THE HITCHHIKERS’ GUIDE TO IPV6

Jeff Schwab

Don’tPanic!

It’s the End of the World(as we know it)

February 3, 2011 IANA (Internet Assigned Numbers Authority)

hands out the last 5 available /8 address pools to ARIN, LACNIC, AFRINIC, RIPE, and APNIC

Over the next several months these pools will be exhausted

After that, requests will be queued until addresses are returned to the pool

A Little History Address space exhaustion first discussed

in the early 1990s! Three competing proposals:

64 bit SIPP (Simple Internet Protocol Plus) 128 bit SIPP Variable length address “TUBA” (ISO based)

In 1994, at Toronto meeting IETF announced plans to use 128 bit SIPP

How big is it? 2128 = 3.40282367 * 1038

Assuming one address per cubic meter, this gives us a sphere just short of the orbit of Neptune

Certainly, this will be enough After all, a PC only needs 64K of memory

Addressing IPv4 addresses are usually represented as:

Four period separated decimals (0-255) 128.210.11.1 Stored in DNS “A” records

IPv6 addresses are usually represented as: Eight colon separated hex numbers (0-FFFF) 2001:18E8:0800:F4FF:0000:0000:0000:0001 Stored in DNS “AAAA” records Any one group of consecutive zeros can be

replaced by :: 2001:18E8:800:F4FF::1

Unicast IPv6 Addresses Basic Format

Host Part Manually configured Mapped from EUI-48 (MAC address) Mapped rom EUI-64 (Infiniband/Firewire) Concerns about privacy/tracking if MAC

address is used

IPv6 “Network” Addresses Many different proposals floated Two early favorites 1) Provider based addressing

13 bits at top level (8192 top level “routes”) Severely limits number of “Tier-1” providers Good for routing table

2) Geographic addressing Good for routing and aggregation Requires more cooperation among providers

than we can ever expect

The Reality Provider/entity based addressing

Provider part comes from regional registry (ARIN, etc.)

End sites customarily receive a /48 Residential users will get less

But we still may be able to get rid of NAT

More Reality Providers can actually get more than a

/32 Almost any large enterprise can receive a

/32 The current definition of enterprise is

rather loosely interpreted

An Example ARIN allocated 2001:18E8::/32 to the Indiana

Gigapop Indiana Gigapop allocated 2001:18E8:0800/44

to Purdue University Purdue University allocated

2001:18E8:0800/48 to the West Lafayette campus

Initially, West Lafayette campus can allocate 65,536 subnets with 264 potential hosts on each

Other Addresses Multicast

Start with ff00::/8 Scoping rules used to limit propagation

Anycast Highest 128 interface addresses on a subnet

Broadcast Gone. Can use scoped multicast instead

Brief Down and Dirty IPv6 Packet Headers

Fixed length header to simplify processing IPv4 headers had variable length due to

options

Some Comments

Hop Limit – Analogous to IPv4 TTL Next Header – Type of Extension header

(Layer 3 or Layer 4) – can be chained Payload Length – Number of octets

(unless jumbo extension header follows)

Extension Headers Replace (and augment) IPv4 options

Source routing Authentication Encryption

Layer-4 protocols TCP, UDP, ICMP

Layer 4 Protocols TCP and UDP

Bit for bit the same as with IPv4 ICMP

Slightly modified, all IPv4 functionality is there Includes some old IGMP (multicast)

functionality Adds functions for neighbor/router discovery

ARP Gone! Functionality merged into ICMP

Routing RIP

Still there OSPF

Parallel to IPv4, but two do not interact BGP

Can support both IPv4 and IPv6 in same session

Host Configuration Static Manual Configuration

Router gateway, network address/mask, DNS Just like today only numbers are larger

More typing Two Network based options

SLAAC DHCPv6

SLAAC StateLess Automatic Address Configuration IPv6 “Plug and Play” Uses ICMP to find router and local network Host part of address comes from MAC

address Some OS’s (Windows) randomize this for privacy But “Privacy addresses” may break firewalls

But… No DNS info No generally accepted extensions for DNS

DHCPv6 Works similarly to DHCP for IPv4 DHCPv6 servers now available But… Currently not implemented by

Apple

How do we get there from here?

Routers and switches will need to support IPv6

Most current generation hardware does IPv6 to some extent.

Routing protocols are available for IPv6 Older hardware will need to be updated May have enough time to work into LCR

plan Wireless is usually easy if just bridging

Other Network Hardware Firewalls and Load Balancers

Support for IPv6 mostly just starting Some upgraded code for existing hardware May require a forklift upgrade Beating up vendors can help

Hosts IPv6 is supported in most modern OS’s

Generally enabled by default Windows XP does not support DNS over

IPv6 “Privacy addresses” on by default in

Windows Apple does not support DHCPv6

Services Server side

Many critical pieces already have IPv6 aware versions

Apache, Sendmail, Bind, MySQL Client side

Most services just rely on underlying OS support

Major browsers are IPv6 aware Firefox, Opera, Safari

What can we do with IPv6? Many sites are enabling IPv6

Industry does not want to lose IPv6 clientelle Facebook, Netflix, and Google are IPv6

ready Google requires whitelisting currently

Surviving the transition Eventually, IPv6 will be the only protocol Probably after most of us are retired Meanwhile, we need to work in both

worlds We will start with islands of IPv6 in an IPv4

world Will transition to islands of IPv4 in an IPv6

world Tunnels will evolve to carry traffic between the

islands Will need to support both protocols and

forms of tunneling and NAT servers to support access

Best Option - Dual Stack Host supports and talks to both IPv6 and

IPv4 Cleanest answer Future-proof Generally transparent to end user As long as everything is “working

correctly” Difficult to debug when things go wrong

Accessing IPv6 from IPv4 Not enough address bits to be easy “DS-Lite” – Dual Stack Light

NAT based solution Needs to play DNS tricks Rumored Comcast trial

Accessing IPv4 from IPv6 DNS Alg (DNS64)

Special resolver on IPv6-only network If a AAAA record, use it Else put address from A record into bottom 32 bits of

special IPv6 prefix May not work well with DNSSEC

NAT64 Relay router Dual stack on outside, IPv6 only on inside State table to maintain IPv4 pool “Real” IPv6 addresses used unchanged Special addresses from DNS64 mapped back to IPv4

addresses

Alternatives to IPv6 NATs Lots of NATs Lots and lots and lots of NATs Performance suffers End to end applications fail

Consequences of not doing IPv6

Lose access to overseas markets/clients Lose access when travelling New remote sites may not be able to get

IPv4 space Eventually lose access to domestic

markets/clients

Costs of transition to IPv6 “Unfunded Mandate” Replace as much hardware as possible in LCR DO NOT buy any new hardware that isn’t IPv6

ready Routers Firewalls Network Appliances

Pressure your vendors for software upgrades, etc.

Engineering costs to set up new address scheme Cost of running transitional appliances

Where do I start? Work IPv6 into hardware LCR Prepare your networking infrastructure

for IPv6 Your “Internet presence” (servers) will be

most painful conversion Printers and other internal only

appliances are lowest priority

And I Feel Fine… It’s the End of the World as We Know it We can’t ignore the problem We have some time Start experimenting! World IPv6 Day – June 8, 2011

That’s all folks! Questions? Comments? Live Poultry? Acknowledgements:

Michael Lambert, Pittsburg Supercomputing Center

Internet2 IPv6 Working Group