w ww .d eep The IPv6s pProtocol ace6.net

Mauro Tortonesi 1 ww Limits of good old IPv4 ● The wcurrent version of IP protocol presents some serious lim.dits: – Address spacee exhaustion – Explosion of routing eptables – Mobility sp – Performance and scalability ace6.net ● These are structural problems and cannot be fixed!!!

2 ww Address space exhaustion ● Extrwemely inefficient address assignment policy ● Until 199.3d address assignment was in fixed­sized blocks: 16.77e6.214 (class A), 65.534 (class B) or 254 (class C) unepits ● These blocks are too bsigp or too small for the effective needs of organizatioance6.nets ● Enormous address waste

● Once there will be no addresses available, the Internet could not grow anymore, except using...

3 wwNetwork Address Translation ● Don'tw do it!!! NAT is plain evil!!! ● Single point .dof failure ● Breaks end­to­end etopology ep of TCP connections ● Problems with Mobile IP, VPN, FTP, TCP TIME_WAIT state etc... sp ● Complicates the use of multi­homaingce6.net ● NATs enable casual use of private addresses

● False sense of security (NAT is not a packet filter)

● And much more!!! (see RFC 2993 ­ Architectural Implications of NATs) 4 ww Explosion of routing tables ● IPv4w address space is not aggregatable ● Size of ro.udting tables depends from the number of networks ceonepnected to the Internet ● As the routing tables grow larger, complexity of routing process increassesp and performance drops ● May lead to routing stabilitya pce6.netroblems (often very hard to fix!!!)

5 wwClassless Inter­Domain Routing ● Morew efficient address assignment: contiguous class C blo.dcks allocated on geographic basis ● Creation of ane aggregatable subspace in the IPv4 address space ep ● Routing decisions are msapde according to “longest matching prefix” rule ace6.net – if packet dest is 5.6.7.8 and router has both 5.6.0.0/16 and 5.6.7.0/24 routes, the packet will be sent to the 2nd one

● Smaller routing tables

● Short­term solution that extends IPv4 lifetime 6 w BGP RT size

w● wPicture taken from http://bgp.potaroo.net .d eep sp ace6.net

(Data Gathered from AS1221 and Route­Views) 7 wPwroblems in Mobility and Scalability ● Mobwile IP is not a good solution for mobile computin.gd – Performancee problems (triangle routing) – Need to deploy epFAs in visited networks – No security sp – Problems with NAT ace6.net ● IPv4 has not been designed to be scalable – Complex header w/o common case optimization – Fragmentation – Inadequate min (576) and max (64KB) packet size 8 ww Future scenario ● Neww markets are developing in the ICT sector: – Persona.l d/ Mobile Devices – Networked Eentertainment – Device Controlep ● IPv4 cannot satisfy thes rpequirements posed by these new markets ace6.net

9 w w The IPv6 solution ● w New vers.ion of the Internet Protocol ● Well­definded eevolution of IPv4 ● Devised by IETF epto replace IPv4

● s It solves many of the propbleams with IPv4 ● It is ready for mainstream adopce6.nettion

10 ww The IPv6 protocol ● Enorwmous address space

● . Aggregatadblee address space ● Mandatory IPSEC epsupport ● Advanced autoconfigusraption functions ● Improved mobile networkinag ce6.net ● High levels of performance and scalability

11 ww Enormous address space ● IPv6w addresses are 128 bits long ● 2^128 (~ .3d40*10^36) possible addresses (340,282,366,920,938,463,463,374,607,431,768,211,456)eep ● Address space 2^96 (~ s79*10^27) times bigger than IPv4 one (79,228,162,514,264,337,593,543,950,336)pa ● 665,570,793,348,866,943,898,ce6.net599 addresses per square meter on Earth!!!

● IPv6 allows the Internet to grow with exponential pace for the next 30 years (RFC1715, RFC3194)

12 ww More on IPv6 addresses ­ 1 ● Hexawdecimal packed representation: – FEDC:B.dA98:7654:3210:FEDC:BA98:7654:3210 – Sequences oef zeros are shortened to “::” (e.g. 1080:0:0:0:0:0:200Cep:417A == 1080::200C:417A) – “::” can be used only oncspe for each address ● In mixed IPv4 and IPv6 envaironments it may sometimes be useful an hybridce6.net notation: – ::FFFF:5.6.7.8 (IPv4­mapped address) – ::5.6.7.8 (IPv4­compatible address) – 2002:5.6.7.8::1 (6to4 address) 13 w More on IPv6 addresses ­ 2 ● wIPv6 addresses are assigned to network interfaces

● w Three dif.ferent address tipologies: – d Unicast e – Anycast ep – Multicast sp ● Four addressing scopes: ace6.net – Link local (FE80::/10) – Site local (FEC0::/10) NOW DEPRECATED!!! – Global, Unicast & Routable (2000::/3) – Multicast (FF00::/8) 14 ww More on IPv6 addresses ­ 3 ● 6 (ouwt of 16) multicast scopes: – interface­.dlocal (useful only for loopback) – link­local e – admin­local ep – site­local sp – organization­local ace6.net – global

● Examples – FF05::2 (all routers on site) – FF02::1 (all nodes on link) 15 ww More on IPv6 addresses ­ 4 ● Specwial type addresses: – Unspec.ifdied address (::/128) – Localhost addree ss (::1/128) – IPv4­mapped (:ep:FFFF:V4ADDR/96) – IPv4­compatible (::V4AsDpDR/96) – 6to4 (2002:V4ADDR::/48) ace6.net – Solicited node multicast address (used for DAD) – Subnet­router anycast address – Many, MANY, ***__MANY__*** more...

16 wwAggregatable address space ● Routinwg decisions are made according to the “longest .mdatching prefix” rule – if packet dest eis 2001:abcd::1 and router has both 2001::/16 and 2001:epab::/24 routes the packet will be sent to the 2nd one s ● Routing table size optimpizaation ● Format of global routable unicce6.netast IPv6 address:

17 w Mandatory IPSEC support ww ● Support f.odr authentication and privacy ● IPv6 has nativee IepPSEC support – AH (Authentication Hseader) – ESP (Encapsulated Security paPayload) ● Securing data at network layerce6.net is sometimes better than doing it at transport layer (e.g. SSL)

● Allows the creation of VPNs (Virtual Private Networks)

18 wwAdvanced autoconfiguration w functions ● Two diff.erent kinds of address autoconfiguration for networdkineg interfaces – DHCPv6 ep – Stateless Address Autocsonfigurap tion ● Support for (almost) automaaticce6.net renumbering ● Minimization of human intervention costs

19 wStawteless Address Autoconfiguration ● Prefixw of link is obtained by router advertisement ● Interface. IdD is obtained by MAC address eep sp ace6.net

20 wwImproved mobile networking ­ 1 ● Mobilew IPv6 is more performant than Mobile IP ... – . Route optimdizeation included in the protocol – Use of Routing Hepeader instead of encapsulation – Dynamic Home Addresss Discovery uses anycast and returns a single response to pthea mobile node – Large use of piggybacking thanks ce6.netto Dest. Options ● ... more secure ... – Mandatory use of IPSEC – Packet filtering is easier to perform

21 w Improved mobile networking ­ 2 ww ● ... more robus.d t and flexible – Use of Neighbor eepDiscovery instead of ARP – Better support for multicsast traffic – No more Foreign Agents p – Bidirectional movement detecation ce6.netmechanism – New “Advertisement Interval” option on Router Advertisements

22 wwImproved mobile networking ­ 3 ● Mobiwle IP operations: .d eep sp ace6.net

23 wwImproved mobile networking ­ 4 ● Mobiwle IPv6 operations: .d eep sp ace6.net

24 wwHigh levels of performance and w scalability ­ 1 ● IPv6 hea.ders are only 2 times bigger than IPv4 ones, evend if eIPv6 addresses are 4 times longer ● No more checksepum at network layer

● s Handling IP options is eapsiear ● Fragmentation is made only once6.net source host, not from routers along the communication path

● Lower overhead than IPv4

25 w High levels of performance and w scalability ­ 2 ● IPv4 wheaders are complex (variable length, many fields): .d eep sp ace6.net

26 w High levels of performance and w scalability ­ 3

● w IPv6 heade.rs dare simpler and have 64­bit aligned fields: eep sp ace6.net

27 wwHigh levels of performance and w scalability ­ 4 ● IPv6 outp.edrforms IPv4 ● Protocol impleementation is easier and cheaper (especially on smepall battery­operated devices)

● s IPv6 can make full use opf a – High bandwidth/performance nece6.nettworks – Computational capabilities of supercomputers in highly­distributed computation environments

28 w The transition to IPv6 ­ 1

● w All nwodes (hosts, routers, firewalls, L3 switches, etc...) mu.st be upgraded in order to support IPv6 ● d IPv6 connectiveity must be provided to LANs and WANs ep ● All applications must sbep ported to IPv6 ● IPv6 nodes and applicationsa should preserve compatibility with IPv4 ce6.net

● Very difficult task!!!

29 w The transition to IPv6 ­ 2

● w The trwansition will be a long and delicate process ● It must be. cdompleted before the total collapse of IPv4 routing aend addressing capabilities ● To have a succesepsful (or not too painful) transition we need: sp – High interoperability between aIPv4 ce6.netand IPv6 host – Maximum flexibility in the deployment of an IPv6 node in an IPv4 network – Easy migration from IPv4 to IPv6 services

30 ww The transition scenario ­ 1 ● Durinwg the transition phase we'll have mixed IPv4 and IPv6 e.ndvironments ● Many networkes wepon't have native IPv6 connectivity ● Transition tools and mechanisms will be deployed to provide IPv6 connecstivpity to hosts and LANs (6TO4, NAT­PT, etc...) ace6.net ● The network scenarios will be very complex

● Applications must be designed to work in all possible environments

31 w The transition scenario ­ 2

● w Durinwg the transition we'll have: – nodes w.ith IPv4 connectivity but no IPv6 connectivity de(or support) – nodes with IPv6 epconnectivity but no IPv4 connectivity (or supposrt) – nodes with both IPv4 and pIPv6 aconnectivity ● IPv4 connectivity may be prefce6.neterred to IPv6 connectivity or viceversa (cost, reliability, etc...)

● There may be problems with DNS resolution

32 w Towards the IPv6 Internet

● w So fawr the native IPv6 routing infrastructure is not very exte.nded ● d There may noet be a native routing path between two IPv6 peers ep ● A possible solution is sto puse the existing IPv4 infrastructure to route IPv6 apace6.netckets ● We can build virtual IPv6 links with IPv6­in­IPv4 tunnels

33 w IPv6­in­IPv4 tunnels ­ 1

● w IPv6 packetw s are encapsulated in IPv4 packets and t. hen routed to destination via the IPv4 Intdernete inftastructure ● Once they arrive tepo destination, IPv6 packets are first decapsspulated and then processed by IPv6 stackace6.net

34 ww IPv6­in­IPv4 tunnels ­ 2 ● Typiwcal LAN­to­LAN tunnel usage: .d eep sp ace6.net

35 ww Transition techniques ­ 1 ● Connectw ion between IPv6 native “islands”: – Manual.dly configured tunnels – Automatic etunepnels – Tunnel Brokers s – BGP Tunnels pa – 6TO4 ce6.net

36 ww Transition techniques ­ 2 ● Connectw ion between IPv6 hosts inside an IPv4­onl.y LdAN: – ISATAP eep – 6OVER4 sp ace6.net

37 ww Transition techniques ­ 3a ● Comwmunication between IPv4­only and IPv6­onl.y nodesd : – Dual stack emoepdel / Limited Dual stack model – SOCKS64 s – NAT­PT pa – SIIT ce6.net

38 ww Transition techniques ­ 3b ● Comwmunication between IPv4­only and IPv6­onl.y nodesd : – BIS (Bump­In­eThe­Stack) / BIA (Bump­In­The­API) – Transport Relay Tepranslator – DSTM (Dual Stack Transsitiopn Mechanism) – Shipworm/Teredo ace6.net

39 w IPv6 and DNS ww ● Name to a.dddress resolution – AAAA records e(simple extension of IPv4 A records) – A6 records (expeeprimental, supports multihoming and renumbering but is a potesntiapl security threat) ● Address to name resolution ace6.net – IN6.INT domain (deprecated but still used) – IN6.ARPA domain

40 w Backward compatibility ww ● To suppo.rt the new protocol, all existing TCP/IP software mduset be modified ● Many operating epsystems already offer a rather advanced IPv6 supporst p ● Many applications altrady saupce6.netport IPv6 ● Commercial routers (Cisco, Juniper) already offer (at least partial or experimental) IPv6 support

● There is still a lot of work to do

41 ww Linux & IPv6 ­ Status ● The wLinux kernel has IPv6 support since 1998 ● . All the madjor edistros have an IPv6­enabled kernel ● Glibc is IPv6­enepabled (apart from RPC) ● Most of the applicatiosns pare IPv6­enabled (see the IPv6 Status Page for appalicce6.netations at DS6) ● USAGI project (http://www.linux­ipv6.org) distributes a patch for both userspace applications and kernel

42 wwLinux & IPv6 ­ Basic setup ­ 1 ● Checwk if your distro has IPv6 support – test ­f /pr.ocd/net/if_inet6 && echo “IPv6 support” ● If IPv6 suppoert hepas been compiled as a module – modprobe ipv6 s – echo “alias net­pf­10 ipv6” p>> moa dprobe.conf ● You may need to recompile yoce6.netur kernel http://www.deepspace6.net/docs/best_ipv6_support.html

43 wwLinux & IPv6 ­ Configuration ­ 1 ● Use ip waddr for manual configuration of IPv6 addressess: – ip ­6 ad.ddr add 2001:dead:beef::1/64 dev eth0 – ip ­6 addr deel 2001:deepad:beef::1/64 dev eth0 ● Use ip route for manual csonfiguration of IPv6 routes: – ip ­6 route add 2000::/3 viap 2001:dea ad:beef::1 – ip ­6 route del 2000::/3 via 2001ce6.net:dead:beef::1 ● Use ip neigh for manual configuration of neighbours (just like static ARP cache in IPv4)

44 wwLinux & IPv6 ­ Configuration ­ 2 ● Use ip wtunnel for manual configuration of IPv6 tunnels ip tunnel add s.dit1 mode sit ttl default_ttl remote ipv4_remote_endpointe local ipv4_local_endpoint ip link set dev sit1 upep ip ­6 route add ipv6_prefix sdev psit1 metric 1 ● To manually delete a tunnel ace6.net ip ­6 route del ipv6_prefix dev sit1 ip link set sit1 down ip tunnel del sit1

45 ww Linux & IPv6 ­ Testing ● Manwy testing and debugging tools are available – netstat .fromd net­tools – ping6 from ieputiepls – traceroute6 and tracepasth6 from iputils – nmap pa – tcpdump and/or ethereal ce6.net ● nc6 from netcat6 can be very useful for testing applications & services – echo “GET http://myhost” | nc6 myhost 80

46 ww Linux & IPv6 ­ DNS ­ 1 ● BINwD supports IPv6 options { .d # to listen alsoe on IPv6 listen­on­v6 { nonepe; }; }; s acl example­acl { p 127.0.0.1; a 172.24.0.0/16; ce6.net 2001:dead:beef::/64; ::1/128; ::ffff:172.24.0.104/128; }; 47 ww Linux & IPv6 ­ DNS ­ 2 ● Direwct resolution $ORIGIN myn.detwork.org. myhost IN AAAA e2001ep:dead:beef::1 ● Inverse resolution usinsg IP6.INT (nibble based) $ORIGIN 0.0.0.0.f.e.e.b.d.a.e.d.1.p0.0.2.ip6.int. 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTaR mce6.netyhost.mynetwork.org ● Inverse resolution using IP6.ARPA (bitstring based) $ORIGIN \[x2001deadbeef0000/64].ip6.arpa. \[0000000000000001/64] IN PTR myhost.mynetwork.org

48 ww Linux & IPv6 ­ Radvd ● Use wradvd to advertise network prefix interface eth.0 d{ AdvSendAdveert on; MinRtrAdvInterepval 3; MaxRtrAdvInterval 10s; prefix 2001:dead:beef::/64p AdvOnLink on; a AdvAutonomous on; ce6.net AdvRouterAddr on; }; };

49 wwLinux & IPv6 ­ Web Servers ● Apacwhe 2 supports IPv6 ● . Works withd VeirtualHost, too! Listen [2001:dead:beeepf::1]:80 Listen 5.6.7.8:80 ServerName myhost.mynetwork.aorg ... ce6.net

● Many other HTTP server support IPv6 (boa, thttpd, webfs, bozohttpd, etc...)

50 wwLinux & IPv6 ­ Web Clients ● Manwy web browsers/clients support IPv6 – Mozilla.d – Konqueror eep – Opera s – lynx, elinks pa – wget, httrack, cURL, etc... ce6.net ● IPv6 address can be used on URLs (RFC2372) – http://[2001:dead:beef::1]/path

● Not all web proxies are IPv6 enabled 51 ww Linux & IPv6 ­ FTP ● Moswt FTP server support IPv6 – vsftpd .d – pure­ftpd eep – proftpd s – oftpd, etc... pa ● Many FTP clients support IPvce6.net6 – lftp – ncftp – wget, etc...

52 ww Linux & IPv6 ­ Email ­ 1 ● Manwy SMTP servers natively support IPv6 – Sendma.idl – Exim eep – Courier s ● Patches to add IPv6 suppport ato many SMTP servers are available ce6.net – Postfix – Qmail

53 ww Linux & IPv6 ­ Email ­ 2 ● Manwy IMAP/POP servers natively support IPv6 – dovecot.d – courier eep ● Most email clients supspoprt IPv6 – mutt a – kmail ce6.net – sylpheed (also sylpheed­claws) – mozilla­mail – fetchmail

54 wLwinux & IPv6 ­ Programming Languages ● Linuwx supports the Extended BSD Socket API for socket­ba.sded applications written in C ● Perl supports eIPvep6 – NET::Socket6 s – IO::INET6 pa ● Python supports IPv6 ce6.net

● Ruby supports IPv6

● Java supports IPv6

55 wwLinux & IPv6 ­ Misc services ● Othewr famous IPv6 enabled packages: – . openssh de – openldap ep – xinetd s – netkit­inetd+tcpd pa – xntpd ce6.net – X Windows (both XFree86 and X.org)

56 w So, when will IPv4 die?

● w Alwways too late ;­) ● There are. adreas in which the shortage of IPv4 addresses is really dramatic (especially Asia) ● ep However, IPv4 is not gsoing to disappear soon: – http://potaroo.net/2003­08/pale.html ● NAT, private networks and aRece6.netalm IP will extend lifetime of IPv4

● The transition to IPv6 will be probably very long

57 w Conclusions ww ● IPv6 is g.oing to mainstream, so consider starting the migratiodne of your network, applications and services to IPv6 epRIGHT NOW!!! sp ace6.net

58 ww Suggestions ● Readw the Linux IPv6 HOWTO ● Visit http.://wdww.deepspace6.net – read the documeepentation – subscribe to the ds6 msailing list – maybe subscribe to the ds6­depavel mailing list ● Start the migration to IPv6 ce6.net – ask your ISP for IPv6 connectivity – subscribe to a free tunnel broker service – setup 6to4 on your network

59 ww Acknowledgements ● Simowne Piunno (co­founder of Deep Space 6) ● . Peter Bierindgeer (co­founder of Deep Space 6) ● Chris Leisham (epco­author of netcat6) ● Filippo Natali (co­authsorp of netcat6) ace6.net

60 w ww .d eep sp ace6.net

http://www.deepspace6.net 61 w ww .d eep Quesstionsp ? ace6.net

62 ww IPv6 FAQs ● Whawt happened to IP version 5? ● . Weren't 64d bitse enough for IPv6 addresses? ● Do the USA neeepd IPv6 too? ● Will you put this slidess opn the web? ace6.net

63