Module 2: Benefits of IPv6 - Millennia Systems


Oct 24, 2013


IPv6 Tutorial

Module 2: Benefits of IPv6

Dan Campbell, President

Millennia Systems, Inc.

www.MillenniaSystems.com

Slide 2: Contents

- Addressing
- Performance
- Quality of Service
- Security
- Auto-Configuration
- Extension Headers
- Mobility

Slide 3: Address Enhancements

- IPv4 addresses are 4 bytes (32 bits)
  - Allows for 4,294,967,296 addresses
  - Removing reserved, experimental, multicast and other unusable address pools, the effective number of addresses is reduced by about 15% to 3.7M addresses
  - Subnetting substantially reduces the total number of addresses available for actual hosts
  - Large /8 and /16 allocations made before RIR oversight depleted the overall pool substantially
  - Although opinions differ on when it will occur, eventually the IPv4 address pool will be depleted for all practical purposes
- IPv6 addresses are 16 bytes (128 bits)

The most obvious change in IPv6 is the increased address size and, consequently, the number of addresses.

Slide 4: Address Enhancements

- Effectively an infinite amount of address space
  - Allows for the addressing and networking of trillions of non-traditional devices
- Most ISPs will acquire at least a /32 from the RIRs
- Most organizations will acquire a /48 prefix from their ISP
  - Provider-independent addressing for non-ISPs is still in debate but seems to be moving forward
- Recommendation is to provide every network segment with a /64 prefix
  - Even small point-to-point links
  - Provides for better route aggregation and management of routing table size
- Recommendation is to provide every unique site with a /48
  - Allows for 65K unique subnets within the site
- IANA / ICANN / RIR policies will continue to evolve

IPv6 addresses are 128 bits in length (16 bytes).

Slide 5: Address Enhancements

- Address scopes serve different purposes
  - Link local
  - Unique Local Addresses (ULA)
  - Global
  - Teredo and other tunnel addresses
- Interfaces can have more than one of each address type (scope)
- Addresses can be gracefully deprecated so that existing sessions are not terminated prematurely
  - Easier renumbering
- EUI-64 addressing allows the MAC address to be used as the IPv6 address
  - Facilitates auto-configuration
- Privacy extensions allow interfaces to choose random addresses
  - Addresses change periodically to protect source identity
- Multiple global addresses acquired from multiple ISPs can be used simultaneously
  - Source address selection allows the host to choose its global address based on which upstream ISP the traffic will be routed through
  - Standards still in development

A single interface may have more than one address.

Slide 6: Address Enhancements (Address Portability)

- IPv4 portability was limited to Local Internet Registries or Service Providers
  - Acquisition requires justification and commitments
  - Enterprises usually do not acquire portable addresses but can with justification
- Until recently, only service providers could acquire IPv6 addresses
  - Enterprises were instructed to acquire an assignment from their upstream ISP
  - Provider Independent (PI) or "portable" addresses were restricted to Service Providers
  - Creates issues if an entity wants to multi-home
  - Seems contrary to the main IPv6 driver, which is solving the address depletion issue
  - May create anti-competitive situations where Enterprises are reluctant to change providers because of the renumbering headache
- New RIR policies allow Enterprises to acquire portable address blocks
  - ARIN, APNIC and AfriNIC have PI policies
  - RIPE and LACNIC policies are under consideration
- Impact
  - Multi-homing becomes possible
  - Enterprises are not tied to their upstream provider and can change without renumbering
  - How will routing table growth be handled?
  - How will source address selection work to ensure the best routing path is chosen?

Slide 7: Performance Enhancements

- Protocol Optimized
  - IPv4 header size could vary in length
  - IPv6 header is consistently 40 bytes
  - Fixed header size reduces router processing
- Unnecessary Fields Removed
  - Header is limited to only what is necessary
  - Optional extension headers allow for additional features
- Checksum Removed
  - Error checking and correction exists in other protocol layers
  - Unnecessary to perform at the IP layer
  - Eliminating the checksum reduces router processing and speeds up forwarding

[Figure: IPv6 fixed header fields: Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address]

Slide 8: Performance Enhancements

- Fragmentation Eliminated
  - Routers are not involved in fragmentation and reassembly
  - Hosts participating in the end-to-end transaction must fragment packets
  - Routers will alert end host systems when fragmentation is needed
  - Path MTU Discovery (ICMP-based) is critical and must be allowed by firewalls
- Broadcast Eliminated
  - Reduces traffic on LAN segments
  - Reduces the possibility of some traffic-intensive DoS attacks
  - Replaced by multicast communication and ICMPv6 messages
- Route aggregation
  - Predominantly /32 or /48 aggregate assignments are made by RIRs
  - Routing table fragmentation will be kept to a minimum
  - IANA/RIR subnetting recommendations will keep routing tables in check

Slide 9: QoS Enhancements

- Traffic Class
  - 8-bit field
  - Same as DiffServ in IPv4
  - Backward compatible with existing DiffServ-based QoS implementations
- New "Flow Label"
  - New 20-bit field
  - Allows for mapping of flows directly to the layer 3 header
  - Used for flow prioritization, expedited forwarding and other special treatment
  - Reduces router processing by restricting flow-based QoS processing to layer 3
  - Allows mapping of flows to the IP layer prior to encryption of upper layers
  - Still no good RFC or white paper describing its usage
  - Great potential

Slide 10: Auto-configuration Enhancements

- Allows hosts to be deployed into operation with little to no manual intervention
- Auto-configuration communication is handled by ICMPv6 through multicast messages
- Neighbor / Router Discovery allows hosts and routers to interact for configuration and forwarding purposes
- EUI-64 addressing allows the host MAC address to automatically become the host IPv6 address
- Privacy extensions allow hosts to configure themselves with a random address that changes periodically
- Duplicate Address Detection (DAD) protects against duplicates
- Prefix Delegation allows for easy network or segment renumbering from a central source
- Interfaces can have multiple addresses, with obsolete addresses gracefully deprecated
  - Critical feature made use of by other features such as Mobile IPv6
- DHCPv6 (stateful) is available if desired

Stateless Auto-configuration is one of IPv6's best features.
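The EUI-64 and privacy-extension addresses described on slides 5 and 10, as an added example that is not part of the deck: Python that derives the SLAAC address a host forms from a /64 prefix and its MAC, generates a privacy-style temporary address, and recovers the MAC from an EUI-64 address so an operator can find hosts that still expose their hardware address. The prefix and MAC are constructed sample values, and the temporary address uses a plain random identifier rather than the full RFC 4941 generation procedure.

```python
import ipaddress
import secrets

def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 App. A): split the MAC, insert ff:fe, invert the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # the universal/local bit is inverted in the interface identifier
    return bytes(iid)

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address SLAAC forms from a router-advertised /64 prefix and the MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers need a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))

def privacy_address(prefix: str) -> ipaddress.IPv6Address:
    """A temporary address in the style of the privacy extensions: a random 64-bit
    interface identifier with the U/L bit cleared, marking it as locally assigned
    (simplified stand-in for the RFC 4941 procedure, not the RFC algorithm itself)."""
    net = ipaddress.IPv6Network(prefix)
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD  # clear bit 0x02 so the identifier does not claim global uniqueness
    return ipaddress.IPv6Address(net.network_address.packed[:8] + bytes(iid))

def embedded_mac(addr: str):
    """Recover the MAC from an EUI-64 derived address, or None if the IID is not EUI-64.
    Running this over address logs shows which hosts leak their hardware address."""
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02  # undo the U/L inversion to get the original first octet back
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])

if __name__ == "__main__":
    mac, prefix = "00:1a:2b:3c:4d:5e", "2001:db8:1::/64"  # constructed sample values
    stable = slaac_address(prefix, mac)
    temp = privacy_address(prefix)
    print(f"EUI-64 address  {stable}  -> MAC {embedded_mac(str(stable))}")
    print(f"privacy address {temp}  -> MAC {embedded_mac(str(temp))}")
```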

Slide 11: Extension Headers

- Headers are optional and not part of the standard 40-byte header
  - Hop-by-Hop
  - Destination Options
  - Routing
  - Fragmentation
  - Authentication Header
  - Encapsulating Security Payload
  - Mobility
- Multiple headers can be nested if the packet or application requires
- Additional features can be developed as new extension headers

Extension headers provide additional features.

Slide 12: Security Enhancements (IPSec Mandate)

- IPSec in IPv4 is a separate add-on, often a separate feature set
  - OS must be purchased with IPSec and added to devices
  - Requires OS upgrade, which is disruptive and might discourage use
- Implementations that do not support IPSec may be considered non-compliant
  - Does not mandate the use of IPSec, just the inclusion in the protocol stack
  - IPSec is turned off by default and must be enabled by the user
- Will encourage more secure peer-to-peer communications
  - Host-to-host VPNs
- IPSec is a pair of IPv6 Extension Headers (AH and ESP)
  - AH is optional if ESP is used

Perhaps the best security enhancement is the mandate that vendor IPv6 implementations support IPSec.

Slide 13: Security Enhancements (AH / ESP Extension Headers)

- IPSec in IPv6 is implemented as two separate extension headers
- Authentication Header
  - Next Header Value = 51
  - Validates the packet's authenticity
  - Same as AH in IPv4 IPSec
  - Optional header (may not be required in some ESP implementations)
- Encapsulating Security Payload
  - Next Header Value = 50
  - Provides packet confidentiality and integrity through encryption
  - Same as ESP in IPv4 IPSec
  - Can be used without AH
- Overall, IPSec in IPv6 is fundamentally no different than in IPv4
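The fixed 40-byte header from slide 7 and the extension header chain from slides 11 and 13 (AH = 51, ESP = 50), as an added example that is not part of the deck: a Python parser that decodes the fixed header and follows Next Header through Hop-by-Hop, Routing, Fragment, Destination Options and AH until it reaches the upper-layer protocol, which is the walk a firewall or IDS must complete before it can apply a port-based rule. The packet bytes are constructed, and the numbers for the other extension headers (0, 43, 44, 60) and upper-layer protocols come from RFC 2460 and IANA, not from the slide.

```python
import ipaddress
import struct

# Next Header values: AH = 51 and ESP = 50 from the slide; the rest are RFC 2460 / IANA.
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
NAMES = {HOP_BY_HOP: "Hop-by-Hop", ROUTING: "Routing", FRAGMENT: "Fragment",
         ESP: "ESP", AH: "AH", DEST_OPTS: "Destination Options",
         6: "TCP", 17: "UDP", 58: "ICMPv6"}

def parse_ipv6(pkt: bytes) -> dict:
    """Decode the fixed 40-byte header, then follow Next Header down the chain."""
    if len(pkt) < 40:
        raise ValueError("truncated: the fixed IPv6 header is 40 bytes")
    vtf, plen, nh, hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    if len(pkt) < 40 + plen:
        raise ValueError("packet shorter than its Payload Length")
    hdr = {"traffic_class": (vtf >> 20) & 0xFF, "flow_label": vtf & 0xFFFFF,
           "payload_length": plen, "hop_limit": hlim,
           "src": ipaddress.IPv6Address(pkt[8:24]),
           "dst": ipaddress.IPv6Address(pkt[24:40]), "chain": []}
    off = 40
    # ESP is deliberately not walked: everything after its SPI/sequence is ciphertext.
    while nh in (HOP_BY_HOP, ROUTING, FRAGMENT, AH, DEST_OPTS):
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        hdr["chain"].append(NAMES[nh])
        if nh == FRAGMENT:
            size = 8                        # fixed size, no length field
        elif nh == AH:
            size = (pkt[off + 1] + 2) * 4   # Payload Len is in 32-bit words minus 2
        else:
            size = (pkt[off + 1] + 1) * 8   # Hdr Ext Len is in 8-octet units minus 1
        if off + size > len(pkt):
            raise ValueError("extension header runs past the end of the packet")
        nh, off = pkt[off], off + size
    hdr["upper_layer"], hdr["payload_offset"] = NAMES.get(nh, str(nh)), off
    return hdr

def build_sample() -> bytes:
    """Constructed packet: IPv6 | Hop-by-Hop | Fragment | AH | 20 zero bytes standing in for TCP."""
    hbh = bytes([FRAGMENT, 0, 1, 4, 0, 0, 0, 0])           # Hdr Ext Len 0 => 8 bytes, PadN option
    frag = bytes([AH, 0]) + struct.pack("!HI", 0, 0x1234)  # offset 0, M = 0, identification
    ah = bytes([6, 4, 0, 0]) + struct.pack("!II", 0x100, 1) + b"\x00" * 12  # Payload Len 4 => 24 bytes
    payload = hbh + frag + ah + b"\x00" * 20
    vtf = (6 << 28) | (0xB8 << 20) | 0xABCDE               # version 6, Traffic Class EF, flow label
    fixed = struct.pack("!IHBB", vtf, len(payload), HOP_BY_HOP, 64)
    src, dst = ipaddress.IPv6Address("2001:db8::1"), ipaddress.IPv6Address("2001:db8::2")
    return fixed + src.packed + dst.packed + payload
```

ESP ends the walk because the header that follows it is inside the ciphertext, so a policy that matches on upper-layer ports cannot be enforced on ESP traffic except at the tunnel endpoint.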

[Figure: IPv6 fixed header (Version, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address) followed by the Authentication Header and the Encapsulating Security Payload Header]

Slide 14: Mobility Enhancements

- Mobile IPv4 (MIPv4) was an add-on to IPv4
  - Requires upgrades to routers and other systems participating in the mobile infrastructure
- Mobile IPv6 (MIPv6) was developed with tight integration to IPv6
  - Mobility extension header
  - Development is ongoing in the various working groups
- Improvements:
  - Alleviates the need for deployment of foreign agents
  - Takes advantage of IPv6 auto-configuration, neighbor discovery and router advertisements for address changes
  - Better movement detection and faster handoff
  - Alleviates the issue with triangular routing through route optimization (RFC 3775)
  - Control messages can be piggybacked on normal IP packets rather than being separate packets
  - Reduces the chance of ingress filtering blocking traffic
  - Dynamic Home Agent Address Discovery (DHAAD)
  - Security and mobile node identity assurance
- Indirectly, the vast address space will help mobility, as it is likely NAT will be eliminated and all hosts will have an address
- Allows for network mobility, in addition to traditional host mobility
- May become the most important facet of IPv6 and ultimately its biggest driver