Interface Fastethernet 0/0 Ipv6 Address 2001:Db8

#CLUS Introduction to IPv6: Connecting to IPv6 access networks

Nicole Wajer, Tim Martin, Christopher Wreny TECRST-1991

#CLUS Agenda

• IPv6 the Protocol

• IPv6 Address Planning

• IPv6 Access Layer Design

• IPv6 Host OS Configurations

• Conclusion

Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Live Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space

Webex Teams will be moderated cs.co/ciscolivebot# TECRST-1991 by the speaker until June 16, 2019.

Tim Martin Solutions Specialist TECRST-1991 @bckcntryskr #2020

#CLUS Explaining BIG Numbers With Math

• The LAN size standard has been set at a /64 • 18,446,744,073,709,600,000 IPv6 addresses • Let’s attempt to exhaust all of the available addresses • We will allocate 10,000,000 addresses per second • Hint: there are 31,536,000 seconds per year • 10,000,000 x 31,536,000 = 315,360,000,000,000 18,446,744,073,709,600,000 / 315,360,000,000,000 Source: ©fotofabrika

= 58,494 years Attribution: Ed Horley

IPv6 Address Family

Multicast Unicast Anycast

Assigned Solicited Node Well Temp Known

Unique Local Link Local Global Special Embedded

*IPv6 does not use broadcast addressing

• Full IPv6 address (128 bits represented by 32 Hex characters) • Leading 0’s can be omitted • The double colon (::) can appear only once

Global Prefix (48) Subnet (16) Interface Id (64) 2001:0db8:4646:0001:0000:0000:0000:1e2a

2001:db8:4646:1:0:0:0:1e2a

Link-Local – Non routable exists on single layer 2 domain (fe80::/10) fe80:0000:0000:0000:xxxx:xxxx:xxxx:xxxx

Unique-Local – Routable within administrative domain (fc00::/7) fc00:~~~~:~~~~:****:xxxx:xxxx:xxxx:xxxx fd00:~~~~:~~~~:****:xxxx:xxxx:xxxx:xxxx

Global – Routable across the Internet (2000::/3) 2000:****:****:****:xxxx:xxxx:xxxx:xxxx 3fff:****:****:****:xxxx:xxxx:xxxx:xxxx

Similar to IPv4 New in IPv6

Manually configured State Less Address Auto Configuration SLAAC EUI64

Assigned via DHCPv6 SLAAC Privacy Extensions

*Secure Neighbor Discovery SeND

IPv4 Header (20-60) IPv6 Header (40) Type of Version IHL Total Length Traffic Service Version Flow Label Class Identification Flags Offset Next Payload Length Hop Limit Time to Live Protocol Header Checksum Header Source Address Destination Address Source Address Options Padding

• Length was variable • Fields in green are removed Destination Address • Options appear in extension headers • Upper layer checksums use Pseudo Header format: SRC/DST + Next Header

Extension Header Type • EH are daisy chained, processed in order Hop-by-Hop Options 0 Destination Options 60 • Length is variable, end on 64-bit boundary Routing Header 43 • EHs have a Next Header field Fragment Header 44 Authentication Header 51 • All EHs must be in the initial fragment ESP Header 50 IPv6 Transport Destination Options 60 Data Header Header Mobility Header 135 Experimental 253,254 IPv6 Extension Transport No Next Header 59 Data Header Header Header

IPv6 HBH EH AH EH Transport Data NH = 0 NH = 51 NH = 6 Header

• Neighbor or router discovery (133-137) • Destination Unreachable(1) • Multicast Listener Discovery (130-132, 143) • Packet Too Big (2) • Diagnostics using Ping, Traceroute (128, 129) • Time Exceeded (3) • Parameter Problem (4) IPv6 NH = 58

Type Code Checksum Data • Type – (0-127) = Error messages, 128-255 Informational messages • Code – More granularity within the type • Checksum – Computed over the entire ICMPv6 & pseudo header • Data – Contents of “offending”, filled to 1280B (error) or specific message format (info)

• Similar to IGMP operations

• MLD uses link local (fe80::/10) source addresses • HBH extension header A B • MLDv1 = (*,G) shared tree (RP) MLD Report

• MLDv2 = (S,G) source tree (SSM) (S,G) IPv6 Source fe80::a IPv6 Destination ff0e::246:c001 ICMPv6 Type 131 (MLD report) Group Address ff0e::246:c001

Hop-by-Hop Header Join PIM Router Alert Yes Multicast source ff0e::246:c001 #CLUS TECRST-1991 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 15 IPv6 Neighborhood RA Provisioning Type: 134 (RA) Code: 0 • M-Flag – Stateful DHCPv6 for IPv6 address Checksum: 0xff78 [correct] Cur hop limit: 64 • O-Flag – Stateless DHCPv6, with SLAAC ∞ Flags: 0x84 1… …. = Managed (M flag) • Preference Bits – Low, Med, High .0.. …. = Not other (O flag) ..0. …. = Not Home (H flag) • Router Lifetime – Must be >0 for Default …0 1… = Router pref: High Router lifetime: (s)1800 • Options - Prefix Information, Length, Flags Reachable time: (ms) 3600000 Retrans timer: (ms) 1000 • L bit – Only way a host get a On Link Prefix ICMPv6 Option 3 (Prefix Info) • A bit – Set to 0 for DHCP to work properly Prefix length: 64 ∞ Flags: 0x80 1… …. = On link (L Bit) RA .1.. …. = No Auto (A Bit) Prefix: 2001:0db8:4646:1234::/64

• Required & special form of multicast used for neighbor resolution

• Every Unicast address must • Create corresponding solicited node multicast (ff02::1:ff00:0/104)

• Any Layer 3 multicast must • Map to corresponding Layer 2 multicast (33-33-xx-xx-xx-xx)

IPv6 Source fe80::04cb:57ff:fe46:d00d IPv6 Destination ff02::1:ff46:d00d Ethernet Destination 33-33-FF-46-D0-0D Ethernet Source 02-CB-57-46-D0-0D

• Node A needs to resolve node B’s link address, Map’s L3 to L2 • Multicast for resolution (new), Unicast for reachability (cache) • Node B will add node A to it’s neighbor cache during this process w/o sending NS A B NS NA DfGW

ICMP Type 135 NS ICMP Type 136 NA IPv6 Source fe80::a IPv6 Source fe80::b IPv6 Destination ff02::1:ff00:b IPv6 Destination fe80::a Hop Limit 255 Target Address 2001:db8:1:46::b Target Address 2001:db8:1:46::b Option 2 TLLA B’s Link Layer Address Query What is B link layer address? *Flags R = Router Opt. 1 SLLA A’s Link Layer Address S = Response to Solicitation O = Override cache information

• Link Local (fe80::/10) is required for any device with IPv6 enabled

• At least 2 addresses per interface for global connectivity

• Majority of access devices will have LL as their Default Gateway

Host Addresses Router Addresses Ethernet B8:E8:56:1A:2B:3C Ethernet 00:00:0C:3A:8B:18 IPv6 Link Local fe80::bae8:56ff:fe1a:2b3c IPv6 Link Local fe80::0200:0cff:fe3a:8b18 IPv6 Global 2001:db8:1:46:1b2:c:3:4e5 IPv6 Global 2001:db8:1:46::1 Default Gwy. fe80::0200:0cff:fe3a:8b18 RA Prefix 2001:db8:1:46::/64

Nicole Wajer Chief Stroopwafel Officer TECRST-1991 @vlinder_nl

#CLUS Global Address Assignment

• Provider Allocated (PA) • From your ISP, single homed PA PI • /48 - /60 2000::/3 2000::/3 IANA • Provider Independent (PI) Registries • Multi home, Multi provider /12 /12 • /32 - /48 RIR /32 • Local Internet Registry (LIR) ISP Org /32 • Regional registry member /48 • Acquire & manage space • /29 - /48 Entity Subordinate /48 /48

• PA or PI from each region you operate in • Coordination of advertised space within each RIR, policy will vary • Most run PI from primary region

• Prefix Generation (RFC 4193) non sequential /48, M&A challenges

• To be avoided in most cases, v6ops-ula-usage-recommendations

• Caution with older OS’s (RFC 3484) using ULA & IPv4

• Multiple policies to maintain (ACL, QoS, Routing, etc..) Global Internet 2001:db8:cafe::/48

Corporate Backbone Branch 2

ULA Space fd9c:58ed:7d73::/48 Global – 2001:db8:cafe::/48 fd9c:58ed:7d73:3000::/64 fd9c:58ed:7d73:2::/64 2001:db8:cafe:3000::/64

• Topology hiding, Interfaces cannot be seen by off link devices

• Reduces routing table prefix count, less configuration

• Need to use ULA or GUA for generating ICMPv6 messages

• What about DNS?, Traceroute, WAN Connections, etc..

• RFC7404 – Details pros and cons Internet fe80::/64 ULA/GUA

fe80::/64 ULA/GUA WAN/MAN ULA/GUA fe80::/64 ULA/GUA

#CLUS TECRST-1991 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 25 Prefix Length Considerations Hosts • Anywhere a host exists /64 /64 Core • RFC 7421, rational for /64 /64 or /127

• Point to Point /127 Pt 2 Pt • Should not use all 0’s or 1’s interface /127 • Nodes 1 & 2, not in the same subnet Servers /64 • Reserve the /64, Loopback configure /127 with :a & :b /128 • RFC 6164: /127 cache exhaust • Reserve a /64, configure a /127 Hosts • Loopback or Anycast /128 /64

• Helps you to get your head around IPv6 deployment • Structure - Services • Hierarchy - Security

• Puts structure in place • Like belts and braces

• First real “toe in the cold water” • In terms of deployment • Makes the “jump” easier

• Well thought-through addressing plan • Think network operations and troubleshooting

• Links can have multiple prefixes: • Every link (point-to-point, VLAN) has link-local addresses • Links can have global addresses • Links can have ULA addresses

• Multiple global and ULA prefixes per link is possible • Can be useful for renumbering to have multiple prefixes active at the same time • But do you really want that during normal operation???

• Keep it simple!

• Links can have multiple prefixes: • Every link (point-to-point, VLAN) has link-local addresses • Links can have global addresses • Links can have ULA addresses

• Keep it simple!

• Assess how the existing Better visibility into IPv4 address space is how the existing Can better answer when IPv6 is critical used Address space is used • Useful information for • IPv6 integration • IPv4 address consolidation • Reclaiming unused address space • Use existing tools • IPAM • ARP tables • DHCP logs

• Requirements • Considerations

• Length of prefix and bits to work with • Clear addressing for different parts of

• Enterprises usually multiple /48 the network

• Highly dependent on RIR policy • WAN/Core, Campus, branch, DC, Internet Edge etc. • SPs should get /29 (≥ 35 bits) • Different Locations/Services • Avoid breaking the nibble boundary • Encoding of information • Think of # of prefixes at each level • Ease of aggregation • Templates will be your friends • Leaving space for growth • IP Address Management Tools

• Use only Link-Local on links between routers? • Easy to configure, smaller attack surface, harder to debug

• Use global addresses for systems and ULA for infrastructure? • Smaller attack surface, complex addressing, confusing to ops, ICMP problems

• Use both global addresses and ULA side-by-side for everything? • Complex to configure and maintain, unpredictable behaviour, (almost) no benefits

• Use global addresses everywhere? • Use IPv6 as designed: This is the best choice in most cases!

• Depends on the existing processes and the adaptability of that process • Methods are not mutually exclusive - all three can be used • Must control the stateless address assignment of addresses

Manual Stateless Stateful DHCPv6

Pros Address is stable Scales well Well understood process Controlled assignment Time to deploy Controlled assignment Well understood process Widely implemented Time to deploy

Cons Does not scale No control on assignment process Implementation in OS Time to deploy Not well understood Must design for HA Lack of management Unpredictable (privacy extensions)

• Operations may not understand what you do

• Avoid the zero compression “gotcha” • 2001:db8::/32 • 2001:db8:0000::/48 • 2001:db8:0000::/52 • 2001:db8::

• Same goes for host based subnets • 2001:db8:1020:0000::/64 could look like 2001:db8:1020::

/56 Interconnects 256x /64 P2P links /127 per P2P link

/56 Loopbacks 256x /64 Loopbacks /128 per Loopback

/52 Infrastructure /56 reserve

/48 location /56 reserve

/52 Desktops ...

/52 Wireless • Follow the logical flow – How many subnets in each location? /52 etc. – What does sit under infrastructure? – How many point-to-point links? – Where is the reserve?

• Always/56 Loopbacks make256x /6one4 Loopba cksgroup/1 2for8 per L oinfrastructureopback /52 Infrastructure • /56Easier reserve to protect and monitor

/48 location • /56Using reserve group number 0 gives shorter addresses

/52 Desktops • Other... grouping ideas: • Organizational division (group by responsibility) /52 Wireless • Type of use (group by expected traffic) /52 etc. • Security boundary (group by firewall policy) • Whatever makes sense in your network! • Further reading • https://www.ripe.net/support/training/material/IPv6-for-LIRs-Training-Course/ Preparing-an-IPv6-Addressing-Plan.pdf

#CLUS TECRST-1991 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 37 4 Rules 2001:db8:1234:0100:/56 2001:db8:1234:0200:/56 2001:db8:1234:0300:/56 2001:db8:1234:0400:/56 2001:db8:1234:0500:/56 … 1. Keep it SIMPLE You don’t want to spend weeks explaining it! 2. Embed information to help operations To help troubleshooting and operation of the network 2001:db8:1234::/48 Examples: location, country, firewall zone, VLAN, IPv4 addresses (be careful) 3. Plan for expansion (build in reserve) Cater for future growth, mergers & acquisitions, new locations Reserved vs. assigned 4. Exploit hierarchy / aggregation Good aggregation is essential, just one address block (per location) Ensures scalability and stability

• Food and consumables conglomerate

• Has presence throughout North America • Currently set up in w/ 19 regional offices • Plans are to expand to 37 regional offices

• They also have a sister company (ACME ISP) which is providing telecommunications services throughout North America

• ACME has grown organically through a policy of acquisitions and mergers over the past few years.

• Use of private (RFC 1918) and/or illegal IPv4 address blocks, NAT is widely used. This is negatively impacting the behaviour of some enterprise applications.

• ACME has decided to strategically deploy IPv6 within the ACME enterprise network. This will enable applications and services to be moved from IPv4 to IPv6 on a case-by-case basis

• For its WAN connectivity, ACME enterprise uses the MPLS VPN service offered by ACME ISP.

• ACME ISP is a ARIN member and have been allocated a /19 IPv6 address block. ACME Enterprise has been provided 2001:db8::/32 from its ISP. ACME ISP will be interconnecting all the IPv6 locations of the ACME enterprise network.

• The most important requirements for the IPv6 addressing design are for it to be highly hierarchical, uniform and scalable. This will greatly simplify the design, operation and troubleshooting of the network.

• As a general rule, ACME would like to use byte (8-bit)-boundaries between the different hierarchies of the IPv6 addressing. HINT!!!

• At the first level, the addressing scheme needs to support at least 37 regional offices (HINT!!!). Also some address blocks should be reserved for future growth in the larger countries.

• At the second level (within each region), there are a number of campus locations. It is at this level that connectivity into the ACME ISP network is provided. The largest region has about 40 campus locations (HINT!!!).

• At the third level (within each campus location), the number of buildings within each campus (4-6 maximum). Therefore, allocating these blocks on a byte boundary is deemed as overkill. A nibble (4-bit) boundary will suffice here. HINT!!!

• A separate “virtual building” address block needs to be set aside for network infrastructure addressing within that campus location

• At the forth level (within each building), individual IPv6 subnets need to be assigned to individual VLANs

• An additional requirement is to divide up the network infrastructure block in ranges for loopback, link and network services addressing

• Design an IPv6 address plan for ACME enterprise applying with what you have learned in this session and the mentioned HINTS

• Work top-down through the address plan

• Focus first on the end-system addressing

• Think about the network infrastructure addressing

• There are multiple acceptable solutions, it’s more important to think about the problem and apply the methodology

#CLUS TECRST-1991 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 45 ACME Enterprise IPv6 Addressing Exercise Global Prefix: 2001:db8::/32 # of address block First address block allocation w/in allocation w/in Last address block Adress Scope Prefix Length higher level higher level w/in higher level Region Campus Location Building End-System Network Infrastructure Loopbacks Links Network Services

# of address block First address block allocation w/in allocation w/in Last address block Adress Scope Prefix Length higher level higher level w/in higher level Region 2001:db8::/40 256 2001:db8::/40 2001:db8:ff00::/40 Campus Location Building End-System Network Infrastructure Loopbacks Links Network Services

Region 1 2001:db8:1000::/40 -> Reserved 2001:db8:1100::/40 - 2001:db8:1f00::/40 Region 2 2001:db8:2000::/40 -> Reserved 2001:db8:2100::/40 - 2001:db8:2f00::/40

#CLUS TECRST-1991 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 48 For Your ACME Enterprise IPv6 Addressing Exercise Reference # of address block First address block allocation w/in allocation w/in Last address block Adress Scope Prefix Length higher level higher level w/in higher level Region 2001:db8::/40 256 2001:db8::/40 2001:db8:ff00::/40 Campus Location 2001:db8::/48 256 2001:db8::/48 2001:db8:ffff::/48 Building End-System Network Infrastructure Loopbacks Links Network Services

Region 1 Campus 1 2001:db8:1010::/48 -> Reserved 2001:db8:1011::/48 thru 2001:db8:101f::/48

#CLUS TECRST-1991 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 49 For Your ACME Enterprise IPv6 Addressing Exercise Reference # of address block First address block allocation w/in allocation w/in Last address block w/in Adress Scope Prefix Length higher level higher level higher level Region 2001:db8::/40 256 2001:db8::/40 2001:db8:ff00::/40 Campus Location 2001:db8::/48 256 2001:db8::/48 2001:db8:ffff::/48 Building 2001:db8::/52 16 2001:db8::/52 2001:db8:ffff:f000::/48 End-System Network Infrastructure Loopbacks Links Network Services

Region 1 Campus 1 Building 1 2001:db8:1010:1000::/52 Reserved Region 1 Campus 1 Building 22001:db8:1010:7000::/52 - 2001:db8:1010:f000::/52 2001:db8:1010:2000::/52

#CLUS TECRST-1991 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 50 For Your ACME Enterprise IPv6 Addressing Exercise Reference # of address block First address block allocation w/in allocation w/in Last address block w/in Adress Scope Prefix Length higher level higher level higher level Region 2001:db8::/40 256 2001:db8::/40 2001:db8:ff00::/40 Campus Location 2001:db8::/48 256 2001:db8::/48 2001:db8:ffff::/48 Building 2001:db8::/52 16 2001:db8::/52 2001:db8:ffff:f000::/48 End-System 2001:db8::/64 4096 2001:db8::/64 2001:db8:ffff:ffff::/64 Network Infrastructure Loopbacks Links Network Services

Region 1 Campus 1 Building 1 VLAN 100 2001:db8:1010:1100::/64

Region 1 Campus 1 Building 1 VLAN 200 2001:db8:1010:1200::/64

#CLUS TECRST-1991 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 51 For Your ACME Enterprise IPv6 Addressing Exercise Reference # of address block First address block allocation w/in allocation w/in Last address block w/in Adress Scope Prefix Length higher level higher level higher level Region 2001:db8::/40 256 2001:db8::/40 2001:db8:ff00::/40 Campus Location 2001:db8::/48 256 2001:db8::/48 2001:db8:ffff::/48 Building 2001:db8::/52 16 2001:db8::/52 2001:db8:ffff:f000::/48 End-System 2001:db8::/64 4096 2001:db8::/64 2001:db8:ffff:ffff::/64 Network Infrastructure Loopbacks /128 2^128 Specific block chosen in the building prefix Links /127 2^64 Specific block chosen in the building prefix Network Services /56 256 Specific block chosen at a higher level

Region 1 Campus 1 Building 1 Loopbacks Network Services (DNS,DHCP) 2001:db8:1010:11ff::/64 2001:db8:ffff:ff00::/56 Region 1 Campus 1 Building 1 Links 2001:db8:1010:11fe::/64

• Planning and coordination is required • Network engineers & operators • Security engineers • Application developers • Desktop / Server engineers • Web hosting / content developers • Business development managers • …

• Preferred Method, Versatile, Scalable and Highest Performance

• No Dependency on IPv4, runs in parallel on the same HW

• No tunnelling, MTU, NAT or performance degrading technologies

• Does require IPv6 support on all devices Access Distribution Core Aggregation Access Layer Layer Layer Layer (DC) Layer (DC)

IPv6/IPv4 Dual-stack Hosts

IPv6/IPv4 Dual-stack Server

• Should we use both on the same link at Layer 3?

• Routing protocols OSPFv3, EIGRP combined or separate?

• Fate sharing between the data and control planes per protocol

Internet IPv4 & IPv6

OSPFv3 IPv4 & IPv6 2001:db8:1:1::/64 2001:db8:6:6::/64 EIGRP 198.51.100.0/24 192.168.4.0/24

• What if you have a server that needs Node1 more than 64k connections? 2001:db8:aa:1::1/64 • Use multiple addresses

• What if multiple apps want the same 2001:db8:aa::/48 Node2 (well-known) port? 2001:db8:aa:2::1/64 • Give each application/container a separate IPv6 address, DNS name

• Possible solution: Assign a /64 to each Node3 server 2001:db8:aa:3::1/64

[email protected] Acct-Session-Id=xyz • Acct-Status-Type=Start Framed-IP-Address=192.0.2.1 SLAAC address tracking Framed-IPv6-Address=fe80::d00d • Radius accounting, CAM table scrapes [email protected] Acct-Session-Id=xyz Acct-Status-Type=Alive Framed-IP- • Microsoft now supports RDNSS in RA’s Address=192.0.2.1 Framed-IPv6-Address=fe80::d00d Framed-IPv6-Address=2001:db8::d00d Framed-IPv6- DHCPv6 challenges Address=2001:db8::d00d • MAC address for reservations, inventory, tracking • Android does not support DHCPv6 DHCPv6 • Understand the implications of switching methods Server Internet • Inconsistent amongst the OS’s A B C RA

• Enable DHCPv6 via the M flag • Disable prefix auto configuration • Enable router preference to high • Enable DHCPv6 relay destination interface fastEthernet 0/0 ipv6 address 2001:db8:4646:acc1::1/64 ipv6 nd managed-config-flag ipv6 nd prefix default no-autoconfig ipv6 nd router-preference high ipv6 dhcp relay destination 2001:db8:4646::café

• FHRPs provide resilient default gateway • First hop address to end-stations

• IPv6 has a “built in” FHRP mechanism Si

• Neighbor Unreachability Detection (NUD) fe80::234 • HSRP, GLBP, and VRRP alternatives • Millisecond timers for fast convergence

• Preempt timers need to be tuned • To avoid black-holed traffic

• Similar to IPv4 from design perspective (odd/even prefix) HSRP HSRP Active Standby • Changes in Neighbour & Router Advertisement, Redirects

• Virtual MAC derived from HSRP group and virtual IPv6 LLA

• Protocol layers: • Layer 2 - 0005.73A0.0000-0F0F  3333.0000.0066 interface FastEthernet0/1 • Layer 3 – fe80::/64  ff02::66 ipv6 address 2001:DB8:66:67::2/64 • Layer 4 – UDP port 2029 (HSRPv6) standby version 2 standby 2 ipv6 autoconfig standby 2 timers msec 250 msec 800 standby 2 preempt Unix Host with GW of VIP standby 2 preempt delay minimum 180 unixhost# route -A inet6 | grep ::/0 | grep eth2 ::/0 fe80::5:73ff:fea0:1 standby 2 authentication cisco

• Modification to NA, default GW is announced via RA using vMAC

• AVG assigns vMAC’s and responds to NDP, directing hosts to the AVF’s interface fastethernet0/0 • Protocol layers: ipv6 address 2001:db8::/64 eui-64 glbp 8 ipv6 2001:db8::D38:C677:2925:8 • Layer 2 – 0007.B4xx.xx08  glbp 8 priority 110 3333.0000.0066 glbp 8 preempt • Layer 3 – fe80::/64  ff02::0100:5e00:66 glbp 8 load-balancing weighted • Layer 4 – UDP port 3222 (GLBPv6) glbp 8 weighting 110 lower 95 upper 105 glbp 8 authentication md5 key-string 7 XYZ

• Sub second failover possible, multi vendor interoperation

• Active/Standby design, Load Balancing via VLAN’s

• Protocol layers: • Layer 2 – 0000.5E00.02xx 3333.0000.0012 • Layer 3 – fe80::/64  ff02::12

• Layer 4 – IP protocol 112 fhrp version vrrp v3 ! interface fastethernet0/0 ipv6 address 2001:db8::/64 eui-64 vrrp 4 address-family ipv6 vrrp 4 address fe80::1 primary

#CLUS TECRST-1991 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 63 class-map match-any Critical_Data match dscp af21 QoS CLI class-map match-any Voice match dscp ef • Class maps can match both IPv4 and class-map match-all Scavenger IPv6 traffic match dscp cs1 class-map match-any Bulk_Data • Can be broken into “ip” and “ipv6” matching match dscp af11 ! • Design principles still the same policy-map DISTRIBUTION class Voice • Mark at the edge priority percent 10 • Trust boundaries still apply class Critical_Data bandwidth percent 25 • Queue sizing random-detect dscp-based Data class Bulk_Data Voice bandwidth percent 4 random-detect dscp-based class Scavenger Video bandwidth percent 1 Internet class class-default bandwidth percent 25 random-detect

• WLC version 8.x increases support of IPv6

• CAPWAP, SNMP, NTP, Radius, Syslog, CDP, WebAuth

• Interface groups, same SSID over multiple VLAN’s

• Radio is a shared media • Hosts must “awaken” to see if Multicast is for them • Multicast packets are not acknowledged or retransmitted • AP transmits bcast/mcast frames at the lowest possible rate

• Scaling 802.11 multicast reliability issues

• NDP process is multicast “chatty”, Unicasting reduces the effect

• Caching allows the Controller to “proxy” the NA, based on gleaning

00:24:56:75:44:33 2001:db8:0:20::2 (NS) 00:24:56:11:93:28 2001:db8:0:20::4 2

(Unicast NA) 4

• Rate limit RA’s from the legitimate router

• Inspect the RS, convert the responding RA to L2 Unicast

Periodic (RA’s)

Triggered (RA)

Router Solicitation (RS) #CLUS TECRST-1991 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 68 Is IPv6 more secure at the access layer? Neighbor Discovery Issue#1 StateLess Address Auto Configuration SLAAC Rogue Router Advertisement

RA w/o Any Authentication • Router Advertisements (RA) contains: Gives Exactly Same Level of Security as DHCPv4 - Prefix to be used by hosts (None) - Data-link layer address of the router - Miscellaneous options: MTU, DHCPv6 use, … MITM DoS

1. RS 2. RA 2. RA

1. RS: 2. RA: •Data = Query: please send RA •Data= options, prefix, lifetime, A+M+O flags

#CLUS TECRST-1991 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 70 Neighbor Discovery Issue#2 Neighbor Solicitation Security Mechanisms Built into Discovery Protocol = None A B Last Come is Used

=> Very similar to ARP Src = A Dst = Solicited-node multicast of B Attack Tool from THC: ICMP type = 135 Parasite6 Data = link-layer address of A Answer to all NS, Claiming Query: what is your link address? to Be All Systems in the Src = B LAN... Dst = A ICMP type = 136 A and B Can Now Exchange Data = link-layer address of B Packets on This Link

• GOOD NEWS: First-Hop-Security for IPv6 is available • First phase (Port ACL & RA Guard) available since Summer 2010 • Second phase (NDP & DHCP snooping) available since Summer 2011 • Third phase (Source Guard, Destination Guard) available since Summer 2013 • http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6- first_hop_security.html • Other GOOD NEWS: • Private VLAN works with IPv6 • Port security works with IPv6 • IEEE 801.X works with IPv6 (except downloadable ACL)

Mitigating Rogue RA: Host Isolation RA • Prevent Node-Node Layer-2 Promiscuous communication by using: Port

• Private VLANs (PVLAN) where nodes (isolated RA port) can only contact the official router (promiscuous port) Isolated Port • WLAN in ‘AP Isolation Mode’

• 1 VLAN per host (SP access network with RA Broadband Network Gateway) RA

• Link-local multicast (RA, DHCP) sent

only to the local official router: good RA • Effect: breaks Duplicate Address Detection

• Port ACL RA blocks all ICMPv6 RA from hosts ROUTER interface FastEthernet0/2 Device-role

ipv6 traffic-filter ACCESS_PORT in RA access-group mode prefer port

HOST • RAguard (12.2(50)SY, 15.0(2)SE) Device-role ipv6 nd raguard policy HOST device-role host

ipv6 nd raguard policy ROUTER device-role router RA ipv6 nd raguard attach-policy HOST vlan 100 RA interface FastEthernet0/0 ipv6 nd raguard attach-policy ROUTER RA

ND RA DHCPv6 Destination RA Source/Prefix Multicast Guard Guard Guard Throttle Guard Suppress

Protection: Protection: Protection: Protection: Facilitates: Reduces: • Invalid source • Rogue or • Invalid DHCP • DoS attacks • Scale • Control traffic address malicious RA Offers • Scanning converting necessary for • Invalid prefix • MiM attacks • DoS attacks • Invalid multicast proper link • MiM attacks • Source address destination traffic to operations to spoofing address unicast improve performance

Core Features Advance Features Scalability & Performance IPv6 Snooping

• Add an IPv6 address to a host, create AAAA record in DNS zone

• Only global or unique local,IPv4 do not use link local addressesIPv6

• Uses PTR records in “ip6.arpa” for reverse mapping

• External servers/services should have PTR records configured

• FunctionClients recieve DNS IPv4info from manual configuration, IPv6DHCPv6, RAs Hostname A Record AAAA Record (Quad A) to www.example.com. A 192.168.30.1 www.example.com AAAA 2001:db8:c18:1::2 IP Address IP Address PTR Record PTR Record To 1.30.168.192.in-addr.arpa. PTR 2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.0.0.8.1.c. Hostname www.example.com. 0.8.b.d.0.1.0.0.2.ip6.arpa PTR www.example.com.

• IPv6 only networks require IPv6 DNS servers • Each DNS server shouldIPv4 have its own /64 (2001:db8:4646::53)IPv6 • Dual stack networks can use either protocol as transport • IPv6 results can be carried over IPv4

• Successful DNS lookups over IPv6 require: • Each zone provide at least one name server with an IPv6IPv6 address • Clients accessing your site often do so via recursive servers • RS request your DNS info on behalf of the client

• Glue records bind the name server (NS1.example.com) NS1.example.com example.com • To the parent zone (example.com) Government Agencies recursive server A 198.51.100.10 AAAA 2001:db8:4646:1::a

example.com Internet

Who is www.example.com? www.example.com

Christopher Werny TECRST-1991

@bcp38_ Make the world a safer place

#CLUS IPv6 Support on the OS-Level IPv6 Privacy Extensions (RFC 4941)

• Enabled by default in Windows, Android, iOS, Mac OS/X, Linux • Retrieve previously stored value • Generate a new unique 64 bit id using MD5 hash operation • Ensure that the U/L bit is (0), Store the result for the next iteration /32 /48 /64 2001 DB8 0000 1234 Random Generated Interface ID

Recommendation: Good for the mobile user Lacks accountability in corporate networks Value changes with reboot or expiration of valid lifetime

• RID = hash (Prefix, Net_Iface, DAD_Counter, secret_key) • Generate IIDs that are stable/constant for each network interface. • IID’s change as hosts move from one network to another.

/32 /48 /64 2001 DB8 0000 1234 Random ID

Implementation of the RID is left to the OS Vendor and MAY differ between client and server.

• IPv6 is enabled by default and is preferred in Windows • Since Windows Vista and Server 2008

• Microsoft considers turning off IPv6 an unsupported configuration

• All current software solutions from Microsoft can run on IPv6 only • With little to no modification Application Layer

Transport Layer (TCP/UDP)

IPv6 IPv4

Network Interface Layer

• Windows supports SLAAC and DHCPv6 for address assignment

• These mechanisms are NOT mutually exclusive.

• SLAAC mechanism uses privacy extensions for address generation (see next slide).

• As of June 2019, Windows 10 (1809) does not support RFC 7217 style IID generation.

C:\Documents and Settings\>netsh netsh>interface ipv6 netsh interface ipv6>show address Querying active state... Interface 5: Local Area Connection Addr Type DAD State Valid Life Pref. Life Address ------Public Preferred 29d23h58m25s 6d23h58m25s 2001:db8:4646:1:4f02:8a49:41ad:a136 Temporary Preferred 6d21h48m47s 21h46m 2001:db8:4646:1:bd86:eac2:f5f1:39c1 Link Preferred infinite infinite fe80::4f02:8a49:41ad:a136

netsh interface ipv6>show route Querying active state... Publish Type Met Prefix Idx Gateway/Interface Name ------no Autoconf 8 2001:db8:4646:1::/64 5 Local Area Connection no Autoconf 256 ::/0 5 fe80::20d:bdff:fe87:f6f9

• For a long time, Windows did not support RDNSS Option with RAs.

• Things have changed starting in early 2017 when Microsoft released Windows 10 Creators Update (1703). • See https://insinuator.net/2017/05/one-step-closer-rdnss-rfc-8106-support-in- windows-10-creators-update/

• Beware: Windows Server 2016 still does NOT support RFC 8106.

• Linux has had IPv6 support since Kernel version 2.6.12 (2005) • Older versions will likely have unpredictable behavior

• DHCPv6 client support is version dependent • Edit /etc/dhcp/dhclient.conf to modify DHCPv6 client

• Client support for RDNSS not always enabled by default • Load and install rdnssd daemon

• IPv6 support in some form in the OSX v10.2 • Older versions likely unpredictable behavior

Source: Apple

• IPv6 support was “limited” until OSX 10.7 • DHCPv6 client • RDNSS Support Source: Apple • SLAAC private addressing

El Capitan • Since macOS Sierra – RFC 7217 support Source: Apple

• As of iOS 9, all iPhone/iPad apps will/must support native IPv6!

• Use the networking frameworks (i.e. “NSURLSession”)

• Avoid use of IPv4-specific APIs

• Avoid hard-coded IP addresses “If your application doesn’t work properly with IPv6, it will simply not function on those networks, those carriers and for those customers.”

Source: Apple - Sebastien Marineau VP Core OS

• On Wi-Fi networks, SLAAC must be enabled for an Android handset or tablet to obtain an IPv6 address

• Android supports RFC 8106 so it can learn the IPv6 address of the DNS resolver via an RA

• Supports 464xlat since 4.3

• Some limitations due to lack of support for DHCPv6 client • Fair phone being the exception

• IPv6 provides two mechanisms for one task, that is provisioning of IP parameters to nodes.

• They are independent. • Well, mostly.

• In many environments both of them are needed, in some combination. • In particular this applies in (wrt OSs, devices) heterogeneous environments. Read: probably in pretty much all of your environments.

• In some environments different groups might be responsible for operating them. • Why did you add this to the “problem statement“? Well...

• There‘s differences as for the degree of vendor support & their strategies.

https://www.ernw.de/download/ERNW_Whitepaper_IPv6_RAs_RDNSS_Conflicting_Parameters_2nd_Iteration_July_2017_v1.1.pdf

• Some IPv6 RFCs merely serve as an indication & inspiration how things could be implemented.

• In complex & heterogeneous network you may expect surprises when it comes to the actual behavior of IPv6 nodes.

• Get your hands dirty, and (re-) read RFC 3439.

• Fully Static Configuration

• “Hybrid” with Static Address but Default Route via RA

• Stable Addresses [RFC 7217] with Dynamic DNS Updates

• DHCPv6 with Reservations

• All parameters are configured in a static manner.

• Disable dynamic IPv6 mechanisms on the local system • e.g. processing of router advertisements • DHCPv6 client.

• Results in a “deviation from default”

• Might pose operational challenges • Keep system state over the whole lifecycle

• Advantages • Accommodates human desire to be in control • High level of predictability and traceability if properly applied • Good resistance against RA-related attacks

• Disadvantages • Requires significant operations effort to be configured • Networks dynamics might lead to the need to renumber which still needs work (RFC 5887). • Violates core IPv6 principles (RAs being the “source of life” for an IPv6 stack).

• Accompanying Configuration of (L3) Devices • No RAs needed at all. • e.g. “ipv6 nd suppress all” on Cisco IOS • Occurrence of RAs in the local subnet would raise suspicion • Combination of RA guard and “ipv6 snooping logging packet drop”

• Configure IP address and NTP server(s) in a static manner.

• Configure DNS server(s) in a static manner or learn them from RAs (currently not supported on Windows OS).

• Get default gateway from Ras.

• Advantages • Does not require disabling of local RA processing • Higher degree of flexibility (e.g. changing DNS resolvers) • Local system interaction with FHRP protocols may work more smoothly (mentioned by some people, but not confirmed yet!)

• Disadvantages • Reasonable RA-related security only with RA guard AND RFC 6980 support on the server OSs • RFC 6980 support on Linux systems by default, but “it depends” for Windows OS. • Alternatively Port- or VLAN-based ACLs • ACLs potentially not being desirable option from operations perspective ;-)

• Accompanying Configuration of (L3) Devices • Clear prefix information option (PIO) in RAs • e.g. “ipv6 nd prefix 2001:db8:1:1::/64 no-advertise” on Cisco IOS • Add option 25 (RDNSS) and potentially option 31 (DNSSL) to RAs • e.g. “ipv6 nd ra dns server 2001:db8:1:1::53” on Cisco IOS

• Generate a static SLAAC address • As long as the system is in the same subnet

• Populate DNS with this address • Assuming communication only via systems DNS name

• NTP servers have to be distributed by other means.

• Also: RFC 8064 Recommendation on Stable IPv6 Interface Identifiers

• Advantages • Doesn’t need much tweaking of router advertisements • Serves objectives predictability and traceability • Low renumbering effort in case of network changes (system moves to another subnet)

• Disadvantages • Involved systems must support RFC 7217 • Unauthenticated DNS updates will be required • Windows systems currently not fulfill the requirements (RFC 6106 and 7217) • Protection from rogue RAs requires RA Guard AND RFC 6980 (or Port- /VLAN-based ACLs) • Distribution of NTP servers to be done by some other means.

• Accompanying Configuration of (L3) Devices • Default, but RDNSS must be distributed via RAs • Optionally clear L-flag in PIO for PVLAN-like behavior. • This type of isolation can easily be circumvented by an attacker with high privileges on local system by adding host routes [for systems to-be-attacked] or a “network“ route for the local subnet)

• To some extent familiar from the IPv4 world.

• Reservations needed on $DHCP_SERVER. • Initial DHCPv6 procedure might require somewhat manual interaction • Or heavy configuration tweaking

• Support of RFC 6939 is usually necessary.

• Advantages • The closest you can come to centralized IP parameter provisioning (and administration). • Supports predictability and traceability. • IPv6 Addresses, DNS resolver(s) and NTP server(s) can all be distributed.

• Disadvantages • DHCPv6 often turns out to be a somewhat unreliable/immature beast. • Need of RFC 6939 support might be a show-stopper. • To the best of our knowledge it’s not supported in Cisco IOS so far. • But available (and even enabled by default) in IOS-XE.

• Accompanying Configuration of (L3) Devices • Configure everything that’s needed to operate DHCPv6 (m-flag in RAs et al.)… • Optional L-flag in the PIO if needed.

• In the IPv6 world there‘s several options to configure systems with a “proper set of IP parameters“ • Carefully consider advantages/disadvantages. • Going with “fully static“ usually *not* a good option. • Several parameters have to be considered.

• The task is hindered by inconsisted support of parameters by different OSs. • As so often in IPv6 thorough testing is key.

9 June 2019 / 9:00 TECRST-1991 Introduction to IPv6: Connecting nodes to the IPv6 access network 9 June 2019 / 14:00 TECRST-2001 Designing and deploying a security IPv6 network 10 June 2019/ 8:00 BRKRST-2619 IPv6 Deployment: Developing an IPv6 Addressing Plan and Developing IPv6 10 June 2019/ 8:00 BRKSPG-3001 Introduction to SRv6 technology 10 June 2019 / 13:00 BRKSPG-2602 IPv4 Exhaustion: IPv6 Transition and NAT Architectures

11 June 2019 / 8:00 BRKSEC-3018 IPv6 AAA, Port-Based auth and Security Implementation

11 June 2019/ 13:00 LTRRST-2016 IPv6 in the Enterprise for Fun and (fake) Profit: A Hands-On Lab

12 June / 8:00 BRKSEC-3200 Advanced IPv6 Security Threat and Mitigation

12 June / 8:00 BRKMPL-2132 Designing and deploying SRv6 networking

12 June / 13:00 BRKRST-3304 Hitchhiker's Guide to Troubleshooting IPv6

LABRST-2261 IPv6 planning, deployment and transition LABRST-1000 Intro IPv6 Addressing and Routing Lab LABSPG-1327 Introduction to Segment Routing v6 (SRv6) with IOS-XR

#CLUS BRKRST-3304 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 123 Complete your online session • Please complete your session survey after each session. Your feedback evaluation is very important.

• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.

• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.

Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.

Demos in the Walk-in labs Cisco campus

Meet the engineer Related sessions 1:1 meetings

#CLUS #CLUS