1 July 2013 14:22

One of the novelties IPv6 brought is SLAAC ( Stateless Address Autoconfiguration ).

 

D5a

 

Basically, it builds on the premises of the old IPv4 169. autoconfig, but turns it into something fully functional : a simple, plug and play, full autoconfiguration of hosts, for Global Internet connectivity.


We will see SLAAC theory, then real examples and configurations of SLAAC served by a 40€/$ network router and SLAAC served by a Windows OS router. We'll have a look at what benefits a 200+ €/$ network router can bring SLAAC-wise. Finally, we'll sum up all the flag settings we'll go through.



SLAAC :  The theory

 

SLAAC ( Stateless Address Autoconfiguration ) allows a host to autoconfigure itself by means of advertised network prefixes.

SLAAC is built on RAs ( Router Advertisement ) as a foundation. Let's look closely at an advertised SLAAC RA.

First, the ' managed ' flag must be unset to allow the host to autoconfigure :

 

D5d

 

  Secondly, we have a RA option here, named prefix information :

 

D5b

 

Let's expand the ' prefix information message ' to see the option flags :

 

D5c

 

If the ' on link ' flag and the ' Autonomous address-configuration ' flag are both set, then a host can create an IPv6 address, using the advertised prefix as the network ID, and using either a modified EUI-64 ( MAC address based ) or an RFC 4941 privacy ID ( IPv6 Privacy ) as the host ID.


Network ID+Host ID = Autoconfigured IPv6 address

 

We now have an IPv6 address autoconfigured

 

We already have a default gateway autoconfigured ( see Part 1 of IPv6 Dynamic Networking )

 

What our host still lacks for Global Internet connectivity is the DNS servers' IPs. Either of two mechanisms provides them : ND RDNSS or Stateless DHCPv6.



SLAAC and ND RDNSS

 

The first mechanism is ND RDNSS ( Network Discovery Recursive DNS Server ) and ND DNSSL ( Network Discovery DNS Search List ) as an RA option ( RFC 6106 ). It provides a means for the router to add these optional lines to the advertised RAs.
Some OSes, like Windows, don't support RFC 6106 unless you use an open-source third-party add-on.
When using ND RDNSS, the router's RA ' other ' flag is unset :

 

D5d

 

 

 

SLAAC and Stateless DHCPv6

The second mechanism is the host configuration being completed by a DHCPv6 request.

 

The router keeps the managed flag unset, allowing the host to perform SLAAC. The ' other ' flag is set, thus informing the host to perform a stateless DHCPv6 request to complete its configuration :

 

D5i

Note that in this case, the DHCPv6 request can be served by either the network router or a discrete link-local DHCPv6 server. The host preference will follow the same rules as outlined in the previous post about DHCPv6.


IPv6 SLAAC using a network router

D5a

 

 

 

Performing SLAAC by means of our neat Dlink DIR 626-L is pretty straightforward. We just have to check ' Enable automatic IPv6 address assignment ' and choose either SLAAC+RDNSS or SLAAC+Stateless DHCPv6 :

 

D5e

 

I haven't managed to make SLAAC+RDNSS work on the DLink 626L. The RDNSS options are not in the captured IPv6 RAs on the network. I keep on being puzzled by that. I'll complete or correct this subject here when I find out.


In the case of SLAAC+Stateless DHCPv6, it worked and performed perfectly. The IPv6 address is autoconfigured, based on the Lan IPv6 Address of the network router, configured on the same page. It can only be a /64.

The DNS DHCPv6 request is served by the Dlink's own DHCPv6 server, without anything needing to be configured. It simply passes on the DNS server IPs configured on the Dlink on the same page.

In case another DHCPv6 server is present on the local link, it will be preferred by the host, provided it offers more information or has a >0 preference flag ( see previous post ).

A few last notes about the DLink DIR 626-L with SLAAC :


The DLink router lifetime as a gateway is set to 180 s by design
The router advertisement lifetime setting is the host's SLAAC address lifetime ( 1440m=24h default )

 

 

IPv6 SLAAC using a Windows Server 2008 R2 as an IPv6 router + SLAAC provider

 

 

D5f

 

( To see how to make an IPv6 router out of any Windows OS with two network card, or how to set it up as an IPv6 tunnel endpoint, please see previous posts ).

 

Windows Server 2008 R2 doesn't support serving SLAAC+RDNSS, so we can only use SLAAC+Stateless DHCPv6.

 

Let's do a quick cleanup of the server DHCP and IPv6 settings :
We empty the folders C:\windows\System32\DHCP and C:\Windows\System32\DHCP\Backup
We do an IPv6 reset : netsh int ipv6 reset
We reboot

First, we add the DHCP server role, using server manager :


We check only the LAN NIC

 

We choose the DNS search list and the DNS servers, and don't need to create an IPv4 scope; we just click Next.
We choose ' Enable DHCPv6 stateless mode ' and fill in the DNS search list and DNS servers that will be advertised by the server :

 

D5g

 

We have now enabled the DHCPv6 server to serve stateless requests.


For the hosts to be able to perform SLAAC, more work needs to be done by hand.

 

We first allow router discovery and advertising :

 

netsh int ipv6 set int [Idx] routerdiscovery=enable
netsh int ipv6 set int [Idx] advertise=enable

 

where [Idx] is the lan interface index.

 

We then have to choose and allow the published prefix. For this, we just have to type :

 

netsh int ipv6 show route
netsh int ipv6 set route [prefix]::/64 [IDx] :: publish=yes

 

where [prefix] is the lan prefix you want to be published, and [IDx] is the lan interface index.

 

Finally, to allow the router to be a routing default gateway :

 

netsh int ipv6 set int [IDx] forwarding=enable
netsh int ipv6 set int [IDx] advertisedrouterlifetime=1800
netsh int ipv6 set int [IDx] advertisedefaultroute=enable
netsh int ipv6 set int [IDx2] forwarding=enable

where [Idx] is the lan interface index and where [Idx2] is the Wan interface index.


Here is the complete sequence :

D5h

 

Well, nothing else needs to be taken care of. Just check your advertisedrouterlifetime setting ( 1800 s default ), because too small a value may make your hosts discard the default gateway before a new RA arrives to renew its validity, thus creating an inconsistent connection. To verify the remaining lifetime of a host's default gateway :

 

netsh int ipv6 show route verbose

A few more notes : when Windows Server 2008 R2 offers to enable or disable DHCPv6 Stateless mode, it really does nothing more than hand you option 23 and option 24 of the DHCPv6 Stateful Server ( see previous post : DHCPv6 ). We can just as well choose the ' disable DHCPv6 Stateless mode ' option, and right-click the DHCP Server IPv6 options to set the DNS Servers and DNS Search List options ( no 23 and 24 ). It will work all the same.


 

SLAAC with a pro-grade network router

Here is what a pro-grade ( 200+ €/$ ) network router may bring you SLAAC-wise that a consumer-grade network router lacks :

Domain search list
Unicast / Multicast advertise mode
Advertise interval
RA flags manual setup
Router Preference
MTU settings   
Router lifetime
Prefix length
Prefix lifetime


Summary of flag combinations

Here are the different combinations of the 4 flags ( managed, other, on-link, autoconfigure ) and the host setup each one initiates :

flags set                            setup

managed                              full DHCPv6
other + onlink + autoconfigure       SLAAC+Stateless DHCPv6
onlink + autoconfigure               SLAAC+RDNSS
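
The flag logic summed up above, as an added Python example that is not part of the original post : it parses an ICMPv6 Router Advertisement, reads the managed / other flags and the on-link / autonomous flags of the Prefix Information option, maps them to the host setup of the table, and builds the modified EUI-64 address. The sample RA bytes, the 2001:db8:0:1::/64 prefix, the MAC address and all function names are constructed for the illustration.

```python
import ipaddress
import struct

# Prf bits of the RA flags byte ( default router preference )
PRF = {0b00: "medium", 0b01: "high", 0b11: "low", 0b10: "reserved"}


def parse_ra(icmp):
    """Parse an ICMPv6 Router Advertisement, starting at the ICMPv6 type byte."""
    if len(icmp) < 16 or icmp[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags = icmp[5]
    ra = {
        "managed": bool(flags & 0x80),           # ' managed ' flag
        "other": bool(flags & 0x40),             # ' other ' flag
        "preference": PRF[(flags >> 3) & 0b11],
        "router_lifetime": struct.unpack("!H", icmp[6:8])[0],  # >0 : default gateway
        "prefixes": [],
        "rdnss": [],
    }
    pos = 16
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or pos + opt_len > len(icmp):
            raise ValueError("malformed RA option")
        opt = icmp[pos:pos + opt_len]
        if opt_type == 3 and opt_len == 32:                # Prefix Information
            ra["prefixes"].append({
                "prefix": ipaddress.IPv6Network((opt[16:32], opt[2]), strict=False),
                "on_link": bool(opt[3] & 0x80),
                "autonomous": bool(opt[3] & 0x40),
                "valid_lifetime": struct.unpack("!I", opt[4:8])[0],
            })
        elif opt_type == 25 and opt_len >= 24:             # RDNSS ( RFC 6106 )
            for i in range(8, opt_len, 16):
                ra["rdnss"].append(ipaddress.IPv6Address(opt[i:i + 16]))
        pos += opt_len
    return ra


def host_setup(ra):
    """Map the RA flags to the host setup listed in the table above."""
    if ra["managed"]:
        return "full DHCPv6"
    slaac = any(p["on_link"] and p["autonomous"] for p in ra["prefixes"])
    if slaac and ra["other"]:
        return "SLAAC+Stateless DHCPv6"
    if slaac:
        return "SLAAC+RDNSS"
    return "no autoconfiguration"


def slaac_address(prefix, mac):
    """Network ID + modified EUI-64 host ID ( ff:fe inserted, U/L bit flipped )."""
    m = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(m) != 6 or prefix.prefixlen != 64:
        raise ValueError("need a 48-bit MAC and a /64 prefix")
    host_id = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + host_id)


def build_sample_ra(managed, other, prefix="2001:db8:0:1::", rdnss=()):
    """Constructed sample RA ( documentation prefix ), not a capture from the post."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    # type 134, code 0, checksum 0, hop limit 64, flags, router lifetime 1800 s
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, flags, 1800, 0, 0)
    # Prefix Information : /64, on-link + autonomous set, 24h valid lifetime
    pio = struct.pack("!BBBBIII", 3, 4, 64, 0xC0, 86400, 14400, 0)
    pio += ipaddress.IPv6Address(prefix).packed
    opt = b""
    if rdnss:
        opt = struct.pack("!BBHI", 25, 1 + 2 * len(rdnss), 0, 1800)
        opt += b"".join(ipaddress.IPv6Address(a).packed for a in rdnss)
    return hdr + pio + opt


if __name__ == "__main__":
    samples = [(True, True, ()), (False, True, ()), (False, False, ("2001:db8::53",))]
    for managed, other, dns in samples:
        parsed = parse_ra(build_sample_ra(managed, other, rdnss=dns))
        print(host_setup(parsed), "| router lifetime", parsed["router_lifetime"],
              "| RDNSS", [str(a) for a in parsed["rdnss"]])
    print(slaac_address(parsed["prefixes"][0]["prefix"], "00:1a:2b:3c:4d:5e"))
```
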

Published by computer outlines - in IPv6
29 June 2013 09:31

We'll see here how to set up the Raspberry PI as a DHCPv6 client and server, using wide-dhcpv6,
with configuration file examples.

Please see previous post for DHCPv6 theory ( DUID, IAID, ... )

 

 

 

RaspberryPI DHCPv6 client setup

D4a.gif

 

First we disable SLAAC :

sudo nano /etc/sysctl.conf :

#net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.eth0.autoconf=0

nb : net.ipv6.conf.eth0.autoconf=0 might be needed to erase a previous setup. Use it if needed


We install the Wide-DHCPv6-Client :

sudo apt-get install wide-dhcpv6-client

At installation, the listening interfaces are asked for. We choose eth0 in this case

 

We edit the configuration file :

sudo nano /etc/wide-dhcpv6/dhcp6c.conf :

interface eth0{
  send ia-na 0;
  request domain-name-servers;
  script "/etc/wide-dhcpv6/dhcp6c-script";
};

id-assoc na 0 {
};


We reboot the Raspbian OS

A few explanations about this config file :

interface eth0{ ... };                              defines settings for eth0
  send ia-na 0                                      sets IAID 0 for this interface
  request domain-name-servers                       requests DNS IPs
  script "/etc/wide-dhcpv6/dhcp6c-script"           copies the DNS IPs into /etc/resolv.conf
id-assoc na 0 { };                                  needed stanza



For reference, here is the /etc/network/interfaces file for the interface eth0 to behave as a DHCPv4/DHCPv6 client :

auto lo

iface lo inet loopback
iface eth0 inet dhcp

allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp

Firewall settings


We have to remember to allow in DHCPv6 answers if the firewall is too restrictive :

ip6tables -A INPUT -s FE80::/10 -p udp --dport=546 -j ACCEPT


Raspbian with 2 DHCPv4/DHCPv6 listening interfaces

While rarely useful, this configuration is interesting to outline. It brings some
subtleties to light :

First, be sure to install wide-dhcpv6-client and to select both interfaces at the initial setup : eth0 eth1
( Or do rpkg ). If you forget to do this, the unregistered interface will not be listening.

here is the dhcp6c.conf file :

# Default dhpc6c configuration: it assumes the address is autoconfigured using
# router advertisements.


interface eth0{
  send ia-na 0;
  request domain-name-servers;
  request domain-name;
  script "/etc/wide-dhcpv6/dhcp6c-script";
};

interface eth1{
  send ia-na 1;
  request domain-name-servers;
  request domain-name;
  script "/etc/wide-dhcpv6/dhcp6c-script";
};

id-assoc na 0 {
};

id-assoc na 1 {
};

 

 

This is how we setup the IAIDs, one per interface
Here is the /etc/network/interfaces file :

auto lo

iface lo inet loopback
iface eth0 inet dhcp
iface eth1 inet dhcp

allow-hotplug wlan0
iface wlan0 inet manual
wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf
iface default inet dhcp


Finally here is an extract of sysctl.conf :

# Uncomment the next line to enable packet forwarding for IPv6
#  Enabling this option disables Stateless Address Autoconfiguration
#  based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.eth1.autoconf=0
net.ipv6.conf.eth0.autoconf=0


( the last two lines may be needed, if the previous settings don't want to discard ).

 

 

 

Raspbian as a DHCPv6 Server

 

( currently being written )

 

Published by computer outlines - in RASPBERRY PI
28 June 2013 14:13


DHCPv6, also named stateful DHCPv6, is very similar to DHCPv4. It allows full control of address assignment, and full host configuration ( IPv6 address, prefix length, DNS servers, DNS prefix, NTP servers, ... ). Remember that DHCPv6 won't hand out default gateway information to hosts ( see previous part ).

We'll set up DHCPv6 using a network router, as well as a Windows Server OS. We'll see the DHCPv6 options an enterprise-grade network router can provide that a consumer product lacks. We will finally see the multicast addresses DHCPv6 uses.

 

But first, let's have a look at the way DHCPv6 functions, and lay a little theory

 

 

DHCPv6 Functioning

 

IPv6 provides two ways for host autoconfiguration : DHCPv6 and SLAAC.

 

We saw how default gateways and routes are advertised by Routers, using RAs ( Router Announcements ). There is another part of a RA that we need to take a look at :

 

D3e.gif

 

The managed address configuration flag and the other configuration flag, if both set, have the router tell hosts to :

 

Do a DHCPv6 request, for full DHCPv6 configuration ( IPv6 address, prefix length, DNS servers, DNS prefix, NTP servers, ... )

 

So if the DHCPv6 server is also the default gateway, the process is :

1. The router advertises RAs stating :

   . Router is default gateway
   . Hosts should request full DHCPv6 configuration ( managed and other flags set )

 

2. The host sends a DHCPv6 request to all DHCPv6 servers on-link

 

3. The router handles the DHCPv6 request

 

 

We can check the status of a Windows OS host interface ( [Idx] ) using :

 

netsh int ipv6 show int [Idx]

 

D3f.gif

 

Please note that for hosts, these flags reflect the state they're in due to received RAs. You can't set these flags on a host, only on a router ( or a routing computer. see part 1 of Dynamic networking ) .

 

Finally, there is an optional field in DHCPv6 messages, the preference value :

 

D3h.gif

 

If a host receives replies from two different DHCPv6 servers, it will choose the one with the highest preference.

If both replies have an equal preference value, it will choose the one carrying the most information.

The host CAN choose the lower-preference reply if it carries more information; it depends on the host settings.

A preference value of 0 results in the preference option field being absent from the DHCPv6 message.

 


DHCPv6, DUID, IAID and Network Interfaces

D3j.gif

 

Whereas with DHCPv4 clients were identified by the server by their MAC address,
with DHCPv6 they're identified by their DUID : DHCP Unique IDentifier.
Each DHCP client has a unique DUID, which must not change, even if one of the LLA ( Link-Local Address ) of the client changes.

One computer has several IAs ( Identity Association ) : one per NIC ( plus possibly one per IA type : NA, TA, ... )
The computer's IAs are identified by their IAIDs ( IA ID ) : this ID number has to be unique for a given computer, and must not change for a given interface.

EX : A computer with two interfaces requesting permanent DHCPv6 addresses on both has :

. 1 DUID
. 2 IAID ( one per interface )

As soon as a DHCPv6 lease has been granted by the DHCPv6 server, it will register the DUID and IAIDs for this lease.

The DUID is created at the OS installation, or DHCPv6 client package installation.

It is Link-Local Address derived ( there are three different formats : LLA, LLA+time, Unique Vendor Specific ), and maximum 128 Bytes long. Only one LLA is used ( preferably that of a chipset-integrated NIC ).

 

The IAID is created when a new network card is installed. It is 4 Bytes long.

To see the DUID and IAID's of a Windows OS : ipconfig /all
To see the DUID and IAID's of a Raspbian OS with wide-dhcpv6 package :

 

 

DHCPv6 with a consumer-grade network router

 

 

Let's see how to use DHCPv6 with our neat, 40€/$ Dlink DIR 626L ( Router 1 here ) :

 

D3a.gif

 

 

It's all very obvious indeed, with the only exception I outlined earlier that this setting is in the ' Manual IPv6 Internet Connection Setup ' submenu, not in the local connectivity submenu :

 

D3c.gif

 

Well, we just have to :


check ' enable automatic IPv6 address assignment '
choose the ' Stateful ( DHCPv6 ) ' option in the submenu
assign an address range
set up the lease time

D3d.gif


Pretty simple and easy.
Note that the network router hands out DNS server IPs based on its own registered DNS servers ( on the same ' Manual IPv6 Internet Connection Setup ' submenu ). All is sent using DHCPv6 messages.

 

The Lan IPv6 Address is limited to a /64, and DHCPv6 Address range uses it as the network prefix. You can choose the remaining 64 bits to define the host id range.

 

Note too that the IP addresses are leased in a successive, linear way; there is no randomized choice out of the address pool.

 

There are no other options to set or choose from.

 

 

 

DHCPv6 with a Windows Server OS

 

 

Using Windows Server 2008 R2 as an example, let's see how to set it up as a DHCPv6 Server and default gateway, using this network map :

 

D3b.gif

 

 

For IPv6 router/default gateway, please see the previous post.

Let's see how to add DHCPv6 :

 

First, I recommend cleaning up any previous DHCP setup on the server. Just delete the content of these folders :

 

C:\Windows\System32\DHCP

C:\Windows\System32\DHCP\Backup

 

Then, add the DHCP server role using the Server Manager

 

Only select the Lan NIC here

Create the IPv4 Scope, using default settings ( No WINS, ... )

Choose ' Disable DHCPv6 Stateless '

 

Now, let's add an IPv6 scope :

 

Server Manager ) DHCP ) IPv6 ) Right click ) New Scope

 

all we have to setup is :

 

scope name and description

 

scope prefix ( /64 )

 

preference level                          ( default ( 0 ) is all right as there are no other DHCPv6 server here )

 

We can use some exclusions to narrow the leased scope. As an example, if we only want to lease host IDs :

4:0000 to 4:FFFF

 

we add two exclusions :

0:1 to 3:FFFF

5:1 to FFFF:FFFF:FFFF:FFFF

 

 

Last, we setup DNS and DNS prefix for our DHCPv6 Server to announce :

 

IPv6 ) Server Options ) Right click ) Configure Options

 

option 23          [ enter the IPv6 DNS IPs here ]

option 24          [ enter the DNS prefix here ]

 

 

Well, that's all that needs to be done. Note that the leased IPv6 addresses are chosen at random from the address pool.

 

 

DHCPv6 with a network router as default gateway, and a Windows Server DHCPv6 server

 

Here is the network map :

 

D3g.gif

 

Well, nothing is different from the previous examples we saw, except a little detail here :

 

Our D-Link, to be able to advertise default gateway RAs, must be set on lan autoconfiguration :

 

D3i.gif

 

We have to choose Stateful ( DHCPv6 ) so the right flags ( managed + other ) are set on the advertised RAs, so the host performs a DHCPv6 request.

And when choosing the DHCPv6 setting on the network router, we have to be sure the Windows Server DHCPv6 server will be preferred over the network router's one.

 

We could set the Windows Server DHCPv6 preference value higher, so that it will be preferred. The D-Link DIR 626-L preference value is fixed to 0.

 

But it isn't needed, as the Windows Server DHCPv6 server provides more information in reply to DHCPv6 requests ( Domain prefix, FQDN, vendor specific infos ), and thus gets preferred.

 

This is a perfect example of the IPv6 paradigm shift, and the new problems it creates ( and solves ).

 

 

 

DHCPv6 with a pro-grade network router

 

Compared to a consumer-grade network router, a typical 200+ €/$ pro-grade router may provide you these added features and options, DHCPv6-wise :

 

. Router's preference value

. DNS prefix

. Lan prefix length

. DNSv6 proxy

. Multiple DHCPv6 address pools

. randomization of address pool leases

 

 

DHCPv6 Multicast addresses

 

 

Here are the main addresses DHCPv6 makes use of. They are IPv6 Multicast addresses :

 

Routers use ff02::1 for ICMPv6 RAs

 

Hosts use ff02::1:2 for DHCPv6 requests

 

Further, you may encounter requests sent to ff05::1:3

 

Here are their meanings :

 

ff02::1                          all nodes link-local

 

ff02::1:2                       all DHCP servers and relay agents link-local

 

ff05::1:3                       all DHCP servers on the local network site

 

Published by computer outlines - in IPv6
28 June 2013 13:47

After having seen IPv6 default gateway advertisement in the previous post, we will now have a look at IPv6 route advertisement.

 

Effectively, RA ( Router Advertisement ) provides a way for hosts and routers to announce and publish known routes.

Let's see three practical examples, using the last setup of the Static IPv6 Networking :

 

D2a

 

[ G ] ::/48 is our /48 prefix. Out of this we create 3 subnets, [ G ]:1::/64, [ G ]:2::/64 and [ G ]:3::/64.

The two network routers are consumer-grade IPv6 routers ( DLink DIR 626-L in this case ), the Windows OS Router can be any Windows client or server edition. Let's see the network map again :

 

D2b

 

The default gateway of Router 2 and OS Router 1 is Router 1. The default gateways of all the hosts are obvious.

So for full hosts connectivity, we need :

 

Router 2 to advertise the [ G ]:2::/64 subnet to Router 1

OS Router 1 to advertise the [ G ]:3::/64 subnet to Router 1

 

 

 

Consumer-grade network router

 

So we need Router 2 to advertise its knowledge of [ G ]:2::/64 to Router 1, so we don't have to set up a static route in Router 1.

 

 ( to be continued )

Published by computer outlines - in IPv6
27 June 2013 15:55

We'll see the precise basis needed to understand the IPv6 dynamic networking shift, and see the most important consequence : Default Gateway advertisement. We'll see how to configure a network router or a Windows OS router to be an advertised default gateway. Finally, we'll see IPv6 multicast addresses.

 

D1a

 

 

IPv6 nodes roles

 

To have a clear view, we need to lay some groundwork, because IPv6 is a big shift in thinking from IPv4.

Let's define 3 roles :


a router : performs routing, ie packet forwarding
a host : has an ip address, but doesn't perform routing
a node : a router or a host

So a node is either a host or a router.

 

A network router, like a D-link DIR 626L, obviously is a router, and this won't change.

 

A Windows PC is either a host or a router. It depends on its ability to forward packets. To check this, type :
netsh int ipv6 show int [Idx]
and look at the line ' forwarding '. If forwarding is enabled, then it's considered a router, IPv6-wise.

In IPv6, Routers perform routing, and thus advertise routes and default routes. Hosts don't. Period.

 

 

 

RA - Router Advertisement

 

Routes are advertised by means of RAs ( Router Advertisement ). RAs belong to the NDP ( Network Discovery Protocol ). NDP is part of ICMPv6.


What do Routers advertise by means of RAs ? They advertise :

 

. On-link prefixes
. Default gateway
. Autoconfiguration information ( SLAAC )
. Other autoconfiguration information : presence of a stateful DHCPv6 server on-link, MTU value to be used.

RA are advertised every 20 to 40 s on average. Hosts receive this beacon, and act accordingly.
Let's see the main part of a RA packet :

D1e

 

The first line to check is Router Lifetime. If it is different from zero, the router is advertising itself as a default gateway. This value only refers to the router's default gateway ability, not to the lifetime of any other advertised routes.

Here is the equivalent, on a routing Windows OS, using : netsh int ipv6 show int [Idx]


D1h
Now let's have a closer look. There is another important flag to see in a RA packet :

 

D1c

 

 

 

Prf ( Default Router Preference ) : sets the priority level of this router to act as a default gateway

If a router is advertising RA packets, and is willing to act as a default gateway, it will set its router lifetime to a value different from zero, and set its preference level ( medium by default ).

Hosts, on the other hand, will listen to RAs and update their default gateway accordingly, choosing the router with the highest preference value.
If two routers are advertising RAs with equal preference value, the host will register two default gateways on this link,
which is not a recommended practice.

 

 

Default Gateway configuration exemple using a network router

 

 

D1a

 

On a network router, like the d-link DIR 626L, you can set the autoconfig to any mode ( Stateful DHCPv6, SLAAC+Stateless DHCPv6, SLAAC+rdnss ) to have the default gateway announced.
Only the ' No autoconfiguration ' mode will completely disable the RA default gateway announcement ( it sets the router's lifetime to zero ) :

 

D1d

 

There's nothing more to do, nor option to set.

 


Default Gateway configuration exemple using a Windows OS Router

 

D1b

 

On a Windows OS, you also have to set ' advertisedefaultroute=enable ' on the routing interface. So for complete functioning you need :

 

advertise=enable
forwarding=enable
advertisedrouterlifetime=[x]        with x>0
advertisedefaultroute=enable

 

Here are the complete command lines, with [Idx1] as Lan interface and [Idx2] as Wan interface :

 

D1f

 

I also include the complete netsh int ipv6 int [Idx1], for reference, just in case you scrambled your settings, and don't want to do a netsh int ipv6 reset :

 

D1g

 

 

 

 

Default Gateway using more advanced products

 

 

With consumer-level products ( Windows client OS, entry-level network router ), this is where our ability to fine-tune the default gateway announcement stops.


To have more control and options, we need professional products, like pro-grade network routers ( 200+ €/$ ), or a Windows Server OS ( using RRAS ). We can then set the Router's preference, as an example.

 

 

Multicast IPv6 addresses

 

 

At this stage we encounter a new kind of IPv6 address : Multicast IPv6 addresses.

RAs are sent from Routers to this address :

 

ff02::1

 

Here is a network sequence using Wireshark :

 

D1i

 

ff02::1 is a multicast address, whose meaning is ' all nodes link local '. To see the multicast groups a host joined, just type :

 

netsh int ipv6 show joins

 

Here are a typical Windows 7 host's multicast groups with their meanings :

 

ff01::1            all nodes interface local
ff02::1            all nodes link-local
ff02::c            SSDP link-local
ff02::1:3        multicast name resolution link-local
ff02::1:ff00:101    solicited node multicast link-local
ff02::1:ff57:87f   


IPv6 makes great use of multicast, to reduce broadcast-caused traffic congestion.

 

The first part ( ff01::, ff02::, ... ) encodes the scope :

ff01:: is interface local, ff02:: is link-local, ff05:: is site local, etc ...

The second part ( 1, c, 1:3, ... ) encodes the node type :

1 is a node, 2 is a router, 9 is a RIP router, 1:3 is a DHCP server, etc ...

Published by computer outlines - in IPv6
20 June 2013 14:19

RFC 6724 : Default Address Selection for Internet Protocol Version 6 (IPv6)

As IPv6 hosts may have several IPv6 addresses on a single network interface, a choice has to be made by the OS to select a Source IP, as well as a Destination IP.

Furthermore, in case of Dual-Stack IPv4/IPv6 networking, a choice has to be made too about which IP to use as Source and Destination IPs : IPv4 or IPv6.

Finally, in case there are several physical or virtual network interfaces ( ex: tunnelling, .... ), a choice has to be made too.


RFC 6724 provides the mechanisms to be implemented in OSes and in software to resolve this Source Address and Destination Address selection.


 

The RFC 6724 Basic Algorithm



. Each Address is passed through the prefix policy table, and thus receives a Precedence and a Label value.

. The Source address is selected

. The Destination address is selected



The Prefix policy table

 

To show the Prefix policy table on a windows OS :

 

netsh int ipv6 show prefix

 

Here is the default Prefix Policy table :

 

      Prefix            Precedence    Label
      ::1/128               50           0
      ::/0                  40           1
      ::ffff:0:0/96         35           4
      2002::/16             30           2
      2001::/32              5           5
      fc00::/7               3          13
      ::/96                  1           3
      fec0::/10              1          11
      3ffe::/16              1          12


It's a longest prefix match, like the routing table. Each candidate address receives a Precedence and a Label value, based on this longest prefix match.

The IPv4 addresses are processed through this table too, using a ::ffff:0:0/96 IPv4 mapped address.

 

 

Here is the meaning of the default table entries :

::1/128             Loopback
::/0                Default Route
::ffff:0:0/96       IPv4 mapped address
2002::/16           6to4
2001:0000::/32      reserved for Teredo
fc00::/7            ULAs
::/96               IPv4 compatible address ( deprecated )
fec0::/10           former site-local address, deprecated
3ffe::/16           6bone


Notes :

An IPv6 GUA wins over an IPv4 public IP for destination choice because the IPv6 address matches a precedence of 40, whereas the IPv4 address gets 35 :

::/0                 40    1
::ffff:0:0/96        35    4


For source selection, a source with the same label as the destination wins ( rule 6 ), all other rules being equal.

So this default table prefers IPv6 over IPv4, and native connectivity over tunnelled connectivity.



source selection

 

All the potential source addresses are processed through this set of rules, discarding addresses as they lose a rule, and stopping when only one address is left :

 

1.  Prefer same address ( ie source IP=destination IP )
2.  Prefer appropriate scope
3.  Avoid deprecated addresses
4.  Prefer home address ( Mobile IPv6 )
5.  Prefer outgoing interface ( ie to internal forwarding interface )
5.5 Prefer the next-hop advertised prefix addresses
6.  Prefer matching label
7.  Prefer temporary address
8.  Use longest matching prefix

nb : rules 5.5 and 8 are optional, and can be superseded

        rule 7 is supposed to be user-configurable in OS and applications



destination selection

1.  Avoid unusable destinations ( unreachable or undefined )
2.  Prefer matching scope
3.  Avoid deprecated addresses
4.  Prefer home addresses
5.  Prefer matching label
6.  Prefer higher precedence
7.  Prefer native transport
8.  Prefer smaller scope
9.  Use longest matching prefix
10. Otherwise, choose the first on the list

note : rules 9 and 10 may be superseded


Example of Prefix Policy Table settings

 

For administrative purposes, the prefix policy table may be changed to achieve a particular effect. For example :

Preferring IPv4 :

To prefer IPv4 over IPv6 for Internet Access, we raise the precedence value of the ::ffff:0:0/96 row ( which matches IPv4 addresses ) to 100, above the precedence value of 40 of the ::/0 row ( which matches IPv6 default addresses ) :

 

      Prefix            Precedence    Label

      ::ffff:0:0/96        100           4
      ::1/128               50           0
      ::/0                  40           1
      ::ffff:0:0/96         35           4
      2002::/16             30           2
      2001::/32              5           5
      fc00::/7               3          13
      ::/96                  1           3
      fec0::/10              1          11
      3ffe::/16              1          12

command line :

 

netsh int ipv6 set prefix ::ffff:0:0/96 100 4
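
The prefix policy lookup described in this post, as an added Python example that is not part of the original post : each address gets its Precedence and Label by longest prefix match ( IPv4 addresses through their ::ffff:0:0/96 mapped form ), then a reduced selection is run using only source rule 6 and destination rules 5 and 6, first with the default table and then with the ::ffff:0:0/96 row raised to 100. The host addresses, the function names and the assumption that ' set prefix ' overwrites the existing row are constructed for the illustration.

```python
import ipaddress

# ( prefix, precedence, label ) : the default table listed in this post
DEFAULT_POLICY = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]

# Constructed sample host : one GUA, one ULA, one IPv4 address
SOURCES = ["2001:db8:0:2::140", "fd07:44de:a327:2::140", "192.0.2.10"]
# Constructed sample destinations, as a dual-stack DNS answer would return them
DESTINATIONS = ["198.51.100.80", "2001:db8:ffff::80"]


def to_v6(addr):
    """IPv4 addresses are looked up as ::ffff:a.b.c.d IPv4 mapped addresses."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address("::ffff:" + str(ip))
    return ip


def classify(addr, policy):
    """Longest prefix match in the policy table; returns ( precedence, label )."""
    ip = to_v6(addr)
    best = None
    for prefix, precedence, label in policy:
        net = ipaddress.IPv6Network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    if best is None:
        raise ValueError("policy table has no ::/0 row")
    return best[1], best[2]


def set_prefix(policy, prefix, precedence, label):
    """Model of ' netsh int ipv6 set prefix ' : overwrite that row ( assumption )."""
    rows = [row for row in policy if row[0] != prefix]
    return rows + [(prefix, precedence, label)]


def pick_source(dst, candidates, policy):
    """Source rule 6 only : among same-family candidates, prefer a matching label."""
    family = ipaddress.ip_address(dst).version
    usable = [c for c in candidates if ipaddress.ip_address(c).version == family]
    dst_label = classify(dst, policy)[1]
    matching = [c for c in usable if classify(c, policy)[1] == dst_label]
    return (matching or usable or [None])[0]


def order_destinations(dsts, sources, policy):
    """Destination rules 5 ( matching label ) and 6 ( higher precedence ) only."""
    def key(dst):
        precedence, label = classify(dst, policy)
        src = pick_source(dst, sources, policy)
        label_match = src is not None and classify(src, policy)[1] == label
        return (not label_match, -precedence)
    return sorted(dsts, key=key)


if __name__ == "__main__":
    prefer_v4 = set_prefix(DEFAULT_POLICY, "::ffff:0:0/96", 100, 4)
    for name, policy in (("default", DEFAULT_POLICY), ("IPv4 preferred", prefer_v4)):
        print(name, order_destinations(DESTINATIONS, SOURCES, policy))
    for dst in ("2001:db8:ffff::80", "fd07:44de:a327:2::1"):
        print(dst, "<- source", pick_source(dst, SOURCES, DEFAULT_POLICY))
```
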

 

Published by computer outlines - in IPv6
20 June 2013 13:37

Using ULA ( Unique Local Addresses ) and GUA ( Global Unicast Addresses ) on the same network.

 

S9b

 

We're going to see how to use both ULA and GUA on the same network, the limitations or problems that might occur, as well as the way to solve them.

 

we'll use ULA subnets based on the fd07:44de:a327::/48 prefix :

fd07:44de:a327:0::/64

fd07:44de:a327:1::/64

fd07:44de:a327:2::/64

 

and GUA subnets based on the 2001:0DB8:0::/48 prefix :

2001:0DB8:0:0::/64

2001:0DB8:0:1::/64

2001:0DB8:0:2::/64

 

keeping the subnet IDs aligned ( fd07:44de:a327:0::/64 and 2001:0DB8:0:0::/64 on the same physical subnet, etc ... ).

Thus, [G] represents a /48 prefix throughout this post.

 

Using ULA and GUA on a single subnet

 

S9b.gif

 

 

 

Using our neat little Dlink DIR 626-L router ( Router 1 ), let's add ULA capability to a GUA network.
We keep GUA networking in the router's main networking page ( Internet connectivity setup ), and as we do static networking, we disable LAN address autoconfiguration on this page.

 

We then use, for the first time, the ' local connectivity setup ' page to add ULA capability :

 

S9a.gif

 

. We check ' enable ULA '
. We don't use the default ULA, so we can use our own chosen subnet ID
( the default subnet ID seems to be one-time uniquely generated, but it is fixed. There is no documentation as to how it is generated. MAC derived ? )

 

 

Client setup

We're going to configure PC1 to use both a ULA and a GUA.
First, as we're doing static networking here, we disable the ability for PC1 to autoconfigure itself ( i.e. we disable router discovery ) :
netsh int ipv6 set int [Idx] router=dis

We statically configure a GUA address ( in network connections ).

We also need to add a ULA address, using the command line :
netsh int ipv6 add address [Idx] [IP address]
ex : netsh int ipv6 add address 12 fd07:44de:a327:2::140

We can now check the interface addresses :
netsh int ipv6 show address [Idx]

We can also check our local connectivity :
ping fd07:44de:a327:2::1


and our global connectivity :
ping -6 www.wikipedia.org

 

 

Tools for troubleshooting ULA/GUA combination

As we now have 2 potential source addresses, it is good to be able to check which address is used as a source. Here are some tips :


tracert [IP address]                 shows you the nodes used, thus the address type ( ULA or GUA )
tracert -S [source IP] [dest IP]     forces the use of the source IP
ping -S [source IP] [dest IP]        ( same )

Please note that packets with a ULA source address get discarded by Internet routers, so there won't be any answer to a packet sent from a ULA source.
Thus this command :
tracert -S fd07:44de:a327:3::140 www.wikipedia.org


won't get any answer.
This is one of the big shifts when going IPv6 : ULA addresses are private. Period. No NAT will turn them into public IPs.
On the other hand, GUA addresses are public. So all our network hosts using GUA are public. Period. So take good care of your firewalls ...

There are no tepid waters, like IPv4 private addresses getting Internet access through NAT, and IPv4 public IPs being forwarded to the private Lan.

A good deal of the problems when doing both ULA/GUA over a subnet come from source address selection, which is well documented ( RFC 6724 ). So checking and troubleshooting the source address selection is the first essential step.
The second essential step is using ' netsh int ipv6 show prefixpolicies ' to see the prefix policy table. ( More information about these in the next post )
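
The label and precedence lookups behind the source selection described above, and behind the ' preferring IPv4 ' setting of the prefix policy post, as an added example ( not the author's code, and not Windows' implementation ). It models only source rule 6 and destination rule 6 of RFC 6724 and assumes every other rule ties ; the function names and the sample addresses are constructed for the illustration.

```python
import ipaddress

# RFC 6724 default policy table: (prefix, precedence, label)
DEFAULT_POLICY = [
    ("::1/128", 50, 0), ("::/0", 40, 1), ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2), ("2001::/32", 5, 5), ("fc00::/7", 3, 13),
    ("::/96", 1, 3), ("fec0::/10", 1, 11), ("3ffe::/16", 1, 12),
]

def as_v6(addr):
    """Parse an address; IPv4 becomes its IPv4-mapped form ::ffff:a.b.c.d."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address((0xFFFF << 32) | int(ip))
    return ip

def lookup(addr, table):
    """Longest-prefix match in the policy table -> (precedence, label)."""
    ip = as_v6(addr)
    rows = [(ipaddress.ip_network(p), prec, label) for p, prec, label in table]
    best = max((r for r in rows if ip in r[0]), key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def set_prefix(table, prefix, precedence, label):
    """Model of 'netsh int ipv6 set prefix': replace one row, keep the rest."""
    return [r for r in table if r[0] != prefix] + [(prefix, precedence, label)]

def pick_source(dest, candidates, table=DEFAULT_POLICY):
    """Source rule 6 only: prefer a candidate whose label matches the destination's."""
    dest_label = lookup(dest, table)[1]
    matching = [c for c in candidates if lookup(c, table)[1] == dest_label]
    return (matching or candidates)[0]

def order_destinations(dests, table=DEFAULT_POLICY):
    """Destination rule 6 only: highest precedence first, ties keep input order."""
    return sorted(dests, key=lambda d: lookup(d, table)[0], reverse=True)

# Constructed sample data: PC1 with a ULA and a GUA, and a dual-stack destination.
PC1 = ["fd07:44de:a327:2::140", "2001:db8:0:2::140"]
DUAL_STACK = ["192.0.2.10", "2001:db8:ffff::10"]
PREFER_V4 = set_prefix(DEFAULT_POLICY, "::ffff:0:0/96", 100, 4)

if __name__ == "__main__":
    print("to GUA :", pick_source("2001:db8:ffff::10", PC1))
    print("to ULA :", pick_source("fd07:44de:a327:2::1", PC1))
    print("default:", order_destinations(DUAL_STACK))
    print("v4 pref:", order_destinations(DUAL_STACK, PREFER_V4))
```

The ULA falls under fc00::/7 ( label 13 ) and the GUA under ::/0 ( label 1 ), which is why a global destination pulls the GUA as source and a ULA destination pulls the ULA.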

 

 

 

Adding ULA and GUA over several subnets

 

S9c.gif

 

The ULA functionality works very well over a single subnet. Unfortunately, the DLink 626-L network engine can't handle routing both ULA and GUA through the WAN port.
Using a Windows OS as a Router, we can have ULA and GUA both routed easily. There's no extra step needed compared to simple ULA or GUA routing.

 

We just need to have two IPv6 static routes pointing to the subnet #2 in Router 2, one for ULA and one for GUA :

 

S9d.gif

 

 

 

 

The benefits of using both ULA and GUA in a network

The first benefit is network numbering autonomy. In case of ISP change, or of ISP-attributed network ID change, we can avoid network renumbering, which is a huge task. We just have to set up the routers' GUA addresses, and can leave most of our server infrastructure and setups unchanged ( DNS, AD, ... ).
The second benefit is network isolation. As ULA can't reach the Internet, and can't be reached, we can isolate some key components from the outside world ( AD Server, internal Data Server, .. ), leaving them with ULA-only connectivity.

The benefits of using a GUA-only network :
When using only GUA on our network, the network is somewhat easier to manage and troubleshoot.


19 June 2013, 13:57

In this last post about IPv6 Static Networking, we'll briefly see how to use a routed /48 network, and how to design its subnets. See the previous posts for basics like turning a Windows OS PC into an IPv6 router, basic IPv6 routing, creating a Hurricane Electric tunnel, etc ...

 

The basic network topology will look like this :

 

Static8a.gif

 

 

But first, let's have a quick look at something very static indeed : the host file

 

 

 

IPv6 and the host file

 

Once the network reaches a certain complexity, managing it can be eased a little by using the hosts file.

The hosts file holds records of host name/IP address pairs.

It's located at C:\Windows\System32\drivers\etc\

You can edit it with Notepad ( admin mode ). As an example :

 

hosts.gif

 

Having a good static hosts file on the main PC makes access to network hosts for monitoring and configuration fast and easy.

 

 

 

 

Creating a routed /48 tunnel with Hurricane Electric

 

 

To create the routed /48 tunnel, first we create a regular tunnel at Hurricane Electric.

We then click the ' assign /48 ' link :

 

Static8f.gif

 

We will get this screen :

 

Static8g.gif

We have a new value ( [ G ] ) : our routed /48 prefix

 

Please note :

Server IPv4 and IPv6 addresses : [ D ] and [ E ]

Client IPv6 address : [ B ]

Routed /48 prefix : [ G ]

For the client IPv4 address, you will use your IPv6 Tunnel Endpoint Router's Wan IPv4 Address, which is likely to be a private address, not the displayed public IPv4 [ A ]. See previous posts.

 

 

 

a routed /48 subnet using 1 IPv6 Router and 1 routing Windows OS

 

 

using a Windows OS PC as a second IPv6 router, the network topology looks like this :

 

Static8b.gif

 

PC 1 and PC 2 have Router 2 as default gateway. Router 2 has OS Router 1 as default gateway.

 

We first setup the tunnel endpoint on OS Router 1 :

 

Static8h.gif

 

then check the 2 Routing interfaces Indexes using : netsh int ipv6 show interface

 

and issue the routing commands :

 

Static8i.gif

 

we finally assign an IPv6 address from our routed /48 [ G ] to the Lan interface.

Let's create a first /64 subnet, that we'll number 1, out of our /48 :

 

[ G ]:1::/64          ( replace [ G ] with your routed /48 prefix )

So we will assign the Lan Interface the IP [ G ]:1::1

As an example, if [ G ] = 2001:DB8:0::/48, our Lan IP will be 2001:DB8:0:1::1

 

As OS Router 1 has no knowledge of the [ G ]:2:: /64 subnet location, we have to add a route to it :

 

netsh int ipv6 add route 2001:DB8:0:2::/64 [Idx] 2001:DB8:0:1::230

 

( replace [Idx] with the OS Router Lan Interface Index )

( we could instead use netsh int ipv6 add route 2001:DB8:0::/48 [Idx] 2001:DB8:0:1::230 so as to route the whole /48 subnet beyond Router 2. It just works the same in the present case )

All hosts in the network are able to ping each other. Just don't forget Router 2's firewall settings.
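
How OS Router 1 picks a next hop with the /64 static route and with the /48 alternative, as an added example ( not the author's code ). The default route through IP6Tunnel and the sample destinations are assumptions made for the illustration ; the prefixes and the Router 2 address are the ones used in the commands above.

```python
import ipaddress

G = "2001:db8:0"            # example /48 from the post ( [ G ] = 2001:DB8:0::/48 )
ROUTER2 = f"{G}:1::230"     # Router 2's address on subnet 1, from the netsh command
ON_LINK = "on-link (Lan)"   # marker for the directly connected subnet

def table(static_prefix, static_hop=ROUTER2):
    """OS Router 1 routes as (prefix, next hop)."""
    return [
        ("::/0", "IP6Tunnel"),          # assumed default route through the HE tunnel
        (f"{G}:1::/64", ON_LINK),       # connected subnet 1 ( Lan IP [ G ]:1::1 )
        (static_prefix, static_hop),    # the static route under test
    ]

def next_hop(dest, routes):
    """Longest-prefix match: the most specific matching route wins."""
    ip = ipaddress.ip_address(dest)
    nets = [(ipaddress.ip_network(p), hop) for p, hop in routes]
    return max((n for n in nets if ip in n[0]), key=lambda n: n[0].prefixlen)[1]

def validate(routes):
    """Every static next-hop address must sit on a connected subnet."""
    connected = [ipaddress.ip_network(p) for p, hop in routes if hop == ON_LINK]
    hops = [hop for _, hop in routes if ":" in hop]
    return all(any(ipaddress.ip_address(h) in c for c in connected) for h in hops)

def compare(dests):
    """Next hop per destination: ( with the /64 route, with the /48 route )."""
    specific = table(f"{G}:2::/64")
    aggregate = table(f"{G}::/48")
    return {d: (next_hop(d, specific), next_hop(d, aggregate)) for d in dests}

# Constructed destinations: subnet 1, subnet 2, an unassigned subnet, the Internet.
SAMPLES = [f"{G}:1::40", f"{G}:2::40", f"{G}:7::1", "2001:4860:4860::8888"]

if __name__ == "__main__":
    for dest, (with_64, with_48) in compare(SAMPLES).items():
        print(f"{dest:24} /64 route -> {with_64:20} /48 route -> {with_48}")
```

Both variants agree for subnet 1, subnet 2 and the Internet ; they differ only for subnets of [ G ] that are not assigned, which follow the default route with the /64 route and go to Router 2 with the /48 route.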

 

 

One final note : like in the previous example, OS Router 1 doesn't need 2 network interfaces, it can do fine with just one.

Here is the network topology then :

 

Static8c.gif

 

the settings for the tunnel should change in this last case :

 

Client IPv4 = OS Router 1 Lan IPv4

 

Router 2 IPv6 default gateway = OS Router 1 Lan IPv6

 

 

 

a routed /48 subnet using 2 network IPv6 Routers

 

The network topology is :

 

Static8a

 

Well, if you read the previous post, nothing is different here. The Router 1 IPv6 Tunnel is setup the same way.

 

We need to add to Router 1 a static IPv6 route to the [ G ]:2::/64 Subnet.

( We can instead add to Router 1 a static IPv6 route to the [ G ]::/48 Subnet, to provide route aggregation beyond Router 2. It just works the same in the present case )

 

Take care of your firewall rules, and all is easy.

 

 

Three Subnets Routing

 

For this last topology, we will add a third router to the situation. Here is the network topology :

 

Static8d.gif

 

If you followed the last two parts, this should be very easy for you.

Here is the default gateway design :

 

Hosts                      Default Gateway

PC1, PC2                   Router 2
Router 2                   Router 1
PC 2                       OS Router
OS Router                  Router 1

Here are the routes that need to be added for all hosts to be able to ping each other :

Hosts                      Needed Additional Route

Router 2, Router 1         Subnet 3
OS Router 1, Router 1      Subnet 2

 

 

We have then made 3 /64 subnets out of our /48 subnet, and all hosts are able to ping each other.

The network topology is :

 

Static8e.gif

 

This concludes this series of articles about Static IPv6 Networking. The next series will be about IPv6 Dynamic Networking.

 

16 June 2013, 14:26

For this next part, we're going to see how to bring IPv6 internet connectivity to a whole subnet. For this, we will need an IPv6 capable Router, or to use a Windows PC as an IPv6 Router. We'll see both ways to do this.

 

The basic network topology looks like this :

 

Static7a.gif

 

To have Internet connectivity for a whole subnet, we need what is named a ' routed /64  subnet'.
This means that besides our Wan IPv6 address, which is on a first subnet shared with the ISP's IPv6 endpoint, we need another /64 subnet for our IPv6 Lan. Finally, we need the ISP to route that second /64 subnet to us. That is a ' routed /64 subnet '.
To see how to create an IPv6 Internet Tunnel with Hurricane Electric, see this post : Static IPv6 Networking Part 5 : Internet Connectivity

On our Tunnel Details page, we see this :

 

Static7c.gif

 

We need to note :
the Server IPv4 and IPv6 Addresses : [ D ] and [ E ]
the Client IPv4 and IPv6 Addresses : [ A ] and [ B ]
the routed /64 prefix : [ F ]

We also need our Client's real IPv4 address : [ C ], which in most cases is a private IPv4 address. It's the IPv4 address of the Router Wan side in this case. We will use this one as Client IPv4 Address.
Please note that in this case, the client is our Router ( or Windows OS Router ).

A Routed /64 subnet using an IPv6 Router

The network topology as a reminder :
Static7a

 

First, we need to setup the Wan side of our router. HE ( Hurricane Electric ) IPv6 tunneling type is IPv6inIPv4. We enter the IPv4 and IPv6 endpoints IP addresses, and choose a Lan IP address on the Routed /64 prefix subnet ( [ F ] ) :

 

Static7d.gif

 

As a reminder, we don't use the Local Connectivity tab in this setup. Here is how it should look :

 

Static7e.gif

 

We then set up PC 1 and PC 2, using the routed /64 prefix, and using the Router Lan IP as a default gateway. As an example :

Name     IP          Prefix length    DG        DNS1                    DNS2
PC1      [F]::40     /64              [F]::1    2001:4860:4860::8888    2001:4860:4860::8844
PC2      [F]::41     /64              [F]::1    2001:4860:4860::8888    2001:4860:4860::8844


One last note : We need to take care of the Router IPv6 Firewall. Here is a basic, working configuration :

Static7f.gif

 

I'll focus on IPv6, and especially this D-Link 626-L firewall implementation, in a following post.

 

We can now try our Internet connectivity :
tracert -d ipv6.google.com

A few notes : The D-Link DIR 626-L doesn't seem to be able to do DNSv6 relay.

 

A Routed /64 subnet using a Windows OS as an IPv6 Router

Here is the topology we're going to use :

Static7b.gif

 

Please note that we will need a switch behind OS Router 1. It can be any switch, or the switching side of an IPv4 Router. Just disable DHCP and verify the IPv4 subnet for this en-switched Router.

first, we will create the tunnel :

 

Static7g.gif

 

Then, we will identify the [Idx] of our 2 routing interfaces using this command :

 

netsh int ipv6 show interface

 

 

[ Idx1 ] = Lan side Interface

[ Idx2 ] = IP6Tunnel

 

 

and issue the forwarding command for both interfaces. Replace [Idx1] and [Idx2] of course :

 

Static7h.gif

 

we then assign the address [ F ]::1 for the Lan Side Router's Interface
and setup PC 1 and PC 2 :

Name     IP          Prefix length    DG        DNS1                    DNS2
PC1      [F]::40     /64              [F]::1    2001:4860:4860::8888    2001:4860:4860::8844
PC2      [F]::41     /64              [F]::1    2001:4860:4860::8888    2001:4860:4860::8844

One last note : We do not need to take care of the Windows OS IPv6 Router Firewall. Which is easy, but is a good reminder that you're essentially trusting your OS for firewalling issues. And here, it seems quite comprehensive to say the least ...

We can now try our Internet connectivity :
tracert -d ipv6.google.com


A few last notes : we can turn our Windows OS into an IPv6 subnet access point using a single network interface. In this case, the network topology is this :

Static7i.gif

 

and we use the Windows OS IPv4 as client IPv4, and as IPv6 address we use [F]::1
( the IP6Tunnel interface is virtual after all, and receives the WAN IPv6 address )





15 June 2013, 14:21

As we're getting into Global Internet connectivity, we need to spend a little time talking about DNS. Because without correctly functioning DNS, there is no name resolution, and thus most software is stalled ( Web browser, Mail client, Antivirus updates, ... )

Static6a

 

 

First, we have IPv4 DNS Servers. This means they are reachable over IPv4. They hold records of name/IPv4 address pairs. Such a record is called an ' A ' record.

What is good is that those IPv4 DNS Servers also hold records of name/IPv6 address pairs. These are called ' AAAA ' records. So you don't need to enter an IPv6 DNS Server IP, except if you have the whole IPv4 Stack disabled.

In the same way, an IPv6 DNS Server holds ' A ' records and ' AAAA ' records. So it can answer ' A ' record requests.

As an example, if you want all DNS requests ( ' A ' and ' AAAA ' records ) to be served by the IPv6 DNS Server, enter no IPv4 DNS IP on the client, only an IPv6 DNS IP.

If you want all DNS requests ( ' A ' and ' AAAA ' records ) to be served by the IPv4 DNS Server, enter no IPv6 DNS IP on the client, only an IPv4 DNS IP.

Finally, do note that Windows gives priority to IPv6, so if you entered both an IPv4 DNS IP and an IPv6 DNS IP, the IPv6 one will be used first.

Of course, a single DNS server can have both an IPv6 and an IPv4 address, thus providing DNS resolution over both IPv4 and IPv6. The previous example was just to clarify things.

 

Useful commands to troubleshoot DNS

We'll use OpenDNS for DNS resolution in these examples :

 

IPv4 DNS : 208.67.220.220
IPv6 DNS : 2620:0:ccd::2

to test the DNS resolution of www.wikipedia.org :
nslookup www.wikipedia.org

 

notice that www.wikipedia has no AAAA record.

if you try :                nslookup www.google.com

 

you see that there exists both A and AAAA records for www.google.com

 

now let's try :          nslookup ipv6.google.com

 

There is no A record. Only an AAAA IPv6 record.

 

 

 

to test the DNS resolution forcing the use of an IPv4 DNS Server :
nslookup www.google.com 208.67.220.220

to test DNS resolution forcing the use of an IPv6 DNS Server :
nslookup www.google.com 2620:0:ccd::2

 

Strangely, nslookup doesn't seem to have a working fallback mechanism. If an IPv6 DNS server is registered on the PC, nslookup sends the request to it. If the request isn't answered, it doesn't try a registered IPv4 address, it just stops there.

 

 

Why are IPv6 records named ' AAAA ' records

Well, IPv4 records are named ' A ' records. And they're 32 bits long.
As an IPv6 record is four times this size ( i.e. 128 bits ), it is named an ' AAAA ' record, a Quad A record.

 


