IPv6

• better scalability

  • larger address space size

• easier deployment

  • simplified header, easier implementation

  • better auto-configuration (SLAAC)

  • updated stateful configuration (DHCPv6)

• easier analysis

  • better flow associativity

• [IP] : Port

• first n bits: global routing prefix

• next 64-n bits: subnet ID

• last 64 bits: interface ID

• unicast

• multicast

• anycast

• broadcast

• 8 bit set to 1

• 4 bit as flag (permanent or transient address)

• 4 bit as scope

• last 112 bit -> group id

• 0000 reserved

• 0001 interface local

• 0010 link local

• 1000 organization local

• 1110 global

• 1111 reserved

all nodes multicast

• ff01::1 -> interface local

• ff02::1 -> link local

• IPv4 -> 224.0.0.1

all roiuters multicast

• ff01::2 -> interface local

• ff02::2 -> link local

• IPv4 -> 224.0.0.2

• 20 bit to specify flows needing special QoS

• Traditional IPv4 way of specifying flows:

  • 5-tuple: source and destination IP addresses, source and destination port numbers, and protocol type

• Some of these fields may be unavailable due to fragmentation, encryption, or locating them past extension headers

• With flow labels, each source chooses its own flow label value. Routers use IPv6 source address + flow label to identify distinct flows

• Hop-by-hop Options header

• Routing header

• Fragment header

• Authentication header (IPSEC)

  • To validate the message sender and ensure integrity of data

• Encapsulated Security Payload header (IPSEC)

  • To provide confidentiality and guard against eavesdropping

• Destination Options header

• Mobility header

• Host Identity Protocol (HIP)

  • To provide confidentiality and guard against eavesdropping

• Shim6 Protocol

• IPv4 ARP equivalent

• resolve IPv6 addresses to MAC

• add parts form information about routers

• it is part of ICMPv6

• -> split into neighbor solicitation and neighbor advertisement

• ask for MAC address of inerface configured for given IPv6 address

• Uses solicited node address as destination

  • -> ff02::1:ffXX:XXXX

  • where X are the lowest 24 bits of the given IPv6 address at the end of the destinatio IPv6 address

• Destination MAC -> 33:33:XX:XX:XX:XX

• insert lowest 32 bits of the solicited node address…

• answer neighbor solicitation

• -> use MAC and IPv6 address of destinatino host

• Prompt all routers on this segment to send a Router Advertisement

• Normally sent when interface comes up

• Sent to the all-nodes multicast address in fixed intervals by all routers

• Contains Information about the network segment:

  • Autoconfiguration methods (SLAAC, DHCPv6)

  • Prefix Information

  • Route Information

  • MTU on link

  • Link-Layer address of the router

• Secure Neighbor Discovery (SEND) is an extension of NDP with extra security

• Multicast Listener Discovery (MLD) is used by IPv6 routers for discovering multicast listeners on a directly attached link

• Multicast Router Discovery (MRD) allows discovery of multicast routers

• Everybody can claim to be a router

  • Use RA Guard to filter unauthorized RAs (RFC 6105)

  • Secure Neighbor Discovery (SEND) is an extension of NDP with extra security (RFC 3971)

• Automatic configuration of link-local addresses on system startup

1. Create EUI-64 Address

   1. Always in subnet fe80/64

   2. First 24 Bit of Interface Identifier: First 24 Bit of MAC address (flip second bit of the first octet)

   3. “Middle” 16 Bit: Always ff:fe

   4. Last 24 Bit: Last 24 Bit of MAC address

2. Perform Duplicate Address Detection (DAD)

3. Configure Address to interface

• Use link-local address and interface ID

• Hosts join all-nodes multicast address (ff02::1)

• Hosts do DAD with all nodes based on multicast address

• Hosts communicate to routers using all-routers multicast address (ff02::2)

• ICMPv6 router solicitation sent by host to request additional information

• ICMPv6 router advertisement sent by router to inform host about prefixes for site and global addresses

• SLAAC uses modified MAC address -> makes it possible to trace a device…

  • => there exist privacy extensinos

  • make use of random 64 bit for host part

  • changes the number regularily

stateful configuration

• DHCPv6

• => Flag in router advertisement tells wether to rely on SLAAC or to use DHCPv6

• Can be used to provide prefix information

• Can be used to provide fixed addresses to device identifiers

• Can be used to provide DNS information

• Has to be used to provide boot information for Netboot

• Yes! -> Transistion not easy doe to large number of systems and actors on the internet…

• Solutino Approaches:

  • Dual Stack

    • All hosts have dual IPv4 and IPv6 stack of protocols until all of the Internet runs IPv6

    • Avoids the complexities of tunneling, such as security, increased latency, management overhead

  • Tunneling

    • Encapsulation of IPv6 packets in IPv4

    • Some automatic tunneling techniques: 6to4, Teredo, ISATAP

  • Header Translation

• Assign each end-user one public IPv4 address and one public IPv6 subnet

• End device chooses to use IPv4 or IPv6

• Both networks are directly accessible

Problems:

• IPv4 addresses might already be exhausted

• Supporting IPv4 and IPv6 inside the ISP network at the same time is expensive and complex

Solutions:

• No solution for address exhaustion in full Dual Stack (see DS Lite)

• ISPs can transparently tunnel IPv4 in IPv6 (or the other way round), and only setup one network, which provides IPv4 and IPv6

• Same as full Dual Stack, but private instead of public IPv4 address

• Deployment of a Carrier-Grade-NAT

Problems:

• Peer-to-peer communication almost impossible

• Mostly affects VoIP and gaming

• => No real solutions for this problem…

• encapsulate IPv6 packets in IPv4 packets

• Implementable in a variety of forms

• Any general purpose VPN service, with an IPv6 overlay and IPv4 underlay network (IPsec, OpenVPN, Cisco AnyConnect, ...)

• Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs) [5]

  • Developed by Microsoft

  • Components: Client, Server, Relay

  • Client: Has only IPv4 and is possibly behind a NAT

  • Server: Help client to set itself up, and establish the tunnel

  • Relay: Forward traffic from and to client

  • IPv4 client and server addresses are embedded in IPv6 address

  • Teredo prefix: 2001::/32

  • Based on NAT UDP hole punching

• Local router encapsulates IPv6 in IPv4

• IPv4 packet gets transmitted to the “nearest” relay

• Source IPv4 address is embedded in the IPv6 address

• 6to4 prefix: 2002::/16, append public IPv4 address to get /48 IPv6 subnet

• Address IPv4 packets to 192.88.99.1 (IPv4 Anycast)

• Deploy dual stack 6to4 relays, and 6to4 routers as NAT router

Building an IPv6 address from an IPv4 address

• IPv4 address (dotted decimal): 131.159.255.1 (Gateway/Router)

• IPv4 address (hexadecimal): 0x83 0x9F 0xFF 0x01

• IPv6 6to4 prefix: 2002::/16

• Resulting gateway IPv6 prefix: 2002:839f:ff01::/48

• Devices behind the gateway can configure an address inside the 2002:839f:ff01::/48 subnet

• Gateway encapsulates all IPv6 packets inside IPv4 packets

• All IPv6 packets destined to 2002:839f:ff01::/48 reach the gateway in an encapsulating IPv4 packet

• Completely transparent to clients

• Stateless IP/ICMP Translation (SIIT)

• Defines a class of IPv6 addresses called IPv4-translated addresses

• Use the ::ffff:0:0:0/96 subnet and may be written as ::ffff:0:a.b.c.d

• Allows IPv6-only hosts to communicate with IPv4-only hosts