicast vrf (name)

    • Default is IPv4 Unicast

    Prior to Address Families

    • router bgp 1001

     – neighbor 10.1.1.4 remote-as 1001

     – neighbor 10.1.1.4 update-source loopback 0

     – neighbor 10.1.1.4 route-map Bob in

     – neighbor 10.1.1.4 send-community

     – network 10.1.100.0 mask 255.255.255.0

     – network 10.1.101.0 mask 255.255.255.0

     – redistribute static

    Way to Think About the “Old” Way 

    • router bgp 1001

     – [Connections]

     – neighbor 10.1.1.4 remote-as 1001

     – neighbor 10.1.1.4 update-source loopback 0

     – address-family ipv4

     – neighbor 10.1.1.4 route-map Bob in

     – neighbor 10.1.1.4 activate

     – neighbor 10.1.1.4 send-community

     – network 10.1.100.0 mask 255.255.255.0

     – network 10.1.101.0 mask 255.255.255.0

     – redistribute static

     Activate Each Neighbor

    • Multiple neighbors can carry some or all of the supported families


    •  Activate each one

    • Each RIB filters separately

    • Each RIB name is important for NLRI information to be kept correc

    • Each RIB/Family information is separate

    • Useful for running separate info over separate links/peering inform

    MBGP Configuration

    [Figure: Router1 in AS 65001 (3ffe:b00:c18:2:1::F) peering with Router2 (3ffe:b00:c18:2:1::1)]

    Router1#
    interface FastEthernet0/0
     ipv6 address 3FFE:B00:C18:2:1::F/64

    router bgp 65001
     no bgp default ipv4-unicast
     neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
     address-family ipv6
      neighbor 3FFE:B00:C18:2:1::1 activate
      neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in
      neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out
     exit-address-family

    MBGP Prefix Bidirectional Filtering – Filtering BGP routing updates

    [Figure: Router1 (3ffe:b00:c18:2:1::F) and Router2, with prefixes 3FFE:0B00:0001::/48, 3FFE:0300::/32 and 3FFE:0B00::/24 shown in the updates]

    Router1#
    router bgp 65001
     no bgp default ipv4-unicast
     neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
     address-family ipv6
      neighbor 3FFE:B00:C18:2:1::1 activate
      neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002in in
      neighbor 3FFE:B00:C18:2:1::1 prefix-list bgp65002out out
      network 3FFE:B00::/24
     exit-address-family

    ipv6 prefix-list bgp65002in seq 5 permit 3FFE::/16 le 24
    ipv6 prefix-list bgp65002out seq 5 permit 3FFE::/16 le 24

    MBGP Config with Inbound Filtering

    • Configure BGP to accept legal prefixes only (prefix-list)

    [Figure: router in AS 65001 (3ffe:b00:c18:2:1::f) and its peers]

    router bgp 65001
     no bgp default ipv4-unicast
     neighbor 3FFE:B00:C18:2:1::1 remote-as 65002
     neighbor 3FFE:B00:C18:2:1::2 remote-as 65003
     address-family ipv6
      neighbor 3FFE:B00:C18:2:1::1 activate
      neighbor 3FFE:B00:C18:2:1::2 activate
      neighbor 3FFE:B00:C18:2:1::1 prefix-list Legal in
      neighbor 3FFE:B00:C18:2:1::2 prefix-list Legal in
      network 3FFE:B00::/24
     exit-address-family

    ipv6 prefix-list Legal seq 5 permit 2001::/16 le 35
    ipv6 prefix-list Legal seq 10 permit 3FFE::/17 ge 24 le 24
    ipv6 prefix-list Legal seq 15 permit 3FFE:8000::/17 ge 28 le 28
    ipv6 prefix-list Legal seq 20 permit 2002::/16
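How the `ge`/`le` windows in the two filtering slides above decide which announcements survive, as an added Python example (not part of the presentation and not IOS code). It parses the slides' own `ipv6 prefix-list` lines and evaluates routes by first match with an implicit deny; the function names and the candidate routes outside the slides' figure are constructed for illustration.

```python
"""Evaluate IOS-style ipv6 prefix-list entries: first match by sequence, implicit deny."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

# Prefix lists transcribed from the slides.
BGP65002_IN = ["ipv6 prefix-list bgp65002in seq 5 permit 3FFE::/16 le 24"]
LEGAL = [
    "ipv6 prefix-list Legal seq 5 permit 2001::/16 le 35",
    "ipv6 prefix-list Legal seq 10 permit 3FFE::/17 ge 24 le 24",
    "ipv6 prefix-list Legal seq 15 permit 3FFE:8000::/17 ge 28 le 28",
    "ipv6 prefix-list Legal seq 20 permit 2002::/16",
]


class Entry(NamedTuple):
    seq: int
    action: str
    prefix: ipaddress.IPv6Network
    ge: Optional[int]
    le: Optional[int]


def parse_entry(line: str) -> Entry:
    """Parse: ipv6 prefix-list NAME seq N permit|deny PREFIX [ge X] [le Y]."""
    tok = line.split()
    if tok[:2] != ["ipv6", "prefix-list"] or tok[3] != "seq" or tok[5] not in ("permit", "deny"):
        raise ValueError("unsupported entry: " + line)
    opts = dict(zip(tok[7::2], (int(v) for v in tok[8::2])))
    return Entry(int(tok[4]), tok[5], ipaddress.IPv6Network(tok[6]),
                 opts.get("ge"), opts.get("le"))


def length_window(e: Entry) -> Tuple[int, int]:
    """Allowed prefix lengths: exact without ge/le, otherwise [ge or len, le or 128]."""
    if e.ge is None and e.le is None:
        return e.prefix.prefixlen, e.prefix.prefixlen
    low = e.ge if e.ge is not None else e.prefix.prefixlen
    high = e.le if e.le is not None else 128
    return low, high


def evaluate(config: List[str], route: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching seq); ('deny', None) is the implicit deny."""
    net = ipaddress.IPv6Network(route)
    for e in sorted((parse_entry(l) for l in config), key=lambda x: x.seq):
        low, high = length_window(e)
        if net.subnet_of(e.prefix) and low <= net.prefixlen <= high:
            return e.action, e.seq
    return "deny", None


if __name__ == "__main__":
    # Prefixes from the bidirectional-filtering figure.
    for route in ("3FFE:0B00::/24", "3FFE:0300::/32", "3FFE:0B00:0001::/48"):
        print("bgp65002in", route, evaluate(BGP65002_IN, route))
    # Constructed candidates for the Legal list, plus the slide's own /24.
    for route in ("2001:db8::/32", "2001:db8:1::/48", "3ffe:b00::/24",
                  "3ffe:8000::/28", "2002::/16", "2002:c000:204::/48"):
        print("Legal", route, evaluate(LEGAL, route))
```

More-specific announcements such as a /48 carved out of an accepted block fall through to the implicit deny, which is what keeps deaggregated or hijack-style routes out of the table.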

    Configuration – EIGRP

    hostname R1
    !
    ipv6 unicast-routing
    !
    interface Loopback0
     no ip address
     ipv6 address 1010:AB8::/64 eui-64
     ipv6 enable
     ipv6 eigrp 1
    !
    ipv6 router eigrp 1
     router-id 2.2.2.2
     no shutdown
    !

    Troubleshooting

    • show ipv6 eigrp events


    • show ipv6 eigrp interfaces

    • show ipv6 eigrp neighbors

    • show ipv6 interface

    • show ipv6 ospf

    • show ipv6 route

    • show ipv6 route bgp


    IPv6 What’s Next?

    IPv4 to IPv6 Transition Challenges

    • 16+ methods, possibly in combination


    • Dual stack
     – Consider security for both protocols
     – Cross v4/v6 abuse
     – Resiliency (shared resources)

    • Tunnels
     – Bypass firewalls (protocol 41 or UDP)
     – Can cause asymmetric traffic (hence breaking stateful firewalls)

    Dual Stack Host Considerations

    • Host security on a dual-stack device
     – Applications can be subject to attack on both IPv6 and IPv4
     – Fate sharing: as secure as the least secure stack...

    • Host security controls should block and inspect traffic from both IP
     – Host intrusion prevention, personal firewalls, VPN clients, etc.

    [Diagram: dual-stack client on an IPv4 IPsec VPN with no split tunneling. Caption: “Does the IPsec Client Stop an Inbound IPv6 Exploit?”]

    IPv6 Tunneling Summary

    • RFC 1933/2893 configured and automatic tunnels
    • RFC 2401 IPSec tunnel
    • RFC 2473 IPv6 generic packet tunnel
    • RFC 2529 6over4 tunnel
    • RFC 3056 6to4 tunnel
    • RFC 5214 ISATAP tunnel
    • MobileIPv6 (uses RFC2473)
    • RFC 4380 Teredo tunnels
    • RFC5569 6RD

    • Only allow authorized end[...] to establish tunnels
    • Static tunnels are deeme[...] secure,” but less scalable
    • Automatic tunneling mec[...] are susceptible to packet[...] and DoS attacks
    • These tools have the sam[...] as IPv4, just new avenue[...]
    • Automatic IPv6 over IPv4[...] be secured by IPv4 IPSe[...]
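The tunnel points above (tunnels bypassing firewalls over protocol 41 or UDP, and restricting who may establish tunnels) expressed as a detection check, added here and not taken from the slides: it classifies raw IPv4 packets as IPv6-in-IPv4 (protocol 41) or Teredo (UDP port 3544). The allow-listed tunnel endpoint and every sample packet are constructed.

```python
import socket
import struct

TEREDO_PORT = 3544            # Teredo UDP port (RFC 4380)
AUTHORIZED = {"192.0.2.1"}    # constructed allow-list of approved tunnel endpoints

def classify(pkt: bytes) -> str:
    """Classify a raw IPv4 packet as 'tunnel-ok', 'tunnel-unauthorized',
    'teredo' or 'not-tunnel'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-tunnel"
    ihl = (pkt[0] & 0x0F) * 4                      # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        return "not-tunnel"
    frag_offset = struct.unpack("!H", pkt[6:8])[0] & 0x1FFF
    proto = pkt[9]
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    if proto == 41:                                # IPv6 carried directly in IPv4
        # One side must be an approved endpoint; anything else is a rogue tunnel.
        return "tunnel-ok" if {src, dst} & AUTHORIZED else "tunnel-unauthorized"
    # Only the first fragment carries the UDP header, so ports are read there.
    if proto == 17 and frag_offset == 0 and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return "not-tunnel"

def ipv4(proto, payload, src, dst):
    """Build a constructed IPv4 packet (checksum left at 0, not validated here)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

INNER_V6 = bytes([0x60]) + bytes(39)               # minimal constructed IPv6 header
HOST, OTHER = "198.51.100.7", "203.0.113.9"        # constructed addresses
SAMPLES = {
    "configured": ipv4(41, INNER_V6, HOST, "192.0.2.1"),
    "rogue":      ipv4(41, INNER_V6, HOST, OTHER),
    "teredo":     ipv4(17, struct.pack("!HHHH", 50000, TEREDO_PORT, 8, 0), HOST, OTHER),
    "https":      ipv4(6, struct.pack("!HH", 50000, 443) + bytes(16), HOST, OTHER),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10} {classify(pkt)}")
```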


    DNS: Basic Ideas

    • DNS in IPv6 is much like DNS in IPv4


    • Keep files and delegations as simple as possible.

    • Can use IPv4 as transport for DNS for now.

    • Modern versions of Bind will work – Bind9 is stable and works wit

    • There is work on dynamic DNS in progress, but we don’t need to that for now.

    IPv6 and DNS

    Hostname to IP address
     – IPv4: A record: www.abc.test. A 192.168.30.1
     – IPv6: AAAA reco[...] www.abc.test. 2001:db8:C18[...]

    IP address to hostname
     – IPv4: PTR record: 1.30.168.192.in-addr.arpa. PTR www.abc.test.
     – IPv6: PTR reco[...] 2.0.0.0.0.0.0.0.0.0.0.0.0[...] 1.c.0.8.b.d.0.1.0.0.2.ip6[...] www.abc.t[...]

    DNS Example (IPv4-Only)

    IPv4-Only Host


    DNS Request (h.root-servers.net) (QTYPE=A)

    IPv4 A Response (128.63.2.53)

    H.ROOT-SERVERS.NET. 210892 IN A 128.63.2.

    Sample DNS Response


    DNS Example (IPv6-Only)

    IPv4-Only Host


    DNS Request (h.root-servers.net) (QTYPE=AAAA)

    IPv6 AAAA Response (2001:500:1::803f:235)

    H.ROOT-SERVERS.NET. 210892 IN AAAA 2001:500:

    Sample DNS Response

    DNS Example (Dual-Stack)


    Dual-Stack Host

    DNS Request (h.root-servers.net) (QTYPE=AAAA, A)

    I prefer IPv6 addresses

    IPv6 AAAA Response (2001:500:1::803f:235)

    IPv4 A Response (128.63.2.53)

    H.ROOT-SERVERS.NET. 210892 IN AAAA 2001:500:1::803f:235

    H.ROOT-SERVERS.NET. 210892 IN A 128.63.2.53

    Sample DNS Response


    DNS Capture – Default IPv6 init

    [Screenshot of a DNS packet capture; surviving callout fragments: “A and AA”, “for www.”, “IPv6 Transport Preferre”, “Respons”, “IPv6 Add”]

    DNS Enhancements for IPv6

    • RFC 3596

     – DNS extensions to support IP version 6


    • Name to address records
     – AAAA record type (equivalent to IPv4 A record)
     – Example record: host1.microsoft.com IN AAAA 2001:DB8::1:DD48:AB34:D07C:3[...]

    • Address to name records
     – New reverse domain called IP6.ARPA.
     – Example record for 2001:DB8::1:DD48:AB34:D07C:3914 (o[...] 2001:0DB8:0000:0001:DD48:AB34:D07C:3914):
       4.1.9.3.C.7.0.D.4.3.B.A.8.4.D.D.1.0.0.0.0.0.0.0.8.B.D.0.1.0.0.2.I[...] host1.microsoft.com

    Name Resolution Support in Windows

    • Resolution Options:
    1. Entries in the Hosts file
    2. DNS resolver support
    3. DNS Server service support
    4. DNS dynamic update
    5. DNS zone transfers
    6. Source and destination address selection
    7. LLMNR support
    8. Support for ipv6-literal.net names
    9. Peer Name Resolution Protocol
    10. Name Resolution Policy Table
    11. DNS Security Extensions (DNSSEC)

    DNS Issues

    • Upgrade DNS servers to support IPv6


    • Adding AAAA record for a specific server to the DNS Server req[...] services to be IPv6 aware
     – LDAP or AD IPv6 Aware
     – All Services running on the Server

    • Interim solution is to use a temporary name (see Google IPv6 sta[...] 2008)
     – ipv6.google.com vs. www.google.com
     – This practice helps reduce the issue of unhappy dual-stack hosts by el[...] the multiprotocol response to DNS requests

    Forward Lookups

    • Uses AAAA records to assign IPv6 addresses to names.


    • Multiple addresses possible for any given name – for example, in a[...] homed situation.

    • Can assign A records and AAAA records to a given name/domain.

    • (Once IPv6 is more stable globally)

    • Can also assign separate domains for IPv6 and IPv4.
     – BCP today.

    • Don’t be afraid to experiment!

    Upstream Support

    • How to get IPv6?
     – Tunnel Brokers
       • Hurricane Electric
       • RoutintHouse.com
       • SixXS
       • Others: http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers
     – 6 to 4 Gateway


