Page 1

IPv6 for the reluctant: what to know before you disable it
Presented by Mark Minasi, help@minasi.com
Copyright 2009 Mark Minasi, SVR315

Page 2

What this is all about

• If you've got a Vista, Win 7, Server 2008 or R2 box, you've probably noticed that you're running a new protocol by default: IPv6
• If you're like I was, your first thoughts will be "aaaugh!" and "how do I remove it?"
• There are, however, good reasons to consider IPv6, and there is a certain aspect of inevitability to it… so here's the scoop

Page 3

Goals of the Talk

• Understand why you should give a hoot about IPv6 in the first place
• Be able to understand how some very basic IPv4 concepts change in IPv6
• Understand enough about IPv6 to be able to decipher the new stuff in IPCONFIG
• Believe me, that'll all take 75 minutes!

Page 4

The First Motivator
what is all that new stuff in ipconfig, anyway?

   Ethernet adapter Ethernet:
      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
      Physical Address. . . . . . . . . : 00-17-A4-D3-10-CA
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      IPv6 Address. . . . . . . . . . . : 2001:4840:ffff:c01d:38bc:ac80:d925:8f5b(Preferred)
      Temporary IPv6 Address. . . . . . : 2001:4840:ffff:c01d:8d99:ac44:b5a0:80a6(Preferred)
      Link-local IPv6 Address . . . . . : fe80::38bc:ac80:d925:8f5b%8(Preferred)
      IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)

Page 5

(The rest of ipconfig)

      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : fe80::212:17ff:fe01:5737%8
                                          192.168.1.1
      DHCP Server . . . . . . . . . . . : 192.168.1.1
      DHCPv6 IAID . . . . . . . . . . . : 201332644
      DNS Servers . . . . . . . . . . . : 24.196.248.4
                                          24.196.248.5
                                          fec0:0:0:ffff::1
      NetBIOS over Tcpip. . . . . . . . : Enabled

I'll explain all of this and more in this talk

Page 6

"Eeek! I knew this was a bad idea!"

• Honest, it's not that bad
• But it's always fair to ask, "what's in it for me?"
   o Easier-to-run networks
   o Fewer headaches about subnetting and network layout
   o Room for growth
   o IPv6 will be here in a few years
   o And, most important, the chance to learn a really important technology before all of the other techies!

Page 7

The Big Motivator
keeping your job

• Believe it or not, IPv6 is on the grow and will hit us soon like an avalanche
   o China has a national IPv6 network called the Chinese New Generation Internet (CNGI)
   o As of 2009, many European cars run IPv6 networks internally
• Think back to "the early Internet"
   o In 1992, only weirdos like me had Internet-connected nets
   o By 1995 every US business was on the Net
• With IPv6, it's the same story: most folks will ignore it until the "tipping point," and then everyone will scramble to do IPv6

Page 8

Honest, we ARE running out of IPv4 Addresses!

• Visit http://www.potaroo.net/tools/ipv4/index.html for one automatic estimate of when we'll run out
• It's sooner than you think!

Page 9

Page 10

More Motivators
that was the stick, here's the carrot

• Never run out of IP addresses
• Simplified routing
• Better automatic configuration: you can get an IP address and more without DHCP
• No broadcasts
• IPSec in all implementations
• And hey, you know what? I'll bet your existing network hardware already supports IPv6!

Page 11

IPv4 Concepts, Problems, Solutions
short review for comparison

• Main IPv4 issue: I've got an IP address and I want to communicate with your IP address
• If we're on the same Ethernet segment then I can use IP to communicate directly with you; I can "shout" across the segment to you
   o In IPv4 terms, we are both in the same "subnet"
• If we're not on the same subnet, then I can't talk directly to you; I must instead send the IP packet to my local router, who then gets it to you
• Thus, IP's job is to ask, "should I shout or should I route?"

Page 12

IPv4 Concepts, Problems, Solutions
short review for comparison

• How'd my IPv4 software know from looking at our addresses whether to shout or route? By looking at something called a "subnet mask"
• In order, then, to talk on an IPv4 network I need an IP address, subnet mask, and the IP address of a nearby router
• We configure our systems with this information via a DHCP server, or manually

Page 13

How IPv6 is Different
(I'm butchering this a bit, but it's close enough)

• We rarely say "subnet" in IPv6
• If I can shout to you, we're on the same "link"
• In that case (if I can shout to you) we're "neighbors" on that link
   o For example, my laptop has both Ethernet and wireless network adapters, so it has two links, and if I VPN-ed into my office, that'd be a third
• You might get IPv6 addresses from your DHCP server, but it's more likely you'll get them from your router
• Details later on!

Page 14

Reading IPv6 Addresses

• IPv4 uses 32 bits, IPv6 uses 128
   o (Why so many? So we can waste them!)
• IPv6 uses hex digits rather than dotted-quad
• Each hex digit represents 4 bits, so an IPv6 address has 32 hex digits (and case doesn't matter)
• "To improve readability," put a colon between each four digits, as in 2001:4840:ffff:c01A:85bc:ac80:d295:8e6b
• Informally called "colon-hexadecimal notation," it uses eight "hex quads"; no "RFC" terms here

Page 15

Shortening IP Addresses

• Most IPv6 addresses have a lot of zeros in them, like FD00:0000:0000:0000:B13A:0831:0000:6789
• It's okay to trim any leading zeros from each hex quad, so the ":0831:" hex quad can be written simply ":831:"
• Removing leading zeros goes from FD00:0000:0000:0000:B13A:0831:0000:6789 to FD00:0:0:0:B13A:831:0:6789

Page 16

Shortening IP Addresses
time for the dual colon

• And you can collapse any ONE series of 0's to just ::
• So FD00:0:0:0:B13A:831:0:6789 becomes FD00::B13A:831:0:6789 (again, just ONE series of 0's)
• What's "127.0.0.1" in IPv4? Now "localhost" is 0:0:0:0:0:0:0:1 or ::1
   o (Fun fact: on Vista/2008, you can ping ::1 even if you've killed IPv6!)
• "Unspecified address" is 0:0:0:0:0:0:0:0 or ::

Page 17

Return to IPv4: Network Numbers

• In both IPv4 and IPv6, you can't just make up any IP address that you want, at least if you want to connect to the Internet
• Instead, you get a range of IPv4/v6 addresses from (I'm simplifying) an ISP
• For example, suppose you get the IPv4 range "210.2.3.0 -> 210.2.3.255"
• The short way to write that range of addresses is 210.2.3.0, the first address, and it's called your "network number"

Page 18

Return to IPv4: Network Sizes

• The network number specifies your first address; how to show your last address?
• Through your subnet mask; in my example, you control the rightmost eight bits and the ISP controls the leftmost 24 bits
• That's written as 11111111111111111111111100000000
• Ever since 1993 (RFC 1519), we've written that as "210.2.3.0/24"
• Again, "24" is the # of bits the ISP controls
• It is spoken aloud as a "slash 24 network"
• "slash" = "number of bits I don't control"

Page 19

Network Numbers IPv6 Style
say goodbye to subnet masks

• In IPv6, the part of the IPv6 address to the left, the part that you do not control, is called the "prefix" rather than the "network number"
• A common way to write a network uses CIDR like "21FB:540A::/48," which would mean
   o "We do not control the leftmost 48 bits"
   o "All of our addresses start with 21FB:540A:0000:" (you'll see why in the next slide)
• IPv6 never writes old-style subnet masks

Page 20

How Did I Get "21FB:540A:0000?"

• An important IPv6 skill
• We know 21FB:540A::/48
• "/48" means "we don't control the leftmost 48 bits, just the remaining 128-48=80 bits"
• 48 bits = 48/4 = 12 hex digits
• But we only have eight in 21FB:540A
• So we must be missing four zeros
• Result: all addresses start with 21FB:540A:0000 on this particular network
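An added example (my code, not from the slides) that works through the notation rules of pages 15-16 and the prefix arithmetic of pages 19-20, plus the "shout or route?" comparison from pages 11-12, in Python: expanding and compressing colon-hex addresses, deriving the fixed hex quads of a CIDR prefix, and testing whether two addresses share a prefix. Hex is emitted lowercase, as ipconfig prints it.

```python
"""IPv6 colon-hex notation helpers (added example, not from the slides)."""
import string


def expand(addr: str) -> list:
    """Return the eight 16-bit groups of an IPv6 address as integers.

    A trailing Windows zone ID such as '%8' is ignored. A second '::' is
    rejected because the expansion would then be ambiguous; that is why the
    RFCs allow only ONE series of zeros to be collapsed.
    """
    addr = addr.partition("%")[0]
    if addr.count("::") > 1:
        raise ValueError("only ONE '::' is allowed: " + addr)
    if "::" in addr:
        left, right = addr.split("::")
        left_q = [q for q in left.split(":") if q]
        right_q = [q for q in right.split(":") if q]
        missing = 8 - len(left_q) - len(right_q)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero quad: " + addr)
        quads = left_q + ["0"] * missing + right_q
    else:
        quads = addr.split(":")
    if len(quads) != 8 or any(not 1 <= len(q) <= 4 for q in quads):
        raise ValueError("need eight hex quads of 1-4 digits: " + addr)
    if any(c not in string.hexdigits for q in quads for c in q):
        raise ValueError("non-hex digit in address: " + addr)
    return [int(q, 16) for q in quads]


def to_int(addr: str) -> int:
    """The address as one 128-bit integer."""
    n = 0
    for g in expand(addr):
        n = (n << 16) | g
    return n


def compress(addr: str) -> str:
    """Shorten an address the way ipconfig shows it (RFC 5952 style): strip
    leading zeros from every quad, then replace the longest run of two or
    more zero quads (leftmost on a tie) with '::'. A zone ID is kept."""
    base, sep, zone = addr.partition("%")
    groups = expand(base)
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if groups[i] == 0:
            j = i
            while j < 8 and groups[j] == 0:
                j += 1
            if j - i > best_len:
                best_start, best_len = i, j - i
            i = j
        else:
            i += 1
    hexq = [format(g, "x") for g in groups]
    if best_len < 2:
        text = ":".join(hexq)
    else:
        text = ":".join(hexq[:best_start]) + "::" + ":".join(hexq[best_start + best_len:])
    return text + sep + zone


def fixed_prefix(cidr: str) -> str:
    """'21FB:540A::/48' -> '21fb:540a:0000': the hex digits every address in
    the block starts with (page 20). Prefix lengths are limited to multiples
    of 4 so that the boundary falls on a whole hex digit."""
    addr, _, plen = cidr.partition("/")
    plen = int(plen)
    if not 0 <= plen <= 128 or plen % 4:
        raise ValueError("prefix length must be 0-128 and a multiple of 4 bits")
    digits = "".join(format(g, "04x") for g in expand(addr))   # 32 hex digits
    fixed = digits[: plen // 4]
    return ":".join(fixed[i:i + 4] for i in range(0, len(fixed), 4))


def same_prefix(a: str, b: str, plen: int) -> bool:
    """Do a and b share their leftmost plen bits? With plen=64 this is the
    IPv6 form of 'are we on the same link: shout, or route?' (pages 11-12)."""
    mask = ((1 << plen) - 1) << (128 - plen)
    return (to_int(a) & mask) == (to_int(b) & mask)
```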

Page 21

Carving up IPv6's 128 bits

• In IPv4, big companies control more bits (maybe 24 out of 32) and smaller companies might only control 3 out of 32
• That makes building routers more complex
• IPv6 is deliberately a lot less flexible in its "slash options" and most of the world gets a /48
• Yes, you heard that right

Page 22

Carving up IPv6's 128 bits

IPv6's simpler model basically says "the ISPs control the leftmost 48 bits, and the customer controls the rightmost 80 bits":

   | IANA, RIRs, ISPs (48 bits) | Subnet ID (16 bits) | Host address (64 bits) |

• Authorities control 48 bits, pieces of which go to ISPs
• Customer organization gets 80 bits, divided into subnet IDs and host addresses
• Notice that the customer use is also a bit inflexible: 16 bits identify the sites, 64 bits identify the host within the subnet, and no shifting the bits around!

Page 23

Everyone Gets A /48 Network
(almost everybody)

• Everybody? Both Exxon-Mobil Corporation and Wally's Exxon station on Maple Avenue?
• Each organization gets
   o 65,536 sites (16 bits)
   o 18 quintillion (18,000,000,000,000,000,000) hosts per site (64 bits)
• IPv6 supports enough bits to allow for 137 billion organizations (and can grow to 250 trillion)
• Small orgs can opt for just one subnet (18 quintillion addresses)

Page 24

Reviewing…

So far, we've seen that at least at present, IPv6 addresses have lots of bits so that they can keep routing simple:

   | IANA, RIRs, ISPs (48 bits) | Subnet ID (16 bits) | Host address (64 bits) |

• When you get a block of IP addresses from your ISP, your ISP either fixes the leftmost 48 bits (normally) or the leftmost 64 bits (if you're a small outfit)
• If you have 80 bits to play with, you must identify your subnets with 16 bits
• The last 64 bits always identify a host in a subnet; only 64 bits from your ISP = only one subnet

Page 25

IPv6 Address Types
… and a multitude of addresses

Page 26

Paradigm Shifter: Multiple IPs

• In IPv4, one NIC having multiple IP addresses is unusual
• Not true in IPv6: it's the norm, as you'll see, and sometimes you'll even have multiple routable addresses on the same NIC!

Page 27

Big Picture on IPv6 addresses

• One way to think about IPv6 addresses is that they (basically) get their 128 bits in two pieces:
   o the top 64 bits tell you what kind of address it is
   o the bottom 64 identify the system within a network
• There are exceptions, but that's basically how it works

Page 28

Three Types of IPv6 Addresses

• Unicast: like a host address; addresses aimed at a single interface on a single machine; a "one to one" connection
• Multicast: like multicast in IPv4, a message aimed at multiple interfaces; unlike IPv4, however, IPv6 uses multicasts to accomplish whatever broadcasts do in IPv4; a "one to many" connection
• Anycast: used to find routers and IPTV mostly (time doesn't allow me to cover these); a "one to any of a group of systems" connection

Page 29

Four Types of Unicast Addresses

• Global unicast: routable across the Internet
• Link-local unicast: like APIPA, only useful in a subnet link
• Site-local unicast: can be routed within a physical location within your organization but not across the Internet or to other physical locations in your organization
• Unique local unicast: like a private (10.x.x.x or 192.168.x.x) address

Page 30

Address Types and Subtypes

• Unicast Addresses
   o global unicast
   o link-local unicast
   o site-local unicast
   o unique local unicast
• Multicast Addresses
   o well-known multicast addresses
   o transient multicast addresses
   o different scopes (link-local, global, etc)
• Anycast Addresses

Page 31

"Hey, what about broadcasts?"

• IPv6 doesn't include them as a transmission type explicitly
• Multicasts are intended to handle that
   o (And as we'll see, there's a predefined multicast address that acts as a local broadcast)
• The intention is that multicasts create chatter, but it's more specific chatter than broadcasts
• As we'll see, multicasts are used to find your default gateway, other members of your subnet link and more

Page 32

What's a Multicast?

• IPv6 is a big user of multicasts rather than broadcasts
• Multicasts are like broadcasts, but they go to machines that have asked to get them; they are like broadcasts you "subscribe" to
• IPv4 uses them as well, including the "Network Discovery" tool that Vista and later support
• Your existing network hardware almost certainly supports multicasts

Page 33

How Multicasts Work

• Machines join a multicast group, and routers/switches/NICs remember that
• Then you send a message to a multicast group just as you would a directed one-to-one communication ("unicast"), and the network hardware gets it just to the members
• Multicast addresses have a distinctive look: they start with FF0 or FF1 in IPv6, or fall in the range "224.0.0.0 - 239.255.255.255" in IPv4
• Send a single message to a "magic" multicast address, and all members get the message

Page 34

Well-Known Multicast Addresses
the keys to getting the word out!

• Some multicast addresses are "well-known" for convenience within a network
• Best example: sending a message to FF02::2 will go to every router on your link (subnet)
• FF02::2 is, then, "well-known" but also link-local: any message to FF02::2 stays within your link

Page 35

Global Unicast Addresses
global unicast address = routable addresses

• Global unicast addresses are like routable IPv4 addresses; they're the "pedestrian" IPv6 addresses
• Top three bits must be "001" and since 0010=2 and 0011=3, global unicast addresses always start with 2 or 3
• Internet-connected routers will forward global unicast addresses, and will ignore others: if you don't start with 2 or 3, your unicast message gets dropped on the floor

Page 36

Link-Local Unicast Addresses
link-local addresses = "APIPAv6" addresses

• Link-local unicast addresses or "link-locals"
• Only work locally within a subnet link; all routers drop 'em on the floor
• Like APIPA's 169.254.x.x addresses, intended for "plug and play"
• Top 64 bits are FE80:0000:0000:0000 (that's FE80::/64, remember?)
• Rest was the MAC address, now it's random
• Every interface ("link") gets a link-local

Page 37

Site-Local Unicast Addresses
new to IPv6, but going soon

• Like link-locals in that they're not routed to the Internet, but can be routed across different subnets in a given "site"
• Top 64 bits are FEC0:0:0:FFFF
• Intended to be associated with a physical site (similar to an AD site)
• Deprecated in 2004 (RFC 3879) in favor of "scopes" or "zones" because of programming difficulty
• But there's at least one valuable remaining point

Page 38

You May See This…

Page 39

Site-Local Unicast Addresses
Finding DNS!

• Site-local addresses all start with FEC0
• Microsoft defined a "well-known" address clients can use to locate DNS servers
• By default, Windows systems look for a DNS server on FEC0:0:0:FFFF::1, 2, and 3
• Just add one of those site addresses to your DNS server, and local clients will be able to find a DNS server without any further configuration

Page 40

Unique Local Unicast Addresses
for those who can't handle routability

• We're used to building enterprises with addresses like "10.x.x.x," as they route across our enterprises but not on the global Internet
• IPv6 lacked that until 2005's RFC 4193
• Create networks that start with "FD00::/8"

Page 41

Summary: Field Guide to Addresses
Starts with…

• FE80: unicast link-local (like 169.254 addrs)
• FEC0: unicast site-local (going away…)
• FD00: "private" addresses (10.x.x.x-like addresses)
• FF0 or FF1: multicast addresses
• 2 or 3: global unicast addresses ("routable")
• 0, 1, 4->E: huh?

But enough about that top 48 and 64 bits; now let's see about the bottom 64 bits. I mean, do we really need 2^64 or 18 quintillion hosts per subnet?
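The field guide above as a classifier, an added example that is not from the slides: it decides what an address is from its leading bits alone and tags the well-known addresses the talk mentions on pages 31, 34, 39 and 61. The all-nodes group FF02::1 is not named on the slides; it is the "acts like a local broadcast" multicast that page 31 alludes to. Only the standard library's parser is used for the address text; the classification itself is done on the bits.

```python
"""Field-guide classifier for IPv6 addresses (added example, not from the slides)."""
import ipaddress

# Well-known addresses named in the talk, keyed by their canonical text form.
WELL_KNOWN = {
    "ff02::1": "all nodes on this link (the closest thing to a broadcast, page 31)",
    "ff02::2": "all routers on this link (page 34)",
    "ff02::1:3": "LLMNR responders on this link (page 61)",
    "fec0:0:0:ffff::1": "Windows default site-local DNS server #1 (page 39)",
    "fec0:0:0:ffff::2": "Windows default site-local DNS server #2 (page 39)",
    "fec0:0:0:ffff::3": "Windows default site-local DNS server #3 (page 39)",
}


def address_kind(text: str) -> str:
    """Classify by prefix bits; a Windows zone ID such as '%8' is ignored."""
    addr = ipaddress.IPv6Address(text.partition("%")[0])
    n = int(addr)
    if n == 0:
        return "unspecified (::)"
    if n == 1:
        return "loopback (::1, the IPv6 127.0.0.1)"
    top = n >> 112                      # the leading 16 bits as one number
    if top >> 8 == 0xFF:                # FF00::/8: the 'FF0 or FF1' of page 33
        return "multicast"
    if top >> 6 == 0xFE80 >> 6:         # FE80::/10
        return "link-local unicast (APIPAv6)"
    if top >> 6 == 0xFEC0 >> 6:         # FEC0::/10, deprecated by RFC 3879
        return "site-local unicast (deprecated)"
    if top >> 8 == 0xFD:                # FD00::/8, the RFC 4193 'private' block
        return "unique local unicast (10.x.x.x-like)"
    if top >> 13 == 0b001:              # 2000::/3: first hex digit is 2 or 3
        return "global unicast (routable)"
    return "reserved or unassigned (the 'huh?' row)"


def describe(text: str) -> str:
    """Kind plus, for the talk's well-known addresses, what they are for."""
    canonical = str(ipaddress.IPv6Address(text.partition("%")[0]))
    kind = address_kind(text)
    if canonical in WELL_KNOWN:
        return kind + ": " + WELL_KNOWN[canonical]
    return kind


def would_internet_router_forward(text: str) -> bool:
    """Page 35's rule: only global unicast makes it past an Internet router."""
    return address_kind(text).startswith("global unicast")
```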

Page 42

Why 64 bits for the host?
It was a MAC thing, originally

• The top 64 bits, as you've seen, distinguish your subnet from every other one on the planet
• So there remain 64 bits to play with to identify any given host within a subnet
• What unique identifier comes with every NIC? Its 48-bit "media access control" or MAC address
• By using a NIC's MAC address, we're certain we won't collide with another NIC's MAC address, ensuring unique link-local and global unicast addresses!

Page 43

"But MACs are 48 bits, not 64!"

• Right, but according to the networking Powers That Be, we're going to run out of the 281 trillion possible MAC addresses around 2100
• So MAC addresses are becoming 64-bit "Extended Unique Identifiers" or "EUI-64" addresses
• So the original plan was to take your 48-bit MAC address, run it through an algorithm, make it an EUI-64 address, and that's your bottom 64 IPv6 bits; and, when 64-bit MAC addresses appear, use those

Page 44

Oh, sorry, bad idea…

• 2001's RFC 3041 (written by a Microsoft employee and an IBM employee) notes that if IPv6 were always to use the MAC address from your NIC, then you could be identified anywhere on the Net
• This could enable "the Doubleclick.com from Hell!"
• Answer? Use random EUI-64 codes
• So we get privacy back… but now we've lost guaranteed unique link-local and global unicasts

Page 45

Configuring IPv6

Now we're ready to see how IPv6 hosts get their IPv6 addresses

Page 46

Configuring IPv6 Clients (Overview)

• In IPv6, we tend to get useful IP addresses in two stages
• "Stage 1" either comes from
   o Manual configuration (the GUI, netsh etc.), i.e. static addresses, or
   o Link-local configuration (unique-to-link FE80 addresses)
• Then more configuration information (and perhaps more addresses) comes from
   o Multicasts from routers ("stateless" configuration)
   o DHCPv6 ("stateful" configuration)
   o Or some combination of the two

Page 47

Acquiring a Link-Local Address

• Start with FE80::/64 (FE80:0000:0000:0000, recall) and then create the rightmost 64 bits like so:
• Pre-RFC 3041, just
   o Convert your 48-bit MAC address to a 64-bit EUI address
   o Use that as your bottom 64 bits
• Post-RFC 3041 (appeared 2001), you
   o Generate a random 64-bit address
   o Check that no one else is using that number
   o If good, keep using it for a few hours
   o After that time, or if it's a duplicate address, generate another random number and start again
• Vista and later use this approach; such addresses are called "temporary" addresses
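An added example (my code, not from the slides) showing both halves of the slide above in Python: the original MAC-to-EUI-64 derivation from pages 43-44 and the random identifier RFC 3041 replaced it with, plus the assembly step. The assembly step takes any /64, so it also builds the global address of pages 50-51 once a router has supplied the prefix; that generalisation is mine. The MAC 00-17-A4-D3-10-CA is the one in the talk's ipconfig listing, and note that the listing's default gateway, fe80::212:17ff:fe01:5737, still carries the ff:fe marker of a MAC-derived identifier, which is exactly the privacy leak page 44 describes and which embedded_mac() lets a defender audit for.

```python
"""Interface identifiers: MAC-derived vs random (added example, not from the slides)."""
import ipaddress
import os

UL_BIT = 1 << 57     # the 'universal/local' bit: 0x02 of the identifier's first byte


def mac_to_modified_eui64(mac: str) -> int:
    """48-bit MAC ('00-17-A4-D3-10-CA', as ipconfig prints it) -> 64-bit identifier:
    split the MAC in the middle, insert FF FE, and flip the universal/local bit
    (the 'modified EUI-64' of RFC 4291, the pre-RFC 3041 scheme on page 47)."""
    octets = bytes(int(o, 16) for o in mac.replace(":", "-").split("-"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui64, "big") ^ UL_BIT


def embedded_mac(text: str):
    """The problem RFC 3041 fixed, as a check to run over ipconfig or DNS output:
    if the bottom 64 bits carry the FF:FE marker, the NIC's MAC is sitting in the
    address for anyone to read. Returns the MAC, or None for a random identifier."""
    iid = int(ipaddress.IPv6Address(text.partition("%")[0])) & ((1 << 64) - 1)
    b = iid.to_bytes(8, "big")
    if b[3:5] != b"\xff\xfe":
        return None
    mac = bytes([b[0] ^ 0x02]) + b[1:3] + b[5:8]    # undo the bit flip, drop FF FE
    return "-".join(format(x, "02X") for x in mac)


def random_interface_id() -> int:
    """Post-RFC 3041 'temporary' identifier: 64 random bits with the
    universal/local bit cleared so it cannot pass for a hardware-derived EUI-64."""
    return int.from_bytes(os.urandom(8), "big") & ~UL_BIT


def build_address(prefix_cidr: str, iid: int) -> str:
    """Top 64 bits ('fe80::/64' for a link-local, or the org's 48 bits plus 16
    subnet bits learned from a Router Advertisement) + 64-bit identifier."""
    net = ipaddress.IPv6Network(prefix_cidr, strict=False)
    if net.prefixlen != 64:
        raise ValueError("hosts always get the bottom 64 bits, so the prefix must be a /64")
    if not 0 <= iid < (1 << 64):
        raise ValueError("identifier must fit in 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def link_local_pre_rfc3041(mac: str) -> str:
    """Page 47, 'Pre-RFC 3041': FE80::/64 + EUI-64 made from the MAC."""
    return build_address("fe80::/64", mac_to_modified_eui64(mac))


def link_local_post_rfc3041() -> str:
    """Page 47, 'Post-RFC 3041': FE80::/64 + a fresh random identifier
    (still 'tentative' until duplicate address detection has run)."""
    return build_address("fe80::/64", random_interface_id())
```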

Page 48

Avoiding Duplicate Addresses
"tentative" becomes "preferred"

• Pick a random number for the address
• Method is called "duplicate address detection" or DAD
• Given that there's about a one in 18 quintillion chance of a collision, Windows starts actually using the address as it is checking for a duplication; this is called "optimistic DAD"
• Before DAD, the address gets "(tentative)" next to it in ipconfig; afterwards it becomes "(preferred)"

Page 49

Remember This?
note the "(preferred)"

   Ethernet adapter Ethernet:
      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
      Physical Address. . . . . . . . . : 00-17-A4-D3-10-CA
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      IPv6 Address. . . . . . . . . . . : 2001:4840:ffff:c01d:38bc:ac80:d925:8f5b(Preferred)
      Temporary IPv6 Address. . . . . . : 2001:4840:ffff:c01d:8d99:ac44:b5a0:80a6(Preferred)
      Link-local IPv6 Address . . . . . : fe80::38bc:ac80:d925:8f5b%8(Preferred)
      IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)

Page 50

Acquiring a Global Address
(simplified)

• Very much like getting a link-local unicast address, but we need to find a router first
• Step one is… get a link-local address, FE80…
• Immediately send out three Router Solicitation packets
• Eventually you hear a Router Advertisement packet (or several)
• Includes your "prefix" (the top 48 bits of your organization and the 16 subnet bits)

Page 51

Building a Global Unicast Address

From the router, we've got the top part:

   | Our org's identifier (top 48 bits) | Our subnet (next 16 bits) | All that's left is the bottom 64 bits |

• How to get the bottom 64 bits? You already know: randomly
• Note we have now created a globally unique (and routable!) address called a temporary address
• Oh, and while we're at it, we'll create two of these addresses

Page 52

Acquiring a Global Address
why two?

• The idea is that you register one address in DNS so that people can find you, and folks use it to initiate communications with you… but when you're surfing the Internet, you do it with your other address (it's an RFC 3041 thing)
• Even if you have a static address, you still create a temporary address
   o Static address = "public address"
   o Other address is, again, a "temporary" address created randomly that starts out as "tentative" and eventually becomes "preferred"

Page 53

Review
tentative, preferred, temporary, public

• Tentative = random address that you haven't DAD-ed yet
• Preferred = random address that's been DAD-ed
• Public = IPv6 address found in DNS, an address that a server makes known, often a static address
• Temporary = IPv6 address created for systems (including servers) that they can use when acting as a client; preserves privacy

Page 54

Again…
note the "Temporary"; the first is "Public" although it doesn't say it

   Ethernet adapter Ethernet:
      Connection-specific DNS Suffix  . :
      Description . . . . . . . . . . . : Broadcom NetLink (TM) Gigabit Ethernet
      Physical Address. . . . . . . . . : 00-17-A4-D3-10-CA
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      IPv6 Address. . . . . . . . . . . : 2001:4840:ffff:c01d:38bc:ac80:d925:8f5b(Preferred)
      Temporary IPv6 Address. . . . . . : 2001:4840:ffff:c01d:8d99:ac44:b5a0:80a6(Preferred)
      Link-local IPv6 Address . . . . . : fe80::38bc:ac80:d925:8f5b%8(Preferred)
      IPv4 Address. . . . . . . . . . . : 192.168.1.102(Preferred)

Page 55

What's the Percent Sign ("%")?
the price we pay for RFC 3041

• Note the "%8" on the FE80 link-local address
• It's there to remove ambiguity
• Here's an example

Page 56

Here's the initial setup. We've got two different networks that are not directly connected to each other, segment 1 and segment 2, and three systems. Each of the four NICs gets a link-local address that looks like FE80:: followed by some random 64-bit number.

   [Diagram: segment 1 and segment 2. Server1 has a connection from NIC 1 to segment 1 and from NIC 2 to segment 2; Client1 is on segment 1; Client2 is on segment 2.]

Page 57

It's a bit pathological, I'll agree, but it is both possible and within the RFCs for this set of addresses to appear:

   [Diagram: Server1's two NICs have FE80::17 and FE80::88; Client1 (segment 1) and Client2 (segment 2) both have FE80::2.]

Page 58

   [Diagram: the same picture. Server1's NICs have FE80::17 and FE80::88; both Client1 and Client2 have FE80::2.]

Thus, there are two FE80::2's from Server1's point of view. Server1 solves that by randomly assigning numbers to the two subnets and adding those numbers at the end, like this:

Page 59

   [Diagram: Server1's NICs have FE80::17 and FE80::88; as seen by Server1, one client is now FE80::2%7 and the other FE80::2%3.]

The "%7" is only used internally by Server1; no other system knows or cares about it. It's just a way to keep FE80 addresses from different links separate

Page 60

Name Resolution in IPv6
just a few words for a big topic

• No NetBIOS support at all
• IPv6 doesn't use or understand WINS
• IPv6-aware DNS supports an "AAAA" record, where you supply DNS a name and it returns the IPv6 address
• Windows DNS handles AAAAs fine

Page 61

IPv6 Name Resolution
local name resolution

• Name resolution on a link happens through multicasts: "link local multicast name resolution" (LLMNR)
• Documented in RFC 4795
• Requester multicasts to address FF02::1:3 on UDP port 5335
• Answerer unicasts to requester on UDP 5335
• Can query for any DNS record type
• Does not need any DNS servers, however

Page 62

Lots More To Learn

But that's all we've got time for; other topics include
• anycast addresses
• transition technologies: Teredo, 6to4, etc.
• controlling how temporary "temporary" addresses are
• router design
• lots more…

I hope this has gotten you started on IPv6!

Page 63

Thank You For Attending!

• Please don't forget to fill out an evaluation (Please!)
• Find me at help@minasi.com
• Technical newsletter and online forum at www.minasi.com

Page 64

Complete an evaluation on CommNet and enter to win an Xbox 360 Elite!

Page 65

Page 66

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.