Technology

cu.ipv6tf.org

Technology

OUR 15TH YEARCISCO SYSTEMS USERS MAGAZINE FIRST QUARTER 2003IntegratedSecurity 22Safeguarding theNetwork from Within18 IPv6 AddressingStrategies55 Managed Serviceson the Rise68 From NetworkingAcademy toHot Hires41 Special Report:Build a WinningBusiness Casecisco.com/go/packetReprinted with permission from Packet ® magazine (Volume 15, No. 1), copyright © 2003 by Cisco Systems, Inc. All rights reserved.


TechnologyI P V 6 A D D R E S S I N GIPv6 Time Is NowA Primer on How IPv6 Addresses Are Constructed and the Benefitsof this Next-Generation TechnologyBY RAJ GULANITHE CURRENT INTERNET ADDRESSprotocol has a potential of about 4 billionpublic 32-bit addresses. Shortages, so far causedprimarily by allocation, have already forcedmany Internet users to make do with Network AddressTranslation (NAT) or private addresses piggybacking onpublic ones. What’s more, the number of 32-bit addresses,governed by IP Version 4 (IPv4), is already shortchangingsome areas of the world, particularly the Far East. Itwill be wholly inadequate after devices needing Internetconnectivity are placed in mobile phones, personal digitalassistants (PDAs), vehicles, appliances, and an as-yetunimaginable list of other devices.The solution to the shortage of addresses that hasbeen adopted by IP standards bodies around the worldis a new address format of 128 bits, part of a protocolknown as Internet Protocol Version 6 (IPv6). The 128-bit length was chosen because it creates an optimumnumber of addresses in a header of workable size. Andit will expand the number of public addresses to340,232,366,920,938,463,374,607,431,768,211,456,or 3.4 x 10 38 .Work has been underway for a decade, and IPv6addressing and IPv6 networks are now realities. A numberof academic and government networks alreadycarry IPv6 traffic shifting from the experimental IPv6backbone (also known as 6Bone networks) to productiondual-purpose IPv4 and IPv6 networks now underconstruction. Cisco has been involved in IPv6 developmentsince its inception. In addition to being a foundingmember of the IPv6 Forum and co-chair of theInternet Engineering Task Force (IETF) IPv6 andTransition (NGTrans) Working Group for severalyears, Cisco runs a well-known 6Bone routerthat helps up to 70 other companies make theirfirst IPv6 steps, and acts as an IPv6 to IPv4 relayfor individual users or small companies. And itsimplementation of the protocol on Cisco IOS ®platforms was one of the industry’s first officialIPv6 support in a broad product portfolio.The same registries that now allocateIPv4 addresses—the Asia Pacific NetworkInformation Center (APNIC) for Asia, theAmerican Registry for Internet Numbers (ARIN)for the Americas, and the Reseaux IP Europeens-Network Coordination Center (RIPE-NCC) forEurope and the Middle East—will allocate IPv6addresses to Internet service providers (ISPs) andNational Research Networks (NRN), who will continueto assign them to end users.This article explores the five major areas of changebrought about by IPv6:■ Enhanced address space■ Header format simplification■ Enhanced routing protocol support■ Security and mandated IP Security (IPSec) support■ Enhanced support for Mobile IPEnhanced Address SpaceThe 128 bits in the IPv6 address space are broken downinto eight groups of 16 bits, each of which can be representedin text as a hexadecimal value. The text addressthen reads x:x:x:x:x:x:x:x, where each “x” represents a givenhexadecimal value.Typical addresses would be written as2031:0000:130F:0000:0000:09C0:876A:130B.Because of the methods used for allocating addresses,IPv6 may contain long strings of zeros. It is acceptableto substitute a pair of colons “::” anywhere in theaddress to represent and thus compress two or more 16-bit groups of zeros in a string.The above address wouldthen be written: 2031:0000:130F::09C0:876A:130B. Asa computer expands the “::” with 0 to get 128 bits, anaddress may not contain more than one set of pairedcolons, as it won’t be possible to determine how manyzeros in each segment.RAJ GULANIRAJ GULANI, CCIE ® , is a manager oftechnology marketing at Cisco. He haspresented at Networkers and various othertechnical forums. With a Bachelor’s Degreein Engineering (Electronics) from BombayUniversity, India, Gulani’s networking careerspans more than eight years. In 1997, hestarted his career at Cisco in CustomerAdvocacy as a Technical Assistance Center(TAC) engineer focusing on WAN and broadbandtechnologies, and moved on to leadnetwork design engineer in the AdvancedNetwork Services Group. He can be reachedat rgulani@cisco.com.R O B B R O D M A N18 PACKET FIRST QUARTER 2003 CISCO SYSTEMSReprinted with permission from Packet ® magazine (Volume 15, No. 1), copyright © 2003 by Cisco Systems, Inc. All rights reserved.


TechnologyI P V 6 A D D R E S S I N GAn alternative form (nearly deprecated) for theaddress is x:x:x:x:x:x:d:d:d:d, in which the “x’s” are hexadecimalvalues of the six higher-order 16-bit piecesand the “d’s” represent the decimal values of the fourlower-order 8-bit pieces. The latter portion is thestandard IPv4 address, and this form would be usedwhen configuring automatic IPv6 tunnels through anIPv4 network. This particular format has shown someoperational challenges, so its use is discouraged.An IPv6 address typically has two major 64-bitparts: the network prefix, which contains the registry,provider, subscriber ID, and subnet, and occupies thehigher order groups of bits; and the interface ID, whichoccupies the lower ones. Bits within these groupings areallocated according to the specific requirements of varioustypes of addresses. An IPv6 address prefix is representedas ipv6-address/prefix-length, similar to IPv4address prefixes written in IPv4 Classless InterdomainRouting (CIDR).There are three major types of addresses: unicast,anycast, and multicast. Addresses are assigned to interfaces.A unicast address governs one-to-one transmission.It identifies a single interface and is the equivalentof an IPv4 unicast address. A transmission is deliveredonly to that address. There are, however, several typesof unicast addresses, including the global, link-local,and site-local.The global unicast address is the equivalent of theIPv4 global unicast address, used on links that areaggregated upwards though an organization and eventuallyto the ISP. The structure of this type of addressenables policies that allow aggregation of routing prefixesso as to limit the number of entries in the globalrouting table. The address consists of a 48-bit routingprefix managed by the provider and a 16-bit subnet IDmanaged by the local site.AGGREGATABLE GLOBAL UNICAST ADDRESSusing the link-local prefix FE80::/10(1111 1110 10)and the interface identifier in the IEEE EUI-64 format(an EUI-64 may be derived from an EUI-48).LINK-LOCAL ADDRESS1111111010FE80::/1010 Bits0128 BitsA site-local unicast address is similar to a private addressin IPv4 format (for example, 172.16.0.0/12). Because theprefix is not propagated between routing domains, thisrestricts communication to a specific domain.SITE-LOCAL ADDRESS1111111011FEC0::/1010 Bits0128 BitsSite LinkAddressSubnet ID16 BitsInterface ID64 BitsInterface ID64 BitsThe unicast address 0:0:0:0:0:0:0:1 or ::1 is theloopback address, which should never be assigned toany interface. It performs the same function as inIPv4—identifying a transmission sent by a nodeback to itself.An anycast address directs one-to-any transmission.Examples are the use of anycast addresses to reach aDNS server or a 6to4 Relay or Intra-Site AutomaticTunnel Addressing Protocol (ISATAP) routers (seenext page for more on 6to4 and ISATAP).ANYCAST ADDRESS128 BitsProvider Site HostPrefix111111x111111...1113 Bits 45 Bits 16 Bits 64 Bits0 if EUI-64 Globally Administeredx={1 if EUI-64 Locally AdministeredAnycast ID7 Bits001Global Routing PrefixSite LinkAddressInterface IDA link-local unicast address is used to communicateamong nodes on a local link, in the neighbor discoveryprotocol, and in the stateless autoconfiguration process.It can be automatically configured on any interface byAn IPv4-mapped IPv6 address is used to identifyan IPv4-only node to an IPv6 node. The 16 bits ofzeros before the IPv4 decimal representation in theaddress should be replaced with four F’s. An IPv4-mapped address should never be used as an “Src” or“Dst” on the wire.A multicast address governs one-to-many transmission.The address subsumes a set of interfaces, usuallyCISCO SYSTEMS FIRST QUARTER 2003 PACKET 19Reprinted with permission from Packet ® magazine (Volume 15, No. 1), copyright © 2003 by Cisco Systems, Inc. All rights reserved.


TechnologyI P V 6 A D D R E S S I N GMULTICAST ADDRESS1111 1111F FoLifetime Scope8 Bits 8 Bits128 BitsInterface IDbelonging to different nodes, and orders delivery of thepacket to all of them. IPv6 does not include anybroadcast addresses, their function being taken over bythe multicast address.6to4 and ISATAP AddressesTo ease the IPv6 integration on the campus andWAN, the IETF NGTrans Working Group hasbeen working on several tunneling mechanisms thatcan be set when native IPv6 or dual-stack are not asolution. Automatic IPv6 over IPv4 tunnels requirethat an IPv4 address be extracted from the IPv6address to establish a tunnel on request. Thisapproach leads to a particular IPv6 unicast addresscalled 6to4 (RFC 3056) on the WAN and ISATAP(draft-ietf-ngtrans-isatap) on campus.■ The payload length indicates the length of the dataportion of the packet.■ The “next header” field determines the type of informationfollowing this packet—perhaps a TCP orUDP packet or extension header.■ The hop limit specifies the maximum number ofrouters the packet can pass through before being consideredinvalid.■ The “source address” and “destination address” containthe appropriate IPv6 128-bit addresses.Neighbor discovery provisions are built on top of InternetControl Message Protocol for IPv6 (ICMPv6) and are acombination of IPv4 protocols. They enable router discovery,parameters discovery, address autoconfiguration,next-hop determination, neighbor unreachability detection,and other functions, as well as determine the linklayeraddress of a neighbor on the same link, andidentification and tracking of neighboring routers.Stateless autoconfiguration (see Figure 1) is a keyfeature of IPv6.Enhanced Routing Protocol SupportIPv6 headers have been designed to be as compatible aspossible with current standards and protocols. For example:■ They use the same “longest-prefix match” routing asIPv4 CIDR.■ The changes to existing IPv4 routing protocols for6TO46TO4 ANDANDISATAPISATAPADDRESSESADDRESSES6to4 (RFC 3056)—WAN Tunneling/16 /48 /64Public IPv4 Site Link2002 Address Address Interface IDISATAP (Draft)—Campus Tunneling/23 /32 /48 /642001 0410Site Link 00 00 5E FE IPv4 HostAddressAddressRegistryISP PrefixSite Prefix32 bits32 bitsIPv6 AUTOCONFIGURATIONRA IndicatesSubnet PrefixSubnet Prefix +MAC AddressSimplified Header FormatAn IPv4 header contains at least 12 different fields: version,header length, type of service, total length, identification,flags, fragment offset, time to live, protocol,header checksum, source address, destination address,and possible options. The simpler IPv6 header has onlyeight: version, traffic class, flow label, payload length,next header, hop limit, source address, and destinationaddress. They are used as follows:■ The field specifies 6 for IPv6.■ The traffic class identifies differentiated services.■ The flow label tags packets with a specific flow thatdifferentiates packets at the network layer.Subnet Prefix +Interface IDAt Boot Time, an IPv6 HostBuilds a Link-Local Address,Then Its Global IPv6 Address(es)From RAFIGURE 1: With IPv6 stateless autoconfiguration, the hostautonomously configures its own link-local address. Bootingnodes request router addresses (RAs) to help in configuringthe interfaces.20 PACKET FIRST QUARTER 2003 CISCO SYSTEMSReprinted with permission from Packet ® magazine (Volume 15, No. 1), copyright © 2003 by Cisco Systems, Inc. All rights reserved.


TechnologyI P V 6 A D D R E S S I N Ghandling longer addresses are done through newIETF documents.■ Use of Routing Information Protocol (RIP) isachieved with RIPng similar to RIPv2 on IPv4.■ A new version of Open Shortest Path First (OSPF)—OSPFv3—is defined for IPv6.■ IPv6 address family in now in Intermediate System toIntermediate System (IS-IS) and Multiprotocol BorderGateway Protocol v4 (MP-BGP4).■ Headers with anycast destination addresses can beused to route packets through particular regions forprovider selection and performance, compliance withpolicies, among other reasons.Mandated IPSec, Enhanced Support for Mobile IPCompliance with the IPSec standard is mandatory inIPv6, not optional as in IPv4, and is part of the IPv6protocol suite. Network administrators could enableIPSec in every node, if desired, potentially making networksmore secure, but IPv6 does not specify how thekey can be distributed. IPv6 provides security headerextensions that make it easy to implement encryption,authentication, and virtual private networks (VPNs).The security extensions help to prevent hacking andensure data integrity. Nevertheless, when a centralizedThe IPv4 to IPv6TransitionA number of techniques have been identifiedand developed to make the transition fromIPv4 to IPv6. They fall into three categories:■■■Dual-stack techniques, which allow bothprotocols to coexist in the same devicesand networksTunneling techniques, to avoid orderdependencies when upgrading hosts,routers, or regionsTranslation techniques, to allow IPv6-only devices to communicate with IPv4-only devicesThese three techniques, which probably will beused in various combinations, also lay thefoundation for IPv6 deployment scenarios. Toview a dual-stack IPv4/IPv6 campus and ISPdeployment scenario, go to cisco.com/go/packet/dual-stack at Packet Online.ENHANCED SUPPORT FOR MOBILITY WITH IPv6Home AgentHome3ffe:0b00:c18::1 =Home AddressMobileNodeDirect RoamingNot Possiblein IPv4security mechanism (for example, firewalls) is preferred,there is no definition—yet—on how to make bothIPSec and firewalls coexist on the network.IPv6 also offers other features that facilitate mobility.Mobility is essentially built in, and any node can supportit as needed, in contrast to IPv4, in which mobility mustbe specifically provided for.IPv6 packets addressed to the home address of amobile node are transparently and automatically routedto its care-of address because both addresses are boundand cached together. On Mobile IPv4, a correspondentnode can’t talk directly with a mobile node; it has to gothrough the home agent. But a mobile node can talkdirectly with a correspondent node. This is called triangularrouting. On Mobile IPv6 (see Figure 2), a correspondentnode can talk directly with a mobile node aftera binding update process.◆ ◆ ◆Growth in mobile and fixed applications that requireInternet-connected devices is just one factor putting astrain on the current IPv4 32-bit address pool.The timefor IPv6 has come, and IT professionals need to beginfamiliarizing themselves now with IPv6 addresses andtheir benefits.FURTHER READING■ Cisco IPv6:cisco.com/ipv6■ IPv6 Forum:ipv6forum.org■ IPv6 Information Page:ipv6.org■ IETF IPv6 Working Group:ietf.org/html.charters/ipv6-charter.htmlRoaming2001:2:a010::5 =Care of AddressDestinationNodeFIGURE 2: With IPv6,use of the routingheader for Mobile IPenables the service toavoid “triangle routing,”making the servicemuch more efficientthan in IPv4.CISCO SYSTEMS FIRST QUARTER 2003 PACKET 21Reprinted with permission from Packet ® magazine (Volume 15, No. 1), copyright © 2003 by Cisco Systems, Inc. All rights reserved.

More magazines by this user
Similar magazines