IPv6 Topic Notes

IPv6 Addressing

  • Much larger address space than IPv4
    • IPv4 = 32 bit (4 bytes) = 2^32 = 4 billion
    • IPv6 = 128 bits (16 bytes) = 2^128 = 340 undecillion

Addressing Layout

  | Global Routing Prefix | Subnet ID | Interface ID |
  | Provider              | Site      | Interface    |
  | 48 bits               | 16 bits   | 64 bits      |
  | 128 bits in total                                |

  • 128 bit hex addressing
  • Uses CIDR notation for prefix length
  • Typically uses 64 bit network portion, 64 bit host

 

  • Global Routing Prefix
    • Allows routing to the site on the Internet
  • Subnet ID
    • Allows admins to create subnets within a site
  • Interface ID
    • Uniquely defines a host

 

  • Globally enable unicast routing
    • Disabled by default
    • Command:
      • (config)#ipv6 unicast-routing
  • To enable on the interface
    • Command:
      • (config-if)#ipv6 enable
    • Enable only if using link-local addressing
    • Don’t need to run if configuring a global IPv6 address on the interface
    • If configuring a global address, IPv6 will automatically assign a link-local address
      • Link-local address required for IPv6 to work

 

  • IPv6 cannot use secondary addressing
    • All IPv6 addresses are considered primary addresses

 

Interface Addressing: IPv6 General Prefix

  • Used as a shortcut
  • If the company is assigned a /48, all prefixes should be derived from the /48 space
  • Defined globally
    • Command:
      • (config)#ipv6 general-prefix <name of prefix> <prefix>
  • Applied to link:
    • Command
      • (config-if)#ipv6 address <name of prefix> ::1/64

 

Interface Addressing: EUI-64 Addressing

  • Extended Unique Identifier
  • Automatically assigns IPv6 interface address based on interface MAC address
    • Assigns the last 64 bits of IPv6 interface address
    • Adds FF:EE in middle of address
    • Invert U/L bit (universal locator) from whatever it currently is
      • 7th most significant bit

 

  • EUI-64 addressing Example:
    • Interface MAC address = aaaa.bbbb.cccc
    • Add FF:EE in the middle of the address = aaaa:bbff:eebb:cccc
    • Address displayed in binary = 1001 1001 1001 1001 : 1010 1010 1111 1111 : 1110 1110 1010 1010 : 1011 1011 1011 1011
    • Invert the 7th most significant bit (U/L bit) = 1001 1011 1001 1001 :
    • Last 64 bits of new address = acaa:bbff:eebb:cccc

 

  • If you enable EUI-64 on a serial link (as there is no MAC address), it takes the MAC off a different interface
    • On Frame Relay networks, link-local and global unicast addresses must be mapped to DLCIs
    • Can be done statically or dynamically using inverse IPv6 neighbour discovery protocol (similar to inverse ARP)

 

Interface Addressing: Assignment Methods

 

Assignment Methods - Static

  • Same as IPv4 address assignment method
  • Command:
    • (config-if)#ipv6 address <IPv6 address/prefix>

 

Assignment Methods - Stateless Address Autoconfiguration (SLAAC)

  • See Router NDP: Address Autoconfiguration section
  • Command:
    • (config-if)#ipv6 address autoconfig

 

Assignment Methods - Stateful DHCPv6

  • See Router NDP: Address Autoconfiguration section
  • Combined with SLAAC to obtain address and DHCPv6 options from a DHCPv6 server
  • Command:
    • (config-if)#ipv6 address autoconfig
    • (config-if)#ipv6 nd managed-config-flag

 

Assignment Methods - Stateless DHCPv6

  • See Router NDP: Address Autoconfiguration section
  • Combined with SLAAC to obtain the address; the DHCPv6 server is used to obtain DHCPv6 options only
  • Command:
    • (config-if)#ipv6 address autoconfig
    • (config-if)#ipv6 nd other-config-flag

 

Interface Addressing: Types

 

Unicast Address Types: Global Unicast

  • Public addresses
  • Unique IPv6 address on the Internet
  • Prefix:
    • 2000::/3
    • Binary value 011

 

Unicast Address Types: Link-Local Unicast

  • Address on a single link
  • Not routable outside of local interface segment
  • Automatically generated by default when Global address configured
  • Prefix:
    • FE80::/10
    • Binary value 1111 1110 10
    • The other 54 bits all '0'
  • Prefix + Interface ID = link local address
  • Used for
    • Neighbor Solicitation (NS)
    • Router Solicitation (RS)
    • SLAAC - Stateless Address Auto Configuration

 

Unicast Address Types: Unique Local Address

  • ULA - DEPRECATED
  • RFC4193
  • Equivalent to RFC1918 IPv4 private addressing
  • Can be assigned along with a Global Unicast and Link local address at the same time
  • Don't need to specify outgoing interface
  • Address made up of the following:
    •  FC00::/7
      • 7 Bits
        • Binary value 1111 110
    • Unique ID
      • 41 bits
    • Link ID
      • 16 Bits
    • Interface ID
      • 64 Bits

 

Unicast Address Types: Site-local Unicast

  • Local address for a site
  • Deprecated address type - RFC 3879
    • Replaced by ULA (Unique Local Addresses)
  • Prefix:
    • FEC0::/10
    • Binary value 1111 1110 11

 

Multicast Reserved Addresses

  • FF00::/8
    • 8 bits
    • Binary value 1111 1111

 

  • FF02::1
    • All Nodes
    • Link Local
  • FF02::2
    • All Routers
    • Link Local
  • FF02::9
    • All RIP Routers
    • Link Local
  • FF02::16
    • All MLDv2 Routers
    • Multicast Listener Discovery
  • FF05::101
    • All NTP Servers
    • Site Local
  • FF02::1:FFXX:XXXX/104
    • Solicited Node Multicast address
      • Low-order 24 bits replaced by low-order 24 bits of interface address
    • Link Local
    • All hosts on local segment required to join group
      • Example:
        • Link-local address of FE80::AA:1111
        • Solicited node multicast address becomes FF02:0:0:0:0:1:FFAA:1111
          • FF02::1:FFAA:1111

 

IPv6 Neighbor Table

  • Holds state information on IPv6 neighbors
    • IPv6 to MAC address information
  • Times out after 60 seconds (default)
  • Static entries have no age value
  • Static entries will always be in REACH state
  • Command:
    • #show ipv6 neighbors
    • #show ipv6 routers

Neighbor States

  • STALE
    • Entry has exceeded the time allowed without being used. No NS messages are sent.
  • REACH
    • Entry has not exceeded the time allowed without being used. 30 seconds by default.
  • INCOMPLETE
    • NS sent. Resolution in progress.
  • DELAY
    • Address no longer reachable, before STALE state. Waiting for upper-layer protocols to provide reachability information.
  • PROBE
    • State after DELAY if upper-layer protocols don't respond. Sends NS messages and waits for a response.
    • If there is no response after a certain number of NS messages, the entry is removed from the Neighbor table.

 

ICMPv6 Neighbor Discovery Protocol (NDP)

  • A suite of IPv6 tools used for link-local Host-to-Host and Host-Router discovery
    • Host-to-Host Communications
      • Address Resolution
      • Next-Hop Determination
      • Neighbor Unreachability Detection
      • Duplicate Address Detection (DAD)
    • Host-Router Discovery
      • Router Discovery
      • Prefix Discovery
      • Parameter Discovery
      • Address Autoconfiguration (SLAAC)
    • Redirect Function

 

  • 5 different ICMPv6 packet types are defined:
    • Router Solicitation (Type 133)
    • Router Advertisement (Type 134)
    • Neighbor Solicitation (Type 135)
    • Neighbor Advertisement (Type 136)
    • Redirect (Type 137)

 

Host-to-Host NDP: Address Resolution

  • IPv6 doesn't use ARP
    • Uses ICMPv6 NS and NA to provide a Layer 3 to Layer 2 mapping
  • Sent by nodes attempting to discover other nodes on the link-local segment
  • Uses the following ICMPv6 Message types:
    • Neighbor Solicitation (NS)
      • IPv4 ARP Request equivalent
    • Neighbor Advertisement (NA)
      • IPv4 ARP Reply equivalent

 

Figure 1 - Address Resolution process

 

  • Address Resolution Process:
    • 1. Host A sends an ICMPv6 Neighbor Solicitation packet to the Solicited Multicast* address of Host B, querying what Host B's link-local address is
    • 2. Host B receives NS and installs information in IPv6 binding table
    • 3. Host B sends an ICMPv6 Neighbor Advertisement reply to Host A containing the link local address of Host B
    • 4. Host A receives NA and installs information in IPv6 binding table.
    • Both devices are now able to talk via their link-local addresses

 

Host-to-Host NDP: Next-Hop Determination

  •  RA messages sent to advertise the router as a default gateway
    • RA lifetime needs to be higher than 0
    • Command:
      • (config-if)#ipv6 nd ra lifetime <0 - 9000 seconds>

 

Host-to-Host NDP: Neighbor Unreachable Detection

  •  Performs active neighbor resolution to confirm reachability
    • Sends Solicited Advertisements (NS -> NA process)
    • Sent periodically when timers are reached
  • Neighbors are deemed reachable once they have replied to an NS
  • Neighbor state is stored in the IPv6 Neighbor table (See IPv6 Neighbor Table)

 

Host-to-Host NDP: Duplicate Address Detection (DAD)

  • Used to detect if address is already in use on link

 

Figure 2 - Duplicate Address Detection process

 

  • Duplicate Address Detection (DAD) Process:
    • 1. IPv6 address configured on interface
    • 2. Host joins the All nodes multicast group and the Solicited Node Multicast address group for the proposed address (FF02::1:FF00:1111)
    • 3. Host sends a Neighbor Solicitation to the Solicited Node Multicast address from the IPv6 Unspecified address. Payload of the NS contains the proposed address for the interface
    • 4. If the host receives a Neighbor Advertisement (NA), it means the address isn't unique. If it doesn't receive an NA the address is unique on segment.

 

  • Once the address is confirmed as unique (no one else is listening on it)
    • Sends a message to the Multicast Listener Discovery v2 address (FF02::16)
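
The solicited-node mapping and the NS patterns described above (address resolution, unreachability detection and DAD), as an added Python example that is not part of the original notes: it derives the solicited-node group for a target and labels an observed Neighbor Solicitation by its addressing. The function names and the sample addresses are constructed for illustration.

```python
import ipaddress

# FF02::1:FF00:0/104 is the solicited-node prefix (FF02::1:FFXX:XXXX).
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """Copy the low-order 24 bits of addr into FF02::1:FF00:0."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def classify_ns(src: str, dst: str, target: str) -> str:
    """Classify a Neighbor Solicitation (type 135) from its addressing.

    src and dst are the IPv6 header addresses; target is the address
    carried in the NS payload.
    """
    src_ip = ipaddress.IPv6Address(src)
    dst_ip = ipaddress.IPv6Address(dst)
    if ipaddress.IPv6Address(target).is_multicast:
        return "invalid: multicast target"
    if dst_ip.is_multicast:
        if dst_ip != solicited_node(target):
            return "invalid: destination is not the target's solicited-node group"
        # DAD probes are sourced from the unspecified address (::).
        return "dad" if src_ip.is_unspecified else "address-resolution"
    if src_ip.is_unspecified:
        return "invalid: DAD probe sent to a unicast destination"
    # A unicast NS re-checks a neighbor that is already in the table
    # (RFC 4861 unreachability detection; a detail not spelled out in the notes).
    return "unreachability-detection"


# Constructed observations: (source, destination, target in payload).
SAMPLES = [
    ("::", "ff02::1:ff00:1111", "2001:db8::1111"),
    ("fe80::1", "ff02::1:ffaa:1111", "fe80::aa:1111"),
    ("fe80::1", "fe80::aa:1111", "fe80::aa:1111"),
    ("fe80::1", "ff02::1", "fe80::aa:1111"),
]

if __name__ == "__main__":
    for src, dst, target in SAMPLES:
        print(f"{src:>8} -> {dst:<18} target={target:<15} {classify_ns(src, dst, target)}")
```

Several addresses can share one solicited-node group because only the low 24 bits are used, which is why the check compares the group against the target carried in the payload.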

 

Host-Router NDP: Router Discovery

  • Sent by nodes to discover routers on the segment
  • Uses the following ICMPv6 Message types:
    • ICMPv6 Router Advertisement (RA)
      • Sent every 200 seconds by default
      • Used to advertise IPv6 first-hop on local segment
      • Sent by first-hop devices periodically with IPv6 routing enabled
        • Can be disabled manually
          • Periodic RAs, not Solicited RAs
            • Command:
              • (config-if)#ipv6 nd ra suppress
          • All RAs including solicited
            • Command:
              • (config-if)#ipv6 nd ra suppress all
      • Sent in response to RS messages
      • Has a priority value to help determine if this device should be used as the default gateway
        • Setting is pre-emptive meaning if higher value received, that immediately takes preference
        • If values are the same, default gateway is first router to respond
        • Can be set manually
        • Default set to medium
          • Command:
            • (config-if)#ipv6 nd router-preference <high | medium | low>
    • ICMPv6 Router Solicitation (RS)
      • Sent by hosts on system startup so device can autoconfigure without waiting for the next RA to be advertised
        • Usually sent by host from IPv6 Unspecified address (0:0:0:0:0:0:0:0)
        • If IPv6 address configured on interface, source becomes this address
      • Used to request Router Advertisements for configuring interfaces

 

Figure 3 - Router Discovery process

 

 

  • Router Discovery process:
    • 1. All routers send Router Advertisements periodically out all IPv6 enabled interfaces to the All Nodes Multicast address (FF02::1) containing the information described in RA_DATA information box.
    • 2. A Host sends a Router Solicitation to the All Routers Multicast address (FF02::2) on startup, to avoid having to wait for the next RA.
    • 3. All routers on the local segment respond with a Router Advertisement (RA) sent to the source address of the RS, containing the information described in RA_DATA information box.
    • 4. Host A receives the RA messages and processes the information for address autoconfiguration

 

Host-Router NDP: Prefix Discovery

  • Prefix information is carried in the Router Advertisements
    • Contains information about different prefixes available on the link
  • Used for SLAAC and EUI-64
  • By default RA messages will carry information on all prefixes available on the link
    • Can be configured manually to only carry a small set of prefixes
    • Command:
      • (config-if)#ipv6 nd prefix <prefix> [<lifetime secs>]

 

Host-Router NDP: Parameter Discovery

  • MTU size carried in Router Advertisements
    • Typically set to 1500 for Ethernet
  • Hop count for hosts to use also carried in RAs

 

Host-Router NDP: Address Autoconfiguration

  • Stateless Autoconfiguration (SLAAC)
  • Router sends the network prefix of its local interface in the RA so the host can assign itself an IPv6 address
    • Only works with /64 addresses
  • Command:
    • (config-if)#ipv6 address autoconfig

 

  • Uses ICMPv6 with multicast addresses
    • Takes ICMPv6 Router Advertisement and includes the network prefix for that router
    • Uses DAD process to confirm address is unique on segment

 

  • SLAAC doesn't include any DHCPv6 options
    • Best method is to use SLAAC with a DHCPv6 server
    • Uses 2 flags for different SLAAC address configuration:
      • other-config-flag
        • Indicates to host where it can obtain DHCP options other than address
        • Command:
          • (config-if)#ipv6 nd other-config-flag
      • managed-config-flag
        • Tells the host that router sending RA will manage
          • Don't use SLAAC, and ask this router for address information
        • Command:
          • (config-if)#ipv6 nd managed-config-flag
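
What a host or a monitoring sensor reads out of a Router Advertisement, covering the Router Discovery, Prefix Discovery, Parameter Discovery and Address Autoconfiguration notes above. This is an added Python example, not part of the original notes; the field layout follows RFC 4861 and RFC 4191, and the function names and the sample RA bytes are constructed for illustration.

```python
import ipaddress
import struct

# Router preference encoding in the RA flags byte (RFC 4191).
PREFERENCE = {0b01: "high", 0b00: "medium", 0b11: "low", 0b10: "reserved"}


def parse_ra(msg: bytes) -> dict:
    """Parse a Router Advertisement, starting at the ICMPv6 header."""
    if len(msg) < 16:
        raise ValueError("RA shorter than its 16-byte fixed part")
    icmp_type, code, _cksum, hop_limit, flags, lifetime, _reach, _retrans = (
        struct.unpack("!BBHBBHII", msg[:16]))
    if icmp_type != 134 or code != 0:
        raise ValueError("not a Router Advertisement (type 134)")
    ra = {
        "hop_limit": hop_limit,            # hop count for hosts to use
        "managed": bool(flags & 0x80),     # ipv6 nd managed-config-flag
        "other": bool(flags & 0x40),       # ipv6 nd other-config-flag
        "preference": PREFERENCE[(flags >> 3) & 0b11],
        "lifetime": lifetime,              # ipv6 nd ra lifetime
        "default_router": lifetime > 0,    # 0 = not a default gateway
        "mtu": None,
        "prefixes": [],
    }
    pos = 16
    while pos < len(msg):                  # options: type, length in 8-byte units
        if pos + 2 > len(msg) or msg[pos + 1] == 0:
            raise ValueError("malformed option header")
        opt_type, opt_len = msg[pos], msg[pos + 1] * 8
        opt = msg[pos:pos + opt_len]
        if len(opt) < opt_len:
            raise ValueError("option runs past end of message")
        if opt_type == 5 and opt_len == 8:      # MTU option
            ra["mtu"] = struct.unpack("!I", opt[4:8])[0]
        elif opt_type == 3 and opt_len == 32:   # Prefix Information option
            plen, pflags, valid, preferred = struct.unpack("!BBII", opt[2:12])
            net = ipaddress.IPv6Network((opt[16:32], plen), strict=False)
            ra["prefixes"].append({"prefix": str(net), "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": preferred})
        pos += opt_len
    return ra


def assignment_method(ra: dict) -> str:
    """Map the RA flags to the assignment methods named in these notes."""
    if ra["managed"]:
        return "stateful DHCPv6"
    if ra["other"]:
        return "stateless DHCPv6"
    slaac = any(p["autonomous"] and p["prefix"].endswith("/64") for p in ra["prefixes"])
    return "SLAAC" if slaac else "none"


# Constructed RA: O flag, preference high, lifetime 1800 s, MTU 1500, one /64 prefix.
# The checksum field is left at 0 because this parser does not verify it.
SAMPLE_RA = (
    struct.pack("!BBHBBHII", 134, 0, 0, 64, 0x40 | (0b01 << 3), 1800, 0, 0)
    + struct.pack("!BBHI", 5, 1, 0, 1500)
    + struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 2592000, 604800, 0)
    + ipaddress.IPv6Address("2001:db8:0:1::").packed
)

if __name__ == "__main__":
    print(parse_ra(SAMPLE_RA), assignment_method(parse_ra(SAMPLE_RA)))
```

Comparing the parsed preference, flags and prefixes against what the segment's routers are configured to send is a simple way to spot an unexpected RA source.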

 

NDP: Redirection

  •  Redirect messages (Type 137) sent by routers to inform hosts they should use a different router to get to their destination
  • Similar to IPv4 redirect messages

 

Figure 4 - Redirect process

 

 

  • Redirect Process:
    • 1.  Host A sends a packet to a destination IPv6 address via its default gateway router R1
    • 2. Router R1 sends an ICMPv6 Redirect (Type 137) message telling Host A to use R2 as the next-hop to reach that destination
    • 3. Host A sends all further communication to that destination to R2 (until cache timers expire)

 

IPv6 Routing Overview

 

  •  Supported by all protocols
  • Global routing can recurse to a link-local address on the same segment
  • Also need to specify outgoing interface to determine which interface Link Local address belongs to

 

  • Static Routing
    • Routing to next hop
      • Resolve L2 address of next-hop
    • Routing to multipoint interface
      • Resolve L2 address of final destination
      • Proxy ND and Proxy IND design issues
      • Not recommended
    • Routing to a point to point
      • No L2 resolution required

 

IPv6 over DMVPN

  • Same configuration and design as IPv4 here

 

  • Can have the following 2 scenarios
    • IPv6 over IPv4
      • IPv4 is the underlay/DMVPN tunnel
      • Use IPv6 NHRP to resolve routing information
    • IPv6 over IPv6
      • IPv6 is the underlay/DMVPN
      • If using IPSec for encryption, need to use IKEv2 (FlexVPN)

 

  • It is recommended to configure the link-local address statically
    • Tunnel interface doesn’t have a MAC address associated, so will take MAC from another interface
    • If that interface fails, may need to reacquire another MAC
      • Will cause a routing protocol reconvergence event
    • Command:
      • (config-if)#ipv6 address FE80::XXXX link-local

 

  • Configuration
    • IPv6 over IPv4
      • (config-if)#ip nhrp nhs <IPv6 address> nbma <nbma IPv4 address> multicast
    • IPv6 over IPv6
      • (config)#int tun 0
      • (config-if)#ipv6 nhrp authentication <password>
      • (config-if)#ipv6 nhrp map multicast dynamic
      • (config-if)#ipv6 nhrp network-id <network-ID>
      • (config-if)#ipv6 mtu <mtu>
      • (config-if)#ipv6 address <IP address>
      • (config-if)#ipv6 nhrp shortcut
      • (config-if)#ipv6 nhrp redirect

 

 

IPv6 Tunnelling

  • Tunnelling methods to transport IPv6 over an IPv4 carrier network
    • Manually configured tunnels
    • Automatic 6to4
    • IPv6 over IPv4 GRE
    • ISATAP
    • Automatic IPv4-compatible

 

 

Manual IPv6 Tunnels

  • Point-to-point connection
  • Requires Dual-Stack tunnel devices each end
  • Similar configuration as IPv4 GRE tunnel
    • Tunnel source and destination is an IPv4 address
    • Tunnel address is IPv6 address

 

  • Configuration Example:
    • (config)#interface tunnel <tunnel ID>
    • (config-if)#tunnel source <ipv4 addressed interface>
    • (config-if)#tunnel destination <ipv4 address>
    • (config-if)#tunnel mode ipv6ip
    • (config-if)#ipv6 address <ipv6 interface address>

 

IPv6 over IPv4 GRE Tunnels

  • Point-to-point connection
  • Requires Dual-Stack tunnel devices each end
  • Offers IPSec tunnel encryption
  • Similar to Manual tunnels
    • Tunnel mode is gre ipv6

 

  • Configuration Example:
    • (config)#interface tunnel <tunnel ID>
    • (config-if)#tunnel source <ipv4 addressed interface>
    • (config-if)#tunnel destination <ipv4 address>
    • (config-if)#ipv6 address <ipv6 interface address>
    • (config-if)#tunnel mode gre ipv6

 

Automatic 6to4 Tunnels

 

Figure 5 - IPv6 Automatic 6to4 Tunnelling

 

 

  • Point-to-multipoint connection
  • IPv4 network treated as NBMA cloud
  • Allows automatic IPv6 to IPv4 translation
  • Supports only 1 Auto 6to4 tunnel per router
  • Only static routing supported
  • Operates on a per-packet basis to encapsulate traffic to the correct destination
    • Tunnel destination isn't configured
    • Tunnel mode is ipv6ip 6to4
  • Tunnel address derived from the following:
    • IPv6 prefix: 2002::/16
    • Public IPv4 address converted to hex: 32 bits - Address must be publicly routable for tunnel destination
    • Subnet ID: 16 bits - Used to identify different subnets at a site or organisation
  • IPv4 address is extracted from IPv6 address and is used to build the IPv4 tunnel destination

 

  • Configuration Example:
    • (config)#interface tunnel <tunnel-ID>
    • (config-if)#no ip address
    • (config-if)#ipv6 address 2002:<public IPv4 address>:<Subnet-ID>:<Interface-ID>/64
    • (config-if)#tunnel source <ipv4 addressed interface>
    • (config-if)#tunnel mode ipv6ip 6to4

 

ISATAP Tunnels

 

Figure 6 - IPv6 ISATAP Tunnelling

 

  • Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
  • RFC4214
  • Point-to-multipoint connection
  • IPv4 network treated as NBMA cloud
  • Similar to Automatic 6to4 tunnels
    • Tunnel mode is ipv6ip isatap
    • Interfaces disable ICMP Router Advertisements
    • Only static routing supported

 

  • Requires EUI-64 configured addressing on tunnel interface
    • ISATAP tunnel address derived from IPv4 address formatted as follows:
      • 64 bit Global Routing Prefix/Link local prefix
        • Manually set in address command
      • 32 bit ISATAP interface identifier (0000:5EFE)
      • 32 bit IPv4 address converted to Hex

 

  • Configuration Example:
    • (config)#interface tunnel <tunnel-ID>
    • (config-if)#tunnel source <ipv4 addressed interface>
    • (config-if)#tunnel mode ipv6ip isatap
    • (config-if)#ipv6 address <unique prefix> ::/64 eui-64
    • (config)#ipv6 route <unique prefix>:0000:5EFE:<IPv4 Hex address>/64 eui-64

 

Automatic IPv4-compatible Tunnels

  • Deprecated method
  • Use ISATAP instead
  • Tunnel uses IPv4 compatible IPv6 addresses for tunnel interface
  • First 96 bits of tunnel address are all 0's
  • Remaining 32 bits are derived from IPv4 address
  • Tunnel destination not manually configured
    • Determined from IPv4 encoded IPv6 address
  • Tunnel mode set to ipv6ip auto-tunnel

 

  • Configuration Example:
    • (config)#interface tunnel <tunnel-ID>
    • (config-if)#tunnel source <ipv4 addressed interface>
    • (config-if)#tunnel mode ipv6ip auto-tunnel
    • (config-if)#ipv6 address 0:0:0:0:0:0:A.A.A.A/96
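
How the automatic tunnel types above (6to4, ISATAP and IPv4-compatible) encode an IPv4 address inside the IPv6 address, and how the IPv4 tunnel destination is read back out of it, for example when reviewing flow logs or writing filters. This is an added Python example, not part of the original notes; the function names are hypothetical and 192.0.2.1 and 2001:db8::/32 are documentation addresses used as constructed samples.

```python
import ipaddress


def sixtofour_prefix(public_v4: str) -> ipaddress.IPv6Network:
    """2002::/16 followed by the 32-bit IPv4 address gives the site /48."""
    v4 = int(ipaddress.IPv4Address(public_v4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


def isatap_address(prefix64: str, v4: str) -> ipaddress.IPv6Address:
    """64-bit prefix + 0000:5EFE + the 32-bit IPv4 address."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a 64-bit prefix")
    iid = (0x00005EFE << 32) | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def tunnel_destination(dst: str):
    """Return (method, embedded IPv4 address) for an automatic-tunnel
    IPv6 destination, or None when no IPv4 address is encoded in it."""
    n = int(ipaddress.IPv6Address(dst))
    low32 = str(ipaddress.IPv4Address(n & 0xFFFFFFFF))
    if n >> 112 == 0x2002:                      # 6to4: IPv4 sits after 2002:
        return "6to4", str(ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF))
    if (n >> 32) & 0xFFFFFFFF == 0x00005EFE:    # ISATAP interface identifier
        return "isatap", low32
    if n >> 32 == 0 and n > 1:                  # ::a.b.c.d, excluding :: and ::1
        return "ipv4-compatible", low32
    return None


# Constructed destinations, one per tunnel type plus a native address.
SAMPLES = [
    "2002:c000:201:1::1",
    "2001:db8:0:1:0:5efe:c000:201",
    "::192.0.2.1",
    "2001:db8::1",
]

if __name__ == "__main__":
    print(sixtofour_prefix("192.0.2.1"))
    print(isatap_address("2001:db8:0:1::/64", "192.0.2.1"))
    for dst in SAMPLES:
        print(f"{dst:<30} {tunnel_destination(dst)}")
```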

 

Troubleshooting Commands

  • #show ipv6 binding table
  • #show ipv6 neighbors

 
