Thursday, October 29, 2015

IPv6, Not your grandma's IP

by Craig Miller

IPv6 is a different networking protocol

The first thing to learn about IPv6 is that it isn't just like your old friend IP(v4). It is a different network protocol which happens to reuse the same layer 4 (UDP and TCP). The two network protocols (IPv4 and IPv6) are not compatible. There is no magic interoperability between them. To access an IPv6 server on the internet from IPv4, there must be a proxy somewhere on the internet which will do the conversion for you. Most implementations (Windows, Linux, Mac, Android) use what is called dual stack, thus enabling your computer to speak both protocols (kind of like speaking both French and English in Canada).

The separateness of IPv6 is a double-edged sword: you can take advantage of it, but so can others. I'll cover this aspect in more detail in a later post.


Quick look at the differences

The obvious and not-so-obvious differences between IPv4 and IPv6 are:
IPv4: 32 bit long address
IPv6: 128 bit long address (see Quibbling in IPv6)

IPv4 thinking: must conserve host addresses
IPv6 thinking: define the networks needed for the job. It is OK to waste a /64 on a point-to-point link because it will make the entire network simpler.

IPv4: Variable Length Subnet Mask (VLSM), subnetting is hard
IPv6: No VLSM, all user subnets are /64, which results in simplified subnetting (see Simplifying Subnetting)

IPv4: Single IP address
IPv6: Always uses multiple IP addresses: one or more global, a temporary (RFC 3041), and a link-local (see What's with all those IPv6 Addresses)

IPv4: n/a
IPv6: Non-routable address, FE80::/10, aka link-local

IPv4: Uses broadcast
IPv6: No broadcast, uses multicast (see Goodbye Broadcast)

IPv4: Pseudo auto-config (169.254.0.0/16)
IPv6: Stateless Autoconfig (SLAAC) (RFC 4862) provides a method to automatically obtain a globally routable address (see SLAAC-ing Off)

IPv4: Client initiates DHCP
IPv6: Network controls DHCPv6 (RFC 3315) via the M & O bits in the RA

IPv4: Network Address Translation, keeping IPv4 alive since 1994 (RFC 1631) as a short-term solution
IPv6: No NAT. Restores true any-address-to-any-address connectivity.

IPv4: Uses ARP to resolve MAC addresses
IPv6: Uses ICMPv6 to resolve MAC addresses. Blocking ICMP on the firewall will disconnect your network (see IPv6 using ICMP)

IPv4: Private address space (RFC 1918), aka 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
IPv6: Unique Local Address (ULA) FC00::/7 (RFC 4193). Don't use it. This is IPv4 thinking; use global addresses everywhere and keep the network simple

IPv4: OSPFv2 routing
IPv6: OSPFv3 routing

Don't turn off IPv6 and miss the opportunity to learn

And that is just the tip of the iceberg. So what is one to do? Stick your head in the sand and turn off IPv6? I would suggest not. Start playing with IPv6, either with an extra machine (we all have extra machines lying around, right?) or in a VM, and start learning.

Set up your computer to prefer IPv4, if needed

But what if you don't have an IPv6 connection to the internet, and things are slow?

If you are running Linux, add this line to your /etc/gai.conf file and restart your web browser. IPv4 will now be preferred (as per RFC 6724):
precedence ::ffff:0:0/96 100

If you are using Windows, use netsh to raise the IPv4 preference:
netsh int ipv6 set prefix ::ffff:0:0/96 100 4

If you are using a Mac, let me know. I haven't found how to adjust the IPv4/IPv6 preference.

Future Growth of the Internet will be on IPv6

IPv6 isn't going away, and ignoring it won't make it go away either. Your organization may be happy using private IPv4 address space, but your customers will be using IPv6, and if they can't get to your IPv4-only website, you will be losing customers. Now that ARIN has run out of IPv4 addresses, there is no time like the present to learn how the next phase of the Internet will work.

And hopefully, once you learn the benefits of IPv6, you will take the time to simplify your next generation network (see IPv6 is not coming, it is here).

Friday, October 23, 2015

IPv6 Simplifying Subnetting


by Craig Miller

Simplifying Subnetting

Network prefix always /64
Another key difference of IPv6 is no more variable length subnetting. There has been an entire industry built up around what address boundaries a /26 has. Be prepared to file that info away, because IPv6 has a fixed length subnet (or prefix). It is always /64, end of story.

Wasting address space?

The biggest complaint I hear from experienced IPv4-ers is that a /64 is a waste of address space. And in a way it is, but who cares? Part of the mind-shift that needs to happen when working with IPv6 is to shake off the shackles of conserving address space. Allocating 2^64 addresses per subnet is a lot of addresses. More than the entire IPv4 address space, in each subnet. But remember there are also 2^64 networks available.

How Big is it?

The best example I have heard to explain just how big the IPv6 address space is, is this:
If the entire IPv4 address space is equal to 1 meter (a little longer than a yard), then the entire address space of IPv6 is 18 trillion light-years.

That is a lot of address space. There may come a day when we earthlings will have to move to a different addressing scheme, but it won't be in your life time.

Simplifying with /64

The key advantage of using a /64 everywhere (even on point-to-point links) is that it greatly simplifies your network planning. If everything is a /64, then SLAAC works everywhere! This means everything can acquire a globally routable address auto-magically.

Trying to conserve address space, by using something other than a /64, will break SLAAC, and you will find that your network is still complex, and you have missed a golden opportunity to simplify your network. Remember, a simpler network is easier to troubleshoot, which translates to faster resolution times, and at the end of the day, saving money.

Another advantage of using /64 is that it prevents some of the attacks from the IPv4 days. Try running nmap on your /64 subnet. You will never find all, or even 10% of the hosts on the subnet. You can't just scan every address in the subnet. It will take months, and with Temporary Addresses (RFC 4941) hosts will change addresses before you even scan them.

Land of Plenty

Go ahead and plan your next generation network with /64s. It may seem decadent at first, but it will pay real dividends for the rest of your life.



Thursday, October 22, 2015

What's with all those IPv6 Addresses

by Craig Miller

No longer tied to one address

A key difference of IPv6 is multiple addresses. An interface will have at least two IPv6 addresses, a link-local, and a global address, but there can be more, several more.

All those addresses can mean more complexity, but it can also mean simplicity. Other than a Global address, and a link-local address there is no requirement to have more.

But remember there are usually at least two ways to look at something, and IPv6 is no different. Vase, or faces?


Address fundamentals

By now you know that an IPv6 address is 128 bits long. And hopefully you know that IPv6 does not have a variable length subnet mask. It is always, always 64 bits long. This simplifies things a lot.

An IPv6 address looks like the following:
 2001:4860:4860:0000:0000:0000:0000:8888

An IPv6 address is made up of 8 quartets of 4 hexadecimal digits separated by colons. That is a lot of typing. Fortunately RFC 4291 says we can shorten one long string of zeros with a double colon. And the address becomes:
 2001:4860:4860::8888
In the above example [1], the network number (the left 64 bits) would be 2001:4860:4860 and the host number (the right 64 bits) would be 8888.

The double colons don't have to align with the 64 bit mask, but it is convenient when it does.

Special Addresses

There are special addresses, which are required for IPv6 to work properly. The first is the link-local address, which always starts with FE80:, in fact it is officially (in RFC 4291)
FE80::/10

Because there is no ARP (Address Resolution Protocol) in IPv6, another method had to be utilized to resolve MAC addresses for a given IPv6 address. By having every node create a link-local address, which is only significant on that link, ICMPv6 can be used to resolve MAC addresses through neighbour discovery.

Another set of special addresses are the multicast addresses, which start with FF. (again defined in RFC 4291). One we learned from a previous post was the all nodes address. There is no broadcast in IPv6, but multicasting to all-nodes has a similar result. The all nodes address is:
FF02::1
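As an added example (not code from the original post), the following script uses Python's standard ipaddress module to do what the last two sections describe by hand: write an address out in full, shorten it per RFC 4291, split it at the fixed /64 boundary, and recognise the special blocks (link-local FE80::/10, multicast FF00::/8 with its scope nibble, ULA FC00::/7, IPv4-mapped). The sample addresses are the ones from the post; fd12::1 is a constructed ULA.

```python
"""IPv6 address notation and special prefixes (added illustration, not from the post)."""
from ipaddress import IPv6Address, IPv6Network

# Special blocks from RFC 4291 (ULA from RFC 4193); anything else is global unicast.
SPECIAL_PREFIXES = [
    ("loopback", "::1/128"),
    ("IPv4-mapped", "::ffff:0:0/96"),
    ("link-local", "fe80::/10"),
    ("unique local (ULA)", "fc00::/7"),
    ("multicast", "ff00::/8"),
]


def is_valid(text):
    """True for a well-formed RFC 4291 text address; a second '::' is rejected."""
    try:
        IPv6Address(text)
        return True
    except ValueError:
        return False


def expand(text):
    """Write out all 8 quartets with 4 hex digits each (undo the '::' shortcut)."""
    return IPv6Address(text).exploded


def compress(text):
    """RFC 4291 short form: drop leading zeros, collapse the longest zero run to '::'."""
    return IPv6Address(text).compressed


def split_64(text):
    """Return (network prefix, interface identifier) at the fixed /64 boundary."""
    value = int(IPv6Address(text))
    prefix = IPv6Address((value >> 64) << 64)          # upper 64 bits, lower bits zeroed
    iid = f"{value & ((1 << 64) - 1):016x}"            # lower 64 bits as 16 hex digits
    iid_quartets = ":".join(iid[i:i + 4] for i in range(0, 16, 4))
    return f"{prefix.compressed}/64", iid_quartets


def classify(text):
    """Name the special block an address falls in, or 'global unicast'."""
    addr = IPv6Address(text)
    for name, prefix in SPECIAL_PREFIXES:
        if addr in IPv6Network(prefix):
            return name
    return "global unicast"


def multicast_scope(text):
    """Scope nibble of a multicast address (RFC 4291 section 2.7); 2 means link-local."""
    addr = IPv6Address(text)
    if not addr.is_multicast:
        raise ValueError(f"{text} is not a multicast address")
    return int(addr.exploded[3], 16)


if __name__ == "__main__":
    for a in ("2001:4860:4860::8888", "fe80::1", "ff02::1", "fd12::1"):
        print(a, "->", expand(a), classify(a), split_64(a))
```

The all-nodes address FF02::1 from the post classifies as multicast with scope 2, which is why a reply to it only ever comes from hosts on the same link.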

How to get a Global Address, let me count the ways

Before sending your packets on to the big IPv6 enabled internet, you will first need to get a global IPv6 address. Fortunately, there are several methods to get a global address:
  • SLAAC (Stateless Address Auto-Configuration)
  • DHCPv6
  • Statically defined
The first thing to remember about IPv6 is that the network, not the client, controls addressing. There are key advantages to doing it this way. If you have a subnet (in IPv6 it is called a prefix) defined, and 100 host machines on it, you don't want to go to each machine and change the prefix. Using SLAAC, you would just change the advertised prefix on the router, and all 100 hosts on the link would acquire new valid Global Addresses.

But how do the hosts know to select a unique Global address for each host? Because the original standard for SLAAC was to take the Ethernet MAC address, modify it a bit (into EUI-64 format), make that the lower 64 bits (or host part) of the address, and prepend the advertised prefix from the router.

Privacy concerns with SLAAC

However, this caused an unforeseen problem. The host always had the same address, day in and day out. This led to privacy concerns, and via RFC 4941 another global address is created, called a Temporary Address. The temporary address has a randomized lower 64 bits, which is re-randomized every day (24 hours). Since this Temporary global address is changed every day, it is harder for places outside the local network to track the host.

But there are those who don't like ever-changing addresses. They are the security people. When analyzing the logs, they want to see a consistent address used day in and day out. After all, this is how IPv4 works.

DHCPv6

Another method used to get a global address is DHCPv6. Again it is controlled by the network, not the client, as defined in RFC 3315. The Router Advertisements (RAs) also include the M & O bits (for managed and other). If either or both of these are set, then the DHCPv6 client should make a multicast request to a DHCPv6 server, and request an address (if the M bit is set) or request other options (such as DNS server settings) if the O bit is set. However, the M & O bits are not mutually exclusive with the A bit (which controls SLAAC). So it is possible to have a DHCPv6 address, a SLAAC address, a Temporary address, and a link-local address all on the same interface.

And if that isn't enough addresses, you can always manually assign an address (statically defined) to an interface.
sudo ip addr add 2001:470:1c:583::1/64 dev eth0

All those addresses: which one is used?

Fortunately, there is RFC 6724, the Source Address Selection standard, to determine which source address is used when connecting to the internet. This standard supersedes the old RFC 3484, which stated that an IPv6 address is always preferred over an IPv4 address. In this time of transition to IPv6, the user (or IT folks) may want to change this preference, as per RFC 6724, rather than just turning off IPv6. See my previous post, IPv6, not your grandma's IP, for more info on how to adjust your preference.

The rules governing source address selection are a bit complex. To understand them best, one should refer to section 5 of RFC 6724. Here are the rules (as specified in the RFC) to give you an overview:
   Rule 1: Prefer same address.
   Rule 2: Prefer appropriate scope.
   Rule 3: Avoid deprecated addresses.
   Rule 4: Prefer home addresses.
   Rule 5: Prefer outgoing interface.
   Rule 5.5: Prefer addresses in a prefix advertised by the next-hop.
   Rule 6: Prefer matching label.
   Rule 7: Prefer temporary addresses.
   Rule 8: Use longest matching prefix.
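To make the rules concrete, here is an added example (my own illustration, not code from the post) that implements a reduced version of RFC 6724: the default policy table from section 2.1 with its longest-prefix lookup, destination ordering cut down to the precedence rule, and source selection using rules 2, 3, 6, 7 and 8 only (the remaining rules depend on host state such as home addresses and the outgoing interface). The PREFER_IPV4_POLICY table is the same table after the gai.conf line from the earlier post, so you can see why that one line makes IPv4 destinations win. The 2001:db8: addresses are constructed documentation addresses.

```python
"""Reduced RFC 6724 address selection (added illustration, not from the post)."""
from dataclasses import dataclass
from functools import cmp_to_key
from ipaddress import IPv6Address, IPv6Network

# (prefix, precedence, label): the default policy table, RFC 6724 section 2.1
DEFAULT_POLICY = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]

# The same table after "precedence ::ffff:0:0/96 100" in /etc/gai.conf:
# IPv4-mapped destinations now outrank the ::/0 row that native IPv6 falls into.
PREFER_IPV4_POLICY = [
    (p, 100 if p == "::ffff:0:0/96" else prec, lab) for p, prec, lab in DEFAULT_POLICY
]


def policy_lookup(addr, table=DEFAULT_POLICY):
    """Longest-prefix match of addr against the policy table -> (precedence, label)."""
    addr = IPv6Address(addr)
    best = None
    for prefix, precedence, label in table:
        net = IPv6Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    return best[1], best[2]          # ::/0 always matches, so best is never None


def scope(addr):
    """Address scope as RFC 6724 uses it; multicast carries it in the 4th nibble."""
    addr = IPv6Address(addr)
    if addr.is_multicast:
        return int(addr.exploded[3], 16)
    if addr.is_link_local or addr.is_loopback:
        return 0x2
    if addr.is_site_local:
        return 0x5
    return 0xE                        # global (ULA also counts as global scope)


def order_destinations(dests, table=DEFAULT_POLICY):
    """Destination ordering reduced to rule 6 of section 6: higher precedence first."""
    return sorted(dests, key=lambda d: policy_lookup(d, table)[0], reverse=True)


@dataclass
class Candidate:
    address: str
    temporary: bool = False   # RFC 4941 temporary address
    deprecated: bool = False  # preferred lifetime has expired


def common_prefix_len(a, b):
    """Leading bits shared by two addresses (rule 8, without the subnet-length cap)."""
    return 128 - (int(IPv6Address(a)) ^ int(IPv6Address(b))).bit_length()


def select_source(candidates, dest, table=DEFAULT_POLICY):
    """Pick the source address for dest using rules 2, 3, 6, 7 and 8, in that order."""
    d_scope, d_label = scope(dest), policy_lookup(dest, table)[1]

    def compare(sa, sb):
        # Rule 2: prefer appropriate scope. The smaller scope wins only if it
        # is still large enough to reach the destination.
        a, b = scope(sa.address), scope(sb.address)
        if a != b:
            lo, hi = (sa, sb) if a < b else (sb, sa)
            winner = lo if min(a, b) >= d_scope else hi
            return -1 if winner is sa else 1
        # Rule 3: avoid deprecated addresses
        if sa.deprecated != sb.deprecated:
            return 1 if sa.deprecated else -1
        # Rule 6: prefer matching label
        la = policy_lookup(sa.address, table)[1]
        lb = policy_lookup(sb.address, table)[1]
        if (la == d_label) != (lb == d_label):
            return -1 if la == d_label else 1
        # Rule 7: prefer temporary addresses
        if sa.temporary != sb.temporary:
            return -1 if sa.temporary else 1
        # Rule 8: use longest matching prefix
        return common_prefix_len(sb.address, dest) - common_prefix_len(sa.address, dest)

    return sorted(candidates, key=cmp_to_key(compare))[0].address
```

With the default table a dual-stack host orders 2001:4860:4860::8888 ahead of ::ffff:8.8.8.8; with PREFER_IPV4_POLICY the order flips, which is exactly the effect of the one-line gai.conf change. On the source side, rule 7 is why a host with both an EUI-64 and a temporary address on the same /64 sends from the temporary one.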

Old Protocol, still evolving

As I write this there is a new RFC on the books, Distributing Address Selection Policy Using DHCPv6 (RFC 7078). Again, the idea is to make it easier to roll out changes to your hosts (whether it is changing the prefix, or how hosts select addresses). IPv6 continues to evolve. Learning IPv6 now will help you for the rest of your career.

[1] Just like Google has IPv4 DNS servers at 8.8.8.8 and 8.8.4.4, Google also has IPv6-accessible DNS servers at 2001:4860:4860::8888 and 2001:4860:4860::8844.

Wednesday, October 21, 2015

IPv6, not the same path

by Craig Miller


IPv6 is still a different networking protocol

Last post I mentioned how IPv6 is a double-edged sword: you can take advantage of it, and so can others.

Because IPv6 is a new (widely used) protocol, its subnets may not be aligned with the existing IPv4 ones. In fact, implementing IPv6 in your network is an excellent time to rethink your network topology and simplify it. Therefore, there is a good chance that the path to a distant server over IPv6 is not the same as the path over IPv4.

Think of it like the subway, there is usually more than one way to arrive at your destination. And they don't all arrive at the same time.


A different path, a different set of rules

There can be local advantages as well, for example, what if there is a firewall in the way of getting to the server down the hall. Depending on how new the IPv6 network is, there may not be firewall rules yet applied, and the path is wide open. Of course, if this is your network, you should not leave the network in this state for long. It isn't only the good guys trying to get to your server down the hall.

Networking Old School, firewalls

Just like the old days, before there was NAT (Network Address Translation), there were firewalls with ACLs (Access Control Lists), which controlled the flow of traffic. Contrary to popular belief, NAT is not a firewall. Sure, when done cleanly, NAT only allows traffic to be initiated in one direction. But because NAT munges things up so badly, most NATs have one or more static port forwards configured (think: holes in your firewall). And that is just the explicit forwarding. UPnP (Universal Plug and Play) is a protocol which allows any host on the inside of NAT to open holes (reverse port forwards). Suddenly your clean NAT implementation is as good as Swiss cheese.

Before there was NAT there were firewalls, and they are just as good at IPv6 as they were for IPv4. IPv6 is a different protocol, it requires a different set of rules. And because the addresses are different, you can't just cut and paste the IPv4 rules. Be thoughtful when setting up firewall rules.

IPv6 Goodness, using the auto-generated link-local address

But there are other good reasons to use the separateness of IPv6. Say, for example, you turn up a new server, but for whatever reason it didn't pick up an IPv4 address from your DHCP server. You could spend a couple of weeks trolling around for the IPv4 auto-configuration address (one of 65,000) in 169.254.0.0/16.

But with IPv6, every interface is assigned a link-local address. This starts with FE80::/10 (RFC 2462). And every IPv6 node registers for the all-nodes multicast address FF02::1. So if you have another machine on the same link (think: subnet), you can ping the all-nodes multicast address and watch the multiple returns. Because the link-local address is only significant on its own link, one must append the interface using the %interface scope notation (RFC 4007).
~$ ping6 ff02::1%eth0 -c 2
PING ff02::1%eth0(ff02::1) 56 data bytes
64 bytes from fe80::211:24ff:fee1:ebc8: icmp_seq=1 ttl=64 time=0.116 ms
64 bytes from fe80::224:a5ff:fef1:7ca: icmp_seq=1 ttl=64 time=0.459 ms (DUP!)
64 bytes from fe80::203:93ff:fe67:6362: icmp_seq=1 ttl=64 time=3.17 ms (DUP!)
64 bytes from fe80::225:31ff:fe02:cecb: icmp_seq=1 ttl=64 time=6.01 ms (DUP!)
64 bytes from fe80::211:24ff:fee1:ebc8: icmp_seq=2 ttl=64 time=0.061 ms
You did note the MAC address of that new server, right? The IPv6 link-local address is formed from the MAC address, which should be unique on the link. And because you did note the MAC address, you can now just ssh to the server using its link-local address.
:~$ ssh fe80::203:93ff:fe67:6362%eth0
cvmiller@fe80::203:93ff:fe67:6362%eth0's password:

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
cvmiller@myserver:~$ 


No IPv4 needed!
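As an added example (my own code, not from the post), the following script ties together the EUI-64 explanation from the "What's with all those IPv6 Addresses" post and the trick just shown: it builds the SLAAC address the standard derives from a MAC, and, going the other way, it parses the ping6 output above, recovers the MAC behind each link-local reply, and finds the one that matches the MAC you wrote down. The PING_OUTPUT text is copied from the session above; the 2001:db8: prefix and the non-EUI-64 address in the usage notes are constructed.

```python
"""SLAAC / EUI-64 interface identifiers (added illustration, not from the post)."""
import re
from ipaddress import IPv6Address, IPv6Network

# Copied from the ping6 session in the post.
PING_OUTPUT = """\
PING ff02::1%eth0(ff02::1) 56 data bytes
64 bytes from fe80::211:24ff:fee1:ebc8: icmp_seq=1 ttl=64 time=0.116 ms
64 bytes from fe80::224:a5ff:fef1:7ca: icmp_seq=1 ttl=64 time=0.459 ms (DUP!)
64 bytes from fe80::203:93ff:fe67:6362: icmp_seq=1 ttl=64 time=3.17 ms (DUP!)
64 bytes from fe80::225:31ff:fe02:cecb: icmp_seq=1 ttl=64 time=6.01 ms (DUP!)
64 bytes from fe80::211:24ff:fee1:ebc8: icmp_seq=2 ttl=64 time=0.061 ms
"""


def eui64_iid(mac):
    """Modified EUI-64 interface identifier (8 bytes) from a 48-bit MAC (RFC 4291 app. A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    # ff:fe goes in the middle; the universal/local bit of the first byte is flipped
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """The address SLAAC derives for mac on a /64 prefix (prefix + EUI-64 IID)."""
    net = IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    iid = int.from_bytes(eui64_iid(mac), "big")
    return IPv6Address(int(net.network_address) | iid).compressed


def mac_from_address(addr):
    """Recover the MAC from an EUI-64 based address, or None when the IID is not
    EUI-64 (for example an RFC 4941 temporary address with a random IID)."""
    iid = int(IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in mac)


def hosts_from_ping(output):
    """Map each link-local address that answered ff02::1 to its MAC (or None)."""
    seen = {}
    for m in re.finditer(r"bytes from ([0-9a-f:]+): icmp_seq", output):
        addr = m.group(1)
        seen.setdefault(addr, mac_from_address(addr))
    return seen


def find_host(output, mac):
    """Link-local address of the host whose MAC you noted, if it answered the ping."""
    want = mac.lower().replace("-", ":")
    for addr, found in hosts_from_ping(output).items():
        if found == want:
            return addr
    return None


if __name__ == "__main__":
    for addr, mac in hosts_from_ping(PING_OUTPUT).items():
        print(f"{addr:32} {mac}")
    print("new server:", find_host(PING_OUTPUT, "00:03:93:67:63:62"))
```

Running it lists four distinct responders (the repeated icmp_seq=2 line is the same host) and pairs fe80::203:93ff:fe67:6362 with 00:03:93:67:63:62, which is the address the ssh session above connects to. The same reversibility is the privacy problem RFC 4941 temporary addresses fix: a random IID has no ff:fe marker, so mac_from_address returns None for it.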

New Protocol, new tricks

Remember that IPv6 is a separate networking protocol (just like AppleTalk, Vines, Novell/IPX, DECnet, etc. were in the 90s). There are new tricks to learn with this new protocol [1]. Now is a good time to start learning IPv6.