IPv6 Crash Course

Astro <astro@spaceboyz.net>

Why IPv6?

IPv6 Packet Header

Addresses

IPv4

IPv6

Subnets & Subnet Masks

IPv4

  172.22.16.21
& 255.255.255.0
= 172.22.16.0
  172.22.16.70
& 255.255.255.192
= 172.22.16.64

IPv6

  2001:08d8:0081:05c8:0219:dbff:fe64:81a7
& ffff:ffff:ffff:ffff:0000:0000:0000:0000
= 2001:08d8:0081:05c8:0000:0000:0000:0000
  2001:8d8:81:5c8:219:dbff:fe64:81a7
& ffff:ffff:ffff:ff00::
= 2001:8d8:81:500::

CIDR Notation

IPv4 (Netmask bits)

a.b.c.d/0
0.0.0.0
a.b.c.d/8
255.0.0.0
a.b.c.d/16
255.255.0.0
a.b.c.d/24
255.255.255.0
a.b.c.d/25
255.255.255.128
a.b.c.d/26
255.255.255.192
a.b.c.d/27
255.255.255.224
a.b.c.d/28
255.255.255.240
a.b.c.d/29
255.255.255.248
a.b.c.d/30
255.255.255.252
a.b.c.d/31
255.255.255.254
a.b.c.d/32
255.255.255.255

IPv6 (Prefix length)

::/0
::
a:b:c:d:e:f:g:h/60
ffff:ffff:ffff:fff0::
a:b:c:d:e:f:g:h/61
ffff:ffff:ffff:fff8::
a:b:c:d:e:f:g:h/62
ffff:ffff:ffff:fffc::
a:b:c:d:e:f:g:h/63
ffff:ffff:ffff:fffe::
a:b:c:d:e:f:g:h/64
ffff:ffff:ffff:ffff::
a:b:c:d:e:f:g:h/128
ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Routing table

default via 172.22.16.4 dev eth0        default = 0.0.0.0/0
172.22.16.0/24 dev eth0
default via 172.22.16.2 dev eth0
unreachable 172.16.0.0/12
172.22.0.0/15 via 172.22.16.1
172.22.16.0/24 via 172.22.16.4
172.22.16.0/26 dev eth0
2001:8d8:81:5c8::/64 dev eth0 
fe80::/64 dev eth0  
ff00::/8 dev eth0  
default via fe80::2de:caff:fefb:ad03 dev eth0
2001:67c:21ec:bbbb::/64 via fe80::f00d:f00d dev dc99 
2001:67c:21ec:cccc::/64 via fe80::f00d:f00d dev dc99 
2001:67c:21ec:eeee::/64 via fe80::f00d:f00d dev dc99 
2001:67c:21ec::/48 via fe80::cafe:cafe dev dc24

sipcalc

IPv4

$ sipcalc 217.115.11.132/27
-[ipv4 : 217.115.11.132/27] - 0

[CIDR]
Host address		- 217.115.11.132
Host address (decimal)	- 3648195460
Host address (hex)	- D9730B84
Network address		- 217.115.11.128
Network mask		- 255.255.255.224
Network mask (bits)	- 27
Network mask (hex)	- FFFFFFE0
Broadcast address	- 217.115.11.159
Cisco wildcard		- 0.0.0.31
Addresses in network	- 32
Network range		- 217.115.11.128 - 217.115.11.159
Usable range		- 217.115.11.129 - 217.115.11.158

IPv6

$ sipcalc 2001:db8::c3d2:0:1/64
-[ipv6 : 2001:db8::c3d2:0:1/64] - 0

[IPV6 INFO]
Expanded Address	- 2001:0db8:0000:0000:0000:c3d2:0000:0001
Compressed address	- 2001:db8::c3d2:0:1
Subnet prefix (masked)	- 2001:db8:0:0:0:0:0:0/64
Address ID (masked)	- 0:0:0:0:0:c3d2:0:1/64
Prefix address		- ffff:ffff:ffff:ffff:0:0:0:0
Prefix length		- 64
Address type		- Aggregatable Global Unicast Addresses
Network range		- 2001:0db8:0000:0000:0000:0000:0000:0000 -
			  2001:0db8:0000:0000:ffff:ffff:ffff:ffff
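Added example (not from the slides): the "address & mask = network" step of the subnet slides and the fields sipcalc prints, computed for both IPv4 and IPv6 with plain integer arithmetic, so the masks in the CIDR tables can be regenerated from a prefix length. Function and field names are the example's own.

```python
import ipaddress

def prefix_mask(prefix_len, bits):
    """Mask with the top prefix_len bits set: (27, 32) -> 255.255.255.224,
    (64, 128) -> ffff:ffff:ffff:ffff::, (0, 128) -> ::"""
    if not 0 <= prefix_len <= bits:
        raise ValueError(f"prefix length {prefix_len} out of range for {bits}-bit addresses")
    all_ones = (1 << bits) - 1
    return all_ones ^ ((1 << (bits - prefix_len)) - 1)

def subnet_info(cidr):
    """The fields sipcalc prints, computed with the same AND/OR steps as the slides."""
    addr_text, _, plen_text = cidr.partition("/")
    addr = ipaddress.ip_address(addr_text)      # IPv4Address or IPv6Address
    bits = addr.max_prefixlen                   # 32 or 128
    plen = int(plen_text) if plen_text else bits
    mask = prefix_mask(plen, bits)
    wildcard = mask ^ ((1 << bits) - 1)         # host bits; sipcalc's "Cisco wildcard"
    network = int(addr) & mask                  # the "& mask = network" line of the slide
    cls = type(addr)
    return {
        "expanded": addr.exploded,
        "compressed": addr.compressed,
        "prefix_length": plen,
        "mask": cls(mask).compressed,
        "wildcard": cls(wildcard).compressed,
        "network": cls(network).compressed,
        "host_id": cls(int(addr) & wildcard).compressed,   # "Address ID (masked)"
        "first": cls(network).exploded,                    # "Network range" start
        "last": cls(network | wildcard).exploded,          # "Network range" end
        "addresses": 1 << (bits - plen),                   # "Addresses in network"
    }
```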

Scopes (1/2)

IPv4 (RFC5735)

0.0.0.0/8
"This" network
10.0.0.0/8
Private use (RFC1918)
127.0.0.1/8
Loopback
169.254.0.0/16
Link-local (Zeroconf)
172.16.0.0/12
Private use (RFC1918)
192.0.0.0/24
Reserved
192.0.2.0/24
TEST-NET-1
192.88.99.0/24
6to4 relay anycast
192.168.0.0/16
Private use (RFC1918)
198.18.0.0/15
SPECIAL-IPV4-BENCHMARK-TESTING-IANA-RESERVED
198.51.100.0/24
TEST-NET-2
203.0.113.0/24
TEST-NET-3
224.0.0.0/4
Multicast

IPv6 (RFC4291)

::1
Loopback
ff00::/8
Multicast
fe80::/8
Link-local
Everything else
Global Unicast
Current unicast prefix: 2000::/3 (2000:: - 3fff:ffff:…)
fec0::/10, 0200::/7, ::/96, 5f00::/8, 3ffe::/16
Deprecated

Scopes (2/2)

General multicast address format

  Bits    8        4       4       112
  Field   prefix   flags   scope   group ID

Multicast address flags

  Bit      Flag             0                               1
  0 (MSB)  (Reserved)       (Reserved)                      (Reserved)
  1        R (Rendezvous)   Rendezvous point not embedded   Rendezvous point embedded
  2        P (Prefix)       Without prefix information      Address based on network prefix
  3 (LSB)  T (Transient)    Well-known multicast address    Dynamically assigned multicast address

Multicast address scope

  IPv6 address            IPv4 equivalent               Scope
  ff00::/16 - ff0f::/16                                 Reserved
  ffx1::/16               127.0.0.0/8                   Interface-local
      Packets with this destination address may not be sent over any network link, but must remain within the current node; this is the multicast equivalent of the unicast loopback address.
  ffx2::/16               224.0.0.0/24                  Link-local
      Packets with this destination address may not be routed anywhere.
  ffx3::/16               239.255.0.0/16                IPv4 local scope
  ffx4::/16                                             Admin-local
      The smallest scope that must be administratively configured.
  ffx5::/16                                             Site-local
      Restricted to the local physical network.
  ffx8::/16               239.192.0.0/14                Organization-local
      Restricted to networks used by the organization administering the local network. (For example, these addresses might be used over VPNs; when packets for this group are routed over the public internet (where these addresses are not valid), they would have to be encapsulated in some other protocol.)
  ffxe::/16               224.0.1.0 - 238.255.255.255   Global scope
      Eligible to be routed over the public internet.
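Added example (not from the slides): splitting an ff00::/8 address into the flag nibble, scope nibble and group ID laid out in the tables above, plus a small scope filter of the kind a host firewall policy would apply. Function names and the SCOPES mapping are the example's own.

```python
import ipaddress

# Scope nibble values from the table above (RFC 4291 section 2.7).
SCOPES = {0x0: "reserved", 0x1: "interface-local", 0x2: "link-local",
          0x3: "IPv4 local scope", 0x4: "admin-local", 0x5: "site-local",
          0x8: "organization-local", 0xe: "global", 0xf: "reserved"}

def decode_multicast(text):
    """Split an ff00::/8 address into its 4-bit flags, 4-bit scope and 112-bit group ID."""
    addr = ipaddress.IPv6Address(text)
    if not addr.is_multicast:
        raise ValueError(f"{text} is not in ff00::/8")
    value = int(addr)
    flags = (value >> 116) & 0xF           # bits 8-11 of the address
    scope = (value >> 112) & 0xF           # bits 12-15
    group_id = value & ((1 << 112) - 1)    # everything after the first 16 bits
    return {
        "flags": {"R": bool(flags & 0x4),  # rendezvous point embedded
                  "P": bool(flags & 0x2),  # derived from a unicast network prefix
                  "T": bool(flags & 0x1)}, # transient, i.e. not a well-known address
        "scope": SCOPES.get(scope, f"unassigned ({scope:#x})"),
        "scope_value": scope,
        "group_id": group_id,
        "is_well_known": not (flags & 0x1),
        "table_row": f"ff{flags:x}{scope:x}::/16",   # which ffxN::/16 row it falls in
    }

def scope_filter(addresses, allowed_scopes):
    """Keep only multicast addresses whose scope is in allowed_scopes, e.g. a policy that
    drops anything wider than link-local on a host that only needs NDP and mDNS."""
    return [a for a in addresses if decode_multicast(a)["scope"] in allowed_scopes]
```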

Misconfigured?

% ping6 ff02::1%eth0
PING ff02::1%eth0(ff02::1) 56 data bytes
64 bytes from fe80::219:dbff:fe64:81a7: icmp_seq=1 ttl=64 time=0.022 ms
64 bytes from fe80::2de:caff:fefb:ad07: icmp_seq=1 ttl=64 time=0.852 ms (DUP!)
64 bytes from fe80::21b:21ff:fe0e:5592: icmp_seq=1 ttl=64 time=0.978 ms (DUP!)
^C
% ssh fe80::21b:21ff:fe0e:5592%eth0
blaster:~$ 

iproute2 (1/3)

$ ip
Usage: ip [ OPTIONS ] OBJECT { COMMAND | help }
       ip [ -force ] -batch filename
where  OBJECT := { link | addr | addrlabel | route | rule | neigh | ntable |
                   tunnel | tuntap | maddr | mroute | mrule | monitor | xfrm |
                   netns | l2tp }
       OPTIONS := { -V[ersion] | -s[tatistics] | -d[etails] | -r[esolve] |
                    -f[amily] { inet | inet6 | ipx | dnet | link } |
                    -l[oops] { maximum-addr-flush-attempts } |
                    -o[neline] | -t[imestamp] | -b[atch] [filename] |
                    -rc[vbuf] [size]}
$ ip a help
Usage: ip addr {add|change|replace} IFADDR dev STRING [ LIFETIME ]
                                                      [ CONFFLAG-LIST ]
       ip addr del IFADDR dev STRING
       ip addr {show|flush} [ dev STRING ] [ scope SCOPE-ID ]
                            [ to PREFIX ] [ FLAG-LIST ] [ label PATTERN ]
IFADDR := PREFIX | ADDR peer PREFIX
          [ broadcast ADDR ] [ anycast ADDR ]
          [ label STRING ] [ scope SCOPE-ID ]
SCOPE-ID := [ host | link | global | NUMBER ]
FLAG-LIST := [ FLAG-LIST ] FLAG
FLAG  := [ permanent | dynamic | secondary | primary |
           tentative | deprecated | dadfailed | temporary |
           CONFFLAG-LIST ]
CONFFLAG-LIST := [ CONFFLAG-LIST ] CONFFLAG
CONFFLAG  := [ home | nodad ]
LIFETIME := [ valid_lft LFT ] [ preferred_lft LFT ]
LFT := forever | SECONDS

iproute2 (2/3)

Configure an address:

ip addr add fe80::fefe:fa7/64 dev wlan0

Remove an address:

ip a d fe80::fefe:fa7/64 dev wlan0

iproute2 (3/3)

Show the IPv4 routing table:

ip route

Show the IPv6 routing table:

ip -6 route

Set a route:

ip r a 2000::/3 dev wlan0 via fe80::2de:caff:fefb:ad03

Delete a route:

ip r d 2000::/3

Transition Mechanisms

IPv6 over IPv4 Tunnels: RFC2529

3. Frame Format

   IPv6 packets are transmitted in IPv4 packets [RFC 791] with an IPv4
   protocol type of 41, the same as has been assigned in [RFC 1933] for
   IPv6 packets that are tunneled inside of IPv4 frames.  The IPv4
   header contains the Destination and Source IPv4 addresses.  The IPv4
   packet body contains the IPv6 header followed immediately by the
   payload.

     0                   1                   2                   3
     0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |Version|  IHL  |Type of Service|          Total Length         |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |         Identification        |Flags|      Fragment Offset    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |  Time to Live | Protocol 41   |         Header Checksum       |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                       Source Address                          |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Destination Address                        |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |                    Options                    |    Padding    |
    +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    |            IPv6 header and payload ...              /
    +-------+-------+-------+-------+-------+------+------+
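Added example (not from RFC 2529 or the slides): building and validating the protocol-41 encapsulation shown in the figure, as a monitoring tool would when deciding whether an IPv4 packet carries a tunnelled IPv6 packet. The outer header checksum is verified before the inner header is trusted. Function names and the sample addresses are the example's own.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41   # IPv4 protocol number for an encapsulated IPv6 packet (RFC 2529 / RFC 4213)

def ipv4_checksum(header):
    """RFC 791 one's-complement sum over the header; 0 means an existing checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Wrap an IPv6 header (+ payload) in an IPv4 packet with protocol 41, as in the figure."""
    inner = struct.pack("!IHBB", 6 << 28, len(payload), 59, 64)   # next header 59 = no next header
    inner += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    inner += payload
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0x1234, 0x4000, 64,
                        IPPROTO_IPV6, 0, ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer[:10] + struct.pack("!H", ipv4_checksum(outer)) + outer[12:] + inner

def parse_6in4(packet):
    """Validate the outer IPv4 header, require protocol 41, and expose the inner IPv6 addresses."""
    if len(packet) < 20:
        raise ValueError("shorter than an IPv4 header")
    vihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (vihl & 0xF) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(packet) < total_len:
        raise ValueError("not a complete IPv4 packet")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_IPV6:
        raise ValueError(f"IPv4 protocol {proto} is not 41, so this is not a 6in4 packet")
    inner = packet[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload does not start with an IPv6 header")
    return {"outer": (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))),
            "inner": (str(ipaddress.IPv6Address(inner[8:24])), str(ipaddress.IPv6Address(inner[24:40]))),
            "hop_limit": inner[7], "next_header": inner[6]}
```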

IPv6 over IPv4 Tunnels: Linux

On 1.2.3.4:

ip tunnel add sit1 mode sit remote 5.6.7.8

On 5.6.7.8:

ip tunnel add sit1 mode sit remote 1.2.3.4

Afterwards:

ip link set sit1 up
ip route add 2001:db8:c3d2:cafe::/64 dev sit1

Tunneling with SixXS

https://www.sixxs.net/ — since 1999

apt-get install aiccu

/etc/aiccu.conf

username SMA2-SIXXS
password ***
protocol tic
server tic.sixxs.net
ipv6_interface sixxs
tunnel_id T74093
daemonize true
automatic true

Tunneling with 6to4

Tunneling with Teredo

Teredo IPv6 example: 2001:0:4136:e378:8000:63bf:3fff:fdd2

  Bits         0 - 31      32 - 63              64 - 79    80 - 95       96 - 127
  Length       32 bits     32 bits              16 bits    16 bits       32 bits
  Description  Prefix      Teredo server IPv4   Flags      Obfuscated    Obfuscated client
                                                           UDP port      public IPv4
  Part         2001:0000   4136:e378            8000       63bf          3fff:fdd2
  Decoded                  65.54.227.120        cone NAT   40000         192.0.2.45
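Added example (not from the slides): decoding and re-encoding the Teredo layout in the table above, including the XOR obfuscation of the client's port and IPv4 address. Function names are the example's own; the address decoded is the one from the table.

```python
import ipaddress
import struct

TEREDO_PREFIX = 0x20010000   # 2001:0000::/32, the first 32 bits of every Teredo address

def decode_teredo(text):
    """Split a Teredo address into server, NAT flag, and the client's mapped port and IPv4."""
    packed = ipaddress.IPv6Address(text).packed
    prefix, server, flags, port_obf, client_obf = struct.unpack("!IIHHI", packed)
    if prefix != TEREDO_PREFIX:
        raise ValueError(f"{text} is not in 2001::/32")
    return {
        "server": str(ipaddress.IPv4Address(server)),
        "cone_nat": bool(flags & 0x8000),              # C flag is the top bit of the 16-bit field
        "port": port_obf ^ 0xFFFF,                     # port and client IPv4 are stored inverted
        "client": str(ipaddress.IPv4Address(client_obf ^ 0xFFFFFFFF)),
    }

def encode_teredo(server, cone_nat, port, client):
    """Inverse of decode_teredo: assemble the address from its components."""
    if not 0 <= port <= 0xFFFF:
        raise ValueError("UDP port out of range")
    packed = struct.pack("!IIHHI", TEREDO_PREFIX,
                         int(ipaddress.IPv4Address(server)),
                         0x8000 if cone_nat else 0,
                         port ^ 0xFFFF,
                         int(ipaddress.IPv4Address(client)) ^ 0xFFFFFFFF)
    return ipaddress.IPv6Address(packed)
```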

Public Teredo Servers

6rd: IPv6 Rapid Deployment (RFC5569)

On the local network

NDP instead of ARP

17:29:36.297044 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::a800:42ff:fe7a:3246 > fe80::a800:5bff:fe08:f05b: [icmp6 sum ok] ICMP6, neighbor solicitation, length 32, who has fe80::a800:5bff:fe08:f05b
          source link-address option (1), length 8 (1): aa:00:42:7a:32:46
            0x0000:  aa00 427a 3246
17:29:36.297199 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 24) fe80::a800:5bff:fe08:f05b > fe80::a800:42ff:fe7a:3246: [icmp6 sum ok] ICMP6, neighbor advertisement, length 24, tgt is fe80::a800:5bff:fe08:f05b, Flags [solicited]

Stateless autoconfiguration with radvd

/etc/radvd.conf

interface eth0
{
        AdvSendAdvert on;

        prefix 2001:8d8:81:5c8::/64
        {
                AdvOnLink on;
                AdvAutonomous on;
                AdvRouterAddr on;
                AdvPreferredLifetime 60;
                AdvValidLifetime 600;
        };

};

Receiving router advertisements

15:33:55.051275 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 56) fe80::2de:caff:fefb:ad03 > ff02::1: [icmp6 sum ok] ICMP6, router advertisement, length 56
        hop limit 64, Flags [none], pref high, router lifetime 15s, reachable time 0s, retrans time 0s
          prefix info option (3), length 32 (4): 2001:8d8:81:5c8::/64, Flags [onlink, auto, router], valid time 600s, pref. time 60s
            0x0000:  40e0 0000 0258 0000 003c 0000 0000 2001
            0x0010:  08d8 0081 05c8 0000 0000 0000 0000
          source link-address option (1), length 8 (1): 00:de:ca:fb:ad:03
            0x0000:  00de cafb ad03
$ ip -6 r
2001:8d8:81:5c8::/64 dev eth0  proto kernel  metric 256  expires 599sec
fe80::/64 dev eth0  proto kernel  metric 256 
default via fe80::2de:caff:fefb:ad03 dev eth0  proto kernel  metric 1024  expires 14sec
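Added example (not from the slides or radvd): parsing the router advertisement shown above back into the radvd.conf settings that produced it. The packet bytes are constructed here from the tcpdump hex dump (checksum zeroed); option lengths of zero are rejected, as RFC 4861 requires. Function names are the example's own.

```python
import ipaddress
import struct

# Constructed ICMPv6 router advertisement, rebuilt from the tcpdump output above
# (the checksum is zeroed: this parser does not verify it).
RA_SAMPLE = bytes.fromhex(
    "8600 0000"                     # type 134 (RA), code 0, checksum
    "40 08 000f"                    # cur hop limit 64, flags (prf=high), router lifetime 15s
    "00000000 00000000"             # reachable time 0, retrans timer 0
    "0304"                          # option 3 (prefix info), length 4*8 = 32 bytes
    "40e0 0000 0258 0000 003c 0000 0000"
    "2001 08d8 0081 05c8 0000 0000 0000 0000"
    "0101 00de cafb ad03"           # option 1 (source link-layer address), length 8
)

ROUTER_PREF = {0: "medium", 1: "high", 3: "low"}

def parse_router_advertisement(data):
    """Parse an RFC 4861 RA and its options, rejecting malformed option lengths."""
    if len(data) < 16 or data[0] != 134:
        raise ValueError("not an ICMPv6 router advertisement")
    hop_limit, flags, lifetime, _reach, _retrans = struct.unpack("!4xBBHII", data[:16])
    ra = {"hop_limit": hop_limit,
          "managed": bool(flags & 0x80),            # M: addresses via DHCPv6
          "other": bool(flags & 0x40),              # O: other config via DHCPv6
          "router_pref": ROUTER_PREF.get((flags >> 3) & 0x3, "reserved"),
          "router_lifetime": lifetime,              # 0 = not a default router
          "prefixes": [], "source_mac": None}
    offset = 16
    while offset < len(data):
        if offset + 2 > len(data) or data[offset + 1] == 0:
            raise ValueError("malformed option header (RFC 4861: discard the packet)")
        opt_type, length = data[offset], data[offset + 1] * 8
        if offset + length > len(data):
            raise ValueError("option runs past end of packet")
        body = data[offset + 2:offset + length]
        if opt_type == 3 and length == 32:         # prefix information
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                "onlink": bool(pflags & 0x80),      # radvd AdvOnLink
                "autonomous": bool(pflags & 0x40),  # radvd AdvAutonomous
                "router_addr": bool(pflags & 0x20), # radvd AdvRouterAddr
                "valid": valid, "preferred": preferred})  # AdvValidLifetime / AdvPreferredLifetime
        elif opt_type == 1 and length == 8:        # source link-layer address
            ra["source_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        offset += length
    return ra
```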

Use of MAC addresses

DNS type: “Quad-A”

www.c3d2.de.		86400	IN	A	46.4.11.4
www.c3d2.de.		86400	IN	AAAA	2a01:4f8:131:30e1::c3d2

DNS Reverse Lookups

IPv4

127.0.0.1
1.0.0.127.in-addr.arpa. IN PTR localhost.
192.0.2.23
23.2.0.192.in-addr.arpa. IN PTR example.com.

IPv6

::1
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa IN PTR localhost.
2001:db8:32e:12c:aa30:2:fff8:e7a
a.7.e.0.8.f.f.f.2.0.0.0.0.3.a.a.c.2.1.0.e.2.3.0.8.b.d.0.1.0.0.2.ip6.arpa IN PTR example.com.
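Added example (not from the slides): building the in-addr.arpa and ip6.arpa owner names shown above from an address, and recovering the address from such a name. Function names are the example's own; the standard library's reverse_pointer attribute gives the same name without the trailing dot.

```python
import ipaddress

def reverse_name(text):
    """PTR owner name for an address: octets reversed under in-addr.arpa (RFC 1035),
    or all 32 hex nibbles reversed under ip6.arpa (RFC 3596). The standard library's
    ip_address(text).reverse_pointer produces the same name without the trailing dot."""
    addr = ipaddress.ip_address(text)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."
    nibbles = addr.exploded.replace(":", "")   # expanded form keeps the leading zeros
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def address_from_reverse_name(name):
    """Inverse: rebuild the address from a PTR owner name, rejecting anything else."""
    labels = name.rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        hexdigits = "".join(reversed(labels[:32]))
        return ipaddress.IPv6Address(":".join(hexdigits[i:i + 4] for i in range(0, 32, 4)))
    raise ValueError(f"not a complete reverse-mapping name: {name}")
```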

NAT64 (RFC6052)

+-----------------------+------------+------------------------------+
| Network-Specific      |    IPv4    | IPv4-embedded IPv6 address   |
| Prefix                |   address  |                              |
+-----------------------+------------+------------------------------+
| 2001:db8::/32         | 192.0.2.33 | 2001:db8:c000:221::          |
| 2001:db8:100::/40     | 192.0.2.33 | 2001:db8:1c0:2:21::          |
| 2001:db8:122::/48     | 192.0.2.33 | 2001:db8:122:c000:2:2100::   |
| 2001:db8:122:300::/56 | 192.0.2.33 | 2001:db8:122:3c0:0:221::     |
| 2001:db8:122:344::/64 | 192.0.2.33 | 2001:db8:122:344:c0:2:2100:: |
| 2001:db8:122:344::/96 | 192.0.2.33 | 2001:db8:122:344::192.0.2.33 |
+-----------------------+------------+------------------------------+

NAT64 implementations

DNS64 implementations

DHCPv6

Secure Neighbor Discovery (SEND)

ip6tables

ip6tables -F INPUT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p icmpv6 -j ACCEPT
ip6tables -A INPUT -p udp --dport 5353 -j ACCEPT
ip6tables -P INPUT DROP

NAT is no firewall!

Programming for the future

One Server Socket To Rule Them All

Internet Clients (1/2)

struct sockaddr_in
  {
    sa_family_t sin_family;
    in_port_t sin_port;                 /* Port number.  */
    struct in_addr sin_addr;            /* Internet address.  */

    /* Pad to size of `struct sockaddr'.  */
    unsigned char sin_zero[sizeof (struct sockaddr) -
                           __SOCKADDR_COMMON_SIZE -
                           sizeof (in_port_t) -
                           sizeof (struct in_addr)];
  };
/* Ditto, for IPv6.  */
struct sockaddr_in6
  {
    sa_family_t sin6_family;
    in_port_t sin6_port;        /* Transport layer port # */
    uint32_t sin6_flowinfo;     /* IPv6 flow information */
    struct in6_addr sin6_addr;  /* IPv6 address */
    uint32_t sin6_scope_id;     /* IPv6 scope-id */
  };

Internet Clients (2/2)