IPv6 Crash Course

Astro <astro@spaceboyz.net>

Warum IPv6?

Mehr Adressen
Multicast
IPSec
Autokonfiguration

IPv6 Packet Header

Adressen

IPv4

4 × 8 bits = 32 bits
192.0.2.11
10.0.0.1
(Meist) Dezimalschreibweise

IPv6

8 × 16 bits = 128 bits
2001:8d8:81:5c8:219:dbff:fe64:81a7
2001:db8::c3d2:0:1
:(0:)* kann 1× durch :: abgekürzt werden.
Führende Nullen können weggelassen werden

Subnets & Subnet Masks

IPv4

  172.22.16.21
& 255.255.255.0
= 172.22.16.0

  172.22.16.70
& 255.255.255.192
= 172.22.16.64

IPv6

  2001:08d8:0081:05c8:0219:dbff:fe64:81a7
& ffff:ffff:ffff:ffff:0000:0000:0000:0000
= 2001:08d8:0081:05c8:0000:0000:0000:0000

  2001:8d8:81:5c8:219:dbff:fe64:81a7
& ffff:ffff:ffff:ff00::
= 2001:8d8:81:500::

CIDR Notation

IPv4 (Netmask bits)

a.b.c.d/0: 0.0.0.0
a.b.c.d/8: 255.0.0.0
a.b.c.d/16: 255.255.0.0
a.b.c.d/24: 255.255.255.0
a.b.c.d/25: 255.255.255.128
a.b.c.d/26: 255.255.255.192
a.b.c.d/27: 255.255.255.224
a.b.c.d/28: 255.255.255.240
a.b.c.d/29: 255.255.255.248
a.b.c.d/30: 255.255.255.252
a.b.c.d/31: 255.255.255.254
a.b.c.d/32: 255.255.255.255

IPv6 (Prefix length)

::/0: ::
a:b:c:d:e:f:g:h/60: ffff:ffff:ffff:fff0::
a:b:c:d:e:f:g:h/61: ffff:ffff:ffff:fff8::
a:b:c:d:e:f:g:h/62: ffff:ffff:ffff:fffc::
a:b:c:d:e:f:g:h/63: ffff:ffff:ffff:fffe::
a:b:c:d:e:f:g:h/64: ffff:ffff:ffff:ffff::
a:b:c:d:e:f:g:h/128: ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Routing-Tabelle

default via 172.22.16.4 dev eth0        default = 0.0.0.0/0
172.22.16.0/24 dev eth0

default via 172.22.16.2 dev eth0
unreachable 172.16.0.0/12
172.22.0.0/15 via 172.22.16.1
172.22.16.0/24 via 172.22.16.4
172.22.16.0/26 dev eth0

2001:8d8:81:5c8::/64 dev eth0 
fe80::/64 dev eth0  
ff00::/8 dev eth0  
default via fe80::2de:caff:fefb:ad03 dev eth0
2001:67c:21ec:bbbb::/64 via fe80::f00d:f00d dev dc99 
2001:67c:21ec:cccc::/64 via fe80::f00d:f00d dev dc99 
2001:67c:21ec:eeee::/64 via fe80::f00d:f00d dev dc99 
2001:67c:21ec::/48 via fe80::cafe:cafe dev dc24

sipcalc

IPv4

$ sipcalc 217.115.11.132/27
-[ipv4 : 217.115.11.132/27] - 0

[CIDR]
Host address		- 217.115.11.132
Host address (decimal)	- 3648195460
Host address (hex)	- D9730B84
Network address		- 217.115.11.128
Network mask		- 255.255.255.224
Network mask (bits)	- 27
Network mask (hex)	- FFFFFFE0
Broadcast address	- 217.115.11.159
Cisco wildcard		- 0.0.0.31
Addresses in network	- 32
Network range		- 217.115.11.128 - 217.115.11.159
Usable range		- 217.115.11.129 - 217.115.11.158

IPv6

$ sipcalc 2001:db8::c3d2:0:1/64
-[ipv6 : 2001:db8::c3d2:0:1/64] - 0

[IPV6 INFO]
Expanded Address	- 2001:0db8:0000:0000:0000:c3d2:0000:0001
Compressed address	- 2001:db8::c3d2:0:1
Subnet prefix (masked)	- 2001:db8:0:0:0:0:0:0/64
Address ID (masked)	- 0:0:0:0:0:c3d2:0:1/64
Prefix address		- ffff:ffff:ffff:ffff:0:0:0:0
Prefix length		- 64
Address type		- Aggregatable Global Unicast Addresses
Network range		- 2001:0db8:0000:0000:0000:0000:0000:0000 -
			  2001:0db8:0000:0000:ffff:ffff:ffff:ffff

Scopes (1/2)

IPv4 (RFC5735)

0.0.0.0/8: "This" network
10.0.0.0/8: Private use (RFC1918)
127.0.0.1/8: Loopback
169.254.0.0/16: Link-local (Zeroconf)
172.16.0.0/12: Private use (RFC1918)
192.0.0.0/24: Reserved
192.0.2.0/24: TEST-NET-1
192.88.99.0/24: 6to4 relay anycast
192.168.0.0/16: Private use (RFC1918)
198.18.0.0/15: SPECIAL-IPV4-BENCHMARK-TESTING-IANA-RESERVED
198.51.100.0/24: TEST-NET-2
203.0.113.0/24: TEST-NET-3
224.0.0.0/4: Multicast

IPv6 (RFC4291)

::1: Loopback
ff00::/8: Multicast
fe80::/8: Link-local
Alles andere: Global Unicast; Aktuelles Unicast Prefix: 2000::/3 (2000:: - 3fff:ffff:…)
fec0::/10, 0200::/7, ::/96, 5f00::/8, 3ffe::/16: Deprecated

Scopes (2/2)

General multicast address format
Bits	8	4	4	112
Field	prefix	flags	scope	group ID

Multicast address flags^[5]
Bit	Flag	0	1
0 (MSB)	(Reserved)	(Reserved)	(Reserved)
1	R (Rendezvous)^[6]	Rendezvous point not embedded	Rendezvous point embedded
2	P (Prefix)^[7]	Without prefix information	Address based on network prefix
3 (LSB)	T (Transient)^[8]	Well-known multicast address	Dynamically assigned multicast address

Multicast address scope
IPv6 address^{[note 1]}	IPv4 equivalent^[9]	Scope	Purpose
`ff00::/16-ff0f::/16`		Reserved
`ffx1::/16`	`127.0.0.0/8`	Interface-local	Packets with this destination address may not be sent over any network link, but must remain within the current node; this is the multicast equivalent of the unicast loopback address.
`ffx2::/16`	`224.0.0.0/24`	Link-local	Packets with this destination address may not be routed anywhere.
`ffx3::/16`	`239.255.0.0/16`	IPv4 local scope
`ffx4::/16`		Admin-local	The smallest scope that must be administratively configured.
`ffx5::/16`		Site-local	Restricted to the local physical network.
`ffx8::/16`	`239.192.0.0/14`	Organization-local	Restricted to networks used by the organization administering the local network. (For example, these addresses might be used over VPNs; when packets for this group are routed over the public internet (where these addresses are not valid), they would have to be encapsulated in some other protocol.)
`ffxe::/16`	`224.0.1.0-238.255.255.255`	Global scope	Eligible to be routed over the public internet.

Verkonfiguriert?

% ping6 ff02::1%eth0
PING ff02::1%eth0(ff02::1) 56 data bytes
64 bytes from fe80::219:dbff:fe64:81a7: icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from fe80::2de:caff:fefb:ad07: icmp_seq=1 ttl=64 time=0.852 ms (DUP!)
64 bytes from fe80::21b:21ff:fe0e:5592: icmp_seq=1 ttl=64 time=0.978 ms (DUP!)
^C

% ssh fe80::21b:21ff:fe0e:5592%eth0
blaster:~$

iproute2 (1/3)

$ ip
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
       ip [ -force ] -batch filename
where  OBJECT := { link | addr | addrlabel | route | rule | neigh | ntable |
                   tunnel | tuntap | maddr | mroute | mrule | monitor | xfrm |
                   netns | l2tp }
       OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
                    -f[amily] { inet | inet6 | ipx | dnet | link } |
                    -l[oops] { maximum-addr-flush-attempts } |
                    -o[neline] | -t[imestamp] | -b[atch] [filename] |
                    -rc[vbuf] [size]}

$ ip a help
Usage: ip addr {add|change|replace} IFADDR dev STRING [ LIFETIME ]
                                                      [ CONFFLAG-LIST ]
       ip addr del IFADDR dev STRING
       ip addr {show|flush} [ dev STRING ] [ scope SCOPE-ID ]
                            [ to PREFIX ] [ FLAG-LIST ] [ label PATTERN ]
IFADDR := PREFIX | ADDR peer PREFIX
          [ broadcast ADDR ] [ anycast ADDR ]
          [ label STRING ] [ scope SCOPE-ID ]
SCOPE-ID := [ host | link | global | NUMBER ]
FLAG-LIST := [ FLAG-LIST ] FLAG
FLAG  := [ permanent | dynamic | secondary | primary |
           tentative | deprecated | dadfailed | temporary |
           CONFFLAG-LIST ]
CONFFLAG-LIST := [ CONFFLAG-LIST ] CONFFLAG
CONFFLAG  := [ home | nodad ]
LIFETIME := [ valid_lft LFT ] [ preferred_lft LFT ]
LFT := forever | SECONDS

iproute2 (2/3)

Adresse konfigurieren:

ip addr add fe80::fefe:fa7/64 dev wlan0

Adresse entfernen:

ip a d fe80::fefe:fa7/64 dev wlan0

iproute2 (3/3)

IPv4-Routingtabelle anzeigen:

ip route

IPv6-Routingtabelle anzeigen:

ip -6 route

Route setzen:

ip r a 2000::/3 dev wlan0 via fe80::2de:caff:fefb:ad03

Route löschen:

ip r d 2000::/3

Transition Mechanisms

IPv6 over IPv4 Tunnels: RFC2529

3. Frame Format

   IPv6 packets are transmitted in IPv4 packets [RFC 791] with an IPv4
   protocol type of 41, the same as has been assigned in [RFC 1933] for
   IPv6 packets that are tunneled inside of IPv4 frames.  The IPv4
   header contains the Destination and Source IPv4 addresses.  The IPv4
   packet body contains the IPv6 header followed immediately by the
   payload.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live | Protocol 41   |         Header Checksum       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Source Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Destination Address                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |            IPv6 header and payload ...              /
    +-------+-------+-------+-------+-------+------+------+

IPv6 over IPv4 Tunnels: Linux

Auf 1.2.3.4:

ip tunnel add sit1 mode sit remote 5.6.7.8

Auf 5.6.7.8:

ip tunnel add sit1 mode sit remote 1.2.3.4

Danach:

ip link set sit1 up
ip route add 2001:db8:c3d2:cafe::/64 dev sit0

Tunneln mit SixXS

https://www.sixxs.net/ — Seit 1999

apt-get install aiccu

/etc/aiccu.conf

username SMA2-SIXXS
password ***
protocol tic
server tic.sixxs.net
ipv6_interface sixxs
tunnel_id T74093
daemonize true
automatic true

/64 auf Interface sixxs
Default-Route
Punkte durch Uptime sammeln, größeres Netz beantragen

Tunneln mit 6to4

Tunnel Remote: 192.88.99.1 (Anycast-Adresse)
Beispiel:
- Öffentliche IPv4-Adresse: 217.115.11.132
- Hexadezimal: 0xd9, 0x73, 0xb, 0x84
- Diese Adresse erhält Pakete für 2002:d973:b84::/48

Tunneln mit Teredo

UDP statt Protokoll 41, besser NAT-bar
Teredo Server: Konfiguration
Teredo Relay: Router

Teredo IPv6 example table: 2001:0:4136:e378:8000:63bf:3fff:fdd2
Bits	0 - 31	32 - 63	64 - 79	80 - 95	96 - 127
Length	32 bits	32 bits	16 bits	16 bits	32 bits
Description	Prefix	Teredo server IPv4	Flags	Obfuscated UDP port	Obfuscated Client public IPv4
Part	2001:0000	4136:e378	8000	63bf	3fff:fdd2
Decoded		65.54.227.120	cone NAT	40000	192.0.2.45

Public Teredo Servers

teredo.remlab.net / teredo-debian.remlab.net (France)
teredo.autotrans.consulintel.com (Spain)
teredo.ipv6.microsoft.com (USA, Redmond) (default for WindowsXP/2003/Vista/2008 OS)
teredo.ngix.ne.kr (South Korea)
teredo.managemydedi.com (USA, Chicago)
teredo.trex.fi (Finland)

6rd: IPv6 Rapid Deployment (RFC5569)

Mehr Kontrolle für Provider, bessere Erreichbarkeit
Statt 2002::/16 beliebiges Provider-Prefix, ggf. mit weniger als 32 Bit der IPv4-Adresse
Andere Anycast-Adresse, je nach Provider (Bsp. free.fr: 192.88.99.201)
free.fr seit Dezember 2007 (innerhalb von 5 Wochen)

Im lokalen Netz

NDP statt ARP

17:29:36.297044 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::a800:42ff:fe7a:3246 > fe80::a800:5bff:fe08:f05b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::a800:5bff:fe08:f05b
          source link-address option (1), length 8 (1): aa:00:42:7a:32:46
            0x0000:  aa00 427a 3246
17:29:36.297199 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::a800:5bff:fe08:f05b > fe80::a800:42ff:fe7a:3246: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::a800:5bff:fe08:f05b, Flags [solicited]

Stateless Autoconfiguration mit radvd

/etc/radvd.conf

interface eth0
{
        AdvSendAdvert on;

        prefix 2001:8d8:81:5c8::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
                AdvPreferredLifetime 60;
                AdvValidLifetime 600;
        };

};

Router Advertisements empfangen

Linux: echo 1 > /proc/sys/net/ipv6/conf/.../accept_ra
BSD: rtsol & rtsold

15:33:55.051275 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::2de:caff:fefb:ad03 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
        hop limit 64, Flags [none], pref high, router lifetime 15s, reachable time 0s, retrans time 0s
          prefix info option (3), length 32 (4): 2001:8d8:81:5c8::/64, Flags [onlink, auto, router], valid time 600s, pref. time 60s
            0x0000:  40e0 0000 0258 0000 003c 0000 0000 2001
            0x0010:  08d8 0081 05c8 0000 0000 0000 0000
          source link-address option (1), length 8 (1): 00:de:ca:fb:ad:03
            0x0000:  00de cafb ad03

$ ip -6 r
2001:8d8:81:5c8::/64 dev eth0  proto kernel  metric 256  expires 599sec
fe80::/64 dev eth0  proto kernel  metric 256 
default via fe80::2de:caff:fefb:ad03 dev eth0  proto kernel  metric 1024  expires 14sec

Verwendung von MAC-Adressen

Lokale Netze sollen /64 sein
EUI64: Einfügen von FF:FE
Invertieren des 7. MSB des EUI64
Beispiel:
- MAC: 00:1f:16:13:17:ba
- IPv6: fe80::21f:16ff:fe13:17ba
Tracking anhand MAC-Adresse vermeiden: Privacy Extensions
- ```
echo 1 > /proc/sys/net/ipv6/conf/.../use_tempaddr
```

DNS type: “Quad-A”

www.c3d2.de.		86400	IN	A	46.4.11.4
www.c3d2.de.		86400	IN	AAAA	2a01:4f8:131:30e1::c3d2

DNS Reverse Lookups

IPv4

127.0.0.1

1.0.0.127.in-addr.arpa. IN PTR localhost.

192.0.2.23

23.2.0.192.in-addr.arpa. IN PTR example.com.

IPv6

::1

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa IN PTR localhost.

2001:db8:32e:12c:aa30:2:fff8:e7a

a.7.e.0.8.f.f.f.2.0.0.0.0.3.a.a.c.2.1.0.e.2.3.0.8.b.d.0.1.0.0.2.ip6.arpa IN PTR example.com.

NAT64 (RFC6052)

+-----------------------+------------+------------------------------+
| Network-Specific      |    IPv4    | IPv4-embedded IPv6 address   |
| Prefix                |   address  |                              |
+-----------------------+------------+------------------------------+
| 2001:db8::/32         | 192.0.2.33 | 2001:db8:c000:221::          |
| 2001:db8:100::/40     | 192.0.2.33 | 2001:db8:1c0:2:21::          |
| 2001:db8:122::/48     | 192.0.2.33 | 2001:db8:122:c000:2:2100::   |
| 2001:db8:122:300::/56 | 192.0.2.33 | 2001:db8:122:3c0:0:221::     |
| 2001:db8:122:344::/64 | 192.0.2.33 | 2001:db8:122:344:c0:2:2100:: |
| 2001:db8:122:344::/96 | 192.0.2.33 | 2001:db8:122:344::192.0.2.33 |
+-----------------------+------------+------------------------------+

NAT64-Implementationen

Portable Transport Relay Translator Daemon (pTRTd) — declared dead December 2010
TAYGA
Ecdysis

DNS64-Implementationen

Trick or Treat Daemon (totd)
Ecdysis

DHCPv6

Stateful Autoconfiguration
Mehr Informationen, z.B. DNS-Server
In this example, the server's link-local address is fe80::0011:22ff:fe33:5566/64 and the client's link-local address is fe80::aabb:ccff:fedd:eeff/64.
1. DHCPv6 client sends a Solicit from [fe80::aabb:ccff:fedd:eeff]:546 for [ff02::1:2]:547.
2. DHCPv6 server replies with an Advertise from [fe80::0011:22ff:fe33:5566]:547 for [fe80::aabb:ccff:fedd:eeff]:546.
3. DHCPv6 client replies with a Request from [fe80::aabb:ccff:fedd:eeff]:546 for [ff02::1:2]:547.
4. DHCPv6 server finishes with an Reply from [fe80::0011:22ff:fe33:5566]:547 for [fe80::aabb:ccff:fedd:eeff]:546.

Secure Neighbor Discover (SEND)

Unabhängig von IPSec
Patentiert
http://amnesiak.org/NDprotector/
The Neighbor Discovery protocol (RFC 4861 and RFC 4862) for IPv6 which is equivalent to IPv4 ARP (RFC 826), is prone to many different attacks. RFC 3756 describes and categorizes these attacks. Well aware of this issue, the IETF developped an extension to the Neighbor Discovery protocol. It is named Secure Neighbor Discover (SEND). It relies on a new format of IPV6 addresses described in RFC 3972 named Cryptographically Generated Addresses (CGA). A CGA address securely binds a Public Key to an address. SEND further completes the mechanism and carries new Neighbor Discovery options (Nonce, RSA Signature, ...), that allow the node to prove its address ownership (thus preventing address spoofing) and that the content of the message is unaltered.
When a Neighbor Discovery message (i.e. an ICMPv6 packet) is received or is emitted on/by an interface, a hook set by ip6tables redirect the packet to the userspace before it goes to the kernel/network card. This extraction is performed by the libnetfilter_queue. We then use a modified version of scapy6 (Arnaud Ebalard added SEND messages format, CGA generation procedure and X.509 certificate processing to the original scapy6). Scapy6 dissects each intercepted messages. We inspect each "important" field and decide if we need to modify the message (add an RSA signature option for outgoing packets) or let the message pass (for ingoing packet with a correct signature).
Each assigned address is bound to a Public Key/Private Key. Whenever a message comes from this address, the implementation uses the Private Key and adds an RSA signature option to it.

ip6tables

ip6tables -F INPUT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -p udp --dport 5353 -j ACCEPT
ip6tables -P INPUT DROP

NAT is no firewall!

Programmieren für die Zukunft

One Server Socket To Rule Them All

```
echo 0 > /proc/sys/net/ipv6/bindv6only
```
bind() mit :: (IN6ADDR_ANY)

% ncat -6vlp 6667
Ncat: Version 5.21 ( http://nmap.org/ncat )
Ncat: Listening on :::6667
Ncat: Connection from ::ffff:127.0.0.1.

Internet Clients (1/2)

struct sockaddr_in
  {
    sa_family_t sin_family;
    in_port_t sin_port;                 /* Port number.  */
    struct in_addr sin_addr;            /* Internet address.  */

    /* Pad to size of `struct sockaddr'.  */
    unsigned char sin_zero[sizeof (struct sockaddr) -
                           __SOCKADDR_COMMON_SIZE -
                           sizeof (in_port_t) -
                           sizeof (struct in_addr)];
  };

/* Ditto, for IPv6.  */
struct sockaddr_in6
  {
    sa_family_t sin6_family;
    in_port_t sin6_port;        /* Transport layer port # */
    uint32_t sin6_flowinfo;     /* IPv6 flow information */
    struct in6_addr sin6_addr;  /* IPv6 address */
    uint32_t sin6_scope_id;     /* IPv6 scope-id */
  };

Internet Clients (2/2)

Implementing AF-independent application:

avoid struct in_addr and struct in6_addr.

struct sockaddr_storage
  {
    sa_family_t ss_family;
    __ss_aligntype __ss_align;  /* Force desired alignment.  */
    char __ss_padding[_SS_PADSIZE];
  };

use getaddrinfo() and getnameinfo() everywhere.

int getaddrinfo(const char *node, const char *service, const struct addrinfo *hints, struct addrinfo **res);

int getnameinfo(const struct sockaddr *sa, socklen_t salen, char *host, size_t hostlen, char *serv, size_t servlen, int flags);

do not hardcode knowledge about particular AF.