Essential IPv6 for the Linux Systems Administrator
Owen DeLong, owend@he.net
Revised 1/31/2010
Wednesday, May 5, 2010
Hurricane Electric

Why is this important?
[Graph not reproduced. Surviving labels: "Graph Creation Date 1/31/2010", "Now"]

IPv4 Runout Process
- IANA runs out first (2011)
- RIRs start running out probably in 2012
- End-User providers start running out shortly after RIR runout
  - Most likely the larger ones first
- After ISPs start running out, an increasing number of your customers/users will have limited or seriously degraded ability to connect via IPv4, possibly even no ability

What we'll cover
- Basics of IPv6
- IPv6 Addressing Methods: SLAAC, DHCP, Static, Privacy
- Linux Configuration for Native Dual Stack
- IPv6 without a native backbone available
- Free IPv6

Some additional topics
- Routing
- Firewalls
- DNS
- Reverse DNS
- Troubleshooting
- Staff Training

Basics: IPv4 vs. IPv6

| Property | IPv4 Address | IPv6 Address |
| Bits | 32 | 128 |
| Total address space | 3,758,096,384 unicast; 268,435,456 multicast; 268,435,456 Experimental/other (Class E, F, G) | 42 undecillion assignable [1]; 297 undecillion IANA reserved [2] |
| Most prevalent network size | /24 (254 usable hosts) | /64 (18,446,744,073,709,551,616 host addresses) |
| Notation | Dotted Decimal Octets (192.0.2.239) | Hexadecimal Quads (2001:db8:1234:9fef::1) |
| Shortening | Suppress leading zeroes per octet | Suppress leading zeroes per quad, longest group of zeroes replaced with :: |

[1] 42,535,295,865,117,307,932,921,825,928,971,026,432 assignable unicast (1/8th of total)
[2] 297,747,071,055,821,155,530,452,781,502,797,185,024 IANA reserved (7/8th of total)

Relative Address Space Perspective
[Figure not reproduced. Surviving labels, in order: "IPv4 /24", "Each circle is 284 pixels", "All IPv4", "An IPv6 /64", "Would fill a little more than 1,532,464 screens at 1024x768 pixels"]
- A shape to represent the relative number of IPv6 /64 networks would require
  more than 1,532,464 million screens at 1024x768 pixels

The IPv6 address space is not infinite, but considering that there are more than 4 billion IPv6 network numbers for every possible IPv4 address, it is nearly so for all practical purposes.

Just in case, however, all current IPv6 is being issued from 1/8th of the total address space. If we need to allocate or assign more conservatively, or develop a different assignment strategy, that can be deployed to some fraction of the remaining address space.

Basics: IPv4 vs. IPv6 thinking

| Thought | IPv4 dogma | IPv6 dogma |
| Assignment Unit | Address (/32) | Network (/64) |
| Address Optimization | Tradeoff: Aggregation, Scarcity | Aggregation (at least for this first 1/8th of the address space) |
| Address Issue Methodology | Sequential, Slow Start, frequent fragmentation | Bisection (minimize fragmentation), issue large, minimal requests for more, aggregate expansions |
| NAT | Necessary for address conservation | Not supported, Not needed, Breaks more than it solves (other than possible NAT64) |
| Address Configuration | Static, DHCP | Stateless Autoconf, Static, some DHCP (needs work), DHCP-PD (NEW) |

Example: v6-only clients with v4-only servers
[Diagram not reproduced. Surviving labels: "IPv6-only Clients", "IPv4-Only Server"]

Basics: Address Scopes
- Link Local: fe80::UUVV:WWff:feXX:YYZZ, only valid on directly attached subnet
- Site Local (deprecated): Only valid within site, use ULA or global as substitute
- Unique Local Addresses (ULA): Essentially replaces IPv4 RFC 1918, but more theoretical uniqueness
- Global: Pretty much any other address, currently issued from 2000::/3, globally unique and valid in global routing tables

Basics: Stateless Autoconfiguration
- Easiest configuration
- No host configuration required
- Provides only Prefix and Router information, no services addresses (DNS, NTP, etc.)
- Assumes that all advertising routers are created equal
  - rogue RA can be pretty transparent to user (RA guard required on switches to avoid)

Stateless Autoconf Process
- Host uses MAC address to produce Link Local Address. If MAC is EUI-48, convert to EUI-64 per IEEE process:
  - invert 0x02 bit of first octet
  - insert 0xFFFE between first 24 bits and last 24 bits
  - fe80::<EUI-64>
- IPv6 shutdown on interface if duplicate detected
- ICMP6 Router Solicitation sent to All Routers Multicast Group

Stateless Autoconfiguration Process (cont.)
- Routers send ICMP6 Router Advertisement to link local unicast in response
  - Also sent to All Hosts Multicast group at regular intervals
- Router Advertisement includes Prefix(es), Preference, Desired Lifetime, Valid Lifetime
- Host resets applicable Lifetime counters each time valid RA received
- Address no longer used for new connections after Desired lifetime expires
- Address removed from interface at end of Valid lifetime
- Prefix(es) + EUI-64 = Host EUI-64 Global Address, netmask always /64 for SLAAC

If you think IPv6 is hard, wait until you try any of these
- Dual Stack Lite (ISC)
- As yet undefined/unimplemented Magic
- TCP relay (could be SSH tunnel)
- Multiple Layer NAT (Carrier Grade NAT)

DHCPv6
- Can assign prefixes other than /64
  - Theoretically to routers which then delegate various networks automatically downstream, no known implementations of this feature yet
- Can not assign addresses to hosts (can not assign single network prefixes), must use SLAAC for that
- Can provide additional information about servers (DNS, Bootfile, NTP, etc.)
- Not much vendor support yet

Static Addressing
- IPv6 can be assigned statically, same as IPv4
- Common to use one of two techniques for IPv4 overlay networks:
  - Prefix::addr (first 12 bits of 64 bit addr must be 0)
  - Either addr is IPv4 last octet(s)
    expressed as BCD, or addr is IPv4 last octet(s) converted to hex
  - e.g. 192.0.2.154/24 -> 2001:db8:cafe:beef::154/64 (BCD) or 2001:db8:cafe:beef::9a/64 (Hex)
- These mappings won't conflict with autoconfigured addresses since autoconfigured addresses will never be 000x:xxxx:xxxx:xxxx

Privacy Addresses
- Essentially a special form of Stateless Address Autoconfiguration which uses a new suffix for each flow and obfuscates the MAC address
- RFC 3041
- Uses MD5 Hash with
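The EUI-64 derivation from the Stateless Autoconf Process slides and the BCD/hex static mapping from the Static Addressing slide, as an added Python example that is not part of the original slides. It also reverses the EUI-64 step to show why a SLAAC address exposes the MAC that privacy addresses obfuscate; the function names and the sample MAC 00:11:22:33:44:55 are constructed for illustration.

```python
import ipaddress

def eui64_iid(mac):
    """EUI-48 MAC -> 64-bit interface identifier (the IEEE process on the slide)."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Invert the 0x02 bit of the first octet, insert 0xFFFE between the halves.
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def slaac_address(prefix, mac):
    """Advertised prefix + EUI-64 -> the address the host forms (always a /64)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return net[eui64_iid(mac)]

def mac_from_address(addr):
    """Reverse the EUI-64 step; None if the identifier lacks the ff:fe marker."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    return ":".join(f"{o:02x}" for o in bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:])

def overlay_address(prefix, ipv4, mode="bcd"):
    """Static overlay of the last IPv4 octet: decimal digits kept (BCD) or hex."""
    if mode not in ("bcd", "hex"):
        raise ValueError("mode must be 'bcd' or 'hex'")
    octet = int(ipaddress.IPv4Address(ipv4)) & 0xFF
    iid = int(str(octet), 16) if mode == "bcd" else octet
    if iid >> 52:  # first 12 bits of the 64-bit addr must be 0
        raise ValueError("host part collides with the reserved range")
    return ipaddress.IPv6Network(prefix)[iid]

if __name__ == "__main__":
    mac = "00:11:22:33:44:55"            # constructed sample MAC
    prefix = "2001:db8:cafe:beef::/64"   # documentation prefix from the slides
    print("link-local:", slaac_address("fe80::/64", mac))
    glob = slaac_address(prefix, mac)
    print("global    :", glob, "-> MAC", mac_from_address(str(glob)))
    for mode in ("bcd", "hex"):
        static = overlay_address(prefix, "192.0.2.154", mode)
        print(f"static {mode}:", static, "-> MAC", mac_from_address(str(static)))
```
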


DePaul TDC 375 - Essential IPv6
