Omnisecu - Limitations of IPv4
The Internet Protocol Version 4 (IPv4) is defined by IETF RFC 791, which was published in 1981. The initial design of IPv4 did not anticipate the growth of the internet, and this created many issues which proved that IPv4 needed to change. The main limitations of IPv4 are listed below.
Scarcity of IPv4 Addresses: The IPv4 addressing system uses a 32-bit address space, which is further classified into the usable A, B, and C classes. A 32-bit address space allows for 4,294,967,296 IPv4 addresses, but past and current IPv4 address allocation practices limit the number of available public IPv4 addresses. Many addresses allocated to companies were never used, and this created a scarcity of IPv4 addresses.
Because of the scarcity of IPv4 addresses, many organizations implemented NAT (Network Address Translation) to map multiple private IPv4 addresses to a single public IPv4 address. By using NAT we can map many internal private IPv4 addresses to one public IPv4 address, which helps conserve IPv4 addresses. But NAT also has many limitations. NAT does not support network layer security standards, and it does not support the mapping of all upper layer protocols. NAT can also create network problems when two organizations which use the same private IPv4 address ranges communicate. More servers, workstations and devices connected to the internet also demand more addresses, and current statistics show that the public IPv4 address space will be depleted soon. The scarcity of IPv4 addresses is a major limitation of the IPv4 addressing system.
Security Related Issues: As discussed before, RFC 791 (IPv4) was published in 1981, and the current network security threats were not anticipated at that time. Internet Protocol Security (IPSec) is a protocol suite which enables network security by protecting the data being sent from being viewed or modified. IPSec provides security for IPv4 packets, but in IPv4 IPSec is not built in and is optional. Many IPSec implementations are proprietary.
Address configuration related issues: Networks and the internet are expanding, and many new computers and devices are using IP. The configuration of IP addresses (static or dynamic) should be simple.
Quality of Service (QoS): Quality of Service (QoS) is available in IPv4, and it relies on the 8 bits of the IPv4 Type of Service (TOS) field and on the identification of the payload. The IPv4 TOS field has limited functionality, and payload identification (using a TCP or UDP port) is not possible when the IPv4 datagram payload is encrypted.
Omnisecu - IPv6 History and related RFCs
IPv4 was first developed in the 1970s, and the RFC 791 (IPv4) specification was published in 1981. Because of the rapid expansion of the internet, the IPv4 address space has been consumed steadily since the 1990s.
The Internet Engineering Task Force (IETF) started working in 1994 on a new protocol which is going to replace IPv4.
Following are the major RFCs related to IPv6, which will replace IPv4 in the near future.
The Recommendation for the IP Next Generation Protocol (RFC 1752) was published in 1995.
IPv6 Address Allocation Management (RFC 1881) was published in 1995.
A Compact Representation of IPv6 Addresses (RFC 1924) was published in 1996.
RIPng for IPv6 (RFC 2080) was published in January 1997.
Internet Protocol, Version 6 (IPv6) Specification (RFC 2460) was published in December 1998.
Basic Socket Interface Extensions for IPv6 (RFC 2553) was published in March 1999.
Dynamic Host Configuration Protocol for IPv6 (DHCPv6) (RFC 3315) was published in July 2003.
IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6 (RFC 3633) was published in 2003. RFC 3633 was later updated by RFC 6603 in 2012.
Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6 (RFC 3736) was published in April 2004.
Deprecating Site Local Addresses (RFC 3879) was published in September 2004.
Mobility Support in IPv6 (RFC 3775) was published in June 2004.
IPv6 Flow Label Specification (RFC 3697) was published in March 2004.
Unique Local IPv6 Unicast Addresses (RFC 4193) was published in October 2005.
IP Version 6 Addressing Architecture (RFC 4291) was published in February 2006.
IPv6 Node Requirements (RFC 4294) was published in April 2006.
Multiprotocol Extensions for BGP-4 (RFC 4760) was published in January 2007.
Neighbor Discovery for IP version 6 (RFC 4861) was published in September 2007.
Privacy Extensions for Stateless Address Autoconfiguration in IPv6 (RFC 4941) was published in September 2007.
OSPF for IPv6 (RFC 5340) was published in July 2008.
PENDING
Integrated Internet Protocol Security (IPSec): Internet Protocol Security (IPSec) is a set of Internet standards that uses cryptographic security services to provide confidentiality, authentication and data integrity. Support for IPSec was optional in IPv4. In IPv6, IPSec is an integral part of the base protocol suite, and IPSec support is mandatory in IPv6.
Neighbor Discovery Protocol: The Neighbor Discovery Protocol (NDP) is a protocol available in IPv6. NDP is based on Internet Control Message Protocol Version 6 (ICMPv6) messages that manage the interaction between nodes on the same link. There is no Address Resolution Protocol (ARP) for IPv6; the role of ARP is taken over by NDP.
Extensibility: The features of IPv6 can be extended by adding extension headers after the IPv6 header. The size of the IPv6 extension headers is constrained only by the size of the IPv6 datagram packet, unlike the 40 bytes of options in IPv4.
Jumbograms: Jumbograms are an optional feature of IPv6. Jumbograms allow packets with payloads of up to 2^32 - 1 (4,294,967,295) bytes by making use of a 32-bit length field.
IPv6
IPv6 addresses are 128 bit length.
IPv6 addresses are binary numbers represented in hexadecimals.
Inbuilt IPSec support.
Fragmentation is done only by sender.
PENDING
IPv4
No packet flow identification.
PENDING
Checksum field is available in IPv4 header.
Options fields are available in IPv4 header.
PENDING
Manual configuration (Static) of IPv4 addresses or DHCP (Dynamic configuration) is required to configure IPv4 addresses.
As you can see from the above picture, different data streams are created for different clients in the IPv6 Unicast type of communication.
What is Multicast?
Multicast is a type of communication where the multicast traffic is addressed to a group of devices on the network. IPv6 multicast traffic is sent to a group, and only the members of that group receive the multicast traffic.
Devices which are interested in a particular multicast traffic must join that multicast group to receive the traffic. IPv6 multicast groups are identified by IPv6 multicast addresses.
In multicast, the sender transmits only one copy of the data, and it is delivered to the many devices (not all devices, as in IPv4 broadcast) which are interested in that traffic.
As you can see from the above picture, when multiple clients require the same data at the same instant (for example, online TV) we can use multicast instead of unicast. The multicast server generates only one stream of data, and that stream is replicated to the different devices which are interested in that data traffic.
Multicast communication can save precious network bandwidth and also network device processor utilization. Refer to the link below to know more about IPv6 multicast addresses.
What is Anycast?
Anycast is a type of IPv6 network communication in which IPv6 datagrams from a source are routed to the nearest device (in terms of routing distance) from a group of servers which provide the same service. Every node which provides the same service is configured with the same Anycast destination address.
PENDING
IPv6 Datagram Packet Structure
IPv6 has a much simpler packet header compared with IPv4, since it includes only the information needed for forwarding the IP datagram. IPv6 has a fixed length header of 40 bytes. The fixed length IPv6 header allows routers to process IPv6 datagram packets more efficiently. The following figure shows the structure of an IPv6 datagram packet.
Extension Header
An IPv6 datagram packet can also carry extension headers of varying lengths. If extension headers are present in the IPv6 datagram packet, the Next Header field in the IPv6 header points to the first extension header. Each extension header contains another Next Header field, pointing to the next extension header. The last extension header in the IPv6 datagram packet points to the upper layer protocol header (Transmission Control Protocol (TCP), User Datagram Protocol (UDP), or Internet Control Message Protocol (ICMPv6)). There is
Version: The size of the Version field is 4 bits. The Version field shows the version of IP and is set to 6.
Traffic Class: The size of the Traffic Class field is 8 bits. The Traffic Class field is similar to the IPv4 Type of Service (ToS) field. The Traffic Class field indicates the class or priority of the IPv6 packet.
Flow Label: The size of the Flow Label field is 20 bits. The Flow Label field provides additional support for real-time datagram delivery and quality of service features. The purpose of the Flow Label field is to indicate that this packet belongs to a specific sequence of packets between a source and a destination, and it can be used to prioritize the delivery of packets for services like voice.
Payload Length: The size of the Payload Length field is 16 bits. The Payload Length field shows the length of the IPv6 payload, including the extension headers and the upper layer protocol data.
Next Header: The size of the Next Header field is 8 bits. The Next Header field shows either the type of the first extension header (if any extension header is present) or the upper layer protocol, such as TCP, UDP, or ICMPv6.
Hop Limit: The size of the Hop Limit field is 8 bits. The Hop Limit field shows the maximum number of routers the IPv6 packet can travel through. The Hop Limit field is similar to the IPv4 Time to Live (TTL) field.
This field is typically used by distance vector routing protocols, like Routing Information Protocol (RIP), to prevent layer 3 loops (routing loops).
Source Address: The size of the Source Address field is 128 bits. The Source Address field shows the IPv6 address of the source of the packet.
Destination Address: The size of the Destination Address field is 128 bits. The Destination Address field shows the IPv6 address of the destination of the packet.
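The following Python is an added example, not part of the Omnisecu lesson. It parses the fixed 40-byte IPv6 header field by field using the sizes listed above, and then follows the Next Header chain through any extension headers until it reaches the upper layer protocol (TCP, UDP or ICMPv6). The packet it parses is constructed inline (a made-up Hop-by-Hop Options header followed by a UDP header); the extension header protocol numbers and the length rules for each header type are taken from the IPv6 specification (RFC 2460) and the IANA protocol numbers registry, not from this page. The bounds checks matter in practice: a Payload Length or Hdr Ext Len value that the parser trusts blindly would let a malformed packet make it read past the end of the buffer.

```python
import ipaddress
import struct

# Protocol numbers of the IPv6 extension headers and of the upper layer
# protocols named in the lesson (IANA protocol numbers registry).
EXTENSION_HEADERS = {
    0: "Hop-by-Hop Options",
    43: "Routing",
    44: "Fragment",
    51: "Authentication Header",
    60: "Destination Options",
}
UPPER_LAYER = {6: "TCP", 17: "UDP", 58: "ICMPv6"}
IPV6_HEADER_LEN = 40


def parse_fixed_header(pkt: bytes) -> dict:
    """Split the 40-byte fixed IPv6 header into its eight fields."""
    if len(pkt) < IPV6_HEADER_LEN:
        raise ValueError("packet shorter than the 40-byte IPv6 header")
    # First 32 bits: Version (4) | Traffic Class (8) | Flow Label (20);
    # then Payload Length (16), Next Header (8), Hop Limit (8).
    first_word, payload_length, next_header, hop_limit = struct.unpack("!IHBB", pkt[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"Version field is {version}, expected 6")
    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_length,
        "next_header": next_header,
        "hop_limit": hop_limit,
        "source": ipaddress.IPv6Address(pkt[8:24]),
        "destination": ipaddress.IPv6Address(pkt[24:40]),
    }


def extension_header_length(proto: int, hdr_ext_len: int) -> int:
    """Byte length of an extension header, derived from its Hdr Ext Len octet."""
    if proto == 44:                  # Fragment header is always 8 bytes
        return 8
    if proto == 51:                  # AH: length in 4-octet units, minus 2
        return (hdr_ext_len + 2) * 4
    return (hdr_ext_len + 1) * 8     # others: 8-octet units, not counting the first 8


def walk_extension_headers(pkt: bytes) -> tuple:
    """Follow the Next Header chain.

    Returns (list of extension header names, upper layer name, offset of the
    upper layer header). Raises ValueError if any length runs off the packet.
    """
    hdr = parse_fixed_header(pkt)
    end = IPV6_HEADER_LEN + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("Payload Length claims more bytes than the packet carries")
    proto, offset, chain = hdr["next_header"], IPV6_HEADER_LEN, []
    while proto in EXTENSION_HEADERS:
        if offset + 2 > end:
            raise ValueError("truncated extension header")
        next_proto, hdr_ext_len = pkt[offset], pkt[offset + 1]
        length = extension_header_length(proto, hdr_ext_len)
        if offset + length > end:
            raise ValueError(f"{EXTENSION_HEADERS[proto]} header runs past the payload")
        chain.append(EXTENSION_HEADERS[proto])
        proto, offset = next_proto, offset + length
    return chain, UPPER_LAYER.get(proto, f"protocol {proto}"), offset


def is_well_formed(pkt: bytes) -> bool:
    """True if the whole header chain parses without running off the packet."""
    try:
        walk_extension_headers(pkt)
        return True
    except ValueError:
        return False


def build_sample_packet() -> bytes:
    """Constructed sample (not a capture): IPv6 header + Hop-by-Hop Options + UDP header."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    # Hop-by-Hop: Next Header = 17 (UDP), Hdr Ext Len = 0 (8 bytes total),
    # a PadN option (type 1, length 4) fills the remaining six bytes.
    hop_by_hop = bytes([17, 0, 1, 4, 0, 0, 0, 0])
    udp = struct.pack("!HHHH", 5000, 53, 8, 0)      # ports, length, checksum left zero
    payload_length = len(hop_by_hop) + len(udp)
    first_word = (6 << 28) | (0 << 20) | 0x12345     # Version 6, Traffic Class 0, Flow Label 0x12345
    fixed = struct.pack("!IHBB", first_word, payload_length, 0, 64) + src + dst
    return fixed + hop_by_hop + udp


SAMPLE_PACKET = build_sample_packet()

if __name__ == "__main__":
    print(parse_fixed_header(SAMPLE_PACKET))
    chain, upper, offset = walk_extension_headers(SAMPLE_PACKET)
    print(f"extension headers: {chain}, upper layer: {upper} at byte offset {offset}")
```

Running the block prints the parsed fields of the constructed packet and reports one Hop-by-Hop Options header before UDP at offset 48. Cutting the sample short (for example the first 44 bytes) makes is_well_formed return False, because the Payload Length of 16 promises more bytes than are present.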
three bits are reserved as "001" for Global Unicast IPv6 addresses, the range of Global Unicast Addresses available now is from 2000 to 3FFF, as shown below.
In binaries: 0010000000000000 to 0011111111111111
In hexadecimals: 2000 to 3FFF
Global Unicast Address prefixes: The prefix is the part of the IPv6 address that indicates the network. Prefixes for IPv6 routes and subnet identifiers are similar to Classless Inter-Domain Routing (CIDR) notation for IPv4. For the IPv4 network 172.16.0.0 255.255.0.0, we can consider 172.16/16 as the prefix.
Consider an IPv6 example. 21DA:D3::/48 (the first three fixed bits 001 and the remaining 45 bits, 45+3 = 48 bits) is a route prefix, and 21DA:D3:0:2F3B::/64 is a subnet prefix. Here the fourth part of the IPv6 address, "2F3B", is the subnet part.
This means that currently the first 48 bits of an IPv6 address are used to identify the network globally. The next 16 bits are used for subnetting (which makes 48+16=64 bits of network part), and the remaining 64 bits are used for identifying the hosts (host part), specifically an interface of a specific host!
All addresses that are not the unspecified, loopback, link-local, or multicast addresses are unicast and anycast addresses. Currently IANA has assigned only 2000::/3 addresses (IPv6 addresses starting from 2000 to 3FFF) to the global pool. Check the IANA link below to get more information about IANA IPv6 address allocation.
To explain it more clearly, a 128 bit IPv6 global unicast address has two 64-bit parts. The leftmost 64 bits define the globally unique prefix. In the leftmost 64 bits, the first 48 bits are assigned by the ISP to the organization, and the remaining 16 bits can be used by the organization for subnetting. By using 16 bits for subnetting, we get 65536 subnets (2^16). The remaining 64 bits on the right side of the 128 bit IPv6 address are used to identify the hosts in the subnet.
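The 48/16/64 split described above, written out in code as an added example (not from the Omnisecu lesson). The functions check that an address really sits in the 2000::/3 pool (leading bits 001) before splitting it into the route prefix, the 16-bit subnet ID and the 64-bit interface ID. The route prefix length is a parameter defaulting to the /48 the lesson assumes, so the same code handles an ISP assignment of a different size. The host address 21DA:D3:0:2F3B::1 used in the usage is constructed from the lesson's subnet prefix 21DA:D3:0:2F3B::/64.

```python
import ipaddress

# IANA global unicast pool named in the lesson: 2000::/3, i.e. leading bits 001.
GLOBAL_UNICAST_POOL = ipaddress.IPv6Network("2000::/3")


def leading_bits(addr: str, count: int = 3) -> str:
    """The first `count` bits of the address as a bit string, e.g. '001'."""
    return format(int(ipaddress.IPv6Address(addr)), "0128b")[:count]


def is_global_unicast(addr: str) -> bool:
    """True if the address lies in 2000::/3 (first three bits 001)."""
    return ipaddress.IPv6Address(addr) in GLOBAL_UNICAST_POOL


def split_global_unicast(addr: str, route_prefix_len: int = 48) -> dict:
    """Split a global unicast address into route prefix, subnet prefix, subnet ID and interface ID.

    Defaults follow the lesson: a /48 route prefix from the ISP, 16 bits of
    subnetting, and a 64-bit interface ID. Any route prefix up to /64 works.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in GLOBAL_UNICAST_POOL:
        raise ValueError(f"{addr} is not in the global unicast pool {GLOBAL_UNICAST_POOL}")
    if not 0 < route_prefix_len <= 64:
        raise ValueError("route prefix must be between 1 and 64 bits")
    n = int(a)
    subnet_bits = 64 - route_prefix_len                  # bits left for the organization
    route_shift = 128 - route_prefix_len
    route_prefix = ipaddress.IPv6Network(((n >> route_shift) << route_shift, route_prefix_len))
    subnet_prefix = ipaddress.IPv6Network(((n >> 64) << 64, 64))
    subnet_id = (n >> 64) & ((1 << subnet_bits) - 1)     # the "2F3B" part in the lesson
    interface_id = n & ((1 << 64) - 1)                   # rightmost 64 bits: the host part
    return {
        "route_prefix": str(route_prefix),
        "subnet_prefix": str(subnet_prefix),
        "subnet_id": f"{subnet_id:0{(subnet_bits + 3) // 4}X}",
        "subnet_count": 1 << subnet_bits,
        "interface_id": f"{interface_id:016X}",
    }


if __name__ == "__main__":
    # Constructed host inside the lesson's subnet prefix 21DA:D3:0:2F3B::/64.
    for key, value in split_global_unicast("21DA:D3:0:2F3B::1").items():
        print(f"{key:>15}: {value}")
    print("leading bits of 2001:db8::1 :", leading_bits("2001:db8::1"))
    print("fe80::1 is global unicast?  :", is_global_unicast("fe80::1"))
```

For 21DA:D3:0:2F3B::1 the result is route prefix 21da:d3::/48, subnet prefix 21da:d3:0:2f3b::/64, subnet ID 2F3B, 65536 possible subnets and interface ID 0000000000000001. A link-local address such as fe80::1 is rejected before any splitting, since its leading bits are 111, not 001.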
Omnisecu - Different methods to assign a Global Unicast IPv6 address to an
interface
In IPv6, a network interface must be configured with the following important IPv6 configuration settings for internet communication.
A Global Unicast IPv6 Address
IPv6 Address Prefix
IPv6 Address Prefix length
Default Router IPv6 address
DNS Server IPv6 address
In IPv6, we have different methods to assign an IPv6 Global Unicast Address to a network interface. We can assign a Global Unicast IPv6 Address to a network interface using the following methods.
Configuring IPv6 Global Unicast Address using Stateful DHCPv6
Similar to DHCP in IPv4, IPv6 network interfaces can also be configured with an IPv6 address, prefix length, IPv6 address of the default gateway, and DNS IPv6 address using IPv6 stateful DHCP.
Some important differences between DHCPv4 and DHCPv6 are:
1) In IPv4 DHCP, the DHCP client uses the limited broadcast IPv4 address (255.255.255.255) to discover the DHCP server. DHCPv6 clients use the IPv6 DHCP servers and relay agents multicast address (ff02::1:2) to discover the DHCP server.
2) IPv4 DHCP provides the default router information to the DHCP clients. DHCPv6 does not provide the default router information; DHCPv6 relies on NDP (Neighbor Discovery Protocol) messages between DHCPv6 clients and routers.
Note that there are changes in names and formats between DHCPv4 messages and DHCPv6 messages, but the basic process of leasing an IP address remains the same.
Configuring IPv6 Global Unicast Address using Stateless Autoconfiguration
IPv6 has a new address configuration feature called Stateless Autoconfiguration. IPv6 Stateless Autoconfiguration allows a network interface to automatically learn the IPv6 network prefix, IPv6 prefix length, default router IPv6 address and DNSv6 server addresses. There are different processes to obtain the above mentioned TCP/IPv6 configuration parameters.
IPv6 uses the Router Solicitation and Router Advertisement messages to learn the IPv6 network prefix, IPv6 prefix length and default router IPv6 address from the network routers. After obtaining these from the network routers, IPv6 network interfaces can automatically derive a Global Unicast IPv6 Address using the EUI-64 method. IPv6 can use Stateless DHCPv6 to learn the DNS
Omnisecu - What are IEEE EUI-64 based Global Unicast IPv6 addresses
When an interface generates an autoconfigured Global Unicast IPv6 Address, there should be some mechanism to guarantee the uniqueness of the autoconfigured address.
IPv6 has a method (as defined in RFC 4291) to generate the 64 bit interface part (host part) of the Global Unicast IPv6 Address from the interface MAC address. MAC addresses are considered globally unique, and therefore the IPv6 address derived from the MAC address should also be globally unique. The EUI-64 method of generating a Global Unicast IPv6 Address involves taking the 6 byte (48 bit) interface MAC address and expanding it into a 64 bit interface part (host part).
EUI Extended Unique Identifier [Wiki Organizationally Unique Identifier]
To make a Global Unicast IPv6 Address unique, IPv6 inserts 2 bytes (16 bits) into the middle of the MAC address. The 48 bit MAC address is divided into two 3 byte parts, and the binary number 1111111111111110 (0xFFFE in hexadecimal) is inserted between them to make a complete 64 bits.
Also, the 7th bit (from left) in the MAC address is flipped. This means that if the 7th bit (from left) in the MAC address is 1, it is changed to 0, and if it is 0, it is changed to 1.
The 7th bit (from left) in the MAC address is called the Universal/Local (U/L) bit. The U/L bit is used to indicate whether the address is universally assigned or locally assigned. A U/L bit set to 0 means that it is an IEEE assigned MAC address. A U/L bit set to 1 means that the MAC address is locally assigned.
7th Bit dejavu - Todd Lammle CCNA sixth edition, 1st or 2nd chapter
The reason behind flipping the Universal/Local (U/L) bit is better compressibility of IPv6 addresses.
Refer to the screenshot given below.
MAC address: 00:AB:29:8C:3E:00
MAC address with FF:FE inserted: 00:AB:29:FF:FE:8C:3E:00
64 bit host part (in hexadecimals): 00AB:29FF:FE8C:3E00
64 bit host part (in binaries): 0000000010101011:0010100111111111:1111111010001100:0011111000000000
64 bit host part (in binaries, 7th bit flipped): 0000001010101011:0010100111111111:1111111010001100:0011111000000000
After configuring the IPv6 address, you can view the interface status using the Cisco IOS show command "show ipv6 interface brief" as shown below.
OmniSecuR1#show ipv6 interface brief
FastEthernet0/0            [up/up]
    FE80::C800:DFF:FE80:8
    2001:DB8:AAAA:1::1
FastEthernet0/1            [administratively down/down]
    unassigned
Serial1/0                  [administratively down/down]
    unassigned
Serial1/1                  [administratively down/down]
    unassigned
Serial1/2                  [administratively down/down]
    unassigned
Serial1/3                  [administratively down/down]
    unassigned
After configuring the EUI-64 based Global Unicast IPv6 address, you can view the
interface status using the Cisco IOS show command "show ipv6 interface brief" as shown
below.
OmniSecuR1#show ipv6 interface brief
FastEthernet0/0            [up/up]
    FE80::C800:CFF:FEF0:8
    2001:DB8:AAAA:1:C800:CFF:FEF0:8
FastEthernet0/1            [administratively down/down]
The MAC address of the interface is "ca00.0cf0.0008". Visit the following lesson, EUI-64 based Global Unicast IPv6, and calculate yourself how the IPv6 address 2001:DB8:AAAA:1:C800:CFF:FEF0:8 is autoconfigured.
Flipping the seventh bit: xxxx1010 (xxxxA) becomes xxxx1000 (xxxx8).
Omnisecu - Link Local IPv6 Addresses, How Link Local IPv6 addresses are generated
IPv6 addresses starting with FE80 in hexadecimal represent link local IPv6 addresses. Link-local addresses cannot be routed to public networks and are limited to the local network. Link-local addresses are auto-configured (auto-generated, plug-and-play) stateless addresses, similar to IPv4 APIPA addresses (169.254.0.0/16). Typically, getting an APIPA IPv4 address in an IPv4 network is the result of some network error, but link local addresses are IPv6 addresses which are intended for local communication. A link-local address is for use on a single link and should never be routed.
IPv6 Link Local addresses are identified among IPv6 addresses by reserving the leftmost 64 bits as 1111111010000000 0000000000000000 0000000000000000 0000000000000000 (1111=F, 1110=E, 1000=8, 0000=0, which translates to FE80 in hexadecimal). IPv6 Link Local addresses are used by devices for communicating with other nodes on the same link. The scope of an IPv6 Link Local address is the local link. IPv6 Link Local addresses are auto-generated, and many international technology leaders generate IPv6 Link Local addresses from the MAC address of the interface.
View the following output of the show command "show ipv6 interface gigabitEthernet 0/0" on a Cisco router.
OmniSecuR1#show ipv6 interface gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C800:EFF:FE74:8
  No Virtual link-local address(es):
  Global unicast address(es):
    2001:4AF1::28, subnet is 2001:4AF1::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::1:FF00:28
    FF02::1:FF74:8
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 26049)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
The output shows the IPv6 Link Local address FE80::C800:EFF:FE74:8 for interface gigabitEthernet 0/0. How is this IPv6 Link Local address, FE80::C800:EFF:FE74:8, auto-generated by the router? Read below.
We already know that the first 64 binary bits of IPv6 Link Local addresses are reserved as 1111111010000000 0000000000000000 0000000000000000 0000000000000000 (FE80::/64 in hexadecimal is the link local IPv6 address prefix).
Next, view the interface information of the same interface mentioned above using the
IOS command "show interfaces gigabitEthernet 0/0". The MAC address of interface
gigabitEthernet 0/0 is ca00.0e74.0008.
OmniSecuR1#show interfaces gigabitEthernet 0/0
GigabitEthernet0/0 is up, line protocol is up
  Hardware is i82543 (Livengood), address is ca00.0e74.0008 (bia ca00.0e74.0008)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
<output omitted>
Now we have the IPv6 Link local address of interface gigabitEthernet 0/0 as FE80::C800:EFF:FE74:8 and its MAC address as ca00.0e74.0008.
IPv6 Link Local addresses are made from the first 64-bit reservation (FE80::/64), and the remaining bits are taken from the MAC address of the interface. But MAC addresses are 48 bit numbers. 64+48 is only 112 bits, and IPv6 addresses are 128 bits in length. What about the remaining 16 bits (128-112=16)?
The answer is that the hexadecimal number "FF:FE" is inserted in the middle of the MAC address of the related interface to form the complete 128 bit IPv6 Link Local address. Also, the 7th bit (from left) in the MAC address is flipped, which means that if the 7th bit (from left) in the MAC address is 1, it is changed to 0, and if it is 0, it is changed to 1. Refer to the following table.
MAC Address: CA00.0E74.0008
MAC Address (FF:FE added to make it a 64 bit Host Part): CA00.0EFF:FE74.0008
64 bit Host Part: CA00.0EFF:FE74.0008
64 bit Host Part (in binaries): 1100101000000000:0000111011111111:1111111001110100:0000000000001000
64 bit Host Part (in binaries, 7th bit flipped): 1100100000000000:0000111011111111:1111111001110100:0000000000001000
64 bit Host Part (in hexadecimals, 7th bit flipped): C800:0EFF:FE74:0008
IPv6 Link local address (combining the Link local IPv6 address prefix FE80:0000:0000:0000 with the derived host part): FE80:0000:0000:0000:C800:0EFF:FE74:0008
The IPv6 Link local address we got by combining the FE80::/64 prefix and the MAC address part can be further simplified as FE80::C800:EFF:FE74:8.
Note that I have noticed that, by default, some Microsoft Operating Systems do not follow the above method for auto-generating IPv6 Link Local addresses (for network security). Cisco IOS, GNU/Linux Operating Systems and Unix Operating Systems follow the above method by default for auto-generating IPv6 Link Local addresses.
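The modified EUI-64 procedure from the two lessons above (the EUI-64 based Global Unicast section and this Link Local section), as an added example that is not part of the Omnisecu notes: insert FFFE between the two halves of the MAC address, flip the U/L bit (the 7th bit from the left), and prepend a /64 prefix. The same code reproduces all three MAC addresses on the page: 00:AB:29:8C:3E:00 from the screenshot, ca00.0cf0.0008 behind 2001:DB8:AAAA:1:C800:CFF:FEF0:8, and ca00.0e74.0008 behind FE80::C800:EFF:FE74:8. It also derives the solicited-node multicast groups (FF02::1:FFxx:xxxx, last 24 bits of the unicast address, per RFC 4291) that appear in the "Joined group address(es)" list of the show output, which is how NDP reaches a node whose address it is resolving. The MAC-derived interface ID is the reason the note about Microsoft matters: because it embeds the hardware address and stays constant across networks, it lets a host be tracked, and RFC 4941 privacy extensions (listed in the RFC history above) replace it with a randomised interface ID.

```python
import ipaddress
import re

# FF02::1:FF00:0/104: the solicited-node multicast prefix (RFC 4291).
SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def mac_to_bytes(mac: str) -> bytes:
    """Accept Cisco dotted (ca00.0e74.0008), colon or dash notation; return the 6 raw bytes."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    return bytes.fromhex(digits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface ID: FFFE inserted in the middle, U/L bit flipped."""
    b = bytearray(mac_to_bytes(mac))
    b[0] ^= 0x02                         # 7th bit from the left of the first byte is the U/L bit
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def interface_id_hex(mac: str) -> str:
    """Interface ID as four hextets, e.g. '02AB:29FF:FE8C:3E00' for 00:AB:29:8C:3E:00."""
    h = eui64_interface_id(mac).hex().upper()
    return ":".join(h[i:i + 4] for i in range(0, 16, 4))


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 prefix with the EUI-64 interface ID; returns the compressed upper-case form."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid)).upper()


def link_local_address(mac: str) -> str:
    """Link local address: the FE80::/64 prefix plus the EUI-64 interface ID."""
    return eui64_address("FE80::/64", mac)


def solicited_node_multicast(addr: str) -> str:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24)).upper()


if __name__ == "__main__":
    # The three MAC addresses used in the lessons.
    print(interface_id_hex("00:AB:29:8C:3E:00"))
    print(eui64_address("2001:DB8:AAAA:1::/64", "ca00.0cf0.0008"))
    ll = link_local_address("ca00.0e74.0008")
    print(ll, "->", solicited_node_multicast(ll))
    print("2001:4AF1::28", "->", solicited_node_multicast("2001:4AF1::28"))
```

Running it prints 02AB:29FF:FE8C:3E00 for the screenshot MAC, 2001:DB8:AAAA:1:C800:CFF:FEF0:8 for the FastEthernet0/0 example, and FE80::C800:EFF:FE74:8 for GigabitEthernet0/0 together with its solicited-node group FF02::1:FF74:8; the global address 2001:4AF1::28 maps to FF02::1:FF00:28, matching the two solicited-node entries in the "show ipv6 interface" output.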