Friday, December 2, 2011

About IPv6 TCP/IP and Windows Server 2008

Overview
Web Running Out of Addresses

In the mid-1990s we started to run into an ever-shrinking pool of IPv4 addresses. According to the Wall Street Journal, the week of February 1, 2011, was when the last batch of Internet addresses was doled out.

Because of the growing proliferation of network devices and the expanding Internet, Internet Protocol version 6 (IPv6) is built into Windows Server 2008. IPv6 is a new suite of protocols developed to meet the growing needs of Internet clients, since IPv4's scalability will no longer meet the challenges ahead.


IPv6 is very different from IPv4: it uses 128-bit addresses written in hexadecimal, as opposed to 32-bit addresses. IPv6 does not use subnet masks; it uses IPv6 prefixes.

Those of us who struggled to learn how to subnet in IPv4, and finally got it, now have an entirely new challenge. We have to learn about link-local addresses and how to configure and test IPv6 addresses. We also have to learn how IPv6 works alongside IPv4, the IPv6 tunneling technologies, how to transition from IPv4 to IPv6, and how to troubleshoot IPv6.

Benefits of IPv6


  • Large address space (128 bits in IPv6 vs. 32 bits in IPv4)
  • Hierarchical addressing and efficient routing
  • Stateless and stateful address configuration (stateless autoconfiguration lets a host configure itself automatically when connected to a routed IPv6 network)
  • Built-in security (network-layer encryption and authentication via IPsec)
  • Prioritized delivery (a field in the packet lets the network service know the packet should be processed at a specific rate)
  • Neighbor detection (better detection of other devices and hosts in its network)
  • Extensibility (can be extended further than IPv4)


Main Differences between IPv4 and IPv6




Source and destination addresses
  IPv4: 32 bits (4 bytes)
  IPv6: 128 bits (16 bytes)

IPsec
  IPv4: Optional.
  IPv6: Required.

Quality of Service (QoS) handling
  IPv4: No identification of packet flow for QoS by routers is present in the IPv4 header.
  IPv6: Packet-flow identification for QoS handling by routers is included in the IPv6 header, in the Flow Label field.

Fragmentation
  IPv4: Done by both routers and the sending host.
  IPv6: Done only by the sending host.

Checksum
  IPv4: Included in the header.
  IPv6: Not included in the header.

Options
  IPv4: The header includes options.
  IPv6: Optional data is moved to IPv6 extension headers.

Address Resolution Protocol (ARP)
  IPv4: Broadcast ARP Request frames resolve an IPv4 address to a link-layer address.
  IPv6: ARP Request frames are replaced with multicast Neighbor Solicitation messages.

Internet Group Management Protocol (IGMP)
  IPv4: IGMP is a communications protocol, like ICMP, used by hosts and routers on an IPv4 network to establish multicast memberships (it manages local subnet group membership).
  IPv6: IGMP is replaced with Multicast Listener Discovery (MLD) messages.

Resource records
  IPv4: Uses A records in DNS to map host names.
  IPv6: Uses AAAA records in DNS to map host names.

Configuration
  IPv4: Manually or through DHCP.
  IPv6: Does not require manual configuration or DHCP.

Broadcast addresses
  IPv4: Traffic is sent to all nodes on a subnet.
  IPv6: An all-nodes multicast address (link-local scope) is used instead of an IPv6 broadcast address.

Internet Control Message Protocol (ICMP) Router Discovery
  IPv4: ICMP Router Discovery (optional) uses router advertisement and router solicitation messages to determine the IPv4 address of the default gateway/router.
  IPv6: Replaced with ICMPv6 Router Solicitation and Router Advertisement messages (required).



IPv6 Implementations Using Microsoft Technologies


IPv6 can be used in Microsoft implementations without affecting IPv4 communications.

Windows XP SP1 and SP2 and Windows Server 2003 have the IPv6 protocol.

Windows CE .NET version 4.1 has the IPv6 protocol.

Windows Vista and Windows Server 2008 have the Next Generation TCP/IP stack, a dual-layer design in which a single TCP and a single UDP implementation serve both the IPv4 and IPv6 protocols.

IPv6 Address Space



  • Place your Windows calculator into scientific mode to do binary to hex conversion and binary to decimal conversion.
  • IPv6 compresses zeros in the address because the binary representation contains an enormous number of zeros.
  • A contiguous sequence of 16-bit blocks set to 0 can be compressed using the double colon “::”.

Example:

  • 128-bit binary address:

00100000000000010000110110111000000000000000000000101111001110110000001010101010000000001111111111111110001010001001110001011010



  • 128-bit binary address divided into 16-bit boundaries:

0010000000000001 0000110110111000
0000000000000000 0010111100111011
0000001010101010 0000000011111111
1111111000101000 1001110001011010

  • 16-bit blocks converted to HEX (base 16):

2001:0DB8:0000:2F3B:02AA:00FF:FE28:9C5A

  • Remove leading zeros:

2001:DB8:0:2F3B:2AA:FF:FE28:9C5A


  • A single contiguous run of all-zero 16-bit blocks can be replaced by a double colon, "::" (the double colon may appear only once in an address).
  • To determine how many zero bits the double colon represents, count the blocks that are present in the compressed address, subtract that count from 8, then multiply by 16.
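
The steps above as an added Python example (not code from the original post): it converts the 128-bit binary address to hex blocks, strips leading zeros, compresses a zero run to "::", and applies the 8-minus-blocks-times-16 rule to recover the zero bits. It follows RFC 5952, so a lone zero block stays written as 0 and only the first, longest run of two or more zero blocks is compressed; everything is standard library and the function names are mine.

```python
"""Text-form helpers for the IPv6 compression walk-through above.

Added example, not code from the original post; standard library only."""
import ipaddress

# Constructed input: the 128-bit binary address the post walks through.
BINARY = ("0010000000000001" "0000110110111000" "0000000000000000"
          "0010111100111011" "0000001010101010" "0000000011111111"
          "1111111000101000" "1001110001011010")


def binary_to_blocks(bits):
    """Split 128 bits at 16-bit boundaries; render each block as 4 hex digits."""
    if len(bits) != 128 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 128 binary digits")
    return [f"{int(bits[k:k + 16], 2):04X}" for k in range(0, 128, 16)]


def strip_leading_zeros(blocks):
    """Drop leading zeros in each block; an all-zero block becomes a single 0."""
    return [b.lstrip("0") or "0" for b in blocks]


def compress(blocks):
    """Replace the first, longest run of two or more zero blocks with '::'
    (RFC 5952 style); a lone zero block stays written as 0."""
    short = strip_leading_zeros(blocks)
    best_start, best_len, k = -1, 0, 0
    while k < len(short):
        if short[k] != "0":
            k += 1
            continue
        end = k
        while end < len(short) and short[end] == "0":
            end += 1
        if end - k > best_len:
            best_start, best_len = k, end - k
        k = end
    if best_len < 2:
        return ":".join(short)
    return ":".join(short[:best_start]) + "::" + ":".join(short[best_start + best_len:])


def zero_bits_in_double_colon(text):
    """The page's rule: count the blocks present, subtract from 8, multiply by 16."""
    if "::" not in text:
        return 0
    present = [b for b in text.split(":") if b]
    return (8 - len(present)) * 16


def expand(text):
    """Undo compression: return the eight 4-digit hex blocks of an address."""
    if "::" in text:
        left, right = text.split("::", 1)
        lb = [b for b in left.split(":") if b]
        rb = [b for b in right.split(":") if b]
        blocks = lb + ["0"] * (8 - len(lb) - len(rb)) + rb
    else:
        blocks = text.split(":")
    if len(blocks) != 8:
        raise ValueError("malformed IPv6 address: " + text)
    return [f"{int(b, 16):04X}" for b in blocks]


def canonical(text):
    """Cross-check with the standard library: fully expanded, upper-cased."""
    return ipaddress.IPv6Address(text).exploded.upper()
```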


See also: IPv6 Addressing (TechRef)

IPv6 Prefixes


The high-order bits of an IPv6 address are fixed and are known as the prefix; they serve as subnet prefixes. Subnet masks are not used in IPv6.

The global unicast and link-local unicast addresses are 15% of the total IPv6 address space, leaving 85% for host address assignments.

See also: How to Configure Static Routes

Unicast IPv6 Address Types


These include:

  • Global unicast addresses (in IPv4 this was the public Internet address)
  • Link-local addresses (equivalent to IPv4 APIPA)
  • Site-local addresses (used to communicate between nodes in the same site; the equivalent of the network ID in IPv4)
  • Unique local IPv6 unicast addresses (private addressing for Intranet traffic)
  • Special addresses

Global Unique Unicast Address


  • Prefix managed by IANA: 001 (3 bits)
  • Prefix assigned to a top-level ISP: Global Routing Prefix (45 bits)
  • For organizations: Subnet ID (16 bits)
  • Client interface ID: Interface ID (64 bits)


Link-Local Address


  • Prefix: 1111 1110 10 (10 bits, written FE80)
  • Remaining prefix bits: 000…000 (54 bits)
  • Interface ID (64 bits)



Site-Local Address


  • Prefix: 1111 1110 11 (10 bits, written FEC0)
  • Subnet ID (54 bits)
  • Interface ID (64 bits)



IPv6 Addresses Assigned to Hosts and Routers


Hosts and routers are usually assigned:

  • Unicast addresses
  • Multicast addresses (to listen for multicast traffic)

IPv6 routers must have these addresses:

  • Multicast addresses
  • Anycast addresses

Zone IDs


With link-local addresses, a single machine may have multiple network adapters, each attached to a different network.

The zone ID identifies which network a link-local address (and the network card using it) belongs to.

Within site-local addresses, the zone ID is the site ID.

You can see the zone ID by using the netsh command.



IPv6 Address Autoconfiguration


Types of autoconfiguration:

  • Stateless: Address configuration based on the receipt of Router Advertisement messages with the Managed Address Configuration and Other Stateful Configuration flags set to 0 and one or more Prefix Information options.
  • Stateful: Configuration based on the use of a stateful address configuration protocol such as DHCPv6 to obtain addresses and other configuration options.
  • Both: Configuration based on the receipt of Router Advertisement messages with Prefix Information options and the Managed Address Configuration or Other Stateful Configuration flags set to 1.

See also: The difference between stateless and stateful mode of a Windows Server 2008 R2 DHCP server for IPv6 (DHCPv6)

DHCP Protocols

Address configuration steps:

  1. The client derives its link-local address.
  2. The client checks for address conflicts using Neighbor Solicitation (see Neighbor Discovery for IP Version 6 (IPv6)).
  3. The client checks for a router on the network that is using IPv6.
  4. The router is checked for any prefixes.
  5. Prefixes are then added to the IPv6 client.
  6. If the Managed Address Configuration flag is set, the client goes to DHCPv6 and picks up a stateful address.

See also: Introduction to IPv6

To view IPv6 information from the client

  • Start | Control Panel | Network and Sharing Center
  • Select: Manage Network Connections
  • Right-click Local Area Connection | Properties
  • Click Internet Protocol Version 6 (TCP/IPv6)
  • Select: Properties
  • Select: Obtain an IPv6 address automatically
  • Select: Use the following DNS server addresses:
  • Entering ::1 in the text box indicates the local host, meaning the server uses itself for DNS (it is the domain controller and is running DNS)
  • Select the Advanced… button
  • On the IP Settings tab you can add additional gateways, or you can go to the DNS tab and add additional DNS servers (IPv4 addresses can be added, if desired)
  • Go to the command prompt
  • Type: ipconfig /all to view the IPv6 information

IPv4 Coexistence with IPv6

DHCP is used to distribute IP addresses on an IPv4 network, and DHCP is fully compatible with IPv6: with IPv6, addresses can be allocated in a stateful manner using DHCP.
In Windows Server 2008, DNS supports AAAA records for IPv6 hosts.

Node Types

IPv6 Only Node (IPv6 Network)
IPv4 Only Node (IPv4 Network)
IPv4/IPv6 Node (IPv4 Network)

What is Dual Layer Architecture?

A dual layer can create IPv4 packets, IPv6 packets, or IPv6 over IPv4 packets.
Separate IPv6 and IPv4 Internet layers share a single TCP/UDP transport layer.

This link has a good representation of the difference between dual layer and dual stack architecture:
http://technet.microsoft.com/en-us/library/bb727021.aspx

What is a Dual Stack Architecture?

A dual stack can create IPv4 packets, IPv6 packets, or IPv4 over IPv6 packets.
A separate IPv6 Internet layer goes with its own separate TCP/UDP transport layer, and the same is true for the IPv4 layer.

DNS Support of IPv6

DNS host records for IPv6 are AAAA records.
DNS returns the appropriate IPv4 or IPv6 address, but IPv6 is preferred.
Reverse lookup zone pointer (PTR) records are in the IP6.ARPA zone.

See also: Nameservers for IPv4 and IPv6 Reverse Zones

Configure DNS to support IPv6

SVR1 is the domain controller.

  • Start | Administrative Tools | DNS
  • Expand Forward Lookup Zones
  • Highlight the domain name
  • Right-click and select New Host (A or AAAA)…
  • In the Name box, type SVR1
  • Type the IPv6 address in the IP address: text box
  • Check Create associated pointer (PTR) record
  • Click Add Host. Click OK. Click Done.

Verify:
  • Go to the command prompt.
  • Type: ping -6 SVR1 (forces the query to use IPv6 addressing)
  • Press Return
  • Type: ipconfig /displaydns

IPv6 Over IPv4 Tunneling

IPv6 over IPv4 tunneling is a transitional technique that allows IPv6 nodes to communicate across an IPv4 network. An IPv4 header is added to the IPv6 packet so that IPv6 packets can be sent over an IPv4 infrastructure.

Since IPv6 is in a transition phase, a DNS query could return a set of addresses that contain both IPv4 and IPv6 addresses.

The Protocol field in the IPv4 header is set to 41, indicating an encapsulated IPv6 packet. The Source and Destination fields are set to the IPv4 addresses of the tunnel endpoints.

The tunnel endpoints are either configured manually as part of the tunnel interface, or determined automatically from the next-hop address of the matching route for the destination and the tunneling interface.

Note: IPv6 over IPv4 tunneling does not provide security for the IPv6 packets.

IPv6 Tunneling Technologies

ISATAP

ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) is a transitional technology to assist in moving from IPv4 to IPv6. Packets are tunneled over the IPv4 routing infrastructure, which gives IPv6 clients the ability to communicate using 6to4 addresses or ISATAP addresses to tunnel IPv6 packets across IPv4 networks.
ISATAP is an address assignment and host-to-router, router-to-host, or host-to-host automatic tunneling technology.
  • Local intranets
  • Auto-configuration on the host (manual configuration is not required because of the ISATAP router)
  • Primary method that allows IPv6 nodes to communicate over an IPv4 subnet
  • Enabled by default

To find (resolve) the ISATAP router:
  • An entry in the hosts file on the client computer that points to the IPv4 address of the ISATAP router.
  • A WINS server could also be used to discover the ISATAP router; however, WINS is being phased out.
  • An 'A' record named 'ISATAP' on the DNS server can be used to find the ISATAP router.
  • The netsh command can be used with this command: Netsh Interface IPv6 ISATAP set router.

6to4

6to4 is an address assignment and router-to-router, host-to-router, or router-to-host automatic tunneling technology.

6to4 provides unicast connectivity between IPv6 sites across the IPv4 Internet.

The local IPv6 routers advertise subnet prefixes of the form 2002:WWXX:YYZZ:Subnet_ID::/64 (WWXX:YYZZ is the site's public IPv4 address w.x.y.z written in hexadecimal), so hosts auto-configure 6to4 addresses.

Normally used when there is IPv4 Internet between IPv6 networks and the IPv4 network must be transited.
  • IPv6 to IPv6 networks over an IPv4 Internet
  • Auto-configuration on the host
  • Enabled by default
  • In a site, local IPv6 routers advertise 2002:WWXX:YYZZ:Subnet_ID::/64 subnet prefixes, so the hosts auto-configure 6to4 addresses.
  • IPv6 routers within the site deliver traffic between the 6to4 hosts.
  • Hosts in individual subnets are configured automatically with a 64-bit subnet route to enable direct delivery, and with a default route whose next-hop address is the advertising router.
  • IPv6 traffic not matching any subnet prefix is forwarded to a 6to4 router on the site border.
  • The 6to4 router on the site border has a 2002::/16 route that forwards traffic to other 6to4 sites and a default route, ::/0, that forwards traffic to a 6to4 relay.
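
The IPv6 over IPv4 tunneling section and the 6to4 prefixes above, as an added Python example (not code from the original post or from Microsoft): it builds a constructed IPv6-in-IPv4 packet with Protocol 41, parses it back, derives the 2002:WWXX:YYZZ::/48 prefix from an IPv4 address, and checks that a 6to4 source address really embeds the outer tunnel endpoint, the consistency check a filter in front of an unsecured tunnel should make. The IPv4 and IPv6 addresses are documentation ranges chosen here, and the helper names are mine.

```python
"""Recognising IPv6-over-IPv4 (Protocol 41) packets and checking 6to4 sources.

Added example, not code from the original post; standard library only."""
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41   # the Protocol field value the page describes


def ipv4_header(src, dst, payload_len, proto=PROTO_IPV6_IN_IPV4):
    """Minimal 20-byte IPv4 header; checksum left 0 since this never hits a wire."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def ipv6_packet(src, dst, payload, next_header=59):
    """40-byte IPv6 header plus payload; 59 = No Next Header (payload is opaque)."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def six_to_four_prefix(ipv4):
    """2002:WWXX:YYZZ::/48 for a public IPv4 address w.x.y.z (the page's notation)."""
    w, x, y, z = ipaddress.IPv4Address(ipv4).packed
    return f"2002:{w:02X}{x:02X}:{y:02X}{z:02X}::/48"


def embedded_ipv4(addr):
    """IPv4 address carried in bits 16..47 of a 6to4 address, or None if not 2002::/16."""
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network("2002::/16"):
        return None
    return str(ipaddress.IPv4Address(a.packed[2:6]))


def inspect_tunnel_packet(pkt):
    """Parse the outer IPv4 header; if Protocol is 41, decode the inner IPv6
    addresses and compare a 6to4 source with the outer source endpoint."""
    ihl = (pkt[0] & 0x0F) * 4
    result = {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "protocol": pkt[9],
    }
    result["tunneled"] = result["protocol"] == PROTO_IPV6_IN_IPV4
    if not result["tunneled"]:
        return result
    inner = pkt[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        result["error"] = "Protocol 41 but the payload is not an IPv6 header"
        return result
    result["inner_src"] = str(ipaddress.IPv6Address(inner[8:24]))
    result["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
    emb = embedded_ipv4(result["inner_src"])
    # A 6to4 source must embed the IPv4 address of the endpoint that encapsulated
    # it; a mismatch is the kind of tunnel packet an ingress filter should drop.
    result["six_to_four_consistent"] = None if emb is None else emb == result["outer_src"]
    return result


# Constructed sample: a 6to4 site with public IPv4 address 192.0.2.1 sends a
# packet for 2001:DB8::1 through its tunnel to the endpoint at 198.51.100.7.
SAMPLE = ipv4_header("192.0.2.1", "198.51.100.7", 44) + ipv6_packet(
    "2002:C000:201:1::1", "2001:DB8::1", b"\x00" * 4)
```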

Teredo

  • IPv6 to IPv6 through IPv4 NAT
  • Disabled by default

PortProxy

  • Facilitates communication between nodes or apps that are unable to connect using IPv4 or IPv6


Tunneling Configurations

Router-to-router
Host-to-router or Router-to-host
Host-to-host

See also: Transition Mechanisms for IPv6 Hosts and Routers

Types of Tunnels

  1. Automatic: the tunnel endpoints are determined automatically by logical tunnel interfaces, routes, and IPv6 destination addresses
  2. Configured: manual configuration of the tunnel endpoints

Teredo Tunneling

Teredo allows you to tunnel across an IPv4 network when the client is sitting behind an IPv4 NAT. Many routers use NAT to define a private address space for corporate networks, and Teredo was created for this case.
Teredo should only be used when ISATAP or 6to4 tunneling is not available.
A Windows-based Teredo client configures itself as follows:
  • Resolves the name teredo.ipv6.microsoft.com to find Teredo servers
  • Sends multiple Teredo-encapsulated router solicitations to multiple Teredo servers
Based on the responses, the Teredo client determines:
  • The Teredo server's IPv4 address
  • The type of NAT
  • The externally mapped address and port of its Teredo traffic
Initial Communication between Two Teredo Clients in Different Sites
If you are operating behind a Teredo restricted NAT, there are some extra steps:
  1. A bubble packet is sent from Teredo client A to Teredo client B. A bubble packet contains no data; its purpose is to create NAT mappings.
  2. Client B is behind a restricted NAT, so Teredo traffic from an arbitrary IPv4 address and UDP port number is not allowed in. The traffic is only allowed if there is a source-specific NAT translation table entry.
  3. Because there is no such NAT translation table entry, the bubble is silently discarded by the restricted NAT.
  4. When client A sent the original bubble packet, its NAT created a source-specific NAT translation table entry that allows future packets sent from Teredo client B to be forwarded to Teredo client A.
  5. Teredo client A now sends a bubble packet to Teredo client B through Teredo Server 2 (Teredo Server 2 is Teredo client B's server).
  6. Teredo Server 2 forwards the packet to Teredo client B.
  7. When Teredo client B receives the bubble packet from Teredo client A, it sends its own bubble packet to Teredo client A.
  8. Teredo client A determines that source-specific NAT mappings now exist on both NATs, and subsequent packets are sent directly between Teredo clients A and B.
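
The eight steps above as an added Python simulation (not code from the original post or from the Teredo implementation): a toy restricted NAT forwards inbound traffic only when the inside host has already sent to that exact outside peer, and the event log shows why the first direct bubble is dropped while the later ones get through. Client names, addresses and ports are constructed.

```python
"""Simulation of the Teredo bubble exchange through two restricted NATs.

Added example, not code from the original post; everything here is constructed."""


class RestrictedNat:
    """Restricted NAT: inbound UDP is forwarded only if a source-specific
    translation entry exists, i.e. the inside host previously sent to that
    exact outside (address, port)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.mappings = set()          # (inside_host, (outside_ip, outside_port))

    def outbound(self, inside_host, peer):
        self.mappings.add((inside_host, peer))   # created by the first outbound packet

    def inbound(self, inside_host, peer):
        return (inside_host, peer) in self.mappings


class TeredoClient:
    def __init__(self, name, nat, mapped_port):
        self.name, self.nat = name, nat
        self.external = (nat.public_ip, mapped_port)   # externally mapped address/port


def send_bubble(sender, receiver, log, via_server=None):
    """Deliver an empty bubble packet; return True if it reaches the receiver."""
    if via_server is not None:
        sender.nat.outbound(sender.name, via_server)    # sender -> the peer's Teredo server
        source = via_server                               # the server forwards it on
    else:
        sender.nat.outbound(sender.name, receiver.external)
        source = sender.external
    delivered = receiver.nat.inbound(receiver.name, source)
    log.append((sender.name, receiver.name, "via server" if via_server else "direct",
                "delivered" if delivered else "dropped by restricted NAT"))
    return delivered


def simulate_bubble_exchange():
    """Steps 1 to 8 from the post; returns the event log."""
    server2 = ("192.0.2.2", 3544)                # Teredo client B's server (constructed)
    a = TeredoClient("A", RestrictedNat("203.0.113.10"), 40001)
    b = TeredoClient("B", RestrictedNat("198.51.100.20"), 40002)
    b.nat.outbound("B", server2)                 # B already registered with its server
    log = []
    send_bubble(a, b, log)                       # steps 1-4: dropped, but A's NAT now maps B
    send_bubble(a, b, log, via_server=server2)   # steps 5-6: relayed through Teredo Server 2
    send_bubble(b, a, log)                       # step 7: passes A's NAT, opens B's NAT
    send_bubble(a, b, log)                       # step 8: direct traffic now flows both ways
    return log


if __name__ == "__main__":
    for sender, receiver, path, outcome in simulate_bubble_exchange():
        print(f"{sender} -> {receiver} ({path}): {outcome}")
```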

PortProxy

PortProxy is a component that proxies traffic for applications that do not support IPv6. It only supports TCP-based applications; UDP applications are not supported. It is not very flexible, so it is best to use the other tunneling technologies where possible.

Transitioning from IPv4 to IPv6

  1. Upgrade applications
  2. Update DNS pointer records
  3. Upgrade hosts to IPv6/IPv4 nodes
  4. Upgrade routing infrastructure for native IPv6 routing
  5. Convert IPv6/IPv4 nodes to IPv6-only nodes

Troubleshooting IPv6

  • Verify IPv6 connectivity
    • Verify configuration
      • ipconfig
      • netsh
    • Manage configuration
      • netsh
    • Verify connectivity
      • ping -6 <local workstation>
    • Check packet filtering
    • Manage the IPv6 routing table
      • route print
    • Verify router reliability
      • pathping
  • Verify DNS name resolution for IPv6 addresses
    • Verify DNS configuration
      • dnscmd
      • nslookup
      • DNS console
    • Display and flush the DNS client resolver cache
      • ipconfig /displaydns
      • ipconfig /flushdns
    • Test DNS name resolution
      • ping -6
    • View DNS server responses
      • nslookup
  • Verify IPv6-based TCP connections
    • Check for packet filtering (for example, FTP or HTTP blocked, or ICMP/ping requests blocked)
    • Verify the TCP connection
      • telnet <IPv6 address> 80 (port 80, for example)

Question: Your network has two subnets connected by a router. On Subnet1 you have several servers: a domain controller, a DNS server, a file server, and a DHCP server. On Subnet2 you have several laptop client computers running Windows 7 and several file servers. The file server has Windows Server 2008 R2 installed, and the other servers in Subnet1 also have Windows Server 2008 R2 installed. You need to make sure the client computers can resolve the names of the other client computers as well as the file servers in Subnet2 if the router connecting the two subnets fails. What should you do?

Answer: Enable IPv6 on all of the client computers in Subnet2. IPv6 supports Link-Local Multicast Name Resolution (LLMNR). LLMNR allows computers to resolve the names of computers in the same subnet using multicast requests.




Reference: Global IPv6 Cheat Sheet (IPv6_Cheat_Sheet.pdf, www.globalipv6.com)




My shortcut notes for IPv6 subnetting enumeration
Using the example in Microsoft's TechNet Chapter 4 - Subnetting: the global address prefix is 2001:DB8:0:C000::/51 and we are going to perform 3-bit subnetting.

For global addresses, the Internet Assigned Numbers Authority (IANA) or an ISP assigns an IPv6 address prefix in which the first 48 bits are fixed. Subnetting the Subnet ID field for a 48-bit global address prefix requires a two-step procedure:

  1. Determine the number of bits to be used for the subnetting.
  2. Enumerate the new subnetted address prefixes.

Variables:
  • s = the number of bits chosen for subnetting
  • m = the prefix length of the address being subnetted
  • f = m - 48, the number of bits in the Subnet ID that are already fixed
  • n = 2^s, the number of address prefixes (subnets) you will obtain
  • i = 2^(16 - (f + s)), the incremental value between successive subnets
  • P = m + s, the prefix length of the new subnetted address prefixes

Example: 2001:DB8:0:C000::/51
IPv6 addresses are 128 bits. The first 64 bits are the network and subnet prefix; the next 64 bits are the host (Interface ID).

The fixed network address is the first 48 bits and the next 16 bits are the Subnet ID. In the above example, C000 is the Subnet ID.



Method

Calculate the missing variables:

n = 2^3 = 8 (the number of address prefixes/subnets that you will obtain)
f = 51 - 48 = 3 (the number of bits in the Subnet ID that are already fixed)
i = 2^(16 - (3 + 3)) = 2^10 = 1024 (the incremental value between successive subnets)
P = 51 + 3 = 54 (the prefix length of the new subnetted address prefixes)

  • To subnet the address, first determine the number of bits you will need for the subnets. Because you are doing 3-bit subnetting, you have n = 2^3 = 8 networks.

  • Next, determine the number of bits of the fixed address that are not part of the 48-bit global address. Subtract 48 from 51 and assign this value to the variable f: f = 51 - 48 = 3.

  • Now determine the increment between addresses. The formula is i = 2^(16 - (f + s)). In this case i = 1024, or a hex value of 0x400 (Fig. A1). Therefore the increment is 0x400, making the subnets:

There are 8 subnet prefixes, n=2^3=8 , and the new prefix length is P=51+3=54:
2001:DB8:0:C000::/54
2001:DB8:0:C400::/54
2001:DB8:0:C800::/54
2001:DB8:0:CC00::/54
2001:DB8:0:D000::/54
2001:DB8:0:D400::/54
2001:DB8:0:D800::/54
2001:DB8:0:DC00::/54


The largest power of 2 that is less than or equal to 1024 is 1024 itself (Fig. A1). Turn on the bit for the corresponding hex value and put zeros in the remaining places. 1024 is hex 0400 (see Fig. A1 below).

Note: every four bits make one hex digit.
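
The same calculation as an added Python example (not code from the TechNet chapter or the post): it derives f, n, i and P from the page's formulas, enumerates the eight /54 prefixes by adding i to the Subnet ID field, and cross-checks the list against the standard library's own subnet enumeration. Function names are mine; the module also works for any other 3-bit, 4-bit, etc. split of a /48 to /63 prefix.

```python
"""Enumerating subnetted IPv6 prefixes with the page's variables s, m, f, n, i, P.

Added example, not code from the TechNet chapter or the post; standard library only."""
import ipaddress


def subnet_plan(prefix, s):
    """Step 1: derive f, n, i and P for a global prefix whose first 48 bits are fixed."""
    net = ipaddress.IPv6Network(prefix, strict=True)   # rejects non-zero host bits
    m = net.prefixlen
    if not (48 <= m and m + s <= 64):
        raise ValueError("the new prefixes must stay inside the 16-bit Subnet ID field")
    f = m - 48                  # Subnet ID bits already fixed by the /m prefix
    n = 2 ** s                  # number of subnets obtained
    i = 2 ** (16 - (f + s))     # increment between successive Subnet ID values
    P = m + s                   # new prefix length
    return {"s": s, "m": m, "f": f, "n": n, "i": i, "P": P}


def enumerate_subnets(prefix, s):
    """Step 2: add i to the Subnet ID field n times, starting at the original prefix."""
    plan = subnet_plan(prefix, s)
    base = int(ipaddress.IPv6Network(prefix).network_address)
    # The Subnet ID is bits 48..63 from the left, so one unit of i sits 64 bits above the LSB.
    step = plan["i"] << 64
    prefixes = []
    for k in range(plan["n"]):
        addr = ipaddress.IPv6Address(base + k * step)
        prefixes.append(f"{addr.compressed.upper()}/{plan['P']}")
    return prefixes


def matches_stdlib(prefix, s):
    """True when the hand enumeration equals ipaddress' subnets(prefixlen_diff=s)."""
    lib = [f"{sn.network_address.compressed.upper()}/{sn.prefixlen}"
           for sn in ipaddress.IPv6Network(prefix).subnets(prefixlen_diff=s)]
    return enumerate_subnets(prefix, s) == lib


if __name__ == "__main__":
    plan = subnet_plan("2001:DB8:0:C000::/51", 3)
    print(f"n={plan['n']} f={plan['f']} i={plan['i']} (0x{plan['i']:X}) P={plan['P']}")
    for p in enumerate_subnets("2001:DB8:0:C000::/51", 3):
        print(p)
```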

Fig. A1: the increment 1024 = 0x400 (the 12 low-order bits of the 16-bit Subnet ID)

Hex weight:     8     4     2     1 |     8     4     2     1 |     8     4     2     1
Dec:         2048  1024   512   256 |   128    64    32    16 |     8     4     2     1
Base 2:      2^11  2^10   2^9   2^8 |   2^7   2^6   2^5   2^4 |   2^3   2^2   2^1   2^0
Bits:           0     1     0     0 |     0     0     0     0 |     0     0     0     0
Hex digit:               4          |              0          |              0          = 0x400




How to convert a decimal to Hex 



Fig. A2: 197 in binary (1100 0101) and hex (C5)

Hex weight:     8     4     2     1 |     8     4     2     1 |     8     4     2     1
Dec:         2048  1024   512   256 |   128    64    32    16 |     8     4     2     1
Base 2:      2^11  2^10   2^9   2^8 |   2^7   2^6   2^5   2^4 |   2^3   2^2   2^1   2^0
Bits:           0     0     0     0 |     1     1     0     0 |     0     1     0     1
Hex digit:               0          |              C          |              5          = 0xC5


Let's say your decimal number is 197. Look for the largest number in the Dec row that is not greater than 197. It is 128, so turn on the 128 bit.

Next, add the next lower Dec number: 64 + 128 = 192. 192 is lower than 197, so turn on the corresponding 64 bit.

You need 5 more to reach 197, so turn on the 4 and 1 bits, which gives a total of 197 and a binary value of 1100 0101 (Bits row).

Look at the hex weights that correspond to each group of 4 bits and add them. The hex weight that corresponds to Dec 128 is 8 and the weight that corresponds to Dec 64 is 4; 8 + 4 = 12, which is hex C (Fig. A3).

Next, add the hex weights that correspond to Dec 4 and Dec 1 and you get hex 5.

So the hex translation of 197 is C5.


Fig. A3: hex digits and their decimal values

Hex:  1  2  3  4  5  6  7  8  9   A   B   C   D   E   F
Dec:  1  2  3  4  5  6  7  8  9  10  11  12  13  14  15



