Internet Protocol Version Six

Rafał Maszkowski <rzm@icm.edu.pl>

Budapest, August 2000

why new version

• 2 possible addresses
• header simplification: less limitations, more flexible processing
• packets up to 2+ 40 bytes
• more flexible IP options processing
• more possibilities of streams labeling
• authentication and encryption (also for IPv4)

how and when

• preparing hosts and routers implementations
• need to define additional protocols (key exchange, registration, readdressing) and implement them
• carefully - an assumption of very long coexistence of both versions
• nobody knows when (year 2010?), careful address assignment policy gives more time

IPv4 header (RFC 791)

• header fields

IPv6 definition: RFC 2460

• IP header fields

IPv6 addresses

• types
  • unicast, anycast, multicast
  • global, site-local, link-local
• notation (RFC 1884):

00111111 11111110 00001001 00000010 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000001

= 3F FE 09 02 00 00 00 00 00 00 00 00 00 00 00 01

= 3ffe:902:0:0:0:0:0:0:0:0:0:0:0:0:0:1 = 3ffe:902::1

= tEV9S=Hl@N%k0Cjq-Jsb< (RFC 1924)

headers order

headers: IPv6, Hop-by-Hop Options, Destination Options, Routing, Fragment, Authentication, Encapsulating Security Payload, Destination Options, upper-layer

example:

what stay as it is or changes a little

• TCP, UDP - completely (except pseudoheader and jumbograms)
• BGP i RIPng - similar like for IPv4 only with IPv6 addresses
• Application Programming Interface - big changes

what is changed

• IP
• ICMP - mostly like ICMPv4
• IGMP - now called Multicast Listener Discovery (RFC 2710), logically part of ICMPv6
• ND -some of ARP, some of ICMP Router Discovery and ICM Redirect + more
• automatic readdressing protocol in preparation
• FTP etc. - sending addresses in data problem

Neighbor Discovery

• for negotiating link-layer addresses, configuring them automatically and finding routers
• ICMPv6 packets:
  • Router Solicitation - asking for Router Advertisements
  • Router Advertisement - includes prefixes, suggested hop limit, expiration time, repetition time (necessary for router reachability discovery algorithm)
  • Neighbor Solicitation - being sent to get to know what address the neighbor has, checking if it is reachable and for Duplicate Address Detection
  • Neighbor Advertisement - reply for NS or ll address announcement
  • Redirect - local network routing information

encryption and authentication, IPSec: Authentication Header (RFC 2402)

SPI: Security Parameter Index

SNF: additional securing against false packets

obligatory algorithms: MD5, SHA-1

encryption and authentication, IPSec: Encapsulating Security Payload (RFC 2406)

possible use for both encryption and (optional) authentication

obligatory algorithms: DES CBC, MD5, SHA-1, NULL (encryption), NULL (authentication)

encryption and authentication

• FreeS/WAN: for now only IPv4, uses IKE keys exchange protocol, tunnel/transport mode
• KAME - also for IPv6 (OpenBSD, FreeBSD)
• Cisco, Bay Networks, Contivity
• Raptor 5, F-Secure VPN+ for MS-Windows
• ...

...compression (RFC 2393)

• ipptc (IPComp) - compression (before encryption), separate for every packet (stateless)
• Compression Parameters INdex, negociation via ISAKMP
• algorithms: DEFLATE (pkzip/info-zip, RFC 2394), LZS (RFC 2395)

hosts and routers implementations

• list in http://playground.sun.com/pub/ipng/html/ipng-implementations.html
• my experience: Linux, Solaris
• Linux configuration: http://www.bieringer.de/linux/IPv6/IPv6-HOWTO/IPv6-HOWTO.html

IPv4-IPv6 communication

• tunneling IPv6 in IPv4 i IPv6
• NAT, NAT-PT (with state memory), not translating IPSec and DNSSEC,
  • http://www.cs.washington.edu/research/networking/napt/reports/usenix98/
• SIIT (Stateless IP/ICMP Translator)
  • IPv6-nodes must have an IPv4-translated [to IPv6] address assigned
  • not translating options and hop-by-hop header
  • translating IPSec ESP, could translate AH
• socks-trans: http://www.socks.nec.com/socks-trans/translator.html

IPv6 in practice, 6BONE

• World: http://www.6bone.net/
• In Poland: http://www.6bone.pl/
• At ICM: ftp://ftp.6bone.pl/pub/ipv6/

6BONE maps: the world, Poland

dynamic routing, BGP4 (RFC 1771)

• developed since 1989 (RFC 1105)
• connections: TCP, port 179
• Autonomous System, ASN, assigning subnets to ASN
• AS-path, attributes (ORIGIN, AS_PATH, NEXT_HOP, MED, ...)
• redistribution, policy: attributes, filtering of ASNs and nets

dynamic routing, BGP4+ (RFC 2283)

• not big changes in respect to IPv4 BGP
• specialized routers: Cisco, ...
• UNIX routers: mrt, gated, zebra

BGP4+, example mrtd dialog

Oct 8 20:52:23 [7] BGP4+ 3ffe:902:1::2 recv attribute:
ORIGIN: IGP
ASPATH: 65432 1887 2839
NEXT_HOP: 158.75.63.81
BGP4+ 3ffe:902:1::2 announce family 2 subfamily 1 nhalen 32
NEXT_HOP: 3ffe:902:1::2
NEXT_HOP: fe80::9e4b:3f51
BGP4+ 3ffe:902:1::2 recv announce:
3ffe:200::/24
BGP Add Route Head: 3ffe:200::/24
BGP New Route: 3ffe:200::/24 nh 3ffe:902:1::2 proto bgp
RIB6 update: 3ffe:200::/24 nh 3ffe:902:1::2 proto kernel pref 250 -> 20
RIB6 active: 3ffe:200::/24 nh 3ffe:902:1::2 proto bgp pref 20

BGP4+ example configuration - mrtd.conf

! to SICS
! the one we got from SICS
access-list 5 permit 3ffe:280::/40
! the one we got from CICNET
!access-list 5 deny  3ffe:902::/32
! bogus static temporary fix
access-list 5 deny   3ffe:200::/32
! SICS's net
access-list 5 deny   3ffe:200::/24 refine
! default
access-list 5 deny   3f00::/8
! pass
access-list 5 permit all
!
router bgp 8664
  network 3ffe:902:0::/48      !  CICNET
  network 3ffe:280::/40        ! SICS
  !network 3ffe:200:1:a::/64   ! SICS
  network 3ffe:140f:1::/48    ! UNI-C
  redistribute static
  aggregate-address 3ffe:902::/32 summary-only
  aggregate-address 3ffe:280::/40 summary-only
  aggregate-address 3ffe:140f:1::/48 summary-only
        ! SICS
  neighbor 3ffe:200:1:a::1 remote-as 2839
  neighbor 3ffe:200:1:a::1 bgp4+ 1
  neighbor 3ffe:200:1:a::1 distribute-list 5 out
!

6BONE routing policy

• BGP distribution restrictions and multihomed site problem