
Fred Bovy. IPv6 For Life!

2012, First Edition
Fred Explains IPv6 In-depth
Chapter 1
Preface
This is why I wrote this very first book, and it is a great tribute to my CISCO colleagues from whom I learned so many things! It also gives a pointer to the Web server that must be used with this book and the IPv6 certifications. Please read the important information at the end of this chapter!

1 Preface
My name is Fred Bovy, CCIE #3013, and I have been in the Networking industry for
more than 20 years, with a focus primarily on IPv6 and Service Provider issues for
about 10 years.
In 1999 I joined CISCO as a Network Consultant. My initial long term project involved helping a Service Provider and an enterprise deploy brand new MPLS-VPN backbones. Since then, I have been hooked, and have developed an expertise in this subject. I later joined the CISCO IPv6 IOS Engineering Team as a dev-tester. For more than 3 years, I focused on 6PE and 6VPE testing. During that time, I developed many TCL scripts to test 6PE and 6VPE functionalities, routing and switching performance, scalability, High Availability, and all the supported network designs like Internet Access models, Carrier's Carrier or Hub and Spoke and more. I also got deeply involved in testing Netflow for IPv6 and SeND.
In 2009 I resumed teaching, keeping the focus on IPv6 with special attention on the transition to IPv6. I believe that we have finally hit the tipping point for IPv6, given that all of the IPv4 addresses ran out in February. It's time for everyone to realize, before companies and individuals lose their competitive edge, that IPv6 is fast becoming a requirement that will enable the Next Generation Internet.
About
I have written this book to help anyone who needs to design, configure and troubleshoot IPv6 Networks, because this is the experience I have gathered in my life as an IPv6 Tester, Consultant and Trainer, and also from my 20+ (almost 25) years of IP and CISCO Routers.
In this first book I will cover the Fundamentals. Following books will be about Routing
Protocols, Transition To IPv6, Multicast, Security and more...
The book must be used with the IPv6 TUTORIAL that can be found from
http://www.ipv6forlife.com.
1.1 !"#$%&' &) *+,*- ./0 &) &1' 2,34
IPv6 is more than a Job to me; it is a hobby and a philosophy; it is a Community. It is open, and everybody is welcome to bring something!
IPv6 was designed about 20 years ago by people who thought that the Internet should be for everybody and not only for the lucky ones who can get a Class A or whatever IPv4 block... It was designed to support ALL applications for EVERYONE! 12 years ago I decided to join the community of people who are building the new Internet for everyone and for the new applications that IPv6 enables!
I joined the CISCO IPv6 IOS Engineering Team to help the development of 6PE and 6VPE for about
3 years then Netflow for IPv6 and finally SeND and related IPv6 Security for about 3 years.
I would like to thank Eric Levy-Abegnoly, who was my IPv6 Team Leader and mentor (with Luc Revardel), who designed and developed 6PE, 6VPE, SeND and more; Ole Troan, another Great IPv6 Team Leader, who designed most of the IPv6 IOS Code; Benoit Lourdelet, who is the IPv6 Product manager, Patrick Grossetete before him, and many other great CISCO people I have been working with. I learned so much with them. I was a CCIE and a CCSI when I joined CISCO, but I learned more about Networks during the 10 years working for CISCO than all I had learned before. Special thanks to Jim Guichard (my first mentor, who went with me to the customers in my first 6 months within CISCO), Peter Psenak (who was the NSA Engineer for EQUANT before me and also helped me a lot during the transition. He is now one of the best OSPF Engineers worldwide. Networks are transparent for him.), Arjen Boers (the multicast man who hired me with Valerio), JP Vasseur (CISCO Fellow Guru who worked with me on the MPLS-TE Fast Re-Route project for EQUANT and such a nice guy!), Francois Le Faucheur (another Brain, the Architect of QoS in MPLS Networks who invented DiffServ-TE and the QoS Models in MPLS Networks), Robert Hanzl (the Customer Support Engineer who helped me on my first crisis with a customer and then became an MPLS Team Leader), Robert Rasczuk (the MPLS Deployment Engineer who helped me on my first big crisis with a customer facing a major Backbone instability), Luc Revardel (who taught me the basics of IPv6 Testing Automation), Greg Boland, Steve Glaus, Mandy Mac Diarmid, Mado Bourgoin and all my managers who helped me to focus on my work, starting with Valerio Muzzolini, Serge Dupouy, Nick Gale.... And all the good guys and girls who I am forgetting, who are the CISCO Assets.
These 10 years were the best school, university, experience and also basis for human values, not only technical...
This was not only a matter of knowledge and people, it was also a way to manage people that I had never found in any French companies or International companies not managed by Americans. During my interviews when I got hired, someone asked me what I was expecting from my management. I answered support to keep me focused on my technical job, and I was correct! This was typically what I found with all my managers, with the exception of the French SE (Pre Sales) Manager I got when I joined the Account Team to help the customer validation process for free, as this was normally a service charged to the customer. But except for this one, I only got great managers who always supported me when I was a Network Consultant and a Software Engineer. I was always supported to focus on my job and didn't have to worry about the political cases that the French really enjoy in most big companies. I had the benefit of working for a big company, but at the same time I was so free to organize my work, and received awards every time I was doing something good, that I had the feeling I was working for my own company. This was also the first time that I was working for a company where technical skills were recognized and you did not have to become a (often bad) manager as a reward when you were good in your Technical role! At last I found people like me, people working like me! Working for CISCO was my best experience in my career.
After CISCO I resumed my trainer and consultant life and started to teach what I had learned with my
CISCO masters and more! I am a self-employed IPv6 Expert working as a Fast Lane IPv6 Course
Subject Matter Expert with other CISCO partners and for myself as well.
2 About the book
2.1 IPv6 Fundamentals
IPv6 cannot be understood unless the Fundamentals are. That's why the first Module of this book is essential.
You can find some help in the "IPv6 For Life!" Tutorial from the home page: http://www.ipv6forlife.com.
This Tutorial has several chapters for the Fundamental Module:
Fundamentals #1. Introduction and IPv6 Addressing
Fundamentals #2. More about IPv6 Addressing. ICMPv6 and an Intro about Neighbor Discovery
Fundamentals #3. DHCPv6, DNS, MOBILE IPV6 and derived applications
Our first chapter will introduce the IPv6 basics.
Then we will study IPv6 Addressing, which is the main reason why IPv6 was developed: to provide an addressing scheme that will match the requirements of the Internet for the next century.
There was one requirement missed on day one: multihoming. It should have been managed by the IPv6 Stack as a service, like Mobile IPv6, but the Engineers simply missed this issue, which is still not completely resolved with a commonly accepted long term solution.
The next chapter will be about the IPv6 header, the long addresses, the Extension Headers and other interesting improvements for more efficiency.
Then ICMPv6 basics, quite close to IPv4, and, more interesting, the Neighbor Discovery Protocol, which is described in two separate RFCs. Many solutions are provided by ND, like Autoconfiguration or Router Discovery and more.
Finally we will describe all the most important Services, which are not implemented on all platforms. Linux is the best platform to test and support all the IPv6 Services.
2.2 IPv6 Certifications
2.2.1 IPv6 Forum Certification
There are many certifications at the IPv6 Forum with 2 levels, Silver and Gold, for Engineer and Trainer. The Trainer level is more advanced than the Engineer level.
For the moment, all you need is to apply on the IPv6 Forum Web Server and provide a few proofs of achievement to get certified.
2.2.2 Hurricane Electric
Hurricane Electric proposes a very challenging certification with multiple levels up to Sage Level.
Each step requires both theory and practical exercises.
You need to have a host connected to the Internet to do the proposed exercises and to validate that you were able to provide the correct answers.
This is a free and very interesting certification.
2.2.3 CISCO CCIE Routing & Switching
Cisco has one main 5 day training course and a derived training, which I have designed for CISCO, that is aimed at the SP Market.
2.3 Important information
THIS BOOK CAN BE READ COVER TO COVER OR YOU CAN PICK UP ANY
PAGE FROM ANY CHAPTER WHEN NEEDED.
THIS E-BOOK IS ALIVE. MANY VIDEO LINKS ARE FLASH PRESENTATIONS
AND YOU WILL NEED A LARGE SCREEN AND FLASH (ADOBE) SOFTWARE
ENABLED BROWSER. PLEASE CHECK http://www.adobe.com.
I AM ADDING NEW PRESENTATIONS ON A REGULAR BASIS AND I WILL UPDATE THE LINKS IN THIS BOOK. WHEN YOU GET A NEW VERSION OF THIS E-BOOK YOU WILL GET PLENTY OF NEW PRESENTATIONS.
FOR ALL THE LINKS YOU WILL NEED TO ACCESS THE IPv6 FOR LIFE WEB SERVER: http://www.ipv6forlife.com
Although I am based in France, I have been speaking and writing more in English than French for the last 25 years, but I may still make some mistakes, which I ask you to forgive if they appear in this book!
The IPv6 Internet belongs to everybody. Thanks for reading me!

Kindest Regards,
Fred Bovy
Chapter 2
Introduction to IPv6
This chapter explains how we arrived at IPv6 in 2012 and the long path we have walked since the 80s! Address depletion is not a new issue, and IPv4 was never intended to scale to a Global Public Internet!
1 Introduction to IPv6
1.1 History
IPv4 was developed in the 80s by the DoD of the USA for a military network with a few thousand hosts at most.
There was no need for security, as it was a private network in the DoD Buildings. There was no need for Autoconfiguration or Mobility, among many other things.
IPv4 Addresses were widely distributed until there were no longer enough for everyone. In the early 90s, IPv4 Address depletion started to be a problem.
I posted something about it in my blog about this history:
http://ipv6forlife.net/wordpress/?p=61
1.1.1 OSI Protocols
The first serious candidate to replace TCP/IP was the OSI Protocols. The Open Systems Interconnection (OSI) protocols are a family of information exchange standards developed jointly by the ISO and the ITU-T starting in 1977.
OSI defined a Layered Model with 7 Layers while TCP/IP just had 5, since OSI Layers 5, 6 and 7 were actually managed by the TCP/IP Application Layer.
The OSI Protocols provided a Datagram Service like IP, called Connectionless Network Service (CLNS), with an address of up to 20 bytes (160 bits) long.
Its routing protocol, IS-IS, very close to OSPF, immediately interested many service providers since it was an Integrated routing protocol which could support IPv4 as well (RFC1195). Actually it was more SP oriented and could support many more routers in the same area. It is also a much easier protocol to troubleshoot. A simple look at its Database will convince any Network Engineer in 5 minutes.
Digital Equipment thought that OSI would replace IPv4, and DECnet Phase V was actually built on the OSI Protocols.
1.1.2 ATM and Frame-Relay
But at the same time the convergence of Data and Voice Networks had started since the middle of the 80s, and we were looking for a network which could manage both Real Time (Voice, Video) and Non-Real Time data with multiple levels of Precedence, as IPv4 was already doing. Some people were working very hard for a converged network and they came up with a new protocol called ATM (Asynchronous Transfer Mode).
ATM could manage any kind of Traffic: Voice, Video, Business Data, Bulk Data. ATM was really a Network Scientist Protocol Architecture; its routing protocol PNNI was able to react in Real-Time to any change in the Network to find paths which could match any Class of Service Traffic.
ATM was based on 53 byte cells at the Physical Level, so that Real-Time and Non Real-Time traffic could be interleaved.
ATM was designed for 155 Mbps SONET/SDH Fiber links minimum, and this was not really widely available at this time. Also, the ASICs to manage the 53 Byte Cells were not yet available, or very expensive, as they were not made at a sufficiently large scale to get a reasonable price. So, an interim technology was also created to transport Data and Voice while ATM was growing. This was Frame-Relay, a stripped down version of X.25 with PVCs only. SVCs came later, but they were never as popular as PVCs.
In the mid 90s ATM was the only serious candidate to support these converged Networks, and VoIP was not an option in the networking business world.
At the end of the 90s, most people realized that ATM would not scale with the MultiGigabit Links which were slowly arriving. Also, some ATM Protocols like LAN Emulation collapsed under traffic, as the Node dedicated to replicating Broadcast and Multicast was overloaded. ATM, which was great on paper, proved to be not scalable, and a complex and expensive solution, so VoIP came back as a viable solution.
But all this work done for ATM was not trashed, and many protocols built for ATM are still in use in many solutions: a lot of the QoS work, and a protocol like NHRP, which was developed for Classical IP over ATM, is now used for CISCO DMVPN.
1.1.3 MPLS
There was also the idea of replacing a long address by a label, as was already done by the old X.25 and then ATM networks; this gave the idea of replacing the IPv4 header with a short label! Ipsilon's IP Switching, Cisco's Tag Switching and many other Vendors provided such a solution, with an initial motivation to make faster routers.
Then CISCO also saw that with Tag Switching it was possible to add some services which were not possible with IP, like Tag-VPN. Tag-VPN permitted providing each connected customer with a Virtual Private Network having its own IPv4 Addresses.
Tag-VPN was based on a Multi-Protocol BGP Extension with a new BGP vpnv4 address family, as it was adding a 32 bit prefix to the IPv4 address, called a Route Distinguisher (RD), for the BGP prefix to be unique in the Service Provider Backbone BGP Table.
In addition to the RD, an Extended Community BGP Attribute was added to the BGP Prefix before it was advertised to a remote BGP Router. This Extended Attribute was then used to recognize a prefix and import it into the Customer Virtual Routing Table.
The benefits of Tag-VPN over the previous Layer 3 VPNs based on IP were that:
The Backbone routers (P) did not have to know any of the Customer Routes. Only the BGP Next-Hop, the exit point host route for each Provider Edge (PE) Router connecting to the Customer Edge (CE) Router, was enough.
Before Tag-VPN, in the SP Point of Presence, each Customer needed to have a dedicated router which was importing all the BGP Routes with a given Community Attribute. With Tag-VPN, the same PE could be shared by all the customers, with each customer having its own Virtual Routing Table.
Customers could have overlapping addresses without any problem.
The provisioning and the management of the VPN were very much simplified.
Traffic Engineering was another great service of Tag-VPN, allowing the SP to use more than the best route links in their backbone and so to use all the available bandwidth of the core.
Tag-Switching was then standardised by the IETF as MPLS.
So in the late 90s and in the early y2k, most service providers were upgrading their backbone to MPLS!
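To make the RD and Route Target mechanism above concrete, here is an added Python model; it is not code from the book, from Cisco or from any BGP implementation. It assumes the RFC 4364 conventions: a Route Distinguisher written ASN:number is prepended to each IPv4 prefix to form a VPNv4 route, each VRF hands out its own VPN label, and Route Target extended communities decide which VRF imports a route. The VRF names, RDs, labels and addresses are constructed for the illustration.

```python
"""Model of how Tag-VPN / MPLS-VPN keeps customer routes apart on a shared PE."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network


@dataclass
class Vrf:
    """One customer's virtual routing table on a PE (constructed model)."""
    name: str
    rd: str                      # route distinguisher, e.g. "65000:1"
    export_rt: str               # extended community attached on export
    import_rts: frozenset        # communities this VRF accepts on import
    vpn_label: int               # MPLS label the PE hands out for this VRF
    table: dict = field(default_factory=dict)   # prefix -> local next hop


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: IPv4Network
    next_hop: str                # the PE loopback; the only thing P routers must know
    label: int
    route_targets: frozenset

    @property
    def key(self):
        """RD + prefix: this is what makes overlapping customer prefixes unique."""
        return (self.rd, self.prefix)


def export_routes(vrf: Vrf, pe_loopback: str) -> list:
    """Turn a VRF's local routes into VPNv4 routes tagged with the export RT."""
    return [
        Vpnv4Route(vrf.rd, IPv4Network(prefix), pe_loopback, vrf.vpn_label,
                   frozenset({vrf.export_rt}))
        for prefix in vrf.table
    ]


def import_routes(vrf: Vrf, bgp_table: dict) -> dict:
    """Import only routes whose RTs intersect the VRF's import RTs.

    The RD is stripped on import, so the customer sees plain IPv4 prefixes,
    each with the remote PE next hop and the VPN label to push.
    """
    return {
        str(route.prefix): (route.next_hop, route.label)
        for route in bgp_table.values()
        if route.route_targets & vrf.import_rts
    }


def simulate() -> dict:
    # Constructed scenario: customers A and B both use 10.1.0.0/16 behind PE1;
    # PE2 hosts their remote VRFs plus an unrelated customer C.
    a_pe1 = Vrf("A", "65000:1", "65000:100", frozenset({"65000:100"}), 16, {"10.1.0.0/16": "CE-A"})
    b_pe1 = Vrf("B", "65000:2", "65000:200", frozenset({"65000:200"}), 17, {"10.1.0.0/16": "CE-B"})

    bgp_table = {}
    for vrf in (a_pe1, b_pe1):
        for route in export_routes(vrf, pe_loopback="192.0.2.1"):
            bgp_table[route.key] = route     # no collision: the RDs differ

    a_pe2 = Vrf("A", "65000:1", "65000:100", frozenset({"65000:100"}), 20)
    b_pe2 = Vrf("B", "65000:2", "65000:200", frozenset({"65000:200"}), 21)
    c_pe2 = Vrf("C", "65000:3", "65000:300", frozenset({"65000:300"}), 22)
    return {
        "bgp_entries": len(bgp_table),
        "A_imports": import_routes(a_pe2, bgp_table),
        "B_imports": import_routes(b_pe2, bgp_table),
        "C_imports": import_routes(c_pe2, bgp_table),
        "p_routers_need": sorted({r.next_hop for r in bgp_table.values()}),
    }


if __name__ == "__main__":
    for k, v in simulate().items():
        print(k, v)
```

The same 10.1.0.0/16 from two customers yields two distinct BGP entries, both pointing at the single PE loopback the P routers need; customer C, whose import RT matches neither, receives nothing. That RT filter is the property that keeps one customer's routes out of another's VRF, so the import policy deserves the same review as any firewall rule.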
1.1.4 IPv6
Later, in the early Y2Ks, when IPv6 became the next version approved by the IETF and was more and more requested by the Customers, CISCO's reply was to provide an IPv6 Service over IPv4/MPLS without any need to upgrade the backbone.
They invented 6PE, designed and developed in the South of France from an Architecture (RFC) by Francois Le Faucheur and other companies, and then designed and coded by Eric Levy-Abegnoly.
In the early Y2K, the first large scale IPv6 offers from SPs were mostly brought by 6PE, in Asia and in the USA.
Later came 6VPE, which was actually 6PE in the VRF, allowing the customers to have a dual-stack VPN supporting both IPv4 and IPv6.
We will cover 6PE and 6VPE later with all details...
1.2 IPv4 Address Depletion
As we have seen earlier, IPv4 address Depletion started to be a problem in the 90s, and while some people were working on new protocols to replace IPv4, some others were working on a workaround to keep on working longer with IPv4.

They came up with NAT and Private Addresses (RFC1918). Before RFC1918, some people were already doing some private addressing, but it was at their own risk if they chose an address already in use and which they might one day need to reach, like for instance 7.0.0.0/8 or 9.0.0.0/8. One of these was used in my company in the early 90s, with Proxies to reach the Internet for the http or ftp protocols.
Now with RFC1918, some blocks were reserved for private addressing, and with NATPT aka PAT, it was possible to use one public address for a whole building or all the PCs of a residential user.
Let's take a shortcut and call NAT: NAT, NATPT or PAT.
NAT immediately solved the problem for many years, but at the same time it killed some concepts which created the popularity of the Internet, like End-to-End Addressing or peer to peer capabilities.
In the 90s, this was the time for Downsizing and Client-Server Applications. Many companies moved to TCP/IP for this reason.
Downsizing was the migration of Applications from Mainframes to Servers running on RISC Workstations, Mini Computers (AS/400) or even PCs and PS/2s.
Client-Server Applications were the migration from hierarchical Applications running on a Mainframe and accessed by dumb terminals to Applications on Servers accessed by smart Clients, mostly micro computers or Unix Platforms, PCs or RISC based.
To keep on working with NAT, we now have to provision a public address for each server and configure a Static NAT Translation for each Server. This can become tedious when you have a lot of servers to manage. And we cannot save addresses anymore: each server still requires a Public Address.
NAT introduced many states in the IP Network, which was a datagram best-effort model, and this has many Architectural Implications. Just make a search on the IETF Server for all the RFCs about NAT or PAT or NAPT, and you will find more than 80 documents explaining the limitations and how to work around NAT to support most of the Network Applications.
NAT seems an easy and cheap solution, but when you look into it, you find that it actually costs a fortune in hidden costs and thousands of lines of code to support it!
To support Voice applications, Skype's workaround is to use a Server in the middle of your connection, and your Smartphone must send keepalives on a regular basis to keep the NAT States up, draining your battery.
Skype makes it work at the cost of a server and keepalives, but many voice applications are still impossible because of NAT!
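The per-flow state that NAT introduces, and why an application must send keepalives to keep it alive, can be shown with a small simulation. This is an added example, not code from the book or from any NAT implementation; the public address, private host, 30 second idle timeout and keepalive interval are constructed values, and only the port-overloading (PAT) case is modelled.

```python
"""Simulation of the per-flow state a NAPT (PAT) box keeps, and why keepalives exist."""
from dataclasses import dataclass


@dataclass
class Mapping:
    inside: tuple          # (private IP, private port)
    outside_port: int      # port used on the single public address
    last_seen: float       # time of the last packet in either direction


class Napt:
    def __init__(self, public_ip, idle_timeout=30.0, first_port=1024):
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.next_port = first_port
        self.by_inside = {}    # (ip, port) -> Mapping
        self.by_outside = {}   # public port -> Mapping

    def expire(self, now):
        """Drop every mapping idle longer than the timeout. This is the state loss
        that breaks inbound calls unless the host keeps refreshing the entry."""
        dead = [m for m in self.by_inside.values() if now - m.last_seen > self.idle_timeout]
        for m in dead:
            del self.by_inside[m.inside]
            del self.by_outside[m.outside_port]
        return len(dead)

    def outbound(self, src_ip, src_port, now):
        """Translate a packet leaving the private network, creating state if needed."""
        self.expire(now)
        key = (src_ip, src_port)
        m = self.by_inside.get(key)
        if m is None:
            m = Mapping(key, self.next_port, now)
            self.next_port += 1
            self.by_inside[key] = m
            self.by_outside[m.outside_port] = m
        m.last_seen = now
        return (self.public_ip, m.outside_port)

    def inbound(self, dst_port, now):
        """Translate a packet arriving from the Internet; None means it is dropped."""
        self.expire(now)
        m = self.by_outside.get(dst_port)
        if m is None:
            return None           # no state: an unsolicited peer cannot reach the host
        m.last_seen = now
        return m.inside


def demo(keepalive_interval=None) -> bool:
    """Return whether an inbound packet at t=100 s still reaches the phone.

    Without keepalives the 30 s idle timer removes the mapping; with a 20 s
    keepalive the mapping survives and the incoming call setup gets through.
    """
    nat = Napt("203.0.113.5", idle_timeout=30.0)       # constructed public address
    nat.outbound("10.0.0.7", 5060, now=0.0)            # phone registers at t=0
    public_port = nat.by_inside[("10.0.0.7", 5060)].outside_port
    if keepalive_interval:
        t = keepalive_interval
        while t < 100.0:
            nat.outbound("10.0.0.7", 5060, now=t)      # the battery-draining keepalive
            t += keepalive_interval
    return nat.inbound(public_port, now=100.0) == ("10.0.0.7", 5060)


if __name__ == "__main__":
    print("without keepalive:", demo())
    print("with 20 s keepalive:", demo(keepalive_interval=20.0))
```

Every mapping is memory and CPU on the translator, and every timeout is a trade-off between freeing state and breaking long-lived sessions; that is the hidden cost the text refers to.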
A 10.0.0.0/8 block looks like a big block for the needs of most companies, but it is still too small for some very large companies or some Service Providers. That's why the Cable SPs requested that DOCSIS 3.0 support IPv6!
Today, even with the use of NAT, we are running out of IPv4 Addresses in most regions of the World!
And even if the Service Provider ran NAT a second time in the SP Backbone to share an IPv4 Address among multiple Customers (NAT444), this could not give enough addresses to match the need of all the emerging countries, the need for more than one IPv4 address per user. We must now support plenty of new connected devices which did not exist in the 90s: Smartphones, iPads, and so on...
So today the question is no longer whether we need to move to IPv6 but when!
1.3 The Current Market Needs
We have seen that IPv4, even with double NAT, could not provide enough addresses for all the Emerging Countries, new devices and new applications which require more and more addresses and even more and more ports (Ajax)!
The Cable Network Operators have requested that the latest DOCSIS Cable standard MUST support IPv6.
Voice Applications suffer more and more from the NAT limitations, and Mobile IPv6 or Proxy Mobile IPv6 can bring solutions which are impossible with IPv4.
We need autonomous devices which not only do autoconfiguration, but also can form Networks dynamically after they automatically discover neighbors. This is the Wireless Sensor Networks (6LoWPAN) application.
1.4 Transition Richness
Since the introduction of IPv6, tools for a soft transition have been provided. They have evolved with time and demand.
In 1996, IPv6 was shipped with a dual-stack and static tunnels.
While the Internet is still growing very fast, with more connected devices every day, the available IPv4 addresses have declined and IANA has been completely depleted since February 2011. Although IPv6 has now been implemented for more than 15 years and is available on most Operating Systems and from most Network vendors, most Service Providers and even more companies have not yet switched to the next generation Internet protocol. As a consequence we still need to buy some time to allow a smooth transition to IPv6. It is expected that we will need to support mixed IPv4 and IPv6 networks.
Clearly, the maximum performance, security and other benefits we can think of from running IPv6 will be achieved when the transition is complete.
During the transition we will need to compromise on features, performance and security for the benefit of supporting old IPv4 nodes and applications.
We have to address the four following problems:
1. Support a maximum of new IPv4 customers with the few remaining IPv4 Public Addresses. This implies more sharing of the remaining addresses. The current solutions to address this problem are the Stateful Carrier Grade NAT (CGN), aka Large Scale NAT (LSN), and the Stateless dIVI-pd or A+P Solutions.
2. SPs with IPv4 Backbones need to provide IPv6 Access to the IPv6 Internet or among IPv6 customers. This is based on 6PE or 6VPE for MPLS/IPv4 backbones, or 6RD for IPv4 Backbones.
3. SPs with IPv6 Backbones need to provide IPv4 Access to the IPv4 Internet or among IPv4 Customers. This is based on DS-Lite or 4RD based Solutions.
4. Provide access to IPv4 Resources for IPv6 ONLY Customers. This is based on Address Family Translators, with NAT64 and DNS64 currently the best solutions. These translators translate packets originating from the IPv6 side into IPv4. With Stateless translation it is a One-to-One translation using a reserved IPv6 prefix. With Stateful NAT64, multiple IPv6 addresses can be translated to one IPv4 address.
There is a Stateless implementation on Linux called TAYGA. They say on their Web site that to get a stateful NAT64 one just needs to combine TAYGA with a Stateful NAT44, also available on Linux.
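The stateless one-to-one mapping of problem 4, and the DNS64 synthesis that goes with it, look like this in Python. This is an added example, not code from the book or from TAYGA. It assumes the RFC 6052 Well-Known Prefix 64:ff9b::/96 (the text only says "a reserved IPv6 prefix"): with a /96 prefix the IPv4 address simply occupies the low 32 bits, which is exactly what makes the translation stateless. The names and records in the zone data are constructed.

```python
"""Stateless IPv6<->IPv4 address mapping of the kind used by NAT64 and DNS64."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# RFC 6052 Well-Known Prefix (assumed here; an operator may use its own /96 instead)
NAT64_PREFIX = IPv6Network("64:ff9b::/96")


def v4_to_v6(v4: str) -> IPv6Address:
    """Embed an IPv4 address in the low 32 bits of the NAT64 prefix."""
    return IPv6Address(int(NAT64_PREFIX.network_address) | int(IPv4Address(v4)))


def v6_to_v4(v6: str) -> IPv4Address:
    """Extract the IPv4 address. Anything outside the translation prefix is
    refused, so the translator never forwards arbitrary IPv6 destinations to IPv4."""
    addr = IPv6Address(v6)
    if addr not in NAT64_PREFIX:
        raise ValueError(f"{v6} is not a NAT64-mapped address")
    return IPv4Address(int(addr) & 0xFFFFFFFF)


def dns64_answer(name: str, a_records: dict, aaaa_records: dict) -> list:
    """What a DNS64 resolver hands an IPv6-only client: real AAAA records when
    they exist, otherwise AAAA records synthesised from the A records."""
    if name in aaaa_records:
        return [IPv6Address(a) for a in aaaa_records[name]]
    return [v4_to_v6(a) for a in a_records.get(name, [])]


def translate_outbound(dst_v6: str) -> str:
    """IPv6 -> IPv4 direction of the translator for one packet's destination."""
    return str(v6_to_v4(dst_v6))


if __name__ == "__main__":
    # Constructed zone data: one dual-stack name, one IPv4-only name.
    A = {"v4only.example": ["192.0.2.10"], "dual.example": ["198.51.100.1"]}
    AAAA = {"dual.example": ["2001:db8::1"]}
    for name in ("dual.example", "v4only.example"):
        print(name, [str(a) for a in dns64_answer(name, A, AAAA)])
    print(translate_outbound("64:ff9b::c000:20a"))
```

Because the mapping is a pure function of the address, a stateless translator needs no table, no timeouts and no logs, which is the contrast with the CGN/LSN approach discussed next.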
[Figure: transition scenarios. (1) An IPv4 private network using RFC 1918 space (10.0.0.0/8, 172.16.0.0/12, ...) behind a NAT44 (CGN/LSN) to the IPv4 Internet, with a second NAT44 under ISP control (10.0.0.0 -> 202.45.3.0). (2) An IPv6 private network 2001:db8:678::/48: a DHCPv6-PD client using a link-local address on the p2p link to the SP, a /56 per building (8 bits for subnets) and /64 subnets such as 2001:db8:678::/64, 2001:db8:678:10::/64, 2001:db8:678:20::/64, 2001:db8:678:30::/64, with SLAAC hosts; a stateful NAT64 in which all IPv6 addresses of a building translate to one IPv4 address (e.g. 2001:DB8:678:1000::/48 -> 10.12.13.2/24) to reach an IPv4-only host 10.12.13.1/24.]
This will be developed further in the next book, with a module or a full book about Translation to IPv6. There are so many possibilities and so many technologies being tested if we really want to cover all the experiments currently or recently performed.
SPs are not very happy with the CGN or LSN based solutions, since they have to run a stateful protocol in their backbone. The Capacity Planning is almost impossible in most cases, so they may have to over-provision the NAT64 or NAT444 with big CPUs and a lot of RAM, just in case they have to manage twice as many translations on an occasion like a global sport event such as the Olympic Games. If TV is not working for the Olympic Games or a World Cup soccer event, it would be a reason for many users to move to a competitor! Stateless protocols like 4RD or dIVI-PD do not have this problem.
With CGN/LSN the SP must also keep the logs, which represent some terabytes of data each month.
Transition protocols are expensive, and as all SPs are transitioning to IPv6, I now have serious doubts that dual-stack will be supported for a long time. Will the "Good" Internet User who complies with IPv6 want to pay the bill for the one who has been doing nothing for 15 years?
1.5 What are the IPv6 improvements?
1.5.1 128 bit Addresses
1.5.1.1 IPv6 addresses: How many is that in numbers?
IPv6 is our Word of the Day today. The big difference between it and IPv4 is the increase in address space. IPv4 addresses are 32 bits; IPv6 addresses are 128 bits. That's a lot more, for sure, but what does it look like in numbers? What could we compare it to in real-world terms?
DevDevin did the math:
How many IP addresses does IPv6 support? Well, without knowing the exact implementation details, we can get a rough estimate based on the fact that it uses 128 bits. So 2 to the power of 128 ends up being 340,282,366,920,938,000,000,000,000,000,000,000,000 unique IP addresses.
How do you say that, though? 340 trillion, 282 billion, 366 million, 920 thousand, 938 followed by 24 zeroes. There's no short way to say it in numbers without resorting to math.
Here's how Wikipedia expresses it:
The very large IPv6 address space supports a total of 2^128 (about 3.4×10^38) addresses - or approximately 5×10^28 (roughly 2^95) addresses for each of the roughly 6.5 billion (6.5×10^9) people alive today. In a different perspective, this is 2^52 addresses for every observable star in the known universe.
Steve Leibson takes a shot at putting it in real world terms. It's big; grains of sand don't even enter into it. No, he's got to take it to the atomic level. Here's his conclusion:
So we could assign an IPv6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100+ earths. It isn't remotely likely that we'll run out of IPv6 addresses at any time in the future.
1.5.2 Extension Headers
In IPv4 we had a limited set of Options which could not provide for any new Extension. In IPv6 we have Extension Headers instead. These Extension Headers can be daisy chained, so it is now possible to put as many Options as we want in an IPv6 packet to support any new IPv6 Level Applications.
The first great example of what we can do with Extension Headers is Mobile IPv6 and all derived applications: Mobile Router (NEMO), MANET, Wireless Sensor Networks (6LoWPAN), PMIPv6. As we can tweak Addresses at the Network Layer, it becomes transparent for the Transport or Application Level.
1.5.3 More Efficient Packet Switching
No more Header Checksum in IPv6. This field has been completely removed.
Header aligned on 64 bits for more efficient access.
Routers are no longer responsible for fragmentation. If fragmentation must be done, it must be done by the source. The fragmentation information is no longer carried in each packet but in an Extension Header, if needed.
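The daisy chain of Extension Headers and the Fragment header mentioned in the two sections above can be followed in code. This is an added example, not code from the book: it walks the Next Header chain of a constructed IPv6 packet (Hop-by-Hop Options, then Fragment, then ICMPv6), assuming the RFC 8200 layouts (a fixed 40 byte header; Hop-by-Hop, Routing and Destination Options headers carry a Hdr Ext Len in 8 octet units not counting the first 8; the Fragment header is always 8 octets). The addresses and identification value are constructed. It also shows why a receiver or filter has to parse the whole chain, with length checks, before it knows which upper-layer protocol the packet carries.

```python
"""Walk the IPv6 Next Header chain and decode a Fragment header (constructed packet)."""
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
VARIABLE_LENGTH = {HOP_BY_HOP, ROUTING, DEST_OPTS}
MAX_CHAIN = 8          # defensive cap: a longer chain is treated as malformed


def parse_ipv6(packet: bytes) -> dict:
    """Return payload length, hop limit, the extension headers seen, the
    upper-layer protocol, its offset and, if present, the fragment fields."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    # No header checksum to verify: IPv6 dropped that field entirely.
    ver_tc_flow, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    if ver_tc_flow >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    offset, chain, fragment = 40, [], None
    while next_hdr in VARIABLE_LENGTH or next_hdr == FRAGMENT:
        if len(chain) >= MAX_CHAIN or offset + 8 > len(packet):
            raise ValueError("malformed extension header chain")
        nh, ext_len = packet[offset], packet[offset + 1]
        if next_hdr == FRAGMENT:
            # Next Header, Reserved, Fragment Offset(13) | Res(2) | M(1), Identification
            frag_field, ident = struct.unpack("!HI", packet[offset + 2:offset + 8])
            fragment = {"offset": frag_field >> 3, "more": bool(frag_field & 1), "id": ident}
            hdr_len = 8
        else:
            hdr_len = (ext_len + 1) * 8          # Hdr Ext Len excludes the first 8 octets
        if offset + hdr_len > len(packet):
            raise ValueError("extension header runs past end of packet")
        chain.append(next_hdr)
        next_hdr, offset = nh, offset + hdr_len
    return {"payload_len": payload_len, "hop_limit": hop_limit, "chain": chain,
            "upper_layer": next_hdr, "upper_offset": offset, "fragment": fragment}


def build_sample() -> bytes:
    """IPv6 | Hop-by-Hop (8 bytes, one PadN option) | Fragment (8 bytes) | ICMPv6 echo."""
    icmp = bytes([128, 0, 0, 0, 0, 1, 0, 1])                   # echo request; checksum left zero
    frag = struct.pack("!BBHI", 58, 0, (0 << 3) | 1, 0xDEADBEEF)  # next=58 (ICMPv6), offset 0, M=1
    hbh = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])                 # next=44, len 0, PadN(4)
    payload = hbh + frag + icmp
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), HOP_BY_HOP, 64)
    src = bytes.fromhex("20010db8000000000000000000000001")     # constructed addresses
    dst = bytes.fromhex("20010db8000000000000000000000002")
    return hdr + src + dst + payload


if __name__ == "__main__":
    print(parse_ipv6(build_sample()))
```

The first 40 bytes say only "next header 0"; the ICMPv6 type is found at byte 56 after two more headers, which is the cost of the flexibility the text praises and the reason hardware and filters put a cap on the chain length.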
Chapter 3
IPv6 Addresses
This chapter introduces the key feature of IPv6, which is an address that scales to the Internet requirements of 2012 until we all die!
Topics
1. Introduction
2. What does 128 bit represent?
3. All types of IPv6 Addresses:
   1. Unicast
      1. Unique Local Unicast
      2. Global Unicast Addresses
      3. Special Addresses
   2. Multicast
   3. Anycast
1 IPv6 Addresses
1.1 Introduction
IPv6 not only makes addresses longer, but also makes better use of addresses and of how they are managed. For instance, if you have a small LAN without any routers, the workstations will be able to pick an address automatically, which will only be valid on this LAN (Link-local) and will permit the Node to be automatically configured with a local address. Then if a router comes up, new prefixes will be advertised by the router, and the Workstation will automatically configure addresses derived from these prefixes. The most important things are:
There is no more Broadcast, only Multicast!
Link-Local addresses are only valid on the link where they are configured. This leads to the concept of Zone. A Link-local address belongs to a zone with its own routing table.
Anycast Addresses, which address the nearest instance of a Service. This already existed in IPv4, but now it is fully managed.
Routers are discovered Automatically.
ARP has been dramatically improved in the Neighbor Discovery protocol. There is no longer just a Timeout for the MAC to IP Address cache: the Neighbors are managed in the cache by a Finite State Machine. Useless entries of dead neighbors are cleared. When a Timer expires, a few probes are sent to the neighbor (about 35 seconds with the defaults).
The concept of zone is also important in IPv6. For the moment it mostly applies to Multicast and Link-local Addresses, but it could be used to create VPNs. Still, each zone has its own Routing Table (please see RFC4007 "Scoped Zone Architecture" for more details).
See RFC4291 for the IPv6 Address Architecture.
1.2 What does 128 bit represent?
We could assign an IPv6 address to EVERY ATOM ON THE SURFACE OF THE EARTH, and still have enough addresses left to do another 100+ earths.
It isn't remotely likely that we'll run out of IPv6 addresses at any time in the future!
So we must change the way we design networks and stop trying to save IP Addresses!
We must give large blocks when needed: in IPv6, wasting addresses means failing to use the huge amount of available addresses to build scalable Networks, not spending a few extra bits of Address! Wasting Addresses does not mean the same thing in IPv6 as in IPv4!
1.3 How to write an IPv6 Address?
The 128 bit Address is written as eight 16 bit groups written in hexadecimal and separated by a colon :.
Leading zeros in a group can be omitted. You can write:
2001:db8:1:459d:f123:98ab:d0:e1
instead of:
2001:0db8:0001:459d:f123:98ab:00d0:00e1.
Once in the address you can replace a run of zero groups with a double colon ::
You can write:
2001:db8::1
instead of:
2001:db8:0:0:0:0:0:1
1.3.1 The IPv6 Addresses are:
Unicast: One to One
   Global Unicast Addresses (Public)
   Unique Local Addresses (Private)
   Link-Local Address
   Special addresses: loopback, unspecified, IPv4 Mapped
Anycast: One to Any
Multicast: One to Many
1.4 Iv6 Un|cast Addresses
1.4.1 G|oba| Un|cast Addresses (ub||c)
The Global Unicast Addresses are similar to the Public IPv4 addresses and are routable in the IPv6
Internet.
Global Routing Prefix SLA Interface ID
Provider . 48 bits Site . 16 bits Host. 64 bits
Global Unicast Address
In the Internet, 2000::/3 (binary 0010) is reserved by IANA for Global Unicast Addresses. The Global
Routing Prefix contains the IANA prefix for Global Unicast Addresses, a prefix which identifies the
Regional Internet Registry (RIPE in Europe for instance) and eventually another prefix which identifies
the ISP. You will find more details in the IANA registries below and in RFC4291 for the IPv6 Address
Architecture:
http://www.iana.org/assignments/ipv6-unicast-address-assignments/ipv6-unicast-address-assignments.xml
http://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xml
IPv6 addresses are made of 128 bits, but we still find the same 3 parts that we have in an IPv4
Address:
[Figure: IPv6 Unicast Address: 001 (3 bits) | ARIN (9 bits) | RIR or ISP (36 bits) | Subnet ID (16 bits) | Interface ID (Host, 64 bits)]
1.4.1.1 Global Routing Prefix
The Global Routing Prefix is the ISP Customer Prefix used to route the packet to the customer. This Prefix
itself is built of a common prefix for all the Global Unicast Addresses, 0010 or 2000::/3, then a prefix
matching a Regional Internet Registry (RIR), and then the part of the Address which addresses the
customer. The most common assignment is a /48 Prefix for each site. This may seem overkill, but we do
not waste addresses if we use them. We waste them if we don't!
2001:db8::/16 is reserved for documentation and labs!
1.4.1.2 The Subnet bits
These bits can be used by the customer to address many subnets for each site. With our IPv4 reflexes
we may feel that a /48 prefix for each site is a waste of Addresses, but it is actually the other way
around: we have so many addresses available that we would waste them by trying to save them instead
of using them generously to maximize the scalability of the addressing and let the sites grow easily.
1.4.1.3 The Interface ID
The Interface ID is similar to the IPv4 Host Address. It is used to identify the Host itself.
1.4.1.3.1 EUI-64 or Modified EUI-64
This address is generally derived from the 48-bit Interface MAC Address: 0xFFFE is inserted in the
middle of the MAC address to make a 64-bit address:
[Figure: EUI-64 Address: MAC 00 90 59 02 E0 F9 becomes 00 90 59 FF FE 02 E0 F9; the first octet has the form 000000X0, X being the U/L bit]
In this example, the MAC Address is 00-90-59-02-E0-F9.
The EUI-64 Address will be: 90:59ff:fe02:e0f9
And the Modified EUI-64 Address will be: 290:59ff:fe02:e0f9
For the Modified EUI-64 address X=1, which means that the address is a Locally Administratively
Managed Address.
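As an added example (not the book's own code), the EUI-64 derivation above in Python, run on the book's MAC 00-90-59-02-E0-F9; the reverse function shows why a MAC-derived Interface ID lets a laptop be tracked, which is what the next section addresses. The /64 prefix 2001:db8:1::/64 is a constructed sample.

```python
import ipaddress
from typing import Optional


def eui64_from_mac(mac: str) -> bytes:
    """EUI-64: the 48-bit MAC split in two, with 0xFFFE inserted in the middle."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return octets[:3] + b"\xff\xfe" + octets[3:]


def modified_eui64(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291): EUI-64 with the U/L bit (0x02 of the first octet) flipped."""
    iid = bytearray(eui64_from_mac(mac))
    iid[0] ^= 0x02
    return bytes(iid)


def iid_text(iid: bytes) -> str:
    """Write the 8 bytes as four hextets with leading zeros dropped, as the book does."""
    return ":".join(f"{int.from_bytes(iid[i:i + 2], 'big'):x}" for i in range(0, 8, 2))


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the Modified EUI-64 of the MAC (what SLAAC does by default)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(modified_eui64(mac), "big"))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from an EUI-64-derived address; None if the Interface ID is not MAC-derived.
    This is the tracking problem: the same 64 bits follow the laptop onto every network."""
    iid = bytearray((int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big"))
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the U/L bit flip
    return "-".join(f"{b:02X}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    mac = "00-90-59-02-E0-F9"  # the book's example MAC
    print("EUI-64:         ", iid_text(eui64_from_mac(mac)))
    print("Modified EUI-64:", iid_text(modified_eui64(mac)))
    print("SLAAC address:  ", slaac_address("2001:db8:1::/64", mac))  # constructed prefix
    print("MAC recovered:  ", mac_from_address(str(slaac_address("2001:db8:1::/64", mac))))
```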
1.4.1.3.2 Temporary Random Prefix (RFC4941)
As NAT is no longer used and the Interface ID of a laptop may never change, a user may be tracked by
its address. To avoid this problem it is possible to use a Random Temporary Interface ID and
change it every day!
This is configurable on all the available platforms (Windows, MAC OS, Linux).
1.4.1.3.3 Manually Configured
On Routers or some servers, it may be better to assign static addresses instead of an EUI-64 or Random
Interface ID.
For instance, in a Datacenter your router HSRPv6 Group could be 2001:db8:a01::1 and you may
configure a static default route on all your Servers.
This way you make sure that your system will not waste any time or receive any Rogue information!
[Slide: IPv6 Global Unicast Address Format (RFC 3587). Initial Format: IETF assigned 001 for Global Unicast; 2620::/12 assigned to the American Registry for Internet Numbers. Current fields: Global Routing Prefix | Subnet ID | Interface ID (64 bits). Earlier RFC 2374 Aggregatable Global Unicast Address Structure: FP | TLA ID | RES | NLA ID | SLA ID | Interface ID. Frédéric Bovy - October 2011 - 37]
1.4.2 Unique Local Addresses (Private, RFC4193)
The ULA are Private Unicast Addresses not routable on the Internet.
[Figure: Unique Local Address: prefix 1111 1100 (FC00::/7) or 1111 1101 (FD00::/8) | Global ID (40 bits) | Subnet ID | Interface ID]
The big benefit of ULA over RFC1918 in IPv4 is that you have 40 bits to make your Prefix Unique.
So if one day you need to merge two Private Networks using ULA Addresses, you may not have
to renumber your Network.
Actually there are two kinds of ULA, the Locally Managed and the Centrally Managed. If you make a
Reservation and use the Centrally Managed Addresses, there is absolutely no risk of finding a
duplicate subnet. With Locally Managed, the risk exists.
You can make a reservation at this URL:
http://www.sixxs.net/tools/grh/ula/
At the beginning of IPv6, there was no ULA but a prefix for site-local addresses: fec0::/10. But with this
approach we had the same problem as with RFC1918 IPv4 Addresses, so this prefix is no longer
reserved for Site-Local Addresses, which are deprecated and replaced by ULA.
To access the Internet from a ULA Address you may need Proxies. For instance, if your internal
Servers only need http or ftp access to the Internet for SW Updates at night, ULA + Proxy may be the
right approach.
1.4.3 Link-local Addresses
Link-local Addresses are the only mandatory Addresses for each interface. When an IPv6 interface
comes up, the first step is to validate that its Link-local address is unique (Valid). If not, the IPv6
Interface is disabled. The interface could be used for other protocols but not IPv6!
IPv6 Link-local addresses are only valid on the interface where they are configured. If you have many
interfaces on a host or a router, it is no problem to use the same address on all the interfaces.
They all start with the prefix fe80::/10.
[Figure: Link-local Address (128 bits): 1111 1010 (FE80::/10) | all 0 | Interface ID (64 bits)]
When you are using a Link-local address in a command, you must specify the Outgoing interface by
its name or its index, with the % sign in between, like:
fe80::34f:a011:2:d78%FastEthernet1 on a Cisco Router or
fe80::34f:a011:2:d78%15 on Microsoft Windows, where 15 is the interface index.
In IPv4 it is similar to the 169.254.0.0/16 address (RFC 3927).
All the Next Hops, except those of recursive static routes and BGP routes, use a Link-local address.
1.4.4 Spec|a| Addresses
!":":"! J3-L,G5@,* R**+,-- 5- SSTU
The Unspecified is only used as a source address when a node is booting, and it is verifying its Link-
local Address.
A router MUST NOT route a packet with an unspecified source address.
1.4.4.2 Loopback Address is ::1
The loopback address is a Link-local address to the node itself. It must not be assigned to any
physical interface. It is similar to the IPv4 127.0.0.1 address.
1.4.4.3 IPv4 Mapped Address
This is used when you need to code an IPv4 address in the IPv6 format. For instance with 6PE or
6VPE, the destination IPv6 Address will have the Egress PE IPv4 Loopback interface. It is illegal
for BGP to advertise a destination with a next hop of another Address Family, so the Next Hop is
coded as an IPv4 Mapped Address.
You get 80 bits set to 0, then 16 bits set to ffff and then the 32 bits of your IPv4 address:
0:0:0:0:0:ffff:<32 bits IPv4 Address>
If the next hop was 192.9.0.1, it would be coded:
::ffff:192.9.0.1 or
::ffff:c009:1
1.4.4.4 Encapsulation of IPv6 in Ethernet
The Ethernet type for the IPv6 Protocol is 0x86dd.
[Figure: IPv6 in Ethernet: Destination Ethernet Address | Source Ethernet Address | Type 0x86DD | IPv6 Header and payload]
1.5 IPv6 Anycast Addresses
This is a one to any addressing.
Anycast Addresses are like duplicated Unicast Addresses. The goal is to find the nearest server
implementing a function.
Anycast already existed in IPv4 for the DNS Root Servers: we have only 13 addresses, which
represent more than 200 physical servers.
In IPv4 it was also used by Anycast RP to find the nearest RP in a redundant RP design, using MSDP
to make the RPs communicate with each other.
These addresses do not have any reserved prefix, so you cannot tell an Anycast Address from
a Unicast one.
1.6 IPv6 Multicast Addresses
This is a one to many addressing.
There is no Broadcast in IPv6, only Multicast. But you have an address for all IPv6 nodes (ff02::1), as in
IPv4 there is an address for all IPv4 nodes (224.0.0.1). The prefix ff02:: is reserved just like 224.0.0.x in IPv4.
Multicast Addresses are used like in IPv4, when a source needs to send a packet to a Group of
Receivers.
The Flags are used for the Embedded RP Address. This is new in IPv6 and
allows the RP Address to be embedded in the Group Address. We will study
the Flags when we cover Multicast in detail.
The Scope is also new in IPv6 and allows setting the Scope of the Multicast Group:
1 is Node-local
2 is Link-local scope. Example: ff02::1
4 is Admin-local
5 is Site-local
8 is Organization-local
E is a Global Group
Example:
ff02::1:2 All DHCP Servers and Relay. Link-local Scope
ff05::1:3 All DHCP Servers. Site-local Scope (used by Relays)
ff02::2 All IPv6 Routers. Link-local Scope
ff02::5 All IPv6 OSPFv3 Routers. Link-local Scope
ff02::6 All IPv6 OSPFv3 DR Routers. Link-local Scope
ff02::9 All IPv6 RIPng Routers. Link-local Scope
ff02::A All IPv6 EIGRP Routers. Link-local Scope
Only the Link-local Scope is automatically filtered and not forwarded by Routers. All the other Scopes
must be enforced with ACLs.
For each unicast or anycast address configured, the IPv6 node automatically configures a derived
Solicited-Node Multicast Address. This address is built from a common Multicast Prefix and
the last 24 bits of the Unicast Address.
Example:
Unicast Address
2001:DB8:DC28::FC57:D4C8:1FFF
Solicited Node Multicast Prefix
FF02:0:0:0:0:1:FF
Solicited-node multicast address
FF02:0:0:0:0:1:FFC8:1FFF
[Figure: the solicited-node multicast address derived from the unicast address (128 bits): Prefix FF02:0:0:0:0:1:FF | low 24 bits of the Interface Identifier]
1.7 IPv6 Address Plan Example
2001:db8:abcd::/48 has been assigned for the USA offices of this company.
Each Regional largest office aggregates the traffic for the area as a /52 route. In the address
2001:db8:abcd:9000::/52, 9 identifies the West Coast.
Each office has a /56 prefix. In the address 2001:db8:abcd:9100::/56, 91 identifies San Francisco Of-
fice.
Then 2001:db8:abcd:9101::/64 may be the first LAN in SF.
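The plan above carved with Python's ipaddress module, as an added example (not from the book): each level sits on a nibble boundary, and the last function checks that all the LANs of an office collapse back into its /56, which is what makes the plan aggregate.

```python
import ipaddress
from typing import List

# The book's assignment for the USA offices
COMPANY = ipaddress.IPv6Network("2001:db8:abcd::/48")


def child(parent: ipaddress.IPv6Network, new_prefixlen: int, index: int) -> ipaddress.IPv6Network:
    """Return the index-th subnet of length new_prefixlen inside parent."""
    if new_prefixlen <= parent.prefixlen or new_prefixlen > 128:
        raise ValueError("child prefix must be longer than the parent")
    if not 0 <= index < (1 << (new_prefixlen - parent.prefixlen)):
        raise ValueError("index out of range for this prefix length")
    start = int(parent.network_address) + (index << (128 - new_prefixlen))
    return ipaddress.IPv6Network((start, new_prefixlen))


def region(region_id: int) -> ipaddress.IPv6Network:
    """/52 per region: one hex digit, 9 = West Coast in the book."""
    return child(COMPANY, 52, region_id)


def office(region_id: int, office_id: int) -> ipaddress.IPv6Network:
    """/56 per office inside the region: 91 = San Francisco."""
    return child(region(region_id), 56, office_id)


def lan(region_id: int, office_id: int, lan_id: int) -> ipaddress.IPv6Network:
    """/64 per LAN inside the office: 9101 = first LAN in SF."""
    return child(office(region_id, office_id), 64, lan_id)


def lans_of_office(region_id: int, office_id: int) -> List[ipaddress.IPv6Network]:
    """All /64s an office can hand out (256 for a /56)."""
    return list(office(region_id, office_id).subnets(new_prefix=64))


def aggregates_cleanly(region_id: int, office_id: int) -> bool:
    """True when the office's LANs summarize back into exactly its /56, i.e. one route per office."""
    summary = list(ipaddress.collapse_addresses(lans_of_office(region_id, office_id)))
    return summary == [office(region_id, office_id)]


if __name__ == "__main__":
    print("West Coast    ", region(9))
    print("San Francisco ", office(9, 1))
    print("First SF LAN  ", lan(9, 1, 1))
    print("SF LAN count  ", len(lans_of_office(9, 1)), "aggregates:", aggregates_cleanly(9, 1))
```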
1.8 The Multihoming Issue
1.8.1 IPv6 Addressing Hierarchy
[Figure: IPv6 Addressing Aggregation: IANA 2000::/3; RIR1 21ae::/8 with ISP1 21ae:db8::/32 (Cust1 21ae:db8:1::/48) and ISP2 21ae:db9::/32 (Cust2 21ae:db9:1::/48); RIR2 2001::/8 with ISP3 2001:db8::/32 (Cust3 2001:db8:1::/48, Cust4 2001:db8:2::/48)]
Having an address 4 times bigger, the IPv6 designers didn't want to need 4 times more memory! So
they designed a model to maximize Aggregation.
IANA has allocated the block 2000::/3 for Global Unicast Addresses. Then in your address you will
have a Prefix which identifies each Regional Internet Registry: RIPE-NCC, ARIN, APNIC, AfriNIC,
LACNIC. And a Prefix for each SP.
The end user does not own a Prefix, and if he changes SP, he will have to renumber his Network
with a new Prefix.
The goal is to maximize route Aggregation, allowing each SP to summarize all its clients with one or a
few Prefixes. This is what we call Provider Assigned (PA) Prefixes.
[Figure: Internet Admin hierarchy: IANA -> Regional Internet Registries (ARIN, APNIC, RIPE NCC) -> National Internet Registries -> ISP / Local Internet Registries -> End Users (an end user may itself be an ISP). See http://www.ripe.net/ripe/docs/ripe-512]
1.8.2 Multihoming Issue and solutions
This works very well as long as a customer does not want to use more than one SP, for Redundancy
or other reasons like the best price in different regions of the world for instance.
In this case, the customer will have to deal with multiple Prefixes. This is not a problem in itself, as any
IPv6 interface can be configured with multiple Prefixes.
The problem is for resiliency and load-balancing.
There is a Flash animation in my Free On-Line Tutorial Fundamentals #2.
[Figure: Provider Assigned Addresses: ISP1 (2001:db8::/32) assigns 2001:db8:1::/48 and ISP2 (2001:db9::/32) assigns 2001:db9:100::/48; the customer network carries both prefixes]
1.8.3 Provider Independent Addresses
The best solution, which may be expensive in some regions, is the Provider Independent (PI) Prefixes.
They have been available since 2009, and we can see that the number of IPv6 prefixes has started to
increase tremendously since this date. First, because there was no solution to this problem before, and
then because we cannot Aggregate the PI Prefix: it punches a hole in the summary address of each SP,
as it does not fall into one of its summaries and must be advertised independently.
[Figure: PA multihoming, with ISP1 2001:db8:1::/48 (host 2001:db8:1:99:42:345F:1:1/64) and ISP2 2001:db9:100::/48 (host 2001:db9:100:99:42:345F:1:1/64): a session is started over the better route from ISP2]
In this case your RIR will allocate a Prefix to the end-user, who is authorized to advertise its own prefix
to multiple SPs. Below is an example. 2001:678:e01::/48 has been assigned to this company and the
same prefix is advertised to SP ACME and ABC! So each of these SPs will have to advertise this Prefix
in the IPv6 Internet, as it does not fall under the summaries of each SP.
It is seen as a short term solution, as a long term solution should permit maximum aggregation and
must be managed by Hosts or Routers.
[Figure: PA multihoming, continued: when the destination through ISP2 (2001:db9:100::/48) is no longer reachable, the session fails and a new session must be started from the ISP1 address (2001:db8:1::/48)]
[Figure: Provider Independent addressing example: 2001:678:e01::/48 is advertised to both ISP ACME and ISP ABC; Campus 1, Campus 2 and Campus 3 backbone routers each aggregate /52 prefixes (for instance 2001:678:e01:3000::/52 for Campus 3, 2001:678:e01:3100::/52 and 2001:678:e01:3200::/52 for its buildings), with 255 user /64 LANs per Building]
1.8.4 Other Solutions
There are some host based and router based solutions to solve this problem without losing the
maximum Aggregation of the PA Prefixes. Some solutions are host based, like shim6 or HIP, which also
manage Mobility, and some others are managed by the routers, like LISP.
"The basic idea behind the Loc/ID split is that the current Internet routing and addressing architecture
combines two functions: Routing Locators (RLOCs), which describe how a device is attached to the
network, and Endpoint Identifiers (EIDs), which define 'who'
the device is, in a single numbering space, the IP address. Proponents of the Loc/ID split argue that
this "overloading" of functions makes it virtually impossible to build an efficient routing system without
forcing unacceptable constraints on end-system use of addresses. Splitting these functions apart by
using different numbering spaces for EIDs and RLOCs yields several advantages, including improved
scalability of the routing system through greater aggregation of RLOCs. To achieve this aggregation,
we must allocate RLOCs in a way that is congruent with the topology of the network ("Rekhter's Law").
Today's 'provider-allocated' IP address space is an example of such an allocation scheme. EIDs, on
the other hand, are typically allocated along organizational boundaries. Because the network topology
and organizational hierarchies are rarely congruent, it is difficult (if not impossible) to make a single
numbering space efficiently serve both purposes without imposing unacceptable constraints (such as
requiring renumbering upon provider changes) on the use of that space.
LISP, as a specific instance of the Loc/ID split, aims to decouple location and identity. This decoupling
will facilitate improved aggregation of the RLOC space, implement persistent identity in the EID space,
and, in some cases, increase the security and efficiency of network mobility."
http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_11-1/111_lisp.html
Chapter 4
IPv6 Header
To summarize the IPv6 Header we could say: longer addresses and a simple, efficient, versatile,
flexible, powerful Network Layer! The daisy chained IPv6 Extension header is a major step for
any application in the future! Mobile IPv6 is the first example of this power!
Topics
1. IPv6 versus IPv4 headers
2. Path MTU discovery
3. Extension Headers
4. Encapsulations of Packets in Layer 2
Section 1
IPv6 Header
1.1 IPv6 vs IPv4 Headers
No more Fragmentation fields (Fragment ID, Fragment Offset, Flags). Fragmentation is no
longer performed by Routers but only by the source of the Traffic, and an Extension Header is
used to carry the Fragmentation information.
No more Header Checksum, as it was redundant with the Link Layer and Transport Checksums.
Other fields have been renamed with more explicit names, like Hop Limit instead of TTL.
The Traffic Class is used instead of ToS/Precedence but still transports a DSCP for QoS.
IPv6 Addresses are 4 times larger.
The Protocol field is replaced with a Next Header, as now the Headers can be daisy
chained to add several options to a packet!
A new field, pretty much unused so far: the Flow Label. It should be used to identify a flow together with
the Source and Destination Addresses. It is not used for two reasons:
There is no common agreement to use it in a standard way.
People are scared that a non-default Flow Label (anything other than 0) would give attackers information
about the sensitive traffic!
The data are aligned on 64 bits for better memory access.
1.2 Path MTU Discovery
Fragmentation is expensive as it consumes resources on the Router or the Host which fragments the
packet, and it also consumes resources on the destination host which reassembles the packets.
Some Firewall or NAT devices do the reassembly as they need the information contained in the first
fragment, like the Port numbers.
Fragmentation also makes a DoS Attack very easy to initiate: a station sending traffic requiring a lot of
Fragmentation or Reassembly can overwhelm the CPU of the target station!
So Fragmentation is already systematically avoided in IPv4 for all TCP Traffic with a protocol called
Path MTU Discovery!
An IPv6 router is not allowed to fragment a packet, only the source of a connection can, including a
router if it is the head-end of a tunnel and it encapsulates IPv6 in IPv6, but this is a special case.
The principle is that the station starts sending at the maximum MTU, and every time a Router cannot
route the packet because of the MTU, it drops the packet rather than fragmenting it and sends an ICMP
Report providing the next Link MTU. The source sends the next packet at this MTU, and the operation
may eventually be repeated.
MINIMUM MTU FOR IPv6 IS 1280 BYTES
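A simulation of the exchange just described, as an added example (not from the book): a source sends at its link MTU along a constructed path, each router that cannot forward drops the packet and reports its link MTU, and the source only accepts reports that lower its estimate and never goes below 1280.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPV6_MIN_MTU = 1280  # every IPv6 link must carry at least this


@dataclass
class Link:
    router: str
    mtu: int


@dataclass
class PacketTooBig:
    reporter: str
    mtu: int  # next-hop link MTU as reported by the router


def forward(path: List[Link], size: int) -> Optional[PacketTooBig]:
    """Routers never fragment: the first link too small for the packet drops it and reports its MTU."""
    for link in path:
        if size > link.mtu:
            return PacketTooBig(link.router, link.mtu)
    return None  # delivered


def accept_ptb(current_pmtu: int, report: PacketTooBig) -> int:
    """What a source should do with a Packet Too Big. A report that does not lower the PMTU
    (stale, replayed or forged) is ignored, and a report below 1280 is clamped to 1280."""
    if report.mtu >= current_pmtu:
        return current_pmtu
    return max(report.mtu, IPV6_MIN_MTU)


def discover_pmtu(path: List[Link], source_mtu: int, max_rounds: int = 16) -> Tuple[int, List[str]]:
    """Start at the source link MTU, shrink on each report, stop once a packet gets through."""
    pmtu, log = source_mtu, []
    for _ in range(max_rounds):
        report = forward(path, pmtu)
        if report is None:
            log.append(f"{pmtu} bytes delivered")
            return pmtu, log
        log.append(f"{pmtu} bytes dropped by {report.reporter}, Packet Too Big says MTU {report.mtu}")
        new_pmtu = accept_ptb(pmtu, report)
        if new_pmtu == pmtu:  # a link below 1280 or a bogus report: nothing more to try
            raise RuntimeError(f"cannot make progress at {pmtu}: {log[-1]}")
        pmtu = new_pmtu
    raise RuntimeError("PMTU discovery did not converge")


# Constructed path: Ethernet, then a tunnel hop with 24 bytes of overhead, then a minimum-MTU link
SAMPLE_PATH = [Link("R1", 1500), Link("R2", 1476), Link("R3", 1280)]

if __name__ == "__main__":
    size, log = discover_pmtu(SAMPLE_PATH, 1500)
    print("\n".join(log))
    print("PMTU:", size)
```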
1.3 Extension Headers
The biggest improvement which really gives IPv6 more Flexibility and Versatility is the use of daisy
chained Extension Headers. Now, it becomes possible to push many headers in an IPv6 packet and,
as these Headers are TLV (Type, Length, Value), you can add a new Extension Header to support a
new Network Layer Application.
The first great example of what we can do will be introduced in a later Module. This is for Mobile IPv6
and the derived applications.
The Extension Headers are the following and SHOULD follow this order:
Hop-by-hop. This Option MUST be checked by each router in the path. In IPv4 we had the
Router Alert to do the same, and this Router Alert is transported in this Option when needed.
It is used by Multicast (IGMP or PIM), RSVP and other applications.
Router Alert Option
The Router Alert Option (RFC2711) tells the router that it must take a look at the packet. It is
carried in a hop-by-hop option.
Example:
Frame 3836 (90 bytes on wire, 90 bytes captured)
Ethernet II, Src: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c), Dst: IPv6mcast_00:00:00:01
(33:33:00:00:00:01)
Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Source: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
Type: IPv6 (0x86dd)
Internet Protocol Version 6
0110 .... = Version: 6
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 36
Next header: IPv6 hop-by-hop option (0x00)
Hop limit: 1
Source: fe80::c800:6ff:fea9:1c (fe80::c800:6ff:fea9:1c)
Destination: ff02::1 (ff02::1)
Hop-by-Hop Option
Next header: ICMPv6 (0x3a)
Length: 0 (8 bytes)
Router alert: MLD (4 bytes)
PadN: 2 bytes
Internet Control Message Protocol v6
Type: 130 (Multicast listener query)
Code: 0
Checksum: 0x88d1 [correct]
Maximum response delay[ms]: 10000
Multicast Address: ::
S Flag: OFF
Robustness: 2
QQI: 125
Destination options. This Option is only checked by the Destination of the packet. Mobile
IPv6 uses this Option.
If a routing header is present, a Destination Options header placed before it applies to each intermediary
router listed in the routing header. If there is no routing header, it is only for the final destination.
Example:
Frame 609 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c), Dst: ca:01:06:a9:00:1c
(ca:01:06:a9:00:1c)
Internet Protocol Version 6
0110 .... = Version: 6
.... 1010 0000 .... .... .... .... .... = Traffic class: 0x000000a0
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 60
Next header: IPv6 hop-by-hop option (0x00)
Hop limit: 64
Source: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
Destination: 2001:db8:c0a8:b:c801:6ff:fea9:1c
(2001:db8:c0a8:b:c801:6ff:fea9:1c)
Hop-by-Hop Option
Next header: IPv6 destination option (0x3c)
Length: 0 (8 bytes)
PadN: 6 bytes
Destination Option
Next header: UDP (0x11)
Length: 0 (8 bytes)
PadN: 6 bytes
User Datagram Protocol, Src Port: 57768 (57768), Dst Port: echo (7)
Echo
Routing Header. 3 Types. Type 0 and 1 are now deprecated and should not be used anymore, too
dangerous. Type 2 is still used by Mobile IPv6.
o Type 0. There is a list of addresses in the header, and the packet must go through
each of the routers listed. There is a pointer for the router to know where in the list we
are. The destination IP address of the IP packet is the next hop of the source routing
header. This was not the case in IPv4, where the IP source and destination IP
addresses were not modified by source routing. It has been deprecated since RFC5095.
o Type 1 has been deprecated for a long time.
o Type 2 is used by Mobile IPv6. It is used to specify the home address of the mobile
node. Only one hop!
Example of a capture. Note that the addresses used are the deprecated site-local addresses:
Frame:
+ Ethernet: Etype = IPv6
- Ipv6: Next Protocol = ICMPv6, Payload Length = 64
+ Versions: IPv6, Internet Protocol, DSCP 0
PayloadLength: 64 (0x40)
NextProtocol: IPv6 Routing header, 43(0x2b)
HopLimit: 127 (0x7F)
SourceAddress: FEC0:0:0:2:2B0:D0FF:FEE9:4133
DestinationAddress: FEC0:0:0:2:260:97FF:FE02:578F
- RoutingHeader:
NextHeader: ICMPv6
ExtHdrLen: 2(24 bytes)
RoutingType: 0 (0x0)
SegmentsLeft: 1 (0x1)
Reserved: 0 (0x0)
RouteAddress: FEC0:0:0:1:260:8FF:FE32:F9D8
Icmpv6: Echo request, ID = 0x0, Seq = 0x3d1a
o Fragment. If the Source must fragment the packet.
o IPSec Authentication (AH)
o IPSec Authentication and Encryption (ESP)
o Mobility. Used for the signaling of Mobile IPv6.
o Destination option (if routing absent)
o Jumbo Payload option
The Jumbo Payload option allows for larger datagrams than the 65,536 permitted by plain IPv6. With
the Jumbo Payload option, it can be up to 4,294,967,295 octets (RFC2675).
Upper layer
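An added example (not the book's code) that walks the daisy chain from the Next Header field and applies the checks a filtering device would: Hop-by-Hop must come first, and a Routing Header of type 0 is flagged as deprecated. The two packets are constructed here, modelled on the MLD query capture above, with checksums left at zero.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

EXT_HEADERS = {0: "Hop-by-Hop", 43: "Routing", 44: "Fragment", 51: "AH",
               60: "Destination Options", 135: "Mobility"}
UPPER_LAYERS = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}
ROUTER_ALERT = 5  # Hop-by-Hop option type (RFC 2711); value 0 = MLD


def ipv6_packet(next_header: int, src: str, dst: str, payload: bytes, hop_limit: int = 64) -> bytes:
    """Fixed 40-byte header: version 6, traffic class 0, flow label 0, then the payload."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, hop_limit)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload


def parse_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Hop-by-Hop / Destination option TLVs: Pad1 is the single byte 0, others are type, length, value."""
    opts, i = [], 0
    while i < len(data):
        if data[i] == 0:
            opts.append((0, b""))
            i += 1
            continue
        length = data[i + 1]
        opts.append((data[i], data[i + 2:i + 2 + length]))
        i += 2 + length
    return opts


def parse_chain(pkt: bytes) -> Tuple[List[Dict], str, List[str]]:
    """Follow Next Header from the fixed header through every extension header.
    Returns (headers, upper-layer name, findings a filter would act on)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    end, offset = 40 + payload_len, 40
    headers, findings = [], []
    while nh in EXT_HEADERS:
        name = EXT_HEADERS[nh]
        if offset + 8 > end:
            findings.append(f"{name} header truncated")
            break
        if nh == 44:                       # Fragment header is always 8 bytes
            length = 8
        elif nh == 51:                     # AH length is in 4-byte units, minus 2
            length = (pkt[offset + 1] + 2) * 4
        else:                              # others: 8-byte units, not counting the first 8
            length = (pkt[offset + 1] + 1) * 8
        if offset + length > end:
            findings.append(f"{name} header runs past the payload")
            break
        info = {"name": name, "offset": offset, "length": length}
        if nh == 0:
            if offset != 40:
                findings.append("Hop-by-Hop header is not first: it must follow the fixed header directly")
            info["options"] = parse_options(pkt[offset + 2:offset + length])
            for opt_type, value in info["options"]:
                if opt_type == ROUTER_ALERT:
                    info["router_alert"] = int.from_bytes(value, "big")
        elif nh == 43:
            info["type"], info["segments_left"] = pkt[offset + 2], pkt[offset + 3]
            if info["type"] == 0:
                findings.append("Routing Header type 0 (deprecated by RFC 5095): drop")
        headers.append(info)
        nh, offset = pkt[offset], offset + length
    return headers, UPPER_LAYERS.get(nh, str(nh)), findings


# Constructed sample 1, after the MLD query capture above: Hop-by-Hop with Router Alert (MLD) + PadN,
# then a 28-byte MLDv2 General Query (checksum left at zero).
HBH_MLD = bytes([58, 0, ROUTER_ALERT, 2, 0, 0, 1, 0])
MLD_QUERY = bytes([130, 0, 0, 0, 0x27, 0x10, 0, 0]) + bytes(16) + bytes([2, 125, 0, 0])
SAMPLE_MLD = ipv6_packet(0, "fe80::c800:6ff:fea9:1c", "ff02::1", HBH_MLD + MLD_QUERY, hop_limit=1)

# Constructed sample 2: a Routing Header type 0 with one address, followed by an Echo Request.
RH0 = bytes([58, 2, 0, 1, 0, 0, 0, 0]) + ipaddress.IPv6Address("2001:db8::1").packed
SAMPLE_RH0 = ipv6_packet(43, "2001:db8::a", "2001:db8::b", RH0 + bytes([128, 0, 0, 0, 0, 0, 0, 0]))

if __name__ == "__main__":
    for pkt in (SAMPLE_MLD, SAMPLE_RH0):
        print(parse_chain(pkt))
```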
1.4 MAC Encapsulation of IPv6 Packets
[Figure: Ethernet Protocol Encapsulation: Destination Ethernet Address | Source Ethernet Address | Type 0x86DD | IPv6 Datagram]
Protocol: 0x86dd
In IPv4 it was 0x800, and 0x806 for ARP.
1.4.1 Multicast MAC Address Mapping
[Figure: IPv6 Multicast Address FF02:0:0:0:0:1:FF90:FE53 (128 bits) maps to the MAC Address 33:33:FF:90:FE:53 (48 bits): 33:33 followed by the low 32 bits of the IPv6 address]
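As an added example (not the book's code) covering both the Solicited-Node address of section 1.6 and the mapping above: Python that derives the solicited-node group of a unicast address, maps any IPv6 multicast group to its 33:33 MAC, and lists the MACs an interface must receive to answer Neighbor Discovery, using the book's own sample addresses.

```python
import ipaddress
from typing import Iterable, Set

SOLICITED_NODE_PREFIX = ipaddress.IPv6Network("ff02::1:ff00:0/104")  # FF02:0:0:0:0:1:FF00::/104


def solicited_node(addr: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, xx:xxxx being the last 24 bits of the unicast or anycast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_PREFIX.network_address) | low24)


def multicast_mac(group: str) -> str:
    """Ethernet MAC for an IPv6 multicast group: 33:33 then the low 32 bits of the group address."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = (int(g) & 0xFFFFFFFF).to_bytes(4, "big")
    return ":".join(f"{b:02X}" for b in (0x33, 0x33, *low32))


def nd_receive_macs(unicast_addrs: Iterable[str], is_router: bool = False) -> Set[str]:
    """MACs a NIC must accept for ND: all-nodes, all-routers when routing, one solicited-node group per address."""
    macs = {multicast_mac("ff02::1")}
    if is_router:
        macs.add(multicast_mac("ff02::2"))
    for a in unicast_addrs:
        macs.add(multicast_mac(str(solicited_node(a))))
    return macs


def share_solicited_node(a: str, b: str) -> bool:
    """Two addresses whose last 24 bits match share a group and a MAC: each host then also receives
    (and must filter by target) the other's Neighbor Solicitations."""
    return solicited_node(a) == solicited_node(b)


if __name__ == "__main__":
    print(solicited_node("2001:DB8:DC28::FC57:D4C8:1FFF"))   # book example
    print(multicast_mac("FF02:0:0:0:0:1:FF90:FE53"))          # book example
    print(nd_receive_macs(["fe80::290:59ff:fe02:e0f9", "2001:db8:1:0:290:59ff:fe02:e0f9"]))
```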
Chapter 5
IPv6 ICMP & Neighbor Discovery
IPv6 ICMP is very similar to IPv4, but Neighbor Discovery, which is encapsulated in ICMPv6, brings
many IPv6 key features such as Address Autoconfiguration, Default Router Discovery or simple
functions like an optimized version of ARP!
Topics
1. ICMPv6
1. Introduction
2. Error Messages
3. Echo
4. Options
2. Neighbor Discovery Protocol
1. Introduction
2. ND Packets and Options
3. Neighbor Discovery (ND)
4. Duplicate Address Detection (DAD)
5. Neighbor Unreachability Detection (NUD)
6. Router Discovery (RD)
7. Autoconfig (SLAAC)
Section 1
ICMPv6 & ND
1 IPv6 ICMP
1.1 Introduction
[Figure: ICMPv6 packet: Type | Code | Checksum | Message Body]
ICMPv6 can be used to report problems and to ping a destination.
The Type identifies which kind of packet it is, which problem we want to report, such as a "Destination
Unreachable" or "Echo Request".
The Code gives more details about the problem. Why is the destination unreachable? Is the problem
with the destination address? The port? Is it filtered by an ACL? When ICMP is used to transport other
protocols like "Neighbor Discovery" (next chapter), the code is zero.
ICMPv6 manages much more in IPv6 than its IPv4 counterpart. For instance, Neighbor Discovery and
Multicast Listener Discovery are now part of ICMPv6.
Much ICMP Information is provided in some standard ICMP Options which are Mandatory with some
requests.
1.2 ICMPv6 Error Messages
Error Messages:
Destination Unreachable (Type 1)
Packet Too Big (Type 2)
Time Exceeded (Type 3)
Parameter Problem (Type 4)
1.2.1 ICMPv6 Destination Unreachable (Type 1)
Payload length: 1960
Next header: IPv6 hop-by-hop option (0x00)
Hop limit: 64
Source: 2001:db8::1 (2001:db8::1)
Destination: 2001:db8::2 (2001:db8::2)
Hop-by-Hop Option
Next header: IPv6 destination option (0x3c)
Length: 0 (8 bytes)
PadN: 6 bytes
Destination Option
Next header: UDP (0x11)
Length: 0 (8 bytes)
PadN: 6 bytes
User Datagram Protocol, Src Port: 56486 (56486), Dst Port: echo (7)
Source port: 56486 (56486)
Destination port: echo (7)
Length: 1944
Checksum: 0xa5bd [unchecked, not all data available]
Echo
1.2.2 Packet Too Big (Type 2)
When a datagram is too big to be switched on an interface, an ICMP Packet Too Big message
must be sent back to the sender. The MTU of the outgoing link is provided.
Frame:
+ Ethernet: Etype = IPv6
- Ipv6: Next Protocol = ICMPv6, Payload Length = 1240
+ Versions: IPv6, Internet Protocol, DSCP 0
PayloadLength: 1240 (0x4D8)
NextProtocol: ICMPv6, 58(0x3a)
HopLimit: 64 (0x40)
SourceAddress: FEC0:0:0:F282:201:2FF:FE44:87D1
DestinationAddress: FEC0:0:0:F282:2B0:D0FF:FEE9:4143
- Icmpv6: Packet too big
MessageType: Packet too big, 2(0x2)
- PacketTooBig:
Code: 0 (0x0)
Checksum: 44349 (0xAD3D)
MTU: 1280 (0x500)
- InvokingPacket: Next Protocol = ICMPv6, Payload Length = 1460
+ Versions: IPv6, Internet Protocol, DSCP 0
PayloadLength: 1460 (0x5B4)
NextProtocol: ICMPv6, 58(0x3a)
HopLimit: 63 (0x3F)
SourceAddress: FEC0:0:0:F282:2B:D0FF:FEE9:4143
DestinationAddress: FEC0:0:0:0:fredoc0:0:0:1
1.2.3 Time Exceeded (Type 3)
If Code = 0: Hop Limit Exceeded in Transit.
If Code = 1: Fragment Reassembly Time Exceeded. The receiving station could not reassemble the
original datagram within 60 seconds.
1.2.4 Parameter Problem (Type 4)
Code
0 - Erroneous header field encountered
1 - Unrecognized Next Header type encountered
2 - Unrecognized IPv6 option encountered
1.3 ICMPv6 Informational Messages
1.3.1 ICMPv6 Echo Request (Type 128)
Frame 5219 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c), Dst: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
Destination: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
Source: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
Type: IPv6 (0x86dd)
Internet Protocol Version 6
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 60
Next header: ICMPv6 (0x3a)
Hop limit: 64
Source: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
Destination: 2001:db8:c0a8:b:c801:6ff:fea9:1c
(2001:db8:c0a8:b:c801:6ff:fea9:1c)
Internet Control Message Protocol v6
Type: 128 (Echo request)
Code: 0
Checksum: 0x401b [correct]
ID: 0x062b
Sequence: 0x0002
Data (52 bytes)
1.3.2 Echo Reply (Type 129)
Please note that in IPv6 the packet which triggers the MAC Address resolution is not dropped but
buffered, waiting for the resolution. This could be a potential target for a DoS attack, but you can see
that the ping success rate reached 100% even the first time you ping a destination.
Frame 5220 (114 bytes on wire, 114 bytes captured)
Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:00:06:a9:00:1c
(ca:00:06:a9:00:1c)
Destination: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
Type: IPv6 (0x86dd)
Internet Protocol Version 6
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 60
Next header: ICMPv6 (0x3a)
Hop limit: 64
Source: 2001:db8:c0a8:b:c801:6ff:fea9:1c (2001:db8:c0a8:b:c801:6ff:fea9:1c)
Destination: 2001:db8:c0a8:b:c800:6ff:fea9:1c
(2001:db8:c0a8:b:c800:6ff:fea9:1c)
Internet Control Message Protocol v6
Type: 129 (Echo reply)
Code: 0
Checksum: 0x3f1b [correct]
ID: 0x062b
Sequence: 0x0002
Data (52 bytes)
R0>ping 2001:DB8:C0A8:B:C801:6FF:FEA9:1C
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:C0A8:B:C801:6FF:FEA9:1C, timeout is 2
seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/19/32 ms
1.4 Other Protocols supported by ICMPv6
ICMPv6 also supports Neighbor Discovery, SEcure Neighbor Discovery (SEND), and MLDv1 and MLDv2
for Multicast.
We are going to study ND in the next paragraph and Multicast later in this book.
This will be an Intro to Multicast for IPv6 only, as I will develop Multicast for IPv6 in another book.
2 Neighbor Discovery Protocol
2.1 Introduction
IPv6 Nodes on the same link use NDP (RFC4861, RFC4862) to discover each other's presence and
link-layer addresses, to find routers, and to maintain reachability information about the paths to active
neighbors. Both hosts and routers use NDP.
Its functions include Neighbor Discovery (ND) and MAC or Layer 2 Address Resolution, Router
Discovery (RD), Address Autoconfiguration, Neighbor Unreachability Detection (NUD), Duplicate
Address Detection (DAD), and Redirection. It is much more sophisticated than ARP was and uses a
Finite State Machine (FSM) to manage its Neighbor Cache.
2.1.1 ND uses the 5 messages (PDUs) and 5 Options.
2.1.1.1 The 5 base PDUs are:
Neighbor Solicitation (NS) / Neighbor Advertisement (NA)
Router Solicitation (RS) / Router Advertisement (RA)
Redirect
2.1.1.2 The 5 Options:
Source Link-Layer Address (SLLA). Option 1
Target Link-Layer Address (TLLA). Option 2
Prefix Information. Option 3
Redirected Header. Option 4
MTU. Option 5
2.2 ND PACKETS AND OPTIONS
2.2.1 ND Packets
2.2.2 Router Solicitation
Sent by a host to get information from local routers.
MAC Layer
Source MAC Address is the NIC address
Destination is the all-routers MAC address 33-33-00-00-00-02
IPv6 Layer
Source is a Link-local or the unspecified IPv6 address
Destination is the Link-local all-routers IPv6 address (ff02::2)
ICMPv6 Layer
Type 133
Code 0
ICMPv6 Checksum
Source Link-Layer Address option
ICMPv6 Option (Source link-layer address)
Type: Source link-layer address (1)
Length: 8
Link-layer address: ca:02:06:a9:00:54
2.2.3 kouter Advernsement
Sent on a regular basis or as an answer to a router solicitation.
Ethernet Layer
Source MAC of the sending NIC
Destination will be 33-33-00-00-00-01 or unicast
IPv6 Layer
Link local source
Destination will be all-nodes: FF02::1 or unicast address of station which has sent the Router Solicita-
tion
Hop Limit 255
ICMPv6 Layer
Router Advertisement
Type 134
Code 0
Checksum ICMPv6
Current Hop Limit
Managed Address Configuration Flag for Stateful DHCPv6.
Other Stateful Configuration Flag for Stateless DHCPv6
Router Lifetime
Retransmission timer
Source Link-Layer Address Option
MTU Option
Prefix Information Options
Advertisement Interval Option
Home Agent Information Option for Mobile IPv6
2.2.4 Neighbor Solicitation
Source Address. Either an address assigned to the interface from which this message is sent or (if
Duplicate Address Detection is in progress) the unspecified address.
Destination Address. Either the solicited-node multicast address corresponding to the target address,
or the target address.
Hop Limit is 255
ICMPv6 Layer
Type 135
Code 0
Target Address
Possible Option:
Source Link-Layer Address Option
Used to ask the link layer address of a neighbor
Frame 5344 (86 bytes on wire, 86 bytes captured)
Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:00:06:a9:00:1c
(ca:00:06:a9:00:1c)
Destination: ca:00:06:a9:00:1c (ca:00:06:a9:00:1c)
Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
Type: IPv6 (0x86dd)
Internet Protocol Version 6
0110 .... = Version: 6
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 32
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source: fe80::c801:6ff:fea9:1c (fe80::c801:6ff:fea9:1c)
Destination: 2001:db8:c0a8:b:c800:6ff:fea9:1c
(2001:db8:c0a8:b:c800:6ff:fea9:1c)
Internet Control Message Protocol v6
Type: 135 (Neighbor solicitation)
Code: 0
Checksum: 0x6230 [correct]
Target: 2001:db8:c0a8:b:c800:6ff:fea9:1c (2001:db8:c0a8:b:c800:6ff:fea9:1c)
ICMPv6 Option (Source link-layer address)
Type: Source link-layer address (1)
Length: 8
Link-layer address: ca:01:06:a9:00:1c
2.2.5 Neighbor Advertisement
They can be solicited or unsolicited.
ICMPv6 Layer
Type 136
Code 0
Router Flag if this is a Router
Solicited flag if this is an answer to a Solicitation
Override Flag if it must override an entry in the cache
Target Address. For solicited advertisements, the Target Address field in the Neighbor Solicitation
message that prompted this advertisement. For an unsolicited advertisement, the address whose
link-layer address has changed. The Target Address MUST NOT be a multicast address.
Possible Option:
Target Link-Layer Address Option
2.2.6 Redirect
Inform a neighbor of a better next hop to reach a particular destination. Redirect messages can be
dangerous and can be ignored by configuration on most platforms (Windows, MAC OS X, Linux).
2.2.7 Neighbor Discovery Options
2.2.7.1 Source Link-Layer Address Option
It is used by Neighbor Solicitation and Router Advertisement.
Frame 56 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: ca:02:06:a9:00:54 (ca:02:06:a9:00:54), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Source: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
Type: IPv6 (0x86dd)
Internet Protocol Version 6
0110 .... = Version: 6
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 64
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
Destination: ff02::1 (ff02::1)
Internet Control Message Protocol v6
Type: 134 (Router advertisement)
Code: 0
Checksum: 0x9040 [correct]
Cur hop limit: 64
Flags: 0x00
Router lifetime: 1800
Reachable time: 0
Retrans timer: 0
ICMPv6 Option (Source link-layer address)
Type: Source link-layer address (1)
Length: 8
Link-layer address: ca:02:06:a9:00:54
ICMPv6 Option (MTU)
Type: MTU (5)
Length: 8
MTU: 1500
ICMPv6 Option (Prefix information)
Type: Prefix information (3)
Length: 32
Prefix length: 64
Flags: 0xc0
Valid lifetime: 2592000
Preferred lifetime: 604800
Prefix: 2001:db8:c0a8:3::
2.2.7.2 Target Link-Layer Address Option
It is used by Neighbor Advertisement and Redirect packets.
Frame 25 (86 bytes on wire, 86 bytes captured)
Ethernet II, Src: ca:01:06:a9:00:54 (ca:01:06:a9:00:54), Dst: ca:02:06:a9:00:54
(ca:02:06:a9:00:54)
Destination: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
Source: ca:01:06:a9:00:54 (ca:01:06:a9:00:54)
Type: IPv6 (0x86dd)
Internet Protocol Version 6
0110 .... = Version: 6
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 32
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source: fe80::c801:6ff:fea9:54 (fe80::c801:6ff:fea9:54)
Destination: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
Internet Control Message Protocol v6
Type: 136 (Neighbor advertisement)
Code: 0
Checksum: 0x5f24 [correct]
Flags: 0xe0000000
Target: fe80::c801:6ff:fea9:54 (fe80::c801:6ff:fea9:54)
ICMPv6 Option (Target link-layer address)
Type: Target link-layer address (2)
Length: 8
Link-layer address: ca:01:06:a9:00:54
2.2.7.3 Prefix Information Option
Can be sent with a Router Advertisement to advertise Prefixes. More than one prefix can be included.
Type. 3
Length. 4.
Prefix Length. 8 bits. Generally 64.
On-Link Flag. 1 bit. If the prefix must be used to derive an address during SLAAC.
Autonomous Flag. 1 bit. If the prefix must be used to derive an address during SLAAC.
Router Address Flag. Defined in RFC 3775 for Mobile IPv6.
Site Prefix Flag.
Valid Lifetime. How long the address derived from this prefix is Valid without any refresh before the address is removed from the interface. A value of ALL ONE bits represents infinity (for Static Addresses).
Preferred Lifetime. If not refreshed and the Preferred Timer expires, the address becomes deprecated and cannot be used to establish a new connection, but the address is still valid for existing connections. A value of ALL ONE bits represents infinity (for Static Addresses).
Frame 56 (118 bytes on wire, 118 bytes captured)
Ethernet II, Src: ca:02:06:a9:00:54 (ca:02:06:a9:00:54), Dst: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Source: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
Type: IPv6 (0x86dd)
Internet Protocol Version 6
0110 .... = Version: 6
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 64
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
Destination: ff02::1 (ff02::1)
Internet Control Message Protocol v6
Type: 134 (Router advertisement)
Code: 0
Checksum: 0x9040 [correct]
Cur hop limit: 64
Flags: 0x00
Router lifetime: 1800
Reachable time: 0
Retrans timer: 0
ICMPv6 Option (Source link-layer address)
Type: Source link-layer address (1)
Length: 8
Link-layer address: ca:02:06:a9:00:54
ICMPv6 Option (MTU)
Type: MTU (5)
Length: 8
MTU: 1500
ICMPv6 Option (Prefix information)
Type: Prefix information (3)
Length: 32
Prefix length: 64
Flags: 0xc0
Valid lifetime: 2592000
Preferred lifetime: 604800
Prefix: 2001:db8:c0a8:3::
2.2.7.4 Redirected Header Option
It is only used in the ND Redirect packet
Frame 92 (214 bytes on wire, 214 bytes captured)
Ethernet II, Src: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c), Dst: ca:02:06:a9:00:1c
(ca:02:06:a9:00:1c)
Destination: ca:02:06:a9:00:1c (ca:02:06:a9:00:1c)
Source: ca:01:06:a9:00:1c (ca:01:06:a9:00:1c)
Type: IPv6 (0x86dd)
Internet Protocol Version 6
0110 .... = Version: 6
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 160
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source: fe80::c801:6ff:fea9:1c (fe80::c801:6ff:fea9:1c)
Destination: 2001:db8:c0a8:b::1 (2001:db8:c0a8:b::1)
Internet Control Message Protocol v6
Type: 137 (Redirect)
Code: 0
Checksum: 0xd231 [correct]
Target: 2001:db8:c0a8:a:c800:6ff:fea9:1c (2001:db8:c0a8:a:c800:6ff:fea9:1c)
Destination: 2001:db8:c0a8:a:c800:6ff:fea9:1c
(2001:db8:c0a8:a:c800:6ff:fea9:1c)
ICMPv6 Option (Target link-layer address)
Type: Target link-layer address (2)
Length: 8
Link-layer address: ca:00:06:a9:00:1c
ICMPv6 Option (Redirected header)
Type: Redirected header (4)
Length: 112
Reserved: 0 (correct)
Redirected packet
Internet Protocol Version 6
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 60
Next header: ICMPv6 (0x3a)
Hop limit: 63
Source: 2001:db8:c0a8:b::1 (2001:db8:c0a8:b::1)
Destination: 2001:db8:c0a8:a:c800:6ff:fea9:1c
(2001:db8:c0a8:a:c800:6ff:fea9:1c)
Internet Control Message Protocol v6
Type: 128 (Echo request)
Code: 0
Checksum: 0xbce7 [correct]
ID: 0x22ef
Sequence: 0x0004
Data (52 bytes)
2.2.7.5 MTU Option
The MTU option is used in the ICMPv6 Packet too big and in the ND Router Advertisement.
Ethernet II, Src: ca:02:06:a9:00:54 (ca:02:06:a9:00:54), Dst: IPv6mcast_00:00:00:01
(33:33:00:00:00:01)
Destination: IPv6mcast_00:00:00:01 (33:33:00:00:00:01)
Source: ca:02:06:a9:00:54 (ca:02:06:a9:00:54)
Type: IPv6 (0x86dd)
Internet Protocol Version 6
0110 .... = Version: 6
.... 1110 0000 .... .... .... .... .... = Traffic class: 0x000000e0
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 64
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source: fe80::c802:6ff:fea9:54 (fe80::c802:6ff:fea9:54)
Destination: ff02::1 (ff02::1)
Internet Control Message Protocol v6
Type: 134 (Router advertisement)
Code: 0
Checksum: 0x9040 [correct]
Cur hop limit: 64
Flags: 0x00
Router lifetime: 1800
Reachable time: 0
Retrans timer: 0
ICMPv6 Option (Source link-layer address)
Type: Source link-layer address (1)
Length: 8
Link-layer address: ca:02:06:a9:00:54
ICMPv6 Option (MTU)
Type: MTU (5)
Length: 8
MTU: 1500
ICMPv6 Option (Prefix information)
Type: Prefix information (3)
Length: 32
Prefix length: 64
Flags: 0xc0
Valid lifetime: 2592000
Preferred lifetime: 604800
Prefix: 2001:db8:c0a8:3::
2.2.7.6 Route Information Option
Sent in Router Advertisements (see RFC 4191).
It is used to give a preference to a router and to advertise routes (a router SHOULD NOT send more than 17 routes). It SHOULD NOT be a default behavior.
Possible Option: Route Information. You can also advertise a more specific route with the Route Information option.
2.2.7.7 DNS Server Option
DNS Server addresses can also be advertised in RA (RFC 5006):
This is a very simple option with Length, Lifetime and the addresses of all the DNS Servers.
So you do not need to setup DHCPv6 Lite to advertise the DNS Server Address!
With Linux it can be advertised by radvd daemon.
2.3 Neighbor Discovery
IPv6 uses ND to manage its Neighbor Cache. This includes resolving the MAC Address of the Neigh-
bor and checking its Reachability (NUD).
Neighbor Discovery uses Neighbor Solicitation (NS) and Neighbor Advertisements (NA).
NS are used to discover the Neighbor MAC Address, to check if our new address is a DUPlicate or to
check if a Neighbor is still Reachable (NUD).
2.3.1 MAC Address Resolution
When a host needs to send a packet to a destination, it verifies if it is a Neighbor. In this case it sends
the packet directly to the Neighbor. There is an algorithm to check if the destination is a Neighbor as
there can be many prefixes on the same cable.
Once this is verified, the host creates an entry with state INCOMPLETE and the IPv6 Address of the
destination in the Neighbor cache and sends a Neighbor Solicitation to its Solicited Node Multicast
Address. The NS contains the MAC Address of the Requester in the SLLA Option to save the reverse
operation (below in Red).
Example of NS/NA between two UBUNTU Hosts
2.3.1.1 Neighbor Solicitation
Internet Protocol Version 6, Src: fe80::f6ca:e5ff:fe44:10ef
(fe80::f6ca:e5ff:fe44:10ef), Dst: ff02::1:ff8c:e4ac (ff02::1:ff8c:e4ac)
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 32
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef)
[Source SA MAC: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)]
Destination: ff02::1:ff8c:e4ac (ff02::1:ff8c:e4ac)
Internet Control Message Protocol v6
Type: Neighbor Solicitation (135)
Code: 0
Checksum: 0xc88d [correct]
Reserved: 00000000
Target Address: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac
ICMPv6 Option (Source link-layer address : f4:ca:e5:44:10:ef)
Type: Source link-layer address (1)
Length: 1 (8 bytes)
Link-layer address: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)
2.3.1.2 Neighbor Advertisement
Internet Protocol Version 6, Src: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac , Dst:
fe80::f6ca:e5ff:fe44:10ef
0110 .... = Version: 6
.... 0000 0000 .... .... .... .... .... = Traffic class: 0x00000000
.... .... .... 0000 0000 0000 0000 0000 = Flowlabel: 0x00000000
Payload length: 32
Next header: ICMPv6 (0x3a)
Hop limit: 255
Source: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac
(2a01:e35:2f26:d340:e:6a75:6c8c:e4ac)
Destination: fe80::f6ca:e5ff:fe44:10ef (fe80::f6ca:e5ff:fe44:10ef)
[Destination SA MAC: FreeboxS_44:10:ef (f4:ca:e5:44:10:ef)]
Internet Control Message Protocol v6
Type: Neighbor Advertisement (136)
Code: 0
Checksum: 0xe1ad [correct]
Flags: 0x60000000
0... .... .... .... .... .... .... .... = Router: Not set
.1.. .... .... .... .... .... .... .... = Solicited: Set
..1. .... .... .... .... .... .... .... = Override: Set
...0 0000 0000 0000 0000 0000 0000 0000 = Reserved: 0
Target Address: 2a01:e35:2f26:d340:e:6a75:6c8c:e4ac
ICMPv6 Option (Target link-layer address : 00:0c:29:30:33:86)
Type: Target link-layer address (2)
Length: 1 (8 bytes)
Link-layer address: Vmware_30:33:86 (00:0c:29:30:33:86)
Please note the Flags in the NA, with a Router bit if we are a Router, a Solicited bit if this is a reply to a solicitation using NS, and the Override bit to enable the replacement of a cache entry! This is why the display of your neighbor cache table tells you if an entry is a Router.
The requester provides its MAC address in the SLLA Option.
The Replier provides its MAC address in the TLLA Option.
Once it has received an answer, it updates the Neighbor MAC Address from the reply and sets the neighbor state to REACHable.
If the Neighbor does not reply, it retries up to MAX_UNICAST_SOLICIT (default: 3) times with a configured interval of RETRANS_TIMER (default: 1 second) between two requests, and if no reply is received, it clears the entry in the Cache.
2.4 Duplicate Address Detection (DAD)
This process is used when an interface is coming up or every time a new address is added on an IPv6 Interface.
Its purpose is to check that the new address is not a Duplicate Address. It is a local process, so the checking is only done on the link where the address is added.
This is a very simple process that just sends a NS to our own Solicited Node Multicast Address to request the MAC Address of our newly configured address.
We expect NO ANSWER.
If somebody does answer, it means that there is another "myself" on the Network and my Address is a DUP.
If we don't receive any NA, we send a NA to claim the Address for ourselves and initialize the address.
We can see the DAD process in the capture at the very beginning, using the unspecified source address ::/0.
DAD Example on a CISCO Router:
ICMPv6-ND: L3 came up on GigabitEthernet0/2
IPv6-Addrmgr-ND: DAD request for 2000:1::1 on GigabitEthernet0/2
ICMPv6-ND: Sending NS for 2000:1::1 on GigabitEthernet0/2
IPv6-Addrmgr-ND: DAD: 2000:1::1 is unique.
ICMPv6-ND: Sending NA for 2000:1::1 on GigabitEthernet0/2
IPv6-Address: Address 2000:1::1/64 is up on GigabitEthernet0/2
DAD ATTACK!
The DAD Process can be the target of a local attacker. The bad guy just listens to all the Neighbor Solicitation messages and replies to all of them as if all addresses were already in use. DAD fails and the interface is disabled for IPv6. You can get a tool which performs a DAD Attack from the THC web site: http://www.thc.org/thc-ipv6/
2.5 Neighbor Unreachability Detection (NUD)
As long as the host communicates with this Neighbor, the Upper Layer will reset the Reachable Timer
so it is never reached and the Neighbor remains in the state REACHable.
If the Upper Layer stops communication with the Neighbor for a time of the Reachable Timer (default:
30 seconds), the entry moves to a STALE state.
Then the host does nothing until a packet is sent to the Neighbor. When a packet is sent to this Neigh-
bor, the entry is moved to the DELAY state (default: 5 seconds) to give some time for the Upper Layer
protocol to check the availability of the Neighbor.
If no positive packet is received, the entry is moved to PROBE and the host starts sending the Unicast
NS to the neighbor (Probe) every Retransmit Interval (default: 1 second). After MAX_UNICAST_SO-
LICIT (default: 3) attempts, the Neighbor is considered as Unreachable and its entry is cleared in the
Cache.
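The Neighbor Cache state machine of 2.3.1 and 2.5, as an added example that is not code from the book: a simulated cache using the default timers quoted above (Reachable Timer 30 s, DELAY 5 s, Retransmit Interval 1 s, MAX_UNICAST_SOLICIT 3), the R/S/O flag handling of 2.2.5, and the solicited-node multicast destination of the NS. Time is passed in explicitly so the whole life of an entry can be replayed offline; the class and method names are assumptions and the sample addresses are taken from the captures above.

```python
import ipaddress

# Defaults quoted in sections 2.3.1 and 2.5 (RFC 4861 names).
REACHABLE_TIME = 30.0          # seconds before REACHABLE decays to STALE
DELAY_FIRST_PROBE_TIME = 5.0   # seconds spent in DELAY before probing
RETRANS_TIMER = 1.0            # seconds between two NS transmissions
MAX_UNICAST_SOLICIT = 3        # NS attempts before the entry is cleared


def solicited_node(ipv6):
    """ff02::1:ffXX:XXXX for this address: the group a multicast NS goes to."""
    low24 = int(ipaddress.IPv6Address(ipv6)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


class Entry:
    def __init__(self, ipv6, now):
        self.ipv6, self.mac, self.is_router = ipv6, None, False
        self.state = "INCOMPLETE"
        self.probes = 1                        # first multicast NS sent now
        self.deadline = now + RETRANS_TIMER    # when the running timer fires
        self.sent = [("NS", solicited_node(ipv6))]   # (message, destination)


class NeighborCache:
    def __init__(self):
        self.entries = {}

    def state(self, ipv6):
        e = self.entries.get(ipv6)
        return e.state if e else None

    def resolve(self, ipv6, now):
        """2.3.1: on-link destination with unknown MAC: INCOMPLETE entry,
        multicast NS to the solicited-node address (SLLA option inside)."""
        self.entries[ipv6] = Entry(ipv6, now)

    def receive_na(self, ipv6, mac, solicited, override, router, now):
        """2.2.5: apply the R, S and O flags of a Neighbor Advertisement."""
        e = self.entries.get(ipv6)
        if e is None:
            return
        if e.state == "INCOMPLETE":
            e.mac = mac
            e.state = "REACHABLE" if solicited else "STALE"
        elif not override and mac != e.mac:
            # Different MAC without the Override flag: keep the cached MAC
            # and only stop trusting it if it was REACHABLE.
            if e.state == "REACHABLE":
                e.state = "STALE"
            return
        else:
            changed = mac != e.mac
            e.mac = mac
            if solicited:
                e.state = "REACHABLE"
            elif changed:
                e.state = "STALE"
        e.is_router = router
        if e.state == "REACHABLE":
            e.deadline = now + REACHABLE_TIME

    def send_packet(self, ipv6, now):
        """Upper layer transmits: True when a MAC is known. A STALE entry
        moves to DELAY and waits for an upper-layer confirmation (2.5)."""
        e = self.entries.get(ipv6)
        if e is None or e.state == "INCOMPLETE":
            return False
        if e.state == "STALE":
            e.state, e.deadline = "DELAY", now + DELAY_FIRST_PROBE_TIME
        return True

    def confirm(self, ipv6, now):
        """Positive upper-layer confirmation (e.g. a TCP ACK): the Reachable
        Timer restarts, so an active neighbor never leaves REACHABLE."""
        e = self.entries.get(ipv6)
        if e is not None and e.state != "INCOMPLETE":
            e.state, e.deadline = "REACHABLE", now + REACHABLE_TIME

    def tick(self, now):
        """Fire every timer that expired at or before `now`."""
        for ipv6 in list(self.entries):
            e = self.entries[ipv6]
            while ipv6 in self.entries and e.deadline <= now:
                fired = e.deadline
                if e.state == "REACHABLE":
                    e.state, e.deadline = "STALE", float("inf")  # waits for traffic
                elif e.state == "DELAY":
                    e.state, e.probes = "PROBE", 0
                    self._send_ns(e, fired)
                elif e.probes >= MAX_UNICAST_SOLICIT:    # PROBE or INCOMPLETE
                    del self.entries[ipv6]               # unreachable: cleared
                else:
                    self._send_ns(e, fired)

    def _send_ns(self, e, now):
        # INCOMPLETE retries the multicast NS, PROBE sends unicast NS.
        dst = solicited_node(e.ipv6) if e.state == "INCOMPLETE" else e.ipv6
        e.sent.append(("NS", dst))
        e.probes += 1
        e.deadline = now + RETRANS_TIMER
```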
FIGURE 6.16 Address Autoconfiguration States (states: Tentative, Preferred, Deprecated, Invalid; timers: Preferred Lifetime, Valid Lifetime)
FIGURE 6.11 NA Sent during DAD Process (UBUNTU)
FIGURE 6.10 Full DAD Process and UBUNTU Interface Startup
FIGURE 6.9 NS Sent during DAD Process (UBUNTU)
2.6 Router Discovery
By default the hosts do not have to configure a default router. This is done automatically thanks to the ND Protocol.
The Routers send Unsolicited Router Advertisements on a regular basis (the minimum interval is 3 seconds).
The hosts listen to the RA to refresh prefixes or update some parameters.
When a host is booting and needs RA Information immediately, it sends a Router Solicitation message to the All Routers Multicast Address FF02::2.
The RA contains the following information:
o Default Link Parameters (Default Hop Limit, MTU)
o Neighbor Unreachability Detection Parameters. These are the Reachable Timer and the Retransmit Interval. The value zero means unspecified, which actually means that the information configured on the hosts must not be changed by the RA.
o Prefixes available on the Link, with Timers and Flags for each Prefix about Autoconfiguration (SLAAC, Stateless Address Autoconfiguration)
o If the Router is a Candidate as Default Gateway (Lifetime, Preference). The Lifetime parameter only says how long this advertisement is valid, without being refreshed, to use this router as a default Router Candidate. A RA with Lifetime=0 means: "stop using me as your default router immediately"!
o Router IPv6 and MAC Addresses
o DNS Server Addresses (RFC6106)
o If DHCPv6 is available in the Network and if it must be used to configure Addresses and Everything, or Everything but Addresses. If the Router is a Home Agent (Mobile IPv6).
2.7 Autoconfiguration (SLAAC)
If you have 2 minutes, you can follow the whole process in this quick presentation (Flash video):
http://www.ipv6forlife.com/Tutorial/IPv6Startup.html
And if you have 30 minutes and prefer to have all the details of Autoconfig with IPv6, get this .mov video presentation of Autoconfig on the Web, the long version of the short Flash presentation (it lasts about 30 minutes):
http://www.youtube.com/watch?v=1DnDqxA7c_g
It is also on SlideShare.
The whole process is summarized on the next two figures, from the start when the interface is coming up to the stop when it is ready or disabled!
2.7.1 Introduction
An IPv6 node must be able to configure its Network Access unattended, with or without the presence of Routers on the Link(s).
Autoconfiguration was one of the main requirements for IPv6 since day 1.
In any case, unless it has been disabled (as can be done on Linux), the Workstation performs Stateless Address Autoconfiguration (SLAAC) when the Interfaces are coming up.
But a DHCPv6 server can be added to configure addresses and additional information. This is stateful DHCPv6. The additional information without addresses is stateless DHCPv6.
A DHCPv6 Server only needs to keep state when it allocates addresses, in order to poll a Workstation which did not renew its reservation and get the reserved address back in the pool if the client fails to answer. DHCPv6 will be studied in detail later in this book. Right now we are going to focus on the Stateless Address Autoconfiguration (SLAAC) process itself. Just keep in mind that DHCPv6 cannot replace SLAAC but only complement it. For instance, a default route cannot be configured with DHCPv6.
SLAAC is stateless because no state is kept on the router when the default SLAAC is used to configure Addresses and anything else on the node.
2.7.2 SLAAC Process
SLAAC is enabled by default on most platforms. I have seen some Linux distributions where it must be enabled.
It is possible to configure everything statically, and this may be interesting for some Datacenters where we have only Servers and Routers to configure. We may then want to configure the addresses manually and the default route to an HSRP or GLBP Virtual IPv6 Link-local Address, also configured statically. So you will not lose any time with protocols and don't risk anything with Rogue devices and advertisements.
For instance a Rogue RA, DNS or DHCP can be forged on the local link if an employee wants to break the Company Network. For the RA, it must be on the local link since most ND Packets, RA included, MUST have the Hop Limit = 255 to be valid or they are dropped!
So SLAAC will be performed in most cases and here is the full process. Between A and B, this is the Prefix-list verification process detailed in the next column. Let's explain it Step-by-Step or Click here for an animation:
http://www.ipv6forlife.com/Tutorial/IPv6Startup.html
2.7.2.1 Validation of the Link-local Address
The Interface is brought up or the host is booting. The interface enters the TENTATIVE Mode. No user traffic can be exchanged until we reach the Stop Red State which is the end of the SLAAC process.
From the Start, we can see that the very first step is to figure out the Link-local address with an EUI-64 or Static Interface ID and to verify it using the DAD Process.
We send a NS to our own Solicited Node Multicast Address for our own IPv6 address and expect no answer.
If somebody replies, our link-local is neither unique nor valid and the Interface is disabled for IPv6.
Only if we use SeND do we make two more attempts before we quit and log an error! We are most probably under a DoS Attack!
2.7.2.2 Send a Router Solicitation
Then, the next Step is to send a RS to the All Routers Link-Local Scope Multicast Address: FF02::2
If we don't receive any RA, we try DHCPv6 and we exit the SLAAC process.
Otherwise, we configure the IPv6 interface from the parameters received in the RA: MTU, Hop Limit, Reachable Timer and Retransmit Interval, Router Lifetime, and so on...
2.7.2.3 Check the Prefix-List.
Click on the diagram or the link below for a FLASH Animation:
http://www.ipv6forlife.com/Tutorial/IPv6Startup.html
The next step is to examine the Prefix-List, if there is any in the Router Advertisement.
If there is a list, we examine each prefix and check that the On-Link and Autonomous bits (Flags in the Capture) are set.
With each dynamic address, there are two timers: the Preferred and the Valid.
When the Preferred Timer has expired, the Address is deprecated but remains Valid until the Valid Timer has expired. When the Address is deprecated, it is still there and can be used for an existing connection. On the other hand, a deprecated address cannot be used for a new connection. When the Valid Timer has expired, the address is removed from the Interface.
Then we must also check the Timers:
The Valid Timer MUST be NON NULL, >0
The Valid Timer MUST be > the Preferred Timer
If the bits and timers are OK, we derive an address using any of the configured modes for the Interface ID: Static, EUI-64, Random Temporary, CGA... And we check that this address is unique using DAD.
If DAD passes, we initialize the Address, otherwise the address is not used. We go to the next Prefix until there are no more, and we get back from the Prefix-list inspection Loop.
The last step is to check if we need to call a DHCPv6 Server to configure Addresses and/or Other parameters.
Once the dynamic addresses have been acquired, they must be refreshed by SLAAC or DHCPv6 or they will become invalid and vanish! Periodic RAs refresh the prefix. With DHCPv6, it is the client which renews or rebinds its address.
2.8 Renumbering
As we have seen before, with IPv6 the Prefix is not allocated to the end-user but to the SP. When you change SP, you will need to configure a new prefix in your network.
This process is Renumbering. With a good design and the right tools, it will not be a problem and will not take long to change the Prefix of your Network.
The principle of Renumbering is very simple. We have two Prefixes. One is Deprecated, and its Preferred Timer is set to 0. This way no new connection will be established on the addresses derived from this prefix. These addresses can remain Deprecated but still valid for the rest of the day, the week or even more! We need to find a reasonable timer value to enable all the users to close their sessions and not force the disconnection.
All the new connections are established using addresses derived from Prefixes which are still Preferred.
So, when the Valid Timer of the old Prefix has expired and the derived addresses are removed from their interfaces, hopefully there will not be any existing users using these addresses.
This is how the Renumbering process operates.
3 Additional Information about Prefix Validation in the SLAAC Process
The Configuration of CISCO Router for SLAAC
Below is how to configure the Routers for the SLAAC process.

2012 Fred Bovy. EIRL IPv6 For Life! IPv6AutoConfig1-35
Refreshing the SLAAC Addresses Timers
An address which has been derived from a RA must be refreshed by new RAs advertising the same prefix. The RA Interval must be consistent with the Preferred and the Valid Timers for the addresses to be refreshed in time.
ipv6 nd ra-interval (200 seconds by default)
ipv6 nd ra-lifetime (1800 seconds or 30 minutes by default)
ipv6 nd managed-config-flag
ipv6 nd other-config-flag
ipv6 nd prefix <prefix/mask> [Valid] [Preferred] [no-advertise | off-link | no-autoconfig]
To be used by SLAAC:
- The On-Link and Autonomous Bits Must be Set
- If Preferred Lifetime > Valid lifetime, ignore the Prefix Information option. A node MAY wish to LOG a system management ERROR in this case.
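The RA parsing and Prefix-List check of 2.7.2.3 and of the rules just above, as an added example (not the book's or Cisco's code): it builds a constructed RA carrying the same header values and options as Frame 56 (SLLA, MTU 1500, prefix 2001:db8:c0a8:3::/64 with Flags 0xc0) plus two extra prefixes, parses it as a host must (dropping it unless the IPv6 Hop Limit is 255), and classifies each prefix as preferred, deprecated (Preferred Lifetime 0, the renumbering case of 2.8) or ignored (Preferred > Valid, Valid = 0, or Autonomous flag clear; RFC 4862 requires the A flag for address formation, the L flag only feeds on-link determination, so the code reports L separately). Addresses are derived with EUI-64 from an assumed host MAC ca:01:06:a9:00:54; all function names are assumptions.

```python
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_SLLA, OPT_PREFIX_INFO, OPT_MTU = 1, 3, 5      # option types of 2.1.1.2


def opt_slla(mac):
    return struct.pack("!BB", OPT_SLLA, 1) + bytes.fromhex(mac.replace(":", ""))


def opt_mtu(mtu):
    return struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)


def opt_prefix(prefix, plen, on_link, autonomous, valid, preferred):
    flags = (on_link << 7) | (autonomous << 6)    # L and A bits (0xc0 = both)
    head = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, flags, valid, preferred, 0)
    return head + ipaddress.IPv6Address(prefix).packed


def build_ra(cur_hop_limit, m_flag, o_flag, router_lifetime, reachable, retrans, options):
    """ICMPv6 body of a Router Advertisement (checksum left at 0: constructed)."""
    flags = (m_flag << 7) | (o_flag << 6)
    head = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, cur_hop_limit, flags,
                       router_lifetime, reachable, retrans)
    return head + b"".join(options)


def parse_ra(hop_limit, icmp):
    """Parse an RA as a host must: drop it unless the IPv6 Hop Limit is 255
    (2.7.2) and every option length is sane; unknown options are skipped."""
    if hop_limit != 255 or len(icmp) < 16 or icmp[0] != ND_ROUTER_ADVERT or icmp[1] != 0:
        return None
    _, _, _, chl, flags, life, reach, retrans = struct.unpack("!BBHBBHII", icmp[:16])
    ra = {"cur_hop_limit": chl, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "router_lifetime": life, "reachable_time": reach, "retrans_timer": retrans,
          "options": []}
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp) or icmp[off + 1] == 0:
            return None                            # zero-length option: discard
        otype, end = icmp[off], off + icmp[off + 1] * 8
        if end > len(icmp):
            return None
        data = icmp[off + 2:end]
        if otype == OPT_SLLA and len(data) == 6:
            ra["options"].append(("slla", ":".join("%02x" % b for b in data)))
        elif otype == OPT_MTU and len(data) == 6:
            ra["options"].append(("mtu", struct.unpack("!I", data[2:])[0]))
        elif otype == OPT_PREFIX_INFO and len(data) == 30:
            plen, pflags, valid, pref = struct.unpack("!BBII", data[:10])
            ra["options"].append(("prefix", {
                "prefix": str(ipaddress.IPv6Address(data[14:])), "len": plen,
                "on_link": bool(pflags & 0x80), "autonomous": bool(pflags & 0x40),
                "valid": valid, "preferred": pref}))
        else:
            ra["options"].append(("unknown", otype))
        off = end
    return ra


def eui64_address(prefix, mac):
    """Modified EUI-64 interface ID: flip the U/L bit, insert ff:fe."""
    m = bytearray(bytes.fromhex(mac.replace(":", "")))
    m[0] ^= 0x02
    iid = bytes(m[:3]) + b"\xff\xfe" + bytes(m[3:])
    return str(ipaddress.IPv6Address(ipaddress.IPv6Address(prefix).packed[:8] + iid))


def check_prefix(p):
    """Prefix-list check of 2.7.2.3 / section 3, following RFC 4862 5.5.3."""
    if not p["autonomous"]:
        return "ignored: Autonomous flag not set"
    if p["preferred"] > p["valid"]:
        return "ignored: preferred lifetime > valid lifetime (log an error)"
    if p["valid"] == 0:
        return "ignored: valid lifetime is 0"
    if p["preferred"] == 0:
        return "deprecated"                        # renumbering case of 2.8
    return "preferred"


def slaac_addresses(hop_limit, icmp, host_mac):
    """(prefix, status, address) per Prefix Information option; None if dropped."""
    ra = parse_ra(hop_limit, icmp)
    if ra is None:
        return None
    out = []
    for kind, p in ra["options"]:
        if kind == "prefix":
            status = check_prefix(p)
            addr = None if status.startswith("ignored") else eui64_address(p["prefix"], host_mac)
            out.append((p["prefix"], status, addr))
    return out


# Constructed sample: the values of Frame 56 plus two more prefixes.
SAMPLE_RA = build_ra(64, 0, 0, 1800, 0, 0, [
    opt_slla("ca:02:06:a9:00:54"), opt_mtu(1500),
    opt_prefix("2001:db8:c0a8:3::", 64, 1, 1, 2592000, 604800),   # as advertised
    opt_prefix("2001:db8:c0a8:2::", 64, 1, 1, 2592000, 0),        # old prefix: deprecated
    opt_prefix("2001:db8:c0a8:4::", 64, 1, 1, 600, 3600),          # preferred > valid
])
```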


6
IPv6 is now widely distributed and it is the default protocol for most if not all systems: Windows, Linux, MAC OS, iPhone, iPAD, HP LaserPrinters talk IPv6 and many, many others... All applications and most content on the Internet are available via IPv6: Yahoo, Google, Facebook, MS and others... This is NOW!
IPv6 On Hosts and Routers
IPv6 On Hosts & Cisco Routers
.1 Configuration and Checking on Hosts
.1.1 Windows
IPv6 is loaded by default and now configured as the default preferred protocol.
On Windows XP it was loaded, but you had to enable it with a netsh command "netsh interface ipv6
install"
You cannot uninstall IPv6 in Windows 7, but you can disable IPv6 on a per-adapter basis. To do this,
follow these steps:
1. In Control Panel, open Network And Sharing Center.
2. Click Manage Network Connections and then double-click the connection you want to
configure.
3. Clear the check box labeled Internet Protocol Version 6 (TCP/IPv6), and then click
OK.
Note that if you disable IPv6 on all your network connections using the user interface method de-
scribed in the preceding steps, IPv6 will still remain enabled on all tunnel interfaces and on the loop-
back interface.
As an alternative to using the user interface to disable IPv6 on a per-adapter basis, you can selectively disable certain features of IPv6 by creating and configuring the following DWORD registry value:
HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\DisabledComponents
Flag low-order bit: result of setting this bit to a value of 1
0: Disables all IPv6 tunnel interfaces, including ISATAP, 6to4 and Teredo tunnels
1: Disables all 6to4-based interfaces
2: Disables all ISATAP-based interfaces
3: Disables all Teredo-based interfaces
4: Disables IPv6 over all non-tunnel interfaces, including LAN and PPP interfaces
5: Modifies the default prefix policy table* to prefer IPv4 over IPv6 when attempting connections
More Details:
.1.1.1 IPv6 Tools with Windows
.1.1.1.1 IPconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : ectasie.example.com
IPv6 Address. . . . . . . . . . . : 2001:db8:21da:7:713e:a426:d167:37ab
Temporary IPv6 Address. . . . . . : 2001:db8:21da:7:5099:ba54:9881:2e54
Link-local IPv6 Address . . . . . : fe80::713e:a426:d167:37ab%6
IPv4 Address. . . . . . . . . . . : 157.60.14.11
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::20a:42ff:feb0:5400%6
157.60.14.1
Tunnel adapter Local Area Connection* 6:
Connection-specific DNS Suffix . :
IPv6 Address. . . . . . . . . . . : 2001:db8:908c:f70f:0:5efe:157.60.14.11
Link-local IPv6 Address . . . . . : fe80::5efe:157.60.14.11%9
Site-local IPv6 Address . . . . . : fec0::6ab4:0:5efe:157.60.14.11%1
Default Gateway . . . . . . . . . : fe80::5efe:131.107.25.1%9
fe80::5efe:131.107.25.2%9
Tunnel adapter Local Area Connection* 7:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
.1.1.1.2 Route
IPv6 Routing Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
8 286 ::/0 fe80::3cec:bf16:505:eae6
1 306 ::1/128 On-link
8 38 2001:db8::/64 On-link
8 286 2001:db8::4074:2dce:b313:7c65/128 On-link
8 286 2001:db8::b500:734b:fe5b:3945/128 On-link
8 286 fe80::/64 On-link
17 296 fe80::5efe:10.0.0.3/128 On-link
8 286 fe80::b500:734b:fe5b:3945/128 On-link
1 306 ff00::/8 On-link
8 286 ff00::/8 On-link
===========================================================================
.1.1.1.3 Ping
f:\>ping 2001:db8:1:f282:dd48:ab34:d07c:3914
Pinging 2001:db8:1:f282:dd48:ab34:d07c:3914 from
2001:db8:1:f282:3cec:bf16:505:eae6 with 32 bytes of data:
Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
Reply from 2001:db8:1:f282:dd48:ab34:d07c:3914: time<1ms
Ping statistics for 2001:db8:1:f282:dd48:ab34:d07c:3914:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
.1.1.1.4 Tracert
F:\>tracert 2001:db8:1:f282:dd48:ab34:d07c:3914
Tracing route to 2001:db8:1:f282:dd48:ab34:d07c:3914 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 2001:db8:1:f241:2b0:d0ff:fea4:243d
2 <1 ms <1 ms <1 ms 2001:db8:1:f2ac:2b0:d0ff:fea5:d347
3 <1 ms <1 ms <1 ms 2001:db8:1:f282:dd48:ab34:d07c:3914
Trace complete.
.1.1.1.5 Pathping
F:\>pathping 2001:db8:1:f282:dd48:ab34:d07c:3914
Tracing route to 2001:db8:1:f282:dd48:ab34:d07c:3914 over a maximum of 30 hops
0 server1.example.microsoft.com [2001:db8:1:f282:204:5aff:fe56:1006]
1 2001:db8:1:f282:dd48:ab34:d07c:3914
Computing statistics for 25 seconds...
Source to Here This Node/Link
Hop RTT Lost/Sent = Pct Lost/Sent = Pct Address
0 server1.example.microsoft.com
[2001:db8:1:f282:204:5aff:fe56:1006]
0/ 100 = 0% |
1 0ms 0/ 100 = 0% 0/ 100 = 0% 2001:db8:1:f282:dd48:ab34:d07c:3914
Trace complete.
.1.1.1.6 netstat -s
F:\>netstat -s
IPv4 Statistics
Packets Received = 187107
Received Header Errors = 0
Received Address Errors = 84248
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 0
Received Packets Delivered = 186194
Output Requests = 27767
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 0
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 0
Datagrams Failing Fragmentation = 0
Fragments Created = 0
IPv6 Statistics
Packets Received = 53118
Received Header Errors = 0
Received Address Errors = 0
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 0
Received Packets Delivered = 0
Output Requests = 60695
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 0
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Successfully Fragmented = 0
Datagrams Failing Fragmentation = 0
Fragments Created = 0
ICMPv4 Statistics
Received Sent
Messages 682 881
Errors 0 0
Destination Unreachable 2 201
Time Exceeded 0 0
Parameter Problems 0 0
Source Quenches 0 0
Redirects 0 0
Echos 340 340
Echo Replies 340 340
Timestamps 0 0
Timestamp Replies 0 0
Address Masks 0 0
Address Mask Replies 0 0
ICMPv6 Statistics
Received Sent
Errors 0 0
Destination Unreachable 193 0
Echos 4 0
Echo Replies 0 4
MLD Reports 0 6
Router Solicitations 0 7
Router Advertisements 54 0
Neighbor Solicitations 31 32
Neighbor Advertisements 27 31
TCP Statistics for IPv4
Active Opens = 128
Passive Opens = 106
Failed Connection Attempts = 0
Reset Connections = 3
Current Connections = 16
Segments Received = 22708
Segments Sent = 26255
Segments Retransmitted = 37
TCP Statistics for IPv6
Active Opens = 74
Passive Opens = 72
Failed Connection Attempts = 1
Reset Connections = 0
Current Connections = 14
Segments Received = 52809
Segments Sent = 59813
Segments Retransmitted = 3
UDP Statistics for IPv4
Datagrams Received = 160982
No Ports = 2158
Receive Errors = 2
Datagrams Sent = 591
UDP Statistics for IPv6
Datagrams Received = 0
No Ports = 0
Receive Errors = 0
Datagrams Sent = 744
.1.1.1.7 Netsh interface ipv6 show interface
Idx Met MTU State Name
--- --- ----- ----------- -------------------
1 50 4294967295 enabled Loopback Pseudo-Interface 1
9 50 1280 enabled Local Area Connection* 6
6 20 1500 enabled Local Area Connection
10 50 1280 enabled Local Area Connection* 7
7 10 1500 disabled Local Area Connection 2
Netsh interface ipv6 show address
Interface 1: Loopback Pseudo-Interface 1
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Other Preferred infinite infinite ::1
Interface 9: Local Area Connection* 6
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Other Deprecated infinite infinite fe80::5efe:1.0.0.127%9
Interface 6: Local Area Connection
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Public Preferred 29d23h59m59s 6d23h59m59s 2001:db8:21da:7:1f3e:9e51:2178:b9ob
Temporary Preferred 5d19h59m25s 5d19h59m25s 2001:db8:21da:7:a299:85ae:21da:59cc
Other Preferred infinite infinite fe80::713e:a426:d167:37ab%6
Interface 10: Local Area Connection* 7
Addr Type DAD State Valid Life Pref. Life Address
--------- ----------- ---------- ---------- ------------------------
Other Deprecated infinite infinite fe80::5efe:1.0.0.127%10
.1.1.1.8 Netsh interface ipv6 show route
Publish Type Met Prefix Idx Gateway/Interface Name
------- -------- --- ------------------------ --- -----------------------
No Manual 256 ::/0 8 fe80::3cec:bf16:505:eae6
No Manual 256 ::1/128 1 Loopback Pseudo-Interface 1
No Manual 8 2001:db8::/64 8 Local Area Connection
No Manual 256 2001:db8::4074:2dce:b313:7c65/128 8 Local Area Connection
No Manual 256 2001:db8::b500:734b:fe5b:3945/128 8 Local Area Connection
No Manual 1000 2002::/16 11 Local Area Connection* 7
No Manual 256 fe80::/64 10 Local Area Connection* 9
No Manual 256 fe80::/64 8 Local Area Connection
No Manual 256 fe80::100:7f:fffe/128 10 Local Area Connection* 9
No Manual 256 fe80::5efe:10.0.0.3/128 17 Local Area Connection* 6
No Manual 256 fe80::b500:734b:fe5b:3945/128 8 Local Area Connection
No Manual 256 ff00::/8 1 Loopback Pseudo-Interface 1
No Manual 256 ff00::/8 10 Local Area Connection* 9
No Manual 256 ff00::/8
.1.1.1.9 Netsh interface ipv6 show neighbors
Interface 1: Loopback Pseudo-Interface 1
Internet Address Physical Address Type
-------------------------------------------- ----------------- -----------
ff02::16 Permanent
ff02::1:3 Permanent
Interface 8: Local Area Connection
Internet Address Physical Address Type
-------------------------------------------- ----------------- -----------
2001:db8::3cec:bf16:505:eae6 00-13-72-2b-34-07 Stale (Router)
2001:db8::4074:2dce:b313:7c65 00-00-00-00-00-00 Unreachable
2001:db8::6c4b:bf6d:201a:ccbf 00-00-00-00-00-00 Unreachable
fe80::3cec:bf16:505:eae6 00-13-72-2b-34-07 Stale (Router)
ff02::16 33-33-00-00-00-16 Permanent
Interface 10: Local Area Connection* 9
Internet Address Physical Address Type
-------------------------------------------- ----------------- -----------
fe80::b500:734b:fe5b:3945 255.255.255.255:65535 Unreachable
ff02::16 255.255.255.255:65535 Permanent
.1.1.1.10 Netsh interface ipv6 show destination cache
Interface 8: Local Area Connection
PMTU Destination Address Next Hop Address
---- --------------------------------------------- -------------------------
1500 2001:db8::3cec:bf16:505:eae6 2001:db8::3cec:bf16:505:eae6
.1.2 MAC OS X
With Linux and MAC OS X, all of the IPv6 stack and useful tools are available. Also, as with Windows, the GUI cannot help much, and the CLI will be used for most commands.
Please note the percent sign, which gives the interface name or index according to the OS. In IPv6 this refers to the zone (see the RFC about the Scoped Zone Architecture).
Each zone has its own routing table internally, and it is currently used by 1) link-local addresses, 2) multicast addresses, 3) unicast. It is very rare, BUT one application which was requested for our IPv6 group was 6VPE.
From an IPv6 point of view, 6VPE has no interest at all! MPLS-VPN was a great feature for IPv4 because of address depletion. With IPv6 it is no longer very interesting, and the VRF that exists in IPv6 is called a Zone. The Zone has its own routing table internally, and there is no complex provisioning!
With MAC OS or Linux the zone identifier is the name of the interface:
.1.2.1 netstat -in ip6
power-mac-g5-de-fred-bovy-6:~ root# netstat -in ip6
Name Mtu Network Address Ipkts Ierrs Opkts Oerrs Coll
lo0 16384 <Link#1> 623227 0 623227 0 0
lo0 16384 ::1/128 ::1 623227 - 623227 - -
lo0 16384 fe80::1%lo0 fe80:1::1 623227 - 623227 - -
lo0 16384 127 127.0.0.1 623227 - 623227 - -
lo0 16384 fd6e:28d7:6 fd6e:28d7:65b4:77 623227 - 623227 - -
gif0* 1280 <Link#2> 0 0 0 0 0
stf0* 1280 <Link#3> 0 0 0 0 0
en0 1500 <Link#4> d4:9a:20:d0:f9:ae 0 0 0 0 0
fw0 4078 <Link#5> d4:9a:20:ff:fe:c7:17:70 0 0 0 0 0
en1 1500 <Link#6> 04:1e:64:ec:73:a9 3393882 0 2455868 0 0
en1 1500 fe80::61e:6 fe80:6::61e:64ff: 3393882 - 2455868 - -
en1 1500 192.168.0 192.168.0.10 3393882 - 2455868 - -
en1 1500 2a01:e35:2f 2a01:e35:2f26:d34 3393882 - 2455868 - -
vmnet 1500 <Link#8> 00:50:56:c0:00:01 0 0 0 0 0
vmnet 1500 192.168.58 192.168.58.1 0 - 0 - -
vmnet 1500 <Link#9> 00:50:56:c0:00:08 0 0 0 0 0
vmnet 1500 172.16.4/24 172.16.4.1 0 - 0 - -
utun0 1500 <Link#7> 26 0 31 0 0
utun0 1500 fe80::d69a: fe80:7::d69a:20ff 26 - 31 - -
utun0 1500 fd00:6587:5 fd00:6587:52d7:f8 26 - 31 - -
.1.2.2 ifconfig
power-mac-g5-de-fred-bovy-6:~ root# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
inet 127.0.0.1 netmask 0xff000000
inet6 fd6e:28d7:65b4:77b3:d69a:20ff:fed0:f9ae prefixlen 128
gif0: flags=8010<POINTOPOINT,MULTICAST> mtu 1280
stf0: flags=0<> mtu 1280
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether d4:9a:20:d0:f9:ae
media: autoselect
status: inactive
fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 4078
lladdr d4:9a:20:ff:fe:c7:17:70
media: autoselect <full-duplex>
status: inactive
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 04:1e:64:ec:73:a9
inet6 fe80::61e:64ff:feec:73a9%en1 prefixlen 64 scopeid 0x6
inet6 2a01:e35:2f26:d340:61e:64ff:feec:73a9 prefixlen 64 autoconf
.1.3 Linux
Linux is the best platform to support a maximum of services such as Mobile IPv6, DHCPv6 and more. Mobile IPv6 and DHCPv6 are not supported by Linux or MAC OS X. MAC OS X is a free BSD, so there may be a way to have it running on a MAC, but it is not a MAC OS X supported feature.
Also with Linux you can enable or disable SLAAC and many parameters for very fine tuning of ND.
Tuning the Kernel
The /proc/sys/net/ipv6 filesystem exports a number of parameters that you might want to set. The
Linux IPv6 HOWTO explains all available parameters, so let me just show you the ones I set in
/etc/sysctl.d/ipv6.conf and load with a call to sysctl -p:
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.forwarding = 0
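To verify that a host's sysctl file really carries the whole baseline above, here is an added example (not from the book or the Linux IPv6 HOWTO) that parses a sysctl.d-style file and reports settings that are missing, weaker than the baseline, or overridden for a single interface; BOOK_CONF reproduces the listing above and the weak file in the test is constructed.

```python
# Added example: audit an IPv6 sysctl file against the hardening baseline listed above.
# BOOK_CONF reproduces the page's /etc/sysctl.d/ipv6.conf; nothing here is the book's code.
BOOK_CONF = """
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.accept_ra = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_source_route = 0
net.ipv6.conf.default.accept_redirects = 0
net.ipv6.conf.default.forwarding = 0
net.ipv6.conf.all.autoconf = 0
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.all.accept_ra_defrtr = 0
net.ipv6.conf.all.accept_ra_rtr_pref = 0
net.ipv6.conf.all.accept_ra_pinfo = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.all.forwarding = 0
"""

# Wanted value per key, taken from the listing above.
BASELINE = {
    "autoconf": "0", "accept_ra": "0", "accept_ra_defrtr": "0", "accept_ra_rtr_pref": "0",
    "accept_ra_pinfo": "0", "accept_source_route": "0", "accept_redirects": "0",
    "forwarding": "0",
}
# 'all' covers the interfaces that exist now, 'default' the ones created later;
# a file that sets only one of the two leaves a gap.
SCOPES = ("all", "default")


def parse_sysctl_conf(text: str) -> dict:
    """Parse a sysctl.conf-style file: one 'key = value' per line, '#'/';' lines are comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"malformed sysctl line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        # sysctl also accepts net/ipv6/conf/all/forwarding; normalise to the dotted form
        settings[key.replace("/", ".")] = value
    return settings


def audit_ipv6_conf(settings: dict) -> list:
    """Return human-readable findings; an empty list means the baseline is fully applied."""
    findings = []
    for scope in SCOPES:
        for key, want in BASELINE.items():
            name = f"net.ipv6.conf.{scope}.{key}"
            got = settings.get(name)
            if got is None:
                findings.append(f"{name} not set (kernel default applies)")
            elif got != want:
                findings.append(f"{name} = {got}, baseline wants {want}")
    # A per-interface line wins for that interface, so net.ipv6.conf.eth0.accept_ra = 1
    # quietly re-enables RA processing there even with the 'all'/'default' lines in place.
    for name, value in settings.items():
        parts = name.split(".")
        if len(parts) == 5 and parts[:3] == ["net", "ipv6", "conf"] and parts[3] not in SCOPES:
            if parts[4] in BASELINE and value != BASELINE[parts[4]]:
                findings.append(f"{name} = {value} overrides the baseline on {parts[3]}")
    return findings


if __name__ == "__main__":
    for finding in audit_ipv6_conf(parse_sysctl_conf(BOOK_CONF)) or ["baseline fully applied"]:
        print(finding)
```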
.1.3.1 Add an address to an interface
ifconfig <interface> inet6 add <prefix>/<length>
.1.3.2 Remove an address from an interface
ifconfig <interface> inet6 del <prefix>/<length>
.1.3.3 Add a route
route -A inet6 add <destination> gw <next-hop>
.1.3.4 Add a DNS server in the /etc/resolv.conf file
nameserver 2001:db8:233::1
There are many tools and services available with Linux, and only with Linux, like DHCPv6, Mobile IPv6, IPsec etc.
Example below with both the NDPmon and tcpdump utilities.
14:30:13.980542 IP6 (hlim 64, next-header TCP (6) payload length: 32)
2a01:e35:2f26:d340:105d:f22a:d1bd:635e.55318 > 2a00:1450:4009:808::1005.80: Flags
[.], cksum 0xb983 (correct), seq 3060, ack 9779, win 32249, options [nop,nop,TS val
340919915 ecr 1985866212], length 0
0x0000: 6000 0000 0020 0640 2a01 0e35 2f26 d340 `......@*..5/&.@
0x0010: 105d f22a d1bd 635e 2a00 1450 4009 0808 .].*..c^*..P@...
0x0020: 0000 0000 0000 1005 d816 0050 a479 6453 ...........P.ydS
0x0030: 7a0b 605a 8010 7df9 b983 0000 0101 080a z.`Z..}.........
0x0040: 1452 066b 765d e9e4 .R.kv]..
14:30:13.981120 IP6 (hlim 64, next-header TCP (6) payload length: 32)
2a01:e35:2f26:d340:105d:f22a:d1bd:635e.55318 > 2a00:1450:4009:808::1005.80: Flags
[.], cksum 0xb181 (correct), seq 3060, ack 11461, win 32616, options [nop,nop,TS
val 340919916 ecr 1985866212], length 0
0x0000: 6000 0000 0020 0640 2a01 0e35 2f26 d340 `......@*..5/&.@
0x0010: 105d f22a d1bd 635e 2a00 1450 4009 0808 .].*..c^*..P@...
0x0020: 0000 0000 0000 1005 d816 0050 a479 6453 ...........P.ydS
0x0030: 7a0b 66ec 8010 7f68 b181 0000 0101 080a z.f....h........
0x0040: 1452 066c 765d e9e4 .R.lv]..
----- ND_NEIGHBOR_SOLICIT -----
Reset timer for 4:1e:64:ec:73:a9 fe80:0:0:0:61e:64ff:feec:73a9
------------------
14:30:16.588733 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32)
fe80::61e:64ff:feec:73a9 > fe80::f6ca:e5ff:fe44:10ef: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::f6ca:e5ff:fe44:10ef
source link-address option (1), length 8 (1): 04:1e:64:ec:73:a9
0x0000: 041e 64ec 73a9
0x0000: 6000 0000 0020 3aff fe80 0000 0000 0000 `.....:.........
0x0010: 061e 64ff feec 73a9 fe80 0000 0000 0000 ..d...s.........
0x0020: f6ca e5ff fe44 10ef 8700 e9bb 0000 0000 .....D..........
0x0030: fe80 0000 0000 0000 f6ca e5ff fe44 10ef .............D..
0x0040: 0101 041e 64ec 73a9 ....d.s.
----- ND_NEIGHBOR_ADVERT -----
Reset timer for 4:1e:64:ec:73:a9 fe80:0:0:0:61e:64ff:feec:73a9
------------------
14:30:21.598154 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24)
fe80::61e:64ff:feec:73a9 > fe80::f6ca:e5ff:fe44:10ef: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::61e:64ff:feec:73a9, Flags [solicited]
0x0000: 6000 0000 0018 3aff fe80 0000 0000 0000 `.....:.........
0x0010: 061e 64ff feec 73a9 fe80 0000 0000 0000 ..d...s.........
0x0020: f6ca e5ff fe44 10ef 8800 94c3 4000 0000 .....D......@...
0x0030: fe80 0000 0000 0000 061e 64ff feec 73a9 ..........d...s.
----- ND_ROUTER_SOLICIT -----
Reset timer for 0:c:29:30:33:86 fe80:0:0:0:20c:29ff:fe30:3386
------------------
[SNIP]
Writing cache...
14:37:07.319548 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 64)
fe80::20c:29ff:fe30:3386 > ff02::2: [icmp6 sum ok] ICMP6, router solicitation,
length 64
source link-address option (1), length 56 (7):
00:0c:29:30:33:86:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:85
:00:00:00:00:00:00:00:00:92:5e:aa:f8:cf:10:08:d4:c6:8b:bf:f4:6f:45:00:f4:4f:13
0x0000: 000c 2930 3386 0000 0000 0000 0000 0000
0x0010: 0000 0000 0000 0000 0000 0085 0000 0000
0x0020: 0000 0000 925e aaf8 cf10 08d4 c68b bff4
0x0030: 6f45 00f4 4f13
0x0000: 6000 0000 0040 3aff fe80 0000 0000 0000 `....@:.........
0x0010: 020c 29ff fe30 3386 ff02 0000 0000 0000 ..)..03.........
0x0020: 0000 0000 0000 0002 8500 65e5 0000 0000 ..........e.....
0x0030: 0107 000c 2930 3386 0000 0000 0000 0000 ....)03.........
0x0040: 0000 0000 0000 0000 0000 0000 0085 0000 ................
0x0050: 0000 0000 0000 925e aaf8 cf10 08d4 c68b .......^........
0x0060: bff4 6f45 00f4 4f13 ..oE..O.
----- ND_ROUTER_ADVERT -----
Reset timer for f4:ca:e5:44:10:ef fe80:0:0:0:f6ca:e5ff:fe44:10ef
Warning: wrong ipv6 router f4:ca:e5:44:10:ef fe80:0:0:0:f6ca:e5ff:fe44:10ef
------------------
14:37:07.322231 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 104)
fe80::f6ca:e5ff:fe44:10ef > ff02::1: [icmp6 sum ok] ICMP6, router advertisement,
length 104
hop limit 64, Flags [none], pref medium, router lifetime 1800s, reachable
time 0s, retrans time 0s
prefix info option (3), length 32 (4): 2a01:e35:2f26:d340::/64, Flags [onlink, auto], valid time 86400s, pref. time 86400s
0x0000: 40c0 0001 5180 0001 5180 0000 0000 2a01
0x0010: 0e35 2f26 d340 0000 0000 0000 0000
rdnss option (25), length 40 (5): lifetime 600s, addr: 2a01:e00::2 addr:
2a01:e00::1
0x0000: 8000 0000 0258 2a01 0e00 0000 0000 0000
0x0010: 0000 0000 0002 2a01 0e00 0000 0000 0000
0x0020: 0000 0000 0001
mtu option (5), length 8 (1): 1480
0x0000: 0000 0000 05c8
source link-address option (1), length 8 (1): f4:ca:e5:44:10:ef
0x0000: f4ca e544 10ef
0x0000: 6000 0000 0068 3aff fe80 0000 0000 0000 `....h:.........
0x0010: f6ca e5ff fe44 10ef ff02 0000 0000 0000 .....D..........
0x0020: 0000 0000 0000 0001 8600 2541 4000 0708 ..........%A@...
0x0030: 0000 0000 0000 0000 0304 40c0 0001 5180 ..........@...Q.
0x0040: 0001 5180 0000 0000 2a01 0e35 2f26 d340 ..Q.....*..5/&.@
0x0050: 0000 0000 0000 0000 1905 8000 0000 0258 ...............X
0x0060: 2a01 0e00 0000 0000 0000 0000 0000 0002 *...............
0x0070: 2a01 0e00 0000 0000 0000 0000 0000 0001 *...............
0x0080: 0501 0000 0000 05c8 0101 f4ca e544 10ef .............D..
14:37:07.387405 IP6 (hlim 255, next-header UDP (17) payload length: 53)
fe80::61e:64ff:feec:73a9.5353 > ff02::fb.5353: [udp sum ok] 0 [2q] A (QM)?
server.exchange.local. AAAA (QM)? server.exchange.local. (45)
0x0000: 6000 0000 0035 11ff fe80 0000 0000 0000 `....5..........
0x0010: 061e 64ff feec 73a9 ff02 0000 0000 0000 ..d...s.........
0x0020: 0000 0000 0000 00fb 14e9 14e9 0035 117a .............5.z
0x0030: 0000 0000 0002 0000 0000 0000 0673 6572 .............ser
0x0040: 7665 7208 6578 6368 616e 6765 056c 6f63 ver.exchange.loc
0x0050: 616c 0000 0100 01c0 0c00 1c00 01 al...........
14:38:28.549702 IP6 (hlim 255, next-header UDP (17) payload length: 53)
fe80::61e:64ff:feec:73a9.5353 > ff02::fb.5353: [udp sum ok] 0 [2q] A (QM)?
server.exchange.local. AAAA (QM)? server.exchange.local. (45)
0x0000: 6000 0000 0035 11ff fe80 0000 0000 0000 `....5..........
0x0010: 061e 64ff feec 73a9 ff02 0000 0000 0000 ..d...s.........
0x0020: 0000 0000 0000 00fb 14e9 14e9 0035 117a .............5.z
0x0030: 0000 0000 0002 0000 0000 0000 0673 6572 .............ser
0x0040: 7665 7208 6578 6368 616e 6765 056c 6f63 ver.exchange.loc
0x0050: 616c 0000 0100 01c0 0c00 1c00 01 al...........
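A decoder for the Router Advertisement in the capture above, added here as an example (it is not the book's, tcpdump's or NDPmon's code): it parses the IPv6 and ICMPv6 headers from the hex dump, extracts the prefix, RDNSS, MTU and source link-layer options together with the M and O flags a host uses to decide whether to query DHCPv6, and runs a trusted-router check of the kind behind NDPmon's "wrong ipv6 router" warning. The trusted-router and expected-prefix sets are assumptions.

```python
import ipaddress
import struct

# Router Advertisement from the tcpdump hex dump above (IPv6 header + ICMPv6),
# re-typed here as a constructed test vector for this added example.
RA_HEX = """
6000 0000 0068 3aff fe80 0000 0000 0000
f6ca e5ff fe44 10ef ff02 0000 0000 0000
0000 0000 0000 0001 8600 2541 4000 0708
0000 0000 0000 0000 0304 40c0 0001 5180
0001 5180 0000 0000 2a01 0e35 2f26 d340
0000 0000 0000 0000 1905 8000 0000 0258
2a01 0e00 0000 0000 0000 0000 0000 0002
2a01 0e00 0000 0000 0000 0000 0000 0001
0501 0000 0000 05c8 0101 f4ca e544 10ef
"""
RA_BYTES = bytes.fromhex("".join(RA_HEX.split()))

ICMPV6 = 58
ND_ROUTER_ADVERT = 134
OPT_SRC_LLADDR, OPT_PREFIX_INFO, OPT_MTU, OPT_RDNSS = 1, 3, 5, 25


def parse_ra(pkt: bytes) -> dict:
    """Decode an IPv6 + ICMPv6 Router Advertisement and its ND options."""
    ver_tc_fl, plen, nxt, hlim = struct.unpack_from("!IHBB", pkt, 0)
    if ver_tc_fl >> 28 != 6 or nxt != ICMPV6:
        raise ValueError("not ICMPv6 over IPv6")
    if hlim != 255:  # RFC 4861: an RA must arrive with hop limit 255 (never forwarded)
        raise ValueError(f"hop limit {hlim}, RA must be 255")
    icmp = pkt[40:40 + plen]
    if len(icmp) < 16:
        raise ValueError("truncated ICMPv6 payload")
    typ, code, _csum, cur_hlim, flags, lifetime, reach, retrans = struct.unpack_from(
        "!BBHBBHII", icmp, 0)
    if typ != ND_ROUTER_ADVERT or code != 0:
        raise ValueError(f"not a Router Advertisement (type {typ}, code {code})")
    ra = {
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
        "cur_hop_limit": cur_hlim,
        "managed": bool(flags & 0x80),  # M flag: get addresses from DHCPv6
        "other": bool(flags & 0x40),    # O flag: get other configuration from DHCPv6
        "router_lifetime": lifetime,
        "reachable_ms": reach,
        "retrans_ms": retrans,
        "prefixes": [], "rdnss": None, "mtu": None, "src_lladdr": None,
    }
    off = 16
    while off < len(icmp):
        if off + 2 > len(icmp):
            raise ValueError("dangling option header")
        otype, olen = icmp[off], icmp[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")  # RFC 4861: discard the packet
        body = icmp[off:off + olen * 8]
        if len(body) != olen * 8:
            raise ValueError("truncated ND option")
        if otype == OPT_SRC_LLADDR:
            ra["src_lladdr"] = ":".join(f"{b:02x}" for b in body[2:8])
        elif otype == OPT_PREFIX_INFO:
            plen_bits, pflags, valid, pref = struct.unpack_from("!BBII", body, 2)
            net = ipaddress.IPv6Network((int.from_bytes(body[16:32], "big"), plen_bits),
                                        strict=False)
            ra["prefixes"].append({"prefix": str(net), "on_link": bool(pflags & 0x80),
                                   "autonomous": bool(pflags & 0x40),
                                   "valid": valid, "preferred": pref})
        elif otype == OPT_MTU:
            ra["mtu"] = struct.unpack_from("!I", body, 4)[0]
        elif otype == OPT_RDNSS:
            ra["rdnss"] = {"lifetime": struct.unpack_from("!I", body, 4)[0],
                           "servers": [str(ipaddress.IPv6Address(body[i:i + 16]))
                                       for i in range(8, len(body), 16)]}
        off += olen * 8
    return ra


def check_ra(ra: dict, trusted_routers: set, expected_prefixes: set) -> list:
    """Rogue-RA check in the spirit of NDPmon's 'wrong ipv6 router' warning.
    trusted_routers: link-local addresses of the legitimate routers on the link;
    expected_prefixes: prefixes they are allowed to announce (both are assumptions)."""
    findings = []
    if ra["src"] not in trusted_routers:
        findings.append(f"unexpected router {ra['src']} lladdr {ra['src_lladdr']}")
    for p in ra["prefixes"]:
        if p["prefix"] not in expected_prefixes:
            findings.append(f"unexpected prefix {p['prefix']} (A={p['autonomous']})")
        if p["preferred"] > p["valid"]:  # RFC 4862: such an option must be ignored
            findings.append(f"preferred > valid lifetime for {p['prefix']}")
    if ra["mtu"] is not None and ra["mtu"] < 1280:
        findings.append(f"MTU option {ra['mtu']} below the IPv6 minimum of 1280")
    if ra["router_lifetime"] > 9000:  # RFC 4861 upper bound
        findings.append("router lifetime above the RFC 4861 maximum of 9000 s")
    return findings


if __name__ == "__main__":
    advert = parse_ra(RA_BYTES)
    print(advert)
    print(check_ra(advert, {"fe80::f6ca:e5ff:fe44:10ef"}, {"2a01:e35:2f26:d340::/64"}))
```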
Example of a Wireshark screen capture of a Router Advertisement.
.2 Test your IPv6 Stack: http://test-ipv6.com/
.3 Test the IPv6 Web Servers
2 Configuration and System Checking on CISCO Routers
2.1 CISCO Routers Mode
A CISCO Router has two main modes of Operation:
2.1.1 Exec Mode (Normal or Privileged).
This mode is used to run any command that displays or resets something. Actually there are 16 privilege levels, used to give authorization to each level. The Normal mode is the lowest mode, the one you are in by default when you enter the router. It is a kind of read-only mode where you cannot configure anything, or even display the configuration file.
The default prompt is the router name plus > if you are a Normal user or # for a privileged user: R2(config)> OR R2(config)#
2.1.2 Configuration Mode.
This mode is used to configure the router. So before entering any configuration command you must enter this mode with the command "configure terminal". You must be a privileged user to use this command. This mode has many submodes. For instance, if you want to configure an interface or a routing protocol, you must first select it to enter its submode.
The default prompt for router R2 in configuration mode is: R2(config)#
The next step is to enable IPv6 routing with the config command:
R2(config)# ipv6 unicast-routing
In the past you also had to enable CEFv6, as it was not enabled by default, with the command
R2(config)# ipv6 cef
or
R2(config)# ipv6 cef distributed
For some platforms, you had the choice to run a distributed CEFv6 or not.
With distributed CEFv6, a copy of the CEFv6 tables is downloaded to the line cards, and the ingress LC which receives the packet takes the switching decision. The router CPU card is not involved.
The first troubleshooting command I used to check when facing a low performance problem was to verify that CEF was properly started with
R2# show ipv6 cef summary
R7#show ip cef summary
IPv4 CEF is enabled and running
VRF Default
17 prefixes (17/0 fwd/non-fwd)
Table id 0x0
Database epoch: 0 (17 entries at this epoch)
R7#show ipv6 cef summary
IPv6 CEF is enabled and running centrally.
VRF Default
14 prefixes (14/0 fwd/non-fwd)
Table id 0x1E000000
Database epoch: 0 (14 entries at this epoch)
2.2 CEFv6
If you have to troubleshoot a CISCO device, one day you will have to deal with CEF!
No DATA PLANE troubleshooting without CEFv6!...
If you are looking for the engineering team with really high-skilled guys at Cisco, you are looking for the CEF team! These guys need to do two things which are mutually exclusive, and this all the time: they must support a maximum number of services and at the same time they must design the fastest code, because all the Cisco switching performance relies on CEF! If an IP feature is not supported by CEF, the feature has no future if it also has to be efficient. If it is a slow terminal conversion thing which needs the speed of typing with one finger, fine! But if it must support wire speed? Forget it!
WHY???
We need to get back to the basics of computers to understand...
When a packet is received by an ASIC specialized to process the data coming from a physical media port, an interrupt is sent to the CPU. An interrupt is a signal transition like 0 to +5V or the opposite. The interrupt is raised by the physical media processor to tell the CPU that it has a packet, just like the postman sets up the flag after he has dropped a few letters in your mailbox! Guess who is called first by the CPU when it gets the interrupt signal? CEF...
Now CEF must take a decision: either switch the packet in interrupt mode, or queue the packet for further processing in a time-sharing fashion. It is clear that real-time traffic will only be supported by the interrupt mode. So where is the problem? The process in interrupt mode disables any other interrupt. The other line cards have a dedicated ASIC with memory to accommodate a few packets, but not too many...
The process must manage the packet as fast as possible, for the protocol which is being routed and for the other traffic waiting to be processed. This is why complex operations cannot be supported by CEF, and this has been the case of NAT-PT in IPv6!
For more details about CEFv6, please click on the link below:
http://www.ipv6forlife.com/Docs/CEFv6InaNutshell.pdf
The next step to configure a Cisco router for IPv6 is
Then you might be interested to check some other commands listed below:
2.3 CISCO Routers IPv6 Commands
R2(config)#ipv6 ?
access-list Configure access lists
cef Cisco Express Forwarding for IPv6
cga Configure IPv6 certified generated address
dhcp Configure IPv6 DHCP
general-prefix Configure a general IPv6 prefix
hop-limit Configure hop count limit
host Configure static hostnames
icmp Configure ICMP parameters
inspect Context-based Access Control Engine
local Specify local options
mfib Multicast Forwarding
mld Global mld commands
mobile Mobile IPv6
multicast IPv6 multicast
multicast-routing Enable IPv6 multicast
nat NAT-PT Configuration commands
nd Configure IPv6 ND
neighbor Neighbor
ospf OSPF
pim Configure Protocol Independent Multicast
port-map Port to application mapping (PAM) configuration commands
prefix-list Build a prefix list
route Configure static routes
router Enable an IPV6 routing process
source-route Process packets with source routing header options
unicast-routing Enable unicast routing
R2(config)#ipv6
R2(config-subif)#IPV6 ?
IPv6 interface subcommands:
address Configure IPv6 address on interface
authentication authentication subcommands
bandwidth-percent Set EIGRP bandwidth limit
cga Configure cga on the interface
dhcp IPv6 DHCP interface subcommands
eigrp Configure EIGRP IPv6 on interface
enable Enable IPv6 on interface
flow Flow related commands
hello-interval Configures IP-EIGRP hello interval
hold-time Configures IP-EIGRP hold time
inspect Apply inspect name
mfib Interface Specific MFIB Control
mld interface commands
mobile Mobile IPv6
mode Interface mode
mtu Set IPv6 Maximum Transmission Unit
multicast multicast
nat Enable IPv6 NAT on interface
nd IPv6 interface Neighbor Discovery subcommands
next-hop-self Configures IP-EIGRP next-hop-self
ospf OSPF interface commands
pim PIM interface commands
policy Enable IPv6 policy routing
redirects Enable sending of ICMP Redirect messages
rip Configure RIP routing protocol
router IPv6 Router interface commands
split-horizon Perform split horizon
summary-address Summary prefix
traffic-filter Access control list for packets
unnumbered Preferred interface for source address selection
unreachables Enable sending of ICMP Unreachable messages
verify Enable per packet validation
virtual-reassembly IPv6 Enable Virtual Fragment Reassembly
2.4 Display the IPv6 Traffic Statistics
R2#show ipv6 traffic
IPv6 statistics:
Rcvd: 295 total, 251 local destination
0 source-routed, 0 truncated
0 format errors, 0 hop count exceeded
0 bad header, 0 unknown option, 0 bad source
0 unknown protocol, 0 not a router
0 fragments, 0 total reassembled
0 reassembly timeouts, 0 reassembly failures
Sent: 278 generated, 0 forwarded
0 fragmented into 0 fragments, 0 failed
0 encapsulation failed, 0 no route, 0 too big
0 RPF drops, 0 RPF suppressed drops
Mcast: 276 received, 259 sent
ICMP statistics:
Rcvd: 49 input, 0 checksum errors, 0 too short
0 unknown info type, 0 unknown error type
unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
parameter: 0 error, 0 header, 0 option
0 hopcount expired, 0 reassembly timeout,0 too big
10 echo request, 0 echo reply
0 group query, 0 group report, 0 group reduce
0 router solicit, 20 router advert, 0 redirects
4 neighbor solicit, 5 neighbor advert
Sent: 46 output, 0 rate-limited
unreach: 0 routing, 0 admin, 0 neighbor, 0 address, 0 port
parameter: 0 error, 0 header, 0 option
0 hopcount expired, 0 reassembly timeout,0 too big
0 echo request, 10 echo reply
0 group query, 0 group report, 0 group reduce
0 router solicit, 23 router advert, 0 redirects
7 neighbor solicit, 6 neighbor advert
UDP statistics:
Rcvd: 212 input, 0 checksum errors, 0 length errors
0 no port, 0 dropped
Sent: 212 output
TCP statistics:
Rcvd: 0 input, 0 checksum errors
Sent: 0 output, 0 retransmitted
2.5 Display the Neighbor Cache
R2# show ipv6 neighbor
IPv6 Address Age Link-layer Addr State Interface
2001:DB8:CAFE:11::1 52 ca00.0494.0006 STALE Fa0/1.11
FE80::C800:4FF:FE94:6 44 ca00.0494.0006 STALE Fa0/1.11
2.6 Display the Routers Cache
R2# sh ipv6 routers
Router FE80::C800:4FF:FE94:6 on FastEthernet0/1.11, last update 0 min
Hops 64, Lifetime 1800 sec, AddrFlag=0, OtherFlag=0, MTU=1500
HomeAgentFlag=0, Preference=Medium
Reachable time 0 (unspecified), Retransmit time 0 (unspecified)
Prefix 2001:DB8:CAFE:11::/64 onlink autoconfig
Valid lifetime 2592000, preferred lifetime 604800
2.7 CEFv6 !!! Mandatory knowledge to troubleshoot the Cisco routers data plane!
When you want to trace the handling of a packet in a CISCO router, you need to take a look at the CEFv6 table. IPv6 packet switching is performed by CEFv6. CEFv6 resolves all the recursions that you may find in an IPv6 routing table and sets up an optimized structure (an mtrie) for very quick lookup and easy maintenance. The CEFv6 table works with the help of the adjacency table, which gives the mapping between the IPv6 next hop and the layer 2 address.
R1#show ipv6 cef 2001:db8:cafe:10::/64 internal
2001:DB8:CAFE:10::/64, epoch 0, RIB[I], refcount 4, per-destination sharing
sources: RIB
feature space:
IPRM: 0x00038000
ifnums:
FastEthernet0/1.11(11): FE80::C801:4FF:FE94:6
path 6822BA1C, path list 6822A77C, share 1/1, type attached nexthop, for IPv6
nexthop FE80::C801:4FF:FE94:6 FastEthernet0/1.11, adjacency IPV6 adj out of
FastEthernet0/1.11, addr FE80::C801:4FF:FE94:6 66F91C60
output chain: IPV6 adj out of FastEthernet0/1.11, addr FE80::C801:4FF:FE94:6 66F91C60
Once the CEFv6 entry is found, we need to look for the matching next-hop entry in the adjacency table. In the adjacency entry we find the origin of the resolution, like ND for IPv6 or ARP for IPv4.
If the router is currently resolving the IPv6 next hop to a layer 2 MAC address, the entry will be in the INCOMPLETE state. The packet which triggered the resolution is buffered, waiting for the resolution to complete. Once the resolution is complete, the packet is encapsulated and sent to its destination. This is different from IPv4, where the packet was dropped. We used to get 80% success the first time we pinged a destination because the first packet was dropped. This is no longer the case, and we should get 100% even the first time.
R1#show adjacency FE80::C801:4FF:FE94:6
Protocol Interface Address
IPV6 FastEthernet0/1.11 FE80::C801:4FF:FE94:6(7)
R1#show adjacency FE80::C801:4FF:FE94:6 internal
Protocol Interface Address
IPV6 FastEthernet0/1.11 FE80::C801:4FF:FE94:6(7)
0 packets, 0 bytes
epoch 0
sourced in sev-epoch 1
Encap length 18
CA0104940006CA00049400068100000B
86DD
IPv6 ND
Fast adjacency enabled [OK]
L3 mtu 1500
Flags (0x11A9E)
Fixup disabled
HWIDB/IDB pointers 0x66CCDD10/0x67E58500
IP redirect enabled
Switching vector: IPv6 adjacency oce
Adjacency pointer 0x66F91C60
Addresses of an IPv6 host:
A link-local address.
One or many unicast addresses.
One loopback ::1.
On each interface:
A node-local scope all-nodes multicast address: FF01::1
A link-local scope all-nodes multicast address: FF02::1
A solicited-node multicast address for each unicast address.
Router IPv6 addresses:
The loopback ::1 for the router.
A link-local address for each link.
As many global addresses as needed.
Multicast addresses such as all-nodes FF02::1, all-routers FF02::2.

Example of a CISCO router:
R0> show ipv6 int f1/0
FastEthernet1/0 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::C800:6FF:FEA9:1C
No Virtual link-local address(es):
Global unicast address(es):
2001:DB8:C0A8:A:C800:6FF:FEA9:1C, subnet is 2001:DB8:C0A8:A::/64 [EUI]
2001:DB8:C0A8:B:C800:6FF:FEA9:1C, subnet is 2001:DB8:C0A8:B::/64 [EUI]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FFA9:1C
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.
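As an added example (not from the book), this Python script rebuilds the address set of the FastEthernet1/0
interface shown above from its MAC address and the two /64 prefixes, then derives the multicast groups the
interface must join and compares them with the "Joined group address(es)" of the output. The MAC
ca:00:06:a9:00:1c is an assumption recovered from the [EUI] identifier (U/L bit flipped back, FF:FE removed);
everything else comes from the output. All three addresses share one interface identifier, so they collapse
onto a single solicited-node group, which is why only one FF02::1:FFxx:xxxx is listed; the output only shows
link-scope groups, so the node-local FF01:: ones are not compared.

```python
import ipaddress

# Constructed from the "show ipv6 interface" output above: the EUI-64 identifier C800:6FF:FEA9:1C implies
# the (assumed) burned-in MAC ca:00:06:a9:00:1c; the prefixes and groups are copied from the output.
MAC = "ca:00:06:a9:00:1c"
PREFIXES = ["2001:db8:c0a8:a::/64", "2001:db8:c0a8:b::/64"]
SHOWN_GROUPS = {"ff02::1", "ff02::2", "ff02::1:ffa9:1c"}


def eui64_iid(mac: str) -> int:
    """Modified EUI-64 interface identifier: insert FF:FE in the middle and flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def address_from_prefix(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """SLAAC address = 64-bit prefix | 64-bit interface identifier (only a /64 works)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def solicited_node(addr) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the last 24 bits of the unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)


def interface_addresses(mac: str, prefixes) -> list:
    """Link-local first, then one global address per advertised /64, all with the same EUI-64 IID."""
    iid = eui64_iid(mac)
    return [address_from_prefix("fe80::/64", iid)] + [address_from_prefix(p, iid) for p in prefixes]


def joined_groups(unicast_addrs, is_router: bool) -> set:
    """Link-scope groups an interface must listen to (node-local FF01:: groups are not displayed by IOS)."""
    groups = {"ff02::1"}                      # all-nodes
    if is_router:
        groups.add("ff02::2")                 # all-routers
    for a in unicast_addrs:
        groups.add(str(solicited_node(a)))    # one per unicast address; identical IIDs collapse to one
    return groups


if __name__ == "__main__":
    addrs = interface_addresses(MAC, PREFIXES)
    print("addresses:", [str(a) for a in addrs])
    print("joined groups match show output:", joined_groups(addrs, True) == SHOWN_GROUPS)
```

Run it against any other interface by swapping MAC and PREFIXES; a mismatch between the computed set and the
groups the router reports usually means an address was configured statically (non-EUI identifier) or that the
box is not a router on that link (no FF02::2).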
We need to manage IPv6 addresses four times longer than IPv4 ones, and the good old spreadsheet we were using
for IPv4 no longer does the job! With such long addresses, good name management is key to a successful
deployment. IP Address Management (IPAM) software is now the must-have for any network to solve this important
question.
Addresses, Names
& Services Mgmt.
DHCPv6 & DNS
1. Summary of dynamic addressing
2. SLAAC, DHCPv6 Stateful, Stateless Operations
3. DHCPv6
4. DHCP-PD Prefix Delegation
1 DHCPv6
1.1 Introduction
DHCPv6 is DHCP support for IPv6 and has been enhanced to support multiple modes of operation.
It is documented in many RFCs as multiple modes exist. The principal mode is described in RFC3315.
Also, the routers must advertise the presence of DHCPv6 in their Router Advertisements (ND M and O flags),
otherwise the workstation never sends a request and the DHCPv6 servers are ignored.
The base RFC3315 also provides authentication of the messages, which, where deployed, protects clients from rogue
DHCPv6 servers. In practice it is rarely implemented, so the usual defence is to block DHCPv6 server messages on
access ports of the switches (DHCPv6 Guard).
IPv6 supports 3 different methods to provide dynamic addressing, and they can be combined as they are not
mutually exclusive:
- Without any DHCPv6 it can be plug and play thanks to SLAAC.
- A DHCPv6 server can be added to get more details about the servers after we have figured out our IPv6
addresses without it.
- DHCPv6 can be used to provide a full block to address a whole site.
DHCPv6 CANNOT REPLACE THE ND PROTOCOL (RA): the default router, the on-link prefixes and the M/O flags only come
from Router Advertisements; there is no DHCPv6 option for a default gateway.

DHCPv6 can be used in 3 modes:
Stateful DHCPv6. This is the standard DHCP operation. The request includes both addresses and Other Information.
Stateless DHCPv6 (RFC3736). This is a new mode in IPv6 where we do not want any address from the DHCPv6 servers
but only Other Information like the domain name, DNS and other server addresses. It is called stateless because
in this mode the DHCPv6 server does not need to keep any state, since it does not allocate any address to
remember and manage.
DHCPv6 Prefix Delegation (RFC3633). This is also a new mode for DHCP. It is used to request a full block from the
Service Provider; the block is allocated and can then be subnetted at will. This mode is very convenient for SPs,
which can manage the prefix allocated to each customer from a DHCPv6 server that gets the prefix for each
customer from a RADIUS server.
We have seen that at the end of the SLAAC process, a booting workstation (or an interface coming up) may then
query a DHCPv6 server for more configuration. Whether it does so depends on two bits of the RA, contained in a
field called Flags.
If the Managed bit (M-bit) is set in the Flags of the RA, the workstation makes a full request including
address(es) and other information. This is Stateful DHCPv6 because the server needs to keep state for the
allocated addresses. When M is set, O is redundant.
If only the Other bit (O-bit) is set in the Flags of the RA, the workstation just requests Other Information and
NO ADDRESS. This is Stateless DHCPv6.
These bits MUST be set on the interfaces of the local routers where the workstations that need to query DHCPv6
servers are located (on IOS: ipv6 nd managed-config-flag and ipv6 nd other-config-flag). Nothing authenticates
these flags, so a rogue RA on the link can steer hosts to a rogue DHCPv6 server as easily as it can change their
default router.
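The M/O decision above, as an added example that is not from the book: build a Router Advertisement with the
M and O flags and one Prefix Information option, parse it the way a host does, and return which mechanisms the
host will use. The flag positions are those of RFC4861; the builder and the values it puts in the RA (hop limit,
lifetimes, the checksum left at zero) are assumptions for illustration, and the prefix 2001:db8:1::/64 is
constructed.

```python
import struct
import ipaddress

ND_ROUTER_ADVERT = 134
ND_OPT_PREFIX_INFO = 3
RA_FLAG_M, RA_FLAG_O = 0x80, 0x40          # RFC4861 Router Advertisement flags byte
PIO_FLAG_L, PIO_FLAG_A = 0x80, 0x40        # Prefix Information option flags byte


def build_ra(managed: bool, other: bool, prefix: str, autonomous: bool = True,
             router_lifetime: int = 1800) -> bytes:
    """Constructed ICMPv6 RA (checksum left at 0) carrying one Prefix Information option; assumed values."""
    flags = (RA_FLAG_M if managed else 0) | (RA_FLAG_O if other else 0)
    header = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 64, flags, router_lifetime, 30000, 0)
    net = ipaddress.IPv6Network(prefix)
    pio_flags = PIO_FLAG_L | (PIO_FLAG_A if autonomous else 0)
    pio = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen, pio_flags,
                      2592000, 604800, 0) + net.network_address.packed
    return header + pio


def parse_ra(packet: bytes) -> dict:
    """Extract the M/O flags, the default-router lifetime and the prefixes usable for SLAAC."""
    msg_type, _code, _csum, _hop, flags, lifetime, _reach, _retrans = struct.unpack("!BBHBBHII", packet[:16])
    if msg_type != ND_ROUTER_ADVERT:
        raise ValueError("not a Router Advertisement")
    info = {"M": bool(flags & RA_FLAG_M), "O": bool(flags & RA_FLAG_O),
            "default_router": lifetime > 0, "slaac_prefixes": []}
    offset = 16
    while offset + 2 <= len(packet):
        opt_type, opt_len = packet[offset], packet[offset + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option: RFC4861 says discard the packet")
        body = packet[offset:offset + opt_len * 8]
        if len(body) < opt_len * 8:
            raise ValueError("truncated ND option")
        if opt_type == ND_OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags = body[2], body[3]
            if pflags & PIO_FLAG_A:                     # A flag: host may autoconfigure from this prefix
                info["slaac_prefixes"].append(f"{ipaddress.IPv6Address(body[16:32])}/{plen}")
        offset += opt_len * 8
    return info


def host_behaviour(info: dict) -> set:
    """What a host does with this RA: SLAAC, stateful DHCPv6, stateless DHCPv6, or a combination."""
    actions = set()
    if info["slaac_prefixes"]:
        actions.add("SLAAC")
    if info["M"]:
        actions.add("DHCPv6 stateful")      # M implies O: addresses and Other Information via DHCPv6
    elif info["O"]:
        actions.add("DHCPv6 stateless")     # Information-Request only, no address from DHCPv6
    return actions


if __name__ == "__main__":
    for m, o in ((False, False), (False, True), (True, False)):
        ra = build_ra(m, o, "2001:db8:1::/64", autonomous=not m)
        print(f"M={m} O={o}:", sorted(host_behaviour(parse_ra(ra))))
```

Feed parse_ra() the ICMPv6 payload of a captured RA to see what the hosts on a link are being told; an RA with
M set but no A-flagged prefix is the "pure stateful" case, an RA with A set and only O is the common
"SLAAC plus DNS from DHCPv6" case.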
For a quick video presentation of DHCPv6, there is a series of tutorials starting with Part 1 from:
http://www.ipv6forlife.com/Tutorial/DHCPv6-Part1.html
1.2 DHCPv6 Commands and Fields
DHCPv6 protocol basic operations are not very different from IPv4; the message names are different and multicast
is used more in IPv6, but it is pretty much the same protocol. A DHCPv6 server can provide address(es) for a
client and Other Information like the domain name or any server addresses.
1.2.1 DUID
Each client and server is identified by its DHCP Unique Identifier (DUID). This identifier is mostly derived from
one of the device's MAC addresses, but it can be:
1 DUID-LLT: link-layer address plus time
2 DUID-EN: vendor-assigned unique ID based on an Enterprise Number
3 DUID-LL: link-layer address
The DUIDs are very important for a protocol which uses a lot of multicast messages to reach many servers or
relays. Note that the DUID is chosen by the client itself and verified by nobody: it identifies a client but
does not authenticate it.
See RFC3315 section 9 for details of the ways in which a DUID may be constructed.
1.2.2 Transaction IDs
A 24-bit Transaction ID identifies all the messages of the same transaction. It permits pairing a Solicit with
its Advertise (or a Request with its Reply) and must be chosen randomly so that it cannot be guessed.
1.2.3 IPv6 UDP Port Numbers
DHCPv6 is encapsulated in UDP over IPv6.
Clients listen on port 546; servers and relay agents listen on port 547.
1.2.4 IPv6 Multicast Addresses
DHCPv6 also uses IPv6 multicast addresses:
- All_DHCP_Relay_Agents_and_Servers (ff02::1:2)
This is a link-local scope IPv6 multicast address used by the clients to communicate with all the local servers
and relays. Every server on the link receives the Solicit; only the Server-ID (DUID) carried in the Request
tells each server whether the message is for it.
- All_DHCP_Servers (ff05::1:3)
This is a site-local scope IPv6 multicast address used by the relays to forward the local clients' requests to
all the DHCPv6 servers of the site that have joined this multicast group. Multicast routing must then be enabled
on all the site routers; in practice relays are usually configured with the unicast addresses of the servers
instead.
DHCPv6 relays encapsulate the messages from the clients to the servers and vice versa.
1.2.5 Identity Association (IA)
Basically we need an Identity Association to request address(es) for each interface.
See RFC3315 Section 10 for an excellent definition:
'An "identity-association" (IA) is a construct through which a server and a client can identify, group,
and manage a set of related IPv6 addresses. Each IA consists of an IAID and associated configuration
information.
A client must associate at least one distinct IA with each of its network interfaces for which it is to request
the assignment of IPv6 addresses from a DHCP server. The client uses the IAs assigned to an interface to obtain
configuration information from a server for that interface. Each IA must be associated with exactly one
interface.'
To get more details about how the addresses are allocated by the server, please see Section 11 of RFC3315.
Another example of the use of IAs would be a virtual server with many virtual interfaces: each group of virtual
interfaces playing the same role would use the same Identity Association.
1.2.6 Client/Server ID
DHCPv6 uses a lot of multicast. The SOLICIT and REQUEST messages are sent to All_DHCP_Relay_Agents_and_Servers
(FF02::1:2), so it is important to identify both client and server with something other than the address.
1.2.7 DHCP Messages
There are 13 messages to support the DHCPv6 operations. There is no need to explain each message one by one, but
we will explain most if not all of them as we get into the details of how DHCPv6 operates.
For a full list with explanations, please refer to Section 5.3 of RFC3315.
The 13 messages are:
SOLICIT 1
ADVERTISE 2
REQUEST 3
CONFIRM 4
RENEW 5
REBIND 6
REPLY 7
RELEASE 8
DECLINE 9
RECONFIGURE 10
INFORMATION-REQUEST 11
RELAY-FORW 12
RELAY-REPL 13
1.2.7.1 Used during the startup without Relays
SOLICIT (1), ADVERTISE (2), REQUEST (3), REPLY (7)
1.2.7.2 If a Relay is used we must add to the previous
RELAY-FORW (12), RELAY-REPL (13)
1.2.7.3 To Refresh an Address Reservation
RENEW (5), REBIND (6), REPLY (7)
1.2.7.4 To Request Information Only (Stateless DHCPv6)
INFORMATION-REQUEST (11)
1.2.7.5 Client doesn't need this address anymore
RELEASE (8)
1.2.7.6 Client confirms that the allocated address is still OK
CONFIRM (4)
1.2.7.7 Client refuses an address already in use
DECLINE (9)
1.2.7.8 A new config available needs a new Request
RECONFIGURE (10)
1.2.7.9 DHCP Messages Authentication
DHCPv6 messages can be authenticated, see Section 21 of RFC3315. Where it is deployed, this prevents clients
from accepting a rogue DHCPv6 server, but it requires a key shared between client and server. The framework is
open to any authentication protocol and manages the keys of a DHCPv6 server realm.
A DHCPv6 realm is a name used to identify the DHCP administrative domain from which a DHCP authentication key
was selected.
1.2.8 DHCP Options
All the information which is requested by a client or given by a server is actually coded in DHCPv6 options.
The full list is:
OPTION_CLIENTID 1
OPTION_SERVERID 2
OPTION_IA_NA 3
OPTION_IA_TA 4
OPTION_IAADDR 5
OPTION_ORO 6
OPTION_PREFERENCE 7
OPTION_ELAPSED_TIME 8
OPTION_RELAY_MSG 9
OPTION_AUTH 11
OPTION_UNICAST 12
OPTION_STATUS_CODE 13
OPTION_RAPID_COMMIT 14
OPTION_USER_CLASS 15
OPTION_VENDOR_CLASS 16
OPTION_VENDOR_OPTS 17
OPTION_INTERFACE_ID 18
OPTION_RECONF_MSG 19
OPTION_RECONF_ACCEPT 20
There are actually MORE OPTIONS added by later RFCs, for instance:
OPTION_IA_PD (25) and OPTION_IAPREFIX (26) from RFC3633 (Section 10) for DHCP Prefix Delegation
OPTION_DNS_SERVERS (23) and OPTION_DOMAIN_LIST (24) from RFC3646, DNS Configuration options for DHCPv6:
http://tools.ietf.org/html/rfc3646
For all details, please see Section 22 of RFC3315.
1.2.8.1 Client ID and Server ID Options
These options carry the client DUID to the server and the server DUID to the client. Generally, a DUID built from
a MAC address is used.
1.2.8.2 Addresses
1.2.8.2.1 IAADDR Option
The IAADDR option carries the IPv6 dynamic addresses allocated by the server.
Like the prefixes advertised in the RA, which permit deriving IPv6 addresses for the interfaces, the IAADDR
option has a Preferred Lifetime and a Valid Lifetime for each allocated address.
This permits IPv6 to manage the lifecycle of the dynamic addresses exactly like the addresses derived from the
prefixes contained in the RA. See the figure for more details about the states of a dynamic address.
Remember that an address must remain in the Preferred state if we want to use it for new connections, so the
Preferred and Valid lifetimes must be chosen carefully.
The IAADDR option must be encapsulated in one of the IA_NA or IA_TA options. The IAADDR options are shown with a
yellow background and red letters in both the IA_NA and IA_TA figures.
1.2.8.2.2 IA_NA Option
The IA_NA is used to encapsulate Non-temporary Addresses.
Two timers are associated with the refreshing of the IPv6 addresses of an IA:
T1 is the time after which the client contacts the DHCPv6 server which allocated the addresses to extend their
lifetimes (Renew).
T2 is the time after which the client contacts any DHCPv6 server to extend them (Rebind).
Care should be taken in setting T1 or T2 to 0xffffffff ("infinity"). A client will never attempt to extend the
lifetimes of any addresses in an IA with T1 set to 0xffffffff. A client will never attempt to use a Rebind
message to locate a different server to extend the lifetimes of any addresses in an IA with T2 set to
0xffffffff.
1.2.8.2.3 IA_TA Option
The IA_TA is used to encapsulate Temporary Addresses (Privacy Extensions, RFC4941). There are no T1/T2 timers
associated with it.
1.2.8.3 Prefix Delegation
The IA_PD option (with its IAPREFIX sub-option) is used in DHCP-PD (RFC3633) to request and provide a full block
like 2001:db8:678::/48, enough to address, for instance, all the buildings of a company in a city.
1.2.8.4 Option Request Option (ORO)
The ORO carries the list of the options which are requested by a client, or which the server asks the client to
request again after a reconfiguration. For instance, if the client requested the domain name, its option code is
in the ORO.
"A client MAY include an Option Request option in a Solicit, Request, Renew, Rebind, Confirm or
Information-request message to inform the server about options the client wants the server to send to
the client. A server MAY include an Option Request option in a Reconfigure option to indicate which
options the client should request from the server."
http://tools.ietf.org/html/rfc3315#section-22.7
Example of a Captured ORO:
1.2.9 Status Code Option
It is used to report the status of an operation. If it does not appear where it should, success is assumed.
1.2.10 Preference Option
It is possible for the servers to give a level of preference when multiple servers are available. When the
client receives multiple ADVERTISE messages, it prefers the server with the highest Preference (a Preference of
255 lets the client stop waiting for other Advertises).
Elapsed Time Option
The client sets it to the time elapsed since it started the current exchange. A secondary server can use it to
decide to answer a client that the primary server has left waiting too long.
1.2.11 Relay
1.2.11.1 Relay Message Option
It contains the DHCP message encapsulated by the relay in a Relay-Forward, or by the server in a Relay-Reply
message.
1.2.11.2 Interface-ID Option
A relay may add this option to record the interface on which the client message was received. The server copies
it into the Relay-Reply, and the relay uses it to forward the reply back out of the right interface.
1.2.12 Authentication Option
Used for DHCP message authentication. Useful to avoid rogue DHCPv6 servers when clients and servers share a key.
1.2.13 Server Unicast Option
The server sends this option to give the client its unicast address. The client can then bypass any relay and
send its messages directly to the server.
RFC3315 Section 22.12:
"Use of unicast may avoid delays due to the relaying of messages by relay agents, as well as avoid
overhead and duplicate responses by servers due to the delivery of client messages to multiple serv-
ers. Requiring the client to relay all DHCP messages through a relay agent enables the inclusion of
relay agent options in all messages sent by the client. The server should enable the use of unicast
only when relay agent options will not be used."
1.2.14 Rapid Commit Option
This option permits a transaction to be only 2 messages, Solicit and Reply, instead of 4. The client sets it in
the Solicit and the server, if it agrees, sets it in the Reply together with the committed addresses.
1.2.15 User Class Option
This option permits one to configure multiple classes of users that do not need the same parameters.
For instance, some clients may need a SIP server address and some don't.
1.2.16 Vendor
1.2.16.1 Vendor Class Option
This option, set by the client, tells the server which vendor's hardware or software the client is running.
1.2.16.2 Vendor-Specific Information Option
This option allows some vendor-specific information to be exchanged between the client and the server.
1.2.17 Reconfigure
1.2.17.1 Reconfigure Message Option
This option is used when a server has been reconfigured. The server asks the client to send a message to get a
new config. In a Reconfigure message, this option tells the client whether it must respond with a Renew message
(to refresh its addresses) or with an Information-Request message (to refresh Other Information only).
1.2.17.2 Reconfigure Accept Option
A client uses this option to tell the server that it is willing to accept Reconfigure messages; the server uses
it to tell the client whether it will send them. Because a Reconfigure is an unsolicited, server-initiated
message, RFC3315 requires it to be authenticated (reconfigure key) so that a rogue node cannot force clients to
re-request their configuration.
1.3 DHCPv6 Startup
The DHCPv6 messages used during the initialization to request addresses and/or Other Information are the
following.
1.3.1 Client & Server(s) are on the same link
1.3.1.1 Solicit
The client first sends a Solicit discovery message. It is not a reservation request when an address is needed,
just a discovery to figure out which servers around are available and could provide the information needed.
The destination address is the All Servers and Relays link-local multicast address ff02::1:2, the source is the
workstation's link-local address.
The information needed by the client is listed in the Option Request Option (ORO).
1.3.1.2 Advertise
The server(s) reply with an Advertise including all the available resources matching the client's ORO. This is
sent back to the link-local address of the client.
1.3.1.3 Request
The Request is sent to the All Servers and Relays link-local multicast address ff02::1:2, the source is the
workstation's link-local address.
The DUID of the chosen server (Server-ID option) identifies which server we want to use; the others ignore it.
1.3.1.4 Reply
The server provides the reservation if an address has been requested, and Information Only if that is what we
have requested (Information-Request, which skips the Solicit/Advertise/Request steps entirely).
1.3.2 Client & Server(s) use a Relay
If the server is not located on the same link as the client, a relay is needed in between. The relay forwards
the request to the server as a unicast message (to its configured server addresses) or to the well-known
site-local multicast address ff05::1:3.
The relay encapsulates the request in a Relay-Forward message to the server, and the server encapsulates its
response in a Relay-Reply message.
1.3.3 DHCP-PD Startup Example
In this example, the client sends a Solicit with an IA_PD requesting a prefix from the server. It is forwarded by
the relay. The server advertises a prefix and gives the Server Unicast option so that the client sends its
Request as a unicast message.
This is why the Request and the Reply bypass the relay.
The server provides a block, for instance 2001:db8:678::/48, which can be used and subnetted by the DHCP-PD
client.
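The startup exchange of 1.3.1 and the IA_PD of 1.3.3, as an added example that is not from the book: a small
Python codec for DHCPv6 messages that builds the client's Solicit, parses it on the server side and builds the
Advertise, with a check that T1/T2 are consistent with the lease lifetimes. Option layouts follow Section 22 of
RFC3315 and Section 10 of RFC3633; the MAC addresses, the lease 2001:db8:1::100, the prefix 2001:db8:678::/48,
the DNS server 2001:db8::53 and the lifetimes are assumed values. Nothing is sent on the wire: a real client
would send the Solicit bytes from port 546 to [ff02::1:2]:547.

```python
import struct
import ipaddress

# Message types and option codes (RFC3315, RFC3633, RFC3646) as listed in this chapter
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_ORO, OPT_ELAPSED_TIME = 1, 2, 3, 5, 6, 8
OPT_DNS_SERVERS, OPT_IA_PD, OPT_IAPREFIX = 23, 25, 26
INFINITY = 0xFFFFFFFF

def duid_ll(mac: str) -> bytes:
    """DUID-LL (type 3) over an Ethernet address (hardware type 1)."""
    return struct.pack("!HH", 3, 1) + bytes.fromhex(mac.replace(":", ""))

def option(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data

def iaaddr(addr: str, preferred: int, valid: int) -> bytes:
    return option(OPT_IAADDR, ipaddress.IPv6Address(addr).packed + struct.pack("!II", preferred, valid))

def iaprefix(prefix: str, preferred: int, valid: int) -> bytes:
    net = ipaddress.IPv6Network(prefix)
    return option(OPT_IAPREFIX, struct.pack("!IIB", preferred, valid, net.prefixlen) + net.network_address.packed)

def ia(code: int, iaid: int, t1: int, t2: int, sub: bytes = b"") -> bytes:
    """IA_NA and IA_PD share one layout: IAID, T1, T2, then IAADDR / IAPREFIX sub-options."""
    return option(code, struct.pack("!III", iaid, t1, t2) + sub)

def message(msg_type: int, xid: int, options: bytes) -> bytes:
    """1-byte msg-type followed by the 24-bit transaction-id, then the options."""
    return struct.pack("!I", (msg_type << 24) | (xid & 0xFFFFFF)) + options

def parse_options(data: bytes) -> list:
    out, off = [], 0
    while off + 4 <= len(data):
        code, length = struct.unpack("!HH", data[off:off + 4])
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated option")
        if code in (OPT_IA_NA, OPT_IA_PD):
            iaid, t1, t2 = struct.unpack("!III", body[:12])
            out.append((code, {"iaid": iaid, "t1": t1, "t2": t2, "sub": parse_options(body[12:])}))
        elif code == OPT_IAADDR:
            pref, valid = struct.unpack("!II", body[16:24])
            out.append((code, {"addr": str(ipaddress.IPv6Address(body[:16])), "pref": pref, "valid": valid}))
        elif code == OPT_IAPREFIX:
            pref, valid, plen = struct.unpack("!IIB", body[:9])
            out.append((code, {"prefix": f"{ipaddress.IPv6Address(body[9:25])}/{plen}", "pref": pref, "valid": valid}))
        else:
            out.append((code, body))
        off += 4 + length
    return out

def parse_message(packet: bytes) -> dict:
    head = struct.unpack("!I", packet[:4])[0]
    return {"type": head >> 24, "xid": head & 0xFFFFFF, "options": parse_options(packet[4:])}

def timers_ok(ia_opt: dict) -> bool:
    """T1 < T2, both inside the shortest preferred lifetime, so renewal happens while the lease is still usable."""
    t1, t2 = ia_opt["t1"], ia_opt["t2"]
    leases = [v for _, v in ia_opt["sub"]]
    if not leases or any(v["pref"] > v["valid"] for v in leases):
        return False
    if INFINITY in (t1, t2):
        return t1 <= t2                      # "never renew" is legal but must stay consistent
    return 0 < t1 < t2 <= min(v["pref"] for v in leases)

def client_solicit(mac: str, xid: int) -> bytes:
    """Step 1 (client -> ff02::1:2): ask for an address (IA_NA), a delegated prefix (IA_PD) and DNS servers (ORO)."""
    return message(SOLICIT, xid, option(OPT_CLIENTID, duid_ll(mac))
                   + option(OPT_ELAPSED_TIME, struct.pack("!H", 0))
                   + ia(OPT_IA_NA, 1, 0, 0) + ia(OPT_IA_PD, 2, 0, 0)
                   + option(OPT_ORO, struct.pack("!H", OPT_DNS_SERVERS)))

def server_advertise(solicit: bytes, server_mac: str, pref: int = 3600, valid: int = 7200) -> bytes:
    """Step 2 (server -> client link-local): offer leases with T1/T2 at 50%/80% of the preferred lifetime."""
    req = parse_message(solicit)
    if req["type"] != SOLICIT:
        raise ValueError("expected a SOLICIT")
    opts = dict(req["options"])
    t1, t2 = pref // 2, pref * 4 // 5
    answer = option(OPT_SERVERID, duid_ll(server_mac)) + option(OPT_CLIENTID, opts[OPT_CLIENTID])
    if OPT_IA_NA in opts:   # assumed pool values for the example
        answer += ia(OPT_IA_NA, opts[OPT_IA_NA]["iaid"], t1, t2, iaaddr("2001:db8:1::100", pref, valid))
    if OPT_IA_PD in opts:
        answer += ia(OPT_IA_PD, opts[OPT_IA_PD]["iaid"], t1, t2, iaprefix("2001:db8:678::/48", pref, valid))
    answer += option(OPT_DNS_SERVERS, ipaddress.IPv6Address("2001:db8::53").packed)
    return message(ADVERTISE, req["xid"], answer)

def run_exchange(client_mac: str, server_mac: str, xid: int) -> dict:
    """Solicit then Advertise; returns the parsed Advertise with its options keyed by option code."""
    adv = parse_message(server_advertise(client_solicit(client_mac, xid), server_mac))
    adv["options"] = dict(adv["options"])
    return adv
```

The Request and Reply of steps 3 and 4 reuse the same builders: the client copies the Server-ID it chose into
a REQUEST (type 3) with the same IA_NA/IA_PD, and the server answers with a REPLY (type 7) carrying the final
lifetimes. Run timers_ok() on whatever a production server hands out; a T1 larger than the preferred lifetime
means hosts keep addresses they can no longer use for new connections.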
1.4 DHCPv6 Configuration Management
"A client uses Request, Renew, Rebind, Release and Decline messages during the normal life cycle of addresses. It
uses Confirm to validate addresses when it may have moved to a new link. It uses Information-Request messages
when it needs configuration information but no addresses." (Section 18.1 of RFC3315)
1.4.1 Address Refresh initiated by the Client
Once an address has been allocated, it must be maintained and refreshed as soon as required.
IA_NA and IA_PD leases come with the DHCPv6 timers T1 and T2, which trigger the process. These two timers must
be set consistently with the Preferred and Valid lifetimes of the addresses: remember that an address MUST
remain Preferred to be used for new connections, so T1 and T2 must both expire while the addresses are still
Preferred (RFC3315 recommends T1 = 50% and T2 = 80% of the shortest Preferred lifetime in the IA).
IPv6 addresses come with two timers, the Preferred and the Valid lifetimes. For static addresses, these timers
are usually set to infinity, which is ALL ONES.
Dynamic addresses must be refreshed to reset these timers, so that the addresses (or the addresses derived from
a prefix) remain in the Preferred state.
In figure 6.18 we can see how these timers are reset by unsolicited RAs.
With DHCPv6, the Preferred and Valid lifetimes are also refreshed when the client RENEWs its reservation. These
lifetimes are carried in the IAADDR option (or IAPREFIX for a prefix), which is encapsulated in the IA_NA or
IA_PD option. Both IA_NA and IA_PD options also carry the two DHCPv6 protocol timers T1 and T2 (IA_TA has none).
When T1 expires, the client sends a RENEW to the server from which it learned its configuration.
If the RENEW to that server is not answered before T2 expires, the client sends a REBIND to all the available
servers.
RFC3315, Section 18.1.4:
"The message exchange is terminated when the valid lifetimes of all the addresses assigned to the IA expire
(see section 10), at which time the client has several alternative actions to choose from.
For example:
The client may choose to use a Solicit message to locate a new DHCP server and send a Request for the expired IA
to the new server.
The client may have other addresses in other IAs, so the client may choose to discard the expired IA and use the
addresses in the other IAs."
1.4.2 A client may have moved
http://tools.ietf.org/html/rfc3315#section-18.1.3
In any situation when a client may have moved to a new link, the client MUST initiate a Confirm/Reply
message exchange.
For Example:
The client reboots.
The client is physically connected to a wired connection.
The client returns from sleep mode.
The client using a wireless technology changes access points.
1.4.3 A client doesn't need an Address anymore
The client sends a Release message to the server.
1.4.4 A client detects a Duplicated Address
The client sends a Decline message to the server.
1.4.5 Server Configuration has changed
The server must inform the client with a RECONFIGURE message.
The RECONFIGURE message includes the Reconfigure Message option to tell the client whether it must send a Renew
(providing addresses) or an Information-Request (not providing any address).
1.4.6 Constants
1.4.7 DHCP Reliability
Because UDP does not provide reliability, it must be provided by the application. The client begins the message
exchange by transmitting a message to the server. The message exchange terminates when either the client
successfully receives the appropriate response or responses from a server or servers, or when the message
exchange is considered to have failed according to the retransmission mechanism (RFC3315 Section 14:
randomized exponential backoff, bounded by the per-message constants of Section 5.5).
1.5 Capture Example
1.5.1 Solicit Message
1.5.2 Advertise Message
Options: Server ID, Client ID, IA_NA with IAADDR and Domain Search List
1.6 SUMMARY
2 DNS
2.1 Introduction
DNS was introduced in RFC1034 and RFC1035. The objects of DNS are organized as a tree structure whose root is
".".
It is transported over IPv6 (or IPv4), encapsulated in UDP port 53 for most messages, but over TCP port 53 for
exchanges like zone transfers, and for any answer too large for UDP.
The initial RFC1035 had a serious limitation for IPv6, which is the UDP message size limit of 512 octets.
So we actually had two problems to solve:
The maximum size of 512 bytes for UDP messages
How to code IPv6 names to addresses and vice versa
Many record types are used by DNS:
NS for Name Servers, MX for Mail Exchange (DNS plays a key role in mail routing on the Internet), A for IPv4
addresses, AAAA for IPv6 addresses, PTR for the reverse mapping of an address to a name.
And more...
2.1.1 Servers hierarchy
2.1.1.1 ROOT Servers
At the very top, we have the ROOT servers.
They hold the list of the name servers of each Top-Level Domain like .com or .uk, and return their addresses.
13 IPv4 anycast addresses are used and, last time I checked, 9 IPv6 addresses were also ready.
13 IPv4 addresses can be sent in a 512-byte UDP message (436 bytes are actually needed)! Remember that 512
octets were the size limit for a UDP message in RFC1035. Adding 13 IPv6 addresses certainly goes over the limit
(800+ bytes)!
There are actually 200+ physical server instances around the globe.
Domain root-servers.net: a.root-servers.net through m.root-servers.net
In Europe, the RIPE instances of k.root-servers.net are located in Amsterdam, Athens, Doha, Frankfurt, London and
Milan. IPv4: 193.0.14.129, IPv6: 2001:7fd::1
IPv6 addresses are already supported by 9 of the 13 root servers.
Requirements of a Root Server are in RFC2870
http://www.iana.org/domains/root/
2.1.2 Top Level Domain Servers
They return the address of the NS for a user domain, for example fredbovy.com.
The full list is at http://www.iana.org/domains/root/db/
There are two kinds of TLD:
2.1.2.1 The Generic Top-Level Domains (gTLD)
.com, .edu, .net, .mil,
But there are also some other registered gTLDs:
The .org domain is intended to serve the noncommercial community.
The .aero domain is reserved for members of the air transport industry.
The .biz domain is reserved for businesses.
The .coop domain is reserved for cooperative associations.
The .int domain is only used for registering organizations established by international treaties between
governments.
The .museum domain is reserved for museums.
The .name domain is reserved for individuals.
The .pro domain is being established; it will be restricted to credited professionals and related entities.
2.1.2.2 The Country Code Top-Level Domains (ccTLD)
There is one for each country: .us, .ca, .fr, .uk.
2.1.3 The Authoritative Domain Servers
To increase performance and reliability of DNS, there is more than one DNS server for each domain.
2.1.3.1 Primary or Master DNS Server
The master zone file describing the zone (zone config file) is located on the primary server.
2.1.3.2 Secondary or Slave DNS Server
The secondary server is synchronized with the primary thanks to zone transfers over TCP.
2.1.3.3 Caching-only Servers
A caching server keeps the answers it has obtained on a local server, so when the same query is made again the
answer is available locally.
2.2 Clients Query Modes
There are two modes for clients to resolve an IPv6 name to an address:
2.2.1 Iterative (supported by all NS)
This mode actually involves the requester more than the local NS: each server answers with the best referral it
has (for instance the NS of the TLD), and the requester follows the referrals itself until it reaches the
authoritative server.
2.2.2 Recursive
The recursive mode actually involves the local server more than the requester: the requester asks once, and the
local server walks the hierarchy on its behalf, caches what it learns and returns the final answer.
2.3 Support of IPv6 for DNS
2.3.1 EDNS0
RFC1035 limits the DNS UDP message to 512 bytes.
13 IPv4 anycast addresses were used to represent the 200+ servers so that the announcement fits in a 512-byte
message, 436 bytes actually, leaving room for some options.
With only 5 IPv6 addresses added to the Additional Section of the Type NS response message that the root server
operators return during the priming exchange, the size of the response message increases from 436 bytes to 576
bytes.
9 root servers have been assigned IPv6 addresses.
When all 13 root name servers are assigned IPv6 addresses, the priming response will increase in size to 811
bytes (with the EDNS0 OPT record included)!
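To see where the 436, 576 and 811 figures come from, here is an added example (not from the book) that
assembles a root priming response on the wire, with RFC1035 name compression, from 13 NS records and as many A
and AAAA glue records as requested. The header id, the TTL, the all-zero glue addresses and the 4096-byte EDNS0
buffer size are constructed values. The 811-byte figure holds when the 11-byte OPT pseudo-record advertising
EDNS0 is counted in the response.

```python
import struct

ROOT_LETTERS = "abcdefghijklm"                  # a.root-servers.net ... m.root-servers.net
TYPE_A, TYPE_NS, TYPE_AAAA, TYPE_OPT = 1, 2, 28, 41
CLASSIC_UDP_LIMIT = 512                          # RFC1035 maximum without EDNS0


def encode_name(labels) -> bytes:
    """Uncompressed wire-format name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def rr(owner: bytes, rtype: int, rdata: bytes, ttl: int = 518400) -> bytes:
    """Resource record: owner name, TYPE, CLASS IN, TTL, RDLENGTH, RDATA."""
    return owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def priming_response(n_ipv4: int = 13, n_ipv6: int = 0, edns: bool = False) -> bytes:
    """Constructed answer to '. IN NS': 13 NS records plus A/AAAA glue for the first n servers of each kind.
    Name compression (RFC1035 4.1.4) is applied the way a real server does it."""
    if not (0 <= n_ipv4 <= 13 and 0 <= n_ipv6 <= 13):
        raise ValueError("there are only 13 root server names")
    arcount = n_ipv4 + n_ipv6 + (1 if edns else 0)
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 13, 0, arcount)   # id, flags QR|RD|RA, qd, an, ns, ar
    msg += b"\x00" + struct.pack("!HH", TYPE_NS, 1)                    # question: "." IN NS
    name_offset, suffix_offset = {}, None
    for letter in ROOT_LETTERS:
        rdata_offset = len(msg) + 1 + 10                  # after the owner "." and the 10 fixed RR bytes
        if suffix_offset is None:                         # first NS spells out root-servers.net in full
            rdata = encode_name([letter, "root-servers", "net"])
            suffix_offset = rdata_offset + 2              # "\x01a" precedes the shared suffix
        else:                                             # later ones: "<letter>" + pointer to the suffix
            rdata = bytes([1]) + letter.encode() + struct.pack("!H", 0xC000 | suffix_offset)
        name_offset[letter] = rdata_offset
        msg += rr(b"\x00", TYPE_NS, rdata)
    for letter in ROOT_LETTERS[:n_ipv4]:                  # glue: owner is a pointer into the NS rdata
        msg += rr(struct.pack("!H", 0xC000 | name_offset[letter]), TYPE_A, bytes(4))      # constructed IPv4
    for letter in ROOT_LETTERS[:n_ipv6]:
        msg += rr(struct.pack("!H", 0xC000 | name_offset[letter]), TYPE_AAAA, bytes(16))  # constructed IPv6
    if edns:                                              # OPT pseudo-RR: the CLASS field carries the UDP size
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
    return msg


def fits_classic_udp(msg: bytes) -> bool:
    return len(msg) <= CLASSIC_UDP_LIMIT


if __name__ == "__main__":
    for v4, v6, e in ((13, 0, False), (13, 5, False), (13, 13, True)):
        size = len(priming_response(v4, v6, e))
        print(f"{v4} A + {v6} AAAA{' + OPT' if e else ''}: {size} bytes, fits in 512: {size <= 512}")
```

Each A glue record costs 16 bytes and each AAAA 28, so the response stops fitting in 512 bytes as soon as the
third AAAA record is added; a resolver that does not signal a larger buffer with EDNS0 gets a truncated answer
and has to retry over TCP.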
2.3.2 Priming Exchange
The priming exchange happens when a resolver requests the list of root servers. Conditions for the successful
completion of a priming exchange:
Resolvers and any intermediate systems that are situated between resolvers and root name servers must be able to
process DNS messages containing Type AAAA resource records.
Additionally, resolvers must use DNS Extensions (EDNS0, RFC2671) to notify root name servers that they are able
to process DNS response messages larger than the 512-byte maximum DNS message size specified in RFC1035.
Intermediate systems must be configured to forward UDP-encapsulated DNS response messages larger than the
512-byte maximum DNS message size specified in RFC1035 to the resolvers that issued the priming request.
2.3.3 Test EDNS0 Implementation
To test what a firewall implementation does when it receives a UDP-encapsulated DNS response message larger than
512 bytes, a network or firewall administrator can perform the following DNS lookup using:
This command should elicit a 699-byte response that contains AAAA resource records.
If no response is received, network and firewall administrators should first determine if a security policy
other than the vendor's default processing for DNS messages is blocking large response messages or large UDP
messages. If no policy other than the vendor's default processing is configured, note the implementation and
version and contact your vendor to determine if an upgrade or hot fix is available.
2.4 DNSSEC
DNSSEC is an effort to make DNS more secure by authenticating the data in responses.
DNSSEC is detailed in RFC4033, RFC4034 and RFC4035. A discussion of operational practices relating to DNSSEC can
be found in RFC4641.
In DNSSEC a secure response to a query is one which is cryptographically signed and validated.
It provides origin authentication and integrity only: no protection against DoS attacks (the larger signed
responses even make amplification worse) and no confidentiality.
DNSSEC adds new Resource Record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation
Signer (DS) and Next Secure (NSEC, or NSEC3 from RFC5155).
A signed zone contains these additional security-related records.
DNSSEC requires support for EDNS0 (RFC2671) and the DNSSEC OK (DO) EDNS bit (RFC3225).
The Root Zone is signed:
http://data.iana.org/root-anchors/draft-icann-dnssec-trust-anchor.html
2.5 Configuration of DNS Bind Server on Linux
2.5.1 Zones and Zone Files
A zone file translates the domain names into addresses.
A zone file contains:
Data that describes the zone authority, known as the Start of Authority (SOA) Resource Record.
All the hosts within the zone:
A Resource Record for an IPv4 address
AAAA Resource Record for an IPv6 address
Data that describes global information for the zone: MX Resource Records for the domain's mail servers and NS
Resource Records for the name servers.
In the case of a subdomain delegation, the name servers responsible for this subdomain.
A zone file looks like this:
[Figure: example zone file]
2.5.2 Reverse-Mapping Zone
The reverse zone maps addresses back to names with PTR records. For IPv6 the zone lives under ip6.arpa and the
owner name is made of the 32 hex nibbles of the address in reverse order, one label each, so a /64 delegation
is a 16-label name under ip6.arpa.
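As an added example (not from the book, and not BIND's own tooling), this Python script generates a forward
zone with A and AAAA records and the matching ip6.arpa reverse zone for a /64, including the nibble reversal
that is easy to get wrong by hand. The domain example.com., the host names, the SOA values and the addresses in
HOSTS are constructed; the IPv6 prefix is the one used for the router in this chapter.

```python
import ipaddress

# Constructed example hosts: names and addresses are assumptions, not from the book
ORIGIN = "example.com."
HOSTS = {
    "www": ["192.0.2.10", "2001:db8:c0a8:a::10"],
    "mail": ["192.0.2.25", "2001:db8:c0a8:a:c800:6ff:fea9:1c"],
}


def reverse_name(addr: str) -> str:
    """Owner name of the PTR: 32 nibbles in reverse order under ip6.arpa (octets under in-addr.arpa)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6:
        nibbles = f"{int(ip):032x}"
        return ".".join(reversed(nibbles)) + ".ip6.arpa."
    return ".".join(reversed(addr.split("."))) + ".in-addr.arpa."


def reverse_zone_origin(zone_prefix: str) -> str:
    """ip6.arpa zone for a prefix; a delegation can only be cut on a nibble (4-bit) boundary."""
    net = ipaddress.IPv6Network(zone_prefix)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa zones must be cut on a nibble boundary")
    nibbles = f"{int(net.network_address):032x}"[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def soa_and_ns(origin: str, serial: int) -> list:
    return [f"@ IN SOA ns1.{origin} hostmaster.{origin} ( {serial} 7200 3600 1209600 3600 )",
            f"@ IN NS ns1.{origin}"]


def forward_zone(origin: str, hosts: dict, serial: int = 2012010101) -> str:
    """Forward zone: A for IPv4, AAAA for IPv6, plus an MX for the domain."""
    lines = [f"$ORIGIN {origin}", "$TTL 86400"] + soa_and_ns(origin, serial) + [f"@ IN MX 10 mail.{origin}"]
    for host, addrs in sorted(hosts.items()):
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            lines.append(f"{host} IN {'AAAA' if ip.version == 6 else 'A'} {ip}")
    return "\n".join(lines) + "\n"


def reverse_zone(origin: str, zone_prefix: str, hosts: dict, serial: int = 2012010101) -> str:
    """Reverse zone for one IPv6 prefix: a PTR per address inside it, owner names relative to the zone."""
    net = ipaddress.IPv6Network(zone_prefix)
    zone_origin = reverse_zone_origin(zone_prefix)
    lines = [f"$ORIGIN {zone_origin}", "$TTL 86400"] + soa_and_ns(origin, serial)
    for host, addrs in sorted(hosts.items()):
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if ip.version == 6 and ip in net:
                relative = reverse_name(addr)[: -len(zone_origin) - 1]   # strip "." + zone origin
                lines.append(f"{relative} IN PTR {host}.{origin}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(forward_zone(ORIGIN, HOSTS))
    print(reverse_zone(ORIGIN, "2001:db8:c0a8:a::/64", HOSTS))
```

Both outputs are in master-file syntax and can be loaded by BIND as the zone files of example.com. and of
a.0.0.0.8.a.0.c.8.b.d.0.1.0.0.2.ip6.arpa.; keep the serial in sync between forward and reverse zones when you
regenerate them from the same host list.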
2.5.3 Transport of IPv6 Information in IPv6
DNS requests must be transported in IPv6.
DNS root servers and Top-level domains must support IPv6.
9 of the 13 root servers are IPv6 ready!
DNS messages larger than 512 bytes are supported since DNS Extension 0 (EDNS0, RFC2671).
The old firewalls were blocking DNS UDP messages bigger than 512 octets. It has been fixed for a long time, but
if you are at a customer site which has not upgraded its software for a long time either, you may hit this
issue.
2.6 Dynamic DNS
DNS servers can be updated dynamically.
A host that got an address from DHCPv6 or SLAAC (or the DHCPv6 server acting on its behalf) can update the DNS
servers by sending DNS UPDATE messages, so this is not only possible with servers doing both DHCPv6 and DNS.
RFC2136 itself defines no authentication for the updates; RFC3007 secures them with TSIG or SIG(0), and a server
should never accept unauthenticated updates from arbitrary hosts, or anyone on the network can rewrite your
names.
Dynamic Updates in the Domain Name System (DNS UPDATE): http://tools.ietf.org/html/RFC2136
Secure Domain Name System (DNS) Dynamic Update: http://tools.ietf.org/html/RFC3007
Operational Considerations and Issues with IPv6 DNS: http://tools.ietf.org/html/rfc4472
2.7 Capture of DNS Traffic
IPv6 Multicast is not very different from its IPv4 counterpart. Only the non-scalable protocols have been
removed, like PIM-DM or MSDP, and the others have been ported, sometimes with a new name like MLD instead of
IGMP.
Multicast
Topic
1. Introduction
2. Protocol Independent Multicast (PIM)
1. PIM Sparse Mode or ASM
2. PIM Source Specific Multicast (SSM)
3. PIM BIDIR
3. Embedded Rendez-vous Point
4. Multicast on Layer 2
1 Introduction
IPv6 Multicast is not very different from its IPv4 counterpart. Only the non-scalable protocols have been
removed (PIM-DM), and the others have been ported, sometimes with a new name like MLD instead of IGMP.
PIM is used for the routing of multicast; for the management of the receivers, IGMP has been ported as MLD.
The very long addresses of IPv6 allowed the Embedded RP, which is great as there is no need to configure the RP
on each router. The IPv6 multicast router configuration can then be summarized in only one command on CISCO
IOS: ipv6 multicast-routing, and that's it.
When multicast users are connected with Layer 2 switches, MLD snooping should be used where IGMP snooping was
for IPv4.
The common rule for all multicast routing is Reverse Path Forwarding, or RPF. This rule says that a packet MUST
always be received on the interface which has the best cost to get back to the source address of the packet.
Otherwise we say that RPF fails and the packet is silently dropped. This is the basic rule to avoid multicast
routing loops.
Chapter 8
Multicast
[Figure: Solicited-Node IPv6 Multicast Address (128 bits). Unicast address 805B:2D9D:DC28::FC57:D4C8:1FFF;
prefix FF02::1:FF00:0/104; solicited-node multicast address FF02:0:0:0:0:1:FFC8:1FFF, i.e. the prefix followed
by the last 24 bits of the interface identifier. It is automatically configured for each unicast address.]
Just remember the Solicited-Node multicast address example, which is derived from the unicast address and is
used by the ND MAC address resolution protocol.
Other examples of applications which use multicast are NTP or DHCPv6.
For this chapter you will need a Web connection and a display unit supporting Flash presentations for these
presentations:
IPv6 Multicast Part 1
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part1.html
IPv6 Multicast Part 2
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part2.html
IPv6 Multicast Part 3
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part3.html
On the other hand, the PowerPoint presentations can be found in PPS slideshow format on the IPv6 for Life Web
site and in PDF on the public Slideshare server, so you can also download them from there.
2 Protocol Independent Multicast
PIM is Independent because it does not build a separate
Unicast Routing Table to run the RPF. Instead it uses the exist-
ing routing table but the same good old RPF rule still applies.
At the beginning there was two avors PIM Dense Mode and
PIM Sparse Mode. The rst one has not been ported to IPv6 be-
cause it was clearly not scalable. On the other hand PIM-SM is
still in use for IPv6 Networks.
With PIM-SM, the Multicast Receivers are not supposed to
know the addresses of the Sources when they register to listen
for a particular Group with the local MLD Querier. The Mul-
ticast sources do not need any signaling to send any trafc.
This must be managed by its directly connected router that we
call a PIM Designated Router or PIM-DR.
So we need a place somewhere in the network for any Source,
thanks to its PIM-DR to meet the receivers thanks to the local
MLD Querier. This meeting place is called a Rendez-Vous
Point.
For a detailed presentation of PIM-SM Operations and other
topic addressed in this chapter, please use this presentation:
http://www.ipv6forlife.com/Docs/MulticastIPv6.pps
This presentation and other is also located on the public site
Slideshare.com, look for Fred Bovy, IPv6 For Life Presenta-
tions.
PIM-SM is also explained in these short Flash Presentations:
IPv6 Multicast Part 1
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part1.html
IPv6 Multicast Part 2
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part2.html
IPv6 Multicast Part 3
http://www.ipv6forlife.com/Tutorial/IPv6Multicast-Part3.html
With PIM-SSM, the receivers know the address of the source. When a receiver registers with the MLD Querier, it provides both the group address it wants to listen to and the IPv6 unicast address of the source; this requires MLDv2, since MLDv1 can only name a group. IPv6 reserves the range FF3x::/32 for SSM groups. So there is no need for a Rendez-Vous Point and its associated shared tree: we are always on the Shortest-Path Tree, and a receiver can never be fed by a source it did not ask for.
PIM-BIDIR keeps only the shared tree of PIM-SM, rooted at the RP (see the Flash presentation), with no Register process and no switch to a source tree. Traffic flows in both directions on that tree, so the sources can also receive and the receivers can also send.
3 Embedded Rendez-Vous Point
The Embedded-RP (RFC 3956) is also fully covered in the PPT Slideshow given earlier, but it is really easy to explain quickly.
The idea is to encode the unicast address of the RP inside the 128-bit multicast group address itself. Only the network prefix of the RP is carried, which can be up to 64 bits long, followed by a 4-bit RP Interface ID (RIID); since RIID 0 is reserved, one prefix can designate 15 different RPs. Any router that sees the group address can derive the RP from it, without any RP configuration or bootstrap protocol.
Let's see how the group address FF7E:0130:2001:db8:9abc::4321 is coded, field by field:
FF7E:0130:2001:db8:9abc::4321
FF = multicast prefix
7 = flags 0RPT = 0111: R (embedded RP), P (unicast-prefix-based) and T (transient) are all set
E = scope: global
0 = reserved, must be zero
1 = RIID = 1
30 = plen = 30 hex = 48 decimal
2001:db8:9abc:0000 = 64-bit network prefix field, of which only the first plen = 48 bits count: the Embedded RP Prefix is 2001:db8:9abc::/48
0000:4321 = 32-bit group ID
Rendez-Vous Point Address: take the first plen bits of the prefix, pad with zeros and put the RIID in the last 4 bits. The RIID is 1, so the full address of this RP is 2001:db8:9abc::1.
The IPv6 multicast address flags are 0, R, P and T. T marks a transient (non-permanent) address, P a prefix-based address (RFC 3306) and R an embedded-RP address. R is only valid when P and T are also set, so every embedded-RP group starts with FF7x.
Then on the Cisco routers you just need to go on each router and type the command ipv6 multicast-routing, which enables PIM and MLD on all IPv6 interfaces with embedded-RP support on by default, and that's it! The only exception is the router acting as the RP, which must still be told so with ipv6 pim rp-address; the other routers derive it from the group address. Your work is done, the customer can sign the papers and you can get back home early today!
One caveat before you leave: because the RP is chosen by whoever picks the group address, an embedded-RP group arriving from an untrusted side can point Registers and Joins at any address. Filter embedded-RP groups at the edge so that only RPs inside your own prefixes are honored, and protect the RP itself against Register flooding.
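Here is the decoding above carried out in code, as an added example that is not part of the book: it splits an embedded-RP group address into its RFC 3956 fields, derives the RP unicast address, rebuilds a group address from an RP, rejects malformed groups (RIID 0, wrong flags, plen over 64), and applies the edge filter mentioned above. The group and RP addresses are the ones from the walk-through; the trusted-prefix list in the filter is an assumption for the example.

```python
import ipaddress


def decode_embedded_rp(group):
    """Decode an RFC 3956 embedded-RP group address into its fields.

    Layout: FF | flags 0RPT (4 bits) | scope (4) | reserved (4) | RIID (4)
            | plen (8) | network prefix (64) | group ID (32).
    The RP unicast address is the first `plen` bits of the network prefix,
    zero padded, with the RIID in the last four bits.  Raises ValueError
    when the address is not a well-formed embedded-RP group.
    """
    b = ipaddress.IPv6Address(group).packed
    if b[0] != 0xFF:
        raise ValueError("not a multicast address")
    flags, scope = b[1] >> 4, b[1] & 0x0F
    if flags != 0b0111:  # R, P and T set, leading bit zero: FF7x::/12
        raise ValueError("embedded-RP groups need flags 0RPT = 0111 (FF7x)")
    if b[2] >> 4 != 0:
        raise ValueError("reserved nibble must be zero")
    riid = b[2] & 0x0F
    if riid == 0:
        raise ValueError("RIID 0 is reserved")
    plen = b[3]
    if not 1 <= plen <= 64:
        raise ValueError("plen must be 1..64")
    prefix_field = int.from_bytes(b[4:12], "big") << 64   # left-align in 128 bits
    keep = ((1 << plen) - 1) << (128 - plen)              # only the first plen bits count
    prefix = prefix_field & keep
    return {
        "scope": scope,
        "riid": riid,
        "plen": plen,
        "prefix": str(ipaddress.IPv6Network((prefix, plen))),
        "group_id": int.from_bytes(b[12:16], "big"),
        "rp": str(ipaddress.IPv6Address(prefix | riid)),
    }


def encode_embedded_rp(rp, plen, scope, group_id):
    """Build the embedded-RP group for an RP whose address is <prefix>::<RIID>."""
    rp_int = int(ipaddress.IPv6Address(rp))
    riid = rp_int & 0x0F
    if riid == 0 or not 1 <= plen <= 64 or not 0 <= group_id < (1 << 32):
        raise ValueError("RIID must be 1..15, plen 1..64, group ID 32 bits")
    if (rp_int & ((1 << (128 - plen)) - 1)) >> 4:       # bits between prefix and RIID
        raise ValueError("RP address must be <prefix>::<RIID>")
    prefix_field = rp_int >> 64                        # top 64 bits, zero beyond plen
    packed = (bytes([0xFF, 0x70 | (scope & 0x0F), riid, plen])
              + prefix_field.to_bytes(8, "big")
              + group_id.to_bytes(4, "big"))
    return str(ipaddress.IPv6Address(packed))


def is_embedded_rp_group(group):
    try:
        decode_embedded_rp(group)
        return True
    except ValueError:
        return False


def rp_in_trusted_prefix(group, trusted_prefixes):
    """Edge filter: honour an embedded-RP group only if the RP it names lies
    inside one of our own prefixes, so a foreign group cannot steer Registers
    and Joins at an arbitrary address."""
    rp = ipaddress.IPv6Address(decode_embedded_rp(group)["rp"])
    return any(rp in ipaddress.IPv6Network(p) for p in trusted_prefixes)


if __name__ == "__main__":
    group = "FF7E:0130:2001:db8:9abc::4321"       # the group from the walk-through
    print(decode_embedded_rp(group))
    print(encode_embedded_rp("2001:db8:9abc::1", 48, 0xE, 0x4321))
    print(rp_in_trusted_prefix(group, ["2001:db8::/32"]))   # assumed site prefix
```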
4 IPv6 Multicast on Layer 2
IPv6 multicast is encapsulated in Ethernet frames using the MAC address prefix 33:33 instead of the 01:00:5e prefix used for IPv4. The remaining 32 bits of the destination MAC are the last 32 bits of the IPv6 group address. Only those 32 bits survive the mapping, so all groups that differ only in their first 96 bits (for example FF02::1:FF90:FE53 and FF05::1:FF90:FE53) end up on the same MAC address.
IPv6 Encapsulation in Ethernet:
IPv6 Multicast Address (128 bits): FF02:0:0:0:0:1:FF90:FE53
MAC Address (48 bits): 33:33:FF:90:FE:53
When switches are used, we use MLD Snooping so that group traffic is only forwarded on the ports behind which interested receivers are attached, instead of being flooded to every port of the VLAN. This is only possible because switching is now performed in silicon by fast ASICs: the switch has to look inside the MLD packets (the unsolicited MLD Reports that hosts send, carried in ICMPv6) to figure out on which port a receiver for a given group lives. A snooping switch that keys its table on the full IPv6 group rather than on the MAC address also avoids the 32-bit overlap described above.
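The group-to-MAC mapping and the overlap it creates, as an added example that is not part of the book. It maps an IPv6 group to its 33:33 Ethernet address, builds the solicited-node group that Neighbor Discovery (and thus DAD) uses for a unicast address (the FF02::1:FF90:FE53 of the figure is one of those), and groups a list of IPv6 groups by MAC to show which ones a MAC-based filter cannot tell apart. The addresses are constructed sample input.

```python
import ipaddress

SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def ipv6_mcast_to_mac(group):
    """Map an IPv6 multicast group to its Ethernet destination MAC (RFC 2464):
    33:33 followed by the low-order 32 bits of the group address."""
    g = ipaddress.IPv6Address(group)
    if not g.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    low32 = g.packed[-4:]
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


def solicited_node_group(unicast):
    """Solicited-node multicast group for a unicast address (RFC 4291):
    FF02::1:FFxx:xxxx, where xx:xxxx are the low-order 24 bits of the address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24))


def groups_sharing_mac(groups):
    """Bucket IPv6 groups by Ethernet MAC.  Any bucket with more than one
    entry is a set of groups that a MAC-only filter (or a switch that snoops
    by MAC instead of by IPv6 group) cannot distinguish."""
    by_mac = {}
    for g in groups:
        by_mac.setdefault(ipv6_mcast_to_mac(g), []).append(str(ipaddress.IPv6Address(g)))
    return by_mac


if __name__ == "__main__":
    # Constructed sample: a host address, its solicited-node group, and
    # a site-local group that collides with it on the wire.
    host = "2001:db8::1234:5690:fe53"
    sn = solicited_node_group(host)
    print(host, "->", sn, "->", ipv6_mcast_to_mac(sn))
    for mac, members in groups_sharing_mac([sn, "ff05::1:ff90:fe53", "ff02::1"]).items():
        print(mac, members)
```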
33:33
This is the MAC address prefix for IPv6 multicast encapsulated in Ethernet. The remaining 32 bits of the MAC are the last 32 bits of the IPv6 group address, so several IPv6 groups can share one MAC address.
Index: Chapter 8 - Multicast
ASICS
Application-Specific Integrated Circuits: chips which perform one special task in silicon, like Layer 2 switching in our case.
Index: Chapter 8 - Multicast
ASM
Any Source Multicast. The service model in which receivers join a group without naming a source and can receive from any sender. It is what PIM Sparse Mode with a Rendez-Vous Point implements (see PIM). Contrast with SSM.
Index: Chapter 8 - Multicast
BIDIR
Bi-directional. This is for PIM BIDIR which is actually the PIM-SM Shared Tree where
Sources can Receive and Receivers can Send.
Index: Chapter 8 - Multicast
CCIE
Cisco Certified Internetwork Expert. It started with number 1023. With #3013 I deserve the Cisco dinosaur distinction. When I was younger I passed both the written and the lab test at the first attempt; cheating was impossible and the answers were not available for $20 from the Web. It was a great distinction! And you must be recertified every two years. Again, it is not so old that you can get the answers before taking it, and I have had to take the written test every two years since 97 to remain active. I also find in the field many consultants who say that they are CCIE but only have the written exam, or have not been recertified for 10 years, and they get hired as cheap CCIEs! This is really unfair!
Index: Chapter 1 - Preface
Cost
This is the metric of Link-State Routing protocol. The lower the path cost is the better
the route will be. The lowest path cost is used for routing.
Index: Chapter 8 - Multicast
DAD
Duplicate Address Detection, the Neighbor Discovery process that checks that an address is not already in use before using it. This is enabled by default on LAN interfaces on Cisco routers but disabled on Serial interfaces.
Index: Chapter 5 - ICMPv6 & ND
DHCP
Dynamic Host Configuration Protocol, used to configure workstations with an IPv6 address and/or other information. With IPv6 there are many more variations than with IPv4, because IPv6 has a built-in Stateless Autoconfiguration feature with the Neighbor Discovery Protocol (RFC 4862, RFC 4861).
So DHCPv6 can be used for other information only, and not for addresses: this is Stateless DHCPv6. DHCPv6 can also be used to provide a site prefix instead of individual addresses; the prefix can then be subnetted. This is DHCP Prefix Delegation or DHCP-PD.
Index: Chapter 8 - Multicast
DHCP-PD
DHCP Prex Delegation. See DHCP.
Index: Chapter 7 - Addresses, Names & Services
DHCPv6
DHCP for IPv6. See DHCP.
Index: Chapter 5 - ICMPv6 & ND
Embedded RP
This is a method to encode the address of the PIM-SM Rendez-Vous Point inside the group address itself (RFC 3956), so that no router needs to be configured with the RP address or to run a bootstrap protocol. With Embedded RP you only need ONE command to have your multicast routing configured on a Cisco IOS router, ipv6 multicast-routing; only the RP router itself must additionally be told that it is the RP with ipv6 pim rp-address.
Index: Chapter 8 - Multicast
IGMP
Internet Group Management Protocol. The protocol that manages the signaling between the receivers and the multicast last hop router, the IGMP Querier. For IPv6 its equivalent is MLD (see MLD).
Index: Chapter 8 - Multicast
IOS
Internetwork Operating System, the historical Cisco operating system. A great survivor, pretty much like me! A big monolith with a round-robin scheduler to manage the processes. A simple OS written and programmable in plain C code. A basic time-shared scheduler which can be interrupted to switch a packet in real time when that can be done quickly. Otherwise the incoming packet is punted to be switched later on. This is IOS and we love it!
Index: Chapter 1 - Preface
IPAM
IP Address Management tools. With IPv4, many Service Providers were using spreadsheets with home-made macros to manage their IPv4 addresses, and everybody was very happy. The 128-bit addresses of IPv6 made that impossible, and new software was introduced to manage these very long addresses: IPAM was born. The next step was to link these big databases with DNS and DHCP, et voila!
Today it is just insane, or simply impossible, to plan any decent network without an IPAM to manage your IPv6 addresses and node names.
Index: Chapter 7
IPv4
Internet Protocol version 4. The protocol that has carried the Internet since the early 80s (RFC 791, 1981; the ARPANET switched to it in January 1983). Like Jim Morrison or Jimi Hendrix, IPv4 will die one day, as it is clearly not designed to sustain the Internet of 2012.
It was commissioned by the USA Department of Defense (DoD) to build a private internetwork, at a time when a few thousand hosts looked like a boundary that would never be reached. For the DoD and the mainframe technology of the 70s, IPv4 with its 32-bit addresses was here to last forever!
Index: Chapter 8 - Multicast
IPv6
Internet Protocol version 6. The protocol developed in the 90s to scale the Internet of the year 2000 and replace IPv4 forever.
The TCP/IP Guide (http://www.tcpipguide.com/free/t_IPv6AddressSizeandAddressSpace-2.htm) puts the size of the address space this way:
"Since IPv6 addresses are 128 bits long, the theoretical address space if all addresses were used is 2^128 addresses. This number, when expanded out, is 340,282,366,920,938,463,463,374,607,431,768,211,456, which is normally expressed in scientific notation as about 3.4*10^38 addresses. That's about 340 trillion, trillion, trillion addresses. As I said, it's pretty hard to grasp just how large this number is. Consider:
- It's enough addresses for many trillions of addresses to be assigned to every human being on the planet.
- The earth is about 4.5 billion years old. If we had been assigning IPv6 addresses at a rate of 1 billion per second since the earth was formed, we would have by now used up less than one trillionth of the address space.
- The earth's surface area is about 510 trillion square meters. If a typical computer has a footprint of about a tenth of a square meter, we would have to stack computers 10 billion high blanketing the entire surface of the earth to use up that same trillionth of the address space."
Index: Chapter 8 - Multicast
MAC
MAC Addresses are used at Layer 2 to address an Ethernet workstation on a LAN.
Index: Chapter 8 - Multicast
MLD
Multicast Listener Discovery. MLD is IGMP ported to IPv6; its messages are ICMPv6 messages, which is why an IPv6 ACL that blocks ICMPv6 also kills multicast.
MLDv1 (RFC 2710) is the equivalent of IGMPv2, and MLDv2 (RFC 3810) of IGMPv3, which adds source filtering and is required for SSM.
This is the signaling between the receiver and the last hop router. Hosts use MLD to tell the local router that they want to receive a group. The MLD router then turns that membership state into PIM Joins to build the Shared or Shortest Path Tree.
Index: Chapter 8 - Multicast
MLD Snooping
Does for IPv6 what IGMP snooping does for IPv4. The switch listens to the multicast traffic and looks into the MLD packets to find the control messages of a receiver saying that it wants to join a given group. Then the switch only forwards the multicast on the ports where it knows there is a receiver interested in this group.
Index: Chapter 8 - Multicast
MSDP
Multicast Source Discovery Protocol. A protocol running over TCP that was used to join two separate shared trees. It was useful when you had multiple Rendez-Vous Points: the RP of a source could find the receivers registered on another RP.
It was used by Service Providers to set up redundant RPs with a feature called Anycast RP.
The problem is that MSDP sessions must be fully meshed, leading to O(n^2) complexity. They were configuring 2 RPs in each country for redundancy. For 40 countries you had to configure (80*79)/2 = 3160 MSDP-over-TCP sessions, and reasonably sized routers did not support that many MSDP sessions and collapsed.
MSDP, and Anycast RP using MSDP, have not been ported to IPv6. For IPv6, redundant RPs use Anycast-RP with PIM itself (RFC 4610), which needs no full mesh.
NAT
Network Address Translation. A workaround which broke the peer-to-peer IP capability that was a key driver in the 80s for people to switch to TCP/IP. Just before they switched to TCP/IP, IBM proposed the SNA LU6.2 based APPN solution to move from a hierarchical model to a peer-to-peer one. In the early 80s, peer-to-peer and downsizing, porting applications from Mainframes down to Mini, RISC and Micro computers, was the way to go!
But in the 90s peer-to-peer was broken by NAT, which breaks many applications and is a security weakness seen as a security feature by some NAT proponents! They cling to IPv4 and NAT as if their life would have no reason to be without NAT!
NAT was never a security feature: the filtering people attribute to it comes from the stateful firewall that usually sits with it, and a stateful firewall works just as well without translating addresses. The best security is true end-to-end security, which does not work if someone changes anything in the original address, because you cannot be identified from your address anymore: no security. Someone who does really bad things from behind a NAT can only be traced back through the translator's session logs.
Index: Chapter 2 - Introduction to IPv6
ND
Neighbor Discovery Protocol dened in RFC 4861 is a key protocol for IPv6.
Index: Chapter 5 - ICMPv6 & ND
NTP
Network Time Protocol to synchronize all the system clocks in a Network.
Index: Chapter 8 - Multicast
NUD
Neighbor Unreachability Detection is a part of ND and is used to check that a neighbor is still alive, and to clean up the entry if the node fails to reply.
Index: Chapter 5 - ICMPv6 & ND
P2p
Point-to-Point Network.
Index: Chapter 8 - Multicast
PIM
Protocol Independent Multicast. It is independent because it uses the existing unicast routing table to run the RPF algorithm instead of building a separate table.
Index: Chapter 8 - Multicast
PIM-BIDIR
Bidirectional PIM. See BIDIR and PIM.
Index: Chapter 8 - Multicast
PIM-DM
PIM Dense Mode. Deprecated. It was not scalable. (See PIM)
Index: Chapter 8 - Multicast
PIM-DR
PIM Designated Router. On a multi-access link with several PIM routers, one of them is elected DR: on a source's LAN the DR registers the source with the RP, and on a receiver's LAN it sends the PIM Joins on behalf of the MLD membership state. The highest priority wins, and the highest IP address is used as a tie breaker. See PIM.
Index: Chapter 8 - Multicast
PIM-SSM
PIM Source-Specific Multicast. It only works with the Shortest Path Tree, as the receivers know the source address(es) when they register for a group with MLDv2 (see PIM).
Index: Chapter 8 - Multicast
Querier
The MLD (IPv6) or IGMP (IPv4) Querier is the router on a LAN that sends the periodic membership queries to the directly connected receivers. When several candidate routers are attached to the same link, the one with the lowest IP address is elected Querier.
Index: Chapter 8 - Multicast
RP
The PIM Rendez-Vous Point is the place where the PIM-SM sources meet the receivers.
Index: Chapter 5 - ICMPv6 & ND
Rendez-Vous
See RP and PIM-SM.
Index: Chapter 8 - Multicast
Reverse Path Forwarding
The Reverse Path Forwarding rule is the universal IP multicast rule.
To avoid routing loops, a multicast router checks each packet received on each interface against its source address. The packet MUST be received on the interface which has the best (lowest) path cost to get back to the source, or it gets dropped: this is an RPF failure.
RPF
See Reverse Path Forwarding
Index: Chapter 8 - Multicast
SLAAC
Stateless Address Autoconfiguration. This is a process to get an interface automatically configured with an address using the Neighbor Discovery Protocol (RFC 4861). SLAAC is described in RFC 4862.
Index: Chapter 5 - ICMPv6 & ND
SSM
Source-Specific Multicast. See PIM-SSM.
Index: Chapter 8 - Multicast
Stateful
Stateful means that a server must keep some state for each allocation in order to manage the entry.
For instance when DHCP allocates an address, it keeps an entry for this allocated address, and if the client fails to RENEW the address, it goes back to the unused pool and can be allocated to another node.
Stateful devices are easy targets for DoS attacks (an attacker can exhaust the pool or the state table) and should be protected with mitigation techniques such as rate limiting and per-port limits to contain the effects of the attack!
Index: Chapter 7 - Addresses, Names & Services
Stateless
When DHCP is not used to allocate Addresses it is called Stateless DHCPv6 and only
provides information, not addresses.
Index: Chapter 7 - Addresses, Names & Services
ULA
Unique Local Addresses (RFC 4193, fc00::/7) are used when private addresses are needed. The RFC foresees centrally assigned ULAs (fc00::/8, never actually standardized) and locally assigned ones (fd00::/8); in practice only the locally assigned form is used. The idea was not to repeat the IPv4 mistakes: we have 40 random bits in the Global ID to make the ULA prefix unique and avoid any risk of overlapping addresses when we merge two networks. Those 40 bits must really be random; a Global ID of all zeros defeats the purpose.
Index: Chapter 3 - IPv6 Addresses