Monday, February 6, 2012

IPV6 OVERVIEW
--------------
RFC 2460: Internet Protocol, Version 6 (IPv6) Specification
Much larger address space than IPv4
IPv4 uses a 4-byte (32-bit) address
2^32 = 4,294,967,296 addresses
IPv6 uses a 16-byte (128-bit) address
2^128 = about 340 undecillion addresses

IPV6 Packet Format
---------------------------



If we take a look at the IPv6 header, the Traffic Class field is the replacement for the TOS field, so it is used for QoS. It is defined for DSCP rather than for IP precedence as in the IPv4 TOS bits.

The Flow Label is used for real-time datagram delivery and quality of service. A unique flow label identifies the datagrams that belong to the same flow, so the routers between the source and destination handle them the same way along the path. So we could have a video flow labelled with a flow label to ensure it is delivered with minimal latency. The flow label is still under development.

Payload Length is like the Total Length field in IPv4. The big change is that we do not count the IPv6 header; only the payload is counted.

The Next Header field is the replacement for the Protocol field in IPv4. It tells what the next protocol is after the IPv6 header, typically TCP or an extension header. It is also what allows IPv6 to get rid of the IPv4 Options field. The Options field in IPv4 gave additional information on how the router should process the packet; this was a slow-down point, as every router had to process the variable-length Options field. In IPv6, options are carried in extension headers. The Next Header field is a fixed size and simply references the next extension header; that extension header then references the next one (for example ESP), and so on. It is a way of keeping the main IPv6 packet header a fixed size rather than a variable size. We only add extension headers to the packets that require them. In the above we see a hop-by-hop extension header and an ESP extension header.

The Hop Limit is the replacement for TTL. It is a value from 0 to 255; the default is 128. It prevents packets from looping endlessly in an IP network.


Extension headers
-------------------
There are different types of extension headers:

- Hop-by-Hop extension header: needs to be processed by each hop.
- Destination extension: need only be examined by the destination.
- Routing extension: methods to specify the route for a datagram (used with Mobile IPv6).
- Fragment extension: contains parameters for fragmentation of datagrams.
- Authentication Header (AH), Next Header value 51: contains information used to verify the authenticity of most parts of the packet.
- Encapsulating Security Payload (ESP), Next Header value 50: carries encrypted data for secure communication.
- Destination Options (before upper-layer header), Next Header value 60: options that need to be examined only by the destination of the packet.
- Mobility (currently without upper-layer header), Next Header value 135: parameters used with Mobile IPv6.

Basically, each extension header has its own Next Header field, so the main IPv6 header references the first extension header, which then references the next one, and so on.
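
The Next Header chaining described above, as an added example (not code from the original post): a Python sketch that decodes the fixed 40-byte header and follows Next Header through the extension headers until it reaches the upper-layer protocol, rejecting chains whose length bytes run past the payload. The sample packet is constructed, and protocol numbers other than 50, 51, 60 and 135 are the standard IANA values rather than values given on this page.

```python
import struct

# 50, 51, 60 and 135 appear on the page; the other numbers are IANA values.
NAMES = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 50: "ESP", 51: "AH",
         60: "Destination Options", 135: "Mobility", 6: "TCP", 17: "UDP",
         58: "ICMPv6", 59: "No Next Header"}
# ESP (50) is absent: its contents are encrypted, so the walk ends there.
WALKABLE = {0, 43, 44, 51, 60, 135}


def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header (addresses are skipped)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word0 >> 28 != 6:
        raise ValueError("version field is not 6")
    return {"traffic_class": (word0 >> 20) & 0xFF, "flow_label": word0 & 0xFFFFF,
            "payload_len": payload_len, "next_header": next_hdr, "hop_limit": hop_limit}


def walk_chain(pkt: bytes, max_headers: int = 8) -> list:
    """Follow Next Header from the fixed header to the upper-layer protocol."""
    hdr = parse_fixed_header(pkt)
    end = min(len(pkt), 40 + hdr["payload_len"])  # payload length excludes the 40 bytes
    nh, off, chain = hdr["next_header"], 40, []
    while True:
        chain.append(NAMES.get(nh, f"protocol {nh}"))
        if nh not in WALKABLE:
            return chain
        if len(chain) > max_headers:
            raise ValueError("extension header chain too long")
        if off + 8 > end:
            raise ValueError("extension header runs past the payload")
        following, length = pkt[off], pkt[off + 1]
        if nh == 44:
            size = 8                      # Fragment header has a fixed size
        elif nh == 51:
            size = (length + 2) * 4       # AH length is in 32-bit words
        else:
            size = (length + 1) * 8       # others: 8-octet units past the first 8
        if off + size > end:
            raise ValueError("extension header length exceeds the payload")
        nh, off = following, off + size


def build_sample() -> bytes:
    """Constructed packet: Hop-by-Hop -> Destination Options -> ICMPv6 echo."""
    hbh = bytes([60, 0, 1, 4, 0, 0, 0, 0])     # next=60, len=0, PadN option
    dst = bytes([58, 0, 1, 4, 0, 0, 0, 0])     # next=58 (ICMPv6), PadN option
    icmp = bytes([128, 0, 0, 0, 0, 1, 0, 1])   # echo request, checksum left zero
    payload = hbh + dst + icmp
    fixed = struct.pack("!IHBB", (6 << 28) | (224 << 20), len(payload), 0, 64)
    return fixed + bytes(15) + b"\x01" + bytes(15) + b"\x01" + payload
```

`walk_chain(build_sample())` returns the three names in order; a filter or IDS rule that only looks at the first Next Header value would see 0 (Hop-by-Hop) and never reach the ICMPv6 payload.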



Security in IP header
----------------------

The security elements are also dealt with by extension headers.

AH extension: the purpose of the Authentication Header is to convey the authentication information in the IP datagram. The authentication information is calculated using all the fields of the datagram that do not change in transit.

     +---------------+---------------+---------------+---------------+
     | Next Header   | Length        |           RESERVED            |
     +---------------+---------------+---------------+---------------+
     |                    Security Parameters Index                  |
     +---------------+---------------+---------------+---------------+
     |                                                               |
     +     Authentication Data (variable number of 32-bit words)     |
     |                                                               |
     +---------------+---------------+---------------+---------------+
      1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8 
  • The 8-bit Next Header field identifies the next payload after the Authentication Payload.
  • The 8-bit Payload Length field indicates the length of the Authentication Data field in 32-bit words.
  • The 16-bit Reserved field is reserved for future use. It shall be set to all zeros when sent.
  • The 32-bit SPI field identifies the security association for this datagram.
  • The Authentication Data field has a variable length and its contents depend on a specification.

The calculation of the authentication data occurs prior to fragmentation for outbound datagrams and after reassembly for inbound datagrams.

I am not really going to get into how this is calculated, as this would be more CCIE Security than Routing and Switching.

AH and ESP can be used independently; if used together, AH comes before ESP.

ESP is part of the IPsec protocol suite. The purpose of the Encapsulating Security Payload is to convey the encrypted data of the IP datagram. The encrypted data is obtained by applying a specified encryption transform to the data to be protected.

IPV4 vs IPV6 address format
-----------------------------
IPv4 uses dotted decimal
 - d.d.d.d
 - d = one byte
IPv6 uses hexadecimal
 - hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh
 - hh = one byte

Address Type ID
---------------
Address type                          Binary prefix         IPv6 notation
Unspecified                           00..0 (128 bits)      ::/128
Loopback (equivalent to 127.0.0.0)    00..1 (128 bits)      ::1/128
Multicast                             11111111              FF00::/8
Link-local unicast (169.254.)         1111111010            FE80::/10

Global unicast is everything else.


IPV6 Link Local Address
-----------------------
Address locally significant to the link
 - FE80::/10 (1111111010)
RFC 4291
Never routable between interfaces
These addresses are used for
 - Stateless Address Autoconfiguration
 - Neighbor Discovery
 - Router Discovery

So every time we assign an IPv6 address on a NIC, it will automatically assign a link-local address; this is derived from the MAC address.

These addresses are the core of router discovery; it would be technically possible to run the entire routing domain on link-local addresses.



IPV6 Site Local Address
-----------------------
These are deprecated, as no one could agree on the definition of a site.

Address is locally significant to a site
 - FEC0::/10 (1111111011)
RFC 1884

IPV6 Unique Local Address
-------------------------
ULA is private-use IPv6 addressing
  - FC00::/7 (1111110)
RFC 4193: Unique Local IPv6 Unicast Addresses
Equivalent to RFC 1918
   - 10.0.0.0/8   172.16.0.0/12   192.168.0.0/16
Likely unique owing to the sheer size of the address space, but not routable via global BGP

IPV6 Global Unicast Address
---------------------------
Technically everything else
 - IANA is currently allocating from 2000::/3
Per the RFC, end hosts must have a 64-bit interface ID
 - nnnn:nnnn:nnnn:nnnn:hhhh:hhhh:hhhh:hhhh
 - Uses EUI-64 format for the interface ID

Modified EUI-64 Addressing
---------------------------
RFC 4291
It uses an Ethernet MAC to EUI-64 conversion
  - invert the universal/local (U/L) bit (7th most significant bit)
  - insert padding of 0xFF 0xFE in the middle

EUI-64 to MAC conversion
----------------------------
So we have a link-local address of FE80::20D:BCFF:FE1F:8C00
We take the portion
020D
We take the first byte of this
02
0x02 = 0000 0010 in binary
We invert the 7th bit
0000 0000
and we remove the padding (FF FE)
000D:BC1F:8C00

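
The conversion above in both directions, as an added example (not from the original post), run against addresses that appear on this page. The function names are illustrative; the reverse function also shows that an interface ID built this way carries the NIC's MAC address, so anyone who sees the address can recover the hardware address.

```python
import ipaddress


def mac_to_interface_id(mac: str) -> bytes:
    """Modified EUI-64: flip the U/L bit and insert FF FE in the middle."""
    raw = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """FE80::/64 followed by the modified EUI-64 interface ID."""
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + mac_to_interface_id(mac))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would autoconfigure from an advertised /64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs need a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8]
                                 + mac_to_interface_id(mac))


def mac_from_address(addr: str):
    """Reverse step: return the MAC (Cisco dotted form) or None if the
    interface ID does not carry the FF FE padding."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ".".join(raw.hex()[i:i + 4] for i in (0, 4, 8))


if __name__ == "__main__":
    # Addresses taken from this page: the worked example and the lab output.
    for a in ("FE80::20D:BCFF:FE1F:8C00", "FE80::213:19FF:FED6:F4D2",
              "2001:155:0:58:21B:2BFF:FEEC:83C4", "2001:155:0:58::5"):
        print(a, "->", mac_from_address(a))
```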
IPV6 ADDRESS RESOLUTION
------------------------
RFC 4861
ICMPv6 ND is used for layer 2 resolution

Ethernet
 - ICMPv6 ND replaces ARP

NBMA
 - Inverse ND; this is not in use on Cisco IOS yet, so we need to use static layer 3 to layer 2 mappings

After we put an IPv6 address on an interface, ICMPv6 ND (Neighbor Discovery) runs DAD (Duplicate Address Detection). This makes sure there is no address conflict on the link; if the address is not unique, the assignment is not allowed. Once the address is confirmed unique, the node sends out an NA (Neighbor Advertisement) so that its neighbors can update their MAC-to-IP cache, effectively the equivalent of the ARP cache in IPv4.

The interface will auto-generate a link-local address based on its BIA; it will also do DAD and NA for this address.

You need to enable IPv6 routing globally with the command
ipv6 unicast-routing

When you enable this command, the router starts advertising an RA (Router Advertisement) on the segment. This contains the prefix the interface is using, so that devices on the segment can autoconfigure using EUI-64.

To enable an interface to autoconfigure, use the following commands
int fa0/1
ipv6 address autoconfig


IPV6 NEIGHBOR DISCOVERY
------------------------------------
As briefly discussed above, IPv6 has 5 message types for neighbor discovery.

1)Router Solicitation (ICMPv6 type 133)
 ---------------------------------------------
- The purpose of the Router Solicitation is to allow a host to autodiscover routers without waiting for the RA.

In the Ethernet header of the Router Solicitation message, you will find the following settings:

The Source Address field is set to the MAC address of the sending network adapter.

The Destination Address field is set to 33-33-00-00-00-02.

In the IPv6 header of the Router Solicitation message, you will find the following settings:

The Source Address field is set to either a link-local IPv6 address assigned to the sending interface or the IPv6 unspecified address (::).

The Destination Address field is set to the link-local scope all-routers multicast address (FF02::2).

The Hop Limit field is set to 255 

2)Router Advertisement (ICMPv6 type 134)
----------------------------------------------
Sent intermittently by the router on the link. It contains the information required by hosts to determine the link prefixes, the link MTU, specific routes, whether or not to use address autoconfiguration, and the duration for which addresses created through address autoconfiguration are valid and preferred.

In the IPv6 header of the Router Advertisement message, you will find the following settings:

The Source Address field is set to the link-local address assigned to the sending interface.
The Destination Address field is set to either the link-local scope all-nodes multicast address (FF02::1) or the unicast IPv6 address of the host that sent the Router Solicitation message from a unicast address.
The Hop Limit field is set to 255.

3)Neighbor Solicitation (ICMPv6 type 135)
---------------------------------------------------

IPv6 nodes send the Neighbor Solicitation message to discover the link-layer address of an on-link IPv6 node or to confirm a previously determined link-layer address. It typically includes the link-layer address of the sender. Typical Neighbor Solicitation messages are multicast for address resolution and unicast when the reachability of a neighboring node is being verified.

4)Neighbor Advertisement (ICMPv6 type 136)
--------------------------------------------------
An IPv6 node sends the Neighbor Advertisement message in response to a Neighbor Solicitation message. An IPv6 node also sends unsolicited Neighbor Advertisements to inform neighboring nodes of changes in link-layer addresses or the node's role. The Neighbor Advertisement contains information required by nodes to determine the type of Neighbor Advertisement message, the sender's role on the network, and typically the link-layer address of the sender.

5) Redirect (ICMPv6 type 137)
-----------------------------------
The Redirect message is sent by an IPv6 router to inform an originating host of a better first hop address for a specific destination. Redirect messages are sent only by routers for unicast traffic, are unicast only to originating hosts, and are processed only by hosts.
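
The header rules listed above for Router Solicitation and Router Advertisement, turned into a check a monitoring script could run on observed messages (an added example, not from the original post). The function names and the sample tuples are constructed for illustration; the page states the hop limit of 255 for RS and RA, and applying it to all five message types is the RFC 4861 requirement.

```python
import ipaddress

ND_TYPES = {133: "Router Solicitation", 134: "Router Advertisement",
            135: "Neighbor Solicitation", 136: "Neighbor Advertisement",
            137: "Redirect"}
ALL_NODES = ipaddress.IPv6Address("ff02::1")
ALL_ROUTERS = ipaddress.IPv6Address("ff02::2")


def multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 multicast group: 33-33 + low 32 bits."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError("not a multicast address")
    return "-".join(f"{b:02X}" for b in b"\x33\x33" + addr.packed[12:])


def check_nd(icmp_type: int, src: str, dst: str, hop_limit: int) -> list:
    """Return findings for one ND message; an empty list means it conforms."""
    if icmp_type not in ND_TYPES:
        return ["not a Neighbor Discovery message"]
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    name, findings = ND_TYPES[icmp_type], []
    if hop_limit != 255:
        # A packet that crossed a router arrives with a lower hop limit.
        findings.append(f"{name}: hop limit {hop_limit}, expected 255")
    if icmp_type == 133:
        if not (s.is_link_local or s.is_unspecified):
            findings.append(f"{name}: source {s} is neither link-local nor ::")
        if d != ALL_ROUTERS:
            findings.append(f"{name}: destination {d} is not FF02::2")
    elif icmp_type == 134:
        if not s.is_link_local:
            findings.append(f"{name}: source {s} is not link-local")
        if d.is_multicast and d != ALL_NODES:
            findings.append(f"{name}: multicast destination {d} is not FF02::1")
    return findings


# Constructed observations: (type, source, destination, hop limit). The first
# mirrors the RA in the lab debug output; the second is deliberately malformed.
SAMPLES = [(134, "FE80::213:19FF:FED6:F4D2", "FF02::1", 255),
           (134, "2001:155:0:58::99", "FF02::1", 64)]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, check_nd(*sample) or "ok")
```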



LAB
----

R5
---
r5#debug ipv6 packet detail
IPv6 unicast packet debugging is on (detailed)
r5#debug ipv6 nd
ICMP Neighbor Discovery events debugging is on

I will enable IPv6 globally
r5(config)#ipv6 unicast-routing
Then for the interface I will use my fa0/0 connecting to s2

r5(config)#int fa0/0
r5(config-if)#ipv6 address 2001:155:00:58::5/64
r5(config-if)#
*Feb  6 00:30:14.311: IPv6: Sending on FastEthernet0/0
*Feb  6 00:30:14.559: ICMPv6-ND: DAD: FE80::213:19FF:FED6:F4D2 is unique.
*Feb  6 00:30:14.559: ICMPv6-ND: Sending NA for FE80::213:19FF:FED6:F4D2 on FastEthernet0/0
*Feb  6 00:30:14.559: IPV6: source FE80::213:19FF:FED6:F4D2 (local)
*Feb  6 00:30:14.559:       dest FF02::1 (FastEthernet0/0)
*Feb  6 00:30:14.559:       traffic class 224, flow 0x0, len 72+8, prot 58, hops 255,
originating
*Feb  6 00:30:14.559: IPv6: Sending on FastEthernet0/0
*Feb  6 00:30:14.559: ICMPv6-ND: Linklocal FE80::213:19FF:FED6:F4D2 on FastEthernet0/0, Up
*Feb  6 00:30:14.559: ICMPv6-ND: Request to send RA for FE80::213:19FF:FED6:F4D2
*Feb  6 00:30:14.559: ICMPv6-ND: Sending RA from FE80::213:19FF:FED6:F4D2 to FF02::1 on
FastEthernet0/0
Feb  6 00:30:15.559: IPv6: Sending on FastEthernet0/0
*Feb  6 00:30:15.563: ICMPv6-ND: DAD: 2001:155:0:58::5 is unique.
*Feb  6 00:30:15.563: ICMPv6-ND: Sending NA for 2001:155:0:58::5 on FastEthernet0/0
*Feb  6 00:30:15.563: IPV6: source 2001:155:0:58::5 (local)
*Feb  6 00:30:15.563:       dest FF02::1 (FastEthernet0/0)
*Feb  6 00:30:15.563:       traffic class 224, flow 0x0, len 72+8, prot 58, hops 255,
originating
*Feb  6 00:30:15.563: IPv6: Sending on FastEthernet0/0
*Feb  6 00:30:15.563: ICMPv6-ND: Address 2001:155:0:58::5/64 is up on FastEthernet0/0
*Feb  6 00:30:15.811: IPV6: source FE80::213:19FF:FED6:F4D2 (local)
*Feb  6 00:30:15.811:       dest FF02::16 (FastEthernet0/0)
*Feb  6 00:30:15.811:       traffic class 224, flow 0x0, len 76+0, prot 0, hops 1,
originating
*Feb  6 00:30:15.811: IPv6: Sending on FastEthernet0/0
*Feb  6 00:30:30.655: ICMPv6-ND: Request to send RA for FE80::213:19FF:FED6:F4D2
*Feb  6 00:30:30.655: ICMPv6-ND: Sending RA from FE80::213:19FF:FED6:F4D2 to FF02::1 on
FastEthernet0/0
*Feb  6 00:30:30.655: ICMPv6-ND:     MTU = 1500
*Feb  6 00:30:30.655: ICMPv6-ND:     prefix = 2001:155:0:58::/64 onlink autocon
OK, so we can see that ICMPv6 ND ran for the two addresses: the link-local address, which was self-generated based on the BIA of the interface, and the global address that I assigned. Both were found unique and ND was sent out. Also, an RA was sent on the segment advertising the prefix for autoconfig

*Feb  6 00:30:30.655: ICMPv6-ND:     prefix = 2001:155:0:58::/64 onlink autoconfig

On s2
--------
It is not recognising the ipv6 command
s2(config)#ipv6 ?
% Unrecognized command
s2(config)#
I need to change the sdm profile

s2(config)#sdm prefer dual-ipv4-and-ipv6 routing
OK, now I enable IPv6 routing, and I have changed the int vlan 58 interface to autoconfig
s2(config)#ipv6 unicast-routing
s2(config)#int vlan 58
s2(config-if)#ipv6 address autoconfig

I am getting an address
s2#sh ipv6 int brief
Vlan1                      [administratively down/down]
Vlan58                     [up/up]
    FE80::21B:2BFF:FEEC:83C4
    2001:155:0:58:21B:2BFF:FEEC:83C4
and I can ping r5 successfully

s2#ping ipv6 2001:155:0:058::5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:155:0:58::5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms

R5
---

OK, on r5 I am now going to enable an IPv6 address on the frame-relay interface

r5(config)#ipv6 unicast-routing
r5(config)#int s0/0/0
r5(config-if)#ipv6 address 2001:155::5/64
r5(config-if)#no shut
r5(config-if)#exit
r5(config)#

R1
---
r1(config)#ipv6 unicast-routing
r1(config)#int s0/0
r1(config-if)#ipv6 address 2001:155::1/64
r1(config-if)#no shut
r1(config-if)#exit

r1#sh ipv6 route
IPv6 Routing Table - 4 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
C   2001:155::/64 [0/0]
     via ::, Serial0/0
L   2001:155::1/128 [0/0]
     via ::, Serial0/0
L   FE80::/10 [0/0]
     via ::, Null0
L   FF00::/8 [0/0]
     via ::, Null0
r1#

r1#ping 2001:155::5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:155::5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
r1#

r5
--
r5#ping ipv6 2001:155::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:155::1, timeout is 2 seconds:
*Feb  6 19:35:54.859: Serial0/0/0:Encaps failed--no map entry link 79(IPV6).
*Feb  6 19:35:55.959: Serial0/0/0(i): dlci 503(0x7C71), pkt type 0x800, datagramsize 64
*Feb  6 19:35:56.455: Serial0/0/0(i): dlci 502(0x7C61), pkt type 0x800, datagramsize 64
*Feb  6 19:35:56.859: Serial0/0/0:Encaps failed--no map entry link 79(IPV6)
*Feb  6 19:35:57.251: Serial0/0/0: broadcast search
*Feb  6 19:35:57.251: Serial0/0/0: Broadcast on DLCI 501  link 7
*Feb  6 19:35:57.251: Serial0/0/0(o): dlci 501(0x7C51), pkt type 0x800(IP), datagramsize 64

It is failing on r5 and we were getting encap failed, so it cannot recurse the address layer 2 to layer 3

r5(config-if)#frame-relay map ipv6 2001:155::1 501

r1
--
r1(config)#int s0/0
r1(config-if)#frame-relay map ipv6 2001:155::5 105
r1(config-if)#


r1#ping 2001:155::5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:155::5, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 64/64/68 ms
r1#

Now that we can recurse it, we are able to ping
r1#sh frame-relay map
Serial0/0 (up): ip 155.0.0.2 dlci 102(0x66,0x1860), dynamic,
              broadcast,, status defined, active
Serial0/0 (up): ip 155.0.0.3 dlci 103(0x67,0x1870), dynamic,
              broadcast,, status defined, active
Serial0/0 (up): ip 155.0.0.4 dlci 104(0x68,0x1880), dynamic,
              broadcast,, status defined, active
Serial0/0 (up): ipv6 2001:155::5 dlci 105(0x69,0x1890), static,
              CISCO, status defined, active
Serial0/0 (up): ip 155.0.0.5 dlci 105(0x69,0x1890), static,
              broadcast,
              CISCO, status defined, active
r1#
