Академический Документы
Профессиональный Документы
Культура Документы
Training Course
January 2016
Schedule
09:00 - 09:30
Coffee, Tea
11:00 - 11:15
Break
13:00 - 14:00
Lunch
15:30 - 15:45
Break
17:30
End
Introductions
Name
Number in the list
Experience with IPv6, Cisco, OSPF, BGP
Goals
Overview Day 1
IPv6 Packets
IPv6 Routing Basics
Exercise: Enable IPv6
OSPFv3
Exercise: Configuring OSPFv3
BGP
Exercise: Configuring BGP
Content
4
Overview Day 2
Mobile Providers
Exercise: SLAAC
DHCPv6
Exercise: DHCPv6
Security
Exercise: 6rd
IP Address Management
Tips & Tricks
5
IPv6 Packets
1 - Section
Fixed length
- Optional headers are daisy-chained
IPv6 Header
IPv6 Header
IPv4 Header
Version
Type of
Service
IHL
Identification
Time to Live
Total Length
Flags
Protocol
Fragment Oset
Version
Trac Class
Payload Length
Flow Label
Next Header
Hop Limit
Header Checksum
Source Address
Source Address
Destination Address
Options
LEGEND
Padding
Destination Address
IPv6 Header
TCP Header
Data
IPv6 Header
Routing Header
NextHeader:
Header:TCP
TCP
Next Header: Routing Next
IPv6 Header
Routing Header
TCP Header
Fragment Header
Next Header: TCP
Data
TCP Header
Data
Common Headers
- 6
TCP (payload)
- 17
UDP (payload)
- 43
Routing (extension)
- 44
Fragmentation (extension)
- 50
- 58
ICMPv6
10
Fragmentation
11
MTU
1500
MTU
1492
MTU
1280
MTU
1500
Web Server
12
Ordering of Headers
Order is important:
- Only hop-by-hop header has to be processed by every
node
- Routing header needs to be processed by every router
- Fragmentation has to be processed before others at the
destination
13
Broadcast
Disadvantages of broadcast:
- It wakes up all nodes
- Only a few devices are involved
- Can create broadcast storms
14
Neighbor Discovery
15
Neighbor Discovery
ND is used by nodes:
- For address resolution
- To find neigboring routes
- To track address changes
- To check neighbor reachability
- To do Duplicate Address Detection
Router Solicitation
- When an interface becomes active, the host will send out
Router Solicitations that request routers to send out a
Router Advertisement immediately
Is there a router?
17
Router Advertisement
- Routers advertise their presence periodically or in response
to a Router Solicitation message
- Has a lot of important information for the host
Yes, I am here!
18
Neighbor Solicitation
- Sent by a node to find the MAC-address of the neighbor, or
to check if the neighbor is still reachable
19
Neighbor Advertisement
- A response to a neighbor solicitation message
20
Redirect
- A router points the host to a better first hop router for a
destination
21
Questions
24
Next-Hop
::/0
2001:db8:aaa:bbb::cdef:1
2001:db8::/32
2001:db8:bcd:aaa::1
2001:db8::/48
2001:db8:cde:bbb::1
2001:db8:1000::/36
2001:db8:ffff:eeee::1
2001:db8:1000::/48
2001:db8:def:bbb::1
2001:db8:2000::/48
2001:db8:def:bbb::2
25
Next-Hop
::/0
2001:db8:aaa:bbb::cdef:1
2001:db8::/32
2001:db8:bcd:aaa::1
2001:db8::/48
2001:db8:cde:bbb::1
2001:db8:1000::/36
2001:db8:ffff:eeee::1
2001:db8:1000::/48
2001:db8:def:bbb::1
2001:db8:2000::/48
2001:db8:def:bbb::2
26
Next-Hop
::/0
2001:db8:aaa:bbb::cdef:1
2001:db8::/32
2001:db8:bcd:aaa::1
2001:db8::/48
2001:db8:cde:bbb::1
2001:db8:1000::/36
2001:db8:ffff:eeee::1
2001:db8:1000::/48
2001:db8:def:bbb::1
2001:db8:2000::/48
2001:db8:def:bbb::2
27
Next-Hop
::/0
2001:db8:aaa:bbb::cdef:1
2001:db8::/32
2001:db8:bcd:aaa::1
2001:db8::/48
2001:db8:cde:bbb::1
2001:db8:1000::/36
2001:db8:ffff:eeee::1
2001:db8:1000::/48
2001:db8:def:bbb::1
2001:db8:2000::/48
2001:db8:def:bbb::2
28
Summary
29
Questions
32
Routing Protocol
- IGP (OSPF) is used for loopback addresses and point-topoint links
- EGP (BGP) is used for the edge core routers
33
Network Diagram
R2
CUSTOMER 1
AS66
f0/0
f1/0
f0/0
f0/1
f0/0
f1/0
R1
AS99
f0/1
f0/1
CUSTOMER 2
f0/0
f1/0
f0/0
R3
POP
34
35
Point-to-point core:
- There is a /30 (IPv4) from 10.X.0.0/24
- Use a /127 from 2001:ffXX::/60 for core links
- Use a /64 from 2001:ffXX::/60 for the customer links
36
37
ipv6 unicast-routing
ipv6 cef
38
interface xyz
ipv6 address ...
no ipv6 redirects
ipv6 nd ra suppress all
39
interface xyz
ipv6 address ...
no ipv6 redirects
40
41
42
Questions
OSPFv3
4 - Section
OSPF Characteristics
45
OSPF Refresher
46
OSPF Refresher
ASBR
External (BGP)
LSA flooding
within the area
Area 0
ABR
Area 1
ABR
Area 2
47
48
49
50
51
router ospf 1
log-adjacency-changes
passive-interface default
network 172.16.1.1 0.0.0.0 area 1
no passive-interface f0/0
network 172.16.11.8 0.0.0.3 area 1
no passive-interface f0/1
network 172.16.11.0 0.0.0.3 area 1
52
53
54
Questions
Configuring OSPFv3
5 - Exercise
57
58
interface xyz
ipv6 ospf network point-to-point
ipv6 ospf 1 area 0
60
61
62
Questions
BGP
6 - Section
BGP Overview
65
Autonomous System
66
AS Path
67
BGP Modes
68
BGP Messages
OPEN
- opens the tcp session
KEEPALIVE
- keeps the session running
NOTIFICATION
- error handling
UPDATE
- actual route updates (NLRI)
69
NLRI
70
Well known
- They are known by all the routers and passed to BGP
neighbors
- Mandatory and are included in the UPDATE messages
Optional
- May not be supported by all BGP implementations
- The transitive bit determines if an optional attribute is
passed to BGP neighbors
71
72
MP-BGP
New features:
- Address Family Identifier (AFI)
- Subsequent Address Family Identifier (SAFI)
- Multiprotocol Reachable Network Layer Reachability
Information
- BGP Capabilities Advertisement
73
74
AFI / SAFI
Next-hop information
- Next-hop address must be of the same family
76
77
Scoped addresses
NEXT_HOP, AGGREGATOR and NLRI
Address Family Identifier (AFI) = 2 (IPv6)
- Sub-AFI = 1 (NLRI is used for unicast)
78
Independent operation
- One RIB per protocol
- Distinct policies per protocol (IP address specific
route maps and prefix lists must be adjusted)
- Make separate route maps for IPv4 and IPv6
- Prefix lists are always separate
- It is common to use a _v4 and a _v6 suffix to names
79
Questions
7 - Exercise
eBGP
7.1 - Exercise
BGP Configuration R1
83
BGP Configuration R1
Only configure R1
redistribute static
neighbor 2001:ff69::66 remote-as 66
neighbor 2001:ff69::99 remote-as 99
84
BGP Configuration R1
address-family ipv6
neighbor 2001:ff69::66 activate
neighbor 2001:ff69::99 activate
85
BGP Configuration R1
86
Filtering
87
iBGP
7.2 - Exercise
BGP Configuration R1
remote-as 1XX
update-source lo0
remote-as 1XX
update-source lo0
address-family ipv6
neighbor 2001:ffXX::2
neighbor 2001:ffXX::3
neighbor 2001:ffXX::2
neighbor 2001:ffXX::3
activate
activate
next-hop-self
next-hop-self
89
BGP Configuration R2
remote-as 1XX
update-source lo0
remote-as 1XX
update-source lo0
address-family ipv6
neighbor 2001:ffXX::1
neighbor 2001:ffXX::3
neighbor 2001:ffXX::1
neighbor 2001:ffXX::3
activate
activate
next-hop-self
next-hop-self
90
BGP Configuration R3
remote-as 1XX
update-source lo0
remote-as 1XX
update-source lo0
address-family ipv6
neighbor 2001:ffXX::1
neighbor 2001:ffXX::2
neighbor 2001:ffXX::1
neighbor 2001:ffXX::2
activate
activate
next-hop-self
next-hop-self
91
BGP Customer1
7.3 - Exercise
93
94
95
96
97
99
Summary
100
Questions
Content
8 - Section
Definition
103
Options
104
IPv6
IPv4
Internet
Web / Application
Server
Service
Provider
Router
Firewall
Load
Balancer
Web / Application
Server
Web / Application
Server
IPv6
IPv4
Web / Application
Server
Internet
Service
Provider
Router
Firewall
Load
Balancer
Web / Application
Server
Web / Application
Server
IPv6-to-IPv4 Proxy
IPv6
IPv4
Internet
Web / Application
Server
Service
Provider
Router
Load
Balancer
Firewall
Proxy
Server
Web / Application
Server
Web / Application
Server
108
Proxy on Layer 4
109
Proxy on Layer 4
listen smtp1
bind 2001:db8:abc:123::cafe:25
mode tcp
server smtp1 192.0.2.1:25
110
Proxy on Layer 7
111
Proxy on Layer 7
With SSL
listen website1-ssl
bind 2001:db8:abc:123::cafe:443 ssl
crt /etc/haproxy/website-ssl.pem
mode http
option forwardfor
server website1 192.0.2.1:443 ssl
112
Questions
Overview Day 2
Mobile Providers
Exercise: SLAAC
DHCPv6
Exercise: DHCPv6
Security
Exercise: 6rd
IP Address Management
Tips & Tricks
115
Mobile Providers
9 - Section
117
Multiple Solutions
118
NAT64/DNS64
IPv6 Internet
DNS64
Mobile User
public IPv6
NAT64 Box
Infrastructure
public IPv6
CUSTOMER
PROVIDER
IPv4 Internet
INTERNET
119
464XLAT
120
464XLAT
IPv6 UDP
IPv4 UDP
464XLAT
Client
PLAT Box
Mobile User
IPv6 only
GGSN
3G/4G Network
IPv6 only
IPv4 Internet
IPv6 Internet
CUSTOMER
PROVIDER
INTERNET
121
Apple Approach
122
3G
123
4G
124
125
Handset:
- IPv6 capable
126
127
128
Challenges
129
Questions
SLAAC
10 - Exercise
SLAAC
R2
CUSTOMER 1
R66
f0/0
f1/0
f0/0
f0/1
f0/0
f1/0
R1
R99
f0/1
CORE
f0/1
CUSTOMER 2
f0/0
f1/0
f0/0
R3
POP
132
On C1
133
On R2
134
Debugging SLAAC
135
Multicast Address
FF02::2
NA
RA
NA
RA
RA
RA
FF02::1
FF02::1:FF14:3F0F
NS
NS
FF02::1:FF00:1
FF02::1:FF05:1C9E
Time
Link-local: fe80::ba8d:12:fe05:1c9e
136
Multicast Address
RS
NA
RA
NA
FF02::1
FF02::1:FF14:3F0F
FF02::1:FF00:1
NS
FF02::1:FF05:1C9E
NS
Time
Link-local: fe80::ba8d:12:fe05:1c9e
137
Questions
DHCPv6
11 - Section
About DHCPv6
New protocol
Requires IPv6 transport
Offer similar functionality to DHCPv4 but for IPv6
Allows more control than SLAAC
- Routers and servers can have static or dynamic
assignments
141
DHCPv6 Fundamentals
142
DHCPv6 Operation
143
DUID
144
DHCPv6 Modes
Stateful
- Also requesting an address
- M flag
Stateless
- Only other configuration parameters
- O flag
Prefix Delegation
145
Stateful DHCPv6
146
Client
- Initiates requests on a link to obtain configuration
- Uses its link local address to connect the server
- Sends requests to FF02::1:2 multicast address
Relay agent
- A node that acts as an intermediary to deliver DHCP
messages between clients and servers
- On the same link as the client
- Listens on FF02::1:2 multicast address
148
SERVER
CLIENT
SOLICIT
ADVERTISE
REQUEST
REPLY
149
Stateless DHCPv6
150
SERVER
CLIENT
INFORMATION-REQUEST
REPLY
151
IPv4 deployments:
- ISP only has to deliver a public IPv4 address
- NAT is used for translation using RFC1918
IPv6 deployments:
- IPv6 end-to-end reachability:
- Home network gets its own IPv6 prefix (public address)
- No NAT
152
DHCP
RA
ISP Network
and Internet
153
DHCP
Server
DHCP
SLAAC
Server
RA
ISP Network
and Internet
154
DHCPv6 PD Messages
SERVER
CLIENT
SOLICIT
ADVERTISE
REQUEST
REPLY
155
Questions
DHCPv6-PD
12 - Exercise
DHCPv6
R2
CUSTOMER 1
R66
f0/0
f1/0
f0/0
f0/1
f0/0
f1/0
R1
R99
f0/1
CORE
f0/1
CUSTOMER 2
f0/0
f1/0
f0/0
R3
POP
158
159
interface f0/0
ipv6 address 2001:ffXX:0:ff02::a/64
ipv6 dhcp client pd PREFIX
no shutdown
!
interface f0/1
ipv6 address PREFIX ::1:0:0:0:1/64
no shutdown
160
Summary
161
Challenge: DHCPv6-PD
with static assignment
12 - Exercise
163
Questions
Security
13 - Section
Subnet Scanning
167
Subnet Scanning
168
ICMPv6
169
Src
Dst
ICMPv6
type
ICMPv6
Code
Name
Permit
Any
128
echo reply
Permit
Any
129
echo request
Permit
Any
no route to dest
Permit
Any
Permit
Any
TTL exceded
Permit
Any
parameter problem
170
IPv6 Headers
171
IPSec
172
RA Guard
RFC6105
Implement on a L2 switch, so they can filter out
rogue or misconfigured routers sending router
advertisements
173
Hosts
- Firewalls
- VPN clients
174
Routers
line vty 0 15
ipv6 access-class line-vty-in in
175
IPv6 Bogons
Documentation prefix
- 2001:db8::/32
6bone
- 3ffe::/16
- Returned to the IANA pool
176
Questions
Configuring 6rd
14 - Section
6rd
Quite similar to 6to4
- Encodes the IPv4 address in the IPv6 prefix
6rd
IPv4 Internet
6RD Tunnel
Server
Home User
IPv4
Infrastructure
IPv4
CUSTOMER
PROVIDER
IPv6 Internet
INTERNET
180
6rd Lab
181
6rd Lab
182
6rd Lab
R2
CUSTOMER 1
R66
f0/0
f1/0
f0/0
f0/1
f0/0
f1/0
R1
R99
f0/1
CORE
f0/1
CUSTOMER 2
f0/0
f1/0
f0/0
R3
POP
183
184
185
2001:ffXX:ff00::/42
186
interface loopback6
ip address 10.X.3.255 255.255.255.255
no shutdown
187
interface tunnel6
tunnel source loopback6
tunnel mode ipv6ip 6rd
tunnel 6rd ipv4 prefix-len 22
tunnel 6rd prefix 2001:ffXX:ff00::/42
ipv6 address 2001:ffXX:ff3f:f000::/128 anycast
188
189
190
ipv6 unicast-routing
ipv6 cef
191
192
193
Set up interfaces
interface loopback 0
ipv6 address DELEGATED_PREFIX ::1/128
interface f0/1
ipv6 address DELEGATED_PREFIX 0:0:0:1::/64 eui-64
no ipv6 redirects
194
195
196
197
Questions
IP Address Management
15 - Section
200
Address Management
NetDot
202
NetDot
203
GestiIP
204
GestiIP
205
phpIPAM
E-mail notifications
Displays free ranges and numbers of clients
Import and export to XLS files
Can pull info from the RIPE DB
Does not update DNS server
206
phpIPAM
207
NIPAP
Written in Python
Web and CLI
Integrated audit log
IP request system
XML-RPC middleware
- Easy integration with other applications
208
NIPAP
209
IPPlan
Web based
Multi lingual
DNS administration (forward and reverse zones)
Audit log
Statistics
Importing network information from routing tables
210
IPPlan
211
IP Analyser
212
IP Analyser
213
Questions
216
Feedback!
https://www.ripe.net/lir-services/training/courses/
advanced-ipv6/feedback-2016
217
Follow us!
@TrainingRIPENCC
218
Questions
The End!
Y Diwedd
Ende
Konec
Lpp
Kraj
Beigas
Fine
Einde
Liugt
Finvezh
nn
Endir
Ki
Fund
Son
Vge
Finis
An Croch
Sfrit
Fin
Slut
Pabaiga
Fim
Amaia
Loppu
Kpaj
Tmiem
Slutt
Koniec