9 Transition
IETF Working Groups
p “6man”
n The group is for the maintenance, upkeep, and
advancement of the IPv6 protocol specifications and
addressing architecture.
n http://datatracker.ietf.org/wg/6man/charter/
p “v6ops”
n Develops guidelines for the operation of a shared IPv4/
IPv6 Internet and provides operational guidance on how
to deploy IPv6 into existing IPv4-only networks, as well
as into new network installations.
n http://datatracker.ietf.org/wg/v6ops/charter/
p “behave”
n Creates documents to enable NATs to function in as
deterministic a fashion as possible.
n http://datatracker.ietf.org/wg/behave/charter/
p “softwires”
n Specifies the standardization of discovery, control and
encapsulation methods for connecting IPv4 networks
across IPv6 networks and IPv6 networks across IPv4
networks in a way that will encourage multiple, inter-
operable implementations.
n http://datatracker.ietf.org/wg/softwire/charter/
IPv4-IPv6 Co-existence/Transition
p A wide range of techniques have been identified
and implemented, basically falling into three
categories:
n Dual-stack techniques, to allow IPv4 and IPv6 to
co-exist in the same devices and networks
n Tunneling techniques, to avoid order dependencies when
upgrading hosts, routers, or regions
n Translation techniques, to allow IPv6-only devices to
communicate with IPv4-only devices
p All of these will be used, in combination
Dual Stack Approach
[Diagram: an IPv6-enabled application asks the DNS server "www.a.com = * ?"; labels shown: IPv4 10.1.1.1, IPv6 2001:db8::1, 2001:db8:1::1]
Example of DNS query
[Diagram: hosts A and B, DNS server]
Query=www.example.org Type=AAAA
Resp=2001:db8:1::10 Type=AAAA
Done
OR
Non-existent
Query=www.example.org Type=A
Resp=192.168.30.1 Type=A
A Dual Stack Configuration
[Diagram: dual-stack router on an IPv6 and IPv4 network; IPv4: 192.168.99.1, IPv6: 2001:db8:213:1::1/64]
router#
ipv6 unicast-routing
interface Ethernet0
 ip address 192.168.99.1 255.255.255.0
 ipv6 address 2001:db8:213:1::1/64
Using Tunnels for IPv6 Deployment
p Many techniques are available to establish
a tunnel:
n Manually configured
p Manual Tunnel (RFC 2893)
p GRE (RFC 2473)
n Semi-automated
p Tunnel broker
n Automatic
p 6to4 (RFC 3056)
p 6rd
p ISATAP
IPv6 over IPv4 Tunnels
[Diagram: packet layout with the fields IPv6 Header, Transport Header, Data]
6to4 in the Internet
relay router configuration
! Loopback carries the 6to4 relay anycast address and its 2002::/16 form
interface loopback0
 ip address 192.88.99.1 255.255.255.255
 ipv6 address 2002:c058:6301::1/128
!
! 6to4 tunnel sourced from the loopback
interface tunnel 2002
 no ip address
 ipv6 unnumbered Loopback0
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
 tunnel path-mtu-discovery
!
interface FastEthernet0/0
 ip address 105.3.37.1 255.255.255.0
 ipv6 address 2001:db8::1/64
!
! Announce the relay prefix over IPv4 and 2002::/16 over IPv6
router bgp 100
 address-family ipv4
  neighbor <v4-transit> remote-as 101
  network 192.88.99.0 mask 255.255.255.0
 address-family ipv6
  neighbor <v6-transit> remote-as 102
  network 2002::/16
!
ip route 192.88.99.0 255.255.255.0 null0 254
ipv6 route 2002::/16 tunnel2002
6rd Tunnel
[Diagram: 6rd tunnel; labels shown: 6rd, ISP 6rd Relay Router, ISP IPv4 Backbone, IPv6 Internet, IPv4 Internet, IPv6 Network, 192.168.64.2, Network prefix: 2001:db8:4002::/48, ISP IPv4 address block: 192.168.0.0/16]
ISATAP
[Diagram: ISATAP; labels shown: hosts A and B, IPv6 Network 2001:db8:ffff::/64, fe80::/64, "Prefix = 2001:db8:ffff::/64, Lifetime, options"]
NAT-PT for IPv6
p NAT-PT
n (Network Address Translation – Protocol
Translation)
n RFC 2766 & RFC 3152
n Obsoleted by IETF (RFC4966) but
implementations still in use
p Allows native IPv6 hosts and applications
to communicate with native IPv4 hosts
and applications, and vice versa
p Easy-to-use transition and co-existence
solution
NAT-PT Concept
[Diagram: NAT-PT device between an IPv4 interface and an IPv6 interface; labels shown: 172.16.1.1, 2001:db8:1987:0:2E0:B0FF:FE6A:412C]
p prefix is a 96-bit field that allows routing
back to the NAT-PT device
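6to4, 6rd and the NAT-PT /96 prefix all carry an IPv4 address inside an IPv6 address, which matters when writing filters or correlating logs across the two address families. The Python below is an added example, not part of the original slides; it reproduces the slide values (192.88.99.1 and 2002:c058:6301::, 192.168.64.2 and 2001:db8:4002::/48, the 2010::/96 NAT-PT prefix). The 6rd ISP prefix 2001:db8::/32 is an assumption inferred from the /48 on the 6rd slide, the NAT-PT mapping is the PREFIX::a.b.c.d form of RFC 2766, and the function names are hypothetical.

```python
import ipaddress

def sixtofour_prefix(v4):
    """6to4 (RFC 3056): 2002::/16 followed by the 32-bit IPv4 address -> /48."""
    v4_int = int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4_int << 80), 48))

def sixrd_prefix(isp_prefix, isp_v4_block, ce_v4):
    """6rd: append the CE's IPv4 bits outside the ISP IPv4 block to the ISP prefix."""
    sp = ipaddress.IPv6Network(isp_prefix)      # assumed ISP 6rd prefix
    block = ipaddress.IPv4Network(isp_v4_block)
    ce = ipaddress.IPv4Address(ce_v4)
    if ce not in block:
        raise ValueError(f"{ce} is outside the ISP IPv4 block {block}")
    host_bits = 32 - block.prefixlen
    plen = sp.prefixlen + host_bits
    if plen > 64:
        raise ValueError("delegated prefix would be longer than /64")
    suffix = int(ce) & ((1 << host_bits) - 1)
    return ipaddress.IPv6Network(
        (int(sp.network_address) | (suffix << (128 - plen)), plen))

def natpt_address(prefix96, v4):
    """NAT-PT: the /96 prefix leaves 32 bits, filled with the IPv4 address."""
    net = ipaddress.IPv6Network(prefix96)
    if net.prefixlen != 96:
        raise ValueError("NAT-PT prefix must be a /96")
    return ipaddress.IPv6Address(
        int(net.network_address) | int(ipaddress.IPv4Address(v4)))

def embedded_ipv4(addr, natpt_prefixes=()):
    """Recover the IPv4 address carried in a 6to4 or NAT-PT address, else None."""
    a = ipaddress.IPv6Address(addr)
    if a.sixtofour is not None:                 # address is inside 2002::/16
        return a.sixtofour
    for p in natpt_prefixes:
        if a in ipaddress.IPv6Network(p):
            return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)
    return None

if __name__ == "__main__":
    print(sixtofour_prefix("192.88.99.1"))
    print(sixrd_prefix("2001:db8::/32", "192.168.0.0/16", "192.168.64.2"))
    print(natpt_address("2010::/96", "172.16.1.1"))
    print(embedded_ipv4("2002:c058:6301::1"))
    print(embedded_ipv4("2010::ac10:101", ["2010::/96"]))
```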
NAT-PT packet flow
[Diagram: NAT-PT device with an IPv4 interface (Ethernet-2) and an IPv6 interface (Ethernet-1); labels shown: DNS v4, DNS query on each side, steps 3 and 4]
Configuring NAT-PT (2)
p Configuring dynamic address mappings
[no] ipv6 nat v6v4 source <list,route-map> <ipv6 list, route-map> pool <v4pool>
[no] ipv6 nat v6v4 pool <v4pool> <ipv4 addr> <ipv4addr> prefix-length <n>
p Configure Translation Entry Limit
n [no] ipv6 nat translation max-entries <n>
p Debug commands
n debug ipv6 nat
n debug ipv6 nat detailed
Cisco IOS NAT-PT configuration example
[Diagram: router with Ethernet-1 and Ethernet-2; labels shown: LAN1: 2001:db8::/64, 2001:db8::1, LAN2: 192.168.1.0/24, .200, NATed prefix 2010::/96]
interface ethernet-1
 ipv6 address 2001:db8::10/64
 ipv6 nat
!
interface ethernet-2
 ip address 192.168.1.1 255.255.255.0
 ipv6 nat prefix 2010::/96
 ipv6 nat
!
ipv6 nat v6v4 source 2001:db8::1 192.168.2.1
ipv6 nat v4v6 source 192.168.1.200 2001:db8::60
!
Cisco IOS NAT-PT w/ DNS ALG Configuration
[Diagram: router with Ethernet-1 and Ethernet-2; labels shown: DNS, .200, .100, LAN1: 2001:db8:1::/64, 2001:db8:1::1, LAN2: 192.168.1.0/24, NATed prefix 2001:db8::/96]
interface ethernet-1
 ipv6 address 2001:db8:1::10/64
 ipv6 nat
!
interface ethernet-2
 ip address 192.168.1.1 255.255.255.0
 ipv6 nat
!
ipv6 nat v4v6 source 192.168.1.100 2010::1
!
ipv6 nat v6v4 source list v6-list map1 pool v4pool1
ipv6 nat v6v4 pool v4pool1 192.168.2.1 192.168.2.10 prefix-length 24
ipv6 nat service dns
ipv6 nat prefix 2001:db8::/96
!
ipv6 access-list v6-list
 permit 2001:db8:1::/64 any
Cisco IOS NAT-PT display (1)
Router1 #show ipv6 nat translations
[Diagram: Router1 with Ethernet-2 and Ethernet-1; labels shown: NATed prefix 2001:db8::/96, LAN1: 2001:db8:1::/64, 2001:db8:1::1]
Cisco IOS NAT-PT display (2)
[Diagram: labels shown: LAN1: 2001:db8:1::/64, 2001:db8:1::1]
NAT-PT Summary
p Points of note:
n ALG per application carrying IP address
n No End to End security
n No DNSSEC
n No IPsec because different address realms
p Conclusion
n Easy IPv6 / IPv4 co-existence mechanism
n Enable applications to cross the protocol
barrier
IPv6 Servers and Services
Unix Webserver
p Apache 2.x supports IPv6 by default
p Simply edit the httpd.conf file
n HTTPD listens on all IPv4 interfaces on port 80
by default
n For IPv6 add:
Listen [2001:db8:10::1]:80
p So that the webserver will listen to requests coming
on the interface configured with 2001:db8:10::1/64
Unix Nameserver
p BIND 9 supports IPv6 by default
p To enable IPv6 nameservice, edit /etc/named.conf:
options {
    // Tells bind to listen on IPv6 ports
    listen-on-v6 { any; };
};
// Forward zone contains v4 and v6 information
zone "workshop.net" {
    type master;
    file "workshop.net.zone";
};
// Sets up reverse zone for IPv6 hosts
zone "8.b.d.0.1.0.0.2.ip6.arpa" {
    type master;
    file "workshop.net.rev-zone";
};
Unix Sendmail
p Sendmail 8 as part of a distribution is usually
built with IPv6 enabled
n But the configuration file needs to be modified
p If compiling from scratch, make sure NETINET6 is
defined
p Then edit /etc/mail/sendmail.mc thus:
n Remove the line which is for IPv4 only and enable the
IPv6 line thus (to support both IPv4 and IPv6):
n DAEMON_OPTIONS(`Port=smtp, Addr=::, Name=MTA-v6, Family=inet6')
n Remake sendmail.cf, then restart sendmail
Unix FTP Server
p Vsftpd is covered here
n Standard part of many Linux distributions now
p IPv6 is supported, but not enabled by default
n Need to run two vsftpd servers, one for IPv4, the other
for IPv6
p IPv4 configuration file: /etc/vsftpd/vsftpd.conf
listen=YES
listen_address=<ipv4 addr>
p IPv6 configuration file: /etc/vsftpd/vsftpdv6.conf
listen=NO
listen_ipv6=YES
listen_address6=<ipv6 addr>
Unix Applications
p OpenSSH
n Uses IPv6 transport before IPv4 transport if
IPv6 address available
p Firefox/Thunderbird
n Supports IPv6, but still hampered by broken
IPv6 nameservers and IPv6 connectivity
n In about:config the value
network.dns.disableIPv6 is set to true by
default
p Change to false to enable IPv6
MacOS X
p IPv6 installed
p IPv6 enabled by default
n Will use autoconfiguration by default
n Enter System Preferences and then Network to
enter static IPv6 addresses (depends on
MacOS X version)
p Applications will use IPv6 transport if IPv6
address offered in name lookups
FreeBSD – client
p IPv6 installed, but disabled by default
p To enable using autoconfiguration:
n Simply edit /etc/rc.conf to include these lines
ipv6_enable="YES"
ipv6_network_interfaces="em0"
n Where
p em0 should be replaced with the name of the Ethernet
interface on the device
p And then reboot the system
FreeBSD – server
p IPv6 installed, but disabled by default
p To enable using static configuration:
n Edit /etc/rc.conf to include these lines
ipv6_enable="YES"
ipv6_network_interfaces="em0"
ipv6_ifconfig_em0="2001:db8::1 prefixlen 64"
ipv6_defaultrouter="fe80::30%em0"
n Where
p em0 should be replaced with the name of the Ethernet
interface on the device
p 2001:db8::1 should be replaced with the IPv6 address
p fe80::30 should be replaced with the default gateway
p And then reboot the system
RedHat/Fedora/CentOS Linux – client
p IPv6 installed, but disabled by default
p To enable:
n Edit /etc/sysconfig/network to include the line
NETWORKING_IPV6=yes
n Edit /etc/sysconfig/network-scripts/ifcfg-eth0
to include:
IPV6INIT=yes
n And then /sbin/service network restart or
reboot
p Other Linux distributions will use similar
techniques
RedHat/Fedora/CentOS Linux – server
p To enable:
n Edit /etc/sysconfig/network to include:
NETWORKING_IPV6=yes
IPV6_DEFAULTGW=FE80::30
IPV6_DEFAULTDEV=eth0
n Edit /etc/sysconfig/network-scripts/ifcfg-eth0 to include:
IPV6ADDR=2001:db8::1/64
IPV6INIT=yes
IPV6_AUTOCONF=no
n Where
p eth0 should be replaced with the name of the Ethernet
interface on the device
p 2001:db8::1 should be replaced with the IPv6 address
p fe80::30 should be replaced with the default gateway
n And then /sbin/service network restart or reboot
Windows XP & Vista
p XP
n IPv6 installed, but disabled by default
n To enable, start command prompt and run
“ipv6 install”
p Vista
n IPv6 installed, enabled by default
p Most apps (including IE) will use IPv6
transport if IPv6 address offered in name
lookups
Other IOS Features
Redundancy, Radius, DHCP,…
First-Hop Redundancy
p When HSRP, GLBP and VRRP for IPv6 are not available
p NUD can be used for rudimentary HA at the first-hop (today
this only applies to the Campus/DC…HSRP is available on
routers)
(config-if)#ipv6 nd reachable-time 5000
p Hosts use NUD “reachable time” to cycle to next known
default gateway (30 seconds by default)
Default Gateway . . . . . . . . . : 10.121.10.1
                                    fe80::211:bcff:fec0:d000%4
                                    fe80::211:bcff:fec0:c800%4
Reachable Time : 6s
Base Reachable Time : 5s
[Diagram: two routers, each labelled "RA sent, reach-time = 5000msec"]
HSRP for IPv6
p Many similarities with HSRP for IPv4
p Changes occur in Neighbor Advertisement, Router Advertisement,
and ICMPv6 redirects
p No need to configure GW on hosts (RAs
are sent from HSRP Active router)
p Virtual MAC derived from HSRP group
number and virtual IPv6 Link-local address
p IPv6 Virtual MAC range:
n 0005.73A0.0000 - 0005.73A0.0FFF
(4096 addresses)
p HSRP IPv6 UDP Port Number 2029 (IANA Assigned)
p No HSRP IPv6 secondary address
p No HSRP IPv6 specific debug
[Diagram: two routers labelled HSRP Active and HSRP Standby]
interface FastEthernet0/1
 ipv6 address 2001:DB8:66:67::2/64
 ipv6 cef
 standby version 2
 standby 1 ipv6 autoconfig
 standby 1 timers msec 250 msec 800
 standby 1 preempt
 standby 1 preempt delay minimum 180
 standby 1 authentication md5 key-string cisco
 standby 1 track FastEthernet0/0
Host with GW of Virtual IP
#route -A inet6 | grep ::/0 | grep eth2
::/0 fe80::207:85ff:fef3:2f60 UGDA 1024 3 0 eth2
::/0 fe80::205:9bff:febf:5ce0 UGDA 1024 0 0 eth2
::/0 fe80::5:73ff:fea0:1 UGDA 1024 0 0 eth2
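How the virtual MAC range and the host's default routes above fit together, as an added Python example that is not part of the original slides: it derives the HSRP IPv6 virtual MAC and link-local address for a group and labels each default-route next hop as an HSRP virtual address or an ordinary router. It assumes, based on the fe80::5:73ff:fea0:1 entry in the host output for `standby 1`, that the virtual link-local address is the virtual MAC with ff:fe inserted and no universal/local bit flip; the function names are hypothetical.

```python
import ipaddress

HSRP_V6_MAC_BASE = 0x000573A00000   # 0005.73A0.0000, start of the slide's range
HSRP_V6_GROUPS = 4096               # 0005.73A0.0000 - 0005.73A0.0FFF

def hsrp_v6_virtual_mac(group):
    """Virtual MAC for an HSRP IPv6 group, in Cisco dotted notation."""
    if not 0 <= group < HSRP_V6_GROUPS:
        raise ValueError("HSRP IPv6 group must be in 0..4095")
    raw = f"{HSRP_V6_MAC_BASE + group:012x}"
    return ".".join(raw[i:i + 4] for i in (0, 4, 8))

def hsrp_v6_virtual_link_local(group):
    """fe80::/64 plus the virtual MAC with ff:fe inserted (assumed: no U/L flip)."""
    mac = int(hsrp_v6_virtual_mac(group).replace(".", ""), 16)
    iid = ((mac >> 24) << 40) | (0xFFFE << 24) | (mac & 0xFFFFFF)
    return ipaddress.IPv6Address((0xFE80 << 112) | iid)

def hsrp_group_of(next_hop):
    """HSRP group if next_hop is an HSRP IPv6 virtual link-local address, else None."""
    addr = int(ipaddress.IPv6Address(next_hop.split("%")[0]))  # drop any zone id
    iid = addr & ((1 << 64) - 1)
    if addr >> 64 != 0xFE80 << 48 or (iid >> 24) & 0xFFFF != 0xFFFE:
        return None
    group = (((iid >> 40) << 24) | (iid & 0xFFFFFF)) - HSRP_V6_MAC_BASE
    return group if 0 <= group < HSRP_V6_GROUPS else None

# Default routes copied from the host output on the slide.
HOST_ROUTES = """\
::/0 fe80::207:85ff:fef3:2f60 UGDA 1024 3 0 eth2
::/0 fe80::205:9bff:febf:5ce0 UGDA 1024 0 0 eth2
::/0 fe80::5:73ff:fea0:1 UGDA 1024 0 0 eth2
"""

def classify_default_routes(route_text):
    """Map each ::/0 next hop to its HSRP group, or None for a non-HSRP router."""
    result = {}
    for line in route_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "::/0":
            result[fields[1]] = hsrp_group_of(fields[1])
    return result

if __name__ == "__main__":
    print(hsrp_v6_virtual_mac(1), hsrp_v6_virtual_link_local(1))
    for hop, group in classify_default_routes(HOST_ROUTES).items():
        print(hop, "HSRP group %d" % group if group is not None else "not HSRP")
```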
GLBP for IPv6
p Many similarities with
GLBP for IPv4 (CLI, Load-balancing)
p Modification to Neighbor
Advertisement, Router
Advertisement
p GW is announced via RAs
p Virtual MAC derived
from GLBP group
number and virtual IPv6
Link-local address
[Diagram: two GLBP routers labelled "AVG, AVF" and "AVF, SVF"]
interface FastEthernet0/0
 ipv6 address 2001:DB8:1::1/64
 ipv6 cef
 glbp 1 ipv6 autoconfig
 glbp 1 timers msec 250 msec 750
 glbp 1 preempt delay minimum 180
 glbp 1 authentication md5 key-string cisco
AVG=Active Virtual Gateway
AVF=Active Virtual Forwarder
SVF=Standby Virtual Forwarder
IPv6 General Prefix
p Provides an easy/fast way to deploy prefix changes
p Example: 2001:db8:cafe::/48 = General Prefix
p Fill in interface specific fields after prefix
n “office ::11:0:0:0:1” = 2001:db8:cafe:11::1/64
ipv6 unicast-routing
ipv6 cef
ipv6 general-prefix office 2001:DB8:CAFE::/48
!
interface GigabitEthernet3/2
 ipv6 address office ::2/127
 ipv6 cef
!
interface GigabitEthernet1/2
 ipv6 address office ::E/127
 ipv6 cef
!
interface Vlan11
 ipv6 address office ::11:0:0:0:1/64
 ipv6 cef
!
interface Vlan12
 ipv6 address office ::12:0:0:0:1/64
 ipv6 cef
6k-agg-1#sh ipv6 int vlan 11 | i Global|2001
 Global unicast address(es):
 2001:DB8:CAFE:11::1, subnet is 2001:DB8:CAFE:11::/64
AAA/RADIUS
p RADIUS attributes and IPv6 (RFC3162)
p RADIUS Server support requires an upgrade (supporting
RFC3162)
n Few RADIUS solutions support RFC3162 functionality today
p IPv6 AAA/RADIUS Configuration www.cisco.com/warp/public/cc/pd/iosw/prodlit/ipv6a_wp.htm
DHCPv6 Overview (2)
p Allows both stateful and stateless
configuration
p RFC 3315 (DHCPv6) has additional
options:
n DNS configuration—RFC 3646
n Prefix delegation—RFC 3633
n NTP servers
n Stateless DHCP for IPv6—RFC 3736
DHCPv6 PD: RFC 3633
p Media independence
n e.g., ADSL, FTTH
n Only knows identity of
requesting router
p Leases for prefixes
p Flexible deployments
n Client/Relay/Server model
p Requesting router includes
request for prefixes in
DHCP configuration
request
p Delegating router assigns
prefixes in response along
with other DHCP
configuration information
[Diagram: DHCPv6 Server(s), DHCPv6 Relay and DHCPv6 Client over FTTH and ADSL; labels shown: /48, /64]
Prefix/Options Assignment
[Diagram: labels shown: Host, CPE, PE, ISP]