
AFRINIC Ltd

Mukom Akong T. | @perfexcellent


Training Manager & Lead Trainer

Agenda
§ IPv4 Exhaustion Implications
§ Identify IPv6 addresses
§ Create an IPv6 address plan
§ Configure IPv6 on hosts
Pre-requisite knowledge & skills

① Foundational concepts of networking


§ OSI and TCP/IP networking model
§ IPv4 addressing, subnetting, VLSM, CIDR
§ Routing and forwarding
② Experience configuring and maintaining basic IPv4
§ Host (Windows, Linux, Unix etc) configuration
§ Use of TCP/IP applications: ping, traceroute, telnet
③ Experience using the CLI (Cisco IOS, JUNOS, Linux/Unix)

learn.afrinic.net | slide 3
Understanding

Implications of IPv4 Exhaustion


Section Objectives
⫞ Describe the global situation with respect to IPv4 addresses
⫞ Describe the implications of IPv4 exhaustion
Central IPv4 pool as at 16.06.2010
[Pie chart: Used, Free, Unusable]

learn.afrinic.net | slide 5
Central IPv4 pool as at 31.01.2011
[Pie chart: Used, Free, Unusable]

learn.afrinic.net | slide 6
Global IPv4 address distribution is unbalanced

Number of IPv4 addresses per person


learn.afrinic.net | slide 7
Projected RIR depletion dates

IANA: 3 Feb 2011
APNIC: 19 Apr 2011
RIPE NCC: 14 Sep 2012
ARIN and LACNIC: 17 Mar 2014 and 23 Apr 2014
AFRINIC: 2 Aug 2020

learn.afrinic.net | slide 8
Exhaustion drives up address costs & NATs

§ $12 per address
§ Increase in OPEX
§ Network complexity
§ NAT breaks end-to-end
§ Cripples innovation

learn.afrinic.net | slide 9
AFRINIC runout no reason for complacence!

“No hurry, AFRINIC still has IPv4 till 2020”

learn.afrinic.net | slide 10
Implications for Africa: ‘Scramble for Africa’
§ African networks deprived of critical IPv4 needed to facilitate transition to IPv6
§ We are forced to deploy greenfield IPv6
§ Use of NAT increases


learn.afrinic.net | slide 11
How will you deal with IPv4 exhaustion?

§ Stand aside and wait
§ Deploy IPv6
§ Deploy NAT on steroids

Questions & Answers
Working with

IPv6 Addresses
Section Objectives
⫞ Work comfortably with IPv6’s hexadecimal notation
⫞ Identify, write and shorten IPv6 addresses
What’s your current IPv6 configuration?

Windows: ipconfig /all (or ipv6 if)
Linux/Unix: ifconfig

learn.afrinic.net | slide 15
Recall: TCP/IP model (IPv4 – 32 bits)
APPLICATION
DNS HTTP IMAP SMTP POP NFS

TRANSPORT
TCP UDP

NETWORK
IPv4 ICMP IGMP IPSec NAT OSPF IS-IS mob. IP

DATA LINK
Ethernet et al NBMA ATM 3GPP
learn.afrinic.net | slide 16
TCP/IP model (IPv6 – 128 bits)
APPLICATION
DNS HTTP IMAP SMTP POP NFS

TRANSPORT
TCP UDP

NETWORK
IPv6 ICMPv6 MLD IPSec ND OSPFv3 IS-IS mob. IP

DATA LINK
Ethernet et al NBMA ATM 3GPP
learn.afrinic.net | slide 17
IPv6 is a network layer replacement of IPv4

Applications and Transport stay the same; at the Network layer, IPv4 (the past, 32 bits) is replaced by IPv6 (the future, 128 bits), over the same Data Link.


learn.afrinic.net | slide 18
340 trillion trillion trillion possible IPv6 addresses!
learn.afrinic.net | slide 19
How to write IPv6 addresses (1/2)

0010000000000001 0100001010010000
0000000000010000 0000001001001001
1011101011101000 0101011011111111
1111111001001010 1110110011111110

128 bits
learn.afrinic.net | slide 20
How to write IPv6 addresses (2/2)
0010000000000001 0100001010010000 0000000000010000 0000001001001001

2001:4290:0010:0249:bae8:56ff:fe4a:ecfe

1011101011101000 0101011011111111 1111111001001010 1110110011111110

learn.afrinic.net | slide 21
The general form of an IPv6 address

X:X:X:X:X:X:X:X/n
§ X = 4 hexadecimal digits (X = hhhh where h = [0 – 9, a – f])
§ n = prefix length: decimal value

hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh/n
learn.afrinic.net | slide 22
Rules for shortening IPv6 addresses

1. The Zero Suppression rule: strip off all LEADING zeroes
2. The Zero Compression rule: replace CONTIGUOUS groups of zeroes with ‘::’

learn.afrinic.net | slide 23
Example: shortening an IPv6 address

2001:0000:0000:0249:0000:0000:0000:ecfe

Zero Compression (on the first run of zero groups), then Zero Suppression:

2001::249:0:0:0:ecfe
learn.afrinic.net | slide 24
Example: shortening an IPv6 address

2001:0000:0000:0249:0000:0000:0000:ecfe

Zero Suppression, then Zero Compression (on the last run of zero groups):

2001:0:0:249::ecfe
learn.afrinic.net | slide 25
WRONG! IPv6 address shortening

2001:0000:0000:0249:0000:0000:0000:ecfe

The Zero Compression rule applied twice:

2001::0249::ecfe
learn.afrinic.net | slide 26
Quiz: Compressing Addresses

① 2001:0db8:0000:0000:0008:0800:200C:417a
② ff01:0000:0000:0000:0000:0000:0000:0101
③ 0000:0000:0000:0000:0000:0000:0000:0001
④ 0000:0000:0000:0000:0000:0000:0000:0000

learn.afrinic.net | slide 27
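The two shortening rules and the “WRONG!” case, implemented as an added example in Python (this is not code from the AFRINIC slides). It applies zero suppression and then compresses the longest run of zero groups, leftmost on a tie, which is the RFC 5952 convention; that is why it picks the three-group run in the slide’s example, whereas slide 24 compressed the first run. Python’s standard `ipaddress` module is used to confirm that both shortened spellings on slides 24 and 25 name the same 128 bits and that a double `::` is rejected. The function names are mine.

```python
import ipaddress


def parse_full(addr):
    """Parse a fully written address (eight 4-hexit groups, no '::') into eight ints."""
    groups = addr.split(":")
    if len(groups) != 8:
        raise ValueError("expected eight 16-bit groups separated by ':'")
    return [int(g, 16) for g in groups]


def zero_suppress(groups):
    """Rule 1: drop leading zeroes in every group (0249 -> 249, 0000 -> 0)."""
    return [format(g, "x") for g in groups]


def longest_zero_run(groups):
    """Locate the longest run of all-zero groups (leftmost wins a tie).
    Returns (start_index, run_length); (0, 0) when there is no zero group."""
    best_start, best_len = 0, 0
    i = 0
    while i < len(groups):
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < len(groups) and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    return best_start, best_len


def compress(addr):
    """Rule 2 on top of rule 1: replace ONE contiguous run of two or more
    zero groups with '::'. A lone zero group stays written as '0'."""
    groups = parse_full(addr)
    hexits = zero_suppress(groups)
    start, length = longest_zero_run(groups)
    if length < 2:
        return ":".join(hexits)
    left = ":".join(hexits[:start])
    right = ":".join(hexits[start + length:])
    return left + "::" + right


def is_well_formed(text):
    """'::' may appear only once; ipaddress rejects '2001::0249::ecfe'."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


def same_address(a, b):
    """Two shortened spellings are equivalent if they parse to the same 128 bits."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


if __name__ == "__main__":
    full = "2001:0000:0000:0249:0000:0000:0000:ecfe"
    print(compress(full))                                              # 2001:0:0:249::ecfe
    print(same_address("2001::249:0:0:0:ecfe", "2001:0:0:249::ecfe"))  # True
    print(is_well_formed("2001::0249::ecfe"))                          # False
```

Because `ipaddress.IPv6Address` canonicalises on parse, `same_address` is the check to use whenever two systems (a log, a firewall rule, a DNS record) spell the same address differently.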
Questions & Answers
Understanding

IPv6 Address Types


Section Objectives
⫞ Identify different types of IPv6 addresses
⫞ Describe the structure and scopes these addresses
There’re 3 types of IPv6 addresses
§ Unicast addresses: 1:1 (one Tx, one Rx)
§ Multicast addresses: 1:n (one Tx, many Rx)
§ Anycast addresses: 1:closest (one Tx, delivered to the closest of several Rx)

There are no broadcast addresses (or communications) in IPv6


learn.afrinic.net | slide 30
An address’s scope = its extent of uniqueness
Global scope vs Link-local scope

Within the scope, the address can be used as a unique ID of the interface
learn.afrinic.net | slide 31
Global unicast addresses (GUA)
‘Network’ portion: Global Routing Prefix (n bits) + SubnetID (64 - n bits); ‘Host’ portion: InterfaceID (64 bits)

Ex: 2001:4290:10:249:bae8:56ff:fe4a:ecfe
§ Starts with 001 i.e. 2000::/3
§ Global Routing Prefix is managed by IANA > RIRs > ISPs
§ SubnetID is hierarchically managed by the network engineer
§ InterfaceID uniquely identifies interfaces in a subnet
learn.afrinic.net | slide 32
Link-local addresses (LLA)
1111111010 (10 bits, i.e. fe80) + 0 (54 bits) + InterfaceID (64 bits)

Ex: fe80:0000:0000:0000:bae8:56ff:fe4a:ecfe
§ Every working IPv6 interface has at least one LLA
§ Scope = link-local, thus routers never forward packets to/from an LLA
§ Used for auto-configuration, neighbour discovery, routing updates
learn.afrinic.net | slide 33
Link-local reachability and scopeID

A router has interfaces Fe 0/0 and Fe 0/1 on two different links; the link-local addresses in use include fe80::1, fe80::2, fe80::3, fe80::4, fe80::1a and fe80::1b.

ping fe80::1
§ Which interface does the router send the packet out of?
§ You must additionally specify the egress interface
learn.afrinic.net | slide 34
ZoneIDs (scopeIDs) – resolve LLA ambiguity
§ Identifies the address scope
§ Automatically generated by the OS
§ Typically a positive integer or an interface name

fe80::hhhh:hhhh:hhhh:hhhh%zoneID
§ Example on Mac OS X: fe80::bae8:56ff:fe4a:ecfe%en0
§ Example on Windows: fe80::bae8:56ff:fe4a:ecfe%10
learn.afrinic.net | slide 35
Quiz: Using ScopeIDs correctly

Node A: fe80::a1%10 and fe80::a2%11
Node B: fe80::b%eth0
Node C: fe80::c%en1

§ Write down the commands for
§ Node A to telnet to Node B
§ Node A to ping Node C
learn.afrinic.net | slide 36
It’s not good practice to only use LLAs

① Can’t be pinged from off-link


② Traceroute via LLA link will reveal router’s system address
③ Troubleshooting parallel point-to-point links is difficult
④ Swapping out an interface may trigger change of address
⑤ Breaks ability to name interfaces in DNS-style
⑥ Difficult to specify and recognize LLAs

learn.afrinic.net | slide 37
Unique Local Addresses (ULA)
1111 110L (8 bits) + 0 (56 bits) + InterfaceID (64 bits)

fc00::/7
§ L = 0: fc00::/8, centrally assigned
§ L = 1: fd00::/8, free use (self assignment)

learn.afrinic.net | slide 38
IPv4-based IPv6 transition addresses

‘Network’ portion: IPv6 Prefix (n bits) + WWXX:YYZZ (32 bits) + SubnetID (32 - n bits); ‘Host’ portion: InterfaceID (64 bits)

IPv4 address: w.x.y.z (each octet written as two hex digits WW, XX, YY, ZZ)

§ Most significant example is formation of 6rd addresses.
§ Most common example is 6to4 addresses: 2002:WWXX:YYZZ::/48
learn.afrinic.net | slide 39
Quiz: generate an IPv6 prefix from an IPv4 address

Given the following IPv6 root prefix and IPv4 address, generate the corresponding IPv6 prefix

① 2002 and 196.1.0.87
② 2001:4290 and 196.1.0.87

learn.afrinic.net | slide 40
Generating the InterfaceID (IID)

‘Network’ portion: Network Prefix (64 bits); ‘Host’ portion: InterfaceID (64 bits)

Ways of generating the InterfaceID:
§ Static (manual): servers, router interfaces
§ EUI-64, cryptographically generated, or pseudo-random: automatically configured hosts
learn.afrinic.net | slide 41
Reserved InterfaceIDs (RFC 5453)

Subnet router anycast address:

<prefix>::0000:0000:0000:0000

Reserved subnet anycast addresses:


<prefix>::fdff:ffff:ffff:ff80 - fdff:ffff:ffff:ffff
learn.afrinic.net | slide 42
How EUI-64 interfaceIDs are generated
[1] Take the MAC address (48 bits): 00 90 27 17 FC 0F
[2] Expand it to 64 bits by inserting FF FE in the middle: 00 90 27 FF FE 17 FC 0F
[3] Set the MAC’s uniqueness in the U/L bit of the first octet (0000 00X0): X = 0 if the MAC is unique, X = 1 otherwise
[4] Voilà! your InterfaceID: 02 90 27 FF FE 17 FC 0F

IPv6 address = Prefix + IID


learn.afrinic.net | slide 43
EUI-64 addresses pose privacy concerns

§ For a given MAC address


§ The EUI-64 interfaceID is fixed
§ It is re-used with the prefix of any network encountered
§ It is possible to track a user from their interfaceID
§ The prefix says what network a user is on
§ The MAC address can be inferred from the interfaceID
§ Privacy addressing (RFC4941) deals with this issue

learn.afrinic.net | slide 44
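The address constructions of slides 39 to 44 as one added Python example (not code from the AFRINIC slides): embedding an IPv4 address behind a root prefix (the 6to4 rule is the `2002::/16` case), the four EUI-64 steps with the slide’s MAC `00 90 27 17 FC 0F`, and, for the privacy point on slide 44, the reverse operation that recovers a MAC from an EUI-64 interface ID. `is_eui64` is the check an auditor can run over address logs to find hosts that are not using RFC 4941 privacy addresses. Function names are mine; only the standard `ipaddress` module is used.

```python
import ipaddress


def embed_ipv4(root, ipv4):
    """Build an IPv4-based IPv6 prefix: the 32-bit IPv4 address (w.x.y.z -> WWXX:YYZZ)
    is placed immediately after the root prefix, so the result is root length + 32.
    embed_ipv4('2002::/16', ...) is the 6to4 rule from slide 39."""
    net = ipaddress.IPv6Network(root)
    if net.prefixlen > 96:
        raise ValueError("no room for 32 IPv4 bits after this root prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    shift = 128 - net.prefixlen - 32
    return ipaddress.IPv6Network((int(net.network_address) | (v4 << shift),
                                  net.prefixlen + 32))


def eui64_interface_id(mac):
    """Slide 43, steps 1-4: 48-bit MAC -> 64-bit interface ID.
    Insert ff:fe between the OUI and the device part, then flip the U/L bit
    (value 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(" ", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def address_from(prefix64, iid):
    """IPv6 address = 64-bit prefix + 64-bit interface ID."""
    net = ipaddress.IPv6Network(prefix64)
    if net.prefixlen != 64:
        raise ValueError("interface IDs are appended to a /64")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def is_eui64(addr):
    """True when the interface ID carries the ff:fe marker, i.e. it was derived
    from a MAC address rather than generated randomly (RFC 4941 privacy address)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    return iid[3:5] == b"\xff\xfe"


def mac_from_eui64(addr):
    """Reverse the construction: the privacy concern of slide 44 in one function."""
    if not is_eui64(addr):
        raise ValueError("interface ID is not EUI-64 derived")
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    iid[0] ^= 0x02                              # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    print(embed_ipv4("2002::/16", "196.1.0.87"))              # 2002:c401:57::/48
    iid = eui64_interface_id("00:90:27:17:FC:0F")
    print(iid.hex())                                            # 029027fffe17fc0f
    print(address_from("2001:db8:c001::/64", iid))              # 2001:db8:c001:0:290:27ff:fe17:fc0f
    print(mac_from_eui64("2001:4290:10:249:bae8:56ff:fe4a:ecfe"))  # b8:e8:56:4a:ec:fe
```

Running `mac_from_eui64` on the GUA from slide 32 and the router’s link-local address from slide 57 shows how little the prefix hides: the same interface ID follows the device onto every network it joins, which is exactly why privacy addressing exists.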
Important well-known addresses

Unspecified address: 0:0:0:0:0:0:0:0 or ::


§ Indicates the absence of an IPv6 address
§ Used as src addr of packets when host doesn’t know its addresses
§ Never used as destination address
§ Must never be forwarded by routers
Default IPv6 route: 0:0:0:0:0:0:0:0 /0 or ::/0
Loopback address: 0:0:0:0:0:0:0:1 or ::1
§ Used to send IPv6 packets to itself
§ Must never be forwarded outside the node

learn.afrinic.net | slide 45
IPv4-mapped IPv6 address

0 (80 bits) + ffff (16 bits) + IPv4 address (32 bits)

Example: ::ffff:196.1.0.87
§ Represents an IPv4 address to an IPv6-only application
§ These addresses should not appear in the public Internet

learn.afrinic.net | slide 46
Anycast addresses

§ Same address assigned to multiple interfaces/hosts (yellow in the slide figure)
§ Anycast packets are delivered to the topologically closest one
§ Allocated from the unicast address space
learn.afrinic.net | slide 47
Multicast addresses

11111111 (8 bits) | flags (4 bits) | scope (4 bits) | reserved (8 bits) | p-len (8 bits) | network prefix (64 bits) | groupID (32 bits)

§ groupID: ID of the multicast group within the given scope
§ network prefix: prefix of the unicast subnet which owns this address
§ p-len: number of bits in the “network prefix” field

All multicast addresses are in the range ff00::/8
learn.afrinic.net | slide 48
Decoding the flags of a multicast address
The 4-bit flags field is 0 R P T:
§ R = 0: RP (rendezvous point) not embedded; R = 1: RP embedded
§ P = 0: not based on a network prefix; P = 1: based on a network prefix
§ T = 0: permanently assigned (IANA); T = 1: dynamically assigned

learn.afrinic.net | slide 49
Well-known multicast scopes
The 4-bit scope field (bits, hex, scope):
0001, 1: Interface-local
0010, 2: Link-local
0100, 4: Admin-local
0101, 5: Site-local
1000, 8: Organization-local
1110, e: Global
learn.afrinic.net | slide 50
Reserved & undefined scopes
0000, 0: Reserved
0011, 3: Reserved
1111, f: Reserved
0110, 6: Unassigned
0111, 7: Unassigned
1001, 9: Unassigned
1010, a: Unassigned
1011, b: Unassigned
1100, c: Unassigned
1101, d: Unassigned

learn.afrinic.net | slide 51
Example: groupID with different scopes

If ‘NTP servers’ is assigned a permanent multicast group with ID = 101

FF01::101 All NTP servers on the same interface as sender
FF02::101 All NTP servers on the same link as sender
FF05::101 All NTP servers on the same site as sender
FF08::101 All NTP servers in same organisation as sender
FF0E::101 All NTP servers on the Internet
learn.afrinic.net | slide 52
Reserved multicast addresses

FF00::, FF01::, FF02::, FF03::, FF04::, FF05::, FF06::, FF07::, FF08::, FF09::, FF0A::, FF0B::, FF0C::, FF0D::, FF0E::, FF0F::

learn.afrinic.net | slide 53
Some well-known multicast addresses

FF01::1 All IPv6 nodes on the local interface


FF02::1 All nodes on the local link
FF01::2 All IPv6 routers on the local interface
FF02::2 All IPv6 routers on the local link
FF05::2 All IPv6 routers on the local site

RFC 2375 has the complete list


learn.afrinic.net | slide 54
The Solicited-Node multicast address (SNMA)

Take the low-order 24 bits of the unicast address hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh:hhhh and append them to ff02::1:ff00:0/104:

ff02::1:ffhh:hhhh/104
§ Computed for each unicast/anycast address
§ Different addresses with the same lower 24 bits have the same SNMA
learn.afrinic.net | slide 55
Example of a Solicited-Node multicast address

4037::01:800:200E:8C6C (low-order 24 bits: 0E:8C6C)

FF02::1:FF0E:8C6C/104
learn.afrinic.net | slide 56
Example of a Solicited-Node multicast address
#show ipv6 interface g0/0
GigabitEthernet0/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::CA9C:1DFF:FE6B:B6A0
No Virtual link-local address(es):
Description: [Link to R1]
Global unicast address(es):
2001:43F8:90:C0::2, subnet is 2001:43F8:90:C0::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:2
FF02::1:FF6B:B6A0
MTU is 1500 bytes
learn.afrinic.net | slide 57
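An added Python example (not code from the AFRINIC slides) covering slides 48 to 57: it decodes the flags (0RPT), scope and group ID of any ff00::/8 address, rebuilds a permanent group ID under a different scope as on slide 52, computes the solicited-node address of slide 55, and derives the set of link-scoped groups an interface must join, which is then checked against the `show ipv6 interface` output above. The scope table and function names are mine, taken from the slide content; the standard `ipaddress` module does the parsing.

```python
import ipaddress

# Scope values from slides 50-51 (table constructed from the slide content).
SCOPE_NAMES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xe: "global"}
RESERVED_SCOPES = {0x0, 0x3, 0xf}

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def decode_multicast(addr):
    """Split an ff00::/8 address into flags (0RPT), scope and group ID (slides 48-49)."""
    a = ipaddress.IPv6Address(addr)
    if not a.is_multicast:
        raise ValueError("not a multicast address (outside ff00::/8)")
    b = a.packed
    flags, scope = b[1] >> 4, b[1] & 0x0F
    if scope in RESERVED_SCOPES:
        scope_name = "reserved"
    else:
        scope_name = SCOPE_NAMES.get(scope, "unassigned")
    return {
        "R": bool(flags & 0x4),        # rendezvous point embedded
        "P": bool(flags & 0x2),        # based on a unicast network prefix
        "T": bool(flags & 0x1),        # False = permanent (IANA), True = dynamic
        "scope": scope,
        "scope_name": scope_name,
        "group_id": int.from_bytes(b[2:], "big"),
    }


def group_in_scope(group_id, scope):
    """Slide 52: the same permanent group ID with a different scope nibble."""
    if group_id >= 1 << 112 or scope not in range(16):
        raise ValueError("group ID or scope out of range")
    return ipaddress.IPv6Address((0xFF << 120) | (scope << 112) | group_id)


def solicited_node(addr):
    """Slide 55: ff02::1:ffXX:XXXX from the low 24 bits of a unicast/anycast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)


def expected_groups(unicast_addresses, is_router):
    """Link-scoped groups an interface must listen on (slides 57-59): all-nodes,
    all-routers if it routes, and one solicited-node group per configured address."""
    groups = {ipaddress.IPv6Address("ff02::1")}
    if is_router:
        groups.add(ipaddress.IPv6Address("ff02::2"))
    for u in unicast_addresses:
        groups.add(solicited_node(u))
    return groups


if __name__ == "__main__":
    print(solicited_node("4037::01:800:200E:8C6C"))      # ff02::1:ff0e:8c6c
    # Cross-check against the IOS 'show ipv6 interface g0/0' output on slide 57.
    joined = expected_groups(["FE80::CA9C:1DFF:FE6B:B6A0", "2001:43F8:90:C0::2"],
                             is_router=True)
    print(sorted(str(g) for g in joined))
    print(decode_multicast("ff05::101"))
```

Comparing `expected_groups` with the groups a device actually reports is a cheap sanity check: a router interface missing ff02::2 is not receiving router solicitations, and a missing solicited-node group means neighbour discovery for that address cannot complete.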
What addresses must a node identify itself by?

① [Mandatory] Link-Local address of each interface


② [Mandatory] Loopback address (::1)
③ [Mandatory] All-Nodes multicast addresses (ff0x::1)
④ Any unicast or anycast addresses of each interface
⑤ Solicited-Node multicast addresses for each of (4)
⑥ Multicast addresses of all groups to which it belongs

learn.afrinic.net | slide 58
What addresses must a router identify itself by?

① All addresses by which hosts identify themselves


② The All-Routers multicast addresses (ff0x::2)
③ Subnet-router anycast address for all routed interfaces
④ Any configured anycast addresses

learn.afrinic.net | slide 59
IPv6 address literals in URLs

§ Problem: The colon has another meaning in urls


§ It is a core part of the http://
§ It is also used to specify the port
§ Solution: enclose the IPv6 address in square brackets
§ http://[2001:db8:85a3::7348]/
§ http://[2001:db8:85a3::7348]:80/

learn.afrinic.net | slide 60
IPv6 literals in UNC path names

§ Problem: The colon is illegal character in UNC pathnames


§ The solution:
§ Replace each colon in the address with a dash
§ Replace any “%” in the zoneID with an “s”
§ Append “.ipv6-literal.net” to the address
§ 2001:db8::7348 >> 2001-db8--7348.ipv6-literal.net

learn.afrinic.net | slide 61
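The two literal rewrites of slides 60 and 61, as an added Python example (not code from the AFRINIC slides): bracketing for URLs, and the dash/“s”/ipv6-literal.net rewrite for UNC names together with its inverse. The inverse is unambiguous because “s” is not a hexadecimal digit, so the first “s” in the host label can only be the zone separator. Function names are mine.

```python
import ipaddress

UNC_SUFFIX = ".ipv6-literal.net"


def split_zone(literal):
    """Separate 'fe80::1%eth0' into ('fe80::1', 'eth0'); validates the address part."""
    addr, _, zone = literal.partition("%")
    ipaddress.IPv6Address(addr)          # raises ValueError on a malformed address
    return addr, zone


def url_host(literal, port=None):
    """Slide 60: bracket the address so its colons are not read as the port separator."""
    addr, zone = split_zone(literal)
    if zone:
        raise ValueError("zone IDs are not covered by the bracket rule on the slide")
    return f"http://[{addr}]/" if port is None else f"http://[{addr}]:{port}/"


def unc_literal(literal):
    """Slide 61: colons -> dashes, '%' -> 's', append .ipv6-literal.net."""
    addr, zone = split_zone(literal)
    host = addr.replace(":", "-")
    if zone:
        host += "s" + zone
    return host + UNC_SUFFIX


def from_unc_literal(name):
    """Reverse the rewrite; the first 's' is the zone separator (no hex digit is 's')."""
    if not name.endswith(UNC_SUFFIX):
        raise ValueError("not an ipv6-literal.net name")
    host = name[: -len(UNC_SUFFIX)]
    addr, _, zone = host.partition("s")
    literal = addr.replace("-", ":")
    ipaddress.IPv6Address(literal)       # reject garbage before handing it back
    return literal + ("%" + zone if zone else "")


if __name__ == "__main__":
    print(url_host("2001:db8:85a3::7348", 80))          # http://[2001:db8:85a3::7348]:80/
    print(unc_literal("2001:db8::7348"))                # 2001-db8--7348.ipv6-literal.net
    print(from_unc_literal(unc_literal("fe80::1%10")))  # fe80::1%10
```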
Testing basic IPv6 connectivity

Windows: ping -6 <hostname>; ping <address[%scopeID]>
Linux/Unix: ping6 <hostname> | <address>; ping6 -I <interface> <mcast-addr>
ping <address>
learn.afrinic.net | slide 62
Exercise: test reachability to the following

1. Your neighbor’s link-local address


2. All IPv6 hosts on the subnet
3. All IPv6 routers on the subnet

learn.afrinic.net | slide 63
Questions & Answers
Creating an

IPv6 Address Plan


Section Objectives
⫞ Subnet an IPv6 prefix
⫞ Describe how IPv6 addresses are globally managed
⫞ Estimate the IPv6 addressing needs of your network
⫞ Carve out your allocated addresses and assign them
The faces of a subnetting problem

§ Break 2001:db8:c001::/48 into 150 equal blocks
§ You have 125 sites each of which needs a /60; what prefix size should you reserve for all your sites?
§ Break 2001:db8::/32 into /40s

learn.afrinic.net | slide 66
The generic IPv6 subnetting problem
Prefix/L is split into s-prefix1/L’, s-prefix2/L’, … s-prefixn/L’

§ L’ > L in length (in size, shorter is larger)
§ L’ = L + s (s = number of subnet bits)
§ Subnetting is finding ‘s’ and the values s-prefix1 … s-prefixn
learn.afrinic.net | slide 67
Forsake thy bad IPv4 subnetting habits

§ Why we subnet
§ IPv4: conserve address space
§ IPv6: Optimize for routing or security
§ No VLSM in IPv6 – same prefix length on every LAN
§ Think subnets and not hosts
§ There’ll rarely be a need to expand a /64 subnet!

learn.afrinic.net | slide 68
IPv6 subnetting procedure
Step 1. Inputs: prefix & lengths L, L’ (or the number of subnets N). Process: find the number of subnet bits (s). Formula: s = L’ – L, or s = log N ÷ log 2
Step 2. Inputs: subnet bits s. Process: find the number of subnet hexits. Formula: s ÷ 4
Step 3. Inputs: sub-prefix length L’. Process: find the subnetID increment (B). Formula: B = 2^(16 – (L’ % 16))
Step 4. Inputs: prefix & length L, sub-prefix length L’. Process: list the subnets. Use sipcalc or any online tool (trust me!)

learn.afrinic.net | slide 69
Step #1: How to find the subnet bits (s)

Given the prefix length L and the sub-prefix length L’: s = L’ – L
Given the number of sub-prefixes required N: s = log N ÷ log 2

learn.afrinic.net | slide 70
Ex: break 2001:db8:c000::/36 to 700 subnets

We know the number sub-prefixes N = 700


① s = log 700 ÷ log 2 = 9.81 ≈ 10 bits

learn.afrinic.net | slide 71
Step #2: How to find the number of subnet hexits

Sub-prefix length L’ = L + s ‘Host’ portion

L bits s bits 64 bits

Original prefix SubnetID InterfaceID

No. of hexits = s ÷ 4
learn.afrinic.net | slide 72
Ex: break 2001:db8:c000::/36 to 700 subnets

We know number sub-prefixes N = 700


① s = log 700 ÷ log 2 = 9.81 ≈ 10 bits
② No. of hexits = 10 ÷ 4 = 2.5 ≈ 3 hexits
Thus each of the sub-prefixes will have the form

2001:db8:cHHH::/46
learn.afrinic.net | slide 73
Step #3: How to find the increment or Block (B)

Given the sub-prefix length L’:

B = 2^(16 – (L’ % 16))

learn.afrinic.net | slide 74
Ex: break 2001:db8:c000::/36 to 700 subnets

We know number sub-prefixes N = 700


① s = log 700 ÷ log 2 = 9.81 ≈ 10 bits
② No. of hexits = 10 ÷ 4 = 2.5 ≈ 3 hexits
③ Each sub-prefix looks like 2001:db8:cHHH::/46
④ ‘HHH’ changes by B = 2^(16 – (46 % 16)) = 2^(16 – 14) = 2^2 = 4

learn.afrinic.net | slide 75
Step #4: How to list the subnetIDs
<prefix>:<subnetID0>::/L’
subnetID0 + B → <prefix>:<subnetID1>::/L’
subnetID1 + B → <prefix>:<subnetID2>::/L’
…
subnetIDn-1 + B → <prefix>:<subnetIDn>::/L’
learn.afrinic.net | slide 76
Step #4: Listing subnetIDs – the NERDY way

The nth subnetID a_n, from the block B you calculated:

a_n = (n-1)B
§ Useful for “what’s the 79th subnet” type questions
learn.afrinic.net | slide 77
Step #4: How to list the subnetIDs with sipcalc
Given the original prefix & length <prefix::/L> and the sub-prefix length <L’>:

sipcalc <prefix::/L> --v6split=<L’>

OR
sipcalc <prefix::/L> -S /<L’>

E.g: sipcalc 2001:db8:c000::/36 --v6split=46


learn.afrinic.net | slide 78
Step #4: How to find the nth subnet with sipcalc

Given the original prefix & length <prefix::/L> and the sub-prefix length <L’>:

sipcalc <prefix::/L> -S /<L’> | grep Network | nl | grep n

E.g: sipcalc 2001:db8:c000::/36 -S /46 | grep Network | nl | grep 975

learn.afrinic.net | slide 79
Step #4: Listing the subnets example
§ Ex: Break 2001:db8:c000::/36 into 700 subnets
§ The nth subnetID is a_n = 4(n-1)
§ 1st subnetID: a_1 = 4(0) = 0 (0x0)
§ 1st subnet: 2001:db8:c000::/46
§ Last subnetID: a_1024 = 4(1023) = 4092 (0xFFC)
§ Last subnet: 2001:db8:cffc::/46
§ 264th subnetID: a_264 = 4(263) = 1052 (0x41C)
§ 264th subnet: 2001:db8:c41c::/46
learn.afrinic.net | slide 80
Subnetting example : problem

An ISP with operations in 10 cities just got a 2001:db8::/32 allocation from AFRINIC. Subnet this prefix equally between the 10 cities.

learn.afrinic.net | slide 81
Sipcalc example and output
sipcalc 2001:db8::/32 --v6split=36 | grep Network
Network - 2001:0db8:0000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:1000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:2000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:3000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:4000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:5000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:6000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:7000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:8000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:9000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:a000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:b000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:c000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:d000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:e000:0000:0000:0000:0000:0000 -
Network - 2001:0db8:f000:0000:0000:0000:0000:0000 -

learn.afrinic.net | slide 82
Solution to subnetting problem

§ Number of subnets: N = 10
§ Subnet bits required: s = log 10 ÷ log 2 = 3.322 ≈ 4
§ 4 bits gives 16 (i.e. 2^4) sub-prefixes: 6 spares
§ Length of each sub-prefix L’ = 36 (i.e. 32 + 4)
§ Number of subnet hexits = s/4 = 1
§ SubnetID increment B = 2^(16 – (36 % 16)) = 2^12 = 4096 (0x1000)

learn.afrinic.net | slide 83
Subnetting example : analysis

§ First subnetID
§ a_1 = 4096(1-1) = 0 (0x0) [from a_n = (n-1)B]
§ First subnet: 2001:db8:0000::/36
§ Last subnetID
§ a_16 = 4096(16-1) = 61440 (0xf000)
§ Last subnet: 2001:db8:f000::/36
§ Verify your answer using sipcalc
§ sipcalc 2001:db8::/32 --v6split=36
learn.afrinic.net | slide 84
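The four-step procedure of slides 69 to 80 and the ISP example of slides 81 to 84, as one added Python example (not code from the AFRINIC slides). `plan_split` returns every intermediate value (s, L’, hexits, B, spares, first and last sub-prefix); `nth_subnet` is the “nerdy way” a_n = (n-1)B done on the 128-bit integer so it also works when the boundary is not nibble-aligned; `list_subnets` produces the same listing as `sipcalc --v6split` using only the standard `ipaddress` module. Function names are mine.

```python
import ipaddress
import itertools
import math


def subnet_bits(n_subnets):
    """Step 1: s = ceil(log N / log 2), the bits needed to number N sub-prefixes."""
    if n_subnets < 1:
        raise ValueError("need at least one subnet")
    return math.ceil(math.log2(n_subnets))


def subnet_hexits(s):
    """Step 2: hexits (4-bit digits) that change across the sub-prefixes, rounded up."""
    return math.ceil(s / 4)


def block_increment(sub_len):
    """Step 3: B = 2^(16 - (L' % 16)), the step by which the 16-bit group that
    contains the sub-prefix boundary changes from one subnet to the next."""
    return 2 ** (16 - (sub_len % 16))


def nth_subnet(prefix, sub_len, n):
    """Step 4, the 'nerdy' way: a_n = (n-1)*B placed in the subnet-ID bits.
    Working on the 128-bit integer makes it independent of nibble alignment."""
    net = ipaddress.IPv6Network(prefix)
    s = sub_len - net.prefixlen
    if s < 0 or not 1 <= n <= 2 ** s:
        raise ValueError("subnet number out of range for this split")
    host_bits = 128 - sub_len
    return ipaddress.IPv6Network((int(net.network_address) | ((n - 1) << host_bits), sub_len))


def list_subnets(prefix, sub_len, limit=None):
    """Step 4 with the standard library: the listing sipcalc --v6split prints."""
    subnets = ipaddress.IPv6Network(prefix).subnets(new_prefix=sub_len)
    return list(itertools.islice(subnets, limit))


def plan_split(prefix, n_subnets):
    """Run the whole procedure and return every intermediate value."""
    net = ipaddress.IPv6Network(prefix)
    s = subnet_bits(n_subnets)
    sub_len = net.prefixlen + s
    if sub_len > 64:
        raise ValueError("sub-prefixes longer than /64 leave no room for interface IDs")
    return {
        "s": s,
        "sub_len": sub_len,
        "hexits": subnet_hexits(s),
        "B": block_increment(sub_len),
        "total": 2 ** s,
        "spares": 2 ** s - n_subnets,
        "first": nth_subnet(prefix, sub_len, 1),
        "last": nth_subnet(prefix, sub_len, 2 ** s),
    }


if __name__ == "__main__":
    p = plan_split("2001:db8:c000::/36", 700)
    print(p["s"], p["sub_len"], p["hexits"], p["B"])     # 10 46 3 4
    print(nth_subnet("2001:db8:c000::/36", 46, 264))    # 2001:db8:c41c::/46
    for net in list_subnets("2001:db8::/32", 36, limit=3):
        print(net)
```

The `sub_len > 64` guard encodes the rule from slide 68 (think subnets, not hosts: every LAN gets a /64), so a split that would eat into the interface-ID bits is refused instead of silently producing unusable prefixes.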
Some clarifications on address planning

① Don’t fit your network into RIR minimums (/32, /36 & /48)
② Typical prefix lengths
§ Multi-host LAN subnets: /64
§ Inter-router links: /127
§ Loopback addresses: /128
③ Plan a hierarchical scheme to optimize for aggregation
④ Ensure all prefixes fall on nibble (4 bit) boundaries

learn.afrinic.net | slide 85
Best practice: use /127 for inter-router links

<prefix>:<subnetID>::/127

Improves security by eliminating
§ Forwarding loops (ping pong) on some p2p links
§ Neighbour Exhaustion Attacks
Addresses with the following 64 bits must NOT be used
§ 0000:0000:0000:0000
§ ffff:ffff:ffff:ff7f through ffff:ffff:ffff:ffff
learn.afrinic.net | slide 86
About using only LLA on infrastructure links
Do configure a GUA on a loopback address for
§ Management plane traffic (ssh, telnet, SNMP, etc)
§ Source ICMPv6 error messages destined off-subnet
Advantages
§ Smaller routing tables which leads to
§ less memory consumption
§ faster routing convergence
§ Accelerated forwarding due to smaller RIBs & FIBs
§ Simpler address management
§ Lower configuration complexity (nothing to do)
§ Simpler DNS (you don’t put LLA into zone files)
§ Reduced attack surface
Caveats
§ Router-interfaces not ping-able from off-link (fix: ping the loopback)
§ Traceroutes to these interfaces break
§ Hardware dependency – LLAs change if line cards change
§ NMS functions that are interface-address specific will break
§ MPLS RSVP-TE which creates LSPs with strict sequence of IP addresses

learn.afrinic.net | slide 87
Sample hierarchy for a country ISP network
ASN

Level 1 City #1 City #2 City #n

Level 2 Site #1 Site #2 Site #n

Level 3 (End networks) Client #1 Client #2 Client #n


learn.afrinic.net | slide 88
Sample hierarchy for a university network
ASN

Level 1 Campus #1 Campus #2 Campus #n

Level 2 Building #1 Building #2 Building #n

Level 3 (End networks) Department #1 Department #2 Department #n


learn.afrinic.net | slide 89
Sample hierarchy for an enterprise network
ASN

Level 1 HQ Branch #1 Branch #n

Level 2 Data Voice Video

Level 3 (End networks) Sales Marketing Operations


learn.afrinic.net | slide 90
Estimating total number of prefixes needed| ISP
ASN

City #1 City #2 City #n

Site #1 Site #2 Site #n

Client #1 Client #2 Client #n

N = #Cities x #Sites x #Clients_max


learn.afrinic.net | slide 91
Estimating number of prefixes needed| University
ASN

Campus #1 Campus #2 Campus #n

Building #1 Building #2 Building #n

Department #1 Department #2 Department #n

N = #Campuses x #Buildings x #Departments_max


learn.afrinic.net | slide 92
Aim for nibble boundaries
/20, /24, /28, /32, /36, /40, /44, /48, /52, /56, /60, /64

Number of prefixes at each 4-bit step (2^4n): 16, 256, 4096, 65536, 1048576, 16777216, 268435456, 4294967296, 68719476736, etc
Round up your estimates (cities, sites, campuses, buildings, etc) to the nearest fourth power
learn.afrinic.net | slide 93
Nibble-aligned prefix

2001:db8:3c00::/40 (nibble-aligned) spans 2001:db8:3c00:: to 2001:db8:3cff:ffff:ffff:ffff:ffff:ffff
2001:db8:3c00::/42 (not nibble-aligned) spans 2001:db8:3c00:: to 2001:db8:3c3f:ffff:ffff:ffff:ffff:ffff

learn.afrinic.net | slide 94
Calculating how much space to request

① Find number of bits for N prefixes: s = log N ÷ log 2


② Decide how much space you’ll give end-networks (Sn)
§ /64 for multi-user LANs
§ /60 at least for home users
③ Space to request from your RIR = Sn – s e.g.
§ 48 – s [if assigning /48s per end-network]
§ 52 – s [if assigning /52s per end-network]

learn.afrinic.net | slide 95
Don’t worry, there are enough addresses!

2000::/3 contains 35 trillion /48s
World population, year 2050 projections: 9.3 billion


learn.afrinic.net | slide 96
IPv6 address planning | example

An ISP has operations in 10 cities. The largest city has 50


POPs, the largest of which has about 2700 clients. Estimate
the IPv6 addressing needs of this ISP

learn.afrinic.net | slide 97
Address planning example – analysis and solution
§ We know
§ #Cities = 10 [round to 16]
§ #SITEs = 50 [round up to 256]
§ #Clientsmax = 2700 [round up to 4096]
§ Calculate
§ Total number of end-network prefixes required is N
§ N =16 x 256 x 4096 = 16,777,216
§ Number of subnet bits required: s = log 16,777,216 ÷ log 2 = 24.
§ Allocation size:
§ 48 – 24 = 24 [Assuming /48s to end-sites]
§ 52 – 24 = 28 [Assuming /52s to end-sites]
§ Thus the ISP needs to request a /24 or /28 from AFRINIC.
learn.afrinic.net | slide 98
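The sizing calculation of slides 93 to 98 as an added Python example (not code from the AFRINIC slides): each hierarchy level is rounded up to a power of 16 so that it sits on a nibble boundary, the rounded counts are multiplied into N, s = log2 N, and the request is /(Sn - s). `prefixes_in` reproduces the slide 96 figure of 35 trillion /48s in 2000::/3. Function names are mine.

```python
import math


def nibble_round(count):
    """Slide 93: round a count up to the next power of 16 (a 4-bit boundary).
    Returns (rounded_count, bits_needed)."""
    if count < 1:
        raise ValueError("count must be positive")
    rounded, bits = 1, 0
    while rounded < count:
        rounded *= 16
        bits += 4
    return rounded, bits


def request_size(level_counts, end_network_len):
    """Slides 95 and 98: multiply the rounded counts of every hierarchy level to get
    N end-network prefixes, take s = log2 N, and request /(Sn - s) from the RIR."""
    total, total_bits = 1, 0
    for count in level_counts:
        rounded, bits = nibble_round(count)
        total *= rounded
        total_bits += bits
    s = math.ceil(math.log2(total))      # equals total_bits: every factor is a power of 16
    if end_network_len - s < 0:
        raise ValueError("more end networks than the address space can hold")
    return {"N": total, "s": s, "request_len": end_network_len - s}


def prefixes_in(container_len, prefix_len):
    """How many /prefix_len blocks fit in one /container_len (slide 96: /48s in 2000::/3)."""
    if prefix_len < container_len:
        raise ValueError("the block cannot be larger than its container")
    return 2 ** (prefix_len - container_len)


if __name__ == "__main__":
    # Slide 97: 10 cities, largest with 50 POPs, largest POP with about 2700 clients.
    print(request_size([10, 50, 2700], 48))   # {'N': 16777216, 's': 24, 'request_len': 24}
    print(request_size([10, 50, 2700], 52))   # {'N': 16777216, 's': 24, 'request_len': 28}
    print(prefixes_in(3, 48))                 # 35184372088832
```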
Considerations for virtualized servers

§ Non-virtualised server environments


§ One physical server needs at least one IP
§ For virtualised environments
§ The hypervisor host needs one or more IPs
§ Each VM needs at least one IP
§ Each hypervisor may hold multiple clients VMs

learn.afrinic.net | slide 99
Address planning considerations for virtualisation

Traditional servers
§ Management VLAN
§ Storage VLAN
§ Data VLAN
§ One subnet each

Virtualized servers
§ Management VLAN
§ Storage VLAN
§ Several data VLANs
§ Plan a /64 for each of your data VLANs

learn.afrinic.net | slide 100


The 3 phases of IP address planning

① Estimate addressing needs
② Apply for space from AFRINIC
③ Assign sub-prefixes to different parts of the network

learn.afrinic.net | slide 101


Two approaches to assigning sub-prefixes
§ Sequential: sub-prefixes are handed out in order from one end of the block (subnet #1, #2, #3, #4, #5, …)
§ Bisection: each new sub-prefix is placed halfway across the largest remaining free space, so every assignment keeps room to grow on either side
learn.afrinic.net | slide 102
Exercise

Based on last exercise, AFRINIC allocated you 2001:db::/24.


Explore how an address plan may look like using the tool:

http://j.mp/v6Planner

learn.afrinic.net | slide 103


Questions & Answers
Understanding

IPv6 from an IPv4 Perspective


Section Objectives
⫞ Describe the IPv6 header & how it differs from the IPv4
⫞ Identify the IPv6 equivalents of key IPv4 protocols
The IPv6 packet structure
Base header (40 bytes):
Version (4 bits) | Traffic Class (8 bits) | Flow Label (20 bits)
Payload Length | Next Header | Hop Limit
Source Address (128 bits)
Destination Address (128 bits)
Extension header(s), variable length: Next Header | Extension Header Information
Data
learn.afrinic.net | slide 106
About IPv6 extension headers

§ Used to encode additional Internet-layer information


§ Placed between base header and upper-layer header
§ A packet may carry 0, 1 or more headers
§ There’s a unique value in “Next Header” for each header
§ Serve similar function as “Protocol” in IPv4 header

learn.afrinic.net | slide 107


IPv6 packet with no extension header

Version | Traffic Class | Flow Label
Payload Length | Next Header = UL | Hop Limit
Source Address (40-byte base header)
Destination Address
Upper Layer (e.g. TCP or UDP) Header (variable length)
Data

learn.afrinic.net | slide 108


IPv6 packet with extension headers
Version | Traffic Class | Flow Label
Payload Length | Next Header = EH1 | Hop Limit
Source Address (40-byte base header)
Destination Address
EH1 Header (Next Header = EH2)
EH2 Header (Next Header = UL)
Upper Layer (e.g. TCP or UDP) Header
Data
learn.afrinic.net | slide 109
List and order of IPv6 extension headers
Order | Header | Code | Description
1 | Basic IPv6 header | (none) | (none)
2 | Hop-by-hop options | 0 | Examined by all hosts in path
3 | Destination options | 60 | Examined only by destination node
4 | Routing | 43 | Specify the route for a datagram (mobile v6)
5 | Fragment | 44 | Fragmentation parameters
6 | Authentication (AH) | 51 | Verify packet authenticity
7 | ESP | 50 | Encrypted data
8 | Destination options | 60 | Examined only by destination node
9 | Mobility | 135 | Parameters for use with mobile IPv6

learn.afrinic.net | slide 110
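A parser for the structures of slides 106 to 110, as an added Python example (not code from the AFRINIC slides): it decodes the 40-byte base header, then follows the Next Header chain through the extension headers until it reaches the upper-layer protocol, and checks the chain against the recommended order in the table above. This walk is what any filter or IDS must do before it can see the TCP/UDP ports of an IPv6 packet, so a truncated or inconsistent chain is treated as an error rather than guessed around. The sample packet is constructed in the code (base header, Hop-by-hop, Destination options, UDP), not a capture; the constant and function names are mine.

```python
import struct
import ipaddress

# Next Header codes from the table on slide 110 plus common upper layers.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS, MOBILITY = 0, 43, 44, 50, 51, 60, 135
EXT_HEADERS = {HOP_BY_HOP: "Hop-by-hop options", ROUTING: "Routing", FRAGMENT: "Fragment",
               AH: "Authentication (AH)", DEST_OPTS: "Destination options", MOBILITY: "Mobility"}
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No next header", ESP: "ESP"}
# Recommended order from slide 110; Destination options may legitimately appear twice.
RECOMMENDED_ORDER = [HOP_BY_HOP, DEST_OPTS, ROUTING, FRAGMENT, AH, ESP, DEST_OPTS, MOBILITY]


def parse_base_header(pkt):
    """Fixed 40-byte header: 4-bit version, 8-bit traffic class, 20-bit flow label,
    payload length, next header, hop limit, then two 128-bit addresses."""
    if len(pkt) < 40:
        raise ValueError("packet shorter than the 40-byte base header")
    word0, payload_len, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word0 >> 28 != 6:
        raise ValueError("version field is not 6")
    return {"traffic_class": (word0 >> 20) & 0xFF, "flow_label": word0 & 0xFFFFF,
            "payload_length": payload_len, "next_header": next_header, "hop_limit": hop_limit,
            "src": ipaddress.IPv6Address(pkt[8:24]), "dst": ipaddress.IPv6Address(pkt[24:40])}


def walk_extension_headers(pkt):
    """Follow the Next Header chain until an upper-layer protocol is reached.
    Returns (chain, upper_layer_code, offset_of_upper_layer_header)."""
    base = parse_base_header(pkt)
    end = 40 + base["payload_length"]
    if end > len(pkt):
        raise ValueError("payload length exceeds the bytes available")
    nh, off, chain = base["next_header"], 40, []
    while nh in EXT_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        next_nh, hdr_ext_len = pkt[off], pkt[off + 1]
        if nh == FRAGMENT:
            length = 8                          # fixed-size header
        elif nh == AH:
            length = (hdr_ext_len + 2) * 4      # AH counts 32-bit words minus 2
        else:
            length = (hdr_ext_len + 1) * 8      # 8-octet units, not counting the first 8
        chain.append((nh, EXT_HEADERS[nh], length))
        nh, off = next_nh, off + length
    if off > end:
        raise ValueError("extension header runs past the payload length")
    return chain, nh, off


def in_recommended_order(chain_codes):
    """Subsequence test of the chain against the order on slide 110."""
    pos = 0
    for code in chain_codes:
        while pos < len(RECOMMENDED_ORDER) and RECOMMENDED_ORDER[pos] != code:
            pos += 1
        if pos == len(RECOMMENDED_ORDER):
            return False
        pos += 1
    return True


def build_sample_packet():
    """Constructed sample (not a capture): base header -> Hop-by-hop -> Destination
    options -> UDP. Each options header is 8 bytes filled with one PadN option."""
    src = ipaddress.IPv6Address("2001:db8:c001::10").packed
    dst = ipaddress.IPv6Address("2001:db8:c001::1").packed
    padn = b"\x01\x04\x00\x00\x00\x00"                    # PadN carrying 4 bytes of padding
    hop_by_hop = bytes([DEST_OPTS, 0]) + padn              # Next Header = 60, Hdr Ext Len = 0
    dest_opts = bytes([17, 0]) + padn                      # Next Header = 17 (UDP)
    udp = struct.pack("!HHHH", 5353, 5353, 8, 0)           # src port, dst port, length, checksum
    payload = hop_by_hop + dest_opts + udp
    word0 = (6 << 28) | (0 << 20) | 0xABCDE                 # version 6, TC 0, flow label 0xabcde
    base = struct.pack("!IHBB", word0, len(payload), HOP_BY_HOP, 64) + src + dst
    return base + payload


if __name__ == "__main__":
    pkt = build_sample_packet()
    chain, upper, off = walk_extension_headers(pkt)
    print([name for _, name, _ in chain], UPPER.get(upper, upper), off)
    print(in_recommended_order([code for code, _, _ in chain]))
```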


Exercise: Examining real IPv6 packets
① Open http://j.mp/v6cap and select packet #67
§ What is the Flow label?
§ What information does this packet carry?
§ How long is the data portion of the packet?
§ How many routers will forward this?
② Open http://j.mp/v6rh
§ List the two extension headers in the packet
§ What information does the packet carry?
learn.afrinic.net | slide 111
Packet header structure changes from IPv4

IPv4 header fields:
Version | IHL | Type of Service | Total Length
Identification | Flags | Fragment Offset
Time to Live | Protocol | Header Checksum
Source Address
Destination Address
Options | Padding

Legend (colour-coded on the slide): field eliminated from IPv6; field removed from IPv6 base header; field renamed in IPv6 header; field maintained
learn.afrinic.net | slide 112
IPv4 vs IPv6 key functionality comparison

Methods for automatic configuration of hosts & CPEs
§ IPv4: DHCP, PPPoE
§ IPv6: DHCPv6, Stateless Address configuration, PPPoE
Network to Link-layer Address Resolution
§ IPv4: ARP (broadcast)
§ IPv6: ICMPv6 (NS, NA) (multicast)

learn.afrinic.net | slide 113


IPv4 vs IPv6 key functionality comparison

Domain name to address resolution methods
§ IPv4: DNS, A resource records, in-addr.arpa reverse zone
§ IPv6: DNS, AAAA resource records, ip6.arpa reverse zone
How hosts join a multicast group
§ IPv4: IGMPv1 and IGMPv2
§ IPv6: MLD
Automatically provisioning default gateway on hosts
§ IPv4: DHCP, IRDP or Passive RIP
§ IPv6: RA (ICMPv6)

learn.afrinic.net | slide 114


IPv4 vs IPv6 key functionality comparison

Supported Open Dynamic Routing Protocols
§ IPv4: RIPv1, RIPv2; OSPFv2, IS-IS; BGPv4 (IPv4 Address Family)
§ IPv6: RIPng; OSPFv3, IS-IS; BGPv4 (IPv6 Address Family)
Minimum Supported MTU size
§ IPv4: 576 bytes
§ IPv6: 1280 bytes
Supported Communication Modes
§ IPv4: Unicast, multicast, broadcast
§ IPv6: Unicast, multicast

learn.afrinic.net | slide 115


Questions & Answers
Understanding

IPv6 Neighbor Discovery


Section Objectives
⫞ Describe the importance and functioning of IPv6 ND
⫞ Describe how ND is used in other key IPv6 functions
Functions of IPv6 Neighbor Discovery (ND)
NODE
§ Address configuration (SLAAC)
§ Link-layer address resolution
§ Link-layer address change notification
§ Neighbour Unreachability Detection (NUD)
HOST
§ Router discovery
§ Parameter discovery (MTU, prefixes, hop limits etc)
ROUTER
§ Advertise their presence & parameters (MTU, prefixes, hop limits)
§ Advertise on-link prefixes
§ Determine next hops
§ Redirect hosts to better next hops
learn.afrinic.net | slide 118
ND ≈ ARP + IRDP + Redirect (functions that exist in IPv4) + NUD (new to IPv6)

ND defines and uses 5 ICMPv6 messages
§ Router Solicitation
§ Router Advertisement
§ Neighbor Solicitation
§ Neighbor Advertisement
§ Redirect

learn.afrinic.net | slide 120


The Router Solicitation (RS)

Sent by: Hosts (when an IPv6 interface is enabled)
Purpose: Requests routers for network parameters
Source address:
§ IP of querying interface if one exists
§ Unspecified address (::) if there is no IP address yet
Destination address: FF02::2 (all-routers)
Notes: ICMP type 133, ICMP code 0

learn.afrinic.net | slide 121


Sample RS packet capture

learn.afrinic.net | slide 122


The Router Advertisement (RA)
Sent by: IPv6 router
Purpose:
§ Advertise its presence, prefixes, MTU, hop limits
§ Sent periodically or in response to RS
Source address: Sending interface’s link local address
Destination address:
§ [periodic broadcasts] FF02::1
§ [Solicited] Source address of invoking RS
Notes: ICMP type 134, ICMP code 0


learn.afrinic.net | slide 123
Sample RA (1/2)

learn.afrinic.net | slide 124


Sample RA (2/2)

learn.afrinic.net | slide 125


Configuring RA on Cisco IOS

Set interval of RA retransmission


(config-if)#ipv6 nd ra interval { max [min]}
(config-if)#ipv6 nd ra interval {msec max [min]}

Set the lifetime of RA messages


(config-if)#ipv6 nd ra lifetime <secs>

Suppress RA messages on a LAN interface


(config-if)#[no] ipv6 nd ra suppress [all]

learn.afrinic.net | slide 126


The Neighbour Solicitation (NS)
Sent by: IPv6 host
Purpose:
§ Determine a neighbor's L2 address
§ Duplicate address detection
§ Verify that a neighbour is reachable
Src address:
§ IP of querying interface if one exists
§ Unspecified address (::) if there is no IP address yet
Dst address:
§ Target neighbour’s address if known
§ Solicited node multicast address of target otherwise
Notes: ICMP type 135, ICMP code 0


learn.afrinic.net | slide 127
The Neighbour Advertisement (NA)

Sent by: IPv6 host
Purpose:
§ Response to a neighbour solicitation (NS)
§ Announce an L2 address change (i.e. unsolicited)
Source address: any address on the originating interface
Destination address:
§ IP address of the node which sent the NS (solicited)
§ FF02::1 for unsolicited advertisements
Notes: ICMP type 136, ICMP code 0

learn.afrinic.net | slide 128


Sample solicited NA from a router

learn.afrinic.net | slide 129


Sample solicited NA from a host

learn.afrinic.net | slide 130


The Redirect message

Sent by: IPv6 router
Purpose: informs a node of a better next-hop for the destination
Source address: link-local address of the router
Destination address: IP address of the node being redirected
Notes: ICMP type 137, ICMP code 0

Sample packet at http://j.mp/v6redirect

learn.afrinic.net | slide 131
Duplicate Address Detection

N1 wants to use 2001:db8:c001::10, which N2 already owns.

N1 → ICMPv6 type 135 (NS)
  source ::
  destination ff02::1:ff00:0010
  target 2001:db8:c001::10

N2 → ICMPv6 type 136 (NA)
  source 2001:db8:c001::10
  destination ff02::1
  target 2001:db8:c001::10

learn.afrinic.net | slide 132
Duplicate Address Detection II
① Host N1 is going to assign address “A” on its interface “I”
② Interface “I” joins the multicast groups:
§ ff02::1 -- “All IPv6 nodes”
§ ff02::1:ffXX:XXXX -- the solicited-node multicast address for “A”
③ N1 sends an NS message to the solicited-node multicast address for “A”, sourced from “::”
④ N1 listens for any NS messages to the solicited-node multicast address for “A” sourced from “::”
⑤ DAD fails under any of the following circumstances
§ N1 receives an NS for the tentative address prior to sending one.
§ More NSs are received than expected based on loopback semantics
learn.afrinic.net | slide 133
Further DAD details

§ Done for ALL unicast addresses before assignment
§ NEVER done for the following:
  § Anycast addresses
  § Interfaces specifically configured not to do DAD
§ If DAD fails for an address
  § It can’t be assigned to the interface
  § All addresses with the same IID are also not unique
  § A system management error must be logged
learn.afrinic.net | slide 134
Sample NS packet for DAD

learn.afrinic.net | slide 135


Tweaking DAD on Cisco IOS

Set no. of NS sent during DAD
(config-if)#[no] ipv6 nd dad attempts <value>

Set NS retransmit interval for DAD
(config-if)#[no] ipv6 nd dad time [millisecs]

learn.afrinic.net | slide 136


States of every IPv6 address

[Figure: address state machine]
§ Tentative: a NEW address on which DAD is still running
§ DAD pass → Preferred while pltime > 0 (usable for new and existing communication)
§ DAD fail → Duplicate (never assigned)
§ Preferred → Deprecated when pltime expires but vltime > 0 (EXISTING communication may continue)
§ Deprecated → Invalid when vltime expires
Exercise: Examine http://j.mp/v6dad

① For what address is DAD being done?
② What’s the SNMA for the address in question?
③ Write down the following MAC addresses
§ The device with the duplicate IP
§ The device which already owns that IP

learn.afrinic.net | slide 138


Resolving link-layer addresses

N1 (2001:db8:c001::10) wants the L2 address of N2 (2001:db8:c001::20, MAC b8:e8:56:4a:fe:ac).

N1 → NS
  source 2001:db8:c001::10
  destination ff02::1:ff00:0020
  target 2001:db8:c001::20

N2 → NA
  source 2001:db8:c001::20
  destination 2001:db8:c001::10
  target 2001:db8:c001::20
  target L2 addr b8:e8:56:4a:fe:ac

learn.afrinic.net | slide 139
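The solicited-node multicast address and the NS/NA fields used in the DAD and link-layer resolution slides above, as an added Python example (not the course's own code); the dad_failed check follows the failure rules on the "Duplicate Address Detection II" slide, and the observed messages are constructed:

```python
"""Solicited-node multicast addresses and the ICMPv6 NS/NA fields used for
Duplicate Address Detection (DAD) and link-layer address resolution.
Added example following RFC 4291 and RFC 4861; not code from the slides."""
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr):
    """ff02::1:ffXX:XXXX where XX:XXXX are the low-order 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def multicast_mac(group):
    """Ethernet destination MAC for an IPv6 multicast group: 33:33 + low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


def dad_ns(tentative):
    """NS that probes a tentative address: unspecified source, SNMA destination."""
    return {"type": 135, "src": "::", "dst": solicited_node(tentative),
            "target": str(ipaddress.IPv6Address(tentative))}


def resolution_ns(querier, target):
    """NS sent to learn a neighbour's L2 address when the ND cache has no entry."""
    return {"type": 135, "src": str(ipaddress.IPv6Address(querier)),
            "dst": solicited_node(target), "target": str(ipaddress.IPv6Address(target))}


def dad_failed(tentative, observed, sent=1):
    """Decide whether DAD failed for `tentative`.

    `observed` is a list of (icmp_type, src, target) tuples seen on the link
    while the address is tentative.  DAD fails when another node answers with
    an NA for the target, or when more DAD NSs (source ::) for the target are
    seen than the `sent` copies expected back from multicast loopback.
    """
    tentative = str(ipaddress.IPv6Address(tentative))
    dad_probes = 0
    for icmp_type, src, target in observed:
        if str(ipaddress.IPv6Address(target)) != tentative:
            continue
        if icmp_type == 136:            # NA: some node already owns the address
            return True
        if icmp_type == 135 and src == "::":
            dad_probes += 1
    return dad_probes > sent


if __name__ == "__main__":
    # Constructed values mirroring the slides' hosts N1 (::10) and N2 (::20).
    print(dad_ns("2001:db8:c001::10"))
    print(multicast_mac(solicited_node("2001:db8:c001::10")))
    print(resolution_ns("2001:db8:c001::10", "2001:db8:c001::20"))
    # N2 already owns ::10 and answers the probe with an NA to ff02::1.
    seen = [(135, "::", "2001:db8:c001::10"),
            (136, "2001:db8:c001::10", "2001:db8:c001::10")]
    print(dad_failed("2001:db8:c001::10", seen))
```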
Quiz: visit j.mp/v6-MAC-addr-resolv

① What’s the IP of the host with the unknown MAC address?
② Which node (IP address) is looking for the MAC address?
③ What is the destination address of packet #1?
④ What is the MAC address of the node in (2)?
⑤ What is the MAC address of the node in (1)?

learn.afrinic.net | slide 140


Neighbour Unreachability Detection (NUD)

§ Nodes actively track the state of neighbours they are talking to:
  § Determine if the neighbour has failed
  § Determine if the forward path to the neighbour has failed
§ The neighbour must confirm it is receiving and processing IP packets, by either
  ① A hint from an upper-layer protocol, e.g. a TCP ACK
  ② Soliciting an NA from the neighbour using a unicast probe (NS)

learn.afrinic.net | slide 141


Configuring NUD on Cisco IOS

Set no. of times NUD re-sends NS messages
(config-if)#ipv6 nd nud retry <base> <interval> <max-attempts>

Set the length of time before an ND cache entry expires
(config-if)#ipv6 nd cache expire <time> [refresh]

Let ND glean an entry from an unsolicited NA
(config-if)#ipv6 nd na glean

learn.afrinic.net | slide 142


NS packet capture for NUD

learn.afrinic.net | slide 143


QUESTIONS & ANSWERS

Performing Basic IPv6 Host Configuration


Section Objectives
⫞ Configure and verify IPv6 on Windows operating systems
⫞ Configure and verify IPv6 on Linux operating systems
⫞ Configure and verify IPv6 on the MAC OS X operating system
⫞ Configure and verify IPv6 on Cisco IOS
⫞ Configure and verify IPv6 on Junos
Most desktop OSes support & enable IPv6

http://j.mp/OSv6-support
learn.afrinic.net | slide 146
Host Configuration: Windows Vista/7

learn.afrinic.net | slide 147


Host configuration: Mac OS X

learn.afrinic.net | slide 148


Host Configuration: Linux (/etc/network/interfaces)

Configure static address
auto eth0
iface eth0 inet6 static
    address 2001:db8:fedc:abcd::1/64

Stateless address configuration
auto eth0
iface eth0 inet6 auto

DHCPv6 client
auto eth0
iface eth0 inet6 dhcp

Configure DNS server (/etc/resolv.conf)
nameserver 2001:db8:c001::53a
nameserver 2001:db8:c001::53b
learn.afrinic.net | slide 149
Using privacy addresses

§ Recall: EUI-64 addresses facilitate host tracking
§ For privacy reasons, hosts can use random IIDs instead
§ Status of privacy extensions by OS
  § Windows Vista/7/8: enabled by default
  § OS X 10.8+: enabled by default
  § Linux: not enabled by default

learn.afrinic.net | slide 150


Enabling / disabling privacy addressing

Windows
C:\> netsh interface ipv6 set privacy state=enabled
C:\> netsh interface ipv6 set global randomizeidentifiers=enabled

Mac OS X (/etc/sysctl.conf)
net.inet6.ip6.use_tempaddr=1
net.inet6.ip6.temppltime=XX

Linux (/etc/sysctl.conf, or at runtime via /proc)
$ echo "1" > /proc/sys/net/ipv6/conf/default/use_tempaddr

learn.afrinic.net | slide 151


Configuring basic IPv6 on Cisco IOS

Enable IPv6 on an interface
(config-if)#ipv6 enable
Assign an IPv6 address with an automatic interface ID
(config-if)#ipv6 address <prefix/length> eui-64
Assign a static IPv6 address
(config-if)#ipv6 address <address/length> [link-local | anycast]
Enable IPv6 routing and CEF
(config)#ipv6 unicast-routing
(config)#ipv6 cef

learn.afrinic.net | slide 152


Configuring basic IPv6 on Junos

Enable IPv6 on an interface
# edit interfaces <interfacename> unit <unit_no>
Assign an IPv6 address with an automatic interface ID
# set family inet6 address <prefix/prefix-length> eui-64
Assign a static IPv6 address
# set family inet6 address <ipv6address/prefix-length>

learn.afrinic.net | slide 153


QUESTIONS & ANSWERS

Provisioning IPv6 Configuration
Section Objectives
⫞ Describe IPv6 parameter provisioning in IPv6
⫞ Describe, and verify how SLAAC works
⫞ Describe and verify how DHCPv6 works
⫞ Describe how DHCPv6-PD works
Base address provisioning requirements

① IPv6 address(es)
② IPv6 default router(s)
③ DNS server(s)
④ Delegated prefix(es)
learn.afrinic.net | slide 156
There’re 2 key provisioning mechanisms

[Figure]
§ RA-based (SLAAC): address, default gateway, DNS config.
§ DHCPv6: address, DNS config., delegated prefix, others

DNS via RAs was recently added; no global support yet

learn.afrinic.net | slide 157
Comparing the capabilities of the methods

Method            Addresses  Default gateway  DNS info.  Delegated prefix
SLAAC             Yes        Yes              No         No
Stateful DHCPv6   Yes        No               Yes        Yes
Stateless DHCPv6  No         No               Yes        No
RDNSS RA option   No         No               Yes        No

learn.afrinic.net | slide 158


Flags in RAs

In RA messages:
  M: Managed configuration
  O: Other configuration
In the Prefix Information option within an RA:
  L: On-Link
  A: Address configuration

learn.afrinic.net | slide 159
Use the ‘M’ & ‘A’ flags to determine how hosts get addresses

M  A  Resulting non-link-local addresses on the client
0  0  No addresses will be auto-configured
0  1  Address(es) generated from prefix(es) in RAs
1  1  Address(es) generated from prefix(es) in RAs, plus full address(es) from the DHCP server
1  0  Full address(es) from the DHCP server

§ The hosts must be set to obtain an IP address ‘automatically’
§ All hosts always generate and use a link-local address
learn.afrinic.net | slide 160
Use the ‘L’ flag to indicate on-link neighbours

L  How to treat other addresses in the prefix
1  On-link: transmit directly, no need for a router
0  Off-link: use the default gateway to get to them

§ Setting L = 0 enforces PVLAN-like behaviour on the subnet
§ There’s no way to indicate on-link status via DHCP
§ Hosts don’t perform L2 address resolution for off-link addresses
learn.afrinic.net | slide 161
Provisioning DNS information
§ Key DNS information required
1) One or more Recursive DNS Servers (RDNSS)
2) Domain Search List
§ If using DHCPv6
§ Configure the options on DHCP server
§ Set the ‘M’ flag to 1
§ If using SLAAC
§ Configure the options on the router
§ If client supports RFC 6106, it will get the DNS information
§ If client doesn’t support RFC 6106, set ‘O’ flag to 1

learn.afrinic.net | slide 162


Provisioning DNS information

[Figure: sources of the Recursive DNS Servers and Domain Search List]
§ From a DHCPv6 server: the RA carries M = 1 (stateful) or O = 1 (stateless) and the DHCPv6 client fetches the DNS information
§ From the first-hop router: the RA carries the DNS information (RFC 6106); a client with no RFC 6106 support falls back to the DHCPv6 client with O = 1

learn.afrinic.net | slide 163


How Stateless Address Auto-Configuration (SLAAC) works

[Figure: host and router 2001:db8:c001::1/64]
Host → RS
Router → RA
  [PIO] 2001:db8:c001::/64 {A=1}
  [RDNSO] 2001:db8:cafe::53
Result on host: address 2001:db8:c001:<EUI-64>/64, DNS 2001:db8:cafe::53

learn.afrinic.net | slide 164


How Stateless Address Auto-Configuration (SLAAC) works

① Host generates an interface ID and a link-local address
② Perform DAD on the generated address
③ Query all routers (via RS messages) for additional information
④ Routers respond with RAs which contain
§ Allocated prefixes for the subnet
§ Indication of whether the sending router can be used as a default router
§ DNS information (if RFC 6106 is supported)
⑤ For each prefix received,
§ Create an address by appending the IID
§ Configure the address on the interface
§ Perform DAD
⑥ Host builds its list of 'default routers' from the RAs.

learn.afrinic.net | slide 165
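The SLAAC steps above, together with the EUI-64 versus random IID point from the privacy addresses slide, as an added Python example rather than course code; the RA dictionaries and the MAC address it consumes are constructed inputs:

```python
"""Stateless address autoconfiguration: derive the interface ID (IID) from a
MAC address (modified EUI-64), form one address per advertised /64 prefix
with A=1, and build the default router list from router lifetimes.
Added example following RFC 4291 / RFC 4862; not code from the slides."""
import ipaddress
import secrets


def eui64_iid(mac):
    """Modified EUI-64: split the MAC, insert ff:fe, flip the universal/local bit."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    b[0] ^= 0x02                          # invert the U/L bit (RFC 4291, appendix A)
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def random_iid():
    """Privacy-style IID (RFC 4941 idea): 64 random bits with the U/L bit cleared.
    Unlike eui64_iid, a fresh value per prefix stops cross-network host tracking."""
    b = bytearray(secrets.token_bytes(8))
    b[0] &= 0xFD
    return bytes(b)


def make_address(prefix, iid):
    """Append a 64-bit IID to a /64 prefix; SLAAC only works with /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"{prefix}: SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def slaac(ras, mac):
    """Process RAs (constructed dicts, one per router) and return
    (addresses to configure, default router list).

    ra = {"router": <link-local>, "router_lifetime": secs,
          "prefixes": [{"prefix": "2001:db8:c001::/64", "A": True}, ...]}
    The returned addresses are tentative: DAD must pass before they are used.
    """
    iid = eui64_iid(mac)
    addrs, routers = [], []
    for ra in ras:
        if ra["router_lifetime"] > 0:     # lifetime 0: not a default router
            routers.append(ra["router"])
        for pio in ra["prefixes"]:
            if not pio.get("A"):
                continue                  # A=0: prefix not for autoconfiguration
            if ipaddress.IPv6Network(pio["prefix"], strict=False).prefixlen != 64:
                continue                  # A on a non-/64 prefix is ignored
            addr = str(make_address(pio["prefix"], iid))
            if addr not in addrs:
                addrs.append(addr)
    return addrs, routers
```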


Other quirks on the effect of flags

① Setting O when M is set is redundant
② In practice, differing DNS capabilities in clients might require you to use both
③ Setting both A = 0 and L = 0 for a prefix is meaningless
④ DHCPv6 doesn’t carry a prefix length, so you’ll need L = 1 to avoid PVLAN-like behaviour
⑤ SLAAC only works with /64, so there is no point setting A on longer prefixes

learn.afrinic.net | slide 166
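An added Python example (not course code) that decodes the M, O, L and A flags from the RFC 4861 wire format of an RA and its Prefix Information Options, derives the host behaviour given in the M/A and L flag tables, and reports the flag combinations the quirks above describe; build_ra only exists to construct a sample RA:

```python
"""Decode the M/O flags of an ICMPv6 Router Advertisement and the L/A flags of
each Prefix Information Option (PIO), then derive how a host configures itself.
Added example using the RFC 4861 wire layout; not code from the slides."""
import ipaddress
import struct

RA_M, RA_O = 0x80, 0x40       # RA flags byte: Managed, Other configuration
PIO_L, PIO_A = 0x80, 0x40     # PIO flags byte: on-Link, Autonomous (address config)


def build_ra(m, o, router_lifetime, prefixes):
    """Constructed RA body (checksum left 0); prefixes: [(prefix/len, L, A, valid, pref)]"""
    body = struct.pack("!BBHBBHII", 134, 0, 0, 64,
                       (RA_M if m else 0) | (RA_O if o else 0), router_lifetime, 0, 0)
    for pfx, l, a, valid, pref in prefixes:
        net = ipaddress.IPv6Network(pfx)
        body += struct.pack("!BBBBIII", 3, 4, net.prefixlen,    # option type 3, len 4*8
                            (PIO_L if l else 0) | (PIO_A if a else 0), valid, pref, 0)
        body += net.network_address.packed
    return body


def parse_ra(data):
    """RA header: type, code, checksum, hop limit, flags, router lifetime, reachable, retrans."""
    t, code, _, _, flags, lifetime, _, _ = struct.unpack_from("!BBHBBHII", data, 0)
    if t != 134 or code != 0:
        raise ValueError("not a Router Advertisement")
    prefixes, off = [], 16
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")          # RFC 4861: must discard
        if otype == 3 and olen == 4:
            plen, pflags = data[off + 2], data[off + 3]
            pfx = ipaddress.IPv6Address(data[off + 16:off + 32])
            prefixes.append({"prefix": f"{pfx}/{plen}", "L": bool(pflags & PIO_L),
                             "A": bool(pflags & PIO_A)})
        off += olen * 8
    return {"M": bool(flags & RA_M), "O": bool(flags & RA_O),
            "router_lifetime": lifetime, "prefixes": prefixes}


def host_behaviour(ra):
    """What a host does with the parsed RA, plus the quirks noted in the slides."""
    out = {"slaac": [], "dhcpv6_address": ra["M"], "dhcpv6_other": ra["M"] or ra["O"],
           "on_link": [], "warnings": []}
    if ra["M"] and ra["O"]:
        out["warnings"].append("O is redundant when M is set")
    for p in ra["prefixes"]:
        plen = int(p["prefix"].split("/")[1])
        if p["L"]:
            out["on_link"].append(p["prefix"])             # L=1: resolve L2 directly
        if p["A"] and plen == 64:
            out["slaac"].append(p["prefix"])               # A=1 on a /64: autoconfigure
        elif p["A"]:
            out["warnings"].append(f"{p['prefix']}: A set but SLAAC needs a /64")
        if not p["A"] and not p["L"]:
            out["warnings"].append(f"{p['prefix']}: A=0 and L=0 is meaningless")
    return out
```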


Configuring a Cisco router for SLAAC

(config)#interface fastethernet 0/1
(config-if)#ipv6 address 2001:db8:c001::1/64
(config-if)#ipv6 nd prefix 2001:db8:a::/64 no-advertise

learn.afrinic.net | slide 167


Quiz: visit j.mp/SLAAC-1

① What’s the MAC of the host which wants an address?
② What’s the MAC of the responding router?
③ What IPv6 prefix did the router offer the host?
④ How long are addresses obtained from this prefix valid?
⑤ Write down one possible IPv6 address the host can have

learn.afrinic.net | slide 168


How stateful DHCPv6 works (1/2)

[Figure: host, router and DHCPv6 server]
1 Host → [ND] RS
2 Router → [RA] with M = 1
3 Host → [DHCP6] Solicit, with Option Request Option
4 Server → [DHCP6] Advertise: 2001:db8:c001::face, {DNS} 2001:db8:cafe::53
learn.afrinic.net | slide 169
How stateful DHCPv6 works (2/2)

5 Host → [DHCP6] Request for 2001:db8:c001::face
6 Server → [DHCP6] Reply confirming 2001:db8:c001::face
Result on host: address 2001:db8:c001::face, DNS 2001:db8:cafe::53
learn.afrinic.net | slide 170
Pros & cons of stateful DHCPv6
§ Pros:
  § DHCP is a mature, familiar protocol
  § More options to control how addresses are allocated, e.g.
    § Restrict assignments to a small range of addresses
    § Map IP addresses to specific clients
  § Support for Dynamic DNS updates
  § Other parameters can be passed using options
  § Centralised accounting logs (troubleshooting and forensics)
§ Cons:
  § Some OSes don’t have built-in DHCPv6 clients (e.g. Android)
  § Cannot give a default gateway to clients
learn.afrinic.net | slide 171
Quiz: visit j.mp/DHCPv6-1

① What’s the IPv6 address of the DHCPv6 server?
② From what protocol & port was the request sent?
③ To what protocol & port was the request sent?
④ What is the client’s unique identifier for this session?
⑤ What parameters is the client requesting?
⑥ What IPv6 address did the server offer the host?
⑦ How long are addresses obtained from this prefix valid?
⑧ Write down the full DNS parameters offered to the client
learn.afrinic.net | slide 172
How stateless DHCPv6 works (1/2)

[Figure: host, router and DHCPv6 server]
1 Host → [ND] RS
2 Router → [RA] with O = 1 and [PIO] 2001:db8:c001::/64 {A=1}
3 Host configures address 2001:db8:c001:<EUI-64>/64 via SLAAC

learn.afrinic.net | slide 173
How stateless DHCPv6 works (2/2)

4 Host → [DHCP6] Solicit, with Option Request Option
5 Server → [DHCP6] Advertise: {DNS} 2001:db8:c001::53
6 Result on host: address 2001:db8:c001:<EUI-64>/64, DNS 2001:db8:c001::53

learn.afrinic.net | slide 174


Stateless DHCPv6 Pros and Cons
§ Advantages:
  § Support for SLAAC is ubiquitous.
  § Non-DHCPv6 hosts will still be able to get basic connectivity (the DNS resolvers can be manually configured)
  § Other options possible (e.g. NTP, NIS, SIP etc)
§ Disadvantages:
  § Zero control over how addresses are allocated
  § If using DDNS, permitting DDNS updates from all clients is insecure.
  § Privacy concerns if the EUI-64 method is used for the interface ID
  § No centralized log for forensics
learn.afrinic.net | slide 175
IOS examples on setting ‘M’ and ‘O’ flags

(config)#interface FastEthernet0/0
(config-if)#ipv6 address 2001:db8:c001::a/64
(config-if)#ipv6 nd managed-config-flag
(config-if)#ipv6 nd other-config-flag
(config-if)#ipv6 nd prefix default no-advertise

learn.afrinic.net | slide 176


Stateless DHCPv6 configuration example
(config)#ipv6 dhcp pool dhcp-pool
(config-dhcp)#dns-server 2001:db8:face::53
(config-dhcp)#domain-name 6lab.afrinic.net
(config-dhcp)#exit
(config)#interface fastethernet 0/1
(config-if)#ipv6 nd other-config-flag

learn.afrinic.net | slide 177


JUNOS examples on setting ‘M’ and ‘O’ flags
protocols {
    router-advertisement {
        interface ge-0/1/0.0 {
            managed-configuration;
            other-stateful-configuration;
            prefix 2001:db8:c001::/64 {
                no-autonomous;
            }
        }
    }
}
learn.afrinic.net | slide 178
Quiz: visit j.mp/SL-DHCPv6

① What’s the IPv6 address of the DHCPv6 server?
② To what L4 protocol & port was the request sent?
③ What is the client’s unique identifier for this session?
④ What parameters is the client requesting?
⑤ What IPv6 address did the router offer the host?
⑥ How long are addresses obtained from this prefix valid?
⑦ Write down the full DNS parameters offered to the client

learn.afrinic.net | slide 179


How DHCPv6 Prefix Delegation works (1/2)

[Figure: requesting router (CPE) and delegating router/DHCPv6 server]
1 Provision WAN address & DNS
2 CPE WAN side configured: address 2001:db8:face:<EUI-64>/64, DNS 2001:db8:c001::53
3 CPE → [DHCP6] Solicit, with option IA_PD
4 Server → [DHCP6] Advertise

learn.afrinic.net | slide 180
How DHCPv6 Prefix Delegation works (2/2)

5 CPE → [DHCP6] Request, with option IA_PD
6 Server → [DHCP6] Reply: {IA_PD} 2001:db8:dad:c000::/60
7 CPE now holds: address 2001:db8:face:<EUI-64>/64, DNS 2001:db8:c001::53, delegated prefix 2001:db8:dad:c000::/60

learn.afrinic.net | slide 181
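The Solicit/Reply exchange from the stateful DHCPv6 and prefix delegation slides, as an added Python example (not course code) that encodes and decodes the messages at option level; the DUID, transaction id and server values are constructed:

```python
"""Build a DHCPv6 Solicit carrying an Option Request Option (ORO) and an IA_PD,
and parse the server's Reply for DNS servers and the delegated prefix.
Added example using the RFC 3315 / RFC 3633 / RFC 3646 option layouts;
not code from the slides."""
import ipaddress
import struct

ALL_DHCP_SERVERS = "ff02::1:2"        # Solicit destination (link-scoped multicast)
CLIENT_PORT, SERVER_PORT = 546, 547   # UDP ports: client listens on 546, server on 547
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_ORO, OPT_DNS_SERVERS, OPT_IA_PD, OPT_IAPREFIX = 1, 6, 23, 25, 26


def option(code, payload):
    """option-code(2) option-len(2) option-data"""
    return struct.pack("!HH", code, len(payload)) + payload

def build_solicit(txid, duid, iaid, requested=(OPT_DNS_SERVERS,)):
    """Solicit = msg-type(1) + transaction-id(3) + options (client ID, ORO, IA_PD)."""
    opts = option(OPT_CLIENTID, duid)
    opts += option(OPT_ORO, b"".join(struct.pack("!H", c) for c in requested))
    opts += option(OPT_IA_PD, struct.pack("!III", iaid, 0, 0))  # T1=T2=0: server picks
    return struct.pack("!B", SOLICIT) + txid.to_bytes(3, "big") + opts

def iter_options(data):
    """Yield (code, value) for each TLV in a DHCPv6 option area."""
    off = 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, off)
        yield code, data[off + 4:off + 4 + length]
        off += 4 + length

def parse_reply(msg):
    """Return type, transaction id, DNS servers and (prefix, pref, valid) tuples."""
    out = {"type": msg[0], "txid": int.from_bytes(msg[1:4], "big"),
           "dns": [], "prefixes": []}
    for code, val in iter_options(msg[4:]):
        if code == OPT_DNS_SERVERS:                     # list of 16-byte addresses
            out["dns"] += [str(ipaddress.IPv6Address(val[i:i + 16]))
                           for i in range(0, len(val), 16)]
        elif code == OPT_IA_PD:                         # IAID(4) T1(4) T2(4) + sub-options
            for sub, sval in iter_options(val[12:]):
                if sub == OPT_IAPREFIX:                 # pref(4) valid(4) plen(1) prefix(16)
                    pref, valid, plen = struct.unpack_from("!IIB", sval, 0)
                    pfx = ipaddress.IPv6Address(sval[9:25])
                    out["prefixes"].append((f"{pfx}/{plen}", pref, valid))
    return out

def build_reply(txid, dns, prefixes, iaid=1, t1=600, t2=1800):
    """Constructed server Reply, as a DHCPv6-PD server would answer the Request."""
    opts = option(OPT_DNS_SERVERS, b"".join(ipaddress.IPv6Address(a).packed for a in dns))
    ia = struct.pack("!III", iaid, t1, t2)
    for pfx, pref, valid in prefixes:
        net = ipaddress.IPv6Network(pfx)
        ia += option(OPT_IAPREFIX, struct.pack("!IIB", pref, valid, net.prefixlen)
                     + net.network_address.packed)
    return struct.pack("!B", REPLY) + txid.to_bytes(3, "big") + opts + option(OPT_IA_PD, ia)
```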


Sample DHCPv6-PD configuration [Server]
(config)#ipv6 dhcp pool dhcpv6
(config-dhcp)#prefix-delegation pool v6pool lifetime 1800 600
(config-dhcp)#dns-server 2001:db8:face::53
(config-dhcp)#domain-name 6lab.afrinic.net
(config)#ipv6 local pool v6pool 2001:db8:c000::/40 48

(config-if)#ipv6 address 2010:db8:f00d::a/64
(config-if)#ipv6 dhcp server dhcpv6
learn.afrinic.net | slide 182
Sample DHCPv6-PD configuration [Client]

(config-if)#ipv6 address autoconfig default
(config-if)#ipv6 enable
(config-if)#ipv6 dhcp client pd DelegatedPrefix

learn.afrinic.net | slide 183


DHCPv4 vs DHCPv6 comparison

Use of ‘Managed Configuration’ flag
  DHCPv4: not applicable
  DHCPv6: used by the router to control host configuration
Source and destination addresses of the initial DHCP message
  DHCPv4: src 0.0.0.0, dst broadcast
  DHCPv6: src link-local address, dst ff02::1:2 (more efficient link utilization)
How the server identifies clients
  DHCPv4: MAC address
  DHCPv6: DHCP Unique Identifier (DUID)
Reconfiguration message
  DHCPv4: not applicable
  DHCPv6: servers can ask clients to update their configuration
Identity Association
  DHCPv4: not applicable
  DHCPv6: clients can deal with multiple servers (redundancy)
learn.afrinic.net | slide 184
Some DHCPv6 servers & their capabilities

Software   Some key options supported
ISC        DNS, NTP, NIS, SIP, Lifetime, Prefix Delegation, Relay IDs, FQDN
WIDE       DNS, NTP, NIS, SIP, Lifetime, Prefix delegation
Dibbler    DNS, NTP, NIS, SIP, Lifetime, Timezone, Prefix delegation, FQDN
Windows    DNS, NIS, SIP, NTP, Lifetime, User class
Cisco IOS  DNS, NTP, NIS, SIP, Lifetime, Relay IDs, Prefix Delegation

Source: http://ipv6int.net/software/index.html
learn.afrinic.net | slide 185
RADIUS & IPv6: how the pieces work

[Figure: CPE <-> NAS <-> RADIUS server]

learn.afrinic.net | slide 186


RADIUS attributes for IPv6 (per RFC 3162)

NAS-IPv6-Address     Address of the requesting NAS
Framed-Interface-Id  IID for the user
Framed-IPv6-Prefix   Delegated prefix for the user
Framed-IPv6-Route    Route for the user (configured on the NAS)
Login-IPv6-Host      System with which to connect the user
Framed-IPv6-Pool     Pool from which to assign the user prefix

learn.afrinic.net | slide 187


Which packets use what attributes?

Attribute            Access-Request  Access-Accept  Accounting-Request
NAS-IPv6-Address     0-1             0              0-1
Framed-Interface-Id  0-1             0-1            0-1
Framed-IPv6-Prefix   0+              0+             0+
Framed-IPv6-Route    0+              0+             0+
Login-IPv6-Host      0               0+             0+
Framed-IPv6-Pool     0               0-1            0-1

learn.afrinic.net | slide 188


Sample DHCPv6 with RADIUS (Cisco)
1/2: Configure DHCPv6 to use RADIUS for the pool

aaa authorization configuration IA_PD group radius
!
ipv6 dhcp pool PPP-Radius
 prefix-delegation aaa method-list IA_PD lifetime 7200 300
 dns-server 2001:db8:c001::53
 domain-name 6lab.afrinic.net

learn.afrinic.net | slide 189


Sample DHCPv6 with RADIUS (Cisco)
2/2: Configure virtual template interface

interface Virtual-Template01
ipv6 enable
ipv6 nd other-config-flag
no ipv6 nd ra suppress
ipv6 dhcp server PPP-Radius
learn.afrinic.net | slide 190
Sample RADIUS user definition (FreeRADIUS)

Client-777 Cleartext-Password := "Client-777"
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IPv6-Prefix = "2001:db8:f00d:100::/64",
    Delegated-IPv6-Prefix = "2001:db8:dead:bad0::/60"
learn.afrinic.net | slide 191
QUESTIONS & ANSWERS
