Thursday 23 January 2014

IPv6

IPv6 Addressing:
IPv6 has moved from a 32-bit address space to a 128-bit address space. As a result, Classless Inter-Domain Routing (CIDR) is no longer needed to conserve addresses, because the number of available addresses is no longer a concern. The number of addresses available per person on this planet is approximately 10^30.

The IPv6 addressing architecture makes a few adjustments to the types of address available to an IP host. There are three types of IPv6 address: unicast, multicast, and anycast. The unicast and multicast addresses are similar to their IPv4 versions. However, the IPv4 broadcast address is no longer supported; it is replaced by a new type of address called anycast.

Unicast:

Unicast is an identifier for a single interface.  A packet sent to a unicast address is delivered to the interface identified by that address.  A node can have more than one IPv6 network interface.  Each separate interface must have its own unicast address associated with it.  Contained in the 128-bit field is an address that identifies one interface.
Bits:    3      13       8       24       16           64
       +----+--------+-----+--------+--------+--------------+
       | FP | TLA ID | RES | NLA ID | SLA ID | Interface ID |
       +----+--------+-----+--------+--------+--------------+

FP: The format prefix is the three-bit prefix to the IPv6 address that identifies where it belongs in the IPv6 address space.

TLA ID: The top-level aggregation identifier contains the highest-level routing information of the address. This refers to the coarsest level of routing information in the internetwork, and as currently defined (at 13 bits) there can be no more than 8192 different top-level routes.

RES: The next eight bits are reserved for future use.

NLA ID: The next-level aggregation identifier is 24 bits long, and it is meant to be used by organizations that control top-level aggregation IDs to organize that address space.

SLA ID: The site-level aggregation identifier is the address space given to organizations for their internal network structure.  With 16 bits available, each organization can create its own internal hierarchical network structure using subnets in the same way they are used in IPv4.  As many as 65,535 different subnets are available using all 16 bits as a flat address space.  Using the first eight bits for higher-level routing within the organization would allow 255 high-level subnets, each of which has as many as 255 sub-subnets.


Interface ID: This 64-bit field contains a 64-bit value based on the IEEE EUI-64 interface ID.
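To make the bit widths above concrete, here is an added example (not code from the original post) that slices a 128-bit address into the six fields exactly as the diagram lays them out. The field table and the sample address (a constructed one from the 2001:db8::/32 documentation range) are assumptions for the demonstration; the same function can take any other list of (name, width) pairs that sums to 128 bits.

```python
import ipaddress

# Field widths, in bits, of the aggregatable global unicast format described
# above (the RFC 2374 layout), most significant field first.
AGGREGATABLE_FIELDS = [
    ("FP", 3),
    ("TLA ID", 13),
    ("RES", 8),
    ("NLA ID", 24),
    ("SLA ID", 16),
    ("Interface ID", 64),
]


def split_fields(address, fields=AGGREGATABLE_FIELDS):
    """Slice a 128-bit IPv6 address into named bit fields.

    Fields are consumed from the most significant bit downward, so the
    widths must add up to exactly 128. Returns {field name: integer value}.
    """
    total = sum(width for _, width in fields)
    if total != 128:
        raise ValueError(f"field widths sum to {total}, expected 128")
    value = int(ipaddress.IPv6Address(address))
    result = {}
    remaining = 128
    for name, width in fields:
        remaining -= width
        result[name] = (value >> remaining) & ((1 << width) - 1)
    return result


def is_aggregatable_global(address):
    """True when the 3-bit format prefix is 001 (binary), i.e. 2000::/3."""
    return split_fields(address)["FP"] == 0b001


if __name__ == "__main__":
    # Constructed sample address; 2001::/16 is TLA ID 1 in this layout.
    sample = "2001:0db8:0000:0001:0000:0000:0000:0001"
    for name, val in split_fields(sample).items():
        print(f"{name:>13}: 0x{val:x}")
    print("aggregatable global:", is_aggregatable_global(sample))
```

Running it on the sample prints FP = 1, TLA ID = 1, RES = 0xd, NLA ID = 0xb80000, SLA ID = 1 and Interface ID = 1; a link-local address such as fe80::1 starts with the prefix 111 and is rejected by `is_aggregatable_global`.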

Multicast:

Multicast is an identifier for a set of interfaces (typically belonging to different nodes). A packet sent to a multicast address is delivered to all interfaces identified by that address. As soon as the first few bytes of a packet arrive, the node examines the destination address at the beginning of the transmission. If the destination address matches the node's interface address, the node picks up the rest of the transmission. This makes it relatively simple for a node to pick up broadcast and multicast transmissions: if a broadcast is sent, the node listens. For multicasts, the node subscribes to a multicast address, and if it sees that the destination address is a multicast address, it must determine whether it is one to which the node is subscribed. When a node subscribes to a multicast address, it announces that it wants to be a member, and any local routers subscribe on behalf of that node. When a transmission is sent to that multicast address from another node on the same network, the IP multicast packet is encapsulated in a link-layer multicast data transmission unit. The IPv6 solution to the broadcast problem is to use an “all nodes” multicast address to replace those broadcasts that are absolutely necessary, while resorting to more limited multicast addresses for other situations in which broadcasts were previously used. Below is the IPv6 multicast address format, from RFC 2373.

Bits:      8        4       4          112
       +----------+-------+-------+---------------+
       | 11111111 | Flags | Scope |   Group ID    |
       +----------+-------+-------+---------------+

The first octet, which is all ones, identifies the address as a multicast address.  Multicast addresses include a full 1/256th of the IPv6 address space, as shown above.  The rest of the multicast address consists of three fields:

Flags: This is actually a set of four single-bit flags.  Only the fourth flag is currently assigned, and it represents whether the address is a well-known multicast address that has been assigned by the Internet numbering authority or a temporary multicast address.  If this flag is set to zero, the address is well-known; set to one, it signifies a transient address.  The other three flags are reserved for future use.


Scope: This four-bit field contains a value that indicates the scope of the multicast group: whether the group can include only nodes on the same local network, the same site, the same organization, or anywhere within the IPv6 global address space. The possible values, 0 to F in hexadecimal, are listed in the table below.
Hex   Decimal   Value
 0       0      reserved
 1       1      node-local scope
 2       2      link-local scope
 3       3      (unassigned)
 4       4      (unassigned)
 5       5      site-local scope
 6       6      (unassigned)
 7       7      (unassigned)
 8       8      organization-local scope
 9       9      (unassigned)
 A      10      (unassigned)
 B      11      (unassigned)
 C      12      (unassigned)
 D      13      (unassigned)
 E      14      global scope
 F      15      reserved

Group ID: This 112-bit field identifies the multicast group.  The same group ID can represent different groups, depending on whether the address is transient or well known, and also depending on the scope of the address.  Permanent multicast addresses use assigned group IDs with special meaning, and membership in such groups depends both on the group ID and on the scope.
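The following is an added example, not code from the original post, that decodes the three fields just described (Flags, Scope, Group ID) from a multicast address and names the scope using the table above. The scope dictionary only carries the assigned values; everything else reports as unassigned. Sample addresses such as ff15::abcd are constructed for the demonstration.

```python
import ipaddress

# Scope names from the table above (RFC 2373). Values not listed are unassigned.
MULTICAST_SCOPES = {
    0x0: "reserved",
    0x1: "node-local scope",
    0x2: "link-local scope",
    0x5: "site-local scope",
    0x8: "organization-local scope",
    0xE: "global scope",
    0xF: "reserved",
}


def parse_multicast(address):
    """Split an IPv6 multicast address into its flags, scope and group ID.

    Layout (most significant bit first): 8 bits of all ones, 4 flag bits,
    4 scope bits, 112-bit group ID. Raises ValueError for a non-multicast
    address so callers cannot misread a unicast address as a group.
    """
    addr = ipaddress.IPv6Address(address)
    value = int(addr)
    if (value >> 120) != 0xFF:
        raise ValueError(f"{addr} is not multicast: first octet must be 0xFF")
    flags = (value >> 116) & 0xF
    scope = (value >> 112) & 0xF
    group_id = value & ((1 << 112) - 1)
    return {
        "flags": flags,
        # The fourth (lowest) flag bit is the T flag: 0 = well-known, 1 = transient.
        "transient": bool(flags & 0x1),
        "scope": scope,
        "scope_name": MULTICAST_SCOPES.get(scope, "(unassigned)"),
        "group_id": group_id,
    }


if __name__ == "__main__":
    # ff02::1 is the well-known link-local "all nodes" group mentioned above;
    # ff15::abcd is a constructed transient, site-local group.
    for sample in ("ff02::1", "ff15::abcd", "ff0e::101"):
        info = parse_multicast(sample)
        print(f"{sample:>12}: flags={info['flags']:#x} transient={info['transient']} "
              f"scope={info['scope_name']} group=0x{info['group_id']:x}")
```

The scope check is useful from the defensive side as well: a packet claiming a link-local scope (2) that arrives through a router, or a site-local group seen on the Internet edge, is a scoping violation worth flagging in a filter or detection rule.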

Anycast:

Anycast is an identifier for a set of interfaces (typically belonging to different nodes). A packet sent to an anycast address is delivered to one of the interfaces identified by that address (the “nearest” one, according to the routing protocols' measure of distance). All nodes that are members of a multicast address expect to receive all packets sent to that address.  A router that connects five different local Ethernet networks will forward a copy of a multicast packet to each of those networks. Anycast is like multicast in that multiple nodes may share the anycast address, but it differs in that only one of those nodes can expect to receive a datagram sent to the anycast address.

Address Format:
IPv6 addresses are four times as long as an IPv4 address.  An IPv4 address is represented as X.X.X.X, where each "X" is a number from 0 to 255. An IPv6 address, on the other hand, is written in the form X:X:X:X:X:X:X:X, where each X is a four-digit hexadecimal integer (16 bits).  For example, a few valid IPv6 addresses are as follows:

CFAE:3290:ABCD:1234:CEAF:5678:9012:AAAA

ABC3:0000:0000:0003:ABCD:0123:FFFF:ABCD

The above IPv6 address could also be represented as

ABC3::3:ABCD:123:FFFF:ABCD

Note that the integers are hexadecimal integers, so the letters A through F represent the digits 10 through 15.  Each integer must be included, but leading zeros are not required.  In addition, a double colon (::) can be used once in an address to replace multiple fields of zeros.  For example:

            1000:0:0:0:0:0:0:1

could be represented as

            1000::1


The double colon means that the address should be expanded out to a full 128-bit address.  This method replaces zeros only when they fill a complete 16-bit group, and the double colon can be used only once in any given address. 

IPv6 Header:
The new IPv6 header is aligned on a 64-bit boundary and is only 40 bytes long, 32 of which hold the two IPv6 addresses and the remaining 8 the six other fields.  IPv4 headers, by contrast, are aligned on a 32-bit boundary and consist of 24 bytes, 8 of which hold the two IPv4 addresses and the remaining 16 the twelve other fields.  IPv6 headers do not contain any optional elements.  If additional functions are needed, IPv6 uses extension headers.  This makes the new IPv6 header much simpler than its predecessor.  Below is a side-by-side comparison of the IPv4 and IPv6 headers.

IPv4 and IPv6 Header:

 0       4       8               16   19             24             31
+-------+-------+---------------+-------------------------------+
|Version|Hdr Len| Service Type  |         Total Length          |
+-------+-------+---------------+-----+-------------------------+
|        Identification         |Flags|     Fragment Offset     |
+---------------+---------------+-----+-------------------------+
| Time to Live  |   Protocol    |        Header Checksum        |
+---------------+---------------+-------------------------------+
|                       Source IP Address                       |
+---------------------------------------------------------------+
|                    Destination IP Address                     |
+---------------------------------------------------------------+
|                    Options                    |      PAD      |
+---------------------------------------------------------------+

IPv4 Headers

 0       4       8               16              24             31
+-------+-------+-----------------------------------------------+
|Version| Prio. |                  Flow Label                   |
+-------+-------+---------------+---------------+---------------+
|        Payload Length         |  Next Header  |   Hop Limit   |
+-------------------------------+---------------+---------------+
|                                                               |
+                                                               +
|                        Source Address                         |
+                          (128 bits)                           +
|                                                               |
+---------------------------------------------------------------+
|                                                               |
+                                                               +
|                      Destination Address                      |
+                          (128 bits)                           +
|                                                               |
+---------------------------------------------------------------+

IPv6 Headers

The IPv6 Header Fields: 
Version: This is a four-bit value, and for IPv6 must be equal to six. This field is the only field that has the same meaning from IPv4 to IPv6.


Priority: This four-bit priority field allows an application to specify the type of traffic that is being sourced.  This allows the network to take advantage of the various queuing and congestion control mechanisms that may exist within it.


Flow Label: This is a 24-bit value used to identify packets that belong to the same flow. Similar to the Service Type field in IPv4, this allows network devices to prioritize and shape traffic flows appropriately.


Payload Length: This is a 16-bit field that contains an integer value equal to the length of the packet payload in bytes. It is very similar to the IPv4 Total Length Field, except that IPv6's field is the length of the data carried after the header whereas IPv4 included the header.


Next Header: This 8-bit field indicates what protocol is in use in the header immediately following the IPv6 header.  Similar to the IPv4 Protocol field, the Next Header field may refer to a higher-layer protocol like TCP or UDP, but it may also indicate the presence of an IPv6 extension header.


Hop Limit: Every time a node forwards a packet, it decrements this 8-bit field by one.  If the hop limit reaches zero, the packet is discarded.  This is very similar to IPv4, where the TTL (time-to-live) field fulfills the same purpose.


Source Address: This is the 128-bit address of the node originating the IPv6 packet.


Destination Address: This is the 128-bit address of the intended recipient of the IPv6 packet.  This address may be a unicast, multicast, or anycast address.  If a routing extension is being used (which specifies a particular route that the packet must traverse), the destination address may be one of those intermediate nodes instead of the destination node.

Extension Headers: The current IPv6 specification defines six extension headers:

1. Hop-by-Hop Options Header: This header carries information that is intended to be examined by every node en route from the source to the destination.

2. Routing Header: This header replaces source routing as it was implemented in IPv4. Source routing allows you to specify routers that the packet must traverse on its way to its destination. IPv6 defines a generic routing extension header with two one-byte fields: a routing type field, indicating what kind of routing header is in use, and a segments-left field, which indicates how many of the routers listed in the rest of the header must still be visited before the packet reaches its final destination.

3. Fragment Header: By allowing fragmentation only by the source node, IPv6 streamlines the processing of packets by intermediate routers. The fragment header fields include:
o  Next header field:  This eight-bit field is common to all IPv6 extension headers.
o  Reserved: The next eight bits are unused at this time and set to zero.
o  Fragment offset field:  This 13-bit field indicates, in units of eight bytes, where the data included in this packet (a fragment) begins in relation to the beginning of the fragmented portion of the data.
o  Reserved field:  This two-bit field is set to zero and is not currently used.
o  M flag: This single bit indicates whether or not more fragments are to come.
o  Identification field:  This is like the IPv4 ID field except that it is 32 bits long rather than 16 bits.

4. Authentication Header: The authentication header provides a mechanism for a source node to digitally sign packets.  All data that follows an authentication header remains in plaintext and may be intercepted by an attacker.  Upon receipt by the destination node, however, the data can be authenticated against the data included in the authentication header.

5. Encrypted Security Payload: The ESP header makes it possible to encrypt the contents of a packet.  The ESP header holds enough data to allow the recipient to decrypt the rest of the packet (all data following an ESP header is encrypted).

6. Destination Option Header: This option provides a mechanism, like the hop-by-hop options header, to deliver optional information along with IPv6 packets. 
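The following is an added example (not code from the original post) that builds and parses the 40-byte fixed header and then walks the Next Header chain through the Hop-by-Hop, Routing, Fragment and Destination Options extension headers, decoding the Fragment header fields listed above. One assumption should be stated: the field widths given earlier on this page (4-bit Priority, 24-bit Flow Label) are those of the original RFC 1883; RFC 2460 later redefined the first 32-bit word as a 4-bit Version, 8-bit Traffic Class and 20-bit Flow Label, which is what deployed stacks use, so the parser below uses that split. Addresses, the fragment identification and the payload bytes are constructed sample values.

```python
import ipaddress
import struct

# Next Header values (IANA protocol numbers) this example understands.
NEXT_HEADER_NAMES = {
    0: "Hop-by-Hop Options", 6: "TCP", 17: "UDP", 43: "Routing",
    44: "Fragment", 50: "ESP", 51: "AH", 58: "ICMPv6",
    59: "No Next Header", 60: "Destination Options",
}
EXTENSION_TYPES = (0, 43, 44, 60)   # the ones with a walkable length field


def build_ipv6_header(src, dst, next_header, payload_len, hop_limit=64,
                      traffic_class=0, flow_label=0):
    """Pack the 40-byte fixed header: 4/8/20-bit first word, then 16/8/8, then two addresses."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return (struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


def build_fragment_header(next_header, offset, more, ident):
    """Fragment header: next, reserved, 13-bit offset (8-byte units) + 2 reserved bits + M flag, 32-bit id."""
    return struct.pack("!BBHI", next_header, 0, ((offset & 0x1FFF) << 3) | (more & 1), ident)


def parse_ipv6(packet):
    """Decode the fixed header and extension chain; raise ValueError on anything inconsistent."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, nxt, hop = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"version {version} is not 6")
    if len(packet) - 40 < payload_len:
        raise ValueError("packet shorter than its Payload Length claims")
    hdr = {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_length": payload_len,
        "next_header": nxt,
        "hop_limit": hop,
        "src": str(ipaddress.IPv6Address(packet[8:24])),
        "dst": str(ipaddress.IPv6Address(packet[24:40])),
        "extension_headers": [],
    }
    body = packet[40:40 + payload_len]
    off = 0
    while nxt in EXTENSION_TYPES:
        if len(body) - off < 8:
            raise ValueError("truncated extension header")
        if nxt == 44:
            nxt2, _reserved, offset_flags, ident = struct.unpack("!BBHI", body[off:off + 8])
            hdr["extension_headers"].append({
                "type": "Fragment",
                "fragment_offset": offset_flags >> 3,       # in 8-byte units
                "more_fragments": bool(offset_flags & 1),    # the M flag
                "identification": ident,
            })
            size = 8
        else:
            # Hop-by-Hop, Routing and Destination Options share a
            # (next header, length) prefix; length counts 8-byte units
            # not including the first 8 bytes.
            nxt2, ext_len = body[off], body[off + 1]
            size = (ext_len + 1) * 8
            if len(body) - off < size:
                raise ValueError("extension header length exceeds payload")
            hdr["extension_headers"].append({"type": NEXT_HEADER_NAMES[nxt], "length": size})
        nxt = nxt2
        off += size
    hdr["upper_layer"] = NEXT_HEADER_NAMES.get(nxt, str(nxt))
    hdr["payload"] = body[off:]
    return hdr


if __name__ == "__main__":
    # Constructed sample: a second fragment (offset 185 * 8 bytes, more to come)
    # carrying 16 bytes of UDP data.
    udp_bytes = b"\x00" * 16
    pkt = (build_ipv6_header("2001:db8::1", "2001:db8::2", 44, 8 + len(udp_bytes), flow_label=0x12345)
           + build_fragment_header(17, 185, 1, 0xDEADBEEF) + udp_bytes)
    for key, value in parse_ipv6(pkt).items():
        print(f"{key:>18}: {value}")
```

Two of the checks are the ones a packet filter or IDS must not skip: the Payload Length is compared against the bytes actually present before anything is indexed, and every extension header length is bounds-checked before the chain is followed, so a malformed or truncated chain raises instead of reading past the buffer.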


Security:
Authentication and security, including secure password transmission, encryption, and digital signatures on datagrams, are all implemented under IPv6 through the Authentication Header (AH) and Encapsulating Security Payload (ESP).  The reason IPv4 did not incorporate any real security features in its time is that IPv4 was created to be an internetworking protocol.


The Authentication Header (AH) provides strong integrity services and strong authentication for IP datagrams.  This means that the AH header can be used to carry content verification data for IP datagrams and can be used to link an entity with the contents of the datagrams.  This also protects against replay attacks through the use of a sequence number field.  The authentication header can be used in tunnel mode or in transport mode, which means that it can be used to authenticate and protect simple, direct datagram transfers between two nodes or it can be used to encapsulate an entire stream of datagrams that is sent to or from a security gateway.


The Encapsulating Security Payload (ESP) header is designed to allow IP nodes to send and receive datagrams whose payload is encrypted.  The ESP header is designed to provide several different services including:
  • Confidentiality of datagrams through encryption
  • Authentication of data origin through the use of public key encryption
  • Anti-replay services through the same sequence number mechanism as provided by the authentication header.
  • Limited traffic flow confidentiality through the use of security gateways.
ESP can be used in tunnel or transport mode.  In transport mode, the IP header and any hop-by-hop, routing, or fragmentation extension headers precede the authentication header and are then followed by the ESP header. Any destination options headers can either precede or follow the ESP header. All headers that follow the ESP header are encrypted.

IPv6 Configuration:
One of the important stated goals of IPv6 was to support “plug-and-play”. This would make it possible to plug a node into an IPv6 network and have it boot to the network without needing manual configuration.  

IPv6 offers two types of autoconfigurations, Stateful and Stateless.


Stateful autoconfiguration is the IPv6 equivalent of DHCP.  It requires that a DHCP server be installed and administered, and that each new node to be served be configured on the server.  The DHCP server keeps a list of nodes that it will supply configuration information to and rejects all others.  The problem with stateful autoconfiguration is that someone needs to maintain and administer a server in order to manage all the current connections.  An update to DHCP for IPv6, called DHCPv6, is still under development.


Stateless autoconfiguration requires that the local link support multicast and that the network interface be able to send and receive multicasts.  With stateless autoconfiguration, a host gains an address by having its interface automatically take one, without requiring a server to hand out addresses.  This address is based on the network prefix and the Ethernet MAC address.  However, before it can take on that address, the node must verify that the starting address is in fact unique on the local link.  This is the default mode for most IPv6 systems.
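This added example (not code from the original post) shows the two mechanical steps behind the paragraph above and behind the EUI-64 interface ID mentioned in the unicast address format earlier: deriving the modified EUI-64 interface ID from a 48-bit MAC (insert FF:FE in the middle and flip the universal/local bit), then combining it with a /64 prefix. It also computes the solicited-node multicast group (ff02::1:ffXX:XXXX, from RFC 4861) that the node joins to check that its tentative address is unique on the link; that group is a detail beyond the post. The MAC address and prefixes are constructed sample values.

```python
import ipaddress


def mac_to_eui64(mac):
    """Modified EUI-64 interface ID (8 bytes) from a 48-bit MAC address string.

    Steps: split the MAC in half, insert 0xFFFE between the halves, then
    invert the universal/local bit (bit 1 of the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return bytes(eui)


def slaac_address(prefix, mac):
    """Stateless address: the /64 network prefix plus the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration needs a /64 prefix")
    interface_id = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | interface_id)


def link_local_address(mac):
    """The link-local address a node forms first, from the fe80::/64 prefix."""
    return slaac_address("fe80::/64", mac)


def solicited_node_multicast(address):
    """ff02::1:ff00:0/104 plus the low 24 bits of the address; the group used
    to detect a duplicate of a tentative address on the link."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return ipaddress.IPv6Address(base | low24)


if __name__ == "__main__":
    mac = "00:1A:2B:3C:4D:5E"          # constructed sample MAC
    ll = link_local_address(mac)
    glob = slaac_address("2001:db8:1:2::/64", mac)
    print("EUI-64 interface ID :", mac_to_eui64(mac).hex(":"))
    print("link-local address  :", ll)
    print("global address      :", glob)
    print("DAD multicast group :", solicited_node_multicast(glob))
```

Because the interface ID is derived from the hardware address, every SLAAC address a host forms on any network carries its MAC, which makes the host trackable across networks; RFC 4941 privacy extensions generate randomised interface IDs instead, and most current operating systems enable them by default, so an inventory that expects EUI-64-shaped addresses will not see every host.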

Mobile IPv6 is considerably more convenient to implement and to use, because stateless autoconfiguration makes IPv6 much simpler and because a mobile node can establish contact with its home network even when its regular home agent becomes unavailable.  The mobile node can send an anycast packet to an address reserved for home agents on the home network, with the result that whatever home agent is available can notify the mobile node of its options.

IPv6 Transition
The IPv6 transition will continue to take place relatively slowly, as vendors and developers gradually introduce versions of IPv6 for different platforms.  It is expected that IPv4 and IPv6 will have to coexist for a long time, perhaps forever.  One approach is to have protocol tunneling, where IPv6 packets are encapsulated within IPv4 packets for transmission from IPv6 islands through IPv4 oceans.  The other approach is to have a dual-stack, where hosts and routers run IPv4 and IPv6 stacks on the same network interfaces.  This way, a dual-stack node can accept and transmit both IPv4 and IPv6 packets.
